Add OWASP PR Scanner workflow

[lperry022]

This PR adds a GitHub Actions workflow (scan.yml) that:

• Runs the OWASP scanner on changed files in pull requests
• Posts results as a PR comment
• Fails the check if vulnerabilities are found
• Skips execution if only scanner/** files are modified

[github-actions]

🔒 Security Scan Results

🔒 Security Scan Results
=========================

Bandit Scan Results:
-------------------
Run started:2025-09-23 00:23:15.479966

Test results:
>> Issue: [B501:request_with_no_cert_validation] Call to requests with verify=False disabling SSL certificate checks, security issue.
   Severity: High   Confidence: High
   CWE: CWE-295 (https://cwe.mitre.org/data/definitions/295.html)
   More Info: https://bandit.readthedocs.io/en/1.8.6/plugins/b501_request_with_no_cert_validation.html
   Location: ./tests/test_positive.py:35:0
34	default_password = "password"      # default password
35	requests.get("https://example.com", verify=False)  # TLS verification disabled
36	

--------------------------------------------------
>> Issue: [B307:blacklist] Use of possibly insecure function - consider using safer ast.literal_eval.
   Severity: Medium   Confidence: High
   CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
   More Info: https://bandit.readthedocs.io/en/1.8.6/blacklists/blacklist_calls.html#b307-eval
   Location: ./tests/test_positive.py:66:9
65	user_code = "1 + 2"
66	result = eval(user_code)                     # dangerous dynamic evaluation
67	data = yaml.load("key: value")               # unsafe YAML load (should be yaml.safe_load)

--------------------------------------------------
>> Issue: [B506:yaml_load] Use of unsafe yaml load. Allows instantiation of arbitrary objects. Consider yaml.safe_load().
   Severity: Medium   Confidence: High
   CWE: CWE-20 (https://cwe.mitre.org/data/definitions/20.html)
   More Info: https://bandit.readthedocs.io/en/1.8.6/plugins/b506_yaml_load.html
   Location: ./tests/test_positive.py:67:7
66	result = eval(user_code)                     # dangerous dynamic evaluation
67	data = yaml.load("key: value")               # unsafe YAML load (should be yaml.safe_load)
68	with open("tmp.bin", "wb") as fh:

--------------------------------------------------
>> Issue: [B301:blacklist] Pickle and modules that wrap it can be unsafe when used to deserialize untrusted data, possible security issue.
   Severity: Medium   Confidence: High
   CWE: CWE-502 (https://cwe.mitre.org/data/definitions/502.html)
   More Info: https://bandit.readthedocs.io/en/1.8.6/blacklists/blacklist_calls.html#b301-pickle
   Location: ./tests/test_positive.py:71:10
70	with open("tmp.bin", "rb") as fh:
71	    obj = pickle.load(fh)                    # unsafe deserialization
72	subprocess.run("echo hi", shell=True)        # shell=True

--------------------------------------------------

Code scanned:
	Total lines of code: 2056
	Total lines skipped (#nosec): 0
	Total potential issues skipped due to specifically being disabled (e.g., #nosec BXXX): 1

Run metrics:
	Total issues (by severity):
		Undefined: 0
		Low: 19
		Medium: 3
		High: 1
	Total issues (by confidence):
		Undefined: 0
		Low: 0
		Medium: 0
		High: 23
Files skipped (1):
	./T1_2025/infra/backups/bak/controller/backend/v1.0.0/endpoints/register.py (syntax error while parsing AST from file)

Dependency Check Results:
-----------------------

⛔️ Critical vulnerabilities detected. Please review and address these security issues before merging.

Next Steps:

1. Review each critical finding above and fix them according to OWASP top 10 mitigations.