feat: add qb-security workflow, remove mobsfscan and nuclei

.github/workflows/qb-security.yml

@@ -0,0 +1,40 @@
+name: QB Security
+
+on:
+  workflow_call:
+    inputs:
+      runs-on:
+        description: 'Runner label for the scan job.'
+        type: string
+        default: 'default-k8s-runner'
+      search-directory:
+        description: 'Directory to scan recursively for invisible Unicode characters.'
+        type: string
+        default: '.'
+      exclude-dirs:
+        description: 'Comma-separated directory names to exclude from the scan.'
+        type: string
+        default: '.git,node_modules,.idea,build,dist'
+      exclude-patterns:
+        description: 'Comma-separated file glob patterns to exclude from the scan.'
+        type: string
+        default: '*.png,*.jpg,*.jpeg,*.gif,*.ico,*.pdf,*.zip,*.tar,*.gz,*.bin,*.dill'
+      fail-on-found:
+        description: 'Fail the workflow when invisible Unicode characters are found.'
+        type: boolean
+        default: true
+
+jobs:
+  unicode-security-scan:
+    runs-on: ${{ inputs.runs-on }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Detect Invisible Unicode
+        uses: QuickBirdEng/actions/detect-invisible-unicode@main
+        with:
+          search-directory: ${{ inputs.search-directory }}
+          exclude-dirs: ${{ inputs.exclude-dirs }}
+          exclude-patterns: ${{ inputs.exclude-patterns }}
+          fail-on-found: ${{ inputs.fail-on-found }}

README.md

@@ -8,3 +8,11 @@ The examples in [The docs folder](docs/) are provided as examples of calling wor
 
 From the root of your project repo, place the calling workflow in `.github/workflows`.
 
+## Workflows
+
+| Workflow | Description | Docs |
+|---|---|---|
+| `qb-security` | Invisible Unicode detection + verified secret scanning on pull requests | [docs/qb-security](docs/qb-security/explanation.md) |
+| `sanity-requirements` | LoC delta check and branch-ticket check for feature branches | [docs/sanity-requirements](docs/sanity-requirements/explanation.md) |
+| `flutter-package-branch` / `flutter-package-release` | Flutter lint, test, and Slack notification for package repos | [docs/flutter-packages](docs/flutter-packages/explanation.md) |
+

docs/qb-security/explanation.md

@@ -0,0 +1,89 @@
+# QB Security
+
+A reusable workflow that runs supply-chain security checks on every pull request.
+
+## What it checks
+
+### Invisible Unicode detection
+
+Scans every source file in the PR for invisible Unicode characters used in two known supply-chain attacks:
+
+- **GlassWorm** — embeds Unicode Variation Selectors (U+FE00–U+FE0F, U+E0100–U+E01EF) inside commits. The characters are invisible in code editors, terminals, and GitHub's diff view, allowing payloads to hide inside what appear to be legitimate changes.
+- **Trojan Source** — uses bidirectional control characters (U+202A–U+202E, U+2066–U+2069) to visually reorder code during review so that what a reviewer sees differs from what the compiler executes.
+
+Binary files are skipped automatically. Findings are emitted as inline PR annotations pointing to the exact file and line.
+
+### Secret scanning (TruffleHog)
+
+Scans the commits introduced by the PR for verified secrets using [TruffleHog OSS](https://github.com/trufflesecurity/trufflehog). Only **verified** secrets (credentials that TruffleHog can confirm are active against the real service) are reported, which eliminates false positives from example keys or already-rotated credentials. Findings are emitted as inline PR annotations.
+
+## Usage
+
+```yaml
+name: Security
+
+on:
+  pull_request:
+
+jobs:
+  # Invisible Unicode detection — no secrets needed
+  security:
+    uses: QuickBirdEng/workflows/.github/workflows/qb-security.yml@main
+
+  # Secret scanning — separate job, passes only the token it needs
+  trufflehog-scan:
+    runs-on: default-k8s-runner
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - uses: QuickBirdEng/actions/trufflehog-scan@main
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+```
+
+The unicode scan requires no secrets. TruffleHog runs as a separate job and receives only `GITHUB_TOKEN` — no `secrets: inherit` needed.
+
+## Inputs
+
+All inputs are optional. Defaults are intentionally broad so most repos need no configuration.
+
+| Input | Type | Default | Description |
+|---|---|---|---|
+| `runs-on` | string | `default-k8s-runner` | Runner label |
+| `search-directory` | string | `.` | Root directory for the invisible Unicode scan |
+| `exclude-dirs` | string | `.git,node_modules,.idea,build,dist` | Directory names to skip |
+| `exclude-patterns` | string | `*.png,*.jpg,*.jpeg,*.gif,*.ico,*.pdf,*.zip,*.tar,*.gz,*.bin,*.dill` | File glob patterns to skip |
+| `fail-on-found` | boolean | `true` | Fail the check when invisible Unicode is detected |
+
+## Typical overrides
+
+**Exclude an additional generated directory:**
+```yaml
+jobs:
+  security:
+    uses: QuickBirdEng/workflows/.github/workflows/qb-security.yml@main
+    with:
+      exclude-dirs: '.git,node_modules,.idea,build,dist,generated'
+    secrets: inherit
+```
+
+**Run on a self-hosted runner:**
+```yaml
+jobs:
+  security:
+    uses: QuickBirdEng/workflows/.github/workflows/qb-security.yml@main
+    with:
+      runs-on: 'self-hosted'
+    secrets: inherit
+```
+
+**Audit mode (report but do not fail):**
+```yaml
+jobs:
+  security:
+    uses: QuickBirdEng/workflows/.github/workflows/qb-security.yml@main
+    with:
+      fail-on-found: false
+    secrets: inherit
+```

docs/qb-security/qb-security-calling-example.yml

@@ -0,0 +1,18 @@
+name: Security
+
+on:
+  pull_request:
+
+jobs:
+  security:
+    uses: QuickBirdEng/workflows/.github/workflows/qb-security.yml@main
+
+  trufflehog-scan:
+    runs-on: default-k8s-runner
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - uses: QuickBirdEng/actions/trufflehog-scan@main
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}