
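# GitHub Actions workflow: runs the project's `task ci:security-scan`
# pipeline on every pull request and on pushes to main/develop, then uploads
# the generated report directories as one artifact (even when a step fails).
name: Security Scan

on:
  pull_request:
  push:
    branches:
      - main
      - develop

# Least privilege for GITHUB_TOKEN: the job only needs to read the repository
# (checkout) and upload artifacts, neither of which requires a write scope, so
# the default token grants are narrowed to read-only.
permissions:
  contents: read

jobs:
  security-scan:
    runs-on: ubuntu-latest
    defaults:
      run:
        # Declaring the shell explicitly makes GitHub run it as
        # `bash -eo pipefail`; the implicit default is `bash -e` only, which
        # lets a failed `wget`/`curl` on the left of a `|` be masked by the
        # succeeding command on the right (see the Trivy key fetch below).
        shell: bash
    steps:
      # Action references below are mutable tags; pinning them to full-length
      # commit SHAs is the usual supply-chain hardening for a security job.
      - name: Checkout
        uses: actions/checkout@v4

      - name: Setup Go
        uses: actions/setup-go@v5
        with:
          # Toolchain version comes from the workspace file, not a literal.
          go-version-file: backend/go.work

      - name: Setup Node
        uses: actions/setup-node@v4
        with:
          node-version: '20'

      - name: Enable Corepack
        run: corepack enable

      - name: Install frontend dependencies
        working-directory: frontend
        # --immutable refuses to rewrite the lockfile, so drift fails the job.
        run: yarn install --immutable

      - name: Install Task
        uses: arduino/setup-task@v2

      - name: Install golangci-lint and gosec
        # NOTE(review): `@latest` is not reproducible between runs; pin both
        # tools to a tagged release once the team settles on one.
        run: |
          go install github.com/golangci/golangci-lint/cmd/golangci-lint@latest
          go install github.com/securego/gosec/v2/cmd/gosec@latest
          echo "$(go env GOPATH)/bin" >> "$GITHUB_PATH"

      - name: Install Trivy
        # The signing key is fetched over HTTPS and the apt source is bound to
        # it via signed-by, so packages are verified against that key only.
        # With pipefail (job default above) a failed key download aborts the
        # step instead of leaving an empty keyring behind.
        run: |
          sudo apt-get update
          sudo apt-get install -y wget gnupg lsb-release
          wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo gpg --dearmor -o /usr/share/keyrings/trivy.gpg
          echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee /etc/apt/sources.list.d/trivy.list
          sudo apt-get update
          sudo apt-get install -y trivy

      - name: Install k6
        uses: grafana/setup-k6-action@v1

      - name: Run Task security pipeline
        run: task ci:security-scan

      - name: Upload reports
        # always(): keep the reports when the scan step fails, since the
        # findings are the reason it failed.
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: security-scan-reports
          path: |
            reports/security
            reports/tests
            reports/docker
            reports/perf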