feat: improve project security posture

This PR introduces the following security changes to the project

 * Dependabot configuration for daily scans/updates from the Python and GitHub Actions ecosystems
 * Updates to the project CI GHA workflow to improve security
   * Upgrade reusable actions to latest release versions
   * Use poetry in CI to ensure consistent dependency version usage between dev and CI
   * Add execution of bandit and gitleaks checks
 * pre-commit tooling for contributors now runs `bandit`, `snyk`, `zizmor` and `gitleaks`
   * CI, codebase and dependency changes made to reflect issues found in scans
 * `security-insights.yml` added to communicate security changes to project made above

Here is the `pre-commit` output from this commit:

```
ruff.....................................................................Passed
ruff-format..............................................................Passed
bandit...................................................................Passed
Detect hardcoded secrets.................................................Passed
Snyk Test................................................................Passed
- hook id: snyk-test
- duration: 3.61s

[pre-commit-snyk] 2025-07-22 09:00:50 level=info Snyk path: /opt/homebrew/bin/snyk
[pre-commit-snyk] 2025-07-22 09:00:50 level=info Snyk version: 1.1298.0
[pre-commit-snyk] 2025-07-22 09:00:50 level=info Snyk arguments: test --file=poetry.lock --package-manager=pip --fail-on=upgradable

Testing /Users/travistruman/dev/uqlm...

Tested 103 dependencies for known issues, found 8 issues, 24 vulnerable paths.

Issues with no direct upgrade or patch:
  ✗ Improper Resource Shutdown or Release [Medium Severity][https://security.snyk.io/vuln/SNYK-PYTHON-TORCH-10332643] in torch@2.7.1
    introduced by torch@2.7.1 and 2 other path(s)
  No upgrade or patch available
  ✗ Buffer Overflow [High Severity][https://security.snyk.io/vuln/SNYK-PYTHON-TORCH-10332644] in torch@2.7.1
    introduced by torch@2.7.1 and 2 other path(s)
  No upgrade or patch available
  ✗ Buffer Overflow [Medium Severity][https://security.snyk.io/vuln/SNYK-PYTHON-TORCH-10332645] in torch@2.7.1
    introduced by torch@2.7.1 and 2 other path(s)
  No upgrade or patch available
  ✗ Mismatched Memory Management Routines [Medium Severity][https://security.snyk.io/vuln/SNYK-PYTHON-TORCH-10337825] in torch@2.7.1
    introduced by torch@2.7.1 and 2 other path(s)
  No upgrade or patch available
  ✗ Out-of-bounds Write [Medium Severity][https://security.snyk.io/vuln/SNYK-PYTHON-TORCH-10337826] in torch@2.7.1
    introduced by torch@2.7.1 and 2 other path(s)
  No upgrade or patch available
  ✗ Out-of-bounds Write [Medium Severity][https://security.snyk.io/vuln/SNYK-PYTHON-TORCH-10337828] in torch@2.7.1
    introduced by torch@2.7.1 and 2 other path(s)
  No upgrade or patch available
  ✗ Out-of-bounds Write [Medium Severity][https://security.snyk.io/vuln/SNYK-PYTHON-TORCH-10337834] in torch@2.7.1
    introduced by torch@2.7.1 and 2 other path(s)
  No upgrade or patch available
  ✗ Improper Check for Unusual or Exceptional Conditions [Medium Severity][https://security.snyk.io/vuln/SNYK-PYTHON-TORCH-9726944] in torch@2.7.1
    introduced by torch@2.7.1 and 2 other path(s)
  No upgrade or patch available

Organization:      trumant
Package manager:   poetry
Target file:       pyproject.toml
Project name:      uqlm
Open source:       no
Project path:      /Users/travistruman/dev/uqlm
Licenses:          enabled

[pre-commit-snyk] 2025-07-22 09:00:52 level=info Snyk exit code: 0

zizmor...................................................................Passed
```

Author: trumant

.github/dependabot.yml

@@ -0,0 +1,11 @@
+# See https://docs.github.com/en/code-security/dependabot/working-with-dependabot/dependabot-options-reference
+version: 2
+updates:
+  - package-ecosystem: "pip"
+    directory: "/"
+    schedule:
+      interval: "daily"
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "daily"

.github/workflows/ci.yaml

@@ -6,6 +6,8 @@ on:
 
 jobs:
   run-tests:
+    permissions:
+      contents: read
     strategy:
       fail-fast: false
       matrix:
@@ -21,15 +23,20 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4.2.2
+        with:
+          persist-credentials: false
 
