[oblt-aw][security] Fix SEC-010 Semgrep mapping misclassification

[github-actions]

Closes #988

This remediates SEC-010 finding classification drift by fixing Semgrep check_id mapping in scripts/obs/security-scan.sh.

What changed

• Updated Semgrep rule mapping in scripts/obs/security-scan.sh:
  • hardcoded.*(secret|token|credential) -> SEC-020
  • secret|token|credential -> SEC-002
  • injection|template|insecure -> SEC-010
  • fallback -> SEC-012
• Added regression test tests/test_security_scan_semgrep_mapping.py to lock mapping behavior.
• Updated docs to match implementation:
  • docs/workflows/gh-aw-security-detector.md
  • docs/workflows/security-scanning-ruleset.md

Resolution plan checklist

• Identify and fix SEC mapping root cause in detector implementation
• Add deterministic regression coverage
• Validate repository test suites
• Update security detector docs/ruleset traceability

Validation evidence

/tmp/gh-aw/agent/venv/bin/python -m pytest tests/
95 passed in 0.18s

npm test --silent
6 passed, 0 failed

Security requirements confirmation

• Least-privilege: no workflow/job permissions were broadened; this PR only changes detector mapping logic, tests, and docs.
• Env-indirection: no secret/token interpolation was introduced in workflow run: command strings.

Note

🔒 Integrity filter blocked 41 items

The following items were blocked because they don't meet the GitHub integrity level.

• #988 issue_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• [oblt-aw][security] SEC-010 — findings (2026-05-21) #988 issue_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• #988 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• #990 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• #989 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• #991 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• #993 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• [oblt-aw][security] SEC-043 — findings (2026-05-21) #993 list_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• [oblt-aw][security] SEC-032 — findings (2026-05-21) #992 list_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• [oblt-aw][security] SEC-031 — findings (2026-05-21) #991 list_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• [oblt-aw][security] SEC-030 — findings (2026-05-21) #990 list_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• [oblt-aw][security] SEC-022 — findings (2026-05-21) #989 list_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• [oblt-aw][security] SEC-010 — findings (2026-05-21) #988 list_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• [oblt-aw][security] SEC-043 — findings (2026-05-20) #979 list_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• [oblt-aw][security] SEC-032 — findings (2026-05-20) #978 list_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• [oblt-aw][security] SEC-031 — findings (2026-05-20) #977 list_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• ... and 25 more items

To allow these resources, lower min-integrity in your GitHub frontmatter:

tools:
  github:
    min-integrity: approved  # merged | approved | unapproved | none

---

What is this? | From workflow: Observability Agentic Workflow Entrypoint

Give us feedback! React with 🚀 if perfect, 👍 if helpful, 👎 if not.