fix: use free security scanners for private repo

Author: nikolay-e

.github/workflows/security.yml

@@ -8,77 +8,61 @@ on:
 
 permissions:
   contents: read
-  security-events: write
   actions: read
 
 jobs:
   # ============================================================================
-  # CodeQL Security Analysis
+  # Bandit Python Security Scanner
   # ============================================================================
-  codeql:
-    name: CodeQL Analysis
+  bandit:
+    name: Bandit Security Scan
     runs-on: ubuntu-latest
 
-    strategy:
-      fail-fast: false
-      matrix:
-        language: ['python', 'javascript']
-
     steps:
       - name: Checkout repository
         uses: actions/checkout@v6
 
-      - name: Initialize CodeQL
-        uses: github/codeql-action/init@v4
+      - name: Set up Python
+        uses: actions/setup-python@v6
         with:
-          languages: ${{ matrix.language }}
-          queries: +security-extended,security-and-quality
+          python-version: "3.12"
+
+      - name: Install Bandit
+        run: pip install bandit[toml]
 
-      - name: Autobuild
-        uses: github/codeql-action/autobuild@v4
+      - name: Run Bandit
+        run: |
+          bandit -r src/ -f json -o bandit-results.json || true
+          bandit -r src/ -f txt -o bandit-results.txt || true
 
-      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v4
+      - name: Upload Bandit results
+        uses: actions/upload-artifact@v4
         with:
-          category: "/language:${{matrix.language}}"
-          upload: true  # Upload results to Security tab
+          name: bandit-results
+          path: |
+            bandit-results.json
+            bandit-results.txt
 
   # ============================================================================
-  # SonarCloud Quality Gate
+  # Semgrep Security Scanner
   # ============================================================================
-  sonarcloud:
-    name: SonarCloud Analysis
+  semgrep:
+    name: Semgrep Security Scan
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v6
-        with:
-          fetch-depth: 0 # Shallow clones disabled for better analysis
+      - name: Checkout repository
+        uses: actions/checkout@v6
 
-      - name: Set up Python
-        uses: actions/setup-python@v6
+      - name: Run Semgrep
+        uses: returntocorp/semgrep-action@v1
         with:
-          python-version: "3.12"
-
-      - name: Install dependencies
-        run: |
-          python -m pip install --upgrade pip
-          pip install -e .[dev]
-
-      - name: Run tests with coverage
-        run: |
-          pytest \
-            --cov=src/arbitrium \
-            --cov-report=xml \
-            --cov-branch \
-            --junitxml=test-results.xml \
-            -n auto
-
-      - name: SonarCloud Scan
-        uses: SonarSource/sonarqube-scan-action@v6
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+          config: >-
+            p/python
+            p/javascript
+            p/typescript
+            p/security-audit
+          generateSarif: false
 
   # ============================================================================
   # Trivy Container Scanning
@@ -110,12 +94,19 @@ jobs:
         uses: aquasecurity/[email protected]
         with:
           image-ref: 'arbitrium-backend:scan'
-          format: 'sarif'
-          output: 'trivy-results.sarif'
+          format: 'table'
+          severity: 'CRITICAL,HIGH,MEDIUM'
+
+      - name: Run Trivy (JSON output)
+        uses: aquasecurity/[email protected]
+        with:
+          image-ref: 'arbitrium-backend:scan'
+          format: 'json'
+          output: 'trivy-results.json'
           severity: 'CRITICAL,HIGH,MEDIUM'
 
-      - name: Upload Trivy results to GitHub Security
-        uses: github/codeql-action/upload-sarif@v4
+      - name: Upload Trivy results
+        uses: actions/upload-artifact@v4
         with:
-          sarif_file: 'trivy-results.sarif'
-          category: 'container-security'
+          name: trivy-results
+          path: trivy-results.json