[oblt-aw][security] Fix SEC-010 Semgrep mapping misclassification

[github-actions]

Closes #788

This change remediates the SEC-010 fixer plan by correcting Semgrep rule-to-SEC mapping in the security detector so secret-management findings are no longer mislabeled as injection findings.

What changed

• Updated Semgrep mapping logic in scripts/security-scan.sh:
  • hardcoded secret/token/credential patterns -> SEC-020
  • secret/token/credential patterns -> SEC-002
  • injection/template/insecure patterns -> SEC-010
  • fallback -> SEC-012
• Added deterministic regression test: tests/test_security_scan_semgrep_mapping.py
• Updated docs to reflect implementation:
  • docs/workflows/security-scanning-ruleset.md
  • docs/workflows/gh-aw-security-detector.md

Resolution plan checklist

• Read and execute triage resolution plan tasks in order
• Fix detector mapping root cause in scripts/security-scan.sh
• Add deterministic fixture-based test to prevent regression
• Validate with repository test suites
• Update docs to match behavior

Validation evidence

/tmp/gh-aw/agent/venv/bin/pytest tests/ && npm test
90 passed in 0.14s
Node test suite: 6 passed, 0 failed

Security implementation notes

• Least-privilege: no workflow/job permission scopes were expanded; this PR modifies detector classification logic and tests/docs only.
• Env-indirection: no secret interpolation was introduced; no workflow run: command strings were modified to embed secrets/tokens.

Note

🔒 Integrity filter blocked 10 items

The following items were blocked because they don't meet the GitHub integrity level.

• #788 issue_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• [oblt-aw][security] SEC-010 — findings (2026-05-05) #788 issue_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• #788 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• #776 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• #767 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• #760 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• #749 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• #737 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• #726 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• #750 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".

To allow these resources, lower min-integrity in your GitHub frontmatter:

tools:
  github:
    min-integrity: approved  # merged | approved | unapproved | none

---

What is this? | From workflow: Observability Agentic Workflow Entrypoint

Give us feedback! React with 🚀 if perfect, 👍 if helpful, 👎 if not.