feat: integrate enterprise security scanning suite

.github/workflows/advanced-security.yml

@@ -0,0 +1,31 @@
+name: Advanced Security Audit
+on:
+  pull_request:
+    branches: [ coreason-develop, main ]
+
+permissions: read-all
+
+jobs:
+  dependency-review:
+    name: Dependency Review
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@c95a14d0e5bab51a9f56296a4eb0e416910cd350 # v2.19.1
+        with:
+          egress-policy: audit
+
+      - name: Checkout Repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Dependency Review
+        uses: actions/dependency-review-action@3b139cfc5fae8b618d3eae3675e383bb1769c019 # v4.5.0
+        with:
+          comment-summary-in-pr: always
+          fail-on-severity: high
+          deny-licenses: AGPL-1.0, AGPL-3.0, GPL-1.0, GPL-2.0, GPL-3.0, LGPL-2.0, LGPL-2.1, LGPL-3.0
+
+

.github/workflows/bandit.yml

@@ -0,0 +1,36 @@
+name: Bandit Security Scan
+
+on:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    branches: [ "main" ]
+  schedule:
+    - cron: '0 0 * * *'
+
+permissions: read-all
+
+jobs:
+  bandit:
+    name: Bandit Scan
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+      actions: read
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: "Install Bandit"
+        run: pip install bandit[sarif]
+
+      - name: "Run Bandit"
+        run: bandit -r . -f sarif -o bandit-results.sarif || true
+
+      - name: "Upload Bandit results"
+        uses: github/codeql-action/upload-sarif@458d36d7d4f47d0dd16ca424c1d3cda0060f1360 # v3.28.8
+        with:
+          sarif_file: 'bandit-results.sarif'
+
+

.github/workflows/ci.yml

@@ -7,8 +7,7 @@ on:
       - develop
   pull_request:
 
-permissions:
-  contents: read
+permissions: read-all
 
 env:
   FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
@@ -21,6 +20,8 @@ jobs:
   lint-and-audit:
     runs-on: [self-hosted, hetzner, x64]
     timeout-minutes: 30
+    permissions:
+      contents: read
     env:
       TEMPORAL_CI_NAMESPACE: ci-${{ github.repository_id }}-${{ github.run_id }}-${{ github.run_attempt }}-${{ github.job }}
       COMPOSE_PROJECT_NAME: ci-${{ github.repository_id }}-${{ github.run_id }}-${{ github.run_attempt }}-${{ github.job }}
@@ -33,7 +34,7 @@ jobs:
         run: sudo chown -R $(whoami):$(whoami) ${{ github.workspace }} || true
 
       - name: Harden Runner
-        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        uses: step-security/harden-runner@c95a14d0e5bab51a9f56296a4eb0e416910cd350 # v2.19.3
         with:
           egress-policy: audit
 
@@ -102,6 +103,8 @@ jobs:
   security-sast:
     runs-on: [self-hosted, hetzner, x64]
     timeout-minutes: 30
+    permissions:
+      contents: read
     env:
       TEMPORAL_CI_NAMESPACE: ci-${{ github.repository_id }}-${{ github.run_id }}-${{ github.run_attempt }}-${{ github.job }}
       COMPOSE_PROJECT_NAME: ci-${{ github.repository_id }}-${{ github.run_id }}-${{ github.run_attempt }}-${{ github.job }}
@@ -114,7 +117,7 @@ jobs:
         run: sudo chown -R $(whoami):$(whoami) ${{ github.workspace }} || true
 
       - name: Harden Runner
-        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        uses: step-security/harden-runner@c95a14d0e5bab51a9f56296a4eb0e416910cd350 # v2.19.3
         with:
           egress-policy: audit
 
@@ -153,6 +156,8 @@ jobs:
     if: always() && needs.lint-and-audit.result == 'success' && needs.security-sast.result == 'success'
     runs-on: [self-hosted, hetzner, x64]
     timeout-minutes: 30
+    permissions:
+      contents: read
     env:
       TEMPORAL_CI_NAMESPACE: ci-${{ github.repository_id }}-${{ github.run_id }}-${{ github.run_attempt }}-${{ github.job }}
       COMPOSE_PROJECT_NAME: ci-${{ github.repository_id }}-${{ github.run_id }}-${{ github.run_attempt }}-${{ github.job }}
@@ -165,7 +170,7 @@ jobs:
         run: sudo chown -R $(whoami):$(whoami) ${{ github.workspace }} || true
 
       - name: Harden Runner
-        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        uses: step-security/harden-runner@c95a14d0e5bab51a9f56296a4eb0e416910cd350 # v2.19.3
         with:
           egress-policy: audit
 
@@ -219,6 +224,8 @@ jobs:
     needs: [test]
     runs-on: [self-hosted, hetzner, x64]
     timeout-minutes: 30
+    permissions:
+      contents: read
     env:
       TEMPORAL_CI_NAMESPACE: ci-${{ github.repository_id }}-${{ github.run_id }}-${{ github.run_attempt }}-${{ github.job }}
       COMPOSE_PROJECT_NAME: ci-${{ github.repository_id }}-${{ github.run_id }}-${{ github.run_attempt }}-${{ github.job }}
@@ -231,7 +238,7 @@ jobs:
         run: sudo chown -R $(whoami):$(whoami) ${{ github.workspace }} || true
 
       - name: Harden Runner
-        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        uses: step-security/harden-runner@c95a14d0e5bab51a9f56296a4eb0e416910cd350 # v2.19.3
         with:
           egress-policy: audit
 
