chore(ci): secret scanning + vulnerable-package check + coverage (Tier 1)

[phuongnse]

Summary

Tier 1 security + coverage additions to PR CI. All three run automatically without GHAS provisioning.

• Gitleaks (new secret-scan job) — scans full diff for committed secrets. Free for personal accounts on private repos; license note added for future org move.
• Vulnerable packages (step in existing dotnet job) — dotnet list package --vulnerable --include-transitive fails CI on any known CVE, catching the contributor-adds-bad-package-at-PR-time case that Dependabot only catches post-merge.
• Coverage collection — appends --collect:"XPlat Code Coverage" to dotnet test and uploads cobertura as artifact (dotnet-coverage). No threshold enforced yet — see CONTRIBUTING.md § Coverage for why (need measured baseline first).

Linked spec

No feature — Tier 1 follow-up to PR #95 (architecture conventions). References:

• CONTRIBUTING.md § Coverage — new section explaining the defer-threshold rationale.
• agent-checklist.md § Gates — updated CI-only gates list (now 6 automated checks).

Requirements & rules followed

• Spec → code — no AC. Process additions.
• Gate 0 — N/A.
• Gate 1 — workflow YAML lint clean (no local action; CI will validate). Drift script green.
• Gate 2 — Docs updated in same PR: CONTRIBUTING.md, agent-checklist.md.
• Gate 3 — no new durable rule.
• Workarounds — none.
• No new TODO / FIXME / NotImplementedException / placeholder / stub under src/, tests/, frontend/src/

What's next

• PR test(arch): runtime endpoint authorization presence check (Tier 2) #97 — DI registration scanner (catches runtime coupling) + endpoint-authorization-presence check (uses WebApplicationFactory).
• PR chore(drift): hardcoded conn-string + DateTime.Now greps (Tier 2) #98 — Custom Roslyn analyzer (cross-module GetRequiredService, hardcoded connection strings, DateTime.Now, plus .Result/.Wait() with Task type info).
• Future — coverage threshold: read baseline from this PR's dotnet-coverage artifact, set <Threshold> to baseline minus 5pp in tests/Directory.Build.props.

Summary by CodeRabbit

• Chores

  • Enabled automated .NET code coverage collection and upload as a CI artifact.
  • Added PR secret scanning that blocks commits with detected secrets.
  • Added automated vulnerability detection for dependencies that can fail CI on findings.
  • Added an explicit package pin to mitigate a reported high-severity dependency issue.

• Documentation

  • Updated contribution guide with coverage collection details and guidance for future thresholds.
  • Updated CI gate playbook to reflect the new automated security and quality checks.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: d0354d83-e325-4d36-a5df-e3d45b584a37

📥 Commits

Reviewing files that changed from the base of the PR and between 0192990 and 8c830c9.

📒 Files selected for processing (2)

• Directory.Packages.props
• src/Shared/Axis.Shared.Infrastructure/Axis.Shared.Infrastructure.csproj

---

📝 Walkthrough

Walkthrough

Adds CI gates: enable XPlat coverage collection and upload Cobertura XML; run NuGet vulnerable-package detection to fail on advisories; add a TruffleHog secret-scan job for PRs; add a central System.Formats.Asn1 pin; and update CONTRIBUTING.md and agent checklist to document these gates.

Changes

CI Quality and Security Gates

Layer / File(s)	Summary
Code coverage collection and artifact upload .github/workflows/build-and-test.yml	dotnet test adds --collect:"XPlat Code Coverage"; coverage.cobertura.xml files from TestResults/**/ are uploaded as a dotnet-coverage artifact always; a step runs dotnet list package --vulnerable --include-transitive and fails the job when advisories appear.
Secret scanning job with TruffleHog .github/workflows/build-and-test.yml	New secret-scan job checks out with full history (fetch-depth: 0) and runs trufflesecurity/trufflehog across the PR base..head commit range with --only-verified, failing on findings.
Documentation updates for new CI gates CONTRIBUTING.md, docs/playbooks/agent-checklist.md	Adds a “Coverage” subsection to CONTRIBUTING.md describing coverlet collection and artifact upload (no threshold enforced yet); expands agent-checklist CI-only gates to include secret scanning, vulnerable-package detection, coverage artifact upload, and expanded doc-drift rules.
Central security package pin Directory.Packages.props, src/Shared/Axis.Shared.Infrastructure/Axis.Shared.Infrastructure.csproj	Adds an ItemGroup pinning System.Formats.Asn1 to 8.0.1 and an explicit PackageReference in Axis.Shared.Infrastructure with CVE commentary to force the patched version across project references.

Sequence Diagram(s)

sequenceDiagram
  participant GitHubActions
  participant DotnetTest
  participant ArtifactUpload
  participant NuGetScanner
  participant TruffleHog
  GitHubActions->>DotnetTest: run `dotnet test --collect:"XPlat Code Coverage"`
  DotnetTest->>ArtifactUpload: emit `coverage.cobertura.xml` in TestResults/**
  GitHubActions->>ArtifactUpload: upload `dotnet-coverage` artifact
  GitHubActions->>NuGetScanner: run `dotnet list package --vulnerable --include-transitive`
  NuGetScanner->>GitHubActions: advisory rows -> fail job if any
  GitHubActions->>TruffleHog: run trufflesecurity/trufflehog on base..head (--only-verified)
  TruffleHog->>GitHubActions: findings -> fail job

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

• phuong-labs/axis#95: Related enforcement of the GetAwaiter().GetResult() ban in CI checks and scripts.
• phuong-labs/axis#48: Earlier updates to agent checklist and CI gate definitions that this PR extends.

Poem

🐰 I hopped through CI with a gentle tap,

TruffleHog sniffed every branch and gap,
Coverlet splashed Cobertura light,
Artifacts boxed and sent at night,
A rabbit cheers — secure and apt.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately and concisely summarizes the main changes: adding three Tier 1 CI checks (secret scanning, vulnerable-package detection, and coverage collection) with supporting documentation.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch chore/tier1-security-coverage

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}