Add security workflows pre-commit hooks, dependency review, CodeQL

[rahuldevikar761]

No description provided.

[github-actions]

⚠️ Deprecation Warning: The deny-licenses option is deprecated for possible removal in the next major release. For more information, see issue 997.

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Package	Version	Score	Details
actions/actions/checkout	4.*.*	🟢 6.4	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 5 7 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 5 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Packaging ⚠️ -1 packaging workflow not detected Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 9 security policy file detected Branch-Protection 🟢 6 branch protection is not maximal on development and all release branches Vulnerabilities 🟢 7 3 existing vulnerabilities detected SAST 🟢 8 SAST tool detected but not run on all commits
actions/actions/dependency-review-action	4.*.*	🟢 7.6	Details Check Score Reason Maintained 🟢 10 26 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Security-Policy 🟢 9 security policy file detected Binary-Artifacts 🟢 10 no binaries found in the repo Code-Review 🟢 10 all changesets reviewed Token-Permissions 🟢 9 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Pinned-Dependencies ⚠️ 1 dependency not pinned by hash detected -- score normalized to 1 License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 6 branch protection is not maximal on development and all release branches Vulnerabilities 🟢 6 4 existing vulnerabilities detected SAST 🟢 10 SAST tool is run on all commits

Scanned Files

• .github/workflows/dependency-review.yml

[Copilot]

Pull request overview

This PR introduces baseline security automation for the Agent365 Node.js monorepo by adding local pre-commit checks and GitHub security scanning workflows.

Changes:

• Add a .pre-commit-config.yaml with gitleaks, whitespace/YAML/JSON checks, plus eslint and prettier hooks.
• Add a GitHub Actions “Dependency Review” workflow to block vulnerable or disallowed-license dependency changes in PRs.
• Add a GitHub Actions CodeQL workflow to run JS/TS security analysis on pushes, PRs, and a weekly schedule.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.

File	Description
.pre-commit-config.yaml	Introduces pre-commit hooks for secrets scanning, formatting, and linting.
.github/workflows/dependency-review.yml	Adds PR-time dependency vulnerability/license review.
.github/workflows/codeql.yml	Adds CodeQL scanning for JS/TS on main/PR/schedule.

[Copilot]

The prettier hook is pinned to an alpha release (v4.0.0-alpha.8). Using prerelease formatter versions can cause unexpected formatting churn and makes it harder to keep contributors in sync. Consider pinning to the latest stable prettier (or aligning with a repo-managed prettier dependency if/when one is added).

[Copilot]

The CodeQL job uses the generic Autobuild step but doesn’t set up pnpm or install dependencies. This repo uses pnpm and pnpm-specific dependency specifiers (e.g., "catalog:"), so an npm-based autobuild/install can fail, and a pnpm-based build won’t run unless pnpm is installed. Prefer installing pnpm (pnpm/action-setup) and running pnpm i + the repo build, or configure CodeQL to skip the build step if you intentionally want buildless analysis.

Suggested change

	- name: Autobuild
	uses: github/codeql-action/autobuild@v3
	- name: Setup pnpm
	uses: pnpm/action-setup@v4
	with:
	version: 9
	run_install: false
	- name: Install dependencies
	run: pnpm install
	- name: Build project
	run: pnpm run build --if-present

[Copilot]

The eslint pre-commit hook is running in an isolated pre-commit environment but the repo’s eslint.config.mjs imports modules that aren’t listed under additional_dependencies (e.g., "@eslint/js" and "typescript-eslint"). As-is, the hook is likely to fail with module-not-found errors. Consider either adding the missing dependencies (and pinning them to the repo’s versions) or switching to a local hook that runs the workspace’s pnpm-managed eslint.

Suggested change

	- "@typescript-eslint/eslint-plugin"
	- "@typescript-eslint/eslint-plugin"
	- "@eslint/js"
	- "typescript-eslint"

[Copilot]

The pre-commit config pins eslint to v9.5.0, but the repo currently uses eslint ^9.39.1 (and matching @typescript-eslint versions). This version skew can lead to different lint results locally vs CI. It’s better to align the pre-commit hook’s eslint/@typescript-eslint versions with the repo’s devDependencies (or run the repo’s eslint via pnpm).

Suggested change

	rev: v9.5.0
	hooks:
	- id: eslint
	files: \.[jt]sx?$
	types: [file]
	additional_dependencies:
	- eslint@9.5.0
	rev: v9.39.1
	hooks:
	- id: eslint
	files: \.[jt]sx?$
	types: [file]
	additional_dependencies:
	- eslint@9.39.1

[Copilot]

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 5 comments.

[Copilot]

The workflow grants pull-requests: write and forces comment-summary-in-pr: always. If PR-commenting isn’t strictly required, consider dropping to pull-requests: read (principle of least privilege). If commenting is required, ensure this won’t break on PRs from forks where GITHUB_TOKEN typically can’t write PR comments (e.g., make commenting conditional or switch to a safer reporting mode).

[Copilot]

PR title mentions adding CodeQL, but there’s no CodeQL workflow currently under .github/workflows (only CI and dependency-review). Either add the CodeQL workflow in this PR or adjust the PR title/description to match what’s actually being introduced.

[Copilot]

This workflow only runs for PRs targeting main, but the existing CI workflow is configured for both main and master. If master is still a supported target branch in this repo, dependency review will be skipped for those PRs—consider including master here as well (or remove master from CI if it’s no longer used).

[Copilot]

This new file appears to use CRLF line endings (e.g., lines match ...prettier\r). The repo’s .editorconfig requires end_of_line = lf, so please normalize this file to LF to avoid noisy diffs and formatting churn across platforms.

[Copilot]

This workflow file appears to be committed with CRLF line endings (e.g., uses: ...@v4\r). The repo’s .editorconfig requires LF, so please normalize this file to LF to prevent cross-platform churn.