cld2labs · geethac2l · Feb 23, 2026 · Jan 28, 2026 · Feb 20, 2026 · Feb 23, 2026
diff --git a/.github/workflows/code-scans.yaml b/.github/workflows/code-scans.yaml
@@ -0,0 +1,98 @@
+name: SDLE Scans
+
+on:
+  workflow_dispatch:
+    inputs:
+      PR_number:
+        description: 'Pull request number'
+        required: true
+  push:
+    branches: [ main ]
+  pull_request:
+    types: [opened, synchronize, reopened, ready_for_review]
+
+concurrency:
+  group: sdle-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+
+# -----------------------------
+# 1) Trivy Scan (fixed)
+# -----------------------------
+  trivy_scan:
+    name: Trivy Vulnerability Scan
+    runs-on: ubuntu-latest
+    env:
+      TRIVY_REPORT_FORMAT: table
+      TRIVY_SCAN_TYPE: fs
+      TRIVY_SCAN_PATH: .
+      TRIVY_EXIT_CODE: '1'
+      TRIVY_VULN_TYPE: os,library
+      TRIVY_SEVERITY: CRITICAL,HIGH
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Create report directory
+        run: mkdir -p trivy-reports
+
+      - name: Run Trivy FS Scan
+        uses: aquasecurity/trivy-action@0.24.0
+        with:
+          scan-type: 'fs'
+          scan-ref: '.'
+          scanners: 'vuln,misconfig,secret,license'
+          ignore-unfixed: true
+          format: 'table'
+          exit-code: '1'
+          output: 'trivy-reports/trivy_scan_report.txt'
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'
+
+      - name: Upload Trivy Report
+        uses: actions/upload-artifact@v4
+        with:
+          name: trivy-report
+          path: trivy-reports/trivy_scan_report.txt
+      - name: Show Trivy Report in Logs
+        if: failure()
+        run: |
+          echo "========= TRIVY FINDINGS ========="
+          cat trivy-reports/trivy_scan_report.txt
+          echo "================================="
+
+# -----------------------------
+# 2) Bandit Scan
+# -----------------------------
+  bandit_scan:
+    name: Bandit security scan
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v4
+      with:
+        submodules: 'recursive'
+        fetch-depth: 0
+    - uses: actions/setup-python@v5
+      with:
+        python-version: "3.x"
+    - name: Install Bandit
+      run: pip install bandit
+    - name: Create Bandit configuration
+      run: |
+        cat > .bandit << 'EOF'
+        [bandit]
+        exclude_dirs = tests,test,venv,.venv,node_modules
+        skips = B101
+        EOF
+      shell: bash
+    - name: Run Bandit scan
+      run: |
+        bandit -r . -ll -iii -f screen
+        bandit -r . -ll -iii -f html -o bandit-report.html
+    - name: Upload Bandit Report
+      uses: actions/upload-artifact@v4
+      with:
+        name: bandit-report
+        path: bandit-report.html
+        retention-days: 30
diff --git a/backend/requirements.txt b/backend/requirements.txt
@@ -1,27 +1,27 @@
-# Core Web Framework
-fastapi==0.109.0
-uvicorn[standard]==0.27.0
-python-multipart==0.0.6
-
-# LLM & AI APIs
-httpx==0.27.2
-requests==2.31.0
-openai>=1.0.0
-
-# Document Processing
-pypdf==6.1.1
-python-docx==1.1.0
-pdf2image==1.16.3
-pytesseract==0.3.10
-Pillow==10.2.0
-
-# Configuration Management
-python-dotenv==1.0.0
-pydantic==2.5.3
-
-# RAG / Vector Search
-numpy==1.26.4
-faiss-cpu==1.8.0
-
-# Utilities
-aiofiles==23.2.1
+# Core Web Framework
+fastapi==0.109.0
+uvicorn[standard]==0.27.0
+python-multipart==0.0.22
+
+# LLM & AI APIs
+httpx==0.27.2
+requests==2.31.0
+openai>=1.0.0
+
+# Document Processing
+pypdf==6.1.1
+python-docx==1.1.0
+pdf2image==1.16.3
+pytesseract==0.3.10
+Pillow==12.1.1
+
+# Configuration Management
+python-dotenv==1.0.0
+pydantic==2.5.3
+
+# RAG / Vector Search
+numpy==1.26.4
+faiss-cpu==1.8.0
+
+# Utilities
+aiofiles==23.2.1