Add Security CI workflow and comprehensive documentation

- Enhanced security-ci.yml with improved formatting and artifact handling
- Added OSV-Scanner JSON output and artifact upload
- Added if: always() to SARIF upload for reliability
- Created docs/security-ci-review.md with integration guidance
- Updated README.md to document Security CI workflow
- Documented parallel execution pattern (recommended approach)
- Updated security features table with CI scanning capabilities
- Fixed markdown linting issues (line length, indentation, code blocks)
- All pre-commit checks passing

Author: christopherpaquin

.github/workflows/security-ci.yml

@@ -0,0 +1,70 @@
+name: Security CI
+
+on:
+  pull_request:
+  push:
+    branches: ["main"]
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  security-events: write # Required for SARIF uploads to GitHub Security
+
+jobs:
+  gitleaks:
+    name: Secret scan (Gitleaks)
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0 # Scan full git history for secrets
+
+      - name: Run Gitleaks
+        uses: gitleaks/gitleaks-action@v2
+        # By default, fails the job when leaks are found
+        # This complements detect-secrets.sh in pre-commit
+
+  semgrep:
+    name: SAST (Semgrep CE)
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Run Semgrep
+        uses: returntocorp/semgrep-action@v1
+        with:
+          config: >-
+            p/security-audit
+            p/owasp-top-ten
+          generateSarif: "1"
+
+      - name: Upload SARIF to GitHub Security
+        uses: github/codeql-action/upload-sarif@v3
+        if: always() # Upload even if Semgrep finds issues
+        with:
+          sarif_file: semgrep.sarif
+
+  osv-scanner:
+    name: Dependency vulns (OSV-Scanner)
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: OSV-Scanner
+        uses: google/osv-scanner-action@v2
+        with:
+          scan-args: |-
+            -r .
+            --format json
+            --output osv-results.json
+
+      - name: Upload OSV results
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: osv-scan-results
+          path: osv-results.json
+          retention-days: 7

README.md

@@ -573,8 +573,14 @@ If secrets are detected, the commit will be blocked. Use example placeholders li
 
 ### CI/CD Configuration
 
-CI workflows are defined in `.github/workflows/ci.yaml`. The workflow consists
-of two jobs that run sequentially:
+This framework includes **two complementary CI workflows** that run in parallel:
+
+1. **`ci.yaml`**: Code quality and testing (pre-commit checks, unit tests)
+2. **`security-ci.yml`**: Security scanning (secret detection, SAST, dependency scanning)
+
+#### Main CI Workflow (`ci.yaml`)
+
+The main CI workflow consists of two jobs that run sequentially:
 
 **Job 1: Pre-commit Checks** (runs first):
 
@@ -601,6 +607,42 @@ of two jobs that run sequentially:
 - ⚡ **Efficient**: Tests only run if pre-commit passes
 - 🔄 **Consistent**: Same checks run locally and in CI
 
+#### Security CI Workflow (`security-ci.yml`)
+
+The security CI workflow runs **in parallel** with the main CI workflow and
+provides comprehensive security scanning:
+
+**Job 1: Gitleaks Secret Scanning**:
+
+- ✅ Scans full git history for secrets and credentials
+- ✅ Complements pre-commit `detect-secrets.sh` (defense in depth)
+- ✅ Catches secrets that may have slipped through pre-commit
+- ✅ Fails the workflow if secrets are detected
+
+**Job 2: Semgrep SAST**:
+
+- ✅ Static Application Security Testing (SAST)
+- ✅ Security audit rules (`p/security-audit`)
+- ✅ OWASP Top 10 vulnerability detection (`p/owasp-top-ten`)
+- ✅ Uploads results to GitHub Security tab (SARIF format)
+
+**Job 3: OSV-Scanner Dependency Scanning**:
+
+- ✅ Scans dependencies for known vulnerabilities
+- ✅ Uses Open Source Vulnerabilities (OSV) database
+- ✅ Generates JSON report with findings
+- ✅ Uploads results as workflow artifact
+
+**Key Features**:
+
+- 🔒 **Defense in Depth**: Multiple layers of security scanning
+- 📊 **GitHub Integration**: SARIF results appear in Security tab
+- ⚡ **Parallel Execution**: Runs simultaneously with main CI (faster)
+- 🔍 **Comprehensive**: Covers secrets, code vulnerabilities, and dependencies
+
+**Note**: Both workflows must pass for PRs to be mergeable. See
+`docs/security-ci-review.md` for detailed integration guidance.
+
 ### Markdown Configuration
 
