ci(#557): add CodeQL, Scorecard, dependency-review, Bandit/pip-audit gates

[Knapp-Kevin]

Closes #557.

What

Adds the security/governance CI gates for SOC 2 readiness, reconciled against what already exists.

• codeql.yml — consumes _reusable-codeql.yml (languages: python); push/PR main + weekly cron.
• scorecard.yml — consumes _reusable-scorecard.yml; push main + weekly cron.
• dependency-review.yml — consumes _reusable-dependency-review.yml; PR-only, advisory: true (see below).
• security-scan.yml — vendored Bandit (blocking) + pip-audit (advisory); no reusable exists and the scan targets differ for mcp's flat layout. Actions SHA-pinned per P1: Complete GitHub Actions SHA-pinning + dep lockfile (SOC2 CC8.1 / OWASP LLM05·A06 / SSDF PO.5) #544.
• README — CodeQL + Security Scan status badges.

The three consumed templates are the SHA-pinned workflow_call reusables published by BicameralAI/bicameral-integrations, pinned @b1b52b5d1c37c8cfdd5f916a9558cbf019b66a6e (integrations main HEAD, 2026-06-08).

Scope corrections (vs the issue)

1. SBOM + attestation NOT added — already ships in publish.yml (CycloneDX 1.5 + Cosign/Rekor, release-integrated). Adding the SPDX reusable would duplicate a stronger existing gate.
2. No Scorecard badge — the reusable runs publish_results: false (org OIDC-publish policy); results upload to code-scanning as SARIF, but there is no public scorecard.dev badge to add.
3. dependency-review starts advisory — it requires the repo's Dependency Graph enabled; flip to advisory: false + fail-on-severity: moderate once Dependency Graph is confirmed on.

Verify on first run

• Cross-repo reusable access — this PR's CodeQL/Scorecard/dependency-review jobs resolve BicameralAI/bicameral-integrations reusables; if org/visibility policy refuses cross-repo workflow_call, they'll startup_failure and I'll vendor the three callers instead.

Refs

• P1: Complete GitHub Actions SHA-pinning + dep lockfile (SOC2 CC8.1 / OWASP LLM05·A06 / SSDF PO.5) #544 (Actions SHA-pinning — all new actions pinned)
• Badge block overlaps docs: refresh test + root READMEs (20-tool surface, retired mocks, e2e shelving) #565 (READMEs PR); whichever merges second rebases trivially.

Summary by CodeRabbit

• Chores
  • Added automated CodeQL security analysis to CI with scheduled and PR runs.
  • Implemented dependency-review on pull requests to detect vulnerable dependencies.
  • Added security scanning (Bandit and pip-audit) to surface code and dependency issues.
  • Integrated OpenSSF Scorecard for supply-chain security evaluation.
  • Added CI status badges to the README for visibility of security checks.

[coderabbitai]

Warning

Review limit reached

@jinhongkuan, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 39 minutes and 39 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 9919a104-dc2b-46b3-b331-5eed82b7c3a5

📥 Commits

Reviewing files that changed from the base of the PR and between 09f2aea and 6b79e9f.

📒 Files selected for processing (5)

• .github/workflows/codeql.yml
• .github/workflows/dependency-review.yml
• .github/workflows/scorecard.yml
• .github/workflows/security-scan.yml
• README.md

📝 Walkthrough

Walkthrough

This PR adds four CI security workflows (CodeQL, Dependency Review, OpenSSF Scorecard, Security Scan) plus README badges. Three workflows use SHA-pinned reusable templates; the Security Scan workflow runs Bandit and pip-audit locally.

