fix(si): add govulncheck, gitleaks, and gosec CI workflows

[theautoroboto]

FedRAMP Remediation — SI-02 / RA-05 / IA-05(7) / SA-11: Vulnerability Scanning and Secret Detection

Jira: ROSAENG-367, ROSAENG-368, ROSAENG-369, ROSAENG-371
Epic: ROSAENG-287

Finding

No automated vulnerability scanning, secret detection, or static analysis workflows exist in CI. This fails SI-02 (flaw remediation), RA-05 (vulnerability scanning), IA-05(7) (authenticator management), and SA-11 (developer security testing).

Change

Added .github/workflows/fedramp-security-scan.yml with three jobs:

• govulncheck — Go vulnerability scanning (SI-02, RA-05)
• secret-scan via gitleaks-action@v2 — secret/credential detection (IA-05(7))
• gosec with SARIF upload — static security analysis (SA-11(1))

Added .github/dependabot.yml — weekly automated dependency PRs for gomod and github-actions (RA-05).

Runs on push and PR to main.

References

• NIST SI-02: https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SI-2
• NIST RA-05: https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=RA-5
• FedRAMP Moderate baseline

🤖 Generated by fedramp-compliance agent on 2026-04-22

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[coderabbitai]

Important

Review skipped

Auto reviews are limited based on label configuration.

🚫 Review skipped — only excluded labels are configured. (1)

• do-not-merge/work-in-progress

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 9666a8de-47fb-42ee-87cd-ba080d03db5c

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fedramp/SI-02-govulncheck-ci-2026-04-22

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: theautoroboto

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

PR needs rebase.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.