Current maturity score: 2/5
This repository has working tests in CI (the only non-kagenti repo that does), but lacks security scanning, governance files, and supply chain hardening.
Top 5 gaps
- Zero security scanning — 0/8 applicable tools. This is a gRPC ext-proc service that intercepts and modifies HTTP request/response bodies — SAST is critical.
- No LICENSE file — The nemocheck plugin declares Apache-2.0 but no LICENSE file exists at the repo root.
- No container build in CI — 2 Dockerfiles exist but no CI workflow builds or pushes images.
- 0% SHA-pinned actions — Both actions are tag-pinned only. No `permissions:` block on the workflow.
- No Dependabot — requirements.txt, pyproject.toml, 2 container files, and 1 workflow have no automated dependency updates.
Recommended phase order
orchestrate:precommit — Add shellcheck, hadolint, gitleaks, yamllint hooks
orchestrate:tests — Add pytest-cov at server level; scaffold E2E tests for gRPC ext-proc flow
orchestrate:ci — SHA-pin actions, add permissions, add Trivy, Bandit, dependabot, scorecard, container build workflow
orchestrate:security — Add LICENSE (Apache 2.0), CODEOWNERS, SECURITY.md, CONTRIBUTING.md
orchestrate:replicate — CLAUDE.md, .claude/settings.json, skills
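The two workflow findings above (tag-pinned `uses:` references, no top-level `permissions:` block) and the `orchestrate:ci` step that fixes them are easy to check mechanically. The script below is an added example, not code from this repository or from the orchestrate skills: it scans workflow text line by line with the standard library only (no YAML parser, so it assumes the conventional one-`uses:`-per-line layout), flags any action reference whose version is not a 40-hex commit SHA, and reports whether a `permissions:` key exists at column 0. The two embedded workflows are constructed samples; the all-zero and all-one digests in the hardened one are placeholders standing in for the real release commits of those actions, not actual SHAs.

```python
"""Audit GitHub Actions workflow text for two supply-chain hardening gaps:
tag-pinned `uses:` references and a missing top-level `permissions:` block.
Added example using only the standard library."""
import re
from dataclasses import dataclass, field

# `uses:` value up to the first whitespace, quote or comment marker
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")
# a full 40-hex commit SHA is the only ref that cannot be silently moved
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# top-level key: no indentation, so job-level permissions blocks do not count
TOP_PERMISSIONS_RE = re.compile(r"^permissions:")


@dataclass
class WorkflowAudit:
    pinned: list[str] = field(default_factory=list)    # refs pinned to a commit SHA
    unpinned: list[str] = field(default_factory=list)  # tag/branch/mutable refs
    has_top_level_permissions: bool = False

    @property
    def sha_pinned_pct(self) -> float:
        total = len(self.pinned) + len(self.unpinned)
        return 100.0 if total == 0 else round(100.0 * len(self.pinned) / total, 1)

    @property
    def ok(self) -> bool:
        return not self.unpinned and self.has_top_level_permissions


def audit_workflow(text: str) -> WorkflowAudit:
    audit = WorkflowAudit()
    for line in text.splitlines():
        if TOP_PERMISSIONS_RE.match(line):
            audit.has_top_level_permissions = True
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./"):
            continue  # local action in this repo, not an external dependency
        if ref.startswith("docker://"):
            (audit.pinned if "@sha256:" in ref else audit.unpinned).append(ref)
            continue
        # rpartition yields an empty version when there is no '@' at all,
        # which correctly lands in `unpinned`
        _, _, version = ref.rpartition("@")
        (audit.pinned if SHA_RE.match(version) else audit.unpinned).append(ref)
    return audit


def findings(audit: WorkflowAudit) -> list[str]:
    """One human-readable finding per gap; empty list means the workflow passes."""
    out = [f"unpinned action reference: {ref}" for ref in audit.unpinned]
    if not audit.has_top_level_permissions:
        out.append("no top-level permissions: block (GITHUB_TOKEN gets default scopes)")
    return out


# Constructed sample: the state described in the gaps list above.
WEAK_WORKFLOW = """\
name: ci
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - run: pip install -e . && pytest
"""

# Constructed sample after the orchestrate:ci step. The digests are PLACEHOLDERS,
# not real commits of these actions; resolve the current release SHA before use.
HARDENED_WORKFLOW = """\
name: ci
on: [push, pull_request]
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4
      - uses: actions/setup-python@1111111111111111111111111111111111111111 # v5
        with:
          python-version: "3.12"
      - run: pip install -e . && pytest
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        a = audit_workflow(text)
        print(f"{name}: {a.sha_pinned_pct}% SHA-pinned, ok={a.ok}")
        for f in findings(a):
            print("  -", f)
```

Run it over `.github/workflows/*.yml` in a pre-commit hook or a CI job and fail on a non-empty `findings()` list; the same check is what OpenSSF Scorecard's Pinned-Dependencies and Token-Permissions probes report, so wiring it in locally gives the fix loop before Scorecard scores the repo.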