docs(security-analysis): document OSV-Scanner as merge_group dependency-CVE check (#168)

[williaby]

Summary

Closes #168 by reframing the merge_group dependency-CVE coverage in workflow-templates/python-security-analysis.yml from "known limitation" to explicit design decision. The runtime behavior is unchanged; the prior framing wrongly implied a coverage gap that a future maintainer might try to "fix."

This branch has two commits:

1. b514fb0 Point the CRITICAL block at the correct followup issue (Add osv-scanner dependency check on merge_group events #168 instead of "Enable GitHub merge_queue for repos with auto-merging dep bumps #154 followup").
2. d7ecaf3 Document OSV-Scanner as the canonical merge_group dependency-CVE check and add a role marker above the osv-scanner job. Closes Add osv-scanner dependency check on merge_group events #168.

Architectural reframe

• actions/dependency-review-action remains pull_request-only by design. It requires PR base/head SHAs from a pull_request context and provides PR-time affordances (GPL-2.0/3.0 deny-license enforcement, PR comment summary) that apply at review time, not to speculative merge refs.
• OSV-Scanner is the canonical merge_group dependency-CVE check. The osv-scanner job has no event_name filter, so it already fires on both pull_request and merge_group and feeds the security-gate aggregator via needs:.
• merge_group SAST and dependency coverage is therefore CodeQL + Bandit + OSV-Scanner + OWASP Dependency-Check. dependency-review layers PR-time license policy and comment summary on top of that baseline at PR review time.

Resolved license-enforcement question

The handoff audit raised one open question: is GPL-2.0/3.0 license enforcement on merge_group runs a hard requirement?

Answer: no. python-sbom.yml's license-compliance job is fail-on-forbidden-licenses: false (warn-only) and only runs on push:main / release / weekly schedule. dependency-review-action's deny-licenses: GPL-2.0, GPL-3.0 is therefore the only fail-on license policy in the repo, and it lives at PR review time. The queued PR's deps were already enforced at that gate; replicating the check on the speculative merge ref would add no security signal because license findings are PR-review policy, not exploitable speculative-merge regressions.

Verification

Local:

• pre-commit run --files workflow-templates/python-security-analysis.yml passes (yamllint, no-em-dash, secrets, markdownlint, commitizen, etc.)
• Signed commit (-S) on both commits
• Diff confirms no functional change: dependency-security job's if: is unchanged, osv-scanner job's if: is unchanged

Deferred to #154 rollout:

• End-to-end validation requires merge_queue enabled on a consumer repo. Confirm via gh api repos/<org>/<repo>/commits/<sha>/check-runs that the OSV Vulnerability Scanner check appears on a merge_group ref. Record that confirmation in Enable GitHub merge_queue for repos with auto-merging dep bumps #154, not here.

Audit trail

Adds docs/audits/2026-05-26-issue-168-merge-group-security-handoff.md, the handoff document that walks through the three candidate approaches, picks Option 1 (comment-only), and records the architectural reasoning and the license question's resolution.

References

• Closes Add osv-scanner dependency check on merge_group events #168
• Unblocks Enable GitHub merge_queue for repos with auto-merging dep bumps #154 (merge_queue per-repo rollout)
• Builds on feat(workflow-templates): add merge_group trigger for GitHub merge queue #163 (added merge_group: triggers to 9 templates)
• Standards manifest: CI-040 (merge_group required)

Generated with Claude Code

Summary by CodeRabbit

• Documentation
  • Updated security workflow documentation to clarify dependency vulnerability scanning coverage during merge queue processing.
  • Added audit documentation detailing security coverage behavior and verification procedures for merged references.

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds a detailed audit handoff document for Issue #168 and updates inline comments in workflow-templates/python-security-analysis.yml to document that actions/dependency-review-action is pull_request-only and that OSV-Scanner is the canonical merge_group dependency-CVE check.

Changes

Documentation & Workflow Comments

Layer / File(s)	Summary
Audit overview & context docs/audits/2026-05-26-issue-168-merge-group-security-handoff.md	Adds title/metadata and explains the merge_group dependency-vulnerability coverage gap and its cause.
Audit current state and options docs/audits/2026-05-26-issue-168-merge-group-security-handoff.md	Records workflow-template behavior, shows three remediation options, and recommends Option 1 (design-decision update).
Audit verification, references, resolution docs/audits/2026-05-26-issue-168-merge-group-security-handoff.md	Adds verification steps, references, quick-start snippet, and records final resolution (Option 1 accepted in PR #178).
Workflow inline comments workflow-templates/python-security-analysis.yml	Replaces/expands comments to state dependency-review is pull_request-only and to explicitly label OSV-Scanner as the canonical merge_group dependency-CVE check (references #168).

