🧩 Lab 04: .github Repository SCA Governance

Mission Scenario

You are the GitOps Governance Operator. Your goal is to audit and harden inputs/repositories/GitHub/.github so it can be onboarded into atlantyqa-labs governance with a local-first approach.


1. 🎯 Operational Goal

By the end of this lab you will have:

  1. Reproducible SCA evidence for the .github repository.
  2. Prioritized workflow supply-chain findings.
  3. A validated bootstrap request to promote .github into atlantyqa-labs.
  4. Updated governance state (catalog + onboarding plan).

2. ⚔️ Mission Execution

# Step 1: inventory the repository and the actions its workflows reference
target="inputs/repositories/GitHub/.github"
find "$target" -maxdepth 3 -type f | sort
# every action reference; a tag such as @v3 is a mutable ref, only a full commit SHA is immutable
rg -n "^\s*uses:\s*" "$target"/workflows/*.yml
# runtime package installs (network-dependent at build time) and commit-signature checks in steps
rg -n "sudo apt-get|pip install|git log --show-signature -1" "$target"/workflows/*.yml

Expected result:

  1. 3 workflows detected.
  2. actions/checkout@v3 usage (a mutable tag reference, not a commit pin).
  3. Mutable runtime install in gen-docs.yml.

# Step 2: scan every file, dotfiles included, for committed credential formats;
# "|| true" keeps the step green when rg finds nothing (exit code 1)
rg -n --hidden -g '!.git' \
  -e 'ghp_[A-Za-z0-9]{30,}' \
  -e 'github_pat_[A-Za-z0-9_]{20,}' \
  -e 'AKIA[0-9A-Z]{16}' \
  -e 'BEGIN (RSA|EC|OPENSSH|PRIVATE) KEY' \
  inputs/repositories/GitHub/.github || true

# ISO images are forbidden artefacts in the input tree
find inputs/repositories/GitHub/.github -type f -iname '*.iso'

Expected result:

  1. secret_hit_count=0
  2. forbidden_iso_count=0

# Step 3: validate the bootstrap request locally and write the compliance report
bash scripts/repo-bootstrap-from-inputs.sh \
  --mode validate \
  --request-file .github/repo-bootstrap/requests/org-community-health.yml \
  --report-file outputs/repo-bootstrap/org-community-health.md

Expected result:

  1. Report generated at outputs/repo-bootstrap/org-community-health.md.
  2. Compliance status: passed.

# Step 4: dry-run the recovery runbook to regenerate the inventory without calling GitHub
bash scripts/github-inputs-recovery-runbook.sh \
  --inputs-root inputs \
  --target-org atlantyqa-labs \
  --owners "Kabehz,atlantyde-labs,atlantyqa-labs" \
  --skip-github-check \
  --publish-all-owned \
  --dry-run

Expected result:

  1. .github appears in repo-inventory.tsv.
  2. .github shows workflow_count > 0.
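
The SCA evidence the four steps above collect, as an added example that is not the lab's own script nor any atlantyqa-labs tooling: it builds a constructed .github fixture in a temporary directory, derives the counters named in the evidence list (workflow_count, secret_hit_count) together with unpinned_actions_count, missing_permissions_count, mutable_install_count and forbidden_iso_count, and writes them to a sca-findings.tsv. The fixture workflows, the extra column names, the all-zero commit SHA used as a pin placeholder and the dummy token-shaped string are all constructed for this example; grep -E stands in for rg so the script runs on a bare POSIX system.

```shell
#!/bin/sh
# Added example (not part of the lab or its scripts): build a constructed
# .github fixture and derive the sca-findings.tsv counters from it.

SAMPLE_ROOT="$(mktemp -d)"
SAMPLE_REPO="$SAMPLE_ROOT/.github"
mkdir -p "$SAMPLE_REPO/workflows"

# Constructed workflow: floating tag reference (the actions/checkout@v3 pattern).
cat > "$SAMPLE_REPO/workflows/ci.yml" <<'EOF'
name: ci
on: [push]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - run: echo build
EOF

# Constructed workflow: mutable runtime install and no permissions block.
cat > "$SAMPLE_REPO/workflows/gen-docs.yml" <<'EOF'
name: gen-docs
on: [push]
jobs:
  docs:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # placeholder SHA
      - run: pip install mkdocs
EOF

# Constructed workflow: hardened form, commit-pinned action, read-only token.
cat > "$SAMPLE_REPO/workflows/lint.yml" <<'EOF'
name: lint
on: [pull_request]
permissions:
  contents: read
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # placeholder SHA
      - run: ./scripts/lint.sh
EOF

# Second constructed fixture holding a dummy token-shaped string (ghp_ + 30 zeros)
# so the secret scan can be shown firing; not a real credential.
DUMMY_FIXTURE="$SAMPLE_ROOT/dummy-token-fixture"
mkdir -p "$DUMMY_FIXTURE"
printf 'token: ghp_%030d\n' 0 > "$DUMMY_FIXTURE/config.yml"

count_workflows() {
  find "$1/workflows" -type f \( -name '*.yml' -o -name '*.yaml' \) | wc -l | tr -d ' '
}

# uses: lines whose ref is not a full 40-hex commit SHA (tags and branches move).
count_unpinned_actions() {
  grep -Eh '^[[:space:]]*-?[[:space:]]*uses:' "$1"/workflows/*.y*ml 2>/dev/null \
    | grep -Ev '@[0-9a-f]{40}([[:space:]]|#|$)' | wc -l | tr -d ' '
}

# Workflows with no permissions block at any level (default token scope is broad).
count_missing_permissions() {
  n=0
  for f in "$1"/workflows/*.y*ml; do
    [ -f "$f" ] || continue
    grep -Eq '^[[:space:]]*permissions:' "$f" || n=$((n + 1))
  done
  echo "$n"
}

# Network installs at run time; a triage heuristic, every hit needs review.
count_mutable_installs() {
  grep -Eh 'sudo apt-get|pip install|npm install' "$1"/workflows/*.y*ml 2>/dev/null \
    | wc -l | tr -d ' '
}

# Same token and key shapes as the lab's rg scan, over every file in the tree.
count_secret_hits() {
  grep -rEh -e 'ghp_[A-Za-z0-9]{30,}' -e 'github_pat_[A-Za-z0-9_]{20,}' \
    -e 'AKIA[0-9A-Z]{16}' -e 'BEGIN (RSA|EC|OPENSSH|PRIVATE) KEY' "$1" 2>/dev/null \
    | wc -l | tr -d ' '
}

count_forbidden_iso() {
  find "$1" -type f -iname '*.iso' | wc -l | tr -d ' '
}

# One TSV row per repository: repo name followed by the six counters above.
findings_row() {
  printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\n' "$(basename "$1")" \
    "$(count_workflows "$1")" "$(count_unpinned_actions "$1")" \
    "$(count_missing_permissions "$1")" "$(count_mutable_installs "$1")" \
    "$(count_secret_hits "$1")" "$(count_forbidden_iso "$1")"
}

write_findings_tsv() {
  printf 'repo\tworkflow_count\tunpinned_actions_count\tmissing_permissions_count\tmutable_install_count\tsecret_hit_count\tforbidden_iso_count\n' > "$2"
  findings_row "$1" >> "$2"
}

write_findings_tsv "$SAMPLE_REPO" "$SAMPLE_ROOT/sca-findings.tsv"
cat "$SAMPLE_ROOT/sca-findings.tsv"
echo "dummy fixture secret_hit_count=$(count_secret_hits "$DUMMY_FIXTURE")"
```

The commit-SHA check treats any ref that is not 40 hex characters as mutable, so local (./path) and docker:// references are flagged as well and have to be closed out by review. The install grep is the lab's triage pattern, so a pip install that is already hash-pinned still appears in mutable_install_count; the counter is evidence for the report, the review decides whether it is a finding.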


3. 📸 Required Evidence

  • [ ] Copy of outputs/repo-bootstrap/org-community-health.md.
  • [ ] repo-inventory.tsv snippet showing .github.
  • [ ] sca-findings.tsv snippet including secret_hit_count and workflow_count.
  • [ ] Commit hash containing catalog and docs updates.

PR template (summary):
- Scope: inputs/.github SCA + governance onboarding
- Findings: actions pinning / permissions / mutable runtime installs
- Bootstrap request: org-community-health.yml (validate: passed)
- Catalog: .github added with decision=review

4. ✅ Approval Criteria

  1. Local SCA report is generated and reproducible.
  2. Bootstrap request validates successfully.
  3. GitOps catalog includes .github.
  4. Risks are documented with concrete hardening actions.

🎯 Next Level