chore: enhance security configurations

[jakec-dev]

Security Enhancements Implementation

Completed: 2025-01-06

What was implemented:

This PR implements comprehensive security improvements based on OpenSSF Scorecard recommendations to enhance
the project's security posture.

Security Policies & Documentation

• SECURITY.md: Created security policy with vulnerability reporting procedures via GitHub's security
  advisory feature
• CODEOWNERS: Established code ownership for automatic review assignments
• Updated CONTRIBUTING.md: Streamlined developer setup with consolidated make install command

GitHub Actions Security

• Pinned all actions to commit SHAs: Prevents supply chain attacks and ensures reproducible builds
• Added CodeQL workflow: Semantic code analysis for security vulnerabilities
• Configured proper permissions: Set permissions: read-all at workflow top level
• Fixed gitleaks pre-commit: Updated to use correct v8 syntax (gitleaks git --staged)

Developer Tooling

• Unified installation: make install now installs all security tools:
  • gitleaks (secret scanning)
  • govulncheck (vulnerability scanning)
  • go-licenses (license compliance)
  • Plus existing tools (golangci-lint, staticcheck, lefthook)
• Added license checking: New make licenses target for dependency license compliance
• Enhanced audit target: Added dependency pinning verification

Build & Release Security

• GoReleaser enhancements:
  • Added SHA256 checksums
  • Enabled SBOM (Software Bill of Materials) generation
  • Configured for supply chain transparency

Expected Scorecard Improvements:

• Security-Policy: 0 → 10 ✅
• Pinned-Dependencies: 4 → 8+ ✅
• SAST: Improved with CodeQL ✅
• Token-Permissions: Fixed warnings ✅
• Binary-Artifacts: Enhanced with SBOM ✅

Files created/modified:

• Created: SECURITY.md, CODEOWNERS, .github/workflows/codeql.yml
• Modified: All GitHub workflows (dependency pinning), Makefile, CONTRIBUTING.md, .lefthook.yml,
  .goreleaser.yml

Next steps (requires GitHub UI):

• Configure Repository Rulesets for branch protection
• Enable security advisories in repository settings
• Consider applying for CII Best Practices badge
• Add fuzzing tests for critical code paths

Testing:

• make install successfully installs all tools
• Pre-commit hooks work with updated gitleaks
• All GitHub Actions pass with pinned dependencies
• CodeQL analysis runs successfully

Closes #11

[github-advanced-security]

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.