feat(16-dependencies-scan): added dependency review

Author: abhi-markan

.github/CODEOWNERS

@@ -0,0 +1 @@
+* @ministryofjustice/dev-sec-ops

.github/workflows/dependency-review.yml

@@ -0,0 +1,82 @@
+# GitHub Actions workflow for automated dependency review on pull requests
+#
+# Purpose:
+#   Analyzes dependencies in pull requests targeting the main branch to identify
+#   potential security vulnerabilities, license issues, and supply chain risks
+#
+# Triggers:
+#   - Pull requests targeting the 'main' branch
+#
+# Workflow Jobs:
+#   1. setup: Configures infrastructure and environment variables
+#      - Outputs environment name and timezone for downstream jobs
+#      - Runs on ubuntu-latest
+#
+#   2. dependencies: Performs dependency analysis
+#      - Requires 'contents: read' and 'pull-requests: write' permissions
+#      - Uses GitHub's dependency-review-action to scan dependency changes
+#      - Posts review summary as a comment on the pull request
+#      - Depends on successful completion of setup job
+#
+# Environment Variables:
+#   - environment: Set to 'base' deployment environment
+#   - timezone: Retrieved from repository variable TIMEZONE
+#
+# Security:
+#   - Workflow runs with minimal permissions (permissions: {})
+#   - Individual jobs request only necessary permissions
+#   - Uses pinned action versions with SHA commits for security
+#
+# Dependencies:
+#   - actions/checkout@v6.0.1 (SHA: 8e8c483db84b4bee98b60c0593521ed34d9990e8)
+#   - actions/dependency-review-action@v4.8.3 (SHA: 774d14bf50b7a2e2460f9f49e25c52503ecab125)
+#
+
+name: Dependencies review
+run-name: Evaluating dependencies on ${{ github.event.pull_request.number }} 🔎
+
+on:
+  pull_request:
+    branches: ["main"]
+
+permissions: {}
+
+env:
+  environment: base
+  timezone: ${{ vars.TIMEZONE }}
+
+jobs:
+  # 1. Setup test infrastructure
+  setup:
+    name: Infrastructure 🔧
+    runs-on: ubuntu-latest
+    outputs:
+      environment: ${{ env.environment }}
+      timezone: ${{ env.timezone }}
+    steps:
+      - name: Environment 🧪
+        run: echo "Environment set to ${{ env.environment }}"
+
+      - name: Timezone 🌐
+        run: echo "Timezone set to ${{ env.timezone }}"
+
+  # 2. Execute dependencies review
+  dependencies:
+    permissions:
+      contents: read
+      pull-requests: write
+
+    name: Dependencies 🔎
+    needs: setup
+    environment:
+      name: ${{ needs.setup.outputs.environment }}
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Repository
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+
+      - name: Review
+        uses: actions/dependency-review-action@774d14bf50b7a2e2460f9f49e25c52503ecab125 #v4.8.3
+        with:
+          comment-summary-in-pr: always

LICENSE

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2025 Ministry of Justice
+Copyright (c) 2025 Crown Copyright (Ministry of Justice)
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

README.md

@@ -11,7 +11,7 @@
 
 A lightweight, Docker-based security scanner that integrates seamlessly with Git workflows to prevent hardcoded secrets from being committed to your repository. Built for the Ministry of Justice, this tool leverages following CLI commands to detect sensitive information such as API keys, passwords, tokens, and other credentials.
 
-* [GitLeaks](https://github.com/gitleaks/gitleaks)
+- [GitLeaks](https://github.com/gitleaks/gitleaks)
 
 ## ✨ Features
 
@@ -34,11 +34,13 @@ A lightweight, Docker-based security scanner that integrates seamlessly with Git
 ### Installation
 
 1. **Install pre-commit** (if not already installed):
+
    ```bash
    pip install pre-commit
    ```
 
 2. **Add to your repository** by creating or updating `.pre-commit-config.yaml`:
+
    ```yaml
    repos:
      - repo: https://github.com/ministryofjustice/devsecops-hooks
@@ -48,11 +50,13 @@ A lightweight, Docker-based security scanner that integrates seamlessly with Git
    ```
 
 3. **Install the hook**:
+
    ```bash
    pre-commit install
    ```
 
 4. **Run manually** (optional):
+
    ```bash
    pre-commit run --all-files
    ```
@@ -135,8 +139,8 @@ docker run --rm -v $(pwd):/src ghcr.io/ministryofjustice/pre-commit-hook:latest
 
 ### ✅ Success (No Secrets Detected)
 
-```
-⚡️ MoJ scanner 1.0.0⚡️
+```bash
+⚡️ Ministry of Justice - Scanner 1.0.0⚡️
 
 ○
     │╲
@@ -151,7 +155,7 @@ docker run --rm -v $(pwd):/src ghcr.io/ministryofjustice/pre-commit-hook:latest
 
 ### ❌ Failure (Secrets Detected)
 
-```
+```bash
 ⚡️ MoJ scanner 1.0.0⚡️
 
 ○
@@ -195,7 +199,7 @@ docker run --rm -v $(pwd):/src devsecops-hooks:local
 
 ## 📝 Environment Variables
 
-### Required for Installation
+### Build Arguments
 
 - `GIT_LEAKS_VERSION` - GitLeaks version to install (e.g., `8.30.0`)
 - `GIT_LEAKS_SHA512` - SHA-512 checksum for downloaded archive
@@ -209,7 +213,7 @@ docker run --rm -v $(pwd):/src devsecops-hooks:local
 
 This project is licensed under the MIT Licence - see the [LICENSE](LICENSE) file for details.
 
-**Copyright © 2025 Ministry of Justice**
+Copyright © 2025 Crown Copyright (Ministry of Justice)
 
 ## 🔗 Links
 
@@ -234,4 +238,4 @@ If you encounter any issues or have questions:
 
 ---
 
-**Made with ❤️ by the Ministry of Justice**
+Made with ❤️ by the Ministry of Justice