
ci: add security and quality hardening workflows#38

Open
kaio6fellipe wants to merge 14 commits into main from ci/security-quality-hardening

Conversation

@kaio6fellipe
Contributor

Summary

  • Add CodeQL SAST workflow for Go analysis (weekly + push/PR to main, explicit lambda/ build)
  • Add OSSF Scorecard supply chain analysis (weekly + push to main)
  • Add Scorecard PR Check with 7.0 threshold enforcement and PR comments
  • Add security scanning workflow (gitleaks secret scan + govulncheck v1.1.4, scoped to lambda/ module)
  • Add CODEOWNERS with @kaio6fellipe as default owner
  • Enhance golangci-lint config: add gosec, revive, gocyclo, misspell, unconvert linters and goimports formatter

Context

Replicates security and quality configurations from event-driven-bookinfo. All actions SHA-pinned. Least-privilege permissions throughout. Keeps existing Renovate config (no Dependabot).

CodeQL uses explicit cd lambda && go build ./... instead of autobuild to ensure the lambda/go.mod module is correctly discovered. Govulncheck runs with working-directory: lambda.

Spec: docs/superpowers/specs/2026-04-20-security-quality-hardening-design.md in code-agent-hub.

Test plan

  • CodeQL workflow triggers on push to main and runs successfully
  • Scorecard workflow runs on manual dispatch
  • Scorecard PR check posts comment and enforces threshold on this PR
  • Gitleaks scan passes on this PR
  • Govulncheck scan passes on this PR
  • golangci-lint with new linters passes (or surfaces known violations to address separately)

🤖 Generated with Claude Code

Co-Authored-By: Claude Opus 4.6 noreply@anthropic.com

Signed-off-by: Kaio Fellipe <kaio6fellipe@gmail.com>
…orts formatter

Signed-off-by: Kaio Fellipe <kaio6fellipe@gmail.com>
…eck to v1.1.4

Signed-off-by: Kaio Fellipe <kaio6fellipe@gmail.com>
@coderabbitai

coderabbitai bot commented Apr 20, 2026

Warning

Rate limit exceeded

@kaio6fellipe has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 37 minutes and 15 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 37 minutes and 15 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: ed13388c-cfa2-4c87-a000-0e0800efd6f2

📥 Commits

Reviewing files that changed from the base of the PR and between a97c28f and c904a73.

📒 Files selected for processing (16)
  • .github/CODEOWNERS
  • .github/workflows/ami-build.yml
  • .github/workflows/codeql.yml
  • .github/workflows/label-old-prs.yml
  • .github/workflows/labeler.yml
  • .github/workflows/release.yml
  • .github/workflows/scorecard-pr.yml
  • .github/workflows/scorecard.yml
  • .github/workflows/security.yml
  • .github/workflows/test.yml
  • .golangci.yml
  • lambda/internal/config/config.go
  • lambda/internal/ec2/launcher.go
  • lambda/internal/github/client.go
  • lambda/internal/runner/cleanup.go
  • lambda/internal/sqs/publisher.go

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.


Comment @coderabbitai help to get the list of available commands and usage tips.

@github-actions

github-actions bot commented Apr 20, 2026

OpenSSF Scorecard — 8.4/10 ✅

Check                 Score   Details
Binary-Artifacts      10/10   no binaries found in the repo
CI-Tests              10/10   16 out of 16 merged PRs checked by a CI test -- score normalized to 10
Code-Review            0/10   Found 0/29 approved changesets -- score normalized to 0
Dangerous-Workflow    10/10   no dangerous workflow patterns detected
License               10/10   license file detected
Pinned-Dependencies    7/10   dependency not pinned by hash detected -- score normalized to 7
Security-Policy       10/10   security policy file detected
Token-Permissions     10/10   GitHub workflow tokens follow principle of least privilege
Vulnerabilities       10/10   0 existing vulnerabilities detected

Threshold: 7 | Full report

@github-advanced-security

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

kaio6fellipe and others added 7 commits April 20, 2026 04:17
The gitleaks GitHub Action requires a paid license for organization
repositories. Replace with direct CLI binary installation.

Signed-off-by: Kaio Fellipe <kaio6fellipe@gmail.com>
Convert all workflows to permissions: {} at workflow level with
per-job grants. This maximizes the OpenSSF Scorecard Token-Permissions
check (0/10 -> 10/10).

Signed-off-by: Kaio Fellipe <kaio6fellipe@gmail.com>
Pin setup-packer@main to v3.2.0 SHA to improve the OpenSSF Scorecard
Pinned-Dependencies check.

Signed-off-by: Kaio Fellipe <kaio6fellipe@gmail.com>
Resolves revive stutter lint violations. The package name already
provides the namespace (ec2.API, sqs.Sender).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: Kaio Fellipe <kaio6fellipe@gmail.com>
Extract validateRequiredEnv, loadSecrets, cleanupStaleInstances, and
reconcileOrphanInstances helpers.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: Kaio Fellipe <kaio6fellipe@gmail.com>
Mark PrivateKey struct field as non-hardcoded credential and annotate
SSRF findings on GitHub API HTTP calls with controlled URLs.

Signed-off-by: Kaio Fellipe <kaio6fellipe@gmail.com>
Fork PRs don't have write access to the GITHUB_TOKEN, so the comment
step would fail with 403. Skip it for forks — the scorecard check and
threshold enforcement still run.

Signed-off-by: Kaio Fellipe <kaio6fellipe@gmail.com>
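The PR description states that every action is SHA-pinned and that permissions follow least privilege, and the commits above tighten exactly those two properties (workflow-level permissions: {} with per-job grants; setup-packer@main pinned to a release SHA). As an added example that is not part of this PR or the repository, the Python checker below audits a workflow file for both properties over a constructed sample; the action SHAs in the sample are placeholders, and the line-based parsing assumes the usual two-space indentation.

```python
import re

# Constructed sample workflow (not the PR's own file). The first job follows the
# PR's conventions; the second reproduces the two Scorecard findings the PR fixed:
# a branch-pinned action and a job with no permissions block. SHAs are placeholders.
SAMPLE_WORKFLOW = """\
name: security
permissions: {}
jobs:
  govulncheck:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4
      - uses: actions/setup-go@89abcdef0123456789abcdef0123456789abcdef # v5
  packer:
    runs-on: ubuntu-latest
    steps:
      - uses: hashicorp/setup-packer@main
"""
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
JOB_RE = re.compile(r"^  ([A-Za-z0-9_-]+):\s*$")  # job ids sit at two-space indent
SHA_RE = re.compile(r"^[0-9a-f]{40}$")            # a full commit hash, not a tag

def audit_workflow(text):
    """Return (unpinned_uses, jobs_without_permissions, workflow_perms_emptied).
    Line-based so it needs no PyYAML; assumes two-space indentation."""
    unpinned, job_has_perms = [], {}
    in_jobs, current_job, workflow_perms_emptied = False, None, False
    for line in text.splitlines():
        if line.startswith("permissions:") and "{}" in line:
            workflow_perms_emptied = True  # workflow-level reset to no permissions
        if line.startswith("jobs:"):
            in_jobs = True
            continue
        job = JOB_RE.match(line)
        if in_jobs and job:
            current_job = job.group(1)
            job_has_perms[current_job] = False  # until a permissions: block appears
            continue
        if current_job and line.startswith("    permissions:"):
            job_has_perms[current_job] = True
        use = USES_RE.match(line)
        if use and not use.group(1).startswith(("./", "docker://")):
            ref = use.group(1)
            if not SHA_RE.match(ref.partition("@")[2]):
                unpinned.append((current_job, ref))  # tag or branch: mutable target
    unscoped = [j for j, ok in job_has_perms.items() if not ok]
    return unpinned, unscoped, workflow_perms_emptied
```

Running it over a real workflows directory (one call per file) reproduces the Pinned-Dependencies and Token-Permissions signals locally before Scorecard posts its PR comment.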