
#1 Add automated security verification and data collection

open
nobody
None
2026-05-13
2026-05-13
Anonymous
No

Originally created by: Copilot

Bootstraps security verification and data collection for the repository across three layers: static analysis via CI, a runnable scan script, and a security policy.

Changes

  • .github/workflows/codeql.yml — CodeQL workflow triggered on push, PR, and weekly schedule; scans Python with results surfaced in the Security tab.

  • security_scan.py — CLI script that collects and reports security findings:

    • Credential patterns: AWS keys, GitHub tokens, private key headers, passwords, API keys (regexes use a backreference so a quoted value only matches when it closes with the same quote it opened with)
    • File permission anomalies: world-writable files, unexpected executable bits
    • Dependency risks: blocked/malicious packages in requirements*.txt
    • Structured stdout report plus an optional --output FILE JSON dump; exits 2 when any HIGH or CRITICAL finding is present

```
$ python security_scan.py .
============================================================
Security Scan Report
Generated : 2026-05-13T17:54:30Z
Root : /repo
============================================================
Total findings : 1
HIGH : 1


[HIGH] AWS Access Key — config.py:12
============================================================
```

  • SECURITY.md — Vulnerability reporting policy pointing to GitHub Security Advisories; documents the automated tooling in use.

  • tests/test_security_scan.py — 22 unit tests covering all three collectors, the report builder, and the CLI entry point.

  • conftest.py — pytest root path config (removes fragile sys.path hacks from test files).
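To make the three collectors and the exit-code contract concrete, here is an added, self-contained sketch of how such a scanner can be structured. It is example code written for this page, not the PR's security_scan.py; the regexes, the severity levels, the blocklist entry `evil-helper-lib` and the `EXPECTED_EXEC_SUFFIXES` set are all illustrative assumptions. The point worth noticing is the `\1` backreference in the quoted-value rules: the opening quote is captured, and the value must close with that same character, so a mismatched quote pair does not produce a false positive.

```python
"""Illustrative scanner in the shape described above (added example, not the PR's code)."""
import json
import re
import stat
import sys
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from pathlib import Path

SEVERITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "CRITICAL": 3}

# Credential rules: (pattern, severity). The password/API-key rules capture the
# opening quote and require the SAME quote to close via the backreference \1.
CREDENTIAL_RULES = {
    "AWS Access Key": (re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "HIGH"),
    "GitHub Token": (re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"), "HIGH"),
    "Private Key Header": (re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"), "CRITICAL"),
    "Hardcoded Password": (re.compile(r"(?i)\bpassword\s*[:=]\s*(['\"])[^'\"\s]{4,}\1"), "MEDIUM"),
    "API Key": (re.compile(r"(?i)\bapi[_-]?key\s*[:=]\s*(['\"])[A-Za-z0-9_\-]{16,}\1"), "MEDIUM"),
}
BLOCKED_PACKAGES = {"evil-helper-lib"}  # hypothetical entry; a real scanner loads a curated list
SKIP_DIRS = {".git", "node_modules", "__pycache__", ".venv"}
EXPECTED_EXEC_SUFFIXES = {".sh", ".py"}  # assumed policy: only these may carry the x bit
_NAME_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")  # package name before any specifier


@dataclass
class Finding:
    severity: str
    rule: str
    path: str
    line: int = 0


def _files(root):
    """Yield regular files under root, skipping VCS/build directories."""
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and not any(part in SKIP_DIRS for part in p.parts):
            yield p


def scan_credentials(root):
    findings = []
    for p in _files(root):
        text = p.read_text(encoding="utf-8", errors="ignore")
        for lineno, line in enumerate(text.splitlines(), 1):
            for rule, (pattern, sev) in CREDENTIAL_RULES.items():
                if pattern.search(line):
                    findings.append(Finding(sev, rule, str(p.relative_to(root)), lineno))
    return findings


def scan_permissions(root):
    findings = []
    for p in _files(root):
        mode, rel = p.stat().st_mode, str(p.relative_to(root))
        if mode & stat.S_IWOTH:
            findings.append(Finding("HIGH", "World-writable file", rel))
        if mode & stat.S_IXUSR and p.suffix not in EXPECTED_EXEC_SUFFIXES:
            with p.open("rb") as fh:  # a shebang explains the bit; anything else is unexpected
                if fh.read(2) != b"#!":
                    findings.append(Finding("LOW", "Unexpected executable bit", rel))
    return findings


def scan_dependencies(root):
    findings = []
    for p in _files(root):
        if not (p.name.startswith("requirements") and p.suffix == ".txt"):
            continue
        for lineno, line in enumerate(p.read_text(encoding="utf-8", errors="ignore").splitlines(), 1):
            line = line.split("#", 1)[0].strip()
            if not line or line.startswith("-"):  # blank lines and pip options (-r, --index-url)
                continue
            m = _NAME_RE.match(line)
            if m:
                name = m.group(1).lower().replace("_", "-").replace(".", "-")  # PEP 503 style normalisation
                if name in BLOCKED_PACKAGES:
                    findings.append(Finding("CRITICAL", f"Blocked package: {name}", str(p.relative_to(root)), lineno))
    return findings


def scan(root):
    root = Path(root)
    return scan_credentials(root) + scan_permissions(root) + scan_dependencies(root)


def build_report(root, findings):
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    ordered = sorted(findings, key=lambda f: (-SEVERITY_RANK[f.severity], f.path, f.line))
    return {"generated": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
            "root": str(Path(root).resolve()), "total": len(findings),
            "counts": counts, "findings": [asdict(f) for f in ordered]}


def exit_code(findings):
    """2 when anything HIGH or CRITICAL was found, so CI can fail the job; else 0."""
    return 2 if any(SEVERITY_RANK[f.severity] >= SEVERITY_RANK["HIGH"] for f in findings) else 0


def main(argv=None):
    argv = sys.argv[1:] if argv is None else list(argv)
    out, positional, it = None, [], iter(argv)
    for a in it:
        if a == "--output":
            out = next(it, None)
        else:
            positional.append(a)
    root = positional[0] if positional else "."
    findings = scan(root)
    report = build_report(root, findings)
    print("=" * 60, "Security Scan Report", f"Generated : {report['generated']}", f"Root : {report['root']}", "=" * 60, sep="\n")
    print(f"Total findings : {report['total']}")
    for sev, n in sorted(report["counts"].items(), key=lambda kv: -SEVERITY_RANK[kv[0]]):
        print(f"{sev} : {n}")
    for f in report["findings"]:
        print(f"[{f['severity']}] {f['rule']} - {f['path']}:{f['line']}")
    if out:
        Path(out).write_text(json.dumps(report, indent=2))
    return exit_code(findings)


if __name__ == "__main__":
    sys.exit(main())
```

Run it as `python scanner.py <repo> --output report.json`; a non-zero exit only for HIGH/CRITICAL keeps LOW/MEDIUM noise from blocking a pipeline while still recording it in the JSON artifact.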

Original prompt:

> where we verify and collect data on security
