From 9196fe0d8a8271f046b5cd0cd5957e8c4b3c83d8 Mon Sep 17 00:00:00 2001
From: Guillermo Lam
Date: Sun, 22 Feb 2026 19:49:30 +0100
Subject: [PATCH 1/2] feat: add supply chain security pipeline

- Add PR and release supply chain security workflows
- Add MegaLinter v9 configuration with profile-specific linters
- Add SECURITY.md vulnerability reporting policy
- Update CODEOWNERS with SRE ownership of CI/security files
- Update README.md with SonarCloud, Dependabot, and workflow badges
- Remove legacy supply-chain-pr/release-caller.yaml files

Implements reusable workflow callers from maisa-ci-cd that provide:
- SBOM generation (Syft, CycloneDX)
- Vulnerability scanning (Trivy, Grype, OSV)
- License compliance (ScanCode, Grant, ORT)
- Supply chain attestation (Cosign, in-toto)
- Security posture scoring (OpenSSF Scorecard)
- Policy enforcement (Conftest, Gatekeeper) [IaC repos]
- Static analysis (MegaLinter + SonarCloud)
- Dependency graph enrichment (GUAC, Trustify)

Co-Authored-By: Claude Opus 4.6
---
 .github/CODEOWNERS | 16 ++++++++++
 .../workflows/pr-supply-chain-security.yaml | 28 ++++++++++++++++++
 .../release-supply-chain-security.yaml | 29 +++++++++++++++++++
 .mega-linter.yml | 18 ++++++++++++
 README.md | 16 ++++++++++
 SECURITY.md | 19 ++++++++++++
 6 files changed, 126 insertions(+)
 create mode 100644 .github/CODEOWNERS
 create mode 100644 .github/workflows/pr-supply-chain-security.yaml
 create mode 100644 .github/workflows/release-supply-chain-security.yaml
 create mode 100644 .mega-linter.yml
 create mode 100644 SECURITY.md
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
new file mode 100644
index 0000000..07ce83d
--- /dev/null
+++ b/.github/CODEOWNERS
@@ -0,0 +1,16 @@
+* @maisaai/developers
+.dockerignore @maisaai/sre
+.github/workflows/ @maisaai/sre
+.github/CODEOWNERS @maisaai/sre
+.gitignore @maisaai/sre
+.mega-linter.yml @maisaai/sre
+.maisa/ @maisaai/sre
+CHANGELOG.md @maisaai/sre
+Dockerfile @maisaai/sre
+LICENSE.md @maisaai/sre
+SECURITY.md @maisaai/sre
+VERSION @maisaai/sre
+dependabot.yaml @maisaai/sre
+sonar-project.properties @maisaai/sre
+.golang-ci.yaml @maisaai/sre
+.releaserc @maisaai/sre
diff --git a/.github/workflows/pr-supply-chain-security.yaml b/.github/workflows/pr-supply-chain-security.yaml
new file mode 100644
index 0000000..37fcec6
--- /dev/null
+++ b/.github/workflows/pr-supply-chain-security.yaml
@@ -0,0 +1,28 @@
+name: PR Supply Chain Security
+run-name: PR supply chain for ${{ github.ref_name }}
+
+on:
+ pull_request:
+ types: [opened, synchronize, reopened, edited]
+ workflow_dispatch:
+
+permissions:
+ actions: read
+ contents: read
+ id-token: write
+ security-events: write
+ issues: write
+ pull-requests: write
+
+jobs:
+ supply-chain:
+ uses: maisaai/maisa-ci-cd/.github/workflows/supply-chain-pr.yml@feature/supply-chain-sbom-attestation
+ with:
+ ci_cd_ref: feature/supply-chain-sbom-attestation
+ fail_on_findings: false
+ enable_issue_sync: false
+ secrets:
+ SHARED_ACCOUNT_AWS_ROLE_ARN: ${{ secrets.SHARED_ACCOUNT_AWS_ROLE_ARN }}
+ APP_ID: ${{ secrets.APP_ID }}
+ APP_PRIVATE_KEY: ${{ secrets.APP_PRIVATE_KEY }}
+ SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
diff --git a/.github/workflows/release-supply-chain-security.yaml b/.github/workflows/release-supply-chain-security.yaml
new file mode 100644
index 0000000..dbcdd68
--- /dev/null
+++ b/.github/workflows/release-supply-chain-security.yaml
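Review bot: The `dependabot.yaml @maisaai/sre` rule matches a file at the repository root, but GitHub reads Dependabot configuration from `.github/dependabot.yml`, and this hunk gives SRE ownership of `.github/workflows/` and `.github/CODEOWNERS` only, so the file that decides which automated dependency PRs get opened falls back to `@maisaai/developers`. Either own the directory outright, `.github/ @maisaai/sre`, or add `.github/dependabot.yml @maisaai/sre`. The `.golang-ci.yaml` entry looks like a template leftover: golangci-lint's documented config name is `.golangci.yaml`, and the README describes this repository as a Node SDK, so confirm the file exists before owning it. None of these rules are enforced unless branch protection on `main` requires review from code owners, which the patch cannot show.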
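Review bot: The `permissions` block grants `issues: write` and `pull-requests: write` while the call sets `enable_issue_sync: false`, so the PR job carries write scopes it is not configured to use; a reusable workflow can only use what the caller grants, so start from `issues: read` and `pull-requests: read` (or omit them) and widen only if the callee turns out to post PR comments. `run-name` uses `${{ github.ref_name }}`, which on `pull_request` events resolves to `<number>/merge` rather than the branch; `run-name: PR supply chain for ${{ github.head_ref || github.ref_name }}` reads correctly for both triggers. Keep in mind that `pull_request` runs from forks receive no repository secrets and no OIDC token, so `SHARED_ACCOUNT_AWS_ROLE_ARN`, `APP_PRIVATE_KEY` and `SONAR_TOKEN` will be empty there — the callee should tolerate that, or the workflow should document that fork PRs are expected to fail the scan. The `edited` type also re-runs the whole pipeline on title or body edits, which is cost rather than risk.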
@@ -0,0 +1,29 @@
+name: Release Supply Chain Security
+run-name: Release supply chain for ${{ github.ref_name }}
+
+on:
+ workflow_dispatch:
+ push:
+ tags:
+ - 'v*.*.*'
+
+permissions:
+ actions: read
+ contents: read
+ id-token: write
+ security-events: write
+ issues: write
+ pull-requests: write
+
+jobs:
+ supply-chain:
+ uses: maisaai/maisa-ci-cd/.github/workflows/supply-chain-release.yml@feature/supply-chain-sbom-attestation
+ with:
+ ci_cd_ref: feature/supply-chain-sbom-attestation
+ fail_on_findings: true
+ enable_issue_sync: false
+ secrets:
+ SHARED_ACCOUNT_AWS_ROLE_ARN: ${{ secrets.SHARED_ACCOUNT_AWS_ROLE_ARN }}
+ APP_ID: ${{ secrets.APP_ID }}
+ APP_PRIVATE_KEY: ${{ secrets.APP_PRIVATE_KEY }}
+ SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
diff --git a/.mega-linter.yml b/.mega-linter.yml
new file mode 100644
index 0000000..8962e50
--- /dev/null
+++ b/.mega-linter.yml
@@ -0,0 +1,18 @@
+# MegaLinter v9 Configuration
+# Profile: service-typescript-template
+# Applied via supply-chain-pr.yml SAST lane
+APPLY_FIXES: none
+ENABLE_LINTERS:
+ - REPOSITORY_SEMGREP
+ - REPOSITORY_DEVSKIM
+ - REPOSITORY_GITLEAKS
+ - TYPESCRIPT_ES
+ - JAVASCRIPT_ES
+ - DOCKERFILE_HADOLINT
+DISABLE_LINTERS: []
+SHOW_ELAPSED_TIME: true
+FILEIO_REPORTER: false
+SARIF_REPORTER: true
+GITHUB_STATUS_REPORTER: true
+FLAVOR_SUGGESTIONS: false
+FILTER_REGEX_EXCLUDE: '(node_modules/|dist/|\.next/|coverage/)'
diff --git a/README.md b/README.md
index e3bb179..de53c0a 100644
--- a/README.md
+++ b/README.md
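Review bot: A `push` of any `v*.*.*` tag, or a manual `workflow_dispatch` from any branch, starts a job holding `id-token: write` plus `SHARED_ACCOUNT_AWS_ROLE_ARN`, so anyone who can push a tag can have this workflow mint an OIDC token against that role; pair the trigger with a tag protection rule for `v*` and make sure the role's trust policy conditions on the `sub` or `job_workflow_ref` claim for this repository and tag refs rather than the org alone — the patch cannot show the AWS side. `contents: read` is enough to scan, but if `supply-chain-release.yml` attaches SBOMs or signatures to the GitHub release it needs `contents: write`, and GitHub build-provenance attestations need `attestations: write`; add either only if the callee actually does that. As in the PR caller, `issues: write` and `pull-requests: write` are granted while `enable_issue_sync: false`, so they can be dropped to `read` until the sync is switched on.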
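Review bot: `ENABLE_LINTERS` is an allow-list, so the two workflow files this patch adds are never linted themselves; adding `- ACTION_ACTIONLINT` (and `- YAML_YAMLLINT`) would catch workflow syntax and expression mistakes before they reach the reusable pipeline. The header `# Profile: service-typescript-template` looks copied from a template — the README calls this repository the Maisa Node API Library — so name the real profile or drop the line to avoid misleading the next maintainer. `GITHUB_STATUS_REPORTER: true` posts commit statuses and presumably needs a token with `statuses: write` in whichever job runs MegaLinter; the callers in this patch grant no such scope, so confirm the callee supplies one or the reporter will fail quietly.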
@@ -1,5 +1,21 @@
 # Maisa Node API Library
+[![Supply Chain PR](https://github.com/maisaai/node-sdk/actions/workflows/pr-supply-chain-security.yaml/badge.svg)](https://github.com/maisaai/node-sdk/actions/workflows/pr-supply-chain-security.yaml)
+[![Supply Chain Release](https://github.com/maisaai/node-sdk/actions/workflows/release-supply-chain-security.yaml/badge.svg)](https://github.com/maisaai/node-sdk/actions/workflows/release-supply-chain-security.yaml)
+
+[![Security Rating](https://sonarcloud.io/api/project_badges/measure?project=maisaai_node-sdk&metric=security_rating)](https://sonarcloud.io/summary/overall?id=maisaai_node-sdk)
+[![Reliability Rating](https://sonarcloud.io/api/project_badges/measure?project=maisaai_node-sdk&metric=reliability_rating)](https://sonarcloud.io/summary/overall?id=maisaai_node-sdk)
+[![Maintainability Rating](https://sonarcloud.io/api/project_badges/measure?project=maisaai_node-sdk&metric=sqale_rating)](https://sonarcloud.io/summary/overall?id=maisaai_node-sdk)
+[![Coverage](https://sonarcloud.io/api/project_badges/measure?project=maisaai_node-sdk&metric=coverage)](https://sonarcloud.io/summary/overall?id=maisaai_node-sdk)
+[![Duplicated Lines (%)](https://sonarcloud.io/api/project_badges/measure?project=maisaai_node-sdk&metric=duplicated_lines_density)](https://sonarcloud.io/summary/overall?id=maisaai_node-sdk)
+[![Security Hotspots](https://sonarcloud.io/api/project_badges/measure?project=maisaai_node-sdk&metric=security_hotspots)](https://sonarcloud.io/summary/overall?id=maisaai_node-sdk)
+
+[![GitHub issues](https://img.shields.io/github/issues/maisaai/node-sdk)](https://github.com/maisaai/node-sdk/issues)
+[![Dependabot Status](https://img.shields.io/badge/dependabot-enabled-025E8C?logo=dependabot)](https://github.com/maisaai/node-sdk/network/updates)
+
+---
+
+
 [![NPM version](https://img.shields.io/npm/v/maisa.svg)](https://npmjs.org/package/maisa)
 This library provides convenient access to the Maisa REST API from 
server-side TypeScript or JavaScript.
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000..2724cb2
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,19 @@
+# Security Policy
+
+## Supported Versions
+
+Security fixes are applied to the `main` branch.
+
+## Reporting a Vulnerability
+
+Do not open public issues for security reports.
+
+Use GitHub private vulnerability reporting for this repository, or contact the maintainers directly through internal security channels.
+
+Include:
+- A clear impact statement
+- Reproduction steps or proof of concept
+- Affected paths and versions
+- Suggested remediation if available
+
+We will acknowledge receipt, triage severity, and coordinate a fix and disclosure timeline.
From 5279e62f7548b27d066d0e51b2c50d99bb2ad3e3 Mon Sep 17 00:00:00 2001
From: Guillermo Lam
Date: Mon, 23 Feb 2026 01:50:09 +0100
Subject: [PATCH 2/2] feat: add supply-chain security pipeline

Add PR and release workflow callers for the centralized supply-chain security pipeline.

Co-Authored-By: Claude Opus 4.6
---
 .github/workflows/pr-supply-chain-security.yaml | 4 ++--
 .github/workflows/release-supply-chain-security.yaml | 6 +++---
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/pr-supply-chain-security.yaml b/.github/workflows/pr-supply-chain-security.yaml
index 37fcec6..5d2879d 100644
--- a/.github/workflows/pr-supply-chain-security.yaml
+++ b/.github/workflows/pr-supply-chain-security.yaml
@@ -16,9 +16,9 @@ permissions:
 jobs:
 supply-chain:
- uses: maisaai/maisa-ci-cd/.github/workflows/supply-chain-pr.yml@feature/supply-chain-sbom-attestation
+ uses: maisaai/maisa-ci-cd/.github/workflows/supply-chain-pr.yml@main
 with:
- ci_cd_ref: feature/supply-chain-sbom-attestation
+ ci_cd_ref: main
 fail_on_findings: false
 enable_issue_sync: false
 secrets:
diff --git a/.github/workflows/release-supply-chain-security.yaml b/.github/workflows/release-supply-chain-security.yaml
index dbcdd68..a1e2a7f 100644
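Review bot: `@main` on the `uses:` line and `ci_cd_ref: main` are both mutable references, so every PR run — and, in the release caller's matching hunk, every tagged release — executes whatever `maisaai/maisa-ci-cd` currently has on `main`, and a mistaken or malicious push there flows straight into this repository's scans and attestations; OpenSSF Scorecard, which this pipeline runs, flags exactly this under Pinned-Dependencies. Pin the reusable workflow to a full commit SHA with the release tag in a trailing comment, e.g. `uses: maisaai/maisa-ci-cd/.github/workflows/supply-chain-pr.yml@<commit-sha>  # <tag>`, and let Dependabot's `github-actions` ecosystem bump it. If `ci_cd_ref` is what the callee checks out of its own repository, pass the same SHA there so the two references cannot drift apart. The same point applies to the second hunk of `release-supply-chain-security.yaml`.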
--- a/.github/workflows/release-supply-chain-security.yaml
+++ b/.github/workflows/release-supply-chain-security.yaml
@@ -5,7 +5,7 @@ on:
 workflow_dispatch:
 push:
 tags:
- - 'v*.*.*'
+ - "v*.*.*"
 permissions:
 actions: read
@@ -17,9 +17,9 @@ permissions:
 jobs:
 supply-chain:
- uses: maisaai/maisa-ci-cd/.github/workflows/supply-chain-release.yml@feature/supply-chain-sbom-attestation
+ uses: maisaai/maisa-ci-cd/.github/workflows/supply-chain-release.yml@main
 with:
- ci_cd_ref: feature/supply-chain-sbom-attestation
+ ci_cd_ref: main
 fail_on_findings: true
 enable_issue_sync: false
 secrets: