chore: integrate with latest gemara layer4

[trumant]

This was tested against the revanite-io/example-osps-baseline-level-1 repository and produced:

Running in debug mode
2025-09-28T09:07:11.293-0400 [WARN]  OSPS-AC-01.01: Not evaluated. Two-factor authentication evaluation requires a token with org:admin permissions, or manual review
2025-09-28T09:07:11.293-0400 [INFO]  OSPS-AC-02.01: This control is enforced by GitHub for all projects
2025-09-28T09:07:11.293-0400 [WARN]  OSPS-AC-03.01: Branch protection rule does not restrict pushes or require approving reviews; Rulesets not yet evaluated.
2025-09-28T09:07:11.293-0400 [INFO]  OSPS-AC-03.02: Branch protection rule prevents deletions
2025-09-28T09:07:11.778-0400 [INFO]  OSPS-BR-01.01: GitHub Workflows variables do not contain untrusted inputs
2025-09-28T09:07:11.778-0400 [WARN]  OSPS-BR-01.02: Not implemented
2025-09-28T09:07:11.778-0400 [INFO]  OSPS-BR-03.01: All links use HTTPS
2025-09-28T09:07:11.778-0400 [INFO]  OSPS-BR-03.02: No official distribution points found in Security Insights data
2025-09-28T09:07:11.778-0400 [INFO]  OSPS-DO-01.01: User guide was specified in Security Insights data
2025-09-28T09:07:11.778-0400 [INFO]  OSPS-DO-02.01: Repository accepts vulnerability reports
2025-09-28T09:07:11.778-0400 [INFO]  OSPS-GV-02.01: Issues are enabled for the repository
2025-09-28T09:07:11.778-0400 [INFO]  OSPS-GV-03.01: Contributing guide specified in Security Insights data (Bonus: code of conduct location also specified)
2025-09-28T09:07:12.018-0400 [WARN]  OSPS-LE-02.01: All license found are OSI or FSF approved
2025-09-28T09:07:12.018-0400 [WARN]  OSPS-LE-02.02: All license found are OSI or FSF approved
2025-09-28T09:07:12.018-0400 [INFO]  OSPS-LE-03.01: License was found in a well known location via the GitHub API
2025-09-28T09:07:12.018-0400 [INFO]  OSPS-LE-03.02: No releases found
2025-09-28T09:07:12.018-0400 [INFO]  OSPS-QA-01.01: Repository is public
2025-09-28T09:07:12.018-0400 [INFO]  OSPS-QA-01.02: This control is enforced by GitHub for all projects
2025-09-28T09:07:12.018-0400 [WARN]  OSPS-QA-02.01: No dependency manifests found in the GitHub dependency graph API. Review project to ensure dependencies are managed.
2025-09-28T09:07:12.018-0400 [INFO]  OSPS-QA-04.01: Insights contains a list of repositories
2025-09-28T09:07:12.420-0400 [INFO]  OSPS-QA-05.01: No common binary file extensions were found in the repository
2025-09-28T09:07:12.420-0400 [INFO]  OSPS-VM-02.01: Security contacts were specified in Security Insights data
2025-09-28T09:07:12.420-0400 [ERROR] > test_OSPS_B: 11 Passed, 5 Warnings, 0 Failed

[kusari-inspector]

Kusari Analysis Results:

Caution

Flagged Issues Detected
These changes contain flagged issues that may introduce security risks.

While the code analysis shows zero security vulnerabilities across all scanned files, the dependency analysis reveals critical supply chain security risks that override the clean code findings. The PR replaces established organizational packages (privateerproj/privateer-sdk, ossf/gemara) with personal fork packages from github.com/trumant that lack security scorecard data and use pseudo-versions instead of stable releases. Supply chain security risks take precedence over clean code analysis, as compromised dependencies can introduce threats regardless of code quality. The migration from official organizational packages to personal forks requires security verification, proper versioning, and justification before proceeding.

Note

View full detailed analysis result for more information on the output and the checks that were run.

Required Dependency Mitigations

• Verify the legitimacy and security of the personal fork packages github.com/trumant/privateer-sdk and github.com/trumant/gemara before proceeding. Confirm these are authorized replacements for the official packages.
• Request that the new dependencies use proper semantic versioning and tagged releases instead of pseudo-versions (commit-based versions) for better dependency management and security tracking.
• Conduct a security review of the trumant GitHub account and repositories to ensure they meet your organization's supply chain security standards before adopting these dependencies.
• Consider reaching out to the maintainers to understand why the migration from official packages (privateerproj, ossf) to personal forks is necessary and whether official alternatives exist.

---

@kusari-inspector rerun - Trigger a re-analysis of this PR
@kusari-inspector feedback [your message] - Send feedback to our AI and team
See Kusari's documentation for setup and configuration.
Commit: 719fc94, performed at: 2025-09-28T13:10:42Z

Found this helpful? Give it a 👍 or 👎 reaction!