Skip to content

[REVIEW] iac-security: add policy-as-code expiry, secret zero-values, and module source digest gates#2697

Closed
JamesJi79 wants to merge 1 commit into
UnitOneAI:mainfrom
JamesJi79:review-gates-iac
Closed

[REVIEW] iac-security: add policy-as-code expiry, secret zero-values, and module source digest gates#2697
JamesJi79 wants to merge 1 commit into
UnitOneAI:mainfrom
JamesJi79:review-gates-iac

Conversation

@JamesJi79

Copy link
Copy Markdown

Adds three review gates for iac-security skill:

  1. Policy-as-Code Exception Expiry Gate (closes [REVIEW] iac-security: add policy-as-code exception expiry gates #2677)

    • Exception lifecycle governance check
    • Exception scope narrowing check
  2. Secret Zero-Values in Plan Diffs Gate (closes [REVIEW] iac-security: add secret zero-values in plan diffs gates #2676)

    • Sensitive value source verification check
    • Provider default drift detection check
  3. Module Source Digest and Mirror Pinning Gate (closes [REVIEW] iac-security: add module source digest and mirror pinning gates #2675)

    • Module source integrity check
    • Private registry mirror integrity check

All three gates add evidence requirements for common IaC false-positive patterns.

@JamesJi79 JamesJi79 requested a review from kamalsrini as a code owner June 16, 2026 09:25
@github-actions github-actions Bot added the needs-approved-issue PR has no linked maintainer-approved issue label Jun 16, 2026
@github-actions

Copy link
Copy Markdown

Thanks for the submission! 🙏 SecuritySkills is now issue-first: contributions need a linked issue that a maintainer has marked approved before a PR is opened.

Please open an issue describing the skill, wait for the approved label, then reopen this PR with Closes #<issue> in the description. The PR template lists everything we'll look for (including an independently runnable reproduction).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

needs-approved-issue PR has no linked maintainer-approved issue

Projects

None yet

1 participant