fix(security): add OpenSSF Scorecard workflow and harden SECURITY.md

.github/workflows/scorecard.yml

@@ -0,0 +1,38 @@
+name: Scorecard supply-chain security
+
+on:
+  branch_protection_rule:
+  schedule:
+    - cron: '20 14 * * 1'
+  push:
+    branches: ["main"]
+
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      id-token: write
+      contents: read
+      actions: read
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
+
+      - name: Run analysis
+        uses: ossf/scorecard-action@99c09fe975337306107572b4fdf4db224cf8e2f2 # v2.4.3
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          publish_results: true
+
+      - name: Upload to code-scanning
+        uses: github/codeql-action/upload-sarif@03e4368ac7daa2bd82b3e85262f3bf87ee112f57 # v3
+        with:
+          sarif_file: results.sarif
+          category: scorecard

README.md

@@ -16,6 +16,7 @@ Symbol indexes, token-estimated context, semantic chunks — structured output t
 [![Security](https://github.com/docdyhr/batless/actions/workflows/security.yml/badge.svg?branch=main)](https://github.com/docdyhr/batless/actions/workflows/security.yml)
 [![Fuzz Testing](https://github.com/docdyhr/batless/actions/workflows/fuzz.yml/badge.svg?branch=main)](https://github.com/docdyhr/batless/actions/workflows/fuzz.yml)
 [![Codecov](https://codecov.io/gh/docdyhr/batless/branch/main/graph/badge.svg?logo=codecov&logoColor=white)](https://codecov.io/gh/docdyhr/batless)
+[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/docdyhr/batless/badge)](https://securityscorecards.dev/viewer/?uri=github.com/docdyhr/batless)
 
 [![Rust](https://img.shields.io/badge/Rust-100%25-orange?logo=rust&logoColor=white)](https://github.com/docdyhr/batless)
 [![Security Tests](https://img.shields.io/badge/security%20tests-passing-brightgreen?logo=shield&logoColor=white)](https://github.com/docdyhr/batless)

SECURITY.md

@@ -15,7 +15,7 @@ We take security vulnerabilities seriously. If you discover a security issue in
 ### Reporting Process
 
 1. **Do NOT create a public issue** for security vulnerabilities
-2. Email security concerns to: [security@batless.dev] (or create a private security advisory on GitHub)
+2. **Use GitHub's private vulnerability reporting**: https://github.com/docdyhr/batless/security/advisories/new
 3. Include the following information:
    - Description of the vulnerability
    - Steps to reproduce the issue
@@ -91,9 +91,7 @@ We recognize security researchers who help improve batless security:
 
 ### Contact Information
 
-- **Security Email**: [INSERT EMAIL]
-- **PGP Key**: [INSERT PGP KEY ID if available]
-- **GitHub Security Advisories**: Use GitHub's private vulnerability reporting feature
+- **GitHub Security Advisories**: https://github.com/docdyhr/batless/security/advisories/new
 
 ### Legal