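# Security scanning workflow for codex-lens
# Runs pip-audit to check for known vulnerabilities in dependencies, plus
# advisory-only safety (second vulnerability database) and bandit (insecure
# code patterns) passes.
name: Security Scan

on:
  # Run on push to the default branch(es)
  push:
    branches:
      - main
      - master
  # Also run before merge so a newly vulnerable dependency is caught in
  # review rather than after it lands. The workflow is read-only (see
  # `permissions` below), so running it on pull requests is safe.
  pull_request:
    branches:
      - main
      - master
  # Run weekly on Sundays at 00:00 UTC so advisories published after the
  # last push are still picked up.
  schedule:
    - cron: '0 0 * * 0'
  # Allow manual trigger
  workflow_dispatch:

# Least privilege: nothing here writes to the repository, so the GITHUB_TOKEN
# only needs to read the checkout. Without an explicit block the token gets
# the repository's default permission set, which may include write scopes.
permissions:
  contents: read

jobs:
  security-audit:
    name: Dependency Vulnerability Scan
    runs-on: ubuntu-latest
    # Bound runtime so a hung resolver does not hold a runner indefinitely.
    timeout-minutes: 15
    steps:
      # NOTE(review): third-party actions are pinned to a major tag, which is
      # mutable; pin to a full commit SHA (with the tag in a trailing comment)
      # for a stronger supply-chain guarantee.
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.10'
          cache: 'pip'

      # The scanner itself is installed unpinned from PyPI; pin a version if
      # the audit tool's own supply chain is in scope for this repository.
      - name: Install pip-audit
        run: |
          python -m pip install --upgrade pip
          python -m pip install pip-audit

      # --strict: a dependency that cannot be resolved or audited fails the
      # run instead of being skipped, so a partial audit never reads as clean.
      # Any finding fails the job (default exit behaviour of pip-audit).
      - name: Run pip-audit on requirements.in
        run: pip-audit --strict --requirement requirements.in

      - name: Run pip-audit on pyproject.toml dependencies
        run: pip-audit --strict --project-path .

      # Advisory second opinion from a different vulnerability database.
      # pip-audit resolves the project's dependencies in its own temporary
      # environment and never installs them into this runner, so a bare
      # `safety check` would only inspect pip, pip-audit and safety themselves;
      # point it at the project's requirements explicitly. Findings still do
      # not fail the job (continue-on-error), but the exit status is no longer
      # masked with `|| true`, so a hit is visible as a failed step in the UI.
      # NOTE(review): safety needs pinned versions to match advisories; if
      # requirements.in is unpinned, aim this at the compiled requirements file
      # instead, and switch to `safety scan` if the installed version has
      # retired `check`.
      - name: Check for safety issues
        run: |
          python -m pip install safety
          safety check --json -r requirements.in
        continue-on-error: true

  bandit-security:
    name: Code Security Linting
    runs-on: ubuntu-latest
    timeout-minutes: 10
    steps:
      # NOTE(review): pinned to a mutable major tag; see note in security-audit.
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.10'

      # Quoted so the shell never treats the extras bracket as a glob.
      - name: Install bandit
        run: python -m pip install "bandit[toml]"

      # -ll: report medium severity and above; -i: low confidence and above.
      # Advisory only: continue-on-error means findings never block a merge,
      # so the output has to be read by a human. Once the backlog is clean,
      # drop continue-on-error (or record a baseline with `-b`) to turn this
      # into a gate.
      - name: Run bandit security linter
        run: bandit -r src/ -ll -i
        continue-on-error: true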