chore: add security scans

Author: GabrielVasilescu04

.github/workflows/ci.yml

@@ -13,10 +13,21 @@ on:
     branches:
       - main
 
+  workflow_dispatch:
+    inputs:
+      run_security_scans:
+        description: 'Run FOSSA and CODEQL scans'
+        required: false
+        default: 'false'
+
 jobs:
   commit-lint:
     if: ${{ github.event_name == 'pull_request' }}
     uses: ./.github/workflows/commitlint.yml
 
   lint:
     uses: ./.github/workflows/lint.yml
+
+  security-scans:
+    if:  github.event_name == 'push' || (github.event_name == 'workflow_dispatch' && inputs.run_security_scans =='true')
+    uses: ./.github/workflows/security-scans.yml

.github/workflows/security-scans.yml

@@ -0,0 +1,56 @@
+name: Security Stages
+
+on:
+  workflow_call:
+
+jobs:
+  codeql:
+    name: CodeQL Analysis
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      contents: read
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: python
+
+      - name: Setup uv
+        uses: astral-sh/setup-uv@v5
+
+      - name: Setup Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.10'
+
+      - name: Install dependencies
+        run: uv sync --all-extras
+
+      - name: Run CodeQL Analysis
+        uses: github/codeql-action/analyze@v3
+  
+
+  fossa:
+    name: FOSSA Scan
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Run FOSSA scan
+        uses: fossas/fossa-action@main
+        with:
+          api-key: ${{ secrets.FOSSA_API_KEY }}
+          debug: true
+
+      - name: Upload FOSSA artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: fossa.debug.json.gz
+          path: ./fossa.debug.json.gz
+