fix: SHA-pin slsa_with_provenance action; explicit shell=False; fix C-009/C-024 doc errors

[spoorcc]

• Pin slsa-framework/source-actions/slsa_with_provenance to commit SHA
  dea965cdca5e0cb422bf7b2653c9d15f678ad01c (was tag v0.1.0, violating
  the C-009 commit-SHA pinning control for the most security-sensitive
  workflow)
• Add explicit shell=False to subprocess.run() in cmdline.py; the default
  is False but the code did not state it, undermining the C-007 claim
• Rename duplicate C-009 "Plaintext transport detection" (usage model) to
  C-045 to eliminate the control-ID conflict with C-009 "Actions
  commit-SHA pinning" (supply-chain model); update all references in
  compliance_data.py, compliance_track.rst, threat_model_usage.rst,
  control_register.rst
• Rename C-024 from "secrets: inherit scope" to "Explicit secret
  forwarding" — the implementation deliberately avoids secrets: inherit
  and uses selective named forwarding; the old name was the inverse of
  the actual behaviour
• Fix DFT-15 (VCS externals) accept rationale: the "Manifest under code
  review" assumption does not cover nested submodule/external URLs that
  come from the upstream repo, not dfetch.yaml; rebase on dfetch scope
  boundary assumption with explicit residual-risk statement
• Add Risk Rating Methodology section to security.rst documenting the
  Sev/Risk scale (L/M/H/VH/C) aligned with BSI TR-03183-1 §5.3; add
  cross-reference from both threat model pages and update report_template
• Clarify ECR-C SO.Updateability and ECR-M SO.SecureDataDeletion: add
  explanatory notes and gaps column text so "✓ Implemented" rows with no
  control listed are not misleading to conformity assessors
• Update C-009 description from absolute "Every third-party Action" to
  "All third-party Actions" (accurate after the SHA-pin fix above)

https://claude.ai/code/session_01CtU2HEmkrr4gBHvZMRT3U5

Summary by CodeRabbit

Release Notes

• Documentation

  • Added comprehensive Risk Rating Methodology section defining the qualitative risk assessment framework
  • Updated compliance tracking documentation with refined control references and explanatory notes
  • Enhanced threat model documentation with improved control descriptions and cross-references across security documentation

• Chores

  • Updated security infrastructure pinning for increased supply chain integrity

[coderabbitai]

Warning

Review limit reached

@spoorcc, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 50 minutes and 37 seconds. Learn how PR review limits work.

Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file).

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: e2b24e42-ca2d-4a94-9179-3977862fd263

📥 Commits

Reviewing files that changed from the base of the PR and between 7695bbc and c737a63.

📒 Files selected for processing (6)

• dfetch/util/cmdline.py
• doc/explanation/security.rst
• doc/explanation/threat_model_supply_chain.rst
• doc/explanation/threat_model_usage.rst
• security/report_template.rst
• security/tm_usage.py

Walkthrough

Pins the SLSA source-provenance GitHub Action to a commit SHA and adds shell=False to subprocess.run (removing the nosec suppression). Renames control C-024 to "Explicit secret forwarding," introduces a new C-045 "Plaintext transport detection" control replacing C-009 throughout threat models and compliance data, adds a Risk Rating Methodology section to security.rst with cross-references, and expands SO.Updateability, SO.SecureDataDeletion, and DFT-15 justifications.

Changes

Security Hardening (Code and Workflow)

Layer / File(s)	Summary
Action SHA pin and explicit shell=False .github/workflows/source-provenance.yml, dfetch/util/cmdline.py	slsa_with_provenance step switches from v0.1.0 tag to a pinned commit SHA; subprocess.run gains shell=False and drops the # nosec comment.

