Groupthink-dev · piersdd · Apr 18, 2026 · Apr 18, 2026
diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml
@@ -17,6 +17,9 @@ jobs:
         with:
           node-version: "22"
 
+      - name: Configure git for private deps
+        run: git config --global url."https://x-access-token:${{ github.token }}@github.com/".insteadOf "git+ssh://git@github.com/"
+
       - name: Install deps
         run: npm ci
 
@@ -26,6 +29,9 @@ jobs:
       - name: Validate pack manifests
         run: node scripts/validate-packs.js
 
+      - name: Security scan
+        run: node scripts/security-scan.js
+
       - name: Test build scripts
         run: node --test scripts/*.test.js
 

diff --git a/Makefile b/Makefile
@@ -1,4 +1,4 @@
-.PHONY: sync-pack-spec validate validate-packs validate-all validate-manifests build-api generate contracts test clean
+.PHONY: sync-pack-spec validate validate-packs scan-packs validate-all validate-manifests build-api generate contracts test clean
 
 # Optional: path to sealed pack YAMLs (private repo).
 # Set PRIVATE_PACKS_DIR to include sealed packs in the build.
@@ -55,8 +55,15 @@ validate-packs: sync-pack-spec generate
 	@PRIVATE_PACKS_DIR=$(PRIVATE_PACKS_DIR) node scripts/validate-packs.js
 	@echo "Done."
 
+# Security scan all pack YAML files (DD-147).
+# Runs SINJ prompt injection detection and cross-pack clone detection.
+scan-packs:
+	@echo "Security scanning pack manifests..."
+	@node scripts/security-scan.js
+	@echo "Done."
+
 # Validate everything.
-validate-all: validate validate-packs
+validate-all: validate validate-packs scan-packs
 
 # Validate manifests in sibling repos.
 # Canonical filename: stallari-plugin.yaml

diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -6,5 +6,8 @@
   },
   "dependencies": {
     "yaml": "^2.7.0"
+  },
+  "devDependencies": {
+    "stallari-secops-scanner": "github:Groupthink-dev/stallari-secops-scanner"
   }
 }