Security hardening: secret scanning CI, Dockerfile supply-chain fixes, SECURITY.md

[Copilot]

Addresses several supply-chain and secret-exposure risks: no CI secret scanning, curl | bash installer patterns in the Dockerfile, a generic non-actionable SECURITY.md, and untracked transcript output directories.

Changes

.github/workflows/secret-scanning.yml (new)

• Runs gitleaks/gitleaks-action@v2.3.9 (pinned) on PRs and pushes to main with full history (fetch-depth: 0)
• Minimal permissions (contents: read); fails build on verified findings

Dockerfile — eliminate curl | bash/sh

Before	After
curl … | bash - (NodeSource setup script)	GPG-verified apt repository for Node 20.x
curl … | sh (uv installer)	pip3 install --no-cache-dir uv via PyPI
PATH included /root/.cargo/bin	Removed (Rust uv installer no longer used)

Added python3-pip to the Python apt install step to support pip-based uv install.

SECURITY.md

Replaced generic Microsoft template with repo-specific guidance: GitHub Security Advisory link for private disclosure, 90-day timeline, scope definition, and a note about .env.example and automated scanning.

.gitignore

Added exported_transcripts/ — session transcript output that was untracked and could contain sensitive context.

Original prompt

Create a security-hardening pull request for the repository acailic/amplifier-adding-codex.

Context:

• The repository loads environment variables from a .env file in multiple Pydantic BaseSettings configs.
• The repository contains an .env.example file.
• There is a .codex/config.toml which defines an [env_allow] allowlist for environment variables.
• There is a Dockerfile that uses network installer scripts (e.g., NodeSource setup_20.x piped to bash, and astral.sh/uv/install.sh), which is a supply-chain risk.

Goals:

1. Prevent accidental committing of secrets and local artifacts:

   • Ensure .env is git-ignored.
   • Ensure common secret files and local state/artifact directories are git-ignored (e.g., .data/, .tmp/, transcript outputs, caches) if applicable.
   • Ensure .env.example remains as a non-secret template (no real keys).

2. Add automated secret scanning in CI:

   • Add a GitHub Actions workflow to run a secret scanner (prefer gitleaks) on pull requests and pushes to main.
   • Configure it to fail the build on verified/high-confidence findings.
   • Make the workflow fast and suitable for OSS.

3. Add security documentation:

   • Add SECURITY.md with instructions for responsibly reporting vulnerabilities.

4. Dockerfile hardening:

   • Reduce supply-chain risk where reasonable (pin versions, avoid curl | bash if possible; if not possible, at least document and add basic mitigations).
   • Ensure the Docker build does not accidentally bake secrets into images.

5. Keep changes minimal and non-breaking.

Deliverables:

• A PR against base branch main with clear title and description explaining changes.
• Any new files (workflow, SECURITY.md, .gitignore updates) added/updated.
• CI workflow should run successfully.

Notes:

• If .gitignore already exists, update it; otherwise create it.
• Do not add any real credentials.
• Prefer standard GitHub templates and widely-used scanning actions.

This pull request was created from Copilot chat.

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.