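name: Security Scan

on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main, develop]
  schedule:
    # Run security scan weekly on Sundays at 00:00 UTC
    - cron: "0 0 * * 0"

# Default to no token permissions; each job grants only what it needs.
permissions: {}

jobs:
  security:
    name: Security Analysis
    runs-on: ubuntu-latest
    permissions:
      security-events: write  # needed to upload SARIF to the Security tab
      contents: read
      actions: read
    steps:
      - name: Checkout repository
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

      - name: Setup Go
        uses: ./.github/actions/setup
        with:
          token: ${{ github.token }}

      # Security Scanning with gosec
      - name: Run gosec Security Scanner
        uses: securego/gosec@6be2b51fd78feca86af91f5186b7964d76cb1256 # v2.22.10
        with:
          args: "-fmt sarif -out gosec-results.sarif ./..."

      - name: Upload gosec results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@16140ae1a102900babc80a33c44059580f687047 # v4.30.9
        if: always()
        with:
          sarif_file: gosec-results.sarif

      # Dependency Vulnerability Scanning
      # NOTE(review): `@latest` fetches an unpinned tool on every run (also for
      # checkmake and shfmt below). For a reproducible scan, pin to a tagged
      # release (@<version-to-pin>) the way the actions above are pinned to SHAs.
      - name: Run govulncheck
        run: |
          go install golang.org/x/vuln/cmd/govulncheck@latest
          # A non-zero exit is tolerated here (findings or a tool error); the
          # next step inspects the JSON and decides whether the job fails.
          govulncheck -json ./... > govulncheck-results.json || true

      - name: Parse govulncheck results
        run: |
          # An empty result file means govulncheck itself did not run or crashed
          # (the `|| true` above hides its exit code). Fail instead of silently
          # reporting a clean scan.
          if [ ! -s govulncheck-results.json ]; then
            echo "::error::govulncheck produced no output; the dependency scan did not run"
            exit 1
          fi
          echo "::warning::Vulnerability check completed. Check govulncheck-results.json for details."
          # "finding" entries in the JSON stream mark affected module versions;
          # presumably they include ones not reached by this code path — confirm
          # against the govulncheck JSON format before treating each hit as reachable.
          if grep -i -q '"finding"' govulncheck-results.json; then
            echo "::error::Vulnerabilities found in dependencies!"
            cat govulncheck-results.json
            exit 1
          fi

      # Makefile Linting
      - name: Run checkmake on Makefile
        run: |
          go install github.com/checkmake/checkmake/cmd/checkmake@latest
          checkmake --config=.checkmake Makefile

      # Shell Script Formatting Check
      - name: Check shell script formatting
        run: |
          go install mvdan.cc/sh/v3/cmd/shfmt@latest
          shfmt -d .

      - name: Run YAML linting
        uses: ibiqlik/action-yamllint@2576378a8e339169678f9939646ee3ee325e845c # v3.1.1
        with:
          file_or_dir: .
          strict: true

      # Docker Security (if Dockerfile exists)
      # NOTE(review): `aquasec/trivy:latest` is an unpinned scanner image; pin it
      # by digest (aquasec/trivy@sha256:<digest-to-pin>) for reproducible runs.
      # The scan stays non-blocking (`|| true`), but its report is now written
      # into the mounted workspace so it can be uploaded and reviewed instead
      # of being discarded.
      - name: Run Docker security scan
        if: hashFiles('Dockerfile') != ''
        run: |
          docker run --rm -v "$PWD":/workspace \
            aquasec/trivy:latest fs --security-checks vuln,config \
            --format sarif --output /workspace/trivy-results.sarif \
            /workspace/Dockerfile || true

      - name: Upload Trivy results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@16140ae1a102900babc80a33c44059580f687047 # v4.30.9
        # Only when the scan above actually produced a report.
        if: hashFiles('trivy-results.sarif') != ''
        with:
          sarif_file: trivy-results.sarif
          # Distinguish this upload from the gosec SARIF in the same job.
          category: trivy-dockerfile

      # Upload artifacts for review
      - name: Upload security scan results
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        if: always()
        with:
          name: security-scan-results
          path: |
            gosec-results.sarif
            govulncheck-results.json
            trivy-results.sarif
          retention-days: 30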