From afc76fc35377d531afd2b1a048f2aed39e7b4373 Mon Sep 17 00:00:00 2001
From: Michael Onyekwere
Date: Sat, 28 Mar 2026 15:56:44 +0000
Subject: [PATCH 1/2] ci: add KYA security scan for MCP dependencies
---
 .github/workflows/kya-scan.yml | 9 +++++++++
 1 file changed, 9 insertions(+)
 create mode 100644 .github/workflows/kya-scan.yml
diff --git a/.github/workflows/kya-scan.yml b/.github/workflows/kya-scan.yml
new file mode 100644
index 0000000..c41baeb
--- /dev/null
+++ b/.github/workflows/kya-scan.yml
@@ -0,0 +1,9 @@
+name: KYA Security Scan
+on: [push, pull_request]
+
+jobs:
+ kya-scan:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - uses: Thezenmonster/kya-scan-action@v1
From 2017dcb18af0879fe8e051f975014a49904d4bae Mon Sep 17 00:00:00 2001
From: Michael Onyekwere
Date: Sat, 28 Mar 2026 15:59:46 +0000
Subject: [PATCH 2/2] fix: pin action to commit SHA, add explicit permissions block
---
 .github/workflows/kya-scan.yml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/kya-scan.yml b/.github/workflows/kya-scan.yml
index c41baeb..0e8960e 100644
--- a/.github/workflows/kya-scan.yml
+++ b/.github/workflows/kya-scan.yml
@@ -1,9 +1,13 @@
 name: KYA Security Scan
 on: [push, pull_request]
+permissions:
+ contents: read
+
 jobs:
 kya-scan:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
- - uses: Thezenmonster/kya-scan-action@v1
+ - uses: Thezenmonster/kya-scan-action@d4d86df07bacaefe57970b69db6fa7a776dfe15b
+
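Review bot: The `actions/checkout@v4` step added in PATCH 1/2 uses the action's defaults, which leave the workflow token in the checked-out repository's git configuration, and the very next step runs third-party code in that same workspace. Adding `with:` and `persist-credentials: false` under the checkout step removes that exposure. The scan presumably only needs the files on disk, but that should be confirmed against the scan action's documentation. The step is unchanged in PATCH 2/2, so the point applies to the final workflow as well.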
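Review bot: After PATCH 2/2 the two `uses:` lines follow different pinning policies: the scan action is fixed to a commit SHA while `actions/checkout@v4` still resolves a mutable tag. Pinning it the same way, `- uses: actions/checkout@<full-commit-sha> # v4` (placeholder, to be filled from the upstream release), keeps every code input of the job immutable. The new SHA line also gives no hint of which release it corresponds to. A trailing comment such as `# v1`, if that is the release the SHA was taken from, would let reviewers and update tooling verify the pin.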