Raxx · internal docs


Security triage — 2026-04-28

Triage run: 2026-04-28T09:15:00Z (UTC)
Scan source: GH Actions nightly scan (02:07 PDT / 09:07 UTC), workflow auto-filed issues
Scan report: docs/security/scans/2026-04-28.md — ABSENT (recurring workflow gap; issues filed but doc not committed)
Triaged by: security-agent (claude-sonnet-4-6)
Slack DM sent: Yes — D0AJ7K184TV (triage outcome + #442 urgency)


Scan report status

docs/security/scans/2026-04-28.md not present. Same recurring gap as 2026-04-26 and 2026-04-27. Triage performed against:
  - Auto-filed issues #444–#447 (today's scan)
  - 2026-04-27 triage doc for trend comparison
  - Baseline at docs/security/scans/2026-04-25.md


Findings summary

| Severity | Count | Disposition |
|---|---|---|
| CRITICAL (auto-filed) | 4 | All 4 confirmed false positives — see below |
| HIGH (new today) | 0 | None |
| HIGH resolved | 1 | #430 pyjwt — fixed by #439 (merged 2026-04-27) |
| HIGH carry-forward | ~21 open | No change; see carry-forward table |

No genuine CRITICAL findings. No release-blocking security event.


CRITICAL findings (all false positives)

#447 — gitleaks: generic-api-key in docs/legal/nda-framework.md:325

Verdict: FALSE POSITIVE. CommunityKey=2c04b76c-2b7d-4399-977e-d5876ba7e034 — public URL query parameter for the Uniform Law Commission UETA committee page (uniformlaws.org). Not a secret. Confirmed false positive in 2026-04-25 baseline and 2026-04-26 triage (issued as #395, #396 in prior cycle). 4th consecutive night firing. Root cause: #442 (.gitleaks.toml allowlist) OPEN, not merged. Action: Triage comment posted on #447. Recommend closing. Owner: feature-developer — unblock #442.


#446 — gitleaks: private-key in docs/ops/runbooks/agent-bot-tokens-setup.md:73

Verdict: FALSE POSITIVE. Runbook template placeholder: PRIVATE_KEY_PEM = -----BEGIN RSA PRIVATE KEY-----\n...\n-----END RSA PRIVATE KEY-----. Documentation showing the shape of a secret stored in Infisical; no real key material in repo. Confirmed false positive in 2026-04-25 baseline and 2026-04-26 triage (issued as #395 in prior cycle). 4th consecutive night firing. Root cause: #442 (.gitleaks.toml allowlist) OPEN, not merged. Action: Triage comment posted on #446. Recommend closing. Owner: feature-developer — unblock #442.


#445 and #444 — gitleaks: private-key in docs/security/triage/2026-04-26.md:33

Verdict: FALSE POSITIVE (duplicate pair). The triage agent's own 2026-04-26 doc quotes the RSA placeholder for documentation purposes. Filed twice in the same scan run (workflow bug — duplicate issue on same finding). Not live key material. Root cause: (a) #442 allowlist not merged; (b) workflow deduplication gap producing twin issues. Action: Triage comments posted on #444 and #445. Recommend closing both. Owner: feature-developer — unblock #442; also investigate workflow deduplication.


HIGH resolved today

#430 — CVE-2026-32597 in pyjwt@2.10.1

Verdict: RESOLVED. PR #439 merged 2026-04-27T14:37Z. scripts/agents/requirements.txt now at pyjwt[crypto]==2.12.0 (fix version confirmed). console/requirements.txt also corrected: Markdown==3.8.1. Comment posted at #430 recommending close.


PR merge status (yesterday's expected landings)

| PR | Title | Status | Security impact |
|---|---|---|---|
| #442 | .gitleaks.toml allowlist for 3 FP locations | OPEN | Until merged: 3-4 false CRITICALs per night |
| #443 | CF-origin guard middleware (flag-gated) | OPEN | No exposure change yet — flag default off |
| #439 | Correct dep bumps (pyjwt 2.12.0, Markdown 3.8.1) | MERGED 2026-04-27 | #430 resolved; Markdown gap closed |
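For reference, an added example of what a `.gitleaks.toml` allowlist covering the three false-positive locations can look like. This is illustrative and is not the contents of PR #442; it assumes gitleaks v8 config syntax (global `[allowlist]` table, `[extend] useDefault = true` to keep the stock rules). The two regex values are the exact non-secret strings quoted in this doc. Matching the literal values rather than allowlisting whole paths means a real credential pasted into one of these documents would still fire, and it also covers future triage docs that quote the same placeholder (the #444/#445 case), which a path allowlist would have to be updated for every day.

```toml
# Added example .gitleaks.toml allowlist (not PR #442's actual diff).
# Assumes gitleaks v8 configuration syntax.
title = "Raxx gitleaks config"

[extend]
useDefault = true   # keep the default rule set; this file only adds allowlists

[allowlist]
description = "Non-secrets confirmed by triage on 2026-04-25 through 2026-04-28"
# Regexes are matched against the detected secret. Allowlist the literal
# non-secret values, not the files that contain them, so that a real key or
# token added to the same documents is still reported.
regexes = [
  # #447: public URL query parameter on the ULC UETA committee page, not a credential
  '''CommunityKey=2c04b76c-2b7d-4399-977e-d5876ba7e034''',
  # #444, #445, #446: documentation placeholder showing the shape of a PEM key;
  # the \n and ... are literal characters in the runbook and triage docs
  '''-----BEGIN RSA PRIVATE KEY-----\\n\.\.\.\\n-----END RSA PRIVATE KEY-----''',
]
```

Before merging, run `gitleaks detect --config .gitleaks.toml --no-git` locally against the repo and confirm that the three known locations no longer report while a deliberately staged test key in a scratch file still does; that second check is what distinguishes a scoped allowlist from a silenced scanner.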

Carry-forward HIGHs (open, no change today)

| Issue | Area | Summary | Days open |
|---|---|---|---|
| #378 | frontend (Antlers) | Production source map publicly served | 3 — check if #438 closed this |
| #307–#312 | console | cryptography/pyopenssl/flask dep HIGHs | 3 |
| #313–#320 | frontend (Antlers) | npm audit (react-scripts, workbox, serialize-javascript) | 3 |
| #252 | infra | Heroku origin bypass (CF-Connecting-IP enforcement) | >4 — #443 open, flag off |
| #305, #306 | backend-v2, console | bandit B104 bind-all-interfaces | 3 |

Note: PR #438 (merged 2026-04-27) targeted #378 and #379 — sourcemap + manifest fixes. #378 may be closeable; not verified in this run.


Trend vs 2026-04-27

| Metric | 2026-04-27 | 2026-04-28 | Delta |
|---|---|---|---|
| CRITICAL (genuine) | 0 | 0 | 0 |
| CRITICAL (false positive noise) | 0 (did not fire) | 4 (re-fired) | +4 |
| HIGH (new today) | 1 (#430) | 0 | -1 |
| HIGH resolved | 0 | 1 (#430 via #439) | +1 |
| HIGH total open | 22 | ~21 (net: #430 closeable) | -1 |

Pattern: The false-positive CRITICAL noise re-fired after a one-day gap, this time including triage docs themselves being scanned. Workflow also filed duplicate issues (#444 and #445 for the same finding). Both are symptoms of #442 being stuck.


Slack DM status

Sent to D0AJ7K184TV at 09:15Z. Content: triage outcome, all 4 CRITICALs are FP, #442 urgency, #430 closeable.


Actions taken this run

  1. Confirmed UTC date: 2026-04-28
  2. Confirmed docs/security/scans/2026-04-28.md absent (recurring gap)
  3. Read 2026-04-25 baseline, 2026-04-26 and 2026-04-27 triage docs
  4. Read auto-filed issues #444–#447; confirmed all 4 are false positives via source code verification
  5. Verified #442 (allowlist PR) is OPEN — root cause of all 4 FP CRITICALs
  6. Verified #443 (CF origin guard PR) is OPEN — #252 exposure unchanged
  7. Verified #439 MERGED; confirmed pyjwt==2.12.0 and Markdown==3.8.1 on disk
  8. Posted triage comments on #444, #445, #446, #447
  9. Posted resolution comment on #430
  10. Sent Slack DM to Kristerpher at D0AJ7K184TV
  11. Wrote this triage doc

Tooling gaps (recurring)

  1. No docs/security/scans/2026-04-28.md — workflow must commit scan output file. 3rd consecutive day absent.
  2. #442 not merged — every day this sits open costs 3-4 false CRITICAL issues + agent triage time.
  3. Workflow deduplication gap — #444 and #445 filed for the exact same finding in one scan run. Workflow should deduplicate on (tool, file, line) before filing.
  4. Infisical rotation-cadence read not automated; last_rotated_at per credential still unread. No new rotation flags this run.
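The deduplication gap described in item 3 (and in the #444/#445 finding above) is a small piece of logic to get right: collapse findings on (tool, file, line) within one scan run, and skip keys that an earlier run already filed. The script below is an added example for this doc, not the workflow's own code. It reads findings in the shape of gitleaks' JSON report (`RuleID`, `File`, `StartLine`), and assumes a convention the workflow does not have today: each auto-filed issue carries a hidden `<!-- finding-key: tool|file|line -->` marker in its body so the next night's run can recognise it. The sample report and the sample open issue are constructed from the paths and line numbers in this doc.

```python
import json
import re
from dataclasses import dataclass

# Constructed sample report. The shape mirrors gitleaks' JSON output fields
# (RuleID, File, StartLine); paths and lines are the ones named in this doc,
# and the fourth entry is the twin finding that produced #444 and #445.
SAMPLE_GITLEAKS_REPORT = json.dumps([
    {"RuleID": "generic-api-key", "File": "docs/legal/nda-framework.md", "StartLine": 325},
    {"RuleID": "private-key", "File": "docs/ops/runbooks/agent-bot-tokens-setup.md", "StartLine": 73},
    {"RuleID": "private-key", "File": "docs/security/triage/2026-04-26.md", "StartLine": 33},
    {"RuleID": "private-key", "File": "docs/security/triage/2026-04-26.md", "StartLine": 33},
])

# Assumed convention (not something the workflow does today): each auto-filed
# issue body carries a hidden marker so later runs can recognise the finding.
KEY_MARKER = re.compile(r"<!--\s*finding-key:\s*([^|]+)\|([^|]+)\|(\d+)\s*-->")

# Constructed: an issue from an earlier cycle is still open for the NDA finding.
SAMPLE_OPEN_ISSUES = [
    {"url": "<placeholder-issue-url>",
     "body": "Auto-filed by nightly scan\n"
             "<!-- finding-key: gitleaks|docs/legal/nda-framework.md|325 -->"},
]


@dataclass(frozen=True, order=True)
class FindingKey:
    """Identity of a finding for deduplication: (tool, file, line)."""
    tool: str
    file: str
    line: int

    def marker(self) -> str:
        """Hidden body marker written into every issue this planner files."""
        return f"<!-- finding-key: {self.tool}|{self.file}|{self.line} -->"


def load_report(report_json: str, tool: str = "gitleaks") -> list[tuple[FindingKey, dict]]:
    """Parse a gitleaks JSON report into (key, finding) pairs in report order."""
    findings = json.loads(report_json)
    return [(FindingKey(tool, f["File"], int(f["StartLine"])), f) for f in findings]


def dedupe_within_run(pairs: list[tuple[FindingKey, dict]]) -> dict[FindingKey, dict]:
    """Collapse findings that share a key inside one scan run; first occurrence wins."""
    unique: dict[FindingKey, dict] = {}
    for key, finding in pairs:
        unique.setdefault(key, finding)
    return unique


def tracked_keys(open_issues: list[dict]) -> set[FindingKey]:
    """Keys already tracked by an open auto-filed issue, read from the body marker."""
    keys: set[FindingKey] = set()
    for issue in open_issues:
        for tool, file, line in KEY_MARKER.findall(issue.get("body", "")):
            keys.add(FindingKey(tool.strip(), file.strip(), int(line)))
    return keys


def plan_issues(report_json: str, open_issues: list[dict], tool: str = "gitleaks"):
    """Decide what to file. Returns (to_file, twins_collapsed, already_open)."""
    pairs = load_report(report_json, tool)
    unique = dedupe_within_run(pairs)
    already = tracked_keys(open_issues)
    to_file = [(k, f) for k, f in unique.items() if k not in already]
    already_open = [k for k in unique if k in already]
    return to_file, len(pairs) - len(unique), already_open


def issue_title(key: FindingKey, finding: dict) -> str:
    """Issue title in the assumed 'tool: rule in file:line' format."""
    return f"{key.tool}: {finding['RuleID']} in {key.file}:{key.line}"


if __name__ == "__main__":
    to_file, twins, already_open = plan_issues(SAMPLE_GITLEAKS_REPORT, SAMPLE_OPEN_ISSUES)
    print(f"collapsed {twins} in-run twin(s); {len(already_open)} already tracked")
    for key, finding in to_file:
        print("would file:", issue_title(key, finding))
        print("  body marker:", key.marker())
```

On the sample input the planner collapses the #444/#445 twin into one finding, skips the NDA finding because an open issue already carries its marker, and files two issues (the runbook placeholder and the triage-doc placeholder). Keying on the line number means a finding that moves when the file is edited will be filed again; that is the trade-off this doc's proposed (tool, file, line) key accepts, and it is the reason the allowlist fix in #442 remains the primary remedy rather than deduplication.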