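---
# Security Scanning workflow (Gitea Actions).
#
# Runs pip-audit, bandit and a grep-based secret check against the commit
# that triggered the run, then fails the job if any scanner reported
# findings.  Previously every tool's exit status was swallowed with
# `|| echo ...`, so the job was always green and could never block a
# merge; stderr was also discarded, which made a tool crash or an
# unreachable package index indistinguishable from a clean result.
name: Security Scanning

on:
  push:
    branches: [main, develop]
    paths:
      - 'apps/**'
      - 'packages/**'
      - 'cli/**'
      - '.gitea/workflows/security-scanning.yml'
  pull_request:
    branches: [main, develop]
  schedule:
    # Weekly (Monday 03:00) so advisories published against unchanged
    # dependencies are still picked up.
    - cron: '0 3 * * 1'
  workflow_dispatch:

# One in-flight run per ref; a newer push to the same ref cancels the older scan.
concurrency:
  group: security-scanning-${{ github.ref }}
  cancel-in-progress: true

# The job only needs to read the repository.
# NOTE(review): Gitea Actions may not honour `permissions`; harmless if ignored.
permissions:
  contents: read

env:
  # Per-run workspace.  The concurrency group above is per *ref*, so a
  # main push, a develop push and a scheduled run can execute at the same
  # time on one runner; with the old fixed path each run's `rm -rf` could
  # wipe another run's checkout mid-scan.
  WORKSPACE: /var/lib/aitbc-workspaces/security-scan-${{ github.run_id }}

defaults:
  run:
    shell: bash

jobs:
  security-scan:
    runs-on: debian
    timeout-minutes: 15
    steps:
      - name: Clone repository
        env:
          # Passed through the environment rather than interpolated into the
          # script so a ref name containing shell metacharacters cannot
          # inject commands.
          REF: ${{ github.ref }}
          # NOTE(review): confirm github.server_url is reachable from the
          # runner; the previous hard-coded URL was http://gitea.bubuit.net:3000
          # (plain HTTP, so the clone could be tampered with in transit).
          REPO_URL: ${{ github.server_url }}/${{ github.repository }}.git
        run: |
          set -euo pipefail
          rm -rf "$WORKSPACE"
          mkdir -p "$WORKSPACE"
          cd "$WORKSPACE"
          # Fetch the ref that triggered the run instead of cloning the
          # default branch: a pull_request run must scan the PR's code, not
          # whatever main currently is.
          # NOTE(review): relies on github.ref being refs/pull/N/head for
          # pull_request events on this Gitea instance — verify once.
          git init -q repo
          cd repo
          git remote add origin "$REPO_URL"
          git fetch -q --depth 1 origin "$REF"
          git checkout -q FETCH_HEAD
          echo "Scanning $(git rev-parse HEAD) ($REF, event sha ${{ github.sha }})"

      - name: Setup tools
        run: |
          set -euo pipefail
          cd "$WORKSPACE/repo"
          # The application runtime directories (/var/lib/aitbc/{data,keystore},
          # /etc/aitbc, /var/log/aitbc) are no longer created here: none of the
          # scan steps read them, and a scanning job should not be provisioning
          # a keystore directory on the runner host.
          python3 -m venv venv
          # `safety` was installed but never invoked, so it is dropped.
          # NOTE(review): pin these (ideally with --require-hashes) so a
          # compromised or broken PyPI release cannot alter scan results;
          # versions deliberately not guessed here.
          venv/bin/pip install -q bandit pip-audit
          echo "✅ Security tools installed"

      - name: Python dependency audit
        id: pip_audit
        # Findings must not stop the remaining scanners from running; the
        # gate step at the end turns the job red.
        continue-on-error: true
        run: |
          set -euo pipefail
          cd "$WORKSPACE/repo"
          echo "=== Dependency Audit ==="
          # stderr is kept on purpose: silencing it hid tool errors behind
          # a "no vulnerabilities" result.
          # NOTE(review): only the top-level requirements.txt is audited;
          # add per-app requirement files here if they pin more packages.
          venv/bin/pip-audit -r requirements.txt --desc

      - name: Bandit security scan
        id: bandit
        continue-on-error: true
        run: |
          set -euo pipefail
          cd "$WORKSPACE/repo"
          echo "=== Bandit Security Scan ==="
          # B101 (assert used) and B311 (non-crypto random) are accepted
          # noise; anything of medium severity or higher is reported.
          venv/bin/bandit -r apps/ packages/py/ cli/ \
            -s B101,B311 \
            --severity-level medium \
            -f txt -q

      - name: Check for secrets
        id: secrets
        continue-on-error: true
        run: |
          set -euo pipefail
          cd "$WORKSPACE/repo"
          echo "=== Secret Detection ==="
          # Simple pattern check for leaked secrets.
          #
          # Exclusions are applied to the *path* (test/example/mock/fixture
          # directories) and to the quoted *value* (obvious placeholders),
          # not to the whole line: the old `grep -v test` also discarded any
          # hit whose path or line merely contained "test" (e.g. "latest",
          # "attestation"), which is a silent false negative.
          #
          # Results are taken from captured output rather than the exit
          # status of a `grep | grep -v | head` pipeline, which only worked
          # when the shell happened to have pipefail enabled.
          skip_path='(^|/)(tests?|examples?|mocks?|fixtures?)/'
          skip_value="=\s*['\"][^'\"]*(example|test|mock|dummy|placeholder)[^'\"]*['\"]"

          keys=$(grep -rnE "PRIVATE_KEY\s*=\s*['\"]" apps/ packages/ cli/ \
                   | grep -vE "$skip_path" | grep -viE "$skip_value" || true)
          # `+` rather than `*`: an empty string literal is not a leaked password.
          pwds=$(grep -rnE "password\s*=\s*['\"][^'\"]+['\"]" apps/ packages/ cli/ \
                   | grep -vE "$skip_path" | grep -viE "$skip_value" || true)

          status=0
          if [ -n "$keys" ]; then
            echo "⚠️ Possible secrets found"
            echo "$keys"
            status=1
          else
            echo "✅ No secrets detected"
          fi
          if [ -n "$pwds" ]; then
            echo "⚠️ Possible hardcoded passwords"
            echo "$pwds" | head -5
            status=1
          else
            echo "✅ No hardcoded passwords"
          fi
          exit "$status"

      - name: Fail on findings
        # Single place where the job turns red, after every scanner has
        # produced its report.  A scan step "fails" both on findings and on
        # a tool error; either deserves a human look.
        # NOTE(review): relies on steps.<id>.outcome — confirm the act_runner
        # version in use exposes it.
        if: steps.pip_audit.outcome == 'failure' || steps.bandit.outcome == 'failure' || steps.secrets.outcome == 'failure'
        run: |
          echo "::error::One or more security scans reported findings — see the step logs above"
          exit 1

      - name: Cleanup
        if: always()
        run: rm -rf "$WORKSPACE"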