Summary
The repo is missing the standard GitHub security/governance baseline and carries 30 open Dependabot alerts: 1 critical, 9 high, 16 medium, 4 low. See the Security tab for details. Alerts are already enabled (the 30 are visible); the gap is the rest of the baseline plus the security-updates toggle that would auto-open fix PRs.
berkeleybop/metpo has every item below configured and works as a copy-from template.
Each gap is small; together they are a coherent hygiene cluster worth addressing.
Baseline gaps
| Missing |
Purpose |
Effort |
Branch protection on master |
Require passing checks; block force-push and deletion |
Settings toggle |
| Dependabot security updates |
Auto-open fix PRs for the 30 existing alerts (separate toggle from dependabot.yml) |
Settings toggle |
| Secret scanning + push protection |
Block committed credentials at push time |
Settings toggle |
.github/dependabot.yml |
Auto-propose dependency version upgrades (pip + github-actions) |
Single-file PR |
| CodeQL (Default setup) |
Free static security analysis; prefer Settings, Code security, Code scanning, Default setup over a codeql.yml template since there is no build step |
Settings toggle |
dependency-review-action in CI |
Fail a PR that adds a vulnerable or bad-license dependency |
Single-file PR |
Pin Actions to commit SHAs + zizmor workflow (pinact to maintain) |
Close the mutable-tag supply-chain gap; lint the workflows |
Single-file PR |
SECURITY.md |
Vulnerability reporting policy |
Single-file PR |
CODEOWNERS |
Auto-request reviews from owners of touched paths |
Requires owner decisions |
.pre-commit-config.yaml |
Local lint/format gate |
Single-file PR |
Optional, lower priority: OpenSSF Scorecard action for a public-facing security score.
Suggested order
- Branch protection on
master (stops the bleed first)
- Dependabot security updates toggle + secret scanning/push protection (toggles, immediate value)
dependabot.yml + CodeQL Default setup + dependency-review-action (cheap, automated)
- SHA-pin Actions +
zizmor
SECURITY.md
CODEOWNERS and .pre-commit-config.yaml (need team input)
Why branch protection first
Right now master has no required checks, no force-push block, and no deletion block (gh api repos/Knowledge-Graph-Hub/kg-microbe/branches/master/protection returns 404). Every subsequent hygiene PR relies on the base branch being stable.
Summary
The repo is missing the standard GitHub security/governance baseline and carries 30 open Dependabot alerts: 1 critical, 9 high, 16 medium, 4 low. See the Security tab for details. Alerts are already enabled (the 30 are visible); the gap is the rest of the baseline plus the security-updates toggle that would auto-open fix PRs.
berkeleybop/metpohas every item below configured and works as a copy-from template.Each gap is small; together they are a coherent hygiene cluster worth addressing.
Baseline gaps
masterdependabot.yml).github/dependabot.ymlcodeql.ymltemplate since there is no build stepdependency-review-actionin CIzizmorworkflow (pinactto maintain)SECURITY.mdCODEOWNERS.pre-commit-config.yamlOptional, lower priority: OpenSSF Scorecard action for a public-facing security score.
Suggested order
master(stops the bleed first)dependabot.yml+ CodeQL Default setup +dependency-review-action(cheap, automated)zizmorSECURITY.mdCODEOWNERSand.pre-commit-config.yaml(need team input)Why branch protection first
Right now
masterhas no required checks, no force-push block, and no deletion block (gh api repos/Knowledge-Graph-Hub/kg-microbe/branches/master/protectionreturns 404). Every subsequent hygiene PR relies on the base branch being stable.