Changes

Security and dependency scanning workflows

Layer / File(s)	Summary
CodeQL workflow setup .github/workflows/codeql.yml	Runs CodeQL on pushes to main, PRs targeting main/dev (markdown/docs excluded), and weekly; uses a SHA-pinned reusable template with concurrency cancellation and enables Python analysis.
Dependency review workflow .github/workflows/dependency-review.yml	Runs on PRs targeting main/dev; invokes a SHA-pinned reusable dependency-review template in advisory mode and fails on moderate severity findings.
Scorecard workflow .github/workflows/scorecard.yml	Runs OpenSSF Scorecard on push to main and weekly via a SHA-pinned reusable template; configures job-level permissions including security-events: write.
Local security scanning jobs .github/workflows/security-scan.yml	Defines bandit job (recursive Bandit scan with excludes and B101 skipped, advisory) and pip-audit job (installs project editable then runs pip-audit, advisory/continue-on-error).
Workflow status badges README.md	Added GitHub Actions status shields for CodeQL and Security Scan workflows.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related issues

• #557: Implements the requested CI/security gates and scanning workflows described in that issue.

Poem

🐰 Four watches stitched in lines of YAML,

I hop through workflows, cheerful and calm.
CodeQL hums, Bandit peers in the night,
Dependencies checked, badges shining bright,
Hooray — the repo sleeps safer tonight.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: adding multiple security CI gates (CodeQL, Scorecard, dependency-review, and Bandit/pip-audit) to the repository.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch ci/557-security-gates

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-advanced-security]

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

• The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
• Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
• You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/dependency-review.yml:
- Around line 22-24: The workflow currently uses advisory: true and
fail-on-severity: moderate but advisory:true does not cause PRs to be blocked;
either enable the repository Dependency Graph/security-advisories feature before
making this workflow a required branch-protection check, or do not add this
workflow to the required-check set yet; in short, ensure Dependency Graph is
enabled (so advisory + fail-on-severity: moderate can actually fail PRs) or keep
this workflow out of required checks until that prerequisite is met.

In @.github/workflows/security-scan.yml:
- Around line 22-23: The checkout steps leave the GITHUB_TOKEN in git config
which can be exfiltrated by repository-controlled install hooks (e.g., the
subsequent pip install -e .), so update both actions/checkout steps to disable
credential persistence by adding the input persist-credentials: false to each
checkout invocation (i.e., the steps using actions/checkout in this workflow) so
the token is not written to local git config before running repo-provided
build/install code.
- Around line 33-46: The pip-audit job is currently non-blocking because
continue-on-error: true; remove that setting or set continue-on-error: false for
the job named "pip-audit" so the workflow fails (and blocks merges) when
pip-audit detects vulnerabilities — update the pip-audit job definition (the job
with name "pip-audit" and the continue-on-error field) accordingly.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 3cb22a9d-c3b3-4a87-a8c5-6a4a270aea0e

📥 Commits

Reviewing files that changed from the base of the PR and between b214e4e and 8b9fcf3.

📒 Files selected for processing (5)

• .github/workflows/codeql.yml
• .github/workflows/dependency-review.yml
• .github/workflows/scorecard.yml
• .github/workflows/security-scan.yml
• README.md

[coderabbitai]

⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

pip-audit findings won't block merges.

continue-on-error: true makes this job informational only, so a PR can still merge cleanly with known vulnerable runtime dependencies. That conflicts with the documented requirement for pip-audit to be part of the blocking security scan.

🧰 Tools

🪛 zizmor (1.25.2)

[warning] 38-38: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/security-scan.yml around lines 33 - 46, The pip-audit job
is currently non-blocking because continue-on-error: true; remove that setting
or set continue-on-error: false for the job named "pip-audit" so the workflow
fails (and blocks merges) when pip-audit detects vulnerabilities — update the
pip-audit job definition (the job with name "pip-audit" and the
continue-on-error field) accordingly.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/security-scan.yml:
- Around line 40-42: Replace the shell fallback "|| true" on the Bandit
invocation with Bandit's built-in exit-zero flag so tool failures still surface;
update the run command that currently calls `bandit -r . --exclude
'./tests,./dashboard,./docs,./mocks,./.claude' --skip B101 --severity-level
medium --confidence-level medium || true` to instead use `--exit-zero`
(preserving all existing flags and excludes) in the Bandit invocation so
findings return exit code 0 while actual execution errors still fail the step.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 414fd5a8-6bd9-405e-b5ca-8bee9b2ddf77

📥 Commits

Reviewing files that changed from the base of the PR and between 8b9fcf3 and 09f2aea.

