feat: implement log scrubbing and security workflows

Author: Miyamura80

.github/workflows/codeql.yml

@@ -0,0 +1,40 @@
+name: "CodeQL"
+
+on:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    branches: [ "main" ]
+  schedule:
+    - cron: '34 20 * * 1'
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'javascript-typescript', 'python' ]
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v3
+      with:
+        languages: ${{ matrix.language }}
+
+    - name: Autobuild
+      uses: github/codeql-action/autobuild@v3
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v3
+      with:
+        category: "/language:${{matrix.language}}"

.github/workflows/dast.yml

@@ -0,0 +1,17 @@
+name: DAST Scan
+
+on:
+  workflow_dispatch:
+
+jobs:
+  zap_scan:
+    runs-on: ubuntu-latest
+    name: Scan the webapplication
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      
+      - name: ZAP Baseline Scan
+        uses: zaproxy/action-baseline-scan@v0.12.0
+        with:
+          target: 'http://localhost:8000'

src/utils/logging_config.py

@@ -1,5 +1,6 @@
 import asyncio
 import os
+import re
 import sys
 import threading
 
@@ -12,6 +13,26 @@
 _logging_initialized = False
 _logging_lock = threading.Lock()
 
+# PII Patterns for redaction
+PII_PATTERNS = {
+    # Email pattern
+    r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b": "[REDACTED_EMAIL]",
+    # Generic API Key-like pattern (starts with sk- or similar, long alphanumeric)
+    r"(sk-[a-zA-Z0-9]{20,})": "[REDACTED_API_KEY]",
+}
+
+
+def scrub_sensitive_data(record):
+    """
+    Patch function to scrub sensitive data from the log record.
+    Modifies record["message"] in place.
+    """
+    message = record["message"]
+    for pattern, placeholder in PII_PATTERNS.items():
+        if re.search(pattern, message):
+            message = re.sub(pattern, placeholder, message)
+    record["message"] = message
+
 
 def _should_show_location(level: str) -> bool:
     """Determine if location should be shown for given log level"""
@@ -152,6 +173,9 @@ def setup_logging(*, debug=None, info=None, warning=None, error=None, critical=N
         # Remove any existing handlers
         logger.remove()
 
+        # Configure global patcher for log scrubbing
+        logger.configure(patcher=scrub_sensitive_data)
+
         # Initialize session_id if not already set
         if session_id.get() is None:
             session_id.set(generate_id())