
Add comprehensive security tooling for secret inventory and git history scanning#183

Draft
Copilot wants to merge 4 commits into main from copilot/fix-4626afc8-9e5b-4e69-968f-e1b4d6ec359e

Conversation

Contributor

Copilot AI commented Aug 9, 2025

This PR implements enterprise-grade security tooling to address secret management and exposure risks by adding comprehensive inventory and scanning capabilities.

Problem Statement

The repository needed robust tooling to:

  • Inventory all secret and variable names across GitHub repositories, environments, and organizations
  • Scan complete git history and all branches for accidentally committed .env files and secrets
  • Provide safe workflows and documentation for security teams to use these tools

Solution

Added a complete security toolkit with three main components:

1. Secret Inventory System (scripts/export/)

GitHub Inventory Script (github_inventory.sh):

  • Enumerates secret and variable names only (never values) using GitHub CLI
  • Covers repository, environment, and organization scopes
  • Generates structured JSON reports with metadata (creation dates, visibility)
  • Handles permissions gracefully with fallback for insufficient access

Encryption Helper (encrypt.sh):

  • Supports age (preferred) or GPG encryption for secure archive storage
  • Creates compressed archives with timestamp naming
  • Provides symmetric encryption fallback when no recipient specified

2. History & Branch Scanner (scripts/security/)

Comprehensive History Scanner (scan-history.sh):

  • Fetches all remote branches and scans full git history
  • Detects .env files committed across any branch (excluding examples/templates)
  • Auto-installs and runs gitleaks for additional secret pattern detection
  • Generates both JSON data and markdown summary reports

Gitleaks Configuration (.gitleaks.toml):

  • Custom configuration allowing example/template files
  • Scans entire repository for secret patterns
  • Integrates with GitHub Actions gitleaks action

3. Automated Workflows (.github/workflows/)

Secrets Inventory Workflow:

  • Manual trigger for on-demand secret name inventory
  • Uploads artifacts for secure CI usage
  • Installs dependencies and handles authentication

History Secret Scan Workflow:

  • Weekly scheduled scans plus manual trigger capability
  • Full history checkout with artifact preservation
  • Dual scanning approach (custom script + gitleaks action)

Repository Hygiene Improvements

  • Updated .gitignore: Prevents accidental commit of .env files and secret exports
  • Enhanced .env.example: Simplified, aligned with current application needs
  • DigitalOcean App Spec: Updated with proper SECRET type environment variables

Documentation & Response Procedures

  • Inventory Runbook (docs/runbooks/secrets-inventory.md): Step-by-step usage guide
  • Incident Response (docs/security/secret-spill-response.md): 4-phase response procedure (Contain, Eradicate, Recover, Learn)

Security Validation

Comprehensive testing confirmed:

  • No secret exposure: Scripts never log or export secret values
  • Clean history: Zero .env files found in repository history
  • No current leaks: Gitleaks scan of 502MB repository found no secrets
  • Secure automation: Workflows use minimal permissions with artifact isolation

Key Security Features

  • Names-only inventory: GitHub API limitations ensure values are never exposed
  • Full history coverage: Scans all branches and complete git history
  • Automated scheduling: Weekly scans with manual override capability
  • Encryption ready: Built-in support for secure backup of inventory data
  • Incident response: Clear procedures for handling discovered exposures

This implementation provides security teams with production-ready tools for comprehensive secret management and exposure detection across the entire repository lifecycle.
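The history scanner above is described only in prose (fetch every branch, walk the full log, flag `.env` files but skip example/template files, emit a JSON report that carries paths and commit ids rather than file contents). The following Python is an added illustration of that detection logic, not the PR's own `scan-history.sh`. It parses the output of `git log --all --name-only --pretty=format:%H`; the sample log, its paths and its 40-hex commit ids are constructed for the example, and treating a `.sample` suffix as a template is an assumption beyond the PR text, which names only examples and templates.

```python
"""Flag .env files anywhere in git history from `git log --all --name-only` output.

Added example code, not the PR's scan-history.sh. SAMPLE_LOG below is
constructed: its paths and commit ids do not come from any real repository.
"""
import json
import re
import subprocess
from collections import defaultdict
from pathlib import PurePosixPath

# Template files are allowed in history; real .env variants are not.
# ".sample" is an assumption added here; the PR names examples/templates only.
TEMPLATE_SUFFIXES = (".example", ".template", ".sample")
COMMIT_RE = re.compile(r"^[0-9a-f]{40}$")


def is_sensitive_env_path(path):
    """True for `.env` and `.env.<anything>` (e.g. .env.production), except templates."""
    name = PurePosixPath(path).name
    if name != ".env" and not name.startswith(".env."):
        return False
    return not name.endswith(TEMPLATE_SUFFIXES)


def parse_name_only_log(text):
    """Map each flagged path to the commits that touched it.

    Input format: output of `git log --all --name-only --pretty=format:%H`,
    i.e. a 40-hex commit line followed by the paths that commit changed.
    Blank lines are ignored so the parser is indifferent to git's spacing.
    """
    hits = defaultdict(list)
    commit = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if COMMIT_RE.match(line):
            commit = line
        elif commit is not None and is_sensitive_env_path(line):
            hits[line].append(commit)
    return dict(hits)


def run_git_log(repo_dir):
    """Collect the same log from a real checkout.

    Run `git fetch --all` first so every remote branch is present locally;
    `--all` then walks history reachable from any ref, not just the checkout.
    """
    result = subprocess.run(
        ["git", "-C", repo_dir, "log", "--all", "--name-only", "--pretty=format:%H"],
        check=True, capture_output=True, text=True,
    )
    return result.stdout


def build_report(log_text):
    """JSON-ready summary: paths and commit ids only, never file contents."""
    hits = parse_name_only_log(log_text)
    return {
        "env_files_found": len(hits),
        "findings": [{"path": p, "commits": c} for p, c in sorted(hits.items())],
    }


# Constructed sample: three commits, two of which touch real .env files.
SAMPLE_LOG = """\
0123456789abcdef0123456789abcdef01234567

.env
.env.example
README.md

fedcba9876543210fedcba9876543210fedcba98

services/api/.env.production
.env.template

deadbeefdeadbeefdeadbeefdeadbeefdeadbeef

.env
src/environment.ts
"""

if __name__ == "__main__":
    # For a live repository replace SAMPLE_LOG with run_git_log("/path/to/checkout").
    print(json.dumps(build_report(SAMPLE_LOG), indent=2))
```

On the constructed sample the report lists `.env` (two commits) and `services/api/.env.production` (one commit) while `.env.example`, `.env.template` and `src/environment.ts` are not flagged; the report deliberately records only paths and commit ids, matching the PR's stance that tooling must never surface secret values.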



@bito-code-review

Bito Automatic Review Skipped - Draft PR

Bito didn't auto-review because this pull request is in draft status.
No action is needed if you didn't intend for the agent to review it. Otherwise, to manually trigger a review, type /review in a comment and save.
You can change draft PR review settings here, or contact your Bito workspace admin at dxp51037@hawkmail.hacc.edu.

Copilot AI and others added 3 commits August 9, 2025 21:52
Co-authored-by: dzp5103 <214723817+dzp5103@users.noreply.github.com>
…s config

Co-authored-by: dzp5103 <214723817+dzp5103@users.noreply.github.com>
…ound

Co-authored-by: dzp5103 <214723817+dzp5103@users.noreply.github.com>
Copilot AI changed the title [WIP] chore(security): add secrets inventory toolkit and history scan for exposed .env; docs + workflows Add comprehensive security tooling for secret inventory and git history scanning Aug 9, 2025
Copilot AI requested a review from dzp5103 August 9, 2025 21:58
