CompassSecurity · fxai · Dec 10, 2025 · Dec 5, 2025 · Dec 5, 2025 · Dec 8, 2025
diff --git a/.dockerignore b/.dockerignore
@@ -0,0 +1,15 @@
+# Exclude the Git version control folder
+.git
+.gitignore
+.github/
+
+# General exclusions
+pytest.ini
+README.md
+TODO.md
+tests/
+compose.yml
+
+# Nix develop
+flake.lock
+flake.nix
diff --git a/.github/workflows/dev_build_push.yml b/.github/workflows/dev_build_push.yml
@@ -9,6 +9,11 @@ jobs:
     # Only allow running on the dev branch
     if: github.ref == 'refs/heads/dev'
 
+    permissions:
+      contents: write      # Needed to create tags and releases
+      packages: write      # Needed to push to GHCR
+      id-token: write      # For trusted publishing
+
     steps:
       - name: Checkout dev branch
         uses: actions/checkout@v4
@@ -25,11 +30,15 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
+      - name: Create lowercase repository name
+        id: repo
+        run: echo "name=${GITHUB_REPOSITORY,,}" >> $GITHUB_OUTPUT
+
       - name: Build and push :dev image
         uses: docker/build-push-action@v6
         with:
           context: .
           push: true
-          tags: ghcr.io/${{ github.repository }}:dev
+          tags: ghcr.io/${{ steps.repo.outputs.name }}:dev
           cache-from: type=gha
           cache-to: type=gha,mode=max
diff --git a/.github/workflows/security_scan.yml b/.github/workflows/security_scan.yml
@@ -0,0 +1,42 @@
+name: security scan
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+
+permissions:
+  contents: read
+  security-events: write
+
+jobs:
+  gosec_zizmor:
+    name: security scan
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
+      - uses: actions/setup-go@v6
+        with:
+          go-version: stable
+      - name: Run Gosec Security Scanner
+        uses: securego/gosec@6be2b51fd78feca86af91f5186b7964d76cb1256 # v2.22.10
+        with:
+          args: "-no-fail -fmt json -out results.json ./..."
+
+      - name: Check Gosec Results
+        run: |
+          FOUND=$(jq '.Stats.found // 0' results.json)
+          echo "Gosec found $FOUND issue(s)"
+          if [ "$FOUND" -gt 0 ]; then
+            echo "❌ Security issues detected! Please fix them before merging."
+            exit 1
+          else
+            echo "✅ No security issues found."
+          fi
+
+      - name: Run zizmor 🌈
+        uses: zizmorcore/zizmor-action@e639db99335bc9038abc0e066dfcd72e23d26fb4 # v0.3.0
+        with:
+          inputs: .