
feat: add Secret Scanning policy#841

Open

bmendonca3 wants to merge 1 commit into ossf:main from bmendonca3:feat-secret-scanning-policy

Conversation

@bmendonca3 bmendonca3 commented May 28, 2026


Summary

Adds a Secret Scanning policy for Allstar.

This policy:

  • uses secret_scanning.yaml for org/repo configuration
  • checks whether GitHub reports repository secret scanning as enabled
  • reports a violation only when the setting is explicitly disabled
  • treats missing or unavailable security_and_analysis data as unavailable, not as disabled
  • supports the fix action by enabling secret scanning when GitHub reports it as disabled
  • documents the policy in the README

This intentionally leaves push protection out of scope for the first pass.

Fixes #363

Testing

  • PATH=/tmp/go/bin:$PATH go test ./pkg/policies/secretscanning
  • PATH=/tmp/go/bin:$PATH go test ./pkg/policies/...
  • PATH=/tmp/go/bin:$PATH go test ./...
  • PATH=/tmp/go/bin:$PATH go build ./...
  • PATH=/tmp/go/bin:$PATH go vet ./...
  • PATH=/tmp/go/bin:$PATH /tmp/go-tools/golangci-lint run --timeout 5m --verbose

Live validation

Validated the policy-specific Check/Fix/Check path against a disposable repository:
https://github.com/bmendonca3/allstar-secret-scanning-validation-20260528152234

Using an authenticated GitHub client against this branch, the policy:

  • observed GitHub API secret_scanning.status=disabled
  • returned Check result enabled=true pass=false
  • applied Fix
  • observed GitHub API secret_scanning.status=enabled
  • returned follow-up Check result enabled=true pass=true

This validates the live GitHub API Check/Fix/Check path for this policy. It does not claim full end-to-end GitHub App installation or issue-creation coverage, which remains outside this validation pass.

Signed-off-by: bmendonca3 <208517100+bmendonca3@users.noreply.github.com>
@bmendonca3 bmendonca3 marked this pull request as ready for review May 28, 2026 22:27
@bmendonca3 bmendonca3 requested a review from a team as a code owner May 28, 2026 22:27
@dosubot dosubot Bot added the size:L This PR changes 100-499 lines, ignoring generated files. label May 28, 2026
@justaugustus

Member

@bmendonca3 — While we appreciate contributions, we are sensitive to the submission of AI-assisted / AI-autonomous contributions, as they can overload maintainers. I mention this because I see 7 submissions from you across the project today alone and I can see mentions of OpenClaw on your GitHub profile.

Scorecard / Allstar currently does not have a project-specific policy, but I would strongly suggest a [human] read of the forthcoming OpenSSF AI contribution policy to understand the concerns that maintainers across the foundation have around interacting with AI submissions.

Once a human has acknowledged this note, we will consider review.

@bmendonca3

Author

Thanks Stephen, I understand.

I read through the policy draft and get where you're coming from.

I do own the changes though. I reviewed them, ran the tests, and can explain the reasoning / tradeoffs if needed.

I'll hold off on opening more Scorecard / Allstar PRs for now.

github-actions Bot commented Jun 9, 2026


This pull request has been marked stale because it has been open for 10 days with no activity.

@github-actions github-actions Bot added the Stale label Jun 9, 2026

Development

Successfully merging this pull request may close these issues.

Monitor/enable GitHub's secret detection feature