
[oblt-aw][security] Fix SEC-010 Semgrep mapping misclassification#1072

Draft
github-actions[bot] wants to merge 1 commit into main from fix/sec-010-semgrep-mapping-1062-02810424433d24fc

Conversation

@github-actions

Contributor

Closes #1062

This remediates SEC-010 finding classification drift in the security detector by correcting Semgrep check_id mapping logic so secret-related findings are no longer labeled as injection findings.

What changed

  • Updated Semgrep mapping in scripts/obs/security-scan.sh:
    • hardcoded.*(secret|token|credential) -> SEC-020
    • secret|token|credential -> SEC-002
    • injection|template|insecure -> SEC-010
    • fallback -> SEC-012
  • Added regression test tests/test_security_scan_semgrep_mapping.py to lock the mapping behavior.

Plan checklist

  • Identify the detector mapping root cause tied to SEC-010 misclassification
  • Implement ordered mapping updates in the detector logic
  • Add deterministic regression coverage for mapping behavior
  • Run repository test suites

Validation evidence

/tmp/gh-aw/agent/venv/bin/python -m pytest tests/
92 passed in 0.11s

npm test --silent
15 passed, 0 failed

Security requirements confirmation

  • Least-privilege: no workflow/job permission scopes were expanded; this PR only updates detector mapping and tests.
  • Env-indirection: no secrets/tokens were interpolated into workflow run: command strings; no workflow command token handling was added or broadened.

Note

🔒 Integrity filter blocked 17 items

The following items were blocked because they don't meet the GitHub integrity level.

  • [oblt-aw][security] SEC-010 — findings (2026-05-27) #1062 issue_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #1062 issue_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #142 search_pull_requests: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #106 search_pull_requests: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #107 search_pull_requests: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #108 search_pull_requests: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #109 search_pull_requests: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #1062 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #1051 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #1034 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #1019 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #1010 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #997 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #988 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #974 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #962 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • ... and 1 more item

To allow these resources, lower min-integrity in your GitHub frontmatter:

tools:
  github:
    min-integrity: approved  # merged | approved | unapproved | none

From workflow: Observability Agentic Workflow Entrypoint

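The ordered check_id mapping listed under "What changed" is the whole fix, so here is a stand-alone illustration of it. This is an added example, not the repository's scripts/obs/security-scan.sh or its test; the check_id strings below are constructed for the demo and are not real Semgrep rule names. It shows why the order of the four patterns matters: a check_id that contains both "insecure" and "hardcoded ... secret" must be tested against the secret patterns first, otherwise it would fall into the SEC-010 injection bucket.

```shell
#!/bin/sh
# Added example (not the repository's scripts/obs/security-scan.sh): an ordered
# mapping from a Semgrep check_id to the SEC-* classification described in the PR.
# Order matters: the specific hardcoded-secret pattern is tested first, the generic
# secret pattern second, injection/template/insecure third, and anything else
# falls back to SEC-012. Patterns are the four listed in the PR description.
map_semgrep_check_id() {
  id="$1"
  if printf '%s\n' "$id" | grep -Eq 'hardcoded.*(secret|token|credential)'; then
    echo SEC-020
  elif printf '%s\n' "$id" | grep -Eq 'secret|token|credential'; then
    echo SEC-002
  elif printf '%s\n' "$id" | grep -Eq 'injection|template|insecure'; then
    echo SEC-010
  else
    echo SEC-012
  fi
}

# Constructed check_ids (not real Semgrep rule names) exercising each branch,
# including one that contains both "insecure" and "hardcoded...secret" and so
# must land in SEC-020 rather than SEC-010.
demo() {
  for id in \
    'generic.secrets.hardcoded-api-token' \
    'javascript.lang.security.detect-secret-in-source' \
    'python.lang.security.insecure-hardcoded-secret' \
    'python.flask.security.injection.ssti-template' \
    'go.lang.maintainability.unused-var'; do
    printf '%-50s -> %s\n' "$id" "$(map_semgrep_check_id "$id")"
  done
}

demo
```

Running the script prints one line per constructed check_id with its SEC code; reordering the `elif` branches so that the injection/insecure test comes first would reclassify the third id as SEC-010, which is the kind of drift the PR's regression test is meant to lock out.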

Correct semgrep check_id mapping so secret-related findings are not mislabeled as SEC-010 injection findings. Add regression coverage for SEC-020, SEC-002, SEC-010, and SEC-012 mapping behavior.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>


Development

Successfully merging this pull request may close these issues.

[oblt-aw][security] SEC-010 — findings (2026-05-27)
