Compliance audit — 2026-06-05

[don-petry]

Compliance Audit — 2026-06-05

This umbrella issue tracks all findings from the automated compliance audit run on 2026-06-05.
Findings are grouped by remediation category. Address each category together to avoid duplicate agent PRs.

Total findings: 109 across 8 repositories

---

Remediation Work Breakdown

Repository Settings (26 finding(s))

Remediation: apply-repo-settings.sh
Affected repos: .github, .github-private, ContentTwin, TalkTerm, bmad-bgreat-suite, broodly, google-app-scripts, markets

Repo	Check	Severity
.github-private	codeowners-org-leads-not-first	error
.github-private	codeowners-no-catchall	warning
.github-private	check-suite-auto-trigger-1236702	error
.github-private	check-suite-auto-trigger-347564	error
broodly	codeowners-org-leads-not-first	error
broodly	codeowners-no-catchall	warning
broodly	check-suite-auto-trigger-1236702	error
broodly	check-suite-auto-trigger-347564	error
TalkTerm	codeowners-org-leads-not-first	error
TalkTerm	codeowners-no-catchall	warning
TalkTerm	check-suite-auto-trigger-1236702	error
TalkTerm	check-suite-auto-trigger-347564	error
ContentTwin	codeowners-org-leads-not-first	error
ContentTwin	codeowners-no-catchall	warning
ContentTwin	check-suite-auto-trigger-1236702	error
ContentTwin	check-suite-auto-trigger-347564	error
markets	check-suite-auto-trigger-1236702	error
markets	check-suite-auto-trigger-347564	error
google-app-scripts	check-suite-auto-trigger-1236702	error
google-app-scripts	check-suite-auto-trigger-347564	error
bmad-bgreat-suite	check-suite-auto-trigger-1236702	error
bmad-bgreat-suite	check-suite-auto-trigger-347564	error
.github	codeowners-org-leads-not-first	error
.github	codeowners-no-catchall	warning
.github	check-suite-auto-trigger-1236702	error
.github	check-suite-auto-trigger-347564	error

Push Protection & Secret Scanning (18 finding(s))

Remediation: apply-repo-settings.sh (security_and_analysis) + per-repo ci.yml and .gitignore
Affected repos: .github, .github-private, ContentTwin, TalkTerm, bmad-bgreat-suite, broodly, google-app-scripts, markets

Repo	Check	Severity
.github-private	secret_scanning_ai_detection	warning
.github-private	secret_scanning_non_provider_patterns	warning
broodly	secret_scanning_ai_detection	warning
broodly	secret_scanning_non_provider_patterns	warning
TalkTerm	secret_scanning_ai_detection	warning
TalkTerm	secret_scanning_non_provider_patterns	warning
ContentTwin	secret_scanning_ai_detection	warning
ContentTwin	secret_scanning_non_provider_patterns	warning
ContentTwin	gitignore_secrets_block	warning
markets	secret_scanning_ai_detection	warning
markets	secret_scanning_non_provider_patterns	warning
markets	secret_scan_ci_job_present	error
google-app-scripts	secret_scanning_ai_detection	warning
google-app-scripts	secret_scanning_non_provider_patterns	warning
bmad-bgreat-suite	secret_scanning_ai_detection	warning
bmad-bgreat-suite	secret_scanning_non_provider_patterns	warning
.github	secret_scanning_ai_detection	warning
.github	secret_scanning_non_provider_patterns	warning

Workflows (45 finding(s))

Remediation: per-repo workflow additions
Affected repos: .github-private, ContentTwin, TalkTerm, bmad-bgreat-suite, broodly, google-app-scripts, markets

