export gh secret scanning results

LiveReview Pre-Commit Check: skipped (iter:1, coverage:0%)

Author: shrsv

Makefile

@@ -170,7 +170,7 @@ SECURITY_GOVULN_PACKAGES := $(filter-out ./scripts,$(TEST_PACKAGES))
 testall:
 	$(GOTEST) -count=1 $(TEST_PACKAGES)
 
-.PHONY: security-govulncheck security-govulncheck-json security-osv security-gitleaks security-semgrep security-dependabot security-triage
+.PHONY: security-govulncheck security-govulncheck-json security-osv security-gitleaks security-semgrep security-dependabot security-gh-secret-scanning security-triage
 
 # Run Go vulnerability analysis for reachable vulnerabilities.
 security-govulncheck:
@@ -277,6 +277,21 @@ security-dependabot:
 			--paginate > "$$dated_report"; \
 		echo "Wrote $$dated_report"
 
+# Pull secret scanning alerts via GitHub API and emit a dated JSON artifact under security_issues/.
+security-gh-secret-scanning:
+	@command -v $(GH) >/dev/null 2>&1 || { \
+		echo "gh not found. Install from https://cli.github.com/"; \
+		exit 1; \
+	}
+	@mkdir -p security_issues
+	@dated_report="security_issues/gh-secret-scanning-live-review-$(shell date +%d-%m-%Y).json"; \
+		$(GH) api \
+			-H "Accept: application/vnd.github+json" \
+			-H "X-GitHub-Api-Version: 2022-11-28" \
+			/repos/$(GH_REPO)/secret-scanning/alerts \
+			--paginate > "$$dated_report"; \
+		echo "Wrote $$dated_report"
+
 # Regenerate machine-readable and markdown triage artifacts from the latest OSV report.
 security-triage: security-osv
 	@python3 scripts/extract_osv_report.py \