Problem
Secret leaks, dep CVEs, and image CVEs all need scheduled + per-PR scanning. A single workflow keeps the scanning policy centralised and visible.
Proposed solution
Port .github/workflows/security.yml: gitleaks (binary, no SARIF upload, quota-aware), pip-audit (--strict, OSV backend, CVE ignore list with justifications), npm audit (--audit-level=high), trivy (aquasecurity/trivy-action, fails on fixable HIGH/CRITICAL). Trigger: PR + weekly schedule.
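A workflow shaped like the proposal above, added here as an illustration and not the ported security.yml itself; the action and tool version pins, the cron slot, the requirements.txt path and the local image tag are assumptions:

```yaml
name: security
on:
  pull_request:
  schedule:
    - cron: "0 6 * * 1"          # weekly run, Monday 06:00 UTC (assumed slot)
permissions:
  contents: read                 # no SARIF upload, so no security-events: write needed
jobs:
  gitleaks:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with: { fetch-depth: 0 } # full history, so secrets in old commits are found too
      - name: gitleaks (release binary, not the marketplace action)
        env: { GITLEAKS_VERSION: "8.18.4" } # assumed pin; bump deliberately
        run: |
          curl -sSL "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz" | tar -xz gitleaks
          ./gitleaks detect --source . --redact --no-banner   # non-zero exit on any finding
  pip-audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with: { python-version: "3.12" }
      - run: python -m pip install pip-audit
      - name: pip-audit (OSV backend, strict)
        run: |
          # add "--ignore-vuln <ID>" only with a written justification beside it
          pip-audit --strict --vulnerability-service osv -r requirements.txt
  npm-audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with: { node-version: "20" }
      - run: npm ci --ignore-scripts   # install without running package lifecycle scripts
      - run: npm audit --audit-level=high
  trivy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: docker build -t local/app:ci .   # assumes a Dockerfile at the repo root
      - uses: aquasecurity/trivy-action@0.28.0 # assumed pin
        with:
          scan-type: image
          image-ref: local/app:ci
          severity: HIGH,CRITICAL
          ignore-unfixed: true   # only fixable HIGH/CRITICAL findings fail the job
          exit-code: "1"
```

Each job fails independently, so a PR check shows which scanner objected without re-running the others.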
Acceptance criteria
Priority rationale
High: secret + dep scanning is table stakes for any open-source repo with portfolio visibility.
Depends on
#9