name: Security Audit

# `on` is a YAML 1.1 boolean-looking key; GitHub's loader handles it.
# yamllint disable-line rule:truthy
on:
  push:
    branches:
      - develop
      - main
  pull_request:
    branches:
      - develop
      - main
  schedule:
    # Daily at 00:00 UTC (GitHub cron schedules are always UTC).
    - cron: '0 0 * * *'
  workflow_dispatch:

# Workflow-wide default token scope; each job grants only what it needs.
permissions: read-all

jobs:
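  secret-scan:
    name: Secret Scanning
    runs-on: ubuntu-latest
    timeout-minutes: 30
    permissions:
      contents: read
    steps:
      # Same runner hardening the sca-audit job already applies, so both jobs
      # get egress auditing.
      - name: Harden Runner
        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: audit

      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # Full history so gitleaks scans past commits, not only HEAD.
          fetch-depth: 0
          # The workspace is bind-mounted into a third-party container below;
          # do not leave GITHUB_TOKEN behind in .git/config for it to read.
          persist-credentials: false

      - name: Gitleaks Secret Scan
        run: |
          # Use the Gitleaks Docker image to avoid license requirements of the managed GitHub Action.
          # TODO(review): replace the mutable ':latest' tag with a pinned release tag or an
          # @sha256 digest so the scanner cannot change underneath this workflow.
          # --rm removes the container afterwards; --redact keeps secret values out of the log.
          docker run --rm -v ${{ github.workspace }}:/path zricethezav/gitleaks:latest detect --source=/path --verbose --redact
        # Findings are advisory: a non-zero gitleaks exit does not fail the job.
        continue-on-error: true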

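  sca-audit:
    name: Software Composition Analysis
    runs-on: ubuntu-latest
    timeout-minutes: 30
    permissions:
      contents: read
      # Required by the upload-sarif step to publish code-scanning results.
      security-events: write
      actions: read
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: audit

      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # No later step pushes to or fetches from this repository, so the
          # token does not need to stay in .git/config.
          persist-credentials: false

      - name: Checkout coreason-manifest
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          repository: CoReason-AI/coreason-manifest
          ref: main
          path: coreason-manifest
          # GHCR_PAT is expected to grant read access to the sibling repository;
          # the GITHUB_TOKEN fallback only works where that repository is
          # already readable by this workflow's token. Fork PRs have no secrets.
          token: ${{ secrets.GHCR_PAT || secrets.GITHUB_TOKEN }}
          fetch-depth: 0
          fetch-tags: true
          # The PAT is only needed for the clone itself; do not persist it
          # into the checked-out repository's .git/config.
          persist-credentials: false

      - name: Link coreason-manifest as sibling
        # Later steps expect the manifest next to the workspace, not inside it.
        run: ln -sfn $(pwd)/coreason-manifest ../coreason-manifest
        shell: bash

      - name: Checkout coreason-urn-authority
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          repository: CoReason-AI/coreason-urn-authority
          path: coreason-urn-authority
          token: ${{ secrets.GHCR_PAT || secrets.GITHUB_TOKEN }}
          fetch-depth: 0
          fetch-tags: true
          # Same reasoning as above: keep the PAT out of .git/config.
          persist-credentials: false

      - name: Link coreason-urn-authority as sibling
        run: ln -sfn $(pwd)/coreason-urn-authority ../coreason-urn-authority
        shell: bash

      - name: Install uv
        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
        with:
          enable-cache: false
          python-version: '3.14'

      - name: Python SCA Audit (pip-audit)
        # `shell: bash` on GitHub runs with -e and -o pipefail, so a failed
        # `uv export` aborts the step rather than auditing an empty file.
        run: |
          if [ -f "pyproject.toml" ]; then
            uv export --format requirements-txt > requirements.txt
            # pip-audit exits non-zero on findings; the SARIF upload below is
            # what surfaces them, so the job itself stays green.
            uv tool run pip-audit -r requirements.txt -f sarif -o pip-audit.sarif || echo "Vulnerabilities found!"
            uv tool run pip-audit -r requirements.txt -f html -o pip-audit-report.html || true
          fi
        shell: bash

      - name: Node.js SCA Audit (npm audit)
        run: |
          if [ -f "package.json" ]; then
            # --package-lock-only resolves the tree without installing or
            # running lifecycle scripts.
            npm install --package-lock-only
            npm audit --json > npm-audit.json || true
            # TODO(review): pin the converter to a specific version; a bare
            # npx invocation resolves whatever the registry serves at run time.
            npx @microsoft/npm-audit-sarif -i npm-audit.json -o npm-audit.sarif || true
          fi
        shell: bash

      - name: Black Duck Compliance Check
        # Placeholder step; no scan is performed yet.
        run: |
          echo "INFO: Ready for Black Duck integration."
        shell: bash

      - name: Upload SARIF Reports to GitHub Advanced Security
        uses: github/codeql-action/upload-sarif@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4.35.5
        with:
          # A directory: every *.sarif produced above is uploaded.
          sarif_file: .
        # Upload failures (e.g. no SARIF produced, or code scanning disabled)
        # are not treated as audit failures.
        continue-on-error: true

      - name: Upload Compliance Reports as Artifacts
        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
        with:
          name: security-audit-reports
          path: |
            pip-audit-report.html
            npm-audit.json
          retention-days: 14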