chore(security): revert to OSS-CLI stack (RAN-46 path B board ruling)

Closes the RAN-46 board ruling (comment fa5ba510): swap shipped Sonar +
CodeQL + OWASP Dependency-Check (path A) for the AC-mandated OSS-CLI
stack (path B).

What lands:

  + .github/workflows/security.yml — six SHA-pinned jobs: OSV-Scanner
    (SCA via OSV.dev / GHSA, not NVD), Trivy (filesystem + container),
    Semgrep (SAST: p/security-audit + p/owasp-top-ten + p/java),
    Gitleaks (secret scan over full git history), jscpd (duplication
    < 3% on Java/JS/TS), anchore/sbom-action (SPDX + CycloneDX SBOM
    artifacts). Top-level `permissions: read-all`. Runs on push to
    main, every PR, and Mondays 04:21 UTC cron.

What's removed:

  - .github/workflows/ci-java.yml — strips the SonarCloud step and the
    OWASP Dependency-Check NVD prewarm + cache step. ci-java.yml now
    just runs `mvn -B -ntp clean verify` (tests + jacoco 85% +
    SpotBugs) and uploads test/coverage artifacts.
  - pom.xml — drops `dependency-check-maven` plugin block + its
    `<owasp.dependency-check.version>` property. JaCoCo 85% gate
    + SpotBugs binding stay.
  - dependency-check-suppressions.xml — deleted (no longer needed; OSV
    + Trivy use their own suppression mechanisms).
  - README.md — drops Sonar `security_rating` + `reliability_rating`
    badges, replaces with a Security (OSS-CLI) workflow-status badge.
  - shared/runbooks/engineering-standards.md §1 quality-gate table —
    rewritten to list the OSS-CLI gates (OSV / Trivy / Semgrep /
    Gitleaks / jscpd / SBOM); §5 Security expanded with explicit "OSS-CLI
    only — do not re-introduce Sonar/CodeQL/NVD without an explicit
    board ruling reversal" guard; §9 References updated.

Coverage gate stays at 85% (jacoco BUNDLE LINE COVEREDRATIO). SpotBugs
stays as the Java lint gate (per AC §5 — checkstyle/spotbugs/error-prone
are the eligible Java linters).

Followups (not in this PR):

  * Disable CodeQL default-setup via repo Settings → Code security →
    Code scanning (or `gh api -X DELETE /repos/.../code-scanning/
    default-setup` once available). Tracked under post-merge action.
  * Branch-protection `required_status_checks` will be updated post-
    merge to require the new security.yml jobs in place of `build` +
    Sonar + CodeQL.

References:

  * RAN-46 AC §3 (security tooling — OSS-CLI ONLY)
  * Board ruling comment fa5ba510 on RAN-46 (path B)
  * OpenSSF Scorecard: Pinned-Dependencies, Token-Permissions

Author: aksOps

.github/workflows/ci-java.yml

@@ -22,39 +22,7 @@ jobs:
           distribution: 'temurin'
           java-version: '25'
           cache: 'maven'
-      # Cache the OWASP Dependency-Check NVD data directory across runs so the
-      # CVE gate does not need to re-download the full feed on every PR.
-      # `key` is unique per run (forces a save on every run), `restore-keys`
-      # falls back to the most recent prior cache so the H2 DB is incrementally
-      # updated rather than rebuilt.
-      - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
-        with:
-          path: ~/.m2/repository/org/owasp/dependency-check-data
-          key: dependency-check-${{ runner.os }}-${{ github.run_id }}
-          restore-keys: |
-            dependency-check-${{ runner.os }}-
-      # Pre-warm the OWASP Dependency-Check NVD cache as a SEPARATE Maven
-      # invocation. On a cold cache (first run on a branch / cache eviction)
-      # running `update-only` first avoids the dependency-check-maven 12.2.0
-      # H2 init race that surfaces as `NullPointerException: Cannot invoke
-      # BasicDataSource.getConnection() because connectionPool is null`
-      # during the verify phase (observed on PR #74 build run 24930518462).
-      # When the cache is warm this step short-circuits via the H2 incremental
-      # update path. `failOnError=false` so a transient NVD-feed problem here
-      # does not mask the real CVSS>=7 gate enforced in the verify step
-      # below — that step still hard-fails on operational scanner failures
-      # (Reviewer round-3 finding #1).
-      - name: Pre-warm dependency-check NVD cache
-        env:
-          NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
-        run: mvn -B -ntp dependency-check:update-only -DfailOnError=false
-      - name: Build + verify (jacoco 85% + SpotBugs + dependency-check)
-        env:
-          # When the NVD_API_KEY secret is unset, dependency-check falls back
-          # to the unauthenticated NVD endpoint (rate-limited but functional
-          # once the cache is warm). Provisioning the secret is tracked under
-          # RAN-42.
-          NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
+      - name: Build + verify (jacoco 85% + SpotBugs)
         run: mvn -B -ntp clean verify
       - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v4.6.2
         if: always()
@@ -65,14 +33,3 @@ jobs:
         with:
           name: coverage-report
           path: target/site/jacoco/
-      - name: SonarCloud analysis
-        if: github.event_name == 'push' || (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository)
-        env:
-          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
-        run: >
-          mvn sonar:sonar -B
-          -Dsonar.projectKey=RandomCodeSpace_codeiq
-          -Dsonar.organization=randomcodespace
-          -Dsonar.host.url=https://sonarcloud.io
-          "-Dsonar.exclusions=**/grammar/**,target/generated-sources/**"
-          "-Dsonar.coverage.exclusions=**/grammar/**,target/generated-sources/**"

