[oblt-aw][security] Fix SEC-010 semgrep mapping misclassification

[github-actions]

Closes #962

This remediates SEC-010 detector findings by correcting Semgrep finding-to-SEC mapping in scripts/obs/security-scan.sh so secret-management findings are not misclassified as injection.

What changed

• Updated Semgrep mapping logic in scripts/obs/security-scan.sh:
  • hardcoded secret/token/credential patterns -> SEC-020
  • other secret/token/credential patterns -> SEC-002
  • injection/template/insecure patterns -> SEC-010
  • fallback -> SEC-012
• Added deterministic regression test: tests/test_security_scan_semgrep_mapping.py
• Updated detector/ruleset docs to match implementation:
  • docs/workflows/gh-aw-security-detector.md
  • docs/workflows/security-scanning-ruleset.md

Resolution plan checklist

• Read and execute remediation tasks focused on SEC-010 misclassification in Semgrep mapping
• Fix detector classification root cause in scripts/obs/security-scan.sh
• Add deterministic regression coverage to prevent reintroduction
• Validate with repository test suites
• Update docs to reflect implemented behavior

Validation evidence

$ npm test --silent
6 passed, 0 failed

$ /tmp/gh-aw/agent/venv/bin/python -m pytest tests/
92 passed in 0.13s

Security implementation notes

• Least-privilege: no workflow/job permission scopes were expanded; this PR changes detector classification logic plus tests/docs only.
• Env-indirection: no direct secret/token interpolation was introduced in run: command strings; no workflow command token handling was broadened.

Note

🔒 Integrity filter blocked 28 items

The following items were blocked because they don't meet the GitHub integrity level.

• [oblt-aw][security] SEC-010 — findings (2026-05-19) #962 issue_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• #962 issue_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• #962 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• #966 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• #142 search_pull_requests: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• #106 search_pull_requests: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• #107 search_pull_requests: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• #108 search_pull_requests: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• #109 search_pull_requests: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• #947 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• #933 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• #924 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• #912 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• #899 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• #884 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• #868 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• ... and 12 more items

To allow these resources, lower min-integrity in your GitHub frontmatter:

tools:
  github:
    min-integrity: approved  # merged | approved | unapproved | none

---

What is this? | From workflow: Observability Agentic Workflow Entrypoint

Give us feedback! React with 🚀 if perfect, 👍 if helpful, 👎 if not.