feat: add Socket Security supply chain scanning

.github/workflows/socket-security.yml

@@ -0,0 +1,20 @@
+name: Socket Security
+
+on:
+  pull_request:
+    branches: [main]
+
+jobs:
+  scan:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
+      issues: write
+      security-events: write
+    steps:
+      - uses: actions/checkout@v6
+
+      - uses: SocketDev/socket-security-py-action@v1
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}

socket.yml

@@ -0,0 +1,46 @@
+version: 2
+
+issueRules:
+  # Supply chain threats — critical for a security plugin
+  malware: true
+  didYouMean: true
+  gptMalware: true
+  installScripts: true
+  obfuscatedFile: true
+  manifestConfusion: true
+  troll: true
+
+  # Runtime behavior — high relevance for a sandboxing project
+  networkAccess: true
+  shellAccess: true
+  envVars: true
+  filesystemAccess: true
+  usesEval: true
+
+  # Dependency sourcing risks
+  gitDependency: true
+  httpDependency: true
+  gitHubDependency: true
+
+  # Ownership and maintenance
+  unstableOwnership: true
+  newAuthor: true
+  deprecated: true
+  unmaintained: true
+
+  # Vulnerability tracking
+  criticalCVE: true
+  cve: true
+  mediumCVE: true
+
+  # Quality signals
+  trivialPackage: true
+  highEntropyStrings: true
+  debugAccess: true
+  telemetry: true
+
+githubApp:
+  enabled: true
+  pullRequestAlertsEnabled: true
+  dependencyOverviewEnabled: true
+  projectReportsEnabled: true