## Context Automate security scanning in CI. ## Acceptance criteria - [ ] CodeQL (Python) on PRs + main. - [ ] pip-audit + Dependabot config. - [ ] gitleaks secret scan on PRs. - [ ] Findings gate the build or are triaged.
Context
Automate security scanning in CI.
Acceptance criteria