docs: OSV-Scanner rollout ADR, reference, and runbook #43

Merged: zircote merged 1 commit into main from docs/osv-scanner-rollout on Jul 1, 2026
@zircote zircote commented Jul 1, 2026

Adds ADR-012 (the decision to close the OSV-Scanner adoption gap identified in the 2026-07-01 audit), a new docs/reference/ entry describing reusable-sca-osv.yml, and a tactical on-call runbook for a failed sca check or code-scanning alert.

ADR-012 validates against structured-madr in both smadr strict mode and mif --level 3. The reference doc validates at mif --level 3. The runbook validates at mif --level 1, matching this repo's existing runbook convention.

Companion to the rollout PRs opened against doc-site, mif-docs-plugin, and research-harness-template.

Adds ADR-012 (the decision to close the OSV-Scanner adoption gap), a new docs/reference/ entry for reusable-sca-osv.yml, and a tactical on-call runbook for a failed sca check or code-scanning alert. ADR-012 validated against structured-madr in both smadr strict mode and mif --level 3; the reference doc validated at mif --level 3; the runbook validated at mif --level 1, matching this repo's existing runbook convention.
Copilot AI review requested due to automatic review settings July 1, 2026 16:46

Copilot AI left a comment

Pull request overview

Adds documentation to complete and operationalize the org-wide OSV-Scanner SCA rollout: a new ADR capturing the decision and scope, a reference doc for the reusable-sca-osv.yml reusable workflow, and an on-call runbook for responding to failed SCA checks / OSV-Scanner code-scanning alerts.

Changes:

  • Add ADR-012 documenting the 2026-07-01 decision to close the remaining OSV-Scanner adoption gap.
  • Add a reference page describing reusable-sca-osv.yml inputs, permissions, layers, SHA pin, and consuming repos.
  • Add an operational runbook for diagnosing and remediating sca / OSV-Scanner findings.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 6 comments.

| File | Description |
| --- | --- |
| docs/runbooks/osv-scanner-alert-runbook.md | New runbook for triage/remediation of failed sca checks and OSV-Scanner code-scanning alerts. |
| docs/reference/reusable-sca-osv.md | New reference doc for the reusable-sca-osv.yml reusable workflow (inputs, permissions, usage). |
| docs/adr/ADR-012-osv-scanner-rollout-completion.md | New ADR documenting the OSV-Scanner rollout completion decision and audit summary. |

@zircote zircote merged commit 30c4cff into main Jul 1, 2026
7 checks passed