
fix(security): add OpenSSF Scorecard workflow and harden SECURITY.md#155

Merged
docdyhr merged 1 commit into
mainfrom
fix/scorecard-findings
May 27, 2026

Conversation

@docdyhr docdyhr (Owner) commented May 27, 2026

Summary

Addresses the three OpenSSF Scorecard findings from the latest scan.

  • Branch-Protection (score 3→expected improvement): Adds scorecard.yml so Scorecard runs with GITHUB_TOKEN and can read the existing repository ruleset. Results are published to the OpenSSF API and uploaded to GitHub Code Scanning (SARIF).
  • CII-Best-Practices: Enables GitHub private vulnerability reporting (GHSA) and removes placeholder emails from SECURITY.md, replacing them with the GitHub Security Advisories URL.
  • Code-Review (score 0): No automated fix possible for a solo project — approved Dependabot merges will accumulate over time. The Scorecard workflow will track this going forward.

Changes

  • .github/workflows/scorecard.yml — new workflow using ossf/scorecard-action@v2.4.3 (pinned SHA), runs weekly + on push to main + on branch-protection-rule events
  • SECURITY.md — remove [security@batless.dev], [INSERT EMAIL], [INSERT PGP KEY ID] placeholders; replace with https://github.com/docdyhr/batless/security/advisories/new
  • README.md — add OpenSSF Scorecard badge
  • Private vulnerability reporting enabled on the repository via API

Test plan

  • CI passes on this PR
  • Scorecard workflow runs successfully after merge (visible in Actions tab)
  • OpenSSF Scorecard badge resolves after first successful run

🤖 Generated with Claude Code

Summary by Sourcery

Add automated OpenSSF Scorecard supply-chain security analysis and tighten documented security reporting channels.

New Features:

  • Introduce a GitHub Actions workflow to run OpenSSF Scorecard on a schedule and on key repository events, publishing results to code scanning and the OpenSSF API.

Enhancements:

  • Update SECURITY.md to direct reporters to GitHub's private vulnerability reporting workflow instead of email-based placeholders.
  • Add an OpenSSF Scorecard status badge to the README to surface supply-chain security posture.

- Add scorecard.yml to run ossf/scorecard-action weekly and on push/branch-protection-rule
  events so Scorecard can read the repo's ruleset with GITHUB_TOKEN and correctly
  report Branch-Protection; results are published and uploaded to GitHub code-scanning
- Enable private vulnerability reporting (GHSA) on the repository
- Replace placeholder emails in SECURITY.md with the GitHub Security Advisories URL
- Add OpenSSF Scorecard badge to README

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings May 27, 2026 04:20
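The workflow the PR description outlines, written out here as an added example with the job-level least-privilege permissions the Sourcery review asks about. This is not the repository's own scorecard.yml and not the ossf/scorecard-action project's template: the `<sha-...>` values are placeholders to be replaced with commit SHAs verified against the release tags, and the `workflow_dispatch` trigger and the job name `analysis` are assumptions added for illustration.

```yaml
# Added example (not the repository's file): an OpenSSF Scorecard workflow in
# the shape the PR describes, with permissions granted per job rather than
# workflow-wide. <sha-...> values are placeholders for verified commit pins.
name: Scorecard supply-chain security

on:
  # Re-run when rulesets or branch protection change so the
  # Branch-Protection check reflects the current configuration.
  branch_protection_rule:
  # Weekly run, Mondays 14:20 UTC, matching the PR's cron expression.
  schedule:
    - cron: '20 14 * * 1'
  push:
    branches: ["main"]
  # Assumption: manual trigger so the first run can be checked right after merge.
  workflow_dispatch:

# Grant nothing at the workflow level; each job lists exactly what it needs.
permissions: {}

jobs:
  analysis:
    name: Scorecard analysis
    runs-on: ubuntu-latest
    permissions:
      contents: read          # needed by actions/checkout
      security-events: write  # needed by upload-sarif to write Code Scanning alerts
      id-token: write         # OIDC token used by the action when publish_results is true
      # actions: read         # additionally required by upload-sarif on private repositories
    steps:
      - name: Checkout code
        # Annotate the pin with the exact release the SHA was taken from.
        uses: actions/checkout@<sha-of-checkout-release> # vX.Y.Z
        with:
          persist-credentials: false  # keep GITHUB_TOKEN out of .git/config for later steps

      - name: Run analysis
        uses: ossf/scorecard-action@<sha-of-scorecard-action-release> # vX.Y.Z
        with:
          results_file: results.sarif
          results_format: sarif
          # Publishing to the OpenSSF API is what the README badge reads from.
          publish_results: true

      - name: Upload to code-scanning
        uses: github/codeql-action/upload-sarif@<sha-of-codeql-action-release> # vX.Y.Z
        with:
          sarif_file: results.sarif
          category: scorecard  # keeps these alerts separate from any CodeQL upload
```

Before filling in the placeholders, resolve each tag to its commit with `git ls-remote --tags https://github.com/ossf/scorecard-action` (and likewise for the other two actions) and paste that SHA; the `# vX.Y.Z` comment is informational only and is never checked by GitHub Actions, so a wrong annotation is not caught at run time.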

sourcery-ai Bot commented May 27, 2026

Reviewer's Guide

Adds an OpenSSF Scorecard GitHub Actions workflow, surfaces its results via a README badge and SARIF uploads, and hardens SECURITY.md to use GitHub private vulnerability reporting instead of placeholder contact details.

Sequence diagram for OpenSSF Scorecard GitHub Actions workflow

sequenceDiagram
  actor Developer
  participant GitHub
  participant ActionsRunner
  participant actions_checkout
  participant scorecard_action
  participant OpenSSF_API
  participant codeql_upload_sarif
  participant Code_Scanning

  Developer->>GitHub: push main / schedule / branch_protection_rule
  GitHub-->>ActionsRunner: start workflow scorecard.yml
  ActionsRunner->>actions_checkout: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
  actions_checkout-->>ActionsRunner: repository contents
  ActionsRunner->>scorecard_action: ossf/scorecard-action@99c09fe975337306107572b4fdf4db224cf8e2f2
  scorecard_action-->>OpenSSF_API: publish_results true
  scorecard_action-->>ActionsRunner: results.sarif
  ActionsRunner->>codeql_upload_sarif: github/codeql-action/upload-sarif@03e4368ac7daa2bd82b3e85262f3bf87ee112f57
  codeql_upload_sarif-->>Code_Scanning: upload results.sarif category scorecard

File-Level Changes

1. Introduce OpenSSF Scorecard GitHub Actions workflow and wire it to code scanning (file: .github/workflows/scorecard.yml)
  • Add a scheduled and on-push Scorecard workflow that also triggers on branch protection rule changes.
  • Use pinned SHAs for actions/checkout, ossf/scorecard-action, and github/codeql-action/upload-sarif.
  • Configure the workflow to run Scorecard with SARIF output, publish results to OpenSSF, and upload SARIF to GitHub code scanning with a dedicated category.

2. Update security policy to rely on GitHub private vulnerability reporting instead of email/PGP placeholders (file: SECURITY.md)
  • Replace direct security email contact with explicit instructions and link to GitHub's private vulnerability reporting URL.
  • Remove placeholder security contact email and PGP key fields.
  • Standardize references to GitHub Security Advisories on the concrete advisories/new URL.

3. Expose OpenSSF Scorecard status via README badge (file: README.md)
  • Add an OpenSSF Scorecard badge that points to the project's page on securityscorecards.dev.
  • Place the badge alongside existing CI and coverage badges at the top of the README.


@sourcery-ai sourcery-ai Bot left a comment


Hey - I've left some high-level feedback:

  • Consider replacing the top-level permissions: read-all with the minimal permissions actually required (and inheriting job-level overrides as needed) to further tighten the workflow’s security posture.
  • In SECURITY.md, you might use a repository-relative link (./security/advisories/new) instead of a fully qualified URL so the advisory link continues to work if the repo is renamed or forked.


codecov Bot commented May 27, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.


Copilot AI left a comment


Pull request overview

This PR improves the repository’s supply-chain/security posture by adding a dedicated OpenSSF Scorecard workflow (with publishing + SARIF upload) and by updating public security reporting guidance and documentation to point to GitHub’s private vulnerability reporting flow.

Changes:

  • Add a new GitHub Actions workflow to run OpenSSF Scorecard on schedule, on pushes to main, and on branch_protection_rule events, publishing results and uploading SARIF.
  • Update SECURITY.md to remove placeholder email/PGP fields and direct reporters to GitHub Security Advisories.
  • Add an OpenSSF Scorecard badge to README.md.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 5 comments.

  • .github/workflows/scorecard.yml: Adds a dedicated Scorecard workflow intended to publish results and upload SARIF to Code Scanning.
  • SECURITY.md: Replaces placeholder contact info with a direct link to GitHub private vulnerability reporting.
  • README.md: Adds an OpenSSF Scorecard badge to surface the project's Scorecard status.


Comment on lines +4 to +8
branch_protection_rule:
schedule:
- cron: '20 14 * * 1'
push:
branches: ["main"]
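Review bot: the `on:` block has no manual trigger, so the test-plan item "Scorecard workflow runs successfully after merge" can only be exercised by waiting for the next push to `main` or for the Monday 14:20 UTC cron; adding `workflow_dispatch:` alongside `branch_protection_rule`, `schedule` and `push` lets the first run be started and inspected immediately after merge. The three triggers shown are the ones the Scorecard action expects (ruleset changes re-run the Branch-Protection check, the weekly run keeps the badge current, and the push trigger scores the default branch), but note that GitHub disables scheduled workflows after 60 days without repository activity, so the badge can go stale silently on a quiet repository.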
Comment on lines +27 to +33
- name: Run analysis
uses: ossf/scorecard-action@99c09fe975337306107572b4fdf4db224cf8e2f2 # v2.4.3
with:
results_file: results.sarif
results_format: sarif
publish_results: true

publish_results: true

- name: Upload to code-scanning
uses: github/codeql-action/upload-sarif@03e4368ac7daa2bd82b3e85262f3bf87ee112f57 # v3
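Review bot: `publish_results: true` requires the job to grant `id-token: write` (the action authenticates to the OpenSSF API with the workflow's OIDC token), and that grant is not visible in this hunk; the workflow-level `permissions: read-all` raised in the Sourcery comment does not include it, so confirm the job carries a `permissions:` block with `id-token: write`, otherwise publishing fails and the README badge never resolves. Separately, the `# v2.4.3` annotation after the pinned SHA is a plain comment that Actions does not verify, and the Codex review on this PR disputes that the SHA corresponds to that release; check it with `git ls-remote --tags https://github.com/ossf/scorecard-action` before merging rather than trusting the comment.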
Comment on lines +34 to +38
- name: Upload to code-scanning
uses: github/codeql-action/upload-sarif@03e4368ac7daa2bd82b3e85262f3bf87ee112f57 # v3
with:
sarif_file: results.sarif
category: scorecard
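Review bot: `upload-sarif` needs `security-events: write` on the job (plus `actions: read` if the repository is ever made private), and this hunk shows the step but not the grant, so verify the job-level `permissions:` block carries it next to the `id-token: write` the publish step needs. Setting `category: scorecard` is the right call: Code Scanning keys uploads by category, so a Scorecard upload and a CodeQL upload for the same commit do not overwrite each other.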
Comment on lines +22 to +26
- name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false
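Review bot: `persist-credentials: false` is correct here, since nothing later in the job needs to push and it keeps `GITHUB_TOKEN` out of the checked-out repository's git config where any subsequent step or third-party action could read it; the only change to suggest is the `# v6` annotation, which names a major tag rather than the exact release the SHA was taken from, so write the full `vX.Y.Z` version there to let a reader verify the pin against the release tag.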

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 75003ef617


persist-credentials: false

- name: Run analysis
uses: ossf/scorecard-action@99c09fe975337306107572b4fdf4db224cf8e2f2 # v2.4.3

P2: Use the actual Scorecard v2.4.3 ref

This pinned SHA is not the ossf/scorecard-action v2.4.3 release ref; the upstream v2.4.3 release points at 4eaacf0543bb3f2c246792bd56e8cdeffafb205a, while 99c09fe975337306107572b4fdf4db224cf8e2f2 does not resolve as that action release. With this uses value, GitHub Actions will fail while downloading the action, so the new workflow will never produce SARIF or publish badge results. Pin this step to a valid Scorecard action commit or tag.


@docdyhr docdyhr merged commit c650d0f into main May 27, 2026
20 checks passed