diff --git a/.coveragerc b/.coveragerc
new file mode 100644
index 00000000..49bb0597
--- /dev/null
+++ b/.coveragerc
@@ -0,0 +1,3 @@
+[coverage:report]
+omit =
+ */test_*
diff --git a/.github/codeql.yml b/.github/codeql.yml
new file mode 100644
index 00000000..0f2f9828
--- /dev/null
+++ b/.github/codeql.yml
@@ -0,0 +1,52 @@
+name: "Code scanning - action"
+
+on:
+ push:
+ pull_request:
+ schedule:
+ - cron: '0 19 * * 0'
+
+jobs:
+ CodeQL-Build:
+
+ # CodeQL runs on ubuntu-latest and windows-latest
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ with:
+ # We must fetch at least the immediate parents so that if this is
+ # a pull request then we can checkout the head.
+ fetch-depth: 2
+
+ # If this run was triggered by a pull request event, then checkout
+ # the head of the pull request instead of the merge commit.
+ - run: git checkout HEAD^2
+ if: ${{ github.event_name == 'pull_request' }}
+
+ # Initializes the CodeQL tools for scanning.
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v3
+ # Override language selection by uncommenting this and choosing your languages
+ # with:
+ # languages: go, javascript, csharp, python, cpp, java
+
+ # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
+ # If this step fails, then you should remove it and run the build manually (see below)
+ - name: Autobuild
+ uses: github/codeql-action/autobuild@v3
+
+ # â„šī¸ Command-line programs to run using the OS shell.
+ # 📚 https://git.io/JvXDl
+
+ # âœī¸ If the Autobuild fails above, remove it and uncomment the following three lines
+ # and modify them (or add more) to build your code if your project
+ # uses a compiled language
+
+ #- run: |
+ # make bootstrap
+ # make release
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v3
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 1db33f44..a7eea975 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
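Review bot: The new workflow is committed as `.github/codeql.yml`, but GitHub Actions only loads workflow files from `.github/workflows/`, so as placed the scan will never run on push, pull request or the cron schedule; it should live at `.github/workflows/codeql.yml`. The job also declares no `permissions:`, while the analyze step uploads results to code scanning; add `permissions:` with `contents: read` and `security-events: write` at job level so the upload does not depend on the repository's default token scope. The `git checkout HEAD^2` step comes from an older template and is presumably no longer needed with `codeql-action@v3`; dropping it (and `fetch-depth: 2`) lets pull requests be analyzed as the merge commit.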
@@ -5,8 +5,24 @@ version: 2 updates: - - package-ecosystem: pip # See documentation for possible values + + # Docker + - package-ecosystem: docker + directory: "/" + schedule: + interval: "monthly" + open-pull-requests-limit: 25 + + # Python + - package-ecosystem: "pip" # See documentation for possible values directory: "/" # Location of package manifests schedule: interval: "monthly" - time: '11:00' + open-pull-requests-limit: 25 + + # GitHub Actions + - package-ecosystem: "github-actions" + directory: ".github/workflows" + schedule: + interval: "monthly" + open-pull-requests-limit: 25 diff --git a/.github/workflows/manual-build.yml b/.github/workflows/manual-build.yml new file mode 100644 index 00000000..944f9035 --- /dev/null +++ b/.github/workflows/manual-build.yml @@ -0,0 +1,11 @@ +--- +name: Manual Build & Push +on: + workflow_dispatch: +jobs: + build-push: + uses: kbase/.github/.github/workflows/reusable_build-push.yml@main + with: + name: '${{ github.event.repository.name }}-develop' + tags: br-${{ github.ref_name }} + secrets: inherit diff --git a/.github/workflows/run_tests.yaml b/.github/workflows/run_tests.yaml index e6f56d16..604edddf 100644 --- a/.github/workflows/run_tests.yaml +++ b/.github/workflows/run_tests.yaml 
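Review bot: In `.github/dependabot.yml`, the new `github-actions` entry uses `directory: ".github/workflows"`, whereas Dependabot's documentation gives `directory: "/"` for this ecosystem and scans `.github/workflows` from there. Prefer `directory: "/"`, or confirm after merge that update pull requests are actually opened for the workflow actions. Note that references held on a branch, such as the `@main` reusable workflow added in this commit, are presumably not something this entry will move to a fixed version.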
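Review bot: In `.github/workflows/manual-build.yml`, `secrets: inherit` hands every secret this repository can read to a reusable workflow referenced by the mutable ref `@main`, so any later commit to that branch of `kbase/.github` runs with all of them. Pin the reference to a full commit SHA, `uses: kbase/.github/.github/workflows/reusable_build-push.yml@<full-commit-sha>`, and replace `secrets: inherit` with an explicit `secrets:` map that passes only what the called workflow declares. The tag `br-${{ github.ref_name }}` is built from the branch name, and a branch containing `/` would not be a valid image tag; how the reusable workflow handles that is not visible here.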
@@ -11,44 +11,19 @@ jobs: runs-on: ubuntu-latest steps: - name: checkout git repo - uses: actions/checkout@v2 + uses: actions/checkout@v4 - name: run tests shell: bash env: GITHUB_ACTIONS_CI: 1 run: | - docker-compose build - docker-compose run re_api sh scripts/run_tests.sh - docker-compose down --remove-orphans + docker compose build + docker compose run re_api sh scripts/run_tests.sh + docker compose down --remove-orphans - docker_build_and_push: - runs-on: ubuntu-latest - needs: run_tests - if: (github.ref == 'refs/heads/develop' || github.ref == 'refs/heads/master') && github.event_name == 'push' && !contains(github.event.head_commit.message, 'skip_docker_build') - steps: - - name: checkout git repo - uses: actions/checkout@v2 - - - name: copy VERSION to TAG_NAME - shell: bash - run: | - mkdir -p .target - cp VERSION .target/TAG_NAME - - - name: set env vars - shell: bash - run: | - echo "DATE=$(date -u +"%Y-%m-%dT%H:%M:%SZ")" >> $GITHUB_ENV - echo "BRANCH=$(git symbolic-ref --short HEAD)" >> $GITHUB_ENV - echo "COMMIT=$(git rev-parse --short HEAD)" >> $GITHUB_ENV - - - name: build and push to dockerhub - uses: opspresso/action-docker@master + - name: Upload coverage to Codecov + uses: codecov/codecov-action@v5 with: - args: --docker - env: - USERNAME: ${{ secrets.DOCKER_USERNAME }} - PASSWORD: ${{ secrets.DOCKER_PASSWORD }} - DOCKERFILE: "Dockerfile" - IMAGE_NAME: "kbase/relation_engine_api" + token: ${{ secrets.CODECOV_TOKEN }} + fail_ci_if_error: true diff --git a/dev-requirements.txt b/dev-requirements.txt index fea372d0..8a8452ea 100644 --- a/dev-requirements.txt +++ b/dev-requirements.txt @@ -4,8 +4,8 @@ bandit==1.7.4 mccabe==0.6.1 flake8==4.0.1 grequests==0.6.0 -coverage==6.4.2 black==22.6.0 -pytest==7.1.2 +pytest==7.4.0 +pytest-cov==4.1.0 python-arango==7.4.1 frozendict==2.3.4 diff --git a/requirements.txt b/requirements.txt index 1996dfed..88791d31 100644 --- a/requirements.txt +++ b/requirements.txt 
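Review bot: The added `codecov/codecov-action@v5` step in `.github/workflows/run_tests.yaml` is given `secrets.CODECOV_TOKEN` but is referenced by a movable tag; pin it, and `actions/checkout`, to a full commit SHA with the version in a trailing comment, e.g. `uses: codecov/codecov-action@<full-commit-sha> # v5`, which the `github-actions` Dependabot entry added in this commit can keep current. With `fail_ci_if_error: true`, runs where the secret is not available (presumably pull requests from forks) may fail at upload. The step also relies on the `coverage.xml` written inside the `re_api` container being visible in the runner workspace. Neither the workflow triggers nor the compose volume mounts are visible in this hunk, so both should be confirmed; the `jobs:` section begins outside the hunk.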
@@ -1,14 +1,15 @@ Flask==2.1.3 itsdangerous==2.1.2 -greenlet==1.1.2 +greenlet==3.1.1 gunicorn==20.1.0 -gevent==21.12.0 +gevent==24.11.1 simplejson==3.17.6 python-dotenv==0.20.0 requests==2.28.1 jsonpointer==2.3 jsonschema==4.8.0 jsonschema[format]==4.8.0 -pyyaml==6.0 +pyyaml==6.0.1 rfc3987==1.3.8 jinja2==3.1.2 +werkzeug==2.0.3 diff --git a/scripts/run_tests.sh b/scripts/run_tests.sh index cfc9c4e8..3b511b3d 100644 --- a/scripts/run_tests.sh +++ b/scripts/run_tests.sh @@ -10,20 +10,18 @@ echo "> black" black . echo "> flake8" flake8 --max-complexity 20 /app -echo "> mypy" -mypy --ignore-missing-imports /app +# echo "> mypy" +# mypy --ignore-missing-imports /app echo "> bandit" bandit -r -c .bandit.yaml /app # start server, using the specs in /spec/repo sh /app/scripts/start_server.sh & -coverage erase + # spec validation python -m spec.validate # wait for the RE service to be up so integration tests can pass python -m relation_engine_server.utils.wait_for api -# run importer/, relation_engine_server/, and spec/ tests -coverage run --branch -m pytest -vv -# RE client tests - seems like these tests were already run in the line above, why run them again? -PYTHONPATH=client_src python -m pytest client_src/test -coverage html --omit=*/test_* + +# run importer/, relation_engine_server/, spec/, scripts/, and client_src/ tests +pytest -vv --cov=. --cov-branch --cov-report=term --cov-report=xml
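Review bot: `werkzeug==2.0.3` enters `requirements.txt` as a new pin with nothing recording why, and it is an old release line to freeze a web-facing dependency on. If the pin exists to keep `Flask==2.1.3` away from an incompatible newer Werkzeug (an assumption, the commit does not say), choose the newest Werkzeug release that Flask version supports and check it against published advisories before merging. Record the reason next to the pin, for example `# werkzeug pinned for Flask 2.1.3 compatibility; upgrade both together`, so the pin is revisited when Flask is bumped.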
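Review bot: In `scripts/run_tests.sh`, the single `pytest -vv --cov=. ...` call replaces the separate `PYTHONPATH=client_src python -m pytest client_src/test` run, yet the new comment says `client_src/` tests are included; unless the pytest configuration (not visible here) puts `client_src` on the import path, those tests may fail to import or drop out of collection. Confirm the collection output lists them, or keep the path explicitly with `PYTHONPATH=client_src pytest -vv --cov=. --cov-branch --cov-report=term --cov-report=xml` if that does not disturb the other suites. The mypy step is disabled by commenting it out with no reason given; a line such as `# mypy disabled: <reason>; re-enable once resolved` would keep the lost check tracked. The script begins outside the hunk.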