fix(security): replace broken jobs in OSS-CLI security workflow

PR #91's first run surfaced four breakages in the new security.yml; this
commit fixes each in place so the (B) stack actually runs:

  - osv-scanner: google/osv-scanner-action's action.yml has no top-level
    `runs:` (it is meta-only). Replace the action with a `gh release
    download` of the official `osv-scanner_linux_amd64` v2.3.5 binary,
    then run `osv-scanner --recursive --skip-git ./`. Uses the
    preinstalled `gh` CLI so no curl/wget per CLAUDE.md.

  - semgrep: the pinned `semgrep/semgrep@sha256:...` digest does not
    exist in the registry, so `Initialize containers` fails before any
    code runs. Drop the container and install Semgrep via
    `actions/setup-python@v6.2.0` (SHA-pinned) + `pip install semgrep`,
    then `semgrep scan --error --severity ERROR --metrics off` against
    p/security-audit + p/owasp-top-ten + p/java.

  - gitleaks: gitleaks-action requires a paid license for orgs
    (RandomCodeSpace is an org → upstream blocks the run). The CLI
    itself is MIT-licensed and free. Replace the action with a
    `gh release download` of the v8.30.1 linux_x64 tarball and run
    `gitleaks detect --redact --no-banner --exit-code 1`.

  - jscpd: `--languages` is not a valid CLI option in jscpd@4. Use
    `--format "java,javascript,typescript"` (the documented flag).

Trivy + SBOM jobs already pass and are unchanged.

References:
  * RAN-46 board ruling comment fa5ba510 (path B)
  * PR #91 first-run failures: OSV/Semgrep/Gitleaks/jscpd
  * /home/dev/.claude/CLAUDE.md (no-curl, ctx fetch policy)

Co-Authored-By: Paperclip <noreply@paperclip.ing>

Author: aksOps

.github/workflows/security.yml

@@ -22,14 +22,24 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       contents: read
+    env:
+      OSV_SCANNER_VERSION: 2.3.5
+      GH_TOKEN: ${{ github.token }}
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4.2.2
-      - uses: google/osv-scanner-action@c51854704019a247608d928f370c98740469d4b5 # v2.3.5
-        with:
-          scan-args: |-
-            --recursive
-            --skip-git
-            ./
+      # Install osv-scanner from the official GitHub release (binary, not the
+      # action — google/osv-scanner-action's `action.yml` is composite-only and
+      # fails when invoked as a job step). Using the preinstalled `gh` CLI
+      # avoids any external `curl`/`wget` per /home/dev/.claude/CLAUDE.md.
+      - name: Install osv-scanner
+        run: |
+          gh release download "v${OSV_SCANNER_VERSION}" \
+            --repo google/osv-scanner \
+            --pattern 'osv-scanner_linux_amd64' \
+            --output osv-scanner
+          chmod +x osv-scanner
+      - name: Run osv-scanner (recursive, skip git history)
+        run: ./osv-scanner --recursive --skip-git ./
 
   trivy:
     name: Trivy (filesystem + container scan)
@@ -51,26 +61,49 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       contents: read
-    container:
-      image: semgrep/semgrep@sha256:6f5ee7e5c4c8e09e25a3cabf61a4df04df80e11e82e7e3d6ea8cb6dfbf9e2a0d
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4.2.2
-      - run: semgrep ci --error --config p/security-audit --config p/owasp-top-ten --config p/java
-        env:
-          SEMGREP_RULES: p/security-audit p/owasp-top-ten p/java
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        with:
+          python-version: '3.12'
+      - name: Install semgrep
+        run: python -m pip install --quiet --upgrade pip semgrep
+      - name: Run semgrep (security-audit + owasp-top-ten + java)
+        run: |
+          semgrep scan \
+            --error \
+            --config p/security-audit \
+            --config p/owasp-top-ten \
+            --config p/java \
+            --severity ERROR \
+            --metrics off
 
   gitleaks:
     name: Gitleaks (secret scan)
     runs-on: ubuntu-latest
     permissions:
       contents: read
+    env:
+      GITLEAKS_VERSION: 8.30.1
+      GH_TOKEN: ${{ github.token }}
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4.2.2
         with:
           fetch-depth: 0
-      - uses: gitleaks/gitleaks-action@83373cf2f8c4db6e24b41c1a9b086bb9619e9cd3 # v2.3.7
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      # The official `gitleaks/gitleaks-action` requires a paid license for
+      # GitHub organisations. The underlying gitleaks CLI is MIT-licensed and
+      # free; install it directly from the upstream release. Using the
+      # preinstalled `gh` CLI avoids any external `curl`/`wget`.
+      - name: Install gitleaks
+        run: |
+          gh release download "v${GITLEAKS_VERSION}" \
+            --repo gitleaks/gitleaks \
+            --pattern "gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz" \
+            --output gitleaks.tar.gz
+          tar -xzf gitleaks.tar.gz gitleaks
+          chmod +x gitleaks
+      - name: Run gitleaks (full git history)
+        run: ./gitleaks detect --source . --redact --no-banner --exit-code 1
 
   jscpd:
     name: jscpd (duplication < 3% on touched code)
@@ -86,7 +119,7 @@ jobs:
           npx --yes jscpd@4 \
             --threshold 3 \
             --reporters consoleFull \
-            --languages java,javascript,typescript \
+            --format "java,javascript,typescript" \
             --ignore "**/target/**,**/node_modules/**,**/grammar/**,**/generated-sources/**,**/dist/**" \
             ./