ParanoiHack · Nitr4x · Apr 16, 2026 · Apr 16, 2026 · Apr 16, 2026 · Apr 16, 2026
diff --git a/.github/security-config.toml b/.github/security-config.toml
@@ -5,12 +5,10 @@ path = "."
 
 [kics]
 platform = "Dockerfile"
-exclude_queries = ["fd54f200-402c-4333-a5a4-36ef6709af2f"]
 
 [grype]
 ignore_states = "not-fixed,unknown,wont-fix"
 transitive_libraries = false
 
 [opengrep]
-exclude = ["*_test.go", "docker-compose.yml", "Dockerfile"]
-exclude_rule = ["go.lang.security.audit.dangerous-exec-command.dangerous-exec-command"]
+exclude = ["*_test.go", "docker-compose.yml", "Dockerfile"]
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -26,6 +26,7 @@ jobs:
     name: Security
     needs: test
     uses: ./.github/workflows/security.yml
+    secrets: inherit
     permissions:
       contents: read
       packages: read
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
@@ -26,12 +26,20 @@ jobs:
         run: test -f "$GITHUB_WORKSPACE/.github/security-config.toml"
 
       - name: Run ScopeGuardian
+        env:
+          DD_URL: ${{ secrets.DD_URL }}
+          DD_ACCESS_TOKEN: ${{ secrets.DD_ACCESS_TOKEN }}
+          SG_VERSION: ${{ vars.SG_VERSION }}
+          BRANCH: ${{ github.head_ref || github.ref_name }}
         run: |
           docker run --rm \
             -v "$GITHUB_WORKSPACE:/tmp/data" \
             -e SCAN_DIR=/tmp/data \
-            ghcr.io/paranoihack/scopeguardian:${{ vars.SG_VERSION }} \
+            -e DD_URL="$DD_URL" \
+            -e DD_ACCESS_TOKEN="$DD_ACCESS_TOKEN" \
+            "ghcr.io/paranoihack/scopeguardian:$SG_VERSION" \
             --projectName ScopeGuardian \
-            --branch "${{ github.ref_name }}" \
+            --branch "$BRANCH" \
             --threshold "critical=1,high=1,medium=1,low=1" \
+            --sync \
             /tmp/data/.github/security-config.toml