main to develop

.github/workflows/advanced-security.yml

@@ -0,0 +1,31 @@
+name: Advanced Security Audit
+on:
+  pull_request:
+    branches: [ coreason-develop, main ]
+
+permissions: read-all
+
+jobs:
+  dependency-review:
+    name: Dependency Review
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@c95a14d0e5bab51a9f56296a4eb0e416910cd350 # v2.19.1
+        with:
+          egress-policy: audit
+
+      - name: Checkout Repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Dependency Review
+        uses: actions/dependency-review-action@3b139cfc5fae8b618d3eae3675e383bb1769c019 # v4.5.0
+        with:
+          comment-summary-in-pr: always
+          fail-on-severity: high
+          deny-licenses: AGPL-1.0, AGPL-3.0, GPL-1.0, GPL-2.0, GPL-3.0, LGPL-2.0, LGPL-2.1, LGPL-3.0
+
+

.github/workflows/bandit.yml

@@ -0,0 +1,35 @@
+name: Bandit Security Scan
+
+on:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    branches: [ "main" ]
+  schedule:
+    - cron: '0 0 * * *'
+
+permissions:
+  contents: read
+  security-events: write
+  actions: read
+
+jobs:
+  bandit:
+    name: Bandit Scan
+    runs-on: ubuntu-latest
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: "Install Bandit"
+        run: pip install bandit[sarif]
+
+      - name: "Run Bandit"
+        run: bandit -r src -f sarif -o bandit-results.sarif || true
+
+      - name: "Upload Bandit results"
+        uses: github/codeql-action/upload-sarif@458d36d7d4f47d0dd16ca424c1d3cda0060f1360 # v3.28.8
+        with:
+          sarif_file: 'bandit-results.sarif'
+
+

.github/workflows/ci.yml

@@ -134,3 +134,5 @@ jobs:
       - name: Verify SHA256 sum
         run: sha256sum dist/*.whl
         shell: bash
+
+

.github/workflows/container-scan.yml

@@ -37,3 +37,5 @@ jobs:
         with:
           sarif_file: 'trivy-results.sarif'
         continue-on-error: true
+
+

.github/workflows/osv-scanner.yml

@@ -0,0 +1,21 @@
+name: OSV-Scanner
+on:
+  push:
+    branches: [main, coreason-develop]
+  pull_request:
+    branches: [main, coreason-develop]
+  schedule:
+    - cron: '0 0 * * 1'
+
+permissions: read-all
+
+jobs:
+  scan:
+    name: OSV-Scanner
+    permissions:
+      actions: read
+      security-events: write
+      contents: read
+    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@764c91816374ff2d8fc2095dab36eecd42d61638" # v1.9.1
+
+

.github/workflows/publish.yml

@@ -4,8 +4,10 @@
   push:
     tags:
       - 'v*.*.*'
+      - '*.*.*'
   release:
     types: [published]
+  workflow_dispatch:
 
 permissions:
   contents: write
@@ -120,6 +122,12 @@
 
       - uses: actions/checkout@v4
 
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
       - name: Log in to GitHub Container Registry
         uses: docker/login-action@v3
         with:
@@ -144,6 +152,7 @@
         with:
           context: .
           push: true
+          platforms: linux/amd64,linux/arm64
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
 

.github/workflows/scorecard.yml

@@ -0,0 +1,39 @@
+name: Scorecard supply-chain security
+on:
+  branch_protection_rule:
+  schedule:
+    - cron: '30 1 * * 6'
+  push:
+    branches: [ "main" ]
+
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      id-token: write
+      contents: read
+      actions: read
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          publish_results: true
+
+      - name: "Upload results"
+        uses: github/codeql-action/upload-sarif@458d36d7d4f47d0dd16ca424c1d3cda0060f1360 # v3.28.8
+        with:
+          sarif_file: results.sarif
+
+

.github/workflows/security.yml

@@ -84,3 +84,5 @@ jobs:
             pip-audit-report.html
             npm-audit.json
           retention-days: 14
+
+

.github/workflows/trivy.yml

@@ -0,0 +1,37 @@
+name: Trivy Security Scan
+
+on:
+  push:
+    branches: [ "main", "coreason-develop", "feat/add-security-scans" ]
+  pull_request:
+    branches: [ "main", "coreason-develop" ]
+
+permissions: read-all
+
+jobs:
+  trivy:
+    name: Trivy Vulnerability Scanner
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+
+      - name: Run Trivy vulnerability scanner in repo mode
+        uses: aquasecurity/trivy-action@314ff8b43182423b84c50b1670b0e10f858f2d98
+        with:
+          scan-type: 'fs'
+          ignore-unfixed: true
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          severity: 'CRITICAL,HIGH'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@458d36d7d4f47d0dd16ca424c1d3cda0060f1360 # v3.35.5
+        with:
+          sarif_file: 'trivy-results.sarif'

.github/workflows/trufflehog.yml

@@ -0,0 +1,29 @@
+name: TruffleHog Secret Scan
+
+on:
+  push:
+    branches: [ "main", "coreason-develop", "feat/add-security-scans" ]
+  pull_request:
+    branches: [ "main", "coreason-develop" ]
+
+permissions: read-all
+
+jobs:
+  trufflehog:
+    name: TruffleHog Secret Scanner
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+
+      - name: TruffleHog OSS
+        uses: trufflesecurity/trufflehog@0fa069c12f0c7baf431041cd1e564a9c5058846c
+        with:
+          path: ./
+          extra_args: --debug --only-verified

.github/workflows/zap-dast.yml

@@ -0,0 +1,38 @@
+name: OWASP ZAP DAST Scan
+
+on:
+  push:
+    branches: [ "main", "coreason-develop", "feat/add-security-scans" ]
+  pull_request:
+    branches: [ "main", "coreason-develop" ]
+  workflow_dispatch:
+
+permissions: read-all
+
+jobs:
+  zap_scan:
+    name: OWASP ZAP Baseline Scan
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      issues: write
+      security-events: write
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+
+      # Note: In a real environment, you would start your application here
+      # e.g., docker-compose up -d
+      # For now, we will scan a placeholder/demo target or skip if no target is running.
+      # To fully enable, replace target with your staging URL.
+
+      - name: ZAP Baseline Scan
+        uses: zaproxy/action-baseline@f948cb8d66e25e330a23e64e3fc72a5c0018b16d # master
+        continue-on-error: true # DAST scans can be noisy, so we prevent failing the build initially
+        with:
+          target: 'https://coreason.ai/' # Placeholder target for the baseline
+          rules_file_name: '.zap/rules.tsv'
+          cmd_options: '-a'

Dockerfile

@@ -45,4 +45,4 @@ COPY --from=builder /wheels /wheels
 # Install the application wheel
 RUN uv pip install --no-cache /wheels/*.whl
 
-CMD ["python", "-m", "coreason_meta_engineering.main"]
+CMD ["coreason-meta-mcp"]