
fix: address OpenSSF Scorecard findings#20

Merged
don-petry merged 6 commits into main from scorecard-fixes on Mar 28, 2026

Conversation

@don-petry don-petry commented Mar 27, 2026

Summary

Closes #15, #16, #17, #18, #19

Test plan

  • Verify CI passes on this PR
  • Verify CodeQL runs
  • Verify no workflow permission errors

🤖 Generated with Claude Code

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Summary by CodeRabbit

  • Documentation

    • Added a security policy with supported versions, private vulnerability reporting, and response timeframes.
  • Chores

    • Strengthened CI/CD security by applying default-deny workflow permissions and restoring job-level permissions where required.
    • Added an automated code analysis workflow (scheduled and on PRs).
    • Pinned automation steps to fixed revisions for more reliable runs.

- Add SECURITY.md (#15)
- Scope workflow token permissions to least privilege (#16)
- Pin action dependencies to SHAs (#17)
- Add CodeQL SAST workflow for all commits (#18)
- Ensure CI runs on all PRs (#19)

Closes #15, #16, #17, #18, #19

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings March 27, 2026 20:45
coderabbitai Bot commented Mar 27, 2026

Walkthrough

Workflow-level permissions were set to a default-deny (permissions: {}) across multiple GitHub Actions files, job-level permissions were restored where needed, the Claude Code action input was renamed to claude_code_oauth_token, a new CodeQL workflow was added, and a SECURITY.md file was introduced documenting the security reporting policy.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Claude workflow: .github/workflows/claude.yml | Added top-level permissions: {} and renamed the Claude Code action input from anthropic_api_key to claude_code_oauth_token (now uses ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}). |
| Dependabot automerge workflow: .github/workflows/dependabot-automerge.yml | Replaced workflow-level permissions with permissions: {} and added job-level permissions for dependabot; updated some action refs to pinned commit SHAs. |
| SonarCloud workflow: .github/workflows/sonarcloud.yml | Replaced workflow-level permissions with permissions: {} and added job-level permissions for the sonarcloud job (restoring prior read scopes). |
| CodeQL workflow (new): .github/workflows/codeql.yml | Added new CodeQL workflow triggered on pushes, PRs to main, and a weekly cron; uses matrix for language: ['actions'], checks out repo, runs codeql-action/init and codeql-action/analyze, and sets explicit job permissions for security events and repo contents. |
| Security policy (new): SECURITY.md | Added project security policy with supported versions, reporting channels (email and private GitHub reporting), acknowledgement and remediation timelines, and coordinated disclosure guidance. |

Sequence Diagram(s)

```mermaid
sequenceDiagram
    participant Runner as GitHub Actions Runner
    participant Checkout as actions/checkout
    participant Init as github/codeql-action/init
    participant Analyze as github/codeql-action/analyze
    participant GitHub as GitHub API

    Runner->>Checkout: checkout repository
    Runner->>Init: initialize CodeQL DB (matrix language)
    Init->>GitHub: fetch analysis configuration
    Runner->>Analyze: run CodeQL analysis (category: /language:actions)
    Analyze->>GitHub: upload security events/results
    GitHub-->>Runner: job status / annotations
```

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

  • Add Claude Code GitHub Action #12: Edits the same .github/workflows/claude.yml, changing workflow/job permissions and renaming the Claude Code action input from anthropic_api_key to claude_code_oauth_token.
🚥 Pre-merge checks: ✅ 4 passed, ❌ 1 failed

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Out of Scope Changes check | ⚠️ Warning | The PR includes scope creep beyond the linked issue #15: workflow permission scoping, GitHub Action SHA pinning, and CodeQL workflow setup address other scorecard issues but are not in the provided linked issues. | Verify whether issues #16, #17, #18, and #19 were intentionally excluded from linked issues or should be added to the assessment criteria for this PR. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly summarizes the main objective of the PR: addressing OpenSSF Scorecard findings through security and workflow improvements. |
| Linked Issues check | ✅ Passed | The PR implements the primary requirement from issue #15: adding SECURITY.md to address the OpenSSF Scorecard Security-Policy check. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

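The walkthrough above describes the shape this PR gives the workflows: a default-deny permissions: {} at the top, scopes restored per job, and action references pinned to commit SHAs. The linter below is an added example, not code from this repository or from any of the bots on this page; it checks one workflow file for exactly those two Scorecard conditions (Token-Permissions and Pinned-Dependencies) and is stdlib-only so it runs offline. The two embedded workflows are constructed for the example: the 40-character refs are placeholder SHAs rather than real commits of actions/checkout or github/codeql-action, and the weekly cron expression is an assumption, since the page does not give the real one.

```python
"""Lint GitHub Actions workflows for two OpenSSF Scorecard findings this PR
addresses: Token-Permissions (default-deny `permissions: {}` at workflow level,
scopes per job) and Pinned-Dependencies (every `uses:` pinned to a commit SHA).
Stdlib only: scans the YAML line by line, relying on GitHub's flat workflow
layout (top-level keys at column 0, job names at two spaces, job keys at four).
"""
import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*(?:-\s+)?uses:\s*(\S+)")
PERMS_RE = re.compile(r"^\s*permissions:\s*(\S*)")
JOB_RE = re.compile(r"^  ([A-Za-z0-9_-]+):$")

def lint_workflow(text: str) -> list[str]:
    """Return human-readable findings for one workflow file (empty list = clean)."""
    findings: list[str] = []
    top_perms = None                # None: key absent; "": a block mapping follows
    in_jobs, job = False, None
    job_has_perms: dict[str, bool] = {}

    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()            # drop trailing comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        if indent == 0:                                 # a new top-level key
            in_jobs, job = line.startswith("jobs:"), None
        m = JOB_RE.match(line)
        if in_jobs and m:
            job = m.group(1)
            job_has_perms[job] = False
        m = PERMS_RE.match(line)
        if m and indent == 0:
            top_perms = m.group(1)
        elif m and job is not None and indent == 4:
            job_has_perms[job] = True
        m = USES_RE.match(line)
        if m and not m.group(1).startswith(("./", "docker://")):  # local actions: no SHA
            action, _, version = m.group(1).partition("@")
            if not SHA_RE.match(version):
                findings.append(f"line {lineno}: {action} is pinned to "
                                f"'{version or '(no ref)'}', not a 40-hex commit SHA")

    if top_perms is None:
        findings.append("no workflow-level permissions: GITHUB_TOKEN falls back to "
                        "the repository default, which may be read-write")
    elif top_perms == "read-all":
        findings.append("workflow-level permissions: read-all hands every read scope to "
                        "every job; permissions: {} plus per-job grants is stricter")
    elif top_perms == "{}":
        for name, has_perms in job_has_perms.items():
            if not has_perms:
                findings.append(f"job '{name}' declares no permissions: under default-deny "
                                "its GITHUB_TOKEN has no scopes (fine only if it needs none)")
    return findings


# Constructed "before" workflow: read-all at the top, actions pinned to tags.
BEFORE = """\
name: CodeQL
on: [push, pull_request]
permissions: read-all
jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
      - uses: github/codeql-action/analyze@v3
"""

# Constructed "after" workflow in the shape the walkthrough gives codeql.yml: default-deny
# at the top, scopes only on the job, SHA-pinned steps (placeholder SHAs, not real commits).
AFTER = """\
name: CodeQL
on:
  push: {branches: [main]}
  pull_request: {branches: [main]}
  schedule: [{cron: "0 3 * * 1"}]
permissions: {}
jobs:
  analyze:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
    strategy:
      matrix:
        language: ['actions']
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000  # placeholder
      - uses: github/codeql-action/init@1111111111111111111111111111111111111111  # placeholder
        with:
          languages: ${{ matrix.language }}
      - uses: github/codeql-action/analyze@1111111111111111111111111111111111111111  # placeholder
"""

if __name__ == "__main__":
    for label, workflow in (("before", BEFORE), ("after", AFTER)):
        print(label, lint_workflow(workflow) or ["clean"])
```

Run with python3 and it prints the findings for each sample: the before workflow trips the tag-pinning checks on all three steps plus the read-all warning, the after workflow is clean. A job with no permissions block under a top-level permissions: {} is reported rather than failed, because a job that never touches the GitHub API legitimately needs no scopes, whereas the CodeQL job must keep security-events: write to upload its results, which is exactly why the PR restores permissions at job level after denying them at workflow level.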


Copilot AI left a comment


Pull request overview

This PR aims to remediate several OpenSSF Scorecard findings by adding a security policy, tightening GitHub Actions permissions, pinning GitHub Actions to commit SHAs, and introducing CodeQL scanning.

Changes:

  • Add SECURITY.md to document vulnerability reporting and disclosure expectations.
  • Add a new CodeQL workflow and pin multiple GitHub Actions dependencies to commit SHAs.
  • Adjust workflow token permissions (but several workflows currently set permissions: read-all at the workflow level).

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 5 comments.

| File | Description |
|---|---|
| SECURITY.md | Adds a security policy and vulnerability reporting guidance. |
| .github/workflows/sonarcloud.yml | Sets workflow/job permissions and pins actions used for Sonar analysis. |
| .github/workflows/dependabot-automerge.yml | Scopes permissions (job-level) and pins actions for Dependabot auto-merge flow. |
| .github/workflows/codeql.yml | Adds a CodeQL workflow with pinned actions and job-level security-events permissions. |
| .github/workflows/claude.yml | Adds workflow-level permissions declaration (currently read-all) alongside job-level permissions. |


Comment thread .github/workflows/sonarcloud.yml Outdated
Comment thread .github/workflows/dependabot-automerge.yml Outdated
Comment thread .github/workflows/codeql.yml Outdated
Comment thread .github/workflows/claude.yml Outdated
Comment thread .github/workflows/codeql.yml
DJ and others added 2 commits March 27, 2026 19:28
- Replace permissions: read-all with permissions: {} (deny-by-default)
  in all workflow files (claude, codeql, dependabot-automerge, sonarcloud)
- Add concrete security contact email to SECURITY.md
- No CI test workflow needed: repo contains no source code or tests

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

The action has separate inputs for API keys vs OAuth tokens.
CLAUDE_CODE_OAUTH_TOKEN is an OAuth token, not an API key.
@don-petry don-petry enabled auto-merge (squash) March 28, 2026 13:33
@don-petry don-petry disabled auto-merge March 28, 2026 20:55

@coderabbitai coderabbitai Bot left a comment


🧹 Nitpick comments (1)
SECURITY.md (1)

15-16: Consider using a relative URL for the private vulnerability reporting link.

The hardcoded URL https://github.com/petry-projects/markets/security/advisories/new will break if the repository is forked or renamed. Consider using a relative reference or noting that users should adjust this URL for forks.

📝 Suggested change
 Instead, please send an email to **security@petry-projects.dev** or use
-[GitHub's private vulnerability reporting](https://github.com/petry-projects/markets/security/advisories/new).
+[GitHub's private vulnerability reporting](../../security/advisories/new).
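Review bot: the `+` line swaps the absolute advisory URL for `../../security/advisories/new`, and a relative path's target depends on the path of the page that renders SECURITY.md, so it cannot be guaranteed to land on this repository's private reporting form everywhere the policy is shown. For a security-reporting entry point keep the absolute URL, and if fork portability matters, say so in a sentence beside the link rather than weakening the link itself.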

Note: Relative URLs work in GitHub's rendered Markdown and will correctly resolve for forks.


📥 Commits

Reviewing files that changed from the base of the PR and between 86140f1 and 579c4a9.

📒 Files selected for processing (5)
  • .github/workflows/claude.yml
  • .github/workflows/codeql.yml
  • .github/workflows/dependabot-automerge.yml
  • .github/workflows/sonarcloud.yml
  • SECURITY.md

Address CodeRabbit nitpick — relative URL works for forks/renames.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (1)
SECURITY.md (1)

5-8: Replace latest with concrete supported version(s).

latest is ambiguous in a security policy. Consider listing explicit versions/ranges (or a clearly named support channel like main) so users know exactly what is covered.

As per coding guidelines, “Focus on Markdown best practices, clear and consistent formatting, correct link references, and accurate technical documentation. Flag broken links, inconsistent heading levels, and unclear instructions.”

📥 Commits

Reviewing files that changed from the base of the PR and between 579c4a9 and 636bc26.

📒 Files selected for processing (1)
  • SECURITY.md

Comment thread SECURITY.md
Comment on lines +15 to +16
Instead, please send an email to **security@petry-projects.dev** or use
[GitHub's private vulnerability reporting](../../security/advisories/new).

⚠️ Potential issue | 🟠 Major

Use an absolute GitHub advisories URL to avoid broken reporting flow.

../../security/advisories/new is a fragile relative path for a security-reporting entry point. Please use the full repo URL (for example, https://github.com/petry-projects/markets/security/advisories/new) so reporters always land on the correct private reporting page.

As per coding guidelines, “Focus on Markdown best practices, clear and consistent formatting, correct link references, and accurate technical documentation. Flag broken links, inconsistent heading levels, and unclear instructions.”

🧰 Tools
🪛 LanguageTool

[style] ~15-~15: Consider using “email”.
Context: ...ity vulnerabilities.** Instead, please send an email to security@petry-projects.dev or use ...

(SEND_AN_EMAIL)


@don-petry don-petry enabled auto-merge (squash) March 28, 2026 23:37

@don-petry don-petry merged commit fefe283 into main Mar 28, 2026
6 of 7 checks passed
@don-petry don-petry deleted the scorecard-fixes branch March 28, 2026 23:38
Development

Successfully merging this pull request may close these issues.

Scorecard: Security-Policy (0/10)

2 participants