 Markdown linting rules are configured in `.pymarkdown.json`:
@@ -653,10 +695,13 @@ This framework is designed with security as the highest priority:
 | Security Feature | Status | Description |
 |-----------------|--------|-------------|
 | 🔐 Secrets Protection | ✅ Active | Comprehensive `.gitignore` prevents accidental secret commits |
-| 🔍 Automated Detection | ✅ Active | Pre-commit hooks detect secrets via detect-secrets.sh |
+| 🔍 Pre-commit Detection | ✅ Active | Pre-commit hooks detect secrets via `detect-secrets.sh` |
+| 🔒 CI Secret Scanning | ✅ Active | Gitleaks scans full git history in CI (defense in depth) |
+| 🛡️ SAST Scanning | ✅ Active | Semgrep performs static security analysis (OWASP, security audit) |
+| 📦 Dependency Scanning | ✅ Active | OSV-Scanner checks dependencies for known vulnerabilities |
 | 🛡️ Least Privilege | ✅ Active | All scripts should use least privilege principles |
 | ✅ Input Validation | ✅ Active | All inputs should be treated as untrusted |
-| 📋 Audit Trail | ✅ Active | Pre-commit logs provide an audit trail of quality checks |
+| 📋 Audit Trail | ✅ Active | Pre-commit logs and CI artifacts provide audit trails |
 
