.github/workflows/security.yml

name: Security

on:
  pull_request:
  push:
    branches:
      - main
  schedule:
    - cron: '0 0 * * *'

jobs:
  dependencies:
    runs-on: ubuntu-latest
    name: Dependencies & Secrets Scan
    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Code Security Scan
        uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # v0.29.0
        with:
          scan-type: 'fs'
          scanners: vuln,secret
          trivy-config: .trivy.yml
          exit-code: 1
          ignore-unfixed: true
        env:
          TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
          TRIVY_USERNAME: ${{ github.actor }}
          TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}

  bandit:
    runs-on: ubuntu-latest
    name: Bandit
    steps:
      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
      - name: Set up Python
        uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5
        with:
          python-version: "3.12"

      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install bandit

      - name: Run bandit
        run: |
          bandit -r ./src/codegate