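---
# Weekly / on-change security scan of the Python code base: dependency audit
# (pip-audit), static analysis (bandit) and a simple grep for committed secrets.
# Runs on a self-hosted Debian runner and works in a throwaway directory under
# /var/lib/aitbc-workspaces that is removed again in the final step.
name: Security Scanning

on:
  push:
    branches: [main, develop]
    paths:
      - 'apps/**'
      - 'packages/**'
      - 'cli/**'
      - '.gitea/workflows/security-scanning.yml'
  pull_request:
    branches: [main, develop]
  schedule:
    # Every Monday at 03:00 (runner-local time zone as configured on the host).
    - cron: '0 3 * * 1'
  workflow_dispatch:

concurrency:
  group: security-scanning-${{ github.ref }}
  cancel-in-progress: true

jobs:
  security-scan:
    runs-on: debian
    timeout-minutes: 15
    env:
      # The concurrency group above is per ref, so runs for two different refs
      # may execute at the same time; a per-run directory keeps them from
      # clobbering each other's checkout (the old fixed path was shared).
      WORKSPACE: "/var/lib/aitbc-workspaces/security-scan-${{ github.run_id }}"
      # NOTE(review): cleartext http:// clone of the code under review. If the
      # Gitea instance serves HTTPS, switch the scheme so the runner cannot be
      # fed a modified tree by an on-path host — confirm with the server admin.
      REPO_URL: "http://gitea.bubuit.net:3000/oib/aitbc.git"
    steps:
      - name: Clone repository
        run: |
          set -eo pipefail
          rm -rf "$WORKSPACE"
          mkdir -p "$WORKSPACE"
          cd "$WORKSPACE"
          # Fetch the exact commit that triggered the run instead of the default
          # branch, so pushes to develop and pull requests are scanned at their
          # own revision. Requires the server to allow fetch-by-SHA (Gitea
          # normally does — confirm if the fetch fails).
          git init -q repo
          cd repo
          git remote add origin "$REPO_URL"
          git fetch -q --depth 1 origin "${{ github.sha }}"
          git checkout -q --detach FETCH_HEAD

      - name: Setup tools
        run: |
          set -eo pipefail
          cd "$WORKSPACE/repo"
          # Ensure standard directories exist. None of the scan steps below
          # read or write them; they are created for parity with other jobs.
          mkdir -p /var/lib/aitbc/data /var/lib/aitbc/keystore /etc/aitbc /var/log/aitbc
          python3 -m venv venv
          source venv/bin/activate
          # TODO(review): pin the scanner versions (or install from a
          # hash-checked constraints file) so the scan itself is reproducible
          # and not exposed to an unpinned PyPI release.
          pip install -q bandit pip-audit
          echo "✅ Security tools installed"

      - name: Python dependency audit
        run: |
          set -eo pipefail
          cd "$WORKSPACE/repo"
          source venv/bin/activate
          echo "=== Dependency Audit ==="
          # pip-audit exits non-zero on a known-vulnerable pin, which fails the job.
          pip-audit -r requirements.txt --desc
          echo "✅ Dependency audit completed"

      - name: Bandit security scan
        run: |
          set -eo pipefail
          cd "$WORKSPACE/repo"
          source venv/bin/activate
          echo "=== Bandit Security Scan ==="
          # B101 (assert) and B311 (random) are skipped; findings below medium
          # severity are not reported.
          bandit -r apps/ packages/py/ cli/ \
            -s B101,B311 \
            --severity-level medium \
            -f txt -q
          echo "✅ Bandit scan completed"

      - name: Check for secrets
        run: |
          set -eo pipefail
          cd "$WORKSPACE/repo"
          echo "=== Secret Detection ==="
          # Simple pattern check for leaked secrets. The exclusion filter is a
          # plain substring match, so any path or line containing e.g. "test"
          # (including "latest", "attest") is dropped from the results.
          secret_matches=$(mktemp)
          password_matches=$(mktemp)
          trap 'rm -f "$secret_matches" "$password_matches"' EXIT
          grep -RInE "PRIVATE_KEY[[:space:]]*=[[:space:]]*['\"]" apps/ packages/ cli/ 2>/dev/null \
            | grep -vE 'example|test|mock|dummy' > "$secret_matches" || true
          grep -RInE "password[[:space:]]*=[[:space:]]*['\"][^'\"]*['\"]" apps/ packages/ cli/ 2>/dev/null \
            | grep -vE 'example|test|mock|dummy|placeholder' > "$password_matches" || true
          # Report only file:line, not the matched text, so a real credential is
          # not copied into the (long-lived, widely readable) CI log.
          if [[ -s "$secret_matches" ]]; then
            echo "❌ Possible secrets found"
            cut -d: -f1,2 "$secret_matches"
            exit 1
          fi
          if [[ -s "$password_matches" ]]; then
            echo "❌ Possible hardcoded passwords"
            cut -d: -f1,2 "$password_matches" | head -5
            exit 1
          fi
          echo "✅ No hardcoded secrets detected"

      - name: Cleanup
        if: always()
        # Guard against an empty variable so this can never expand to `rm -rf ""`
        # of the wrong directory.
        run: '[ -n "$WORKSPACE" ] && rm -rf "$WORKSPACE"'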