Summary
The engineering-practices audit reports 216 open Dependabot alerts and 36 open secret-scanning alerts across the org. CodeQL and GitHub default code scanning are explicitly excluded from this practice; this issue is only for the bounded dependency and secret-alert backlog.
Why it matters
The new audit gives us a single live signal, but the backlog still needs ownership and burn-down. Critical/high dependency issues and open secret alerts remain operational risk even now that repo rails are in place.
What to do
- Export the current Dependabot critical/high alert list and secret-scanning alert list from the audit source.
- Group by owning repo and by fix type: version bump, replacement, accepted risk, revoked/rotated secret, or false positive.
- File or link repo-scoped PRs/issues for the real fixes.
- Keep this bounded to Dependabot and secret scanning; do not enable CodeQL or default code scanning.
Acceptance criteria
- Every critical/high Dependabot alert has a linked fix, suppression rationale, or owner.
- Every open secret-scanning alert has a linked rotation/revocation/false-positive disposition.
- The engineering-practices audit can report zero critical/high dependency alerts and zero untriaged secret alerts, or explain explicit accepted-risk exceptions.
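A small triage helper for the export-and-group step and the acceptance checks above, added here as an illustration rather than tooling from this repo; the alert records are constructed and their field names (repo, severity, disposition, link, owner) are an assumption, not the GitHub API schema.

```python
"""Triage the bounded Dependabot / secret-scanning backlog described in this issue.
Alert records are constructed samples; field names are an assumption, not the
GitHub REST schema. Disposition values mirror the fix types the issue lists."""
from collections import defaultdict

# Constructed sample export (assumed fields: repo, severity, disposition, link, owner).
DEPENDABOT_ALERTS = [
    {"repo": "org/api", "severity": "critical", "disposition": "version bump", "link": "org/api#101", "owner": "alice"},
    {"repo": "org/api", "severity": "high", "disposition": None, "link": None, "owner": None},
    {"repo": "org/web", "severity": "high", "disposition": "accepted risk", "link": None, "owner": "bob"},
    {"repo": "org/web", "severity": "medium", "disposition": None, "link": None, "owner": None},
]
SECRET_ALERTS = [
    {"repo": "org/api", "disposition": "rotated", "link": "org/api#102"},
    {"repo": "org/infra", "disposition": None, "link": None},
]

SUPPRESSION_RATIONALES = ("accepted risk", "false positive")
SECRET_DISPOSITIONS = ("rotated", "revoked", "false positive")


def group_by_repo_and_fix(alerts):
    """Bucket alerts by owning repo, then by fix type ('untriaged' when none is set)."""
    groups = defaultdict(lambda: defaultdict(int))
    for alert in alerts:
        groups[alert["repo"]][alert.get("disposition") or "untriaged"] += 1
    return {repo: dict(kinds) for repo, kinds in groups.items()}


def dependabot_gaps(alerts):
    """Critical/high alerts with no linked fix, no suppression rationale and no owner."""
    return [a for a in alerts
            if a["severity"] in ("critical", "high")
            and not (a.get("link") or a.get("disposition") in SUPPRESSION_RATIONALES or a.get("owner"))]


def secret_gaps(alerts):
    """Open secret alerts lacking a rotation, revocation or false-positive disposition."""
    return [a for a in alerts if a.get("disposition") not in SECRET_DISPOSITIONS]


def audit_report(dep_alerts, sec_alerts):
    """What the audit can report: untriaged counts, explicit exceptions, and a clean flag."""
    dep, sec = dependabot_gaps(dep_alerts), secret_gaps(sec_alerts)
    exceptions = [a for a in dep_alerts if a.get("disposition") == "accepted risk"]
    return {"untriaged_critical_high": len(dep), "untriaged_secrets": len(sec),
            "accepted_risk_exceptions": len(exceptions), "clean": not dep and not sec}
```

Feed it the real export instead of the sample lists and file one repo-scoped issue per non-empty bucket from group_by_repo_and_fix.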