 ### Security Best Practices
 

docs/security-ci-review.md

@@ -0,0 +1,204 @@
+# Security CI Workflow Review and Integration Guide
+
+## 📋 Review Summary
+
+Your `security-ci.yml` workflow is **well-structured** and adds valuable security scanning
+capabilities. This document provides feedback, improvements, and integration recommendations.
+
+---
+
+## ✅ What's Good
+
+1. **Comprehensive Coverage**: Three complementary security tools:
+   - **Gitleaks**: Secret scanning (complements `detect-secrets.sh`)
+   - **Semgrep**: SAST with security audit and OWASP Top 10 rules
+   - **OSV-Scanner**: Dependency vulnerability scanning
+
+2. **Proper Permissions**: `security-events: write` enables SARIF uploads to GitHub Security tab
+
+3. **Appropriate Triggers**: Runs on PRs, pushes to main, and manual dispatch
+
+4. **Git History Scanning**: `fetch-depth: 0` allows Gitleaks to scan full history
+
+---
+
+## 🔧 Improvements Made
+
+### 1. **Consistent Naming and Formatting**
+
+- Changed workflow name to "Security CI" (matches "CI" naming pattern)
+- Added consistent step names ("Checkout" instead of just using action)
+- Improved YAML formatting consistency
+
+### 2. **OSV-Scanner Enhancements**
+
+- Added JSON output format for better artifact handling
+- Added artifact upload for scan results (7-day retention)
+- Changed job name from `osv` to `osv-scanner` for clarity
+
+### 3. **SARIF Upload Reliability**
+
+- Added `if: always()` to SARIF upload to ensure results are uploaded even if Semgrep finds issues
+
+---
+
+## 🔄 Integration Options
+
+You have **three integration approaches**:
+
+### Option 1: Parallel Execution (Recommended) ⭐
+
+**Keep workflows separate** - they run in parallel automatically.
+
+**Pros**:
+- ✅ Security checks don't block code quality checks
+- ✅ Faster overall CI time (parallel execution)
+- ✅ Clear separation of concerns
+- ✅ Easy to disable security checks independently if needed
+- ✅ Matches GitHub's recommended pattern
+
+**Cons**:
+- ⚠️ Two separate workflow statuses in PR checks
+
+**Implementation**: No changes needed - workflows already run in parallel!
+
+**Status Checks**: PRs will show:
+- ✅ CI (pre-commit + tests)
+- ✅ Security CI (gitleaks + semgrep + osv-scanner)
+
+---
+
+### Option 2: Sequential Integration
+
+Make security checks a **dependency** of the main CI workflow.
+
+**Pros**:
+- ✅ Single workflow status in PR
+- ✅ Security checks run before tests (fail fast)
+
+**Cons**:
+- ⚠️ Slower overall CI time (sequential execution)
+- ⚠️ Security failures block tests
+- ⚠️ More complex workflow structure
+
+**Implementation**: Modify `ci.yaml`:
+
+```yaml
+jobs:
+  security-checks:
+    name: Security Checks
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      # ... (copy security jobs here or use workflow_call)
+
+  pre-commit:
+    name: Pre-commit Checks
+    runs-on: ubuntu-latest
+    needs: [security-checks]  # Add dependency
+    # ... rest of job
+```
+
+---
+
+### Option 3: Unified Workflow
+
+Merge both workflows into a single `ci.yaml` file.
+
+**Pros**:
+- ✅ Single workflow file to maintain
+- ✅ Single status check in PR
+
+**Cons**:
+- ⚠️ Larger, more complex workflow file
+- ⚠️ Less modular
+- ⚠️ Harder to run security checks independently
+
+**Implementation**: Copy all security jobs into `ci.yaml` and remove `security-ci.yml`.
+
+---
+
+## 🎯 Recommendation: Option 1 (Parallel Execution)
+
+**Why**:
+1. **Best Practice**: GitHub recommends separate workflows for different concerns
+2. **Performance**: Parallel execution is faster
+3. **Flexibility**: Can run security checks independently via `workflow_dispatch`
+4. **Clarity**: Clear separation between code quality and security
+5. **No Changes Needed**: Your current setup already works this way!
+
+---
+
+## 🔍 How It Works Together
+
+### Current Setup (Parallel Execution)
+
+```text
+Pull Request / Push
+    │
+    ├─→ CI Workflow (ci.yaml)
+    │   ├─→ pre-commit job
+    │   └─→ tests job (depends on pre-commit)
+    │
+    └─→ Security CI Workflow (security-ci.yml)
+        ├─→ gitleaks job
+        ├─→ semgrep job
+        └─→ osv-scanner job
+```
+
+**Both workflows run simultaneously**, and the PR requires both to pass.
+
+### Secret Detection Overlap
+
+You have **two layers** of secret detection:
+
+1. **Pre-commit (`detect-secrets.sh`)**: Fast, local, prevents secrets from being committed
+2. **CI (Gitleaks)**: Comprehensive, scans full git history, catches anything that slipped through
+
+**This is intentional and recommended** - defense in depth!
+
+---
+
+## 📊 Workflow Comparison
+
+| Aspect | Current Setup (Parallel) | Sequential | Unified |
+|--------|-------------------------|------------|---------|
+| **CI Time** | ⚡ Fastest (parallel) | 🐌 Slower (sequential) | 🐌 Slower (sequential) |
+| **Status Checks** | 2 separate | 1 combined | 1 combined |
+| **Maintainability** | ✅ High | ⚠️ Medium | ⚠️ Lower |
+| **Flexibility** | ✅ High | ⚠️ Medium | ⚠️ Lower |
+| **Best Practice** | ✅ Yes | ⚠️ Acceptable | ⚠️ Less ideal |
+
+---
+
+## 🚀 Next Steps
+
+1. **Keep the workflows separate** (Option 1) - no changes needed!
+2. **Test the workflow** by creating a test PR
+3. **Monitor results** in the GitHub Security tab (Semgrep SARIF uploads)
+4. **Review OSV-Scanner results** in workflow artifacts
+
+---
+
+## 📝 Documentation Updates Needed
+
+Consider updating:
+
+1. **README.md**: Add a section about the Security CI workflow
+2. **CONTEXT.md**: Document that security scanning runs in CI (complements pre-commit)
+3. **ci-and-precommit.md**: Mention the security CI workflow
+
+---
+
+## 🔒 Security Posture
+
+With this workflow, you now have:
+
+| Layer | Tool | Purpose |
+|-------|------|---------|
+| **Pre-commit** | `detect-secrets.sh` | Fast local secret detection |
+| **CI - Secrets** | Gitleaks | Comprehensive secret scanning (full history) |
+| **CI - SAST** | Semgrep | Static code analysis (security audit, OWASP) |
+| **CI - Dependencies** | OSV-Scanner | Dependency vulnerability scanning |
+
+**This is a robust, defense-in-depth security approach!** 🛡️