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

I nibble through the changelog sprig,
A hop, a note — a clearer twig,
Merge-group gaps now neatly penned,
OSV watches to the end,
Rabbity cheers — docs and comments sing! 🐇✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the primary changes: documenting OSV-Scanner as the merge_group dependency-CVE check and issue #168 closure. It is concise, specific, and directly related to the changeset's main objective.
Description check	✅ Passed	The PR description is comprehensive and addresses the template's key sections: clear summary of changes, related issue (#168), documentation update type, detailed changes made, architectural rationale, verification steps, and audit trail. Required sections are well-populated.
Linked Issues check	✅ Passed	The PR successfully addresses all acceptance criteria from issue #168: picks and documents the approach (Option 1 with architectural rationale), updates the CRITICAL/KNOWN LIMITATION block in the workflow template, implements comment-only changes that maintain security-gate integrity, and provides comprehensive audit documentation.
Out of Scope Changes check	✅ Passed	All changes remain in scope: YAML template documentation/comments clarifying merge_group coverage design, a new audit document explaining the architectural decision, and an issue reference correction. No unrelated refactoring, functional logic changes, or scope creep detected.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch claude/fix-osv-merge-group-comment-168

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Copilot]

Pull request overview

Updates the documentation comment in the python-security-analysis workflow template to reference the correct tracking issue for the merge_group dependency-CVE coverage gap, keeping the KNOWN LIMITATION guidance accurate for consumer repos using merge queue.

Changes:

• Updates the KNOWN LIMITATION follow-up reference from issue #154 followup to issue #168.
• Rewords the follow-up text to stay solution-agnostic about how dependency-CVE coverage on merge_group will be restored.

[williaby]

PR Review

This PR is comment-only YAML plus a new audit document — no logic, security, or CI surface changes. All checks pass; SonarCloud Quality Gate green (0 new issues, 0 new hotspots); branch is BEHIND main (rebase before merge). Manual diff review only (full agent stack skipped: no Python, no tests, no types, no new modules).

Critical: none.

Important (1):

• [doc accuracy] docs/audits/2026-05-26-issue-168-merge-group-security-handoff.md:226-229: Section 12 still poses the GPL-2.0/GPL-3.0 license-enforcement question as open for "the receiving team," but the PR body explicitly resolves it ("Answer: no. ... dependency-review-action's deny-licenses is therefore the only fail-on license policy in the repo, and it lives at PR review time"). Add a Resolution subsection to Section 12 (or convert Section 12 to "Resolution") capturing the answer so the audit doc is internally consistent as a standalone decision record.

Suggested (3 — optional, all doc-only edits to the audit file):

• docs/audits/2026-05-26-issue-168-merge-group-security-handoff.md:3-7: Frontmatter says Status: Open, ready to assign, but this PR is the Option 1 delivery. Update to Resolved by PR #178 (Option 1) or add a Resolution callout at the top.
• docs/audits/2026-05-26-issue-168-merge-group-security-handoff.md:38-78: Section 3 line citations reference pre-PR file state. Actual post-PR lines: 30-47 (DESIGN DECISION block), 146-152 (dependency-security if:), 227-231 (osv-scanner job), 404-439 (security-gate). Either update the citations or add a footnote that line numbers reference pre-merge state.
• docs/audits/2026-05-26-issue-168-merge-group-security-handoff.md:111-113: Section 6 step 3 lists an optional echo step on the osv-scanner job that this PR did not implement (role marker is comment-only in YAML). Either delete the optional step from the doc or file a tiny follow-up.

Informational: Copilot's review body describes only the first commit (b514fb0); the substantive KNOWN LIMITATION → DESIGN DECISION reframe in d7ecaf3 was not specifically validated, but Copilot left zero inline comments. No action required.

Strengths: architectural rigor in the reframe; PR body resolves the audit's open question; all cross-references to #168, #154, and #163 verify; CLAUDE.md compliant (no em-dashes, conventional commits, signed, correct branch convention).

