QASP: Add Security automation

[jpmckinney]

QASP already has the policy; this issue is about automating it.

Consider adding CodeQL workflows, e.g. https://github.com/open-contracting/ocdskit/security/code-scanning See also https://lgtm.com (https://blog.semmle.com/secure-software-github-semmle/)

Can also consider https://bandit.readthedocs.io/en/latest/ from PyCQA. 2024 update: now covered by ruff

---

From https://guides.18f.gov/derisking/qasp/

Deliverable	Performance Standard(s)	Acceptable Quality Level	Method of Assessment
Security	OWASP Application Security Verification Standard 4.0, Level 2	Code submitted must be free of medium- and high-level static and dynamic security vulnerabilities	Clean tests from a static testing SaaS (such as npm audit) and from ZAP, along with documentation explaining any false positives

QASP: https://docs.google.com/document/d/1s-PJSdX43_DMAcXYalG9Upm31XvWCp31j_QGCzFJ7qY/edit

[jpmckinney]

SSRF comes up in a few tools (Data Review Tool, Spoonbill).

To check for all requests across repositories:

\brequests\.(?!(adapters|codes|org)\b)[a-z]|\bsession\.(?!(add|commit|expire_all|flush|mount|query|rollback)\b)\w

I've added Security: comments (or .. attention:: docs mentioning SSRF) where relevant.