Add security audit and SAST workflow

Author: Alb4don

.github/workflows/security-scan.yml

@@ -0,0 +1,53 @@
+name: "Security Audit and SAST"
+
+on:
+  push:
+    branches: [ "main", "master" ]
+  pull_request:
+    branches: [ "main", "master" ]
+  schedule:
+    - cron: '0 2 * * 1' # Executes every Monday at 02:00 UTC
+
+permissions:
+  contents: read
+  security-events: write
+
+jobs:
+  python-security-scan:
+    name: Source Code and Dependency Analysis
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Repository Checkout
+        uses: actions/checkout@v4
+
+      - name: Python Environment Initialization
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.11'
+          cache: 'pip'
+
+      - name: Security Tooling Installation
+        run: |
+          python -m pip install --upgrade pip
+          pip install bandit safety
+
+      - name: Application Dependency Installation
+        run: |
+          if [ -f requirements.txt ]; then pip install -r requirements.txt; fi
+
+      - name: Bandit Static Application Security Testing (SAST)
+        run: |
+          bandit -r . -ll -ii -x ./tests,./venv
+
+      - name: Safety Dependency Vulnerability Check
+        run: |
+          if [ -f requirements.txt ]; then safety check -r requirements.txt --full-report; fi
+
+      - name: Secret Scanning Initialization
+        uses: trufflesecurity/trufflehog@main
+        with:
+          path: ./
+          base: ${{ github.event.repository.default_branch }}
+          head: HEAD
+          extra_args: --debug --only-verified