
[Cogitations] Add security scanning to CI (pip-audit + bandit) #5

@zircote


Quality Gate Reference

  • Checklist Item(s): CCD-005 (Security Scanning, score 0.0), SEC-002 (Dep Vuln Scanning, score 0.4)
  • Current Score: CI/CD 15/100, Security 85/100 — CCD-005 is Tier 1 blocker
  • Impact: High — closes two items across domains
  • Effort: Low

Description

No security scanning exists in CI. dependabot.yml covers GitHub Actions ecosystem only, not Python dependencies. A ci.yml with a security job has been created locally but needs pip-audit and bandit configured.

Implementation Plan

  1. Add pip-audit to CI security job (already stubbed in ci.yml)
  2. Add bandit for Python SAST scanning
  3. Configure bandit in pyproject.toml: skip B101 (assert in tests)
  4. Extend dependabot.yml to include pip ecosystem
  5. Add .gitignore patterns for secret files (.env, *.pem, *.key)
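One way the security job could look once steps 1 to 3 are done (an added example, not the ci.yml from this repository; the editable project install, the Python version, the action tags and the `[tool.bandit]` section with `skips = ["B101"]` in pyproject.toml are assumptions):

```yaml
# .github/workflows/ci.yml (added example; job layout and paths are assumptions)
name: ci

on:
  push:
  pull_request:

# Scanners only need to read the checkout; grant nothing else to the token.
permissions:
  contents: read

jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"   # assumed project interpreter

      - name: Install project and scanners
        run: |
          python -m pip install --upgrade pip
          # Assumes a pyproject-based package; installing it resolves the
          # real dependency set that pip-audit will inspect below.
          python -m pip install -e .
          # bandit[toml] lets bandit read its config from pyproject.toml
          python -m pip install pip-audit "bandit[toml]"

      - name: Dependency vulnerability scan (SEC-002)
        # Audits the installed environment against PyPI advisories.
        # --strict fails the job if any package could not be checked,
        # so an unauditable dependency cannot pass silently.
        run: pip-audit --strict

      - name: Python SAST (CCD-005)
        # -c pyproject.toml loads [tool.bandit]; that section is assumed to
        # carry skips = ["B101"] so assert statements in tests are not flagged.
        run: bandit -c pyproject.toml -r .
```

Both scan steps exit non-zero on findings, so the job itself is the gate; no extra result parsing is needed.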

Cross-Domain Impact

  • Fixes CCD-005 (security scanning in CI) — CI/CD domain
  • Improves SEC-002 (dependency vulnerability scanning) — Security domain

Acceptance Criteria

  • CCD-005 score → 1.0 (security scanning in pipeline)
  • SEC-002 score → ≥0.8
  • pip-audit and bandit pass in CI
  • No regression in other domain scores

References

  • pip-audit — PyPA-endorsed dependency scanner
  • bandit — Python SAST tool

Generated by Cogitations /cog-discover