Repo	Check	Severity
.github-private	missing-permissions-issue-triage-runner.yml	warning
.github-private	ci-concurrency-missing-sha	warning
.github-private	non-stub-dev-lead.yml	error
.github-private	non-stub-auto-rebase.yml	error
.github-private	non-stub-dependency-audit.yml	error
.github-private	non-stub-dependabot-automerge.yml	error
.github-private	non-stub-agent-shield.yml	error
broodly	non-stub-dev-lead.yml	error
broodly	non-stub-auto-rebase.yml	error
broodly	non-stub-dependency-audit.yml	error
broodly	non-stub-dependabot-automerge.yml	error
broodly	non-stub-dependabot-rebase.yml	error
broodly	non-stub-agent-shield.yml	error
broodly	non-stub-feature-ideation.yml	error
TalkTerm	non-stub-dev-lead.yml	error
TalkTerm	non-stub-auto-rebase.yml	error
TalkTerm	non-stub-dependabot-rebase.yml	error
TalkTerm	non-stub-feature-ideation.yml	error
ContentTwin	non-stub-dev-lead.yml	error
ContentTwin	non-stub-auto-rebase.yml	error
ContentTwin	non-stub-dependency-audit.yml	error
ContentTwin	non-stub-dependabot-automerge.yml	error
ContentTwin	non-stub-dependabot-rebase.yml	error
ContentTwin	non-stub-agent-shield.yml	error
markets	non-stub-dev-lead.yml	error
markets	non-stub-auto-rebase.yml	error
markets	non-stub-dependency-audit.yml	error
markets	non-stub-dependabot-automerge.yml	error
markets	non-stub-dependabot-rebase.yml	error
markets	non-stub-agent-shield.yml	error
markets	non-stub-feature-ideation.yml	error
markets	non-stub-pr-review-mention.yml	error
google-app-scripts	non-stub-dev-lead.yml	error
google-app-scripts	non-stub-auto-rebase.yml	error
google-app-scripts	non-stub-dependency-audit.yml	error
google-app-scripts	non-stub-dependabot-automerge.yml	error
google-app-scripts	non-stub-dependabot-rebase.yml	error
google-app-scripts	non-stub-agent-shield.yml	error
google-app-scripts	non-stub-feature-ideation.yml	error
google-app-scripts	non-stub-pr-review-mention.yml	error
bmad-bgreat-suite	non-stub-dev-lead.yml	error
bmad-bgreat-suite	non-stub-dependency-audit.yml	error
bmad-bgreat-suite	non-stub-dependabot-automerge.yml	error
bmad-bgreat-suite	non-stub-dependabot-rebase.yml	error
bmad-bgreat-suite	non-stub-agent-shield.yml	error

Action SHA Pinning (2 finding(s))

Remediation: pin actions to SHA in each workflow file
Affected repos: .github-private

Repo	Check	Severity
.github-private	unpinned-actions-deploy-pr-review.yml	error
.github-private	unpinned-actions-force-deploy-pr-review.yml	error

Dependabot Configuration (3 finding(s))

Remediation: per-repo .github/dependabot.yml
Affected repos: .github-private

Repo	Check	Severity
.github-private	missing-github-actions-ecosystem	error
.github-private	missing-security-label	warning
.github-private	missing-dependencies-label	warning

Agent Standards (CLAUDE.md / AGENTS.md / copilot-setup-steps.yml) (15 finding(s))

Remediation: per-repo doc and workflow additions
Affected repos: .github, .github-private, ContentTwin, TalkTerm, bmad-bgreat-suite, broodly, google-app-scripts, markets

Repo	Check	Severity
.github-private	claude-md-missing-agents-ref	error
.github-private	copilot-setup-steps-invalid-job-name	error
broodly	copilot-setup-steps-invalid-job-name	error
broodly	copilot-instructions-missing-tech-stack	warning
broodly	copilot-instructions-missing-local-dev-commands	warning
TalkTerm	copilot-setup-steps-invalid-job-name	error
TalkTerm	copilot-instructions-missing-tech-stack	warning
TalkTerm	copilot-instructions-missing-local-dev-commands	warning
ContentTwin	copilot-setup-steps-invalid-job-name	error
markets	copilot-setup-steps-invalid-job-name	error
google-app-scripts	copilot-setup-steps-invalid-job-name	error
google-app-scripts	copilot-instructions-missing-tech-stack	warning
google-app-scripts	copilot-instructions-missing-local-dev-commands	warning
bmad-bgreat-suite	copilot-setup-steps-invalid-job-name	error
.github	copilot-setup-steps-invalid-job-name	error

---

Generated by the weekly compliance audit on 2026-06-05 15:13 UTC.
Address each remediation category as a single coordinated PR to avoid duplicate agent work.

