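---
# Security scanning workflow: SAST (gosec), dependency vulnerability check
# (govulncheck), Makefile/shell/YAML linting and an optional Trivy scan of
# the Dockerfile. gosec results go to the Security tab; raw reports are kept
# as a build artifact for review.
name: Security Scan

on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main, develop]
  schedule:
    # Run security scan weekly on Sundays at 00:00 UTC
    - cron: "0 0 * * 0"

# Default-deny at the workflow level; the job below requests only what it needs.
permissions: {}

jobs:
  security:
    name: Security Analysis
    runs-on: ubuntu-latest
    # NOTE: on pull_request events from a fork GITHUB_TOKEN is read-only, so the
    # SARIF upload step cannot get security-events: write there and will fail.
    permissions:
      security-events: write  # upload-sarif
      contents: read
      actions: read  # upload-sarif reads the workflow run's status
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Setup Go
        uses: ./.github/actions/setup
        with:
          token: ${{ github.token }}

      # Security Scanning with gosec (SAST). gosec fails this step when it
      # reports issues; the SARIF upload still runs because of always().
      - name: Run gosec Security Scanner
        uses: securego/gosec@424fc4cd9c82ea0fd6bee9cd49c2db2c3cc0c93f # v2.22.11
        with:
          args: "-fmt sarif -out gosec-results.sarif ./..."

      - name: Upload gosec results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@19b2f06db2b6f5108140aeb04014ef02b648f789 # v4.31.11
        if: always()
        with:
          sarif_file: gosec-results.sarif

      # Dependency Vulnerability Scanning.
      # The actions above are pinned to commit SHAs, but the Go tools installed
      # with `@latest` in this and the following steps are not, so an
      # unreviewed upstream release flows straight into this job. Pin them to a
      # reviewed version (e.g. `@v<PINNED_VERSION>`) once the project picks one.
      - name: Run govulncheck
        run: |
          go install golang.org/x/vuln/cmd/govulncheck@latest
          # Exit code 0 (clean) and 3 (vulnerabilities found) both mean the scan
          # ran; any other code (build or network failure) must fail the step
          # rather than be hidden behind an empty report that the parse step
          # below would treat as "no vulnerabilities".
          rc=0
          govulncheck -json ./... > govulncheck-results.json || rc=$?
          if [ "$rc" -ne 0 ] && [ "$rc" -ne 3 ]; then
            echo "::error::govulncheck did not complete (exit code $rc)"
            exit "$rc"
          fi

      - name: Parse govulncheck results
        run: |
          if [ -s govulncheck-results.json ]; then
            echo "::warning::Vulnerability check completed. Check govulncheck-results.json for details."
            # The JSON stream contains a "finding" object per affected symbol or
            # module, so any match means at least one hit.
            if grep -i -q '"finding"' govulncheck-results.json; then
              echo "::error::Vulnerabilities found in dependencies!"
              cat govulncheck-results.json
              exit 1
            fi
          fi

      # Makefile Linting
      - name: Run checkmake on Makefile
        run: |
          go install github.com/checkmake/checkmake/cmd/checkmake@latest
          checkmake --config=.checkmake Makefile

      # Shell Script Formatting Check (shfmt -d exits non-zero on any diff)
      - name: Check shell script formatting
        run: |
          go install mvdan.cc/sh/v3/cmd/shfmt@latest
          shfmt -d .

      - name: Run YAML linting
        uses: ibiqlik/action-yamllint@2576378a8e339169678f9939646ee3ee325e845c # v3.1.1
        with:
          file_or_dir: .
          strict: true

      # Docker Security (if Dockerfile exists)
      - name: Run Docker security scan
        if: hashFiles('Dockerfile') != ''
        # Best-effort: `|| true` keeps an image pull or scan failure from
        # failing the job, so findings here are informational only. The image
        # tag floats; pin it to a digest (aquasec/trivy@sha256:<DIGEST>) to make
        # the scanner itself reproducible. `--scanners` replaces the deprecated
        # `--security-checks` flag, whose removal was being masked by `|| true`.
        run: |
          docker run --rm -v "$PWD":/workspace \
            aquasec/trivy:latest fs --scanners vuln,misconfig /workspace/Dockerfile || true

      # Upload artifacts for review
      - name: Upload security scan results
        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
        if: always()
        with:
          name: security-scan-results
          path: |
            gosec-results.sarif
            govulncheck-results.json
          retention-days: 30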