Security Documentation and Compliance Data Refresh

Layer / File(s)	Summary
New Risk Rating Methodology section and cross-references doc/explanation/security.rst, security/report_template.rst, doc/explanation/threat_model_supply_chain.rst, doc/explanation/threat_model_usage.rst	security.rst gains a BSI TR-03183-1-aligned two-axis risk ratings table and treatment vocabulary; report template and both threat model preambles add cross-references to it.
C-045 introduction and C-024 rename in source data security/tm_usage.py, security/tm_supply_chain.py, doc/explanation/control_register.rst	tm_usage.py renames the plaintext transport detection control from C-009 to C-045; tm_supply_chain.py refines C-009 SHA-pin wording and renames C-024 to "Explicit secret forwarding"; control_register.rst adds the C-045 entry and updates C-024's reference to .github/workflows/ci.yml.
C-009→C-045 remapping across compliance data and rendered docs security/compliance_data.py, doc/explanation/threat_model_supply_chain.rst, doc/explanation/threat_model_usage.rst, doc/explanation/compliance_track.rst	All SO implementation entries referencing C-009 for transport/auth/integrity/monitoring warnings are updated to C-045; threat model docs reflect the renamed C-024 and C-045 descriptions.
Expanded compliance justifications and DFT-15 narrative security/compliance_data.py, security/tm_usage.py, doc/explanation/compliance_track.rst	SO.Updateability and SO.SecureDataDeletion rationales are expanded in compliance data; DFT-15 acceptance rationale shifts to the "dfetch scope boundary" assumption with added residual-risk language; compliance_track.rst adds rubric notes for ECR-C and ECR-M.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~15 minutes

Possibly related PRs

• dfetch-org/dfetch#1272: Directly conflicts with this PR on the same control identifiers—removes C-045 in favor of C-043 in security/compliance_data.py and the threat model docs.
• dfetch-org/dfetch#1271: Introduced the CRA Track B compliance framework in security/compliance_data.py and doc/explanation/compliance_track.rst that this PR's C-009→C-045 remapping builds on.
• dfetch-org/dfetch#1181: Created or significantly modified doc/explanation/security.rst, the same file this PR extends with the new "Risk Rating Methodology" section.

Suggested labels

github_actions, development, documentation

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes all three main changes: SHA-pinning the SLSA action, adding explicit shell=False, and fixing C-009/C-024 control ID conflicts in documentation.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch claude/security-model-compliance-review-lgvmeq

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

security/tm_usage.py (1)

1366-1377: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Fix the stale control ID in the DFT-26 note.

C-009 now refers to commit-SHA pinning, so this note should point to C-045 to stay aligned with the control register and generated docs.

Diff

-            "C-009 emits a visible warning immediately before the VCS command when a "
+            "C-045 emits a visible warning immediately before the VCS command when a "

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@security/tm_usage.py` around lines 1366 - 1377, The DFT-26 definition
contains a stale control ID reference in its note field. Replace the reference
to "C-009" with "C-045" in the note text that describes the visible warning for
plaintext VCS schemes. This ensures the note stays aligned with the current
control register where C-009 now refers to commit-SHA pinning and C-045 is the
correct control for this credential warning behavior.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@doc/explanation/security.rst`:
- Around line 111-113: The Risk Rating Methodology section in
doc/explanation/security.rst (lines 111-113) lacks a dedicated reStructuredText
section label, causing existing cross-references to resolve to the page-level
security anchor instead of the section itself. Add a unique section label
(following reStructuredText convention) directly above the "Risk Rating
Methodology" heading in doc/explanation/security.rst. Then update the three
reference sites to point to this new section label instead of the generic
security anchor: in security/report_template.rst (lines 17-18), in
doc/explanation/threat_model_supply_chain.rst (lines 20-21), and in
doc/explanation/threat_model_usage.rst (lines 20-21). Ensure all three sibling
files use the same new section label name to maintain consistency.

---

Outside diff comments:
In `@security/tm_usage.py`:
- Around line 1366-1377: The DFT-26 definition contains a stale control ID
reference in its note field. Replace the reference to "C-009" with "C-045" in
the note text that describes the visible warning for plaintext VCS schemes. This
ensures the note stays aligned with the current control register where C-009 now
refers to commit-SHA pinning and C-045 is the correct control for this
credential warning behavior.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: b8d7f337-9572-4e0f-a653-10de2b352b20

📥 Commits

Reviewing files that changed from the base of the PR and between b721b05 and 7695bbc.

📒 Files selected for processing (11)

• .github/workflows/source-provenance.yml
• dfetch/util/cmdline.py
• doc/explanation/compliance_track.rst
• doc/explanation/control_register.rst
• doc/explanation/security.rst
• doc/explanation/threat_model_supply_chain.rst
• doc/explanation/threat_model_usage.rst
• security/compliance_data.py
• security/report_template.rst
• security/tm_supply_chain.py
• security/tm_usage.py