[don-petry]

Dev-Lead Implementation Plan

Issue: #398 — Compliance audit — 2026-06-05

Scope

Fix the 7 compliance findings for the petry-projects/.github repository from the 2026-06-05 audit: create the missing copilot-setup-steps.yml workflow with the correct job name, and apply GitHub API-level repository settings (check-suite auto-trigger and secret scanning).

Findings Addressed (.github repo only)

Check	Severity	Remediation
codeowners-org-leads-not-first	error	CODEOWNERS already correct (* @petry-projects/org-leads) — stale finding
codeowners-no-catchall	warning	CODEOWNERS already correct (has * catch-all) — stale finding
check-suite-auto-trigger-1236702	error	apply-repo-settings.sh .github
check-suite-auto-trigger-347564	error	apply-repo-settings.sh .github
secret_scanning_ai_detection	warning	apply-repo-settings.sh .github
secret_scanning_non_provider_patterns	warning	apply-repo-settings.sh .github
copilot-setup-steps-invalid-job-name	error	Create .github/workflows/copilot-setup-steps.yml from standards template

Implementation Checklist

• Create .github/workflows/copilot-setup-steps.yml from standards/workflows/copilot-setup-steps.yml template (job name must be copilot-setup-steps)
• Run bash scripts/apply-repo-settings.sh .github to fix check-suite auto-trigger and secret scanning settings

Tests to Write

Exception: These are pure configuration/API-settings changes with no observable behavioral change testable in this repo's test framework. TDD phase is skipped per AGENTS.md exception rule. Compliance verification is done by re-checking the audit findings directly after applying changes.

Test Command

bash .dev-lead/scripts/dev-lead-lint.sh

[don-petry]

Dev-Lead: Implementation Complete

Plan Execution

• Posted implementation plan (Phase 1)
• Skipped TDD phase (Phase 2) — pure configuration/API-settings changes with no behavioral change testable in this repo's test framework; noted as exception per AGENTS.md
• Created .github/workflows/copilot-setup-steps.yml from standards template with correct job name copilot-setup-steps
• Ran apply-repo-settings.sh .github — fixed secret_scanning_ai_detection (null → enabled) and secret_scanning_non_provider_patterns (disabled → enabled)
• Fixed check-suite auto-trigger preferences via direct PATCH API call (GET /check-suites/preferences returns 404 on this repo, PATCH succeeded and confirmed both app_id 1236702 and 347564 set to false)
• Verified CODEOWNERS is already compliant (* @petry-projects/org-leads) — codeowners-org-leads-not-first and codeowners-no-catchall findings were stale
• All lint checks pass (bash .dev-lead/scripts/dev-lead-lint.sh)

Findings Addressed

Check	Severity	Resolution
codeowners-org-leads-not-first	error	Already correct — * @petry-projects/org-leads present; finding was stale
codeowners-no-catchall	warning	Already correct — * catch-all present; finding was stale
check-suite-auto-trigger-1236702	error	Fixed via PATCH /repos/petry-projects/.github/check-suites/preferences → setting: false
check-suite-auto-trigger-347564	error	Fixed via same PATCH call → setting: false
secret_scanning_ai_detection	warning	Fixed via apply-repo-settings.sh — null → enabled
secret_scanning_non_provider_patterns	warning	Fixed via apply-repo-settings.sh — disabled → enabled
copilot-setup-steps-invalid-job-name	error	Fixed by creating .github/workflows/copilot-setup-steps.yml with job name copilot-setup-steps

Test Results

  [lint] shellcheck on 9 file(s)...
  [lint] all checks passed

Files Changed

• .github/workflows/copilot-setup-steps.yml: Created from standards/workflows/copilot-setup-steps.yml template; .github repo has no language stack (shell scripts only), so only checkout and verify-environment steps are included

Notes

• The check-suite preferences GET endpoint returns 404 on this repo (GitHub quirk when no prior check suites exist), but PATCH succeeds and the response confirmed app_id 1236702 and app_id 347564 are now setting: false.
• CODEOWNERS findings were stale — the file already contained * @petry-projects/org-leads which satisfies both codeowners-org-leads-not-first and codeowners-no-catchall checks.
• API-level settings changes (check-suite prefs, secret scanning) are live immediately; they do not require a PR merge.

[don-petry]

Resolved! This check is now passing as of 2026-06-10. Closing automatically.