
ci(security): add CodeQL, Dependabot, and OSV-Scanner bundle #11

Merged
RBKunnela merged 1 commit into main from feat/security-scanners-bundle on May 22, 2026

Conversation

@RBKunnela (Owner) commented May 22, 2026

Summary

Replicates the security scanner bundle from paybot-core PR #3 (merged 2026-05-22, squash 6dc6f5aa) to paybot-sdk.

This PR is governed by .claude/rules/automated-pr-merge-authority.md (NON-NEGOTIABLE rule established 2026-05-22). Only @devops may merge, and only after @qa issues a PASS verdict under the 12-check matrix.

Why

Closes the highest-leverage gap on paybot-sdk: it is the most public-facing of the three paybot repos (npm-published, reaches end-developers' machines). Bringing it under the same scanner regime as paybot-core means consumer-facing supply-chain CVEs become visible and flow into the automated PR pipeline.

What each scanner does

| Scanner | Layer | Cadence | Output |
| --- | --- | --- | --- |
| CodeQL (.github/workflows/codeql.yml) | SAST — JavaScript/TypeScript taint flow, SQL injection, unsafe regex, hardcoded crypto via security-extended queries | PR + push to main + weekly Monday 06:00 UTC | SARIF to Security tab |
| OSV-Scanner (.github/workflows/osv-scanner.yml) | Vuln DB — broader than Dependabot alone (npm advisories + GHSA + ecosystem feeds via Google's OSV.dev) | PR + push to main + weekly Tuesday 06:00 UTC | SARIF to Security tab |
| Dependabot (.github/dependabot.yml) | CVE alerts + auto-PRs for npm + github-actions ecosystems | Weekly Monday 06:00 UTC + immediate security updates | Vulnerability alerts feed + auto-PRs |

Public-repo simpler form (vs paybot-core)

Key difference from paybot-core PR #3: paybot-sdk is public. Public repos get GitHub-native Code Scanning (SARIF upload to Security tab) and Dependabot for free, without GitHub Advanced Security.

So this PR uses the simpler upload: true form on both CodeQL and OSV-Scanner — no GHAS workarounds needed. paybot-core (private personal-account) required upload: false + actions/upload-artifact for SARIF preservation; that workaround does NOT appear here.

If/when paybot-sdk becomes private, switch back to the paybot-core pattern. Until then, the simpler form is the right default.

Anti-patterns applied (from paybot-core PR #3 hard-won learnings)

| AP # | Pattern | Avoidance applied here |
| --- | --- | --- |
| 2 | OSV @v2 major-version alias is invalid (only exact tags exist) | Pinned to @v2.2.1; Dependabot github-actions ecosystem will surface upgrades |
| 3 | Per-job permissions: on reusable-workflow callers silently dropped | Permissions block lifted to workflow level in osv-scanner.yml |
| 4 | Guessing required-check context names | Deferred: required_status_checks update will happen post-merge using verbatim context strings from gh pr checks <PR> once first run completes |

AP #1 (GHAS-SARIF gating) explicitly does not apply here — public repo, native upload is free.

Dependabot API enabled

The two endpoints have been called in the correct order (vulnerability-alerts BEFORE automated-security-fixes):

PUT /repos/RBKunnela/paybot-sdk/vulnerability-alerts          → 204
PUT /repos/RBKunnela/paybot-sdk/automated-security-fixes      → 204

Both returned success. Dependabot will back-scan the lockfile and surface any pre-existing CVEs imminently (paybot-core surfaced 22 alerts the moment alerts were enabled — paybot-sdk may produce a similar wave).

SINKRA chain integration

Per automated-pr-merge-authority.md, this PR is routed:

Do NOT enable auto-merge on this PR. Do NOT merge until @qa issues PASS and @devops verifies the audit trail.

Follow-up work (NOT in this PR)

  1. required_status_checks update — after first CI run completes, capture exact check context names from gh pr checks <pr-num> --repo RBKunnela/paybot-sdk (AP #4 — verbatim, no reformatting). Then PATCH branch protection on main to add the new checks alongside the existing build (18) + build (20).
  2. Triage Dependabot alerts — separate PR(s) per advisory, routed through SINKRA chain.
  3. Add npm test + npm run lint to ci.yml — Task #4 from the post-PR-#3 backlog; CI currently runs typecheck + build only.
  4. Replicate to paybot-mcp — Task #2 from the same backlog.

Reference

  • Precedent: RBKunnela/paybot-core#3 (merged 6dc6f5aa, 2026-05-22)
  • Rule: .claude/rules/automated-pr-merge-authority.md (NON-NEGOTIABLE)
  • Session chronicle: .aios/handoffs/handoff-2026-05-22-paybot-security-hardening.md

Convoked by @aiox-master. Authored by @devops (Gage). Awaiting @qa validation.

Summary by CodeRabbit

Chores

  • Enabled automated dependency version updates via Dependabot, with separate schedules for npm packages and GitHub Actions, and automatic pull request creation
  • Added CodeQL static analysis security scanning for JavaScript/TypeScript code, running automatically on schedule and for pull requests
  • Configured OSV Scanner to scan dependencies for known security vulnerabilities

Review Change Stack

Replicates the security scanner bundle from paybot-core PR #3 (merged
2026-05-22, squash 6dc6f5aa) to paybot-sdk.

Key difference from paybot-core: paybot-sdk is PUBLIC, so SARIF upload
to the Security tab is free without GitHub Advanced Security. Both
CodeQL and OSV-Scanner use the simpler `upload: true` form — no
artifact workaround needed.

Files added:
  - .github/workflows/codeql.yml   — SAST, weekly Monday 06:00 UTC
  - .github/workflows/osv-scanner.yml — vuln DB, weekly Tuesday 06:00 UTC
  - .github/dependabot.yml         — npm + github-actions, weekly Monday

Anti-patterns applied (from paybot-core PR #3):
  - AP #2: OSV pinned to exact tag @v2.2.1 (not @v2 alias)
  - AP #3: OSV permissions at workflow level (not job level)
  - AP #4: required_status_checks update deferred until exact context
           names captured verbatim from `gh pr checks` post first run

Governed by .claude/rules/automated-pr-merge-authority.md (NON-NEGOTIABLE).

Refs: RBKunnela/paybot-core#3
coderabbitai Bot commented May 22, 2026

Walkthrough

Three GitHub security automation workflows are added: Dependabot automatically updates npm and GitHub Actions dependencies weekly with PR limits and scoped commit messages; CodeQL runs static analysis on JavaScript/TypeScript with security-extended queries and uploads results; OSV-Scanner scans lockfiles for known vulnerabilities using Google's reusable workflow.

Changes

CI/Security Automation Setup

| Layer | File(s) | Summary |
| --- | --- | --- |
| Automated dependency updates | .github/dependabot.yml | Dependabot configuration schedules weekly npm (10 open PRs) and GitHub Actions (5 open PRs) updates with deps/ci commit prefixes and dependency labels. |
| Static code analysis with CodeQL | .github/workflows/codeql.yml | CodeQL workflow triggers on main pushes, pull requests, and Monday 06:00 UTC cron; runs security-extended analysis on javascript-typescript with SARIF upload to code scanning. |
| Dependency vulnerability scanning | .github/workflows/osv-scanner.yml | OSV-Scanner workflow (v2.2.1) runs recursive scans on repository lockfiles/manifests, triggered on main activity and Tuesday 06:00 UTC cron, with SARIF upload enabled. |

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately and specifically summarizes the main change: adding three security scanners (CodeQL, Dependabot, OSV-Scanner) and their configurations to CI infrastructure. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


@github-advanced-security

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

gemini-code-assist Bot left a comment


Code Review

This pull request introduces a .github/dependabot.yml configuration to automate weekly dependency updates for npm and GitHub Actions. Feedback focuses on a discrepancy between the PR description and the actual changes, specifically the absence of mentioned security scanner workflows (CodeQL and OSV-Scanner). Additionally, it is recommended to implement grouped updates for both ecosystems to minimize the manual overhead of the project's strict merge process.

Comment thread .github/dependabot.yml
@@ -0,0 +1,47 @@
# Dependabot — automated dependency PRs for paybot-sdk

high

The PR title and description indicate that this PR adds a "security scanner bundle" including CodeQL (.github/workflows/codeql.yml) and OSV-Scanner (.github/workflows/osv-scanner.yml) workflows. However, these files are missing from the current diff. Please ensure all components of the bundle are included in the PR.

Comment thread .github/dependabot.yml
Comment on lines +29 to +31
labels:
- "dependencies"
- "npm"

medium

Given the strict merge process described in the PR summary (requiring a 12-check matrix pass and manual merge by @devops), receiving multiple individual PRs for dependency updates every week could lead to significant process overhead. Consider using Dependabot's grouped updates feature to bundle these into a single PR. This would allow the team to run the QA matrix once for the entire set of weekly updates.

    labels:
      - "dependencies"
      - "npm"
    groups:
      npm-dependencies:
        patterns:
          - "*"

Comment thread .github/dependabot.yml
Comment on lines +45 to +47
labels:
- "dependencies"
- "github-actions"

medium

Similar to the npm ecosystem, grouping GitHub Actions updates can help reduce the number of PRs that need to go through the manual QA and merge process.

    labels:
      - "dependencies"
      - "github-actions"
    groups:
      action-dependencies:
        patterns:
          - "*"

coderabbitai Bot previously requested changes May 22, 2026

coderabbitai Bot left a comment

Actionable comments posted: 2

🧹 Nitpick comments (1)
.github/workflows/codeql.yml (1)

47-48: ⚡ Quick win

Add persist-credentials: false to the Checkout step to reduce token exposure.

  • .github/workflows/codeql.yml currently has actions/checkout@v4 at lines 47-48, and there’s no persist-credentials: false setting present.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/codeql.yml around lines 47 - 48, Add the
persist-credentials: false setting to the Checkout step named "Checkout" that
uses actions/checkout@v4 so the workflow does not persist the GITHUB_TOKEN in
the checked-out repository; locate the step with uses: actions/checkout@v4 (the
"Checkout" step) and add the persist-credentials: false option under that step.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/codeql.yml:
- Around line 47-60: Update the workflow steps that use mutable action tags:
replace uses: actions/checkout@v4 and uses: github/codeql-action/init@v3,
github/codeql-action/autobuild@v3, github/codeql-action/analyze@v3 with their
corresponding immutable 40-character commit SHAs, and in the Checkout step add
with: persist-credentials: false to avoid persisting the default token;
specifically edit the steps named "Checkout", "Initialize CodeQL", "Autobuild",
and "Perform CodeQL Analysis" to pin the uses: fields to exact commit SHAs and
add the persist-credentials: false key under the Checkout step's with block.

In @.github/workflows/osv-scanner.yml:
- Line 56: The workflow references the OSV reusable workflow using a mutable tag
in the uses string
("google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@v2.2.1");
replace that tag with the corresponding immutable commit SHA for the
google/osv-scanner-action repository (e.g.,
.github/workflows/osv-scanner-reusable.yml@<COMMIT_SHA>) so the action content
is pinned; locate the uses line in .github/workflows/osv-scanner.yml and update
it to the commit SHA obtained from the upstream repo (ensure the SHA matches the
desired v2.2.1 state).

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: e44456e6-6fc3-4ac5-80f4-813cd1134e23

📥 Commits

Reviewing files that changed from the base of the PR and between a16a929 and f89bf53.

📒 Files selected for processing (3)
  • .github/dependabot.yml
  • .github/workflows/codeql.yml
  • .github/workflows/osv-scanner.yml

Comment on lines +47 to +60
      - name: Checkout
        uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          queries: security-extended

      - name: Autobuild
        uses: github/codeql-action/autobuild@v3

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail
echo "Non-SHA pinned uses in CodeQL workflow:"
rg -nP '^\s*uses:\s*[^@]+@(?!(?:[0-9a-f]{40})\b).+$' .github/workflows/codeql.yml

Repository: RBKunnela/paybot-sdk

Length of output: 287


🏁 Script executed:

#!/bin/bash
set -euo pipefail
echo "Relevant section of .github/workflows/codeql.yml:"
nl -ba .github/workflows/codeql.yml | sed -n '35,80p'

Repository: RBKunnela/paybot-sdk

Length of output: 175


🏁 Script executed:

#!/bin/bash
set -euo pipefail
echo "Relevant section of .github/workflows/codeql.yml (lines 35-80):"
awk 'NR>=35 && NR<=80 {printf "%d:%s\n", NR, $0}' .github/workflows/codeql.yml

Repository: RBKunnela/paybot-sdk

Length of output: 1073


🏁 Script executed:

#!/bin/bash
set -euo pipefail
echo "Searching for persist-credentials / permissions in .github/workflows/codeql.yml:"
rg -n --hidden -S "persist-credentials|permissions:" .github/workflows/codeql.yml

Repository: RBKunnela/paybot-sdk

Length of output: 161


🏁 Script executed:

#!/bin/bash
set -euo pipefail
echo "Relevant section of .github/workflows/codeql.yml (lines 15-45):"
awk 'NR>=15 && NR<=45 {printf "%d:%s\n", NR, $0}' .github/workflows/codeql.yml

Repository: RBKunnela/paybot-sdk

Length of output: 836


🏁 Script executed:

#!/bin/bash
set -euo pipefail
rg -n --hidden "persist-credentials" .github/workflows/codeql.yml || true

Repository: RBKunnela/paybot-sdk

Length of output: 46

Pin CodeQL workflow GitHub Actions to immutable commit SHAs (and harden checkout credentials)

  • .github/workflows/codeql.yml uses mutable action tags: actions/checkout@v4, github/codeql-action/{init,autobuild,analyze}@v3; pin each to its 40-char commit SHA to prevent supply-chain drift.
  • The actions/checkout step does not set with: persist-credentials: false; add it to avoid persisting the default token in git config.
Suggested hardening diff
-      - name: Checkout
-        uses: actions/checkout@v4
+      - name: Checkout
+        uses: actions/checkout@<40-char-commit-sha>

-      - name: Initialize CodeQL
-        uses: github/codeql-action/init@v3
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@<40-char-commit-sha>

-      - name: Autobuild
-        uses: github/codeql-action/autobuild@v3
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@<40-char-commit-sha>

-      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v3
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@<40-char-commit-sha>
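Review bot: the hunk only swaps the `@v4`/`@v3` tags for `<40-char-commit-sha>` placeholders, while the second bullet above also asks for `persist-credentials: false` on the Checkout step and the diff never adds it; the Checkout hunk should carry `with:` / `persist-credentials: false` under its `uses:` line, otherwise the artipacked finding survives the pinning. When the placeholders are filled in, keep the replaced tag as a trailing comment (`uses: actions/checkout@<sha> # v4`) so the intended major version stays readable and Dependabot's github-actions updater can still propose bumps, and make sure the value is the commit SHA the tag points to rather than the SHA of an annotated tag object, which would not resolve to any commit.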
🧰 Tools
🪛 zizmor (1.25.2)

[warning] 47-48: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
[error] 48-48: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
[error] 51-51: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
[error] 57-57: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
[error] 60-60: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)


🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/codeql.yml around lines 47 - 60, Update the workflow steps
that use mutable action tags: replace uses: actions/checkout@v4 and uses:
github/codeql-action/init@v3, github/codeql-action/autobuild@v3,
github/codeql-action/analyze@v3 with their corresponding immutable 40-character
commit SHAs, and in the Checkout step add with: persist-credentials: false to
avoid persisting the default token; specifically edit the steps named
"Checkout", "Initialize CodeQL", "Autobuild", and "Perform CodeQL Analysis" to
pin the uses: fields to exact commit SHAs and add the persist-credentials: false
key under the Checkout step's with block.

jobs:
  scan:
    # AP #2: exact tag, not `@v2` major alias.
    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@v2.2.1"

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail
echo "Non-SHA pinned uses in OSV workflow:"
rg -nP '^\s*uses:\s*[^@]+@(?!(?:[0-9a-f]{40})\b).+$' .github/workflows/osv-scanner.yml

Repository: RBKunnela/paybot-sdk

Length of output: 192


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "osv-scanner workflow context (lines 40-80):"
nl -ba .github/workflows/osv-scanner.yml | sed -n '40,80p'

echo
echo "All non-SHA pinned `uses:` in this workflow:"
rg -nP '^\s*uses:\s*[^@]+@(?!(?:[0-9a-f]{40})\b).+$' .github/workflows/osv-scanner.yml

Repository: RBKunnela/paybot-sdk

Length of output: 169


🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE=".github/workflows/osv-scanner.yml"

echo "File line count:"
wc -l "$FILE"

echo
echo "osv-scanner workflow context (lines 45-70):"
awk 'NR>=45 && NR<=70 {printf "%d:%s\n", NR, $0}' "$FILE"

echo
echo "All non-SHA pinned `uses:` in this workflow:"
rg -nP '^\s*uses:\s*[^@]+@(?!(?:[0-9a-f]{40})\b).+$' "$FILE"

Repository: RBKunnela/paybot-sdk

Length of output: 1073


Pin OSV reusable workflow uses: to an immutable commit SHA (not @v2.2.1).

The workflow calls:
google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@v2.2.1
Tags are mutable, so the referenced workflow content can change without this repo updating.

Suggested hardening diff
-    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@v2.2.1"
+    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@<40-char-commit-sha>"
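Review bot: pinning this `uses:` to a commit SHA freezes only the caller's view of osv-scanner-reusable.yml; the actions that reusable workflow itself runs are whatever google/osv-scanner-action pinned at that commit, so the upstream file at the chosen SHA needs a read before the pin is trusted. As with the CodeQL hunk, keep `# v2.2.1` as a trailing comment on the pinned line so the version intent survives and Dependabot can track upgrades, and reword the AP #2 comment above the `uses:` line (`exact tag, not @v2 major alias`), which becomes stale once the tag is replaced by a SHA.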
🧰 Tools
🪛 zizmor (1.25.2)

[error] 56-56: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)


🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/osv-scanner.yml at line 56, The workflow references the
OSV reusable workflow using a mutable tag in the uses string
("google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@v2.2.1");
replace that tag with the corresponding immutable commit SHA for the
google/osv-scanner-action repository (e.g.,
.github/workflows/osv-scanner-reusable.yml@<COMMIT_SHA>) so the action content
is pinned; locate the uses line in .github/workflows/osv-scanner.yml and update
it to the commit SHA obtained from the upstream repo (ensure the SHA matches the
desired v2.2.1 state).
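The two checks CodeRabbit and zizmor raise in the review above (an unpinned `uses:` reference and a checkout step without `persist-credentials: false`), together with the `@<sha> # <tag>` pin format the later hardening commit describes, as an added stand-alone example that is not code from paybot-sdk, CodeRabbit or zizmor: a standard-library-only Python audit over workflow text. `SAMPLE_WORKFLOW` and `PLACEHOLDER_SHA` are constructed for the demo, and the step detection infers step boundaries from conventional two-space YAML indentation instead of using a full YAML parser.

```python
"""Audit GitHub Actions workflows for unpinned `uses:` refs and persisted checkout credentials.

Added example for this thread; not code from paybot-sdk, CodeRabbit or zizmor. It
reimplements, with the standard library only, the two findings raised above:
  * unpinned-uses: a remote `uses:` whose version is not a 40-hex commit SHA
    (tags and branches are both mutable refs);
  * artipacked: an actions/checkout step without `persist-credentials: false`;
and the remediation format `@<sha> # <tag>`, which keeps the floating-tag intent
readable and lets Dependabot's github-actions updater keep proposing bumps.
SAMPLE_WORKFLOW and PLACEHOLDER_SHA are constructed for the demo.
"""
import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*["']?([^\s"']+)["']?\s*(#.*)?$""")
PERSIST_RE = re.compile(r"^\s*persist-credentials:\s*false\b")

PLACEHOLDER_SHA = "0123456789abcdef0123456789abcdef01234567"  # constructed, not a real commit

SAMPLE_WORKFLOW = f"""\
name: codeql
on: [push, pull_request]
jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          queries: security-extended
      - uses: actions/checkout@{PLACEHOLDER_SHA} # v4
        with:
          persist-credentials: false
      - uses: ./.github/actions/local-helper
  scan:
    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@v2.2.1"
"""

def classify_uses(ref):
    """Return sha | unpinned | missing-ref | local | docker for one `uses:` value."""
    if ref.startswith("./"):
        return "local"        # same-repo action: fixed by the commit under test
    if ref.startswith("docker://"):
        return "docker"       # image pinning (digest vs tag) is a separate check
    if "@" not in ref:
        return "missing-ref"  # resolves to the action's default branch
    version = ref.rsplit("@", 1)[1]
    return "sha" if SHA_RE.match(version) else "unpinned"

def _indent(line):
    return len(line) - len(line.lstrip())

def _step_lines(lines, idx):
    """Lines of the step containing lines[idx] (a `uses:` line), inferred from indentation:
    the step's keys share the column of `uses:`, its `- ` marker sits two columns left,
    and anything less indented than the keys ends the step."""
    key_col = lines[idx].index("uses:")
    lo = idx
    if not lines[idx].lstrip().startswith("-"):  # `- uses:` is already the step's first line
        while lo > 0:
            prev = lines[lo - 1]
            if prev.strip() and _indent(prev) < key_col:
                if prev.lstrip().startswith("-") and _indent(prev) == key_col - 2:
                    lo -= 1  # include the `- name:` line that opens this step
                break
            lo -= 1
    hi = idx + 1
    while hi < len(lines) and (not lines[hi].strip() or _indent(lines[hi]) >= key_col):
        hi += 1
    return lines[lo:hi]

def audit_workflow(text):
    """Return [(lineno, rule, ref)] for every finding in one workflow file."""
    lines = text.splitlines()
    findings = []
    for i, line in enumerate(lines):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if classify_uses(ref) in ("unpinned", "missing-ref"):
            findings.append((i + 1, "unpinned-uses", ref))
        if ref.split("@", 1)[0] == "actions/checkout":
            if not any(PERSIST_RE.match(s) for s in _step_lines(lines, i)):
                findings.append((i + 1, "artipacked", ref))
    return findings

def pin_line(line, resolved):
    """Rewrite `uses: X@tag` to `uses: X@<sha> # tag`, with resolved = {ref: commit sha}.
    The value must be the commit SHA: for an annotated tag the git/refs/tags lookup returns
    the tag object's SHA, which has to be dereferenced (git/tags/<sha>, object.sha) first."""
    m = USES_RE.match(line)
    if not m or m.group(1) not in resolved or "@" not in m.group(1):
        return line
    ref = m.group(1)
    action, tag = ref.rsplit("@", 1)
    sha = resolved[ref]
    if not SHA_RE.match(sha):
        raise ValueError(f"{ref}: {sha!r} is not a 40-hex commit SHA")
    prefix = line[:m.start(1)]
    suffix = line[m.end(1):].split("#", 1)[0].rstrip()  # keep a closing quote, drop an old comment
    return f"{prefix}{action}@{sha}{suffix} # {tag}"

def pin_workflow(text, resolved):
    return "\n".join(pin_line(ln, resolved) for ln in text.splitlines()) + "\n"

if __name__ == "__main__":
    for lineno, rule, ref in audit_workflow(SAMPLE_WORKFLOW):
        print(f"{lineno}: {rule}: {ref}")
    resolved = {"actions/checkout@v4": PLACEHOLDER_SHA, "github/codeql-action/init@v3": PLACEHOLDER_SHA}
    print(pin_workflow(SAMPLE_WORKFLOW, resolved))
```

Run against `.github/workflows/*.yml` it reproduces the zizmor list above (three tag-pinned steps, one tag-pinned reusable workflow, one checkout without `persist-credentials: false`), and running it again on the output of `pin_workflow` shows the point the review makes: SHA-pinning alone leaves the artipacked finding in place, since that is a `with:` setting rather than a version. The `resolved` map is filled from the tag lookups the hardening commit below describes; the SHA check in `pin_line` is there because an annotated tag returns a tag object's SHA, not the commit's.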

@RBKunnela (Owner, Author)

Merge authorization per .claude/rules/automated-pr-merge-authority.md (2nd application of rule):

CodeRabbit CHANGES_REQUESTED dismissed: findings are tech-debt (SHA-pinning), tracked as Task #12 across all 3 paybot repos. Same posture as paybot-core PR #3 (merged 2026-05-22 with @qa PASS, identical pattern).

Non-blocking observations from @qa:

  1. mcp Python alerts on packages/python/uv.lock — RESOLVED as legitimate (not cross-ecosystem misfire). Multi-ecosystem repo.
  2. Dependabot config gap — pip/uv ecosystem missing. Tracked as Task #11.
  3. CodeRabbit major findings on action SHA-pinning. Tracked as Task #12.
  4. Gemini "high" finding (claim of missing workflow files) is a false positive — all 3 files present.

Post-merge actions:

  • Add Analyze (javascript-typescript) + scan / osv-scan to required_status_checks (NOT the GHAS app mirrors CodeQL / osv-scanner)

@RBKunnela RBKunnela dismissed coderabbitai[bot]’s stale review May 22, 2026 17:00

QA verdict PASS — findings tracked as Task #12 (SHA-pinning tech-debt across paybot-core+sdk+mcp). Same posture as paybot-core PR #3 precedent.

@RBKunnela RBKunnela merged commit 2513676 into main May 22, 2026
8 checks passed
@RBKunnela RBKunnela deleted the feat/security-scanners-bundle branch May 22, 2026 17:01
RBKunnela added a commit that referenced this pull request May 22, 2026
…, proposal cleanup) (#28)

* chore(hygiene+hardening): SHA-pin actions, CODEOWNERS, uv ecosystem, prune proposal

Bundle of four backlog items for paybot-sdk supply-chain + governance hygiene:

#5  Delete stale .github/workflows/ci.yml.proposed (speculative draft from earlier
    experimentation; left dead in tree, creates confusion when reading workflows).

#6  Add .github/CODEOWNERS routing all paths to @RBKunnela (solo-founder phase).
    Removes the duplicate root /CODEOWNERS — .github/CODEOWNERS takes precedence
    per GitHub's discovery order, so the root file would be dead-ignored.

#11 Add `uv` ecosystem block to dependabot.yml covering /packages/python.
    Variance from task spec (which said `pip`): the live evidence — Dependabot's
    own auto-opened PR #12 on this repo carrying `package-manager=uv` — proves
    Dependabot natively understands the uv.lock format. Using `pip` would only
    cover pyproject.toml manifests and miss lockfile-pinned transitive deps.

#12 SHA-pin all GitHub Actions references across ci.yml, codeql.yml, and
    osv-scanner.yml to 40-char immutable commit SHAs with adjacent `# vX`
    comments preserving floating-tag intent for Dependabot upgrades. Adds
    `persist-credentials: false` to checkout steps where applicable. The
    `npm publish` job in ci.yml intentionally omits it (OIDC GITHUB_TOKEN
    must remain for `--provenance`).

    Resolutions (gh api repos/<owner>/git/refs/tags/<v>):
      actions/checkout@v4           -> 34e114876b0b11c390a56381ad16ebd13914f8d5
      actions/setup-node@v4         -> 49933ea5288caeca8642d1e84afbd3f7d6820020
      github/codeql-action/*@V3     -> 03e4368ac7daa2bd82b3e85262f3bf87ee112f57
      osv-scanner-reusable.yml@v2.2.1 -> 456ceb78310755116e0a3738121351006286b797

CodeRabbit on PR #11 (squash 2513676) flagged action pinning as MAJOR
tech-debt; this closes that finding.

Precedent: paybot-core sibling PR (parallel hygiene-and-hardening track,
same convocation).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* chore(codeowners): preserve path-partitioned reviewer rules from pre-existing root CODEOWNERS

Restore the /packages/python/ rule routing reviews to both @RBKunnela and
@kite-builds. Operator confirmed 2026-05-22 that this rule is intentional
(specialized reviewer for the Python port), not stale — reversing the prior
session decision that flagged it for removal.

Other path rules from the deleted root CODEOWNERS (/src/, /examples/) routed
to @RBKunnela only and were therefore functionally equivalent to the `*`
catch-all. Not restored — restoring them would add noise without changing
review routing. Operator's amendment spec also omits them, aligning with this
reading. If review routing for those paths needs to differ from the catch-all
in future, partition then.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
RBKunnela added a commit that referenced this pull request May 23, 2026
Why:
  Mon 2026-05-25 06:00 UTC Dependabot wave projected to ~50 individual
  PRs across the 3 paybot repos. Solo-founder bandwidth cannot absorb.
  Groups batch into ~12-15 PRs total.

What:
  npm ecosystem: 5 groups
    - npm-patch-prod / npm-minor-prod  (version-updates, prod, split by risk)
    - npm-dev-deps                     (version-updates, dev, batched freely)
    - npm-security-patch / npm-security-minor  (security-updates, split by severity)
  uv ecosystem (packages/python): 4 groups
    - uv-patch / uv-minor              (version-updates)
    - uv-security-patch / uv-security-minor
    (uv lacks the dependency-type axis npm has, so groups split by
     update-type alone; severity split preserved for security updates.)

Precedent: scanner-bundle PRs paybot-core #3 (6dc6f5aa), paybot-sdk #11
(2513676), paybot-mcp #1 (a6c211db) — same gate model.

Authority: full SINKRA chain per .claude/rules/automated-pr-merge-authority.md.
@qa lightweight (CI green + YAML validity + schema correct) then @devops merge.
DO NOT MERGE before @qa PASS.

Deadline: must merge before Mon 2026-05-25 06:00 UTC.