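# Security Scanning
#
# Runs Bandit (Python static analysis) over src/ on pushes and pull requests
# to main/develop and on a weekly schedule, then publishes the JSON report as
# a build artifact.
name: Security

on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main, develop]
  schedule:
    - cron: '0 0 * * 1'  # Weekly on Monday

# Least privilege for GITHUB_TOKEN: no step in this job writes to the
# repository, so read access to its contents is enough.
permissions:
  contents: read

env:
  # Quoted so the values stay strings whatever parser reads this file.
  # The Poetry installer used below takes its release from POETRY_VERSION.
  POETRY_VERSION: "1.8.0"
  PYTHON_VERSION: "3.12"

jobs:
  security:
    name: Security Scanning
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): the actions below are referenced by mutable
      # major-version tags. Pinning each one to a full commit SHA protects
      # the job against a tag that is later moved to different code.
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          # Nothing in this job pushes, so do not leave the token in the
          # checked-out repository's git configuration.
          persist-credentials: false

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: ${{ env.PYTHON_VERSION }}

      # NOTE(review): this step executes a script downloaded at run time
      # with no integrity check. Installing the pinned release from a
      # hash-verified package source would remove that trust dependency.
      - name: Install Poetry
        run: |
          # Fail the step if the download fails, instead of piping an
          # error page into the interpreter.
          set -o pipefail
          curl -fsSL https://install.python-poetry.org | python3 -
          echo "$HOME/.local/bin" >> "$GITHUB_PATH"

      - name: Install dependencies
        run: |
          poetry config virtualenvs.in-project true
          poetry install

      # NOTE(review): continue-on-error keeps the job green when Bandit
      # reports findings or fails to run, so this workflow reports but does
      # not gate. Someone has to read the uploaded report, or a later step
      # has to fail the job on findings above an agreed severity.
      - name: Run Bandit
        run: |
          poetry run bandit -r src/ -f json -o bandit-report.json
        continue-on-error: true

      # NOTE(review): with continue-on-error a missing report is also
      # tolerated, so a run in which Bandit never produced output still
      # shows as successful.
      - name: Upload Bandit report
        uses: actions/upload-artifact@v4
        with:
          name: bandit-report
          path: bandit-report.json
        continue-on-error: true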