@@ -282,3 +289,5 @@ jobs:
           if [ -f "compose.yaml" ]; then docker compose down -v || true; fi
           sudo chown -R $(whoami):$(whoami) ${{ github.workspace }}
         shell: bash
+
+

.github/workflows/container-scan.yml

@@ -7,8 +7,7 @@ on:
     branches: [ "develop", "main" ]
 
 
-permissions:
-  contents: read
+permissions: read-all
 
 jobs:
   trivy:
@@ -41,3 +40,5 @@ jobs:
         with:
           sarif_file: 'trivy-results.sarif'
         continue-on-error: true
+
+

.github/workflows/docs.yml

@@ -24,7 +24,7 @@ jobs:
       url: ${{ steps.deployment.outputs.page_url }}
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        uses: step-security/harden-runner@c95a14d0e5bab51a9f56296a4eb0e416910cd350 # v2.19.3
         with:
           egress-policy: audit
 
@@ -57,3 +57,5 @@ jobs:
       - name: Deploy to GitHub Pages
         id: deployment
         uses: actions/deploy-pages@cd2ce8fcbc39b97be8ca5fce6e763baed58fa128 # v5.0.0
+
+

.github/workflows/nightly-fuzzing.yml

@@ -5,8 +5,7 @@ on:
     - cron: "0 3 * * *"
   workflow_dispatch:
 
-permissions:
-  contents: read
+permissions: read-all
 
 env:
   UV_PYTHON_PREFERENCE: "only-managed"
@@ -16,9 +15,11 @@ jobs:
   hypothesis-fuzz:
     runs-on: [self-hosted, hetzner, x64]
     timeout-minutes: 30
+    permissions:
+      contents: read
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        uses: step-security/harden-runner@c95a14d0e5bab51a9f56296a4eb0e416910cd350 # v2.19.3
         with:
           egress-policy: audit
 
@@ -48,3 +49,5 @@ jobs:
           name: hypothesis-examples
           path: .hypothesis/
           retention-days: 7
+
+

.github/workflows/osv-scanner.yml

@@ -0,0 +1,21 @@
+name: OSV-Scanner
+on:
+  push:
+    branches: [main, coreason-develop]
+  pull_request:
+    branches: [main, coreason-develop]
+  schedule:
+    - cron: '0 0 * * 1'
+
+permissions: read-all
+
+jobs:
+  scan:
+    name: OSV-Scanner
+    permissions:
+      actions: read
+      security-events: write
+      contents: read
+    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@764c91816374ff2d8fc2095dab36eecd42d61638" # v1.9.1
+
+

.github/workflows/publish.yml

@@ -8,12 +8,7 @@ on:
   release:
     types: [published]
 
-permissions:
-  contents: write
-  id-token: write # Required for PyPI OIDC Trusted Publishing and Sigstore
-  pages: write    # Required for GitHub Pages deployment
-  actions: read   # Required for SBOM artifact access and download
-  attestations: write # Required for SLSA build provenance
+permissions: read-all
 
 env:
   UV_PYTHON_PREFERENCE: "only-managed"
@@ -28,9 +23,15 @@ jobs:
     runs-on: [self-hosted, hetzner, x64]
     timeout-minutes: 30
     environment: pypi
+    permissions:
+      contents: write
+      id-token: write # Required for PyPI OIDC Trusted Publishing and Sigstore
+      pages: write    # Required for GitHub Pages deployment
+      actions: read   # Required for SBOM artifact access and download
+      attestations: write # Required for SLSA build provenance
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        uses: step-security/harden-runner@c95a14d0e5bab51a9f56296a4eb0e416910cd350 # v2.19.3
         with:
           egress-policy: audit
 
@@ -114,7 +115,7 @@ jobs:
       attestations: write
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        uses: step-security/harden-runner@c95a14d0e5bab51a9f56296a4eb0e416910cd350 # v2.19.3
         with:
           egress-policy: audit
 
@@ -175,3 +176,5 @@ jobs:
           subject-name: ghcr.io/coreason-ai/coreason-runtime
           subject-digest: ${{ steps.build-and-push.outputs.digest }}
           push-to-registry: true
+
+

.github/workflows/scorecard.yml

@@ -0,0 +1,39 @@
+name: Scorecard supply-chain security
+on:
+  branch_protection_rule:
+  schedule:
+    - cron: '30 1 * * 6'
+  push:
+    branches: [ "main" ]
+
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      id-token: write
+      contents: read
+      actions: read
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          publish_results: true
+
+      - name: "Upload results"
+        uses: github/codeql-action/upload-sarif@458d36d7d4f47d0dd16ca424c1d3cda0060f1360 # v3.28.8
+        with:
+          sarif_file: results.sarif
+
+

.github/workflows/security.yml

@@ -9,16 +9,15 @@ on:
     - cron: '0 0 * * *'
   workflow_dispatch:
 
-permissions:
-  contents: read
-  security-events: write
-  actions: read
+permissions: read-all
 
 jobs:
   secret-scan:
     name: Secret Scanning
     runs-on: [self-hosted, hetzner, x64]
     timeout-minutes: 30
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
@@ -35,9 +34,13 @@ jobs:
     name: Software Composition Analysis
     runs-on: [self-hosted, hetzner, x64]
     timeout-minutes: 30
+    permissions:
+      contents: read
+      security-events: write
+      actions: read
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        uses: step-security/harden-runner@c95a14d0e5bab51a9f56296a4eb0e416910cd350 # v2.19.3
         with:
           egress-policy: audit
 
@@ -86,3 +89,5 @@ jobs:
             pip-audit-report.html
             npm-audit.json
           retention-days: 14
+
+