fix: remediate scanner security alerts #41

Merged
kantorcodes merged 2 commits into main from feat/cisco-security-remediation
Apr 4, 2026

Conversation

@kantorcodes (Member)

Summary

  • pin ClusterFuzzLite installs and the base image to clear the container and pip hash findings
  • preserve Cisco scanning by sourcing the dependency from a pinned patched fork commit instead of the vulnerable published release
  • update the action install path, lockfile, and regression coverage for the Cisco-enabled path

Verification

  • uv sync --frozen --extra dev --extra cisco --group publish
  • uv run --no-sync ruff check .
  • uv run --no-sync ruff format --check .
  • uv run --no-sync pytest -q
  • uv run --no-sync python -m build
  • uv run --no-sync codex-plugin-scanner scan tests/fixtures/good-plugin --format json --cisco-skill-scan on --cisco-policy balanced

Notes

  • branch protection on main was already updated separately to 2 required approvals, which should address the repo-level BranchProtection scorecard finding after rescans
  • remaining scorecard findings like CII Best Practices, Maintained, and CodeReview are repo-level or time-based rather than code changes in this PR

Signed-off-by: Michael Kantor <6068672+kantorcodes@users.noreply.github.com>

@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request updates the cisco-ai-skill-scanner dependency to a pinned patched fork to mitigate a vulnerable LiteLLM pin in the upstream release. The changes include updates to the Dockerfile, pyproject.toml, action.yml, and uv.lock, along with corresponding documentation updates and a new test case to verify handling of the missing dependency. I have provided feedback suggesting the addition of TODO comments for better maintainability and a more idiomatic approach to testing missing modules using sys.modules instead of patching builtins.__import__.
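The `sys.modules` technique the review above recommends, as an added example that is not code from the PR or the project: a `None` entry in `sys.modules` is the interpreter's own "import blocked" sentinel, so an optional-dependency fallback can be exercised without patching `builtins.__import__`. The import name `cisco_ai_skill_scanner`, the `scanner.scan(...)` call and the `run_skill_scan` wrapper are assumptions for illustration; the page names only the distribution `cisco-ai-skill-scanner`.

```python
"""Simulating a missing optional dependency via sys.modules (added example)."""
import contextlib
import importlib
import sys
from types import ModuleType
from typing import Iterator, Optional

# Assumed import name for the optional Cisco scanner; placeholder, not taken
# from the project.
CISCO_MODULE = "cisco_ai_skill_scanner"


def import_optional(name: str) -> Optional[ModuleType]:
    """Import `name`, returning None when it is not installed.

    Catching ImportError covers both a genuinely absent package and the
    `sys.modules[name] = None` sentinel that `missing_module` below installs
    (CPython raises ModuleNotFoundError, an ImportError subclass, for it).
    """
    try:
        return importlib.import_module(name)
    except ImportError:
        return None


def run_skill_scan(plugin_path: str, policy: str = "balanced") -> dict:
    """Run the optional scan if available, otherwise report it as skipped.

    The fallback is explicit so a consumer can tell "nothing found" apart from
    "scanner not installed"; silently returning an empty finding list would
    hide the reduced coverage.
    """
    scanner = import_optional(CISCO_MODULE)
    if scanner is None:
        return {
            "plugin": plugin_path,
            "policy": policy,
            "status": "skipped",
            "reason": f"optional dependency {CISCO_MODULE!r} is not installed",
            "findings": [],
        }
    # Hypothetical API: the real scanner's entry point is not shown on the page.
    findings = scanner.scan(plugin_path, policy=policy)
    return {"plugin": plugin_path, "policy": policy, "status": "ok",
            "findings": list(findings)}


@contextlib.contextmanager
def missing_module(name: str) -> Iterator[None]:
    """Make `import name` raise ImportError for the duration of the block.

    Any cached copy of the module (and its submodules) is removed first so the
    sentinel is actually consulted, and everything is restored afterwards.
    Nothing else in the import machinery is touched, so unrelated imports in
    the code under test keep working.
    """
    saved = {k: v for k, v in sys.modules.items()
             if k == name or k.startswith(name + ".")}
    for key in saved:
        del sys.modules[key]
    sys.modules[name] = None
    try:
        yield
    finally:
        sys.modules.pop(name, None)
        sys.modules.update(saved)


def demo_skipped_scan() -> dict:
    """Exercise the missing-dependency path regardless of what is installed."""
    with missing_module(CISCO_MODULE):
        return run_skill_scan("tests/fixtures/good-plugin")


def demo_blocks_installed_module() -> tuple:
    """Show the sentinel also blocks a module that is installed (stdlib json)."""
    with missing_module("json"):
        blocked = import_optional("json")
    restored = import_optional("json")
    return blocked, restored


if __name__ == "__main__":
    print(demo_skipped_scan())
    print(demo_blocks_installed_module())
```

In a pytest suite the same effect is one line, `monkeypatch.setitem(sys.modules, "cisco_ai_skill_scanner", None)`, with the fixture handling the restore; the context manager above only makes the save/restore visible.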

@kilo-code-bot

kilo-code-bot bot commented Apr 4, 2026

Code Review Summary

Status: No Issues Found | Recommendation: Merge

Overview

This PR addresses security vulnerabilities (LiteLLM CVE) by:

  • Pinning Docker base image and pip installs with hashes for reproducible builds
  • Switching Cisco skill-scanner dependency to a patched fork until upstream fixes the vulnerability

The changes follow security best practices and the implementation appears sound.

Files Reviewed (7 files)
  • .clusterfuzzlite/Dockerfile - Security hardening with hash pinning
  • README.md - Documentation update
  • action/README.md - Documentation update
  • action/action.yml - Fork dependency pin
  • pyproject.toml - Fork dependency + hatch config
  • tests/test_action_bundle.py - Test updates
  • tests/test_skill_security.py - New regression test

Note: The existing inline comments on pyproject.toml:36 and action/action.yml:187 (medium priority) already cover the dependency change. No new issues found in diff.


Reviewed by minimax-m2.5-20260211 · 327,772 tokens

@kantorcodes kantorcodes merged commit ada6c1a into main Apr 4, 2026
23 checks passed