Orchestration: CI, tests, security, and governance improvements #199

@Ladas

Description

Current maturity score: 2/5

This repository contains the kagenti-operator and platform-operator (Kubernetes CRD controllers). Tests are written but commented out in CI. Zero security scanning.

Top 5 gaps

  1. Tests commented out in CI — ci.yaml has a TODO comment. 30 test specs exist across 10 files but never run in CI.
  2. Zero security scanning — 0/8 applicable tools. Two Go modules, 2 Dockerfiles, and 8 shell scripts are unscanned. Dependency updates needed for several Go packages.
  3. 0% SHA-pinned actions — All 10 GitHub Actions references use tag-only pinning.
  4. Partial Dependabot — Only github-actions ecosystem is covered. Missing gomod (2 modules) and docker ecosystems.
  5. E2E tests not in CI — 7 E2E specs exist but no CI workflow triggers them.
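As an added illustration of gap 4 (not configuration taken from the kagenti repository), the Dependabot file below covers all three ecosystems the issue names: the existing github-actions entry plus gomod for the two Go modules and docker for the two Dockerfiles. The directory paths `/kagenti-operator` and `/platform-operator` are assumptions about where the modules and Dockerfiles live and must be adjusted to the real layout.

```yaml
# .github/dependabot.yml (added example; directories are assumed, not taken from the repo)
version: 2
updates:
  # Already present in the repo: keeps workflow action references current.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"

  # One gomod entry per Go module; Dependabot needs the directory containing go.mod.
  - package-ecosystem: "gomod"
    directory: "/kagenti-operator"      # assumption: first module lives here
    schedule:
      interval: "weekly"
  - package-ecosystem: "gomod"
    directory: "/platform-operator"     # assumption: second module lives here
    schedule:
      interval: "weekly"

  # One docker entry per Dockerfile; the directory is where the Dockerfile sits.
  - package-ecosystem: "docker"
    directory: "/kagenti-operator"      # assumption
    schedule:
      interval: "weekly"
  - package-ecosystem: "docker"
    directory: "/platform-operator"     # assumption
    schedule:
      interval: "weekly"
```

A quick way to verify the paths before committing is `find . -name go.mod -o -name Dockerfile`: every directory that shows up should have a matching entry above, otherwise Dependabot silently skips it.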

Recommended phase order

  1. orchestrate:precommit — Add gitleaks, shellcheck, hadolint, golangci-lint hooks
  2. orchestrate:ci — Uncomment tests, SHA-pin actions, add permissions, add security scanning, expand dependabot, add scorecard
  3. orchestrate:tests — Add CR reconciliation E2E tests, wire E2E into CI
  4. orchestrate:security — Add CODEOWNERS, SECURITY.md
  5. orchestrate:replicate — CLAUDE.md, .claude/settings.json, skills
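As an added example for the orchestrate:ci phase (not the repository's actual ci.yaml), the workflow excerpt below shows the three changes together: a top-level least-privilege `permissions` block, action references pinned to a full commit SHA with the tag kept in a trailing comment, and the Go test step actually running for both modules. The 40-zero SHAs are placeholders that must be replaced with the real commit for the chosen tag, and the module directories are assumed.

```yaml
# .github/workflows/ci.yaml (added example; SHAs are placeholders, directories assumed)
name: ci

on:
  pull_request:
  push:
    branches: [main]

# Default token gets read-only access; jobs that need more request it explicitly.
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        # Assumption: the two Go modules live in these directories.
        module: [kagenti-operator, platform-operator]
    defaults:
      run:
        working-directory: ${{ matrix.module }}
    steps:
      # Pin to an immutable commit SHA; the comment records the tag for humans
      # and for Dependabot, which updates both the SHA and the comment.
      - uses: actions/checkout@0000000000000000000000000000000000000000 # vX.Y.Z (placeholder SHA)
      - uses: actions/setup-go@0000000000000000000000000000000000000000 # vX.Y.Z (placeholder SHA)
        with:
          go-version-file: ${{ matrix.module }}/go.mod
      # Lint step for the phase-1 linter; SHA is again a placeholder.
      - uses: golangci/golangci-lint-action@0000000000000000000000000000000000000000 # vX.Y.Z (placeholder SHA)
        with:
          working-directory: ${{ matrix.module }}
      # The previously commented-out test run, now executed on every PR and push.
      - run: go test -race -count=1 ./...
```

To confirm nothing is still tag-only after the change, `grep -rn 'uses:' .github/workflows | grep -v '@[0-9a-f]\{40\}'` should print no lines; each remaining match is a reference that still needs a SHA.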
