420dd26c08
User chose variant (B) Semgrep в CI for Q.INFO.001. Investigation shows
.github/workflows/sast.yml already exists from PR #25 commit 53fb1ec
(10.05.2026, 2 days before audit) with better-than-minimal config:
- semgrep/semgrep-action@v1
- configs p/php + p/javascript + p/typescript + p/secrets
- triggers push/PR на main with path-filters app/app, app/resources/js, app/database/migrations
- SARIF upload to GitHub Security tab via github/codeql-action/upload-sarif@v3
Audit Phase 4 Subagent G missed this — searched only for local `npx semgrep`
CLI without checking existing CI workflows. Tagged as audit-gap finding for
future Phase 4 improvement (check `.github/workflows/` first).
No new code required. +SARIF added to cspell-words.txt.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>