Triage run: 2026-04-26T08:07Z (UTC)
Scan source: GH Actions nightly scan, workflow run 24952383967
Scan report: docs/security/scans/2026-04-25.md (2026-04-26 scan report absent — see note below)
Triaged by: security-agent (claude-sonnet-4-6)
The docs/security/scans/2026-04-26.md file was not present at triage time. The GH Actions workflow filed issues automatically (2026-04-26T08:38Z) but did not write a structured scan doc to the repo. Triage performed against the auto-filed issues (#395–#400) plus the 2026-04-25 baseline for trend comparison. This is a tooling gap — the workflow should commit the scan report file as part of its run. Noted for operator.
| Severity | Count | Disposition |
|---|---|---|
| CRITICAL | 4 auto-filed | 2 genuine (open), 2 false positive (recommend close) |
| HIGH | 4 new today | 4 actionable, triaged with comments |
| HIGH (carry-forward) | 19 open | Per-#312–#320 + #378 + #252 backlog; no change |
| MEDIUM | 1 open | #379 (manifest.json) — unchanged |
| CRITICAL deadline | 1 open | #281 CF token expiry 2026-05-07 — 11 days |
Verdict: FALSE POSITIVE.
The matched string is a runbook template placeholder showing the shape of the secret (-----BEGIN RSA PRIVATE KEY-----\n...\n-----END RSA PRIVATE KEY-----). The actual private keys are in Infisical, not in the repo. No real key material present.
Action: Commented on issue recommending close. Remediation: rewrite example to non-key-shaped placeholder OR add .gitleaks.toml allowlist for this runbook. Owner: feature-developer.
Verdict: FALSE POSITIVE.
The CommunityKey=2c04b76c-... is a public URL query parameter for the Uniform Law Commission website. Known false positive — already confirmed and downgraded to INFO in the 2026-04-25 baseline scan. Will re-fire nightly until .gitleaks.toml allowlist is added.
Action: Commented on issue recommending close. Fix: .gitleaks.toml allowlist entry. Owner: feature-developer.
Verdict: GENUINE CRITICAL. Status unclear — requires operator confirmation.
Operator briefing indicated this was addressed, but the issue remains OPEN and no close comment was found. The file backend/.apisecretes containing a live AK-prefixed Alpaca trading key is still present as an untracked file per last git status.
Action: Added follow-up comment to #377 requesting operator confirmation of: (1) key revocation in Alpaca dashboard, (2) .gitignore updated, (3) file deleted.
Slack DM: Attempted — SLACK_BOT_TOKEN not available in agent environment (see note below).
Verdict: GENUINE CRITICAL deadline.
This is a hard expiry, not a scan finding. 11 days remain. The console rotation flow (#253/#254) is the primary path; manual CF dashboard roll is the no-regrets fallback by 2026-05-05.
Action: No new action required today — issue is groomed and ready-for-dev. Surfaced in this report as operator must-watch.
| Issue | Package | Location | Advisory | Owner | Remediation |
|---|---|---|---|---|---|
| #397 | requests==2.32.3 | console/requirements.txt | GHSA-9hjg-9r4m-mvj7 | feature-developer (area:console) | Bump to >=2.33.0; backend_v2 already clean |
| #398 | requests==2.32.3 | console/requirements.txt | GHSA-gc5v-m9x4-r6x2 | feature-developer (area:console) | Same fix as #397 — bundle |
| #399 | Markdown==3.7 | console/requirements.txt | GHSA-5wmx-573v-2qwq | feature-developer (area:console) | Bump to >=3.10.2; verify SOP drawer compatibility |
| #400 | pyjwt==2.8.0 | scripts/agents/requirements.txt | CVE-2026-32597 | feature-developer (area:devops) | Bump to >=2.12.0; JWT header bypass, agent layer only |
All four triaged with comments. Labels applied: area:console (#397, #398, #399), area:devops (#400).
Recommended bundling: #397 + #398 + #399 are all console/requirements.txt bumps — one PR closes all three.
These were filed 2026-04-25 and remain open. No re-triage needed today; no regressions observed.
| Issues | Area | Summary |
|---|---|---|
| #307–#312 | console / backend-v2 | cryptography/pyopenssl/flask dep bumps |
| #313–#320 | frontend | npm audit (react-scripts, workbox, serialize-javascript) |
| #252 | backend-v2 | Heroku origin bypass (CF-Connecting-IP enforcement) |
| #378 | frontend | Production source map publicly served |
| #305, #306 | backend-v2 | bandit B104 bind-all-interfaces |
No .gitleaks.toml allowlist is configured. The two false-positive CRITICALs above will re-fire every nightly run until one is added. This is the highest-priority tooling fix — it will continue inflating CRITICAL counts and creating false-alarm fatigue.

Attempted to page D0AJ7K184TV (Kristerpher's DM) for CRITICAL findings. Failed: SLACK_BOT_TOKEN not set in agent environment. Operator: the CRITICALs requiring your attention are #377 (Alpaca key — confirm remediation) and #281 (CF token — 11 days to expiry). Slack paging capability needs the bot token wired into the agent environment; tracking as tooling gap.
| Metric | 2026-04-25 baseline | 2026-04-26 | Delta |
|---|---|---|---|
| CRITICAL (genuine) | 0 | 2 (unresolved #377 + #281 deadline) | +2 |
| CRITICAL (false positive) | 0 noise | 2 (gitleaks re: allowlist gap) | noise |
| HIGH (new) | 5 | 4 new today | +4 |
| HIGH (total open) | 5 | 23 | +18 (backlog growth from prior triage) |
| MEDIUM | 6 | 1 open (batched per prior scan) | - |
HIGH count growth is from the 2026-04-25 post-baseline filing sprint, not new vulnerabilities introduced today. The 4 new HIGHs today are all console/agent dep drift.
Labels applied: area:console (#397/#398/#399), area:devops (#400).

Tooling gaps:
- docs/security/scans/2026-04-26.md — workflow must commit the scan output file, not just file issues.
- .gitleaks.toml allowlist absent — causes false-positive CRITICAL noise every nightly run.
- SLACK_BOT_TOKEN not in agent environment — Slack paging for CRITICALs is broken.
- last_rotated_at per credential is unread.