feat: initial public scaffold (CLI, tests, CI, CodeQL)

Author: CoderDeltaLAN

.github/workflows/build.yml

@@ -0,0 +1,84 @@
+name: CI / build
+
+on:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    branches: [ "main" ]
+  workflow_dispatch:
+
+concurrency:
+  group: "ci-${{ github.ref }}"
+  cancel-in-progress: false
+
+jobs:
+  python:
+    name: python (${{ matrix.python-version }})
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    strategy:
+      fail-fast: false
+      matrix:
+        python-version: [ "3.11", "3.12" ]
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ matrix.python-version }}
+
+      - name: Install Poetry
+        run: |
+          python -m pip install --upgrade pip
+          pip install poetry
+
+      - name: Cache Poetry
+        uses: actions/cache@v4
+        with:
+          path: ~/.cache/pypoetry
+          key: poetry-${{ runner.os }}-${{ matrix.python-version }}-${{ hashFiles('**/poetry.lock') }}
+          restore-keys: |
+            poetry-${{ runner.os }}-${{ matrix.python-version }}-
+
+      - name: Install deps
+        run: |
+          poetry install --no-interaction
+
+      - name: Lint (ruff)
+        run: |
+          mkdir -p _ci_logs
+          poetry run ruff check . --output-format=github 2>&1 | tee -a _ci_logs/ruff.log
+
+      - name: Format (black --check)
+        run: |
+          poetry run black --check . 2>&1 | tee -a _ci_logs/black.log
+
+      - name: Tests (pytest 100%)
+        env:
+          PYTHONPATH: src
+        run: |
+          poetry run pytest -q 2>&1 | tee -a _ci_logs/pytest.log
+
+      - name: Type check (mypy src)
+        run: |
+          poetry run mypy src 2>&1 | tee -a _ci_logs/mypy.log
+
+      - name: Upload logs
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: logs-${{ matrix.python-version }}
+          path: _ci_logs
+
+      - name: Job summary
+        if: always()
+        run: |
+          echo "### CI logs for Python ${{ matrix.python-version }}" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "- ruff: See artifact logs-${{ matrix.python-version }}" >> $GITHUB_STEP_SUMMARY
+          echo "- black: See artifact logs-${{ matrix.python-version }}" >> $GITHUB_STEP_SUMMARY
+          echo "- pytest: See artifact logs-${{ matrix.python-version }}" >> $GITHUB_STEP_SUMMARY
+          echo "- mypy: See artifact logs-${{ matrix.python-version }}" >> $GITHUB_STEP_SUMMARY

.github/workflows/codeql.yml

@@ -0,0 +1,37 @@
+name: CodeQL Analysis
+
+on:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    branches: [ "main" ]
+  schedule:
+    - cron: '43 3 * * 5'
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  security-events: write
+
+concurrency:
+  group: "codeql-${{ github.ref }}"
+  cancel-in-progress: false
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: python
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v3
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: "/language:python"

.gitignore

@@ -0,0 +1,12 @@
+__pycache__/
+*.pyc
+.venv/
+.dist/
+build/
+dist/
+.coverage
+.pytest_cache/
+.mypy_cache/
+.cache/
+*.egg-info/
+coverage.xml

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 CoderDeltaLAN
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

PREFLIGHT_LOCAL.txt

@@ -0,0 +1,24 @@
+# Ejecutar desde el repo:
+cd /home/user/Proyectos/osv-vuln-bot
+
+# Limpieza
+rm -rf .venv dist build .mypy_cache .pytest_cache _ci_logs
+
+# Instalar
+poetry install --no-interaction
+
+# Gates Always-Green
+poetry run ruff check . --fix
+poetry run ruff check .
+poetry run black .
+poetry run black --check .
+
+# Tests 100%
+PYTHONPATH=src poetry run pytest -q
+
+# Type-check
+poetry run mypy src
+
+# Smoke CLI
+poetry run osv-vuln-bot --help
+poetry run osv-vuln-bot scan --deps examples/deps.sample.json --fail-on critical

README.md

@@ -0,0 +1,25 @@
+# osv-vuln-bot
+
+Automated OSV vulnerability scanner CLI. Scans a dependency manifest and reports findings.
+Roadmap: open dependency bump PRs prioritized by severity.
+
+## Quick start
+```bash
+poetry install --no-interaction
+poetry run osv-vuln-bot scan --deps examples/deps.sample.json --out /tmp/osv-report.json --fail-on high
+```
+
+## Manifest format
+`deps.json` is an array of objects:
+```json
+[
+  {"ecosystem":"PyPI","name":"requests","version":"2.32.0"},
+  {"ecosystem":"npm","name":"lodash","version":"4.17.21"}
+]
+```
+
+## CI
+- Workflow: **CI / build** (Python 3.11/3.12; uploads logs artifacts).
+- Code scanning: **CodeQL Analysis**.
+
+License: MIT.

_ci_logs/black_check.log

@@ -0,0 +1,2 @@
+All done! ✨ 🍰 ✨
+9 files would be left unchanged.

_ci_logs/black_format.log

@@ -0,0 +1,2 @@
+All done! ✨ 🍰 ✨
+9 files left unchanged.

_ci_logs/install.log

@@ -0,0 +1,31 @@
+Creating virtualenv osv-vuln-bot in /home/user/Proyectos/osv-vuln-bot/.venv
+Installing dependencies from lock file
+
+Package operations: 24 installs, 0 updates, 0 removals
+
+  - Installing certifi (2025.8.3)
+  - Installing h11 (0.16.0)
+  - Installing idna (3.10)
+  - Installing packaging (25.0)
+  - Installing pluggy (1.6.0)
+  - Installing iniconfig (2.1.0)
+  - Installing pygments (2.19.2)
+  - Installing sniffio (1.3.1)
+  - Installing typing-extensions (4.15.0)
+  - Installing anyio (4.10.0)
+  - Installing click (8.2.1)
+  - Installing coverage (7.10.6)
+  - Installing httpcore (1.0.9)
+  - Installing mypy-extensions (1.1.0)
+  - Installing pathspec (0.12.1)
+  - Installing platformdirs (4.4.0)
+  - Installing pytest (8.4.2)
+  - Installing urllib3 (2.5.0)
+  - Installing black (24.10.0)
+  - Installing httpx (0.27.2)
+  - Installing mypy (1.18.1)
+  - Installing pytest-cov (5.0.0)
+  - Installing types-requests (2.32.4.20250809)
+  - Installing ruff (0.5.7)
+
+Installing the current project: osv-vuln-bot (0.1.0)

_ci_logs/mypy.log

@@ -0,0 +1 @@
+Success: no issues found in 3 source files