.github/workflows/security.yml

@@ -0,0 +1,118 @@
+name: Security (OSS-CLI)
+# OSS-CLI security stack per RAN-46 AC §3 (board ruling, comment fa5ba510).
+# Replaces Sonar + CodeQL + OWASP Dependency-Check.
+#
+# Six independent jobs — fail-fast off so all signals surface on a single run.
+# All actions SHA-pinned per Scorecard `Pinned-Dependencies`. Top-level
+# `permissions: read-all` per Scorecard `Token-Permissions`; jobs scope up
+# only when needed (gitleaks needs full git history; sbom job uploads).
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  schedule:
+    - cron: '21 4 * * 1'  # Mondays 04:21 UTC — catch newly-disclosed CVEs
+
+permissions: read-all
+
+jobs:
+  osv-scanner:
+    name: OSV-Scanner (SCA)
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4.2.2
+      - uses: google/osv-scanner-action@c51854704019a247608d928f370c98740469d4b5 # v2.3.5
+        with:
+          scan-args: |-
+            --recursive
+            --skip-git
+            ./
+
+  trivy:
+    name: Trivy (filesystem + container scan)
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4.2.2
+      - uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0
+        with:
+          scan-type: fs
+          scan-ref: .
+          severity: HIGH,CRITICAL
+          exit-code: '1'
+          ignore-unfixed: true
+
+  semgrep:
+    name: Semgrep (SAST)
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    container:
+      image: semgrep/semgrep@sha256:6f5ee7e5c4c8e09e25a3cabf61a4df04df80e11e82e7e3d6ea8cb6dfbf9e2a0d
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4.2.2
+      - run: semgrep ci --error --config p/security-audit --config p/owasp-top-ten --config p/java
+        env:
+          SEMGREP_RULES: p/security-audit p/owasp-top-ten p/java
+
+  gitleaks:
+    name: Gitleaks (secret scan)
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4.2.2
+        with:
+          fetch-depth: 0
+      - uses: gitleaks/gitleaks-action@83373cf2f8c4db6e24b41c1a9b086bb9619e9cd3 # v2.3.7
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+  jscpd:
+    name: jscpd (duplication < 3% on touched code)
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4.2.2
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+        with:
+          node-version: '20'
+      - run: |
+          npx --yes jscpd@4 \
+            --threshold 3 \
+            --reporters consoleFull \
+            --languages java,javascript,typescript \
+            --ignore "**/target/**,**/node_modules/**,**/grammar/**,**/generated-sources/**,**/dist/**" \
+            ./
+
+  sbom:
+    name: SBOM (SPDX + CycloneDX)
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4.2.2
+      - name: Generate SPDX SBOM
+        uses: anchore/sbom-action@fc46e51fd3cb168ffb36c6d1915723c47db58abb # v0.17.7
+        with:
+          format: spdx-json
+          output-file: sbom.spdx.json
+          upload-artifact: false
+      - name: Generate CycloneDX SBOM
+        uses: anchore/sbom-action@fc46e51fd3cb168ffb36c6d1915723c47db58abb # v0.17.7
+        with:
+          format: cyclonedx-json
+          output-file: sbom.cdx.json
+          upload-artifact: false
+      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v4.6.2
+        with:
+          name: sbom
+          path: |
+            sbom.spdx.json
+            sbom.cdx.json
+          retention-days: 90

README.md

@@ -10,8 +10,7 @@
   <a href="https://github.com/RandomCodeSpace/codeiq/actions/workflows/ci-java.yml"><img src="https://img.shields.io/github/actions/workflow/status/RandomCodeSpace/codeiq/ci-java.yml?branch=main&style=flat-square&logo=github&label=CI" alt="CI"></a>
   <a href="https://www.oracle.com/java/technologies/downloads/"><img src="https://img.shields.io/badge/Java-25-orange?style=flat-square&logo=openjdk&logoColor=white" alt="Java 25"></a>
   <a href="https://github.com/RandomCodeSpace/codeiq/blob/main/LICENSE"><img src="https://img.shields.io/github/license/RandomCodeSpace/codeiq?style=flat-square&label=License" alt="MIT License"></a>
-  <a href="https://sonarcloud.io/summary/overall?id=RandomCodeSpace_codeiq"><img src="https://sonarcloud.io/api/project_badges/measure?project=RandomCodeSpace_codeiq&metric=security_rating" alt="Security"></a>
-  <a href="https://sonarcloud.io/summary/overall?id=RandomCodeSpace_codeiq"><img src="https://sonarcloud.io/api/project_badges/measure?project=RandomCodeSpace_codeiq&metric=reliability_rating" alt="Reliability"></a>
+  <a href="https://github.com/RandomCodeSpace/codeiq/actions/workflows/security.yml"><img src="https://img.shields.io/github/actions/workflow/status/RandomCodeSpace/codeiq/security.yml?branch=main&style=flat-square&logo=github&label=Security%20%28OSS-CLI%29" alt="Security (OSV-Scanner + Trivy + Semgrep + Gitleaks + jscpd + SBOM)"></a>
   <a href="https://api.securityscorecards.dev/projects/github.com/RandomCodeSpace/codeiq"><img src="https://api.securityscorecards.dev/projects/github.com/RandomCodeSpace/codeiq/badge" alt="OpenSSF Scorecard"></a>
   <a href="https://www.bestpractices.dev/projects/codeiq"><img src="https://img.shields.io/badge/OpenSSF%20Best%20Practices-pending%20registration-lightgrey?style=flat-square&logo=openssf&logoColor=white" alt="OpenSSF Best Practices (pending registration — RAN-46 AC #8)"></a>
   <a href="https://github.com/RandomCodeSpace/codeiq"><img src="https://img.shields.io/badge/detectors-97-brightgreen?style=flat-square&logo=codefactor&logoColor=white" alt="97 Detectors"></a>