       - name: Set up Python
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@v5.6
         with:
           python-version: ${{matrix.python-version}}
 
       - name: Install dependencies
-        run: python -m pip install pytest pytest-asyncio langchain-openai .
+        run: |
+          python -m pip install --upgrade pip
+          pip install poetry
+          poetry install --all-groups
 
       - name: Run tests
-        run: pytest -v
+        run: poetry run pytest -v

.github/workflows/linting.yml

@@ -1,35 +1,37 @@
 name: Linting with Ruff
 
 on:
-    pull_request:
-        branches:
-          - main
-          - develop
-    workflow_dispatch:
+  pull_request:
+    branches:
+      - main
+      - develop
+  workflow_dispatch:
 
 concurrency:
-    group: ${{ github.workflow }}-${{ github.ref }}
-    cancel-in-progress: true
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
 
 jobs:
-    ruff-formatting:
-        runs-on: ubuntu-latest
-        steps:
-        - uses: actions/checkout@v4
-        - name: Set up Python
-          uses: actions/setup-python@v5
-          with:
-            python-version: "3.9"
-            cache: 'pip'
-        - name: Get Ruff version and install
-          run: |
-              pip install poetry
-              RUFF_VERSION=$(poetry show --only=dev | grep '^ruff ' | awk '{print $3}')
-              echo "Installing ruff==$RUFF_VERSION"
-              pip install ruff==$RUFF_VERSION
-        - name: Lint with Ruff
-          run: |
-            ruff check uqlm/
-        - name: Check for unformatted files
-          run: |
-            ruff format --check uqlm/
+  ruff-formatting:
+    permissions:
+      contents: read
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4.2.2
+        with:
+          persist-credentials: false
+      - name: Set up Python
+        uses: actions/setup-python@v5.6
+        with:
+          python-version: "3.9"
+          cache: 'pip'
+      - name: Install Ruff
+        run: |
+            pip install poetry
+            poetry install --all-groups
+      - name: Lint with Ruff
+        run: |
+          poetry run ruff check
+      - name: Check for unformatted files
+        run: |
+          poetry run ruff format --check

.pre-commit-config.yaml

@@ -5,3 +5,25 @@ repos:
       - id: ruff
         args: [ --fix ]
       - id: ruff-format
+  - repo: https://github.com/PyCQA/bandit
+    rev: 1.8.6
+    hooks:
+      - id: bandit
+        args: [--config=bandit.yml]
+  - repo: https://github.com/gitleaks/gitleaks
+    rev: v8.27.2
+    hooks:
+      - id: gitleaks
+  - repo: https://github.com/fabasoad/pre-commit-snyk
+    rev: v1.0.2
+    hooks:
+      - id: snyk-test
+        args:
+          - --snyk-args=--file=poetry.lock
+          - --snyk-args=--package-manager=pip
+          - --snyk-args=--fail-on=upgradable
+  - repo: https://github.com/zizmorcore/zizmor-pre-commit
+    rev: v1.11.0
+    hooks:
+      # Run the linter.
+      - id: zizmor

bandit.yml

@@ -0,0 +1,6 @@
+exclude_dirs:
+  - assets
+  - examples
+  - tests
+skips:
+  - B101

examples/judges_demo.ipynb

@@ -66,15 +66,14 @@
   },
   {
    "cell_type": "code",
-   "execution_count": 1,
+   "execution_count": null,
    "metadata": {
     "tags": []
    },
    "outputs": [],
    "source": [
     "import os\n",
     "from uqlm import LLMPanel\n",
-    "from uqlm.judges import LLMJudge\n",
     "from uqlm.utils import load_example_dataset, math_postprocessor"
    ]
   },

poetry.lock

@@ -33,6 +33,8 @@ bert-score = "^0.3.0"
 pandas = "^2.2.3"
 sentence-transformers = "^3.4.0"
 datasets = "^3.3.2"
+aiohttp = "^3.12.14"
+torch = "^2.7.1"
 
 
 [tool.poetry.group.dev]
@@ -44,6 +46,7 @@ ipywidgets = "^8.1.5"
 ruff = "0.9.7"
 pre-commit = "^4.1.0"
 ipykernel = "^6.29.5"
+bandit = "^1.8.6"
 
 [tool.poetry.group.test]
 optional = true
@@ -103,7 +106,7 @@ line-length = 400
 
 [tool.ruff.lint]
 #What rules to enable
-select = ["E", "F"]
+select = ["E", "F", "S"]
 # E = pycodestyle errors
 # F = pyflakes
 # I = isort (import sorting)
@@ -113,7 +116,8 @@ select = ["E", "F"]
 # S = bandit (security)
 
