[codex] Clarify CSReview scope and add GitHub security validation

[decksoftware]

Summary

• Repositions CSReview as development-time, local-workspace security alignment instead of live penetration testing.
• Adds explicit local-only scope, prohibited DAST/live probing language, and theoretical exploitation-path wording.
• Renames the shared scoring module to src/score.js and keeps report/CLI score behavior aligned.
• Deduplicates confirmed findings, preserves readable non-secret vulnerable code, and caps scores when any finding exists.
• Hardens report output by sanitizing HTML attributes and using package/version/duration metadata in Markdown.
• Reduces detector false positives by applying language-specific rules only to matching languages and narrowing risky JavaScript patterns.
• Adds GitHub validation files for CI, Semgrep SARIF upload, Dependabot updates, and Security Policy.
• Addresses CodeQL/Semgrep findings shown on GitHub, including env-derived shell selection, regex-heavy agent-name sanitization, path traversal alerts, and the tracked vulnerable sample file.
• Keeps the npm package at 0.0.1 with Node >=18 and Semgrep documented as a required external tool for agent-assisted analysis.

GitHub Security & Quality

This PR adds repository files that feed the GitHub Security and quality area after workflows run or after the PR is merged:

• CI: .github/workflows/ci.yml runs tests on Node 20 and 24, npm audit, and package dry-run validation.
• Code scanning: .github/workflows/semgrep.yml runs Semgrep and uploads SARIF.
• Code scanning: CodeQL should remain on GitHub default setup in repository settings. The advanced CodeQL workflow was removed because this repository already has CodeQL default setup active; GitHub rejects CodeQL API/workflow uploads while default setup is enabled.
• Dependabot: .github/dependabot.yml enables weekly npm and GitHub Actions update checks.
• Security policy: SECURITY.md defines a local-workspace, white-hat reporting policy.

Native GitHub Secret scanning is controlled in repository settings and cannot be enabled only by adding a file in this PR.

Validation

• npm test - 27/27 passing
• npx -y node@20 --test test/analysis.test.js - 27/27 passing
• npm audit --audit-level=low - 0 vulnerabilities
• npm pack --dry-run - OK, package version 0.0.1
• node --check on primary source and test files - OK
• semgrep scan --config auto --quiet --error --exclude node_modules --exclude csreview-reports . - OK
• rg -n -F "automated pentest level" csreview README.md - zero matches

Notes

gh is not authenticated in the local environment, so this PR was opened and updated through the GitHub connector after pushing the branch with git.

[github-advanced-security]

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

• The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
• Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
• You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.