Security & governance baseline: 30 Dependabot alerts, no branch protection, missing standard configs

[turbomam]

Summary

The repo is missing the standard GitHub security/governance baseline and carries 30 open Dependabot alerts: 1 critical, 9 high, 16 medium, 4 low. See the Security tab for details.

Each gap below is small; together they represent a coherent hygiene cluster worth addressing.

Baseline gaps

Missing	Purpose	Effort
Branch protection on master	Require passing checks; block force-push and deletion	Settings toggle
.github/dependabot.yml	Auto-propose dependency upgrades	Single-file PR
.github/workflows/codeql.yml	Free static security analysis	Single-file PR (GitHub template)
SECURITY.md	Vulnerability reporting policy	Single-file PR
CODEOWNERS	Auto-request reviews from owners of touched paths	Requires owner decisions
.pre-commit-config.yaml	Local lint/format gate	Single-file PR

Suggested order

1. Branch protection on master (stops the bleed first)
2. dependabot.yml + codeql.yml (cheap, automated)
3. SECURITY.md
4. CODEOWNERS and .pre-commit-config.yaml (need team input)

Why branch protection first

Right now master has no required checks, no force-push block, and no deletion block (gh api repos/Knowledge-Graph-Hub/kg-microbe/branches/master/protection → 404). Every subsequent hygiene PR relies on the base branch being stable.

[turbomam]

Full audit of GitHub security / code-quality features on this repo (2026-04-17)

Captured during repo-cleanup pass. All of the below are free on public repos (no GHAS license needed). Tiering: R = repo-settings toggle (admin only); F = file-based (regular PR).

Security features that are OFF / missing

Feature	Type	Status	Note
Dependabot alerts (vulnerability_alerts)	R	OFF (HTTP 404)	Sidebar shows "33 vulnerabilities" but main view says "alerts are inactive" — the count is a stale artifact in GitHub's DB. No new CVE will be detected until this is toggled on.
Dependabot security updates (automated_security_fixes)	R	OFF (HTTP 404)	Even when alerts are on, this is what actually opens fix-PRs.
Secret scanning	R	Not configured (security_and_analysis: null)	GitHub scans for leaked provider credentials in history and new commits.
Secret scanning push protection	R	Not configured	Blocks pushes that contain detected secrets.
Secret scanning — non-provider patterns	R	Not configured	Org-specific token detection.
Secret scanning — validity checks	R	Not configured	Live-validates found tokens against providers.
Private vulnerability reporting	R	enabled: false	Lets reporters privately submit advisories instead of opening public issues.
CodeQL code scanning	F+R	No codeql.yml workflow; no default setup	Free static security analysis for Python.
.github/dependabot.yml	F	Missing	Version-update PRs (separate from security). Proposed in #548.
SECURITY.md	F	Missing	Required by some governance policies; sets reporter expectations.
CODEOWNERS	F	Missing	Auto-requests review from path owners.
.pre-commit-config.yaml	F	Missing	Local lint/format gate before commits.

Code-quality / merge-safety features missing

Feature	Type	Status	Note
Branch protection on master	R	404 = none	master accepts force-push and deletion from anyone with push permission. Biggest single gap.
delete_branch_on_merge	R	false	Stale branches accumulate after merge (we pruned 17 in this cleanup pass).
allow_auto_merge	R	false	Adds per-PR "auto-merge when ready" button; capability only, not compulsion.
Rulesets	R	[]	Newer, more granular alternative to branch protection rules.

Things that ARE in place

• .github/workflows/qc.yml runs ruff check/format, tox tests on Python 3.10/3.11/3.12 for PRs to master.
• poetry.lock is committed.
• Public repo; allow_forking: true.
• allow_update_branch: true (means the "Update branch" button works).

Recommended sequence

Admin-only (fastest):

1. Enable Dependabot alerts (one toggle)
2. Enable Dependabot security updates (one toggle)
3. Enable secret scanning + push protection (one toggle each)
4. Enable private vulnerability reporting (one toggle)
5. Add branch protection on master requiring qc.yml jobs
6. Enable delete_branch_on_merge and allow_auto_merge

All six above are free, take minutes, and are each individually reversible.

File-based PRs (I can open, team reviews):
7. .github/dependabot.yml — #548
8. .github/workflows/codeql.yml (default Python template)
9. SECURITY.md (minimum: who to contact, supported versions)
10. .pre-commit-config.yaml (ruff + common hooks)
11. CODEOWNERS — needs team input on who owns what

Impact of doing all of the above

• Known CVEs actively monitored and fixes proposed automatically.
• Secrets can't be force-pushed to master.
• master can't be force-pushed or deleted.
• Static security analysis runs on every PR.
• Stale branches clean up on merge.
• Baseline documented for external collaborators (SECURITY.md, CODEOWNERS).

Happy to open draft PRs for 8–11 as separate small artifacts if useful. #547, #549, #544, #545, #548 already track sub-pieces.

[turbomam]

Correction to the audit above

Reviewed the state again after the 333-commit fast-forward that happened during this cleanup:

• .pre-commit-config.yaml is already in place on master. Misreported as missing above — apologies; my local working tree was stale when I ran the initial check. It configures ruff (check + format), codespell, and deptry via pre-commit. No file-based action needed here.

The other gaps listed above stand: no dependabot.yml, no CodeQL workflow, no SECURITY.md, no CODEOWNERS, branch protection missing, Dependabot/secret scanning toggles off.