Skip to content

fix(scanner): reject unsupported AI security claims#7

Merged
Param-10 merged 1 commit into
mainfrom
codex/polaris-false-positive-gates
Jun 24, 2026
Merged

fix(scanner): reject unsupported AI security claims#7
Param-10 merged 1 commit into
mainfrom
codex/polaris-false-positive-gates

Conversation

@Param-10

Copy link
Copy Markdown
Owner

Summary

  • reject unresolved action-version freshness claims for immutable full-SHA references
  • distinguish npm stage publish from direct npm publish using parsed command arguments
  • require unqualified reviewer approval before accepting AI-only findings
  • reject remediations that weaken action pinning, bypass staged approval, introduce duplicate YAML keys, or add deterministic findings
  • add a deterministic high-severity rule for direct npm publication with a long-lived repository token

Root cause

AI-only findings were accepted when the reviewer marked their evidence valid even if the final remediation recommendation was reject. Polaris also lacked semantic guards for staged npm publishing and external version-freshness claims.

Verification

  • original backend suite: 42/42 passed
  • reliability suite: 29/29 passed
  • exact release-workflow regression: 0 accepted findings
  • Python compilation and diff checks passed

Security outcome

The false fixes can no longer become applicable: Polaris rejects full-SHA-to-tag downgrades and staged-to-direct publishing changes before commit.

@vercel

vercel Bot commented Jun 24, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
polaris Ready Ready Preview, Comment Jun 24, 2026 1:40am

@Param-10 Param-10 merged commit e66d75b into main Jun 24, 2026
5 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant