
devops: enhance CI/CD pipeline with comprehensive security scanning and quality gates #34

@phrazzld

Description

The current CI/CD pipeline needs enhancement with comprehensive security scanning, quality gates, and improved error handling to align with our automation philosophy.

Current Pipeline Gaps

Missing Security Scanning:

  • No dependency vulnerability scanning beyond audit-filter
  • No SAST (Static Application Security Testing)
  • No secret scanning in CI
  • No container security scanning

Quality Gate Improvements:

  • Inconsistent error handling and reporting
  • Missing performance budgets enforcement
  • No automated accessibility testing in CI

Required Enhancements

1. Security Scanning Integration

  • Add comprehensive SAST tools (CodeQL, Semgrep)
  • Implement secret scanning (TruffleHog, GitLeaks)
  • Add dependency scanning with SBOM generation
  • Container security scanning for Docker builds

2. Quality Gates Enhancement

  • Enforce test coverage thresholds (85% minimum)
  • Add performance budget checks
  • Implement accessibility testing in CI
  • Add comprehensive linting and formatting checks
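The scanning and quality-gate items in sections 1 and 2 above (and the flaky-test retry in section 3) map onto a single GitHub Actions workflow. The following is an added example, not a workflow from this repository: the actions referenced (CodeQL, Semgrep, gitleaks, dependency-review, anchore sbom-action, Trivy) are real public actions, but the file name, the `javascript-typescript` CodeQL language, the `npm run test:coverage` script and the `coverage/coverage-summary.json` path are assumptions about the project.

```yaml
# .github/workflows/security-and-quality.yml  (added example; file name,
# CodeQL language, npm scripts and coverage path are assumptions)
name: security-and-quality

on:
  push:
    branches: [main]
  pull_request:

permissions:
  contents: read
  security-events: write   # lets CodeQL upload SARIF to the Security tab

jobs:
  codeql:
    name: SAST (CodeQL)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: javascript-typescript   # assumption: JS/TS code base
      - uses: github/codeql-action/analyze@v3

  semgrep:
    name: SAST (Semgrep)
    runs-on: ubuntu-latest
    container: semgrep/semgrep
    steps:
      - uses: actions/checkout@v4
      - run: semgrep ci --config auto   # non-zero exit on blocking findings

  secrets:
    name: Secret scanning (gitleaks)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0   # full history: a secret removed in a later commit still fails
      - uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  dependencies:
    name: Dependency review + SBOM
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/dependency-review-action@v4   # PR-only: blocks newly added vulnerable deps
        if: github.event_name == 'pull_request'
        with:
          fail-on-severity: high
      - uses: anchore/sbom-action@v0               # SPDX SBOM, uploaded as a workflow artifact
        with:
          format: spdx-json
          output-file: sbom.spdx.json

  container:
    name: Container scan (Trivy)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: docker build -t app:${{ github.sha }} .
      - uses: aquasecurity/trivy-action@master
        with:
          image-ref: app:${{ github.sha }}
          severity: CRITICAL,HIGH
          ignore-unfixed: true   # only fail on CVEs that have a fix available
          exit-code: '1'         # non-zero exit turns the scan into a gate

  quality-gate:
    name: Tests + 85% coverage threshold
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - run: npm ci
      - name: Run tests (one retry absorbs a flaky run)
        run: npm run test:coverage || npm run test:coverage
      - name: Enforce line coverage >= 85%
        run: |
          pct=$(jq '.total.lines.pct' coverage/coverage-summary.json)
          echo "line coverage: ${pct}%"
          awk -v p="$pct" 'BEGIN { exit (p >= 85) ? 0 : 1 }'
```

Each job is an independent gate: with branch protection requiring these checks, a pull request cannot merge while any of them fails. The secret scan fetches full history on purpose, since a credential committed and then deleted is still exposed. The coverage step reads the summary Istanbul-style reporters emit and turns the 85% figure from section 2 into an explicit exit code rather than a warning in a log.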

3. Pipeline Reliability

  • Improve error handling and reporting
  • Add retry mechanisms for flaky tests
  • Implement proper artifact management
  • Add comprehensive logging and monitoring

4. Deployment Security

  • Implement proper environment secrets management
  • Add deployment approval workflows
  • Implement rollback mechanisms
  • Add post-deployment verification
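Section 4 can be expressed as a separate deployment workflow that only runs after the scanning workflow succeeds. This is an added example, not this repository's workflow: the `production` environment (whose required reviewers and environment-scoped secrets are configured in repository settings), the `DEPLOY_TOKEN` secret, the `./scripts/deploy.sh` and `./scripts/rollback.sh` scripts and the `app.example.com` health URL are all assumptions.

```yaml
# .github/workflows/deploy.yml  (added example; scripts, secret name and
# health-check URL are assumptions)
name: deploy

on:
  workflow_run:
    workflows: [security-and-quality]
    types: [completed]
    branches: [main]

permissions:
  contents: read
  id-token: write   # OIDC federation to the cloud provider instead of long-lived keys

concurrency:
  group: production-deploy
  cancel-in-progress: false   # never abort a deploy midway; queue instead

jobs:
  deploy:
    # Only deploy commits that passed every scan and quality gate.
    if: github.event.workflow_run.conclusion == 'success'
    runs-on: ubuntu-latest
    # The job pauses here until the environment's required reviewers approve;
    # secrets attached to the environment are only exposed after approval.
    environment:
      name: production
      url: https://app.example.com   # assumption
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.workflow_run.head_sha }}   # deploy exactly what was scanned
      - name: Deploy
        run: ./scripts/deploy.sh "${{ github.event.workflow_run.head_sha }}"
        env:
          DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}   # environment-scoped secret
      - name: Post-deployment verification
        run: |
          # Poll the health endpoint for up to a minute before declaring failure.
          for i in 1 2 3 4 5 6; do
            curl -fsS --max-time 10 https://app.example.com/healthz && exit 0
            sleep 10
          done
          echo "health check never passed" >&2
          exit 1
      - name: Roll back on failure
        if: failure()   # runs when deploy or verification failed
        run: ./scripts/rollback.sh
        env:
          DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}
```

Pinning the checkout to `workflow_run.head_sha` closes the gap between "the commit that was scanned" and "the commit that gets deployed". The rollback step also fires if the deploy script itself fails part-way, so the rollback script should be safe to run against a partially applied release.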

Acceptance Criteria

  • All security scans integrated and passing
  • Quality gates prevent broken code from reaching production
  • Pipeline provides clear feedback on failures
  • Comprehensive security reporting available
  • Documentation updated with new pipeline processes

Priority

MEDIUM - Infrastructure improvements for long-term maintainability.

Metadata

Metadata

Assignees

No one assigned

Labels

  • priority:medium - Medium priority items for future planning
  • size:L - Large: 5 points - Major features, architecture changes
  • type:feature - New features and enhancements

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

    Issue actions