🤖 Generated with Claude Code

[williaby]

PR Fix Summary

All 4 findings from the /pr-review comment above addressed. Branch also rebased onto main to clear the BEHIND state.

Changes (1 commit, doc-only):

• 9d77b43 docs(audit): address pr-review feedback on issue-168 handoff — 10 insertions, 4 deletions in docs/audits/2026-05-26-issue-168-merge-group-security-handoff.md. Workflow template (workflow-templates/python-security-analysis.yml) is unchanged from this PR's original intent.

Findings addressed:

Tier	Finding	Resolution
Important	Section 12 posed an open question that the PR body resolved	Section 12 retitled "(resolved in PR #178)" with a new Resolution subsection capturing the GPL-2.0/3.0 license-enforcement answer from the PR body verbatim
Suggested	Frontmatter Status: Open, ready to assign was stale	Updated to Status: Resolved by PR #178 (Option 1 selected)
Suggested	Section 3 line citations referenced pre-PR file state	Added a callout at the top of Section 3 listing the post-PR equivalents (30-47, 146-152, 227-231, 404-439) and explaining that the cited numbers are intentionally pre-PR for historical anchor
Suggested	Section 6 step 3 listed an optional echo step this PR did not implement	Marked (Optional, not implemented in PR #178) with cross-reference to the YAML role-marker comment that shipped in place of the runtime echo. Notes a follow-up issue is the path if runtime visibility ever becomes important

Rebase: Branch was BEHIND main. git rebase origin/main ran cleanly (mergeable: MERGEABLE), then force-pushed with --force-with-lease. HEAD SHA: 9d77b43. Required-check re-trigger should now fire reliably.

Verification:

• pre-commit run --all-files Passed (markdownlint, no-em-dash, detect-secrets, TruffleHog, commitizen, etc.)
• Commit signed (ED25519, Good signature)
• No em-dashes introduced (verified via grep -c "—")
• Workflow template diff unchanged from pre-fix state — only the audit doc was edited

Skipped (none): All 4 review findings resolved in this push. No CI failures, no SonarQube issues, no Copilot/CodeRabbit inline change requests to address. Coverage check N/A (no Python in this PR).

CI re-run triggered automatically by the force-push.

🤖 Generated with Claude Code

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@workflow-templates/python-security-analysis.yml`:
- Around line 34-44: Update the comment to clarify that OSV-Scanner is the
canonical dependency-CVE check on merge_group only when the security-files gate
is true: explicitly state that osv-scanner, security-scanning, and
owasp-dependency-check are gated by needs.detect-changes.outputs.security_files
== 'true' and therefore may be skipped when that output is not 'true'; adjust
wording around "OSV-Scanner is the canonical dependency-CVE check on
merge_group" and similar language at the second location (lines ~223-226) to
condition the coverage on the security_files gate and mention that
dependency-review still runs on pull_request for PR-time license/comment
affordances.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 98f042e7-66ac-4630-a288-7ef4237da70c

📥 Commits

Reviewing files that changed from the base of the PR and between b514fb0 and 9d77b43.

📒 Files selected for processing (2)

• docs/audits/2026-05-26-issue-168-merge-group-security-handoff.md
• workflow-templates/python-security-analysis.yml

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Clarify that merge_group dependency-CVE coverage is conditional on security_files.

These comments currently read as unconditional coverage, but osv-scanner, security-scanning, and owasp-dependency-check are all gated by needs.detect-changes.outputs.security_files == 'true'. Please update wording to reflect that OSV is the canonical merge_group dependency-CVE check when the security-files gate is true, otherwise the jobs can be skipped.

Also applies to: 223-226

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@workflow-templates/python-security-analysis.yml` around lines 34 - 44, Update
the comment to clarify that OSV-Scanner is the canonical dependency-CVE check on
merge_group only when the security-files gate is true: explicitly state that
osv-scanner, security-scanning, and owasp-dependency-check are gated by
needs.detect-changes.outputs.security_files == 'true' and therefore may be
skipped when that output is not 'true'; adjust wording around "OSV-Scanner is
the canonical dependency-CVE check on merge_group" and similar language at the
second location (lines ~223-226) to condition the coverage on the security_files
gate and mention that dependency-review still runs on pull_request for PR-time
license/comment affordances.