security-scan.yml

name: "Security Audit and SAST"

on:
  push:
    branches: [ "main", "master" ]
  pull_request:
    branches: [ "main", "master" ]
  schedule:
    - cron: '0 2 * * 1' # Executes every Monday at 02:00 UTC

permissions:
  contents: read
  security-events: write

jobs:
  python-security-scan:
    name: Source Code and Dependency Analysis
    runs-on: ubuntu-latest

    steps:
      - name: Repository Checkout
        uses: actions/checkout@v4

      - name: Python Environment Initialization
        uses: actions/setup-python@v5
        with:
          python-version: '3.11'
          cache: 'pip'

      - name: Security Tooling Installation
        run: |
          python -m pip install --upgrade pip
          pip install bandit safety

      - name: Application Dependency Installation
        run: |
          if [ -f requirements.txt ]; then pip install -r requirements.txt; fi

      - name: Bandit Static Application Security Testing (SAST)
        run: |
          bandit -r . -ll -ii -x ./tests,./venv

      - name: Safety Dependency Vulnerability Check
        run: |
          if [ -f requirements.txt ]; then safety check -r requirements.txt --full-report; fi

      - name: Secret Scanning Initialization
        uses: trufflesecurity/trufflehog@main
        with:
          path: ./
          base: ${{ github.event.repository.default_branch }}
          head: HEAD
          extra_args: --debug --only-verified