Triage run: 2026-04-29T10:40:00Z (UTC)
Scan source: GH Actions nightly scan (08:07 UTC), workflow run 25099895216, auto-filed issues
Scan report: docs/security/scans/2026-04-29.md — ABSENT (recurring workflow gap; issues filed but doc not committed to repo — same pattern as 2026-04-26/27/28)
Triaged by: security-agent (claude-sonnet-4-6)
Slack DM sent: No — see rationale below
docs/security/scans/2026-04-29.md not present in repo. Triage performed against:
- Auto-filed issues #527 and #528 (today's scan, workflow run 25099895216)
- 2026-04-28 triage doc for trend comparison
- Baseline at docs/security/scans/2026-04-25.md
Recurring gap: workflow creates issues but does not commit the scan output doc. Now the 4th consecutive day without a committed scan file. See tooling gaps.
| Severity (as filed) | Count | Triage verdict | After triage |
|---|---|---|---|
| CRITICAL | 1 (#527) | Downgraded — not a credential | MEDIUM |
| HIGH | 1 (#528) | Downgraded — CVSS 6.9 below HIGH threshold | MEDIUM |
| MEDIUM (new today) | 0 | n/a | — |
| HIGH carry-forward | ~16 open | No change today | — |
No genuine CRITICAL findings. No new HIGH findings. No Slack DM sent.
Issue #527 (gitleaks: generic-api-key, terraform/freescout/terraform.tfvars:31)
Filed by: nightly workflow (auto-filed as CRITICAL)
Verdict: Downgraded to MEDIUM — not a credential; infra ID hardcoding concern
What was matched. gitleaks generic-api-key rule matched the 32-char hex string cf_access_account_id = "22b5c35090724fbf05db6d4f501ac821" at line 31 of terraform/freescout/terraform.tfvars. The file was introduced in commit 55fa9eb (FreeScout IaC) with placeholder REPLACE_WITH_CF_ACCOUNT_ID and updated in 69993ff with the real value.
Source-code verification. Both values in that file are Cloudflare infrastructure namespace identifiers:
- cloudflare_zone_id = "f12dbb5cac57d5591a5058874498a6d1" — Zone ID for raxx.app
- cf_access_account_id = "22b5c35090724fbf05db6d4f501ac821" — CF Account ID
These are NOT API tokens. They cannot authenticate to the Cloudflare API on their own; they only name the account and zone that an already-authenticated token operates on. The Zone ID is derivable from public DNS. The Account ID is visible to anyone with access to the Cloudflare dashboard for raxx.app. The file's own comment acknowledges the tradeoff: "not a secret but not committed to avoid hardcoding infra IDs that could drift." Note that 69993ff committed the real values anyway, so the file no longer matches its own stated intent; the concern the comment raises is drift, not secrecy.
Residual risk. MEDIUM: these IDs could provide minor fingerprinting signal and could assist a targeted attacker who independently has a Cloudflare API token. No rotation required. No blast radius from the commit itself.
This is a NEW finding (first appearance of terraform.tfvars in gitleaks hits). Distinct from the known FP pattern that #442 addressed. The allowlist in #442 does not cover this pattern.
Routing. Operator policy decision: either (a) accept and add a .gitleaks.toml allowlist entry for CF Zone ID / Account ID patterns in terraform files, or (b) restore placeholders and inject values via env vars / Infisical at terraform plan time.
Label changes: severity:critical removed, severity:medium-low added, area:devops added. Comment posted: #527 comment
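The verification step above (is this 32-hex value a credential or a namespace ID?) and routing option (a) can both be mechanised. The following is an added example, not code from the raxx.app repository or its nightly workflow: it classifies every quoted assignment in a .tfvars file by variable name, flags 32-hex values bound to unrecognised variables for review, and derives a .gitleaks.toml allowlist regex that is anchored on the accepted variable names rather than on the hex shape. The accepted-variable set, the helper names and the sample tfvars text are assumptions constructed for the example; the hex values are dummies.

```python
"""Added example (not from the raxx.app repo or its nightly workflow): triage a
gitleaks generic-api-key hit in a Terraform .tfvars file by variable name, and
derive a narrow .gitleaks.toml allowlist regex for the accepted infra-ID variables.
Assumed: CF_INFRA_ID_VARS is the set of variables the operator accepts as
non-credential Cloudflare identifiers; the sample tfvars text is constructed."""
import re

# Assumption: these variables carry Cloudflare zone/account IDs, which are
# namespace identifiers rather than credentials (they cannot call the API alone).
CF_INFRA_ID_VARS = frozenset({"cloudflare_zone_id", "cf_access_account_id"})

# name = "value"  (HCL string assignment; comments and unquoted values are skipped)
ASSIGN_RE = re.compile(r'^\s*(?P<name>[A-Za-z_][A-Za-z0-9_]*)\s*=\s*"(?P<value>[^"]*)"')
HEX32_RE = re.compile(r"^[0-9a-f]{32}$")  # the shape gitleaks' generic rule fired on


def classify_tfvars(text):
    """Return [(line_no, var_name, verdict)] for each quoted assignment.

    verdicts: 'infra-id'    32-hex value bound to an accepted CF identifier variable
              'placeholder' value still reads REPLACE_WITH_* (nothing real committed)
              'review'      32-hex value bound to a variable we do not recognise
              'ignore'      anything else
    """
    rows = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = ASSIGN_RE.match(line)
        if not m:
            continue
        name, value = m.group("name"), m.group("value")
        if value.startswith("REPLACE_WITH_"):
            verdict = "placeholder"
        elif HEX32_RE.match(value):
            verdict = "infra-id" if name in CF_INFRA_ID_VARS else "review"
        else:
            verdict = "ignore"
        rows.append((line_no, name, verdict))
    return rows


def needs_review(text):
    """True if any 32-hex value is bound to a variable outside the accepted set."""
    return any(v == "review" for _, _, v in classify_tfvars(text))


def gitleaks_allowlist_regex(var_names):
    """Regex for the `regexes` list of a .gitleaks.toml allowlist.

    It anchors on the variable name so only these assignments are suppressed,
    not every 32-hex string in the file. Assumption: paired with
    regexTarget = "line" (gitleaks 8.x) so the whole line is tested, not just
    the captured secret.
    """
    names = "|".join(sorted(re.escape(v) for v in var_names))
    return rf'(?m)^\s*(?:{names})\s*=\s*"[0-9a-f]{{32}}"'


def allowlist_hits(text, var_names):
    """How many lines of `text` the generated allowlist regex would suppress."""
    return len(re.findall(gitleaks_allowlist_regex(var_names), text))


# Constructed sample in the shape of terraform/freescout/terraform.tfvars;
# the hex values are dummies, not the repository's real IDs.
SAMPLE_TFVARS = """\
# freescout cloudflare access
cloudflare_zone_id    = "0123456789abcdef0123456789abcdef"
cf_access_account_id  = "fedcba9876543210fedcba9876543210"
freescout_db_password = "REPLACE_WITH_DB_PASSWORD"
freescout_api_key     = "00112233445566778899aabbccddeeff"
region                = "eu"
"""

if __name__ == "__main__":
    for line_no, name, verdict in classify_tfvars(SAMPLE_TFVARS):
        print(f"{line_no:>3}  {name:<22} {verdict}")
    print("needs_review:", needs_review(SAMPLE_TFVARS))
    print("allowlist regex:", gitleaks_allowlist_regex(CF_INFRA_ID_VARS))
```

The point of anchoring the allowlist on variable names is that a bare `[0-9a-f]{32}` suppression would also hide the `freescout_api_key` line in the sample, which is exactly the kind of hit the scanner exists to catch. For option (b), the same variables would instead be left at their REPLACE_WITH_* placeholders in the committed file and supplied at plan time through Terraform's TF_VAR_<name> environment variables, which the classifier reports as 'placeholder'.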
Issue #528 (pip-audit: GHSA-p423-j2cm-9vmq in cryptography==46.0.6)
Filed by: nightly workflow (auto-filed as HIGH)
Verdict: Downgraded to MEDIUM — CVSS 6.9 is below the 7.0 HIGH threshold
Advisory. GHSA-p423-j2cm-9vmq / CVE-2026-39892:
- CVSS: 6.9 (Moderate per NVD)
- Affected: cryptography >=45.0.0, <46.0.7
- Fixed in: 46.0.7
- Vulnerability: buffer overflow when non-contiguous buffers are passed to Hash.update(). Primarily affects Python 3.11+.
Context. The 2026-04-25 baseline flagged cryptography==42.0.8 (HIGH, 4 CVEs, issue #288). Dep-hygiene work (#419, merged 2026-04-26) bumped to cryptography==46.0.6, resolving the prior 4 HIGH CVEs. The new version is itself inside the affected range of a different advisory, at CVSS 6.9. Net direction is positive (multiple HIGH CVEs replaced by one MEDIUM). The affected manifest is console/requirements.txt.
Per agent-spec severity tiers, HIGH = CVSS 7-9. CVSS 6.9 falls below the 7.0 threshold, so the finding is downgraded from HIGH to MEDIUM.
Routing. feature-developer: bump cryptography to >=46.0.7,<47 in console/requirements.txt. Confirm no breaking API changes in Hash.update() paths used by the console app.
Label changes: severity:high removed, severity:medium-low added, area:backend-v2 added (note: affected file is console/requirements.txt; no area:console label exists — area:backend-v2 is closest). Comment posted: #528 comment
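Before accepting the bump it is worth checking three things mechanically: that the current pin really sits inside the advisory's affected range, that the proposed constraint rejects that pin, and that it admits the fixed release. The following is an added example, not code from the raxx.app repository or the console app: a standard-library version-range check run over a constructed requirements.txt sample. Versions are assumed to be plain dotted numerics (no pre-release tags); the function and sample names are assumptions.

```python
"""Added example (not from the raxx.app repo): check a requirements.txt pin
against a pip-audit advisory range and confirm the proposed constraint both
excludes the vulnerable pin and admits the fixed release. Standard library only;
versions are assumed to be plain dotted numerics (no pre-release tags).
The requirements text is a constructed sample."""
import re

_OPS = {
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    ">=": lambda a, b: a >= b,
    ">":  lambda a, b: a > b,
    "<=": lambda a, b: a <= b,
    "<":  lambda a, b: a < b,
}
_CLAUSE_RE = re.compile(r"^(==|!=|>=|<=|>|<)\s*([0-9]+(?:\.[0-9]+)*)$")


def parse_version(v):
    """'46.0.6' -> (46, 0, 6); shorter versions are padded so '47' == (47, 0, 0)."""
    parts = [int(p) for p in v.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def satisfies(version, spec):
    """True if `version` meets every comma-separated clause of `spec`
    (e.g. '>=45.0.0,<46.0.7'). Raises ValueError on unsupported syntax."""
    ver = parse_version(version)
    for clause in spec.split(","):
        m = _CLAUSE_RE.match(clause.strip())
        if not m:
            raise ValueError(f"unsupported specifier clause: {clause!r}")
        op, rhs = m.groups()
        if not _OPS[op](ver, parse_version(rhs)):
            return False
    return True


def pinned_version(requirements_text, package):
    """Return the '==' pin for `package` in requirements.txt text, or None."""
    rx = re.compile(rf"^\s*{re.escape(package)}\s*==\s*([0-9]+(?:\.[0-9]+)*)",
                    re.IGNORECASE | re.MULTILINE)
    m = rx.search(requirements_text)
    return m.group(1) if m else None


def triage_pip_finding(requirements_text, package, affected_spec, fixed_version, proposed_spec):
    """Summarise what a reviewer needs before accepting a bump: is the current
    pin inside the advisory range, does the proposed constraint reject that pin,
    and does it accept the fixed release."""
    pin = pinned_version(requirements_text, package)
    if pin is None:
        return {"pinned": None}
    return {
        "pinned": pin,
        "pin_affected": satisfies(pin, affected_spec),
        "pin_allowed_by_proposed": satisfies(pin, proposed_spec),
        "fixed_affected": satisfies(fixed_version, affected_spec),
        "fixed_allowed_by_proposed": satisfies(fixed_version, proposed_spec),
    }


# Constructed sample in the shape of console/requirements.txt
SAMPLE_REQUIREMENTS = """\
# console service dependencies
Django==5.1.4
cryptography==46.0.6
requests==2.32.3
"""

if __name__ == "__main__":
    result = triage_pip_finding(
        SAMPLE_REQUIREMENTS, "cryptography",
        affected_spec=">=45.0.0,<46.0.7", fixed_version="46.0.7",
        proposed_spec=">=46.0.7,<47",
    )
    for key, value in result.items():
        print(f"{key:<26} {value}")
```

The same check applied to the old 42.0.8 pin shows it is outside this advisory's range, which is consistent with #319 tracking a different CVE against that version; it does not by itself say whether #319 is closeable, only that the two findings should not be conflated.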
| Finding | Issue filed? | Filed by | Action |
|---|---|---|---|
| gitleaks: generic-api-key terraform/freescout/terraform.tfvars:31 | Yes — #527 | workflow | Triage comment added; downgraded to MEDIUM |
| pip-audit: GHSA-p423-j2cm-9vmq in cryptography==46.0.6 | Yes — #528 | workflow | Triage comment added; downgraded to MEDIUM |
No untracked CRITICAL/HIGH findings. 0 new issues filed by this triage agent.
None. All 18 open type:security issues have activity within the last 5 days. The repo baseline was established 2026-04-25 (4 days ago); no issues have crossed the 7-day threshold yet.
First check of stale threshold will be relevant starting 2026-05-01.
PR #442 (.gitleaks.toml allowlist for 3 known FP locations) was merged 2026-04-28T16:18:44Z. Today's scan ran AFTER the merge, and the 3 previously recurring FP CRITICALs (nda-framework.md:325, agent-bot-tokens-setup.md:73, triage doc RSA placeholder) did NOT fire today. The allowlist is working.
The terraform.tfvars finding (#527) is a net-new gitleaks hit for a location NOT covered by #442. A follow-up allowlist entry or env-var injection is needed.
| Issue | Area | Summary | Days open | Status |
|---|---|---|---|---|
| #320 | frontend (Antlers) | trivy: GHSA-5c6j-r48x-rmvq serialize-javascript@6.0.2 | 4 | open |
| #319 | backend-v2 | trivy: CVE-2026-26007 cryptography@42.0.8 | 4 | open — NOTE: cryptography was bumped to 46.0.6 in #419; verify whether #319 is now closeable |
| #318 | frontend (Antlers) | npm audit: workbox-webpack-plugin | 4 | open |
| #317 | frontend (Antlers) | npm audit: workbox-build | 4 | open |
| #316 | frontend (Antlers) | npm audit: serialize-javascript | 4 | open |
| #315 | frontend (Antlers) | npm audit: rollup-plugin-terser | 4 | open |
| #314 | frontend (Antlers) | npm audit: react-scripts | 4 | open |
| #251 | infra | Security H3: rotate HEROKU_API_KEY | 5 | open |
| #249 | infra | Self-hosted secrets vault (Infisical) | 5 | open |
Note: #319 tracks CVE-2026-26007 against cryptography@42.0.8. Per #419 (merged 2026-04-26), cryptography was bumped to 46.0.6. If the bump is confirmed in the affected manifest, #319 may be closeable. Routing the flag to feature-developer to verify and recommend close.
| Metric | 2026-04-28 | 2026-04-29 | Delta |
|---|---|---|---|
| CRITICAL (genuine) | 0 | 0 | 0 |
| CRITICAL auto-filed | 4 (all FP) | 1 (downgraded to MEDIUM) | -3 |
| HIGH (new today, genuine) | 0 | 0 | 0 |
| HIGH carry-forward | ~21 | ~16 (some closed since 2026-04-28) | -5 |
| FP suppressed by .gitleaks.toml | 0 | 3 (nda-framework, runbook, triage-doc) | +3 |
Positive signal: #442 merged and working. FP noise substantially reduced. Net-new finding today (terraform.tfvars) is a MEDIUM-severity infra hygiene item, not a credential.
Not sent. Today's auto-filed CRITICAL (#527) was downgraded to MEDIUM after source-code verification. No genuine CRITICAL findings today. Per agent spec: "Do NOT spam — if no new CRITICAL, no DM."
Zero. Both findings were already auto-filed by the workflow. No gap in coverage found.
Sources consulted:
- docs/security/scans/2026-04-25.md (baseline) and docs/security/triage/2026-04-28.md (prior triage)
- docs/security/scans/2026-04-29.md absent — recurring gap, 4th consecutive day
- console/requirements.txt pins cryptography==46.0.6 (confirms #528 affected file)
Tooling gaps:
- docs/security/scans/2026-04-29.md — workflow must commit scan output file. 4th consecutive day absent. Root cause: workflow writes to runner filesystem only, not repo. Fix: add a git commit + push step to the workflow for the scan output. Route: sre-agent / operator.
- .gitleaks.toml: add an allowlist entry for cloudflare_zone_id / cf_access_account_id patterns in terraform vars, or inject values at plan time. This will re-fire nightly until addressed.
- last_rotated_at per credential still unread. Now 4 days overdue from first baseline.