 #What rules to ignore
-ignore = []
+ignore = ["S101"]
+per-file-ignores = { "tests/test_similarity.py" = ["S603","S607"] }
 
 
 [tool.ruff.format]

pyproject.toml

@@ -0,0 +1,104 @@
+header:
+  schema-version: 2.0.0
+  last-updated: '2025-07-22'
+  last-reviewed: '2025-07-22'
+  url: https://github.com/cvs-health/uqlm
+
+project:
+  documentation:
+    code-of-conduct: https://github.com/cvs-health/uqlm/blob/main/CODE_OF_CONDUCT.md
+    quickstart-guide: https://cvs-health.github.io/uqlm/latest/getstarted.html
+  homepage: https://cvs-health.github.io/uqlm/
+  name: "uqlm: Uncertainty Quantification for Language Models"
+  administrators:
+    - name: Dylan Bouchard
+      affiliation: CVS Health
+      email: dylan.bouchard@cvshealth.com
+      primary: true
+    - name: Mohit Singh Chauhan
+      affiliation: CVS Health
+      email: mohitsingh.chauhan@cvshealth.com
+      primary: false
+    - name: David Skarbrevik
+      affiliation: CVS Health
+      email: david.skarbrevik@cvshealth.com
+    - name: Viren Bajaj
+      affiliation: CVS Health
+      email: bajajv@aetna.com
+    - name: Ho-Kyeong Ra
+      affiliation: CVS Health
+      email: doyajii1@gmail.com
+    - name: Zeya Ahmad
+      affiliation: CVS Health
+      email: zeya.ahmad@cvshealth.com
+  repositories:
+    - name: LangFair
+      url: https://github.com/cvs-health/uqlm
+      comment: cvs-health/uqlm is the primary repository for uqlm.
+  vulnerability-reporting:
+    bug-bounty-available: false
+    contact:
+      name: Dylan Bouchard
+      affiliation: CVS Health
+      email: dylan.bouchard@cvshealth.com
+      primary: true
+    reports-accepted: true
+    # security-policy: TODO: Add security policy URL
+
+repository:
+  url: https://github.com/cvs-health/uqlm
+  status: active
+  accepts-change-request: true
+  accepts-automated-change-request: true
+  core-team:
+    - name:        Dylan Bouchard
+      affiliation: CVS Health
+      email: dylan.bouchard@cvshealth.com
+      primary:     true
+  documentation:
+    contributing-guide: https://github.com/cvs-health/uqlm/blob/main/CONTRIBUTING.md
+  license:
+    url: https://github.com/cvs-health/uqlm/blob/main/LICENSE
+    expression: "Apache-2.0"
+  security:
+    assessments:
+      self:
+        comment: Self assessment with SCA, SAST and secret leak tools completed July 2025 to establish baseline.
+        date: '2025-07-22'
+    tools:
+      - name: Dependabot
+        type: SCA
+        version: "2"
+        rulesets:
+          - built-in
+        results:
+          adhoc:
+            name: Scheduled SCA Scan Results
+            predicate-uri: https://docs.github.com/en/graphql/reference/objects#repositoryvulnerabilityalert
+            location: https://github.com/cvs-health/uqlm/security/dependabot
+            comment: |
+              The results of the scheduled SCA scan are available in the Dependabot tab of the Security Insights page.
+        integration:
+          adhoc: true
+          ci: false
+          release: false
+      - name: bandit
+        comment: Used in pre-commit and CI to check for security issues in Python code.
+        type: SAST
+        version: "1.8.6"
+        rulesets:
+          - bandit.yml
+        integration:
+          adhoc: true
+          ci: true
+          release: true
+      - name: Snyk Open Source
+        comment: Used in pre-commit to check for vulnerabilities in dependencies.
+        type: SCA
+        version: "1.1298.0"
+        rulesets:
+          - default
+        integration:
+          adhoc: true
+          ci: false
+          release: false

security-insights.yml

@@ -94,7 +94,7 @@ def _download(url, my_file_path):
         print(f"BLEURT checkpoint not found. Downloading to: {zip_file_path}")
 
         try:
-            response = requests.get(url)
+            response = requests.get(url, timeout=(5, 60))
             if response.status_code == 200:
                 with open(zip_file_path, "wb") as f:
                     f.write(response.content)