Security: humzamalak/DevSecOps-CI-CD-Pipeline-with-Security-Scanning

Security & Quality Gates

This repository enforces security and code quality at every stage of the CI/CD pipeline.

Automated Security Scanning

  • Semgrep (SAST):
    Scans all Python application code for security vulnerabilities and code quality issues.

    • Fails the build on high/critical findings.
    • Results are uploaded to the GitHub Security tab (see "Code scanning alerts").
  • Checkov (IaC):
    Scans all Terraform and Kubernetes manifests for misconfigurations and policy violations.

    • Fails the build on critical findings.
    • Output is visible in the Actions workflow logs.
  • Trivy (Container):
    Scans Dockerfiles and built images for vulnerabilities and license issues.

    • Fails the build on critical vulnerabilities.

Code Quality Gates

  • flake8: No linting errors or warnings allowed.
  • black: All code must be formatted.
  • isort: All imports must be sorted.
  • pytest-cov: Minimum 80% test coverage required.
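
As an added example (not code from this repository), the scanning and quality gates listed above expressed as a small Python evaluator: it reads a Semgrep JSON report, a Trivy JSON report and the pytest-cov percentage, and reports which gates pass. The two reports are constructed samples, and treating the policy's "high/critical" Semgrep findings as Semgrep's ERROR severity is an assumption.

```python
import json

MIN_COVERAGE = 80.0  # pytest-cov threshold stated in the policy

# Constructed sample in the shape of `semgrep --json`: one ERROR (blocking)
# and one WARNING (non-blocking) finding. Rule ids and paths are made up.
SEMGREP_REPORT = json.dumps({"results": [
    {"check_id": "python.lang.security.audit.exec-detected", "path": "app/run.py",
     "extra": {"severity": "ERROR", "message": "Detected exec()"}},
    {"check_id": "python.lang.best-practice.open-never-closed", "path": "app/io.py",
     "extra": {"severity": "WARNING", "message": "file handle never closed"}},
], "errors": []})

# Constructed sample in the shape of `trivy image --format json`: one CRITICAL
# and one HIGH package vulnerability. The CVE ids are placeholders, not real CVEs.
TRIVY_REPORT = json.dumps({"Results": [
    {"Target": "app:latest (debian 12)", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample", "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libother", "Severity": "HIGH"},
    ]},
]})

def semgrep_blocking(report_json: str) -> list[str]:
    """Ids of Semgrep findings at ERROR severity, assumed to be the policy's blocking level."""
    report = json.loads(report_json)
    return [r["check_id"] for r in report.get("results", [])
            if r["extra"]["severity"] == "ERROR"]

def trivy_blocking(report_json: str, block_on=("CRITICAL",)) -> list[str]:
    """Ids of Trivy vulnerabilities whose severity is in block_on (CRITICAL per policy)."""
    report = json.loads(report_json)
    return [v["VulnerabilityID"]
            for res in report.get("Results", [])
            for v in res.get("Vulnerabilities") or []  # key is absent or null when clean
            if v.get("Severity") in block_on]

def evaluate_gates(semgrep_json: str, trivy_json: str, coverage_pct: float) -> dict[str, bool]:
    """Map each gate to True (pass) or False (fail) using the policy's thresholds."""
    return {
        "semgrep": not semgrep_blocking(semgrep_json),
        "trivy": not trivy_blocking(trivy_json),
        "coverage": coverage_pct >= MIN_COVERAGE,
    }

if __name__ == "__main__":
    gates = evaluate_gates(SEMGREP_REPORT, TRIVY_REPORT, coverage_pct=83.5)
    for name, ok in gates.items():
        print(f"{name:9s} {'PASS' if ok else 'FAIL'}")
    raise SystemExit(0 if all(gates.values()) else 1)
```

Exiting non-zero when any gate fails is what lets a CI step using this logic block the merge, in the same way the scanners' own exit codes do.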

How to Fix Issues

  • Review the "Actions" tab for failed jobs and logs.
  • For code scanning alerts, visit the "Security" tab.
  • Fix issues locally, re-run checks, and push updates.
