feat(security): Add comprehensive security scanning infrastructure #97

Merged: berntpopp merged 5 commits into main from feature/security-scanning-infrastructure on Nov 30, 2025

@berntpopp

Owner

Summary

  • Add multi-layered security scanning to CI/CD pipeline
  • pip-audit and Bandit for Python security
  • eslint-plugin-security and npm audit for JavaScript
  • CodeQL SAST for both languages
  • Dockle CIS benchmark scanning for Docker images
  • Dependency Review action to block vulnerable PRs

Changes

New Workflows

  • security.yml - pip-audit, Bandit, npm audit scans
  • codeql.yml - GitHub CodeQL SAST (Python + JavaScript)

Updated Workflows

  • docker-publish.yml - Added Dockle CIS benchmark scanning
  • ci.yml - Added dependency-review action for PR blocking

New Files

  • SECURITY.md - Security policy with vulnerability reporting
  • plan/01-active/SECURITY-SCANNING-PLAN.md - Implementation plan

Dependencies

  • Python: pip-audit, bandit[toml]
  • Frontend: eslint-plugin-security

Makefile Targets

make security            # Run all scans
make security-python     # pip-audit + Bandit
make security-frontend   # npm audit + ESLint

Test plan

  • pip-audit runs locally (found urllib3 vulns)
  • Bandit via Ruff works
  • Standalone Bandit works with config
  • ESLint with security plugin works (23 warnings)
  • make check passes
  • CI workflows pass on this PR

Add multi-layered security scanning to CI/CD pipeline:

Python Security:
- pip-audit for dependency vulnerability scanning
- Bandit SAST via Ruff and standalone for SARIF output
- Configuration in pyproject.toml

JavaScript Security:
- eslint-plugin-security for SAST rules
- npm audit scripts for dependency scanning

CI/CD Workflows:
- security.yml: pip-audit, Bandit, npm audit scans
- codeql.yml: GitHub CodeQL SAST for Python and JavaScript
- docker-publish.yml: Added Dockle CIS benchmark scanning
- ci.yml: Added dependency-review action for PR blocking

Infrastructure:
- Makefile targets: security, security-python, security-frontend
- SECURITY.md policy with vulnerability reporting guidelines
- Comprehensive plan in plan/01-active/SECURITY-SCANNING-PLAN.md

All scans upload SARIF to GitHub Security tab for centralized
vulnerability management.
@github-advanced-security


This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

The PyCQA/bandit-action uses Python 3.8 and doesn't support pyproject.toml
config properly. This change:

- Adds bandit[sarif] extra for SARIF output format
- Runs bandit directly with uv sync instead of the action
- Uploads results to GitHub Security tab
- Disables license-check in dependency-review (focus on vulns)
- Uses fail-on-scopes: runtime to skip dev dependency checks

Copilot AI left a comment

Contributor

Pull request overview

This PR establishes a comprehensive security scanning infrastructure for the Phentrieve project, adding multiple layers of automated security checks to the CI/CD pipeline. The implementation addresses gaps in Python/JavaScript dependency scanning, SAST analysis, container compliance checking, and PR-level vulnerability blocking.

Key Changes:

  • Added Python security scanning with pip-audit and Bandit with SARIF output
  • Integrated JavaScript security scanning using npm audit and eslint-plugin-security
  • Implemented CodeQL SAST analysis for both Python and JavaScript codebases
  • Added Dockle CIS benchmark compliance checking for Docker images
  • Configured Dependency Review action to block PRs introducing vulnerable dependencies

Reviewed changes

Copilot reviewed 10 out of 12 changed files in this pull request and generated 2 comments.

| File | Description |
| --- | --- |
| pyproject.toml | Added pip-audit and bandit with TOML/SARIF support to dev dependencies; configured Bandit exclusions and skipped checks |
| frontend/package.json | Added eslint-plugin-security dev dependency and npm audit scripts (audit, audit:prod, audit:fix) |
| frontend/eslint.config.js | Integrated eslint-plugin-security with recommended rules and tuned settings for common false positives |
| SECURITY.md | Created security policy documenting vulnerability reporting process, supported versions, and security measures |
| Makefile | Added security scanning targets: security, security-python, security-frontend, security-audit, security-report |
| .github/workflows/security.yml | New workflow for pip-audit, Bandit, and npm audit with SARIF uploads and security summary |
| .github/workflows/docker-publish.yml | Added Dockle CIS benchmark scanning for both API and frontend Docker images |
| .github/workflows/codeql.yml | New CodeQL SAST workflow scanning Python and JavaScript with extended security queries |
| .github/workflows/ci.yml | Added dependency-review action to block PRs with high-severity vulnerabilities in runtime dependencies |
| plan/01-active/SECURITY-SCANNING-PLAN.md | Comprehensive implementation plan documenting security scanning strategy, tools, and rollout phases |
Files not reviewed (1)
  • frontend/package-lock.json: Language not supported


Comment thread .github/workflows/ci.yml
ci-summary:
name: CI Summary
needs: [changes, python-ci, frontend-ci, docker-build-test]
needs: [changes, python-ci, frontend-ci, docker-build-test, dependency-review]
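
Review bot: Adding dependency-review to the needs: list of ci-summary ties the summary job to that job's outcome, and nothing in these lines shows ci-summary carrying an if: condition. By default a job is skipped when one of its needs is skipped, so if dependency-review does not run on every event, confirm ci-summary has if: always() and put a short comment beside the needs: line stating which jobs are allowed to be skipped.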

Copilot AI Nov 30, 2025


The ci-summary job unconditionally depends on dependency-review, but dependency-review only runs on pull requests (if: github.event_name == 'pull_request'). This will cause the summary job to be skipped on push events to main/develop branches. Add 'if: always()' to dependency-review in the needs array or make the dependency conditional.

Comment thread .github/workflows/ci.yml
Comment on lines +246 to +249
if [[ "${{ needs.dependency-review.result }}" == "failure" ]]; then
echo "❌ Dependency review found vulnerabilities"
exit 1
fi
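
Review bot: The comparison == "failure" on the first line lets a cancelled dependency-review pass, since needs.<job>.result can also be cancelled or skipped. Consider blocking on every value other than success and skipped, and accepting skipped only when the event is not a pull request, so the gate fails closed.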

Copilot AI Nov 30, 2025


This check will fail when dependency-review is skipped (on non-PR events), as the result will be 'skipped' not 'success'. Add a condition to only check when the job actually ran: if [[ "${{ needs.dependency-review.result }}" == "failure" ]]; then

Address Copilot review feedback:
- Add comment documenting that dependency-review only runs on PRs
- Add step summary table for better visibility
- Comment clarifies that 'skipped' state is expected on push events

The existing check (result == "failure") correctly handles skipped jobs -
it only fails on actual failures, not on skipped state.
@berntpopp

Owner Author

Addressed Copilot Review Feedback

Fixed in commit 65e17a5:

Issue 1 (dependency-review conditional dependency):

  • Added a comment documenting that dependency-review only runs on PRs
  • The if: always() on ci-summary ensures it runs regardless of dependency status

Issue 2 (handling skipped state):

  • The existing check result == "failure" correctly handles this - it only fails on actual failures, not on the 'skipped' state
  • Added a comment clarifying this behavior
  • Improved step summary with a markdown table for better visibility

The workflow correctly handles both scenarios:

  • PR events: dependency-review runs and result is checked
  • Push events: dependency-review is skipped, ci-summary still runs (via if: always()), and the failure check passes since skipped != failure

@berntpopp berntpopp merged commit b4b4ebb into main Nov 30, 2025
17 checks passed
@berntpopp berntpopp deleted the feature/security-scanning-infrastructure branch November 30, 2025 16:47
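
The skipped-versus-failure handling discussed in the review thread above, as an added example that is not part of the PR or the project's workflow: a stricter, fail-closed variant of the result check that also covers cancelled and unexpected values. The helper name `evaluate_gate` and the event/result pairs are constructed for illustration; in a workflow the two arguments would come from `${{ github.event_name }}` and `${{ needs.dependency-review.result }}`.

```shell
#!/usr/bin/env bash
# Added example (not the project's workflow code): fail-closed handling of
# the four values a needs.<job>.result can take.

# evaluate_gate EVENT RESULT
# Prints a verdict and returns 0 (pass) or 1 (block). Hypothetical helper.
evaluate_gate() {
  case "$2" in
    success)
      echo "pass: dependency-review succeeded"; return 0 ;;
    skipped)
      # A skip is expected only on events the job's own `if:` excludes.
      if [ "$1" = "pull_request" ]; then
        echo "block: dependency-review was skipped on a pull_request"
        return 1
      fi
      echo "pass: dependency-review does not apply to $1 events"; return 0 ;;
    failure)
      echo "block: dependency-review found vulnerabilities"; return 1 ;;
    cancelled)
      echo "block: dependency-review was cancelled before finishing"; return 1 ;;
    *)
      # Empty or unknown values block too, so the gate never passes by default.
      echo "block: unexpected result '$2'"; return 1 ;;
  esac
}

# Constructed event:result pairs; prints one verdict per pair.
run_samples() {
  for pair in pull_request:success pull_request:failure pull_request:skipped \
              pull_request:cancelled push:skipped push:; do
    printf '%-28s' "$pair"
    evaluate_gate "${pair%%:*}" "${pair#*:}" || true
  done
}

run_samples
```

Compared with a bare `== "failure"` test, this blocks a cancelled run and a skip on a pull request, the two cases where the dependency gate would otherwise be bypassed without a red check.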