From 22e49702a8eecd5934e4fefc89bcbe947742491d Mon Sep 17 00:00:00 2001
From: Clay Sheaff
Date: Sat, 14 Feb 2026 12:32:10 -0800
Subject: [PATCH] Add CodeQL and gitleaks to security workflow

- CodeQL: static analysis of Python code (injection, path traversal, etc.)
- gitleaks: scans full git history for accidentally committed secrets
- pip-audit: existing dependency CVE scanning

All run on PRs and weekly schedule.

Co-Authored-By: Claude Opus 4.6
---
 .github/workflows/security.yml | 32 +++++++++++++++++++++++++++++++-
 1 file changed, 31 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index ba565eb..f698cee 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -6,8 +6,38 @@ on:
 pull_request:
 branches: [main]
 
+permissions:
+ security-events: write
+
 jobs:
- audit:
+ codeql:
+ name: CodeQL analysis
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v3
+ with:
+ languages: python
+
+ - name: Run CodeQL analysis
+ uses: github/codeql-action/analyze@v3
+
+ gitleaks:
+ name: Secret scanning
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ - name: Scan for secrets
+ uses: gitleaks/gitleaks-action@v2
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ dependency-audit:
 name: Dependency audit
 runs-on: ubuntu-latest
 steps:
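Review bot: The new top-level `permissions:` block grants only `security-events: write`, and once any scope is listed GitHub sets every unlisted scope to none for all jobs in the workflow, so `actions/checkout@v4` in the added codeql and gitleaks jobs (and in the existing dependency-audit job, whose steps run past the end of the hunk) no longer has `contents: read`, the scope checkout relies on; CodeQL's reference workflow lists `contents: read` next to `security-events: write` (plus `actions: read` for private repositories). The same block also hands SARIF-upload rights to gitleaks and dependency-audit, which never upload, so the least-privilege shape is to drop the workflow-level block and declare `permissions:` per job as shown below. Separately, gitleaks-action v2 reads a `GITLEAKS_LICENSE` secret for organization-owned repositories; if that applies here, the "Scan for secrets" step's `env:` also needs `GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}` or the scan exits before running. Both new third-party actions are pinned by mutable tag (`@v3`, `@v2`); pinning them to a full commit SHA with the tag in a trailing comment would make the workflow's own supply chain reproducible.
```yaml
jobs:
  codeql:
    name: CodeQL analysis
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
    # … unchanged: checkout, CodeQL init and analyze steps …

  gitleaks:
    name: Secret scanning
    runs-on: ubuntu-latest
    permissions:
      contents: read
    # … unchanged: full-history checkout and gitleaks step …

  dependency-audit:
    name: Dependency audit
    runs-on: ubuntu-latest
    permissions:
      contents: read
    # … unchanged: existing pip-audit steps …
```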