docs(security): add more details (#9525)

Co-authored-by: Andoni Alonso <14891798+andoniaf@users.noreply.github.com>

docs/security.mdx

@@ -24,6 +24,80 @@ We enforce [pre-commit](https://github.com/prowler-cloud/prowler/blob/master/.pr
 
 Our container registries are continuously scanned for vulnerabilities, with findings automatically reported to our security team for assessment and remediation. This process evolves alongside our stack as we adopt new languages, frameworks, and technologies, ensuring our security practices remain comprehensive, proactive, and adaptable.
 
+### Static Application Security Testing (SAST)
+
+We employ multiple SAST tools across our codebase to identify security vulnerabilities, code quality issues, and potential bugs during development:
+
+#### CodeQL Analysis
+- **Scope**: UI (JavaScript/TypeScript), API (Python), and SDK (Python)
+- **Frequency**: On every push and pull request, plus daily scheduled scans
+- **Integration**: Results uploaded to GitHub Security tab via SARIF format
+- **Purpose**: Identifies security vulnerabilities, coding errors, and potential exploits in source code
+
+#### Python Security Scanners
+- **Bandit**: Detects common security issues in Python code (SQL injection, hardcoded passwords, etc.)
+  - Configured to ignore test files and report only high-severity issues
+  - Runs on both SDK and API codebases
+- **Pylint**: Static code analysis with security-focused checks
+  - Integrated into pre-commit hooks and CI/CD pipelines
+
+#### Code Quality & Dead Code Detection
+- **Vulture**: Identifies unused code that could indicate incomplete implementations or security gaps
+- **Flake8**: Style guide enforcement with security-relevant checks
+- **Shellcheck**: Security and correctness checks for shell scripts
+
+### Software Composition Analysis (SCA)
+
+We continuously monitor our dependencies for known vulnerabilities and ensure timely updates:
+
+#### Dependency Vulnerability Scanning
+- **Safety**: Scans Python dependencies against known vulnerability databases
+  - Runs on every commit via pre-commit hooks
+  - Integrated into CI/CD for SDK and API
+  - Configured with selective ignores for tracked exceptions
+- **Trivy**: Multi-purpose scanner for containers and dependencies
+  - Scans all container images (UI, API, SDK, MCP Server)
+  - Checks for vulnerabilities in OS packages and application dependencies
+  - Reports findings to GitHub Security tab
+
+#### Automated Dependency Updates
+- **Dependabot**: Automated pull requests for dependency updates
+  - **Python (pip)**: Monthly updates for SDK
+  - **GitHub Actions**: Monthly updates for workflow dependencies
+  - **Docker**: Monthly updates for base images
+  - Temporarily paused for API and UI to maintain stability during active development
+  - **Security-first approach**: Even when paused, Dependabot automatically creates pull requests for security vulnerabilities, ensuring critical security patches are never delayed
+
+### Container Security
+
+All container images are scanned before deployment:
+
+- **Trivy Vulnerability Scanning**:
+  - Scans images for vulnerabilities and misconfigurations
+  - Generates SARIF reports uploaded to GitHub Security tab
+  - Creates PR comments with scan summaries
+  - Configurable to fail builds on critical findings
+  - Reports include CVE counts and remediation guidance
+- **Hadolint**: Dockerfile linting to enforce best practices
+  - Validates Dockerfile syntax and structure
+  - Ensures secure image building practices
+
+### Secrets Detection
+
+We protect against accidental exposure of sensitive credentials:
+
+- **TruffleHog**: Scans entire codebase and Git history for secrets
+  - Runs on every push and pull request
+  - Pre-commit hook prevents committing secrets
+  - Detects high-entropy strings, API keys, tokens, and credentials
+  - Configured to report verified and unknown findings
+
+### Security Monitoring
+
+- **GitHub Security Tab**: Centralized view of all security findings from CodeQL, Trivy, and other SARIF-compatible tools
+- **Artifact Retention**: Security scan reports retained for post-deployment analysis
+- **PR Comments**: Automated security feedback on pull requests for rapid remediation
+
 ## Reporting Vulnerabilities
 
 At Prowler, we consider the security of our open source software and systems a top priority. But no matter how much effort we put into system security, there can still be vulnerabilities present.