fix: resolve code scanning alerts across repo (#79)

Clear-text logging (10 alerts fixed):
- healthcare-hipaa/main.py: Added _redact() helper, masked patient data
- agent-mesh healthcare-hipaa/main.py: Masked patient ID in logs
- eu-ai-act-compliance/demo.py: Masked agent labels
- financial-sox/demo.py: Masked SSN-containing messages

URL sanitization (12 alerts fixed):
- test_rate_limiting_template.py: Use explicit equality for domain checks
- test_identity.py, test_coverage_boost.py: Use urlparse() for SPIFFE URIs
- service-worker.ts: Use new URL().hostname for platform detection

Workflow token permissions (3 alerts fixed):
- auto-merge-dependabot.yml, sbom.yml, codeql.yml: Top-level read-only
  permissions with write scopes pushed to job level

Workflow pinned dependencies (8 action refs pinned):
- dependency-review.yml, labeler.yml, pr-size.yml, stale.yml,
  welcome.yml, auto-merge-dependabot.yml: Pin to commit SHAs

Dockerfile/script dependency pinning (11 files):
- Pin pip install versions in Dockerfiles and shell scripts
- Add --no-cache-dir where missing

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: imran-siddique

.github/workflows/auto-merge-dependabot.yml

@@ -2,14 +2,16 @@
 name: Auto-merge Dependabot PRs
 on: pull_request
 permissions:
-  contents: write
-  pull-requests: write
+  contents: read
 jobs:
   auto-merge:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
     if: github.actor == 'dependabot[bot]'
     steps:
-      - uses: dependabot/fetch-metadata@v2
+      - uses: dependabot/fetch-metadata@21025c705c08248db411dc16f3619e6b5f9ea21a # v2.5.0
         id: metadata
       - name: Auto-approve patch and minor updates
         if: steps.metadata.outputs.update-type != 'version-update:semver-major'

.github/workflows/codeql.yml

@@ -10,12 +10,13 @@ on:
 
 permissions:
   contents: read
-  security-events: write
-  actions: read
 
 jobs:
   analyze:
     name: Analyze
+    permissions:
+      security-events: write
+      actions: read
     runs-on: ubuntu-latest
     continue-on-error: true
     strategy:

.github/workflows/dependency-review.yml

@@ -10,8 +10,8 @@ jobs:
   dependency-review:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/dependency-review-action@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/dependency-review-action@da24556b548a50705dd671f47852072ea4c105d9 # v4.7.1
         with:
           fail-on-severity: moderate
           comment-summary-in-pr: always

.github/workflows/labeler.yml

@@ -10,7 +10,7 @@ jobs:
   label:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/labeler@v5
+      - uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0
         with:
           repo-token: "${{ secrets.GITHUB_TOKEN }}"
           sync-labels: true

.github/workflows/pr-size.yml

@@ -10,7 +10,7 @@ jobs:
   size-label:
     runs-on: ubuntu-latest
     steps:
-      - uses: codelytv/pr-size-labeler@v1
+      - uses: codelytv/pr-size-labeler@4ec67706cd878fbc1c8db0a5dcd28b6bb412e85a # v1.10.3
         with:
           GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
           xs_label: "size/XS"

.github/workflows/sbom.yml

@@ -9,13 +9,15 @@ on:
   workflow_dispatch:
 
 permissions:
-  contents: write
-  id-token: write
-  attestations: write
+  contents: read
 
 jobs:
   sbom:
     name: Generate SBOM
+    permissions:
+      contents: write
+      id-token: write
+      attestations: write
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

.github/workflows/stale.yml

@@ -11,7 +11,7 @@ jobs:
   stale:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/stale@v9
+      - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9.1.0
         with:
           days-before-stale: 60
           days-before-close: 14

.github/workflows/welcome.yml

@@ -12,7 +12,7 @@ jobs:
   welcome:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/first-interaction@v1
+      - uses: actions/first-interaction@34f15f4562c5e4085ea721c63dadab8138be06db # v1.3.0
         with:
           repo-token: "${{ secrets.GITHUB_TOKEN }}"
           issue-message: |

packages/agent-hypervisor/examples/docker-compose/Dockerfile

@@ -2,12 +2,12 @@ FROM python:3.12-slim@sha256:d51616d5860ba60aa1786987d93b6aaebc05dd70f59f4cc36b0
 
 WORKDIR /app
 
-# Install the hypervisor package and API dependencies
+# Install the hypervisor package and API dependencies (pinned for reproducibility)
 RUN pip install --no-cache-dir \
-    agent-hypervisor[api] \
-    redis \
-    pyyaml \
-    httpx
+    "agent-hypervisor[api]>=0.1.0" \
+    redis==5.2.1 \
+    pyyaml==6.0.2 \
+    httpx==0.28.1
 
 COPY app/ /app/app/
 COPY config/ /app/config/

packages/agent-mesh/examples/03-healthcare-hipaa/main.py

@@ -23,6 +23,16 @@
 )
 
 
+def _redact(value, visible_chars: int = 0) -> str:
+    """Redact a sensitive value for safe logging."""
+    s = str(value)
+    if not s:
+        return "***"
+    if visible_chars > 0:
+        return s[:visible_chars] + "***"
+    return "***"
+
+
 class HealthcareAgent:
     """HIPAA-compliant healthcare data analysis agent."""
 
@@ -83,7 +93,7 @@ def detect_phi(self, data: Dict[str, Any]) -> bool:
 
     async def access_patient_data(self, patient_id: str, purpose: str) -> Dict[str, Any]:
         """Access patient data with HIPAA controls."""
-        print(f"📂 Accessing patient data: {patient_id[:3]}***")
+        print(f"📂 Accessing patient data: {_redact(patient_id, 3)}")
         print(f"   Purpose: {purpose}")
 
         # Check policy