📒 Files selected for processing (1)

• .github/workflows/security-scan.yml

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

Does Bandit's --exit-zerooption return success for findings while still allowing genuine execution errors to fail, and is it preferred over shell|| true in CI?

💡 Result:

Bandit's --exit-zero option is designed to make the tool exit with a status code of 0 even when security findings are detected [1][2]. It does not suppress genuine execution errors, such as configuration issues or file access problems; these will still result in a non-zero exit status [3][4]. Regarding its preference over shell idioms like || true in CI environments: 1. Consistency and Alignment: Using --exit-zero is generally considered the more idiomatic approach because it aligns Bandit with other common Python ecosystem tools (such as flake8 and Pylint) that provide the same flag [4]. This makes your configuration more portable and readable across different environments (local vs. CI) without relying on shell-specific behavior [4]. 2. Integration: The option was specifically implemented to facilitate CI integration where security reports need to be generated (e.g., for consumption by platforms like SonarQube) without blocking the entire pipeline [3][5]. While both methods achieve the same goal of preventing a pipeline failure due to security findings, --exit-zero is preferred as it is a built-in feature of the tool, whereas || true is an external shell bypass that may mask legitimate tool failures or behave inconsistently depending on the shell environment [4]. However, note that if the purpose of the CI job is to enforce security standards, you should generally avoid using --exit-zero and instead allow the pipeline to fail upon the discovery of vulnerabilities [5].

Citations:

• 1: https://bandit.readthedocs.io/en/latest/man/bandit.html?highlight=context+lines
• 2: https://bandit.readthedocs.io/en/latest/man/bandit.html
• 3: --exit-zero option PyCQA/bandit#510
• 4: --exit-zero option PyCQA/bandit#419
• 5: https://blog.devops.dev/step-by-step-guide-to-devsecops-ci-cd-pipeline-with-jenkins-part-9-python-security-scanning-d7bacb79770c

---

Replace shell || true with bandit --exit-zero

Bandit’s --exit-zero exits with status 0 when security findings are detected, but it does not hide genuine execution/tooling failures (e.g., misconfiguration or file access issues). Using shell || true masks both and weakens CI signal.

Suggested change

-        # `|| true` keeps this advisory (green-with-findings in the log) until
-        # `#562` clears the B608 backlog; drop it to make Bandit blocking.
-        run: bandit -r . --exclude './tests,./dashboard,./docs,./mocks,./.claude' --skip B101 --severity-level medium --confidence-level medium || true
+        # `--exit-zero` keeps this advisory (findings don't fail the step) while
+        # still surfacing genuine execution/tooling failures.
+        run: bandit -r . --exclude './tests,./dashboard,./docs,./mocks,./.claude' --skip B101 --severity-level medium --confidence-level medium --exit-zero

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	# `|| true` keeps this advisory (green-with-findings in the log) until
	# #562 clears the B608 backlog; drop it to make Bandit blocking.
	run: bandit -r . --exclude './tests,./dashboard,./docs,./mocks,./.claude' --skip B101 --severity-level medium --confidence-level medium || true
	# `--exit-zero` keeps this advisory (findings don't fail the step) while
	# still surfacing genuine execution/tooling failures.
	run: bandit -r . --exclude './tests,./dashboard,./docs,./mocks,./.claude' --skip B101 --severity-level medium --confidence-level medium --exit-zero

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/security-scan.yml around lines 40 - 42, Replace the shell
fallback "|| true" on the Bandit invocation with Bandit's built-in exit-zero
flag so tool failures still surface; update the run command that currently calls
`bandit -r . --exclude './tests,./dashboard,./docs,./mocks,./.claude' --skip
B101 --severity-level medium --confidence-level medium || true` to instead use
`--exit-zero` (preserving all existing flags and excludes) in the Bandit
invocation so findings return exit code 0 while actual execution errors still
fail the step.