fix(security): harden supply chain and resolve dependency alerts

- Pin all reusable workflow refs to SHA digests (org-infra@32b8e9b)
- Pin Dockerfile base image to digest
- Add SECURITY.md with vulnerability reporting guidelines
- Add .github/dependabot.yml for automated dependency updates
- Update package-lock.json resolving 6 of 7 Dependabot alerts
  (vite, postcss, @babel/plugin-transform-modules-systemjs, lodash)

Resolves: OpenSSF Scorecard alerts #1, #2, #3, #4, #5, #6, #7, #9, #27
Resolves: Dependabot alerts #15-20, #22
Signed-off-by: sonupreetam <spreetam@redhat.com>
Co-authored-by: Cursor <cursoragent@cursor.com>

Author: sonupreetam

.devcontainer/Dockerfile

@@ -1,4 +1,4 @@
-FROM mcr.microsoft.com/devcontainers/base:ubuntu-22.04
+FROM mcr.microsoft.com/devcontainers/base:ubuntu-22.04@sha256:253b0ee40a5afd4f295640f9f90aed206953962fab56bfa14d9fcb593f33dc47
 
 # hadolint ignore=DL3008
 RUN apt-get update && \

.github/dependabot.yml

@@ -0,0 +1,41 @@
+---
+version: 2
+updates:
+  - package-ecosystem: npm
+    directory: /
+    schedule:
+      interval: weekly
+      day: monday
+    open-pull-requests-limit: 10
+    labels:
+      - dependencies
+      - automated
+
+  - package-ecosystem: gomod
+    directory: /
+    schedule:
+      interval: weekly
+      day: monday
+    open-pull-requests-limit: 5
+    labels:
+      - dependencies
+      - automated
+
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: weekly
+      day: monday
+    open-pull-requests-limit: 5
+    labels:
+      - dependencies
+      - automated
+
+  - package-ecosystem: docker
+    directory: /.devcontainer
+    schedule:
+      interval: monthly
+    open-pull-requests-limit: 3
+    labels:
+      - dependencies
+      - automated

.github/workflows/ci_checks.yml

@@ -17,7 +17,7 @@ permissions:
 jobs:
   call_reusable_ci:
     name: Standardized CI
-    uses: complytime/org-infra/.github/workflows/reusable_ci.yml@main
+    uses: complytime/org-infra/.github/workflows/reusable_ci.yml@32b8e9b381a33fc4c3f8768856b11d94655f20c4 # main
     permissions:
       contents: read
       issues: read

.github/workflows/ci_dependencies.yml

@@ -17,11 +17,11 @@ permissions:
 jobs:
   call_deps_reviewer:
     name: General
-    uses: complytime/org-infra/.github/workflows/reusable_deps_reviewer.yml@main
+    uses: complytime/org-infra/.github/workflows/reusable_deps_reviewer.yml@32b8e9b381a33fc4c3f8768856b11d94655f20c4 # main
 
   call_dependabot_reviewer:
     name: Dependabot
-    uses: complytime/org-infra/.github/workflows/reusable_dependabot_reviewer.yml@main
+    uses: complytime/org-infra/.github/workflows/reusable_dependabot_reviewer.yml@32b8e9b381a33fc4c3f8768856b11d94655f20c4 # main
 
   comment_on_dependabot_prs:
     name: Dependabot Comment

.github/workflows/ci_scheduled.yml

@@ -19,4 +19,4 @@ jobs:
       actions: read
       security-events: write
       id-token: write
-    uses: complytime/org-infra/.github/workflows/reusable_scheduled.yml@main
+    uses: complytime/org-infra/.github/workflows/reusable_scheduled.yml@32b8e9b381a33fc4c3f8768856b11d94655f20c4 # main

.github/workflows/ci_security.yml

@@ -25,12 +25,12 @@ jobs:
       security-events: write
       id-token: write
       packages: write
-    uses: complytime/org-infra/.github/workflows/reusable_vuln_scan.yml@main
+    uses: complytime/org-infra/.github/workflows/reusable_vuln_scan.yml@32b8e9b381a33fc4c3f8768856b11d94655f20c4 # main
 
   call_reusable_security:
     name: OpenSSF Scorecards
     permissions:
       contents: read
       id-token: write
       security-events: write
-    uses: complytime/org-infra/.github/workflows/reusable_security.yml@main
+    uses: complytime/org-infra/.github/workflows/reusable_security.yml@32b8e9b381a33fc4c3f8768856b11d94655f20c4 # main

SECURITY.md

@@ -0,0 +1,42 @@
+# Security Policy
+
+## Supported Versions
+
+| Version | Supported          |
+| ------- | ------------------ |
+| latest  | :white_check_mark: |
+
+## Reporting a Vulnerability
+
+If you discover a security vulnerability in this project, please report it
+responsibly. **Do not open a public GitHub issue.**
+
+Instead, please use one of the following methods:
+
+1. **GitHub Security Advisory** (preferred): Use the
+   [private vulnerability reporting](https://github.com/complytime/website/security/advisories/new)
+   feature on this repository.
+
+2. **Email**: Send details to the maintainers listed in the repository's
+   `MAINTAINERS` file or reach out via the organization contact.
+
+### What to include
+
+- Description of the vulnerability
+- Steps to reproduce
+- Potential impact
+- Suggested fix (if any)
+
+### Response timeline
+
+- **Acknowledgment**: Within 5 business days of report
+- **Assessment**: Within 10 business days
+- **Fix or mitigation**: Depending on severity, typically within 30 days
+
+## Security Best Practices
+
+This project follows supply-chain security best practices:
+
+- GitHub Actions are pinned to full SHA digests
+- Dependencies are monitored via Dependabot and OSV-Scanner
+- OpenSSF Scorecard checks run on every push and on a daily schedule

config/postcss.config.js

@@ -1,6 +1,27 @@
 const autoprefixer = require('autoprefixer');
-const { purgeCSSPlugin } = require('@fullhuman/postcss-purgecss');
-const whitelister = require('purgecss-whitelister');
+const purgeCSSPlugin = require('@fullhuman/postcss-purgecss');
+const glob = require('glob');
+const fs = require('fs');
+const path = require('path');
+
+/**
+ * Extracts CSS selectors from SCSS/CSS files matching the given glob patterns.
+ * Replaces purgecss-whitelister to avoid its vulnerable lodash transitive dep.
+ */
+function whitelister(patterns) {
+    const selectors = new Set();
+    const files = patterns.flatMap((pattern) => glob.sync(pattern));
+    for (const file of files) {
+        const content = fs.readFileSync(path.resolve(file), 'utf8');
+        const matches = content.matchAll(
+            /(?:^|[\s,{;])([.#])([a-zA-Z_][\w-]*)/g
+        );
+        for (const match of matches) {
+            selectors.add(match[2]);
+        }
+    }
+    return [...selectors];
+}
 
 module.exports = {
     plugins: [