
chore: supply-chain hardening

- Add CODEOWNERS with default owner and release-critical path protection
- Add SECURITY.md with vulnerability disclosure policy
- Add .github/dependabot.yml for Go modules + GitHub Actions updates

Co-authored-by: Cursor <cursoragent@cursor.com>
Bryan Beverly, 4 days ago
Parent
Commit 1207d58159
3 changed files with 44 additions and 0 deletions
  1. .github/CODEOWNERS (+8, -0)
  2. .github/dependabot.yml (+17, -0)
  3. SECURITY.md (+19, -0)

+ 8 - 0
.github/CODEOWNERS

@@ -0,0 +1,8 @@
+# Default — every PR requires at least one org member review.
+*                          @bryanbeverly @dustin-decker @dxa4481 @zricethezav
+
+# Release-critical paths
+/.github/                  @bryanbeverly @dustin-decker @dxa4481 @zricethezav
+/.goreleaser.yml           @bryanbeverly @dustin-decker @dxa4481 @zricethezav
+/go.mod                    @bryanbeverly @dustin-decker @dxa4481 @zricethezav
+/go.sum                    @bryanbeverly @dustin-decker @dxa4481 @zricethezav
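Review bot: the comment on the first line promises more than this file can deliver. CODEOWNERS only assigns reviewers; "every PR requires at least one org member review" is enforced only when branch protection or a repository ruleset on the release branch has "Require review from Code Owners" turned on, and that setting is not part of this change, so either state the dependency in the comment or add the protection in the same PR. Second, the four "Release-critical paths" rules list exactly the same owners as the `*` default, so as written they change nothing; if they are meant to document sensitivity, say so in the comment, otherwise give them a narrower owner set than the default (the `/.github/` entry is the one that matters most, since whoever owns that directory can rewrite this file and the workflows).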

+ 17 - 0
.github/dependabot.yml

@@ -0,0 +1,17 @@
+version: 2
+updates:
+  - package-ecosystem: "gomod"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 10
+
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 5
+    groups:
+      actions:
+        patterns:
+          - "*"
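Review bot: the two blocks are grouped the wrong way round for review load. The `gomod` block has no `groups`, so with a weekly schedule and `open-pull-requests-limit: 10` every module bump arrives as its own PR, while the `github-actions` block groups everything under a single `"*"` pattern, so a major-version bump of one action lands in the same PR as patch bumps of the others and is easy to wave through. Consider adding a group for Go minor and patch updates (`update-types: ["minor", "patch"]`) to cut noise, and keeping action major bumps out of the `actions` group so they get their own PR, since those are the changes to the workflows that most need a careful read. Not visible in this hunk: whether the workflows pin actions to commit SHAs; Dependabot updates SHA-pinned actions too, and pinning is what makes reviewing such a bump meaningful.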

+ 19 - 0
SECURITY.md

@@ -0,0 +1,19 @@
+# Security Policy
+
+## Supported Versions
+
+| Version | Supported |
+|---------|-----------|
+| Latest  | Yes       |
+
+## Reporting a Vulnerability
+
+If you discover a security vulnerability in gitleaks, please report it responsibly:
+
+1. **Do not open a public issue.**
+2. Use [GitHub's private vulnerability reporting](https://github.com/gitleaks/gitleaks/security/advisories/new) to submit your report directly.
+3. Include a description of the vulnerability, steps to reproduce, and any relevant logs or screenshots.
+
+## Scope
+
+This policy covers `gitleaks` (this repository). For vulnerabilities in `gitleaks-action`, please report them at [gitleaks/gitleaks-action](https://github.com/gitleaks/gitleaks-action/security/advisories/new).
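Review bot: the "Supported Versions" table (`| Latest  | Yes       |`) does not define "Latest" (latest tagged release, latest major line, or `main`), so a reporter cannot tell whether a finding against the previous minor will be fixed; state the rule explicitly. In step 3, "any relevant logs or screenshots" deserves a caveat specific to this project: reports about a secret scanner will tend to include scanner output, so ask reporters to redact or substitute any real credentials before submitting, otherwise the advisory itself becomes a leak. Step 2's link only works if private vulnerability reporting is enabled in the repository's security settings, which this commit does not show. An acknowledgement and response-time expectation is the usual missing item in a policy of this length.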