password_manager 0.2.5

name: Security Scan Pipeline

on:
  push:
    branches: [ main, develop ]
  pull_request:
    branches: [ main ]
  schedule:
    - cron: '0 4 * * *'  # Daily at 4 AM UTC

jobs:
  security-audit:
    name: Security Audit
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4

    - name: Install Rust toolchain
      uses: dtolnay/rust-toolchain@stable
      with:
        toolchain: stable

    - name: Install cargo-audit
      run: cargo install cargo-audit

    - name: Run security audit
      run: cargo audit

    - name: Run cargo-audit with advisory database
      run: cargo audit --db /tmp/advisory-db
      continue-on-error: true

  dependency-check:
    name: Dependency Check
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4

    - name: Install Rust toolchain
      uses: dtolnay/rust-toolchain@stable
      with:
        toolchain: stable

    - name: Install cargo-outdated
      run: cargo install cargo-outdated

    - name: Check for outdated dependencies
      run: cargo outdated --exit-code 1 || true

  code-scanning:
    name: Code Scanning
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4

    - name: Install Rust toolchain
      uses: dtolnay/rust-toolchain@stable
      with:
        toolchain: stable

    - name: Install cargo-clippy
      run: rustup component add clippy

    - name: Cache Rust dependencies
      uses: actions/cache@v4
      with:
        path: |
          ~/.cargo/registry
          ~/.cargo/git
          target
        key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}

    - name: Build project
      run: cargo build --all-features

    - name: Run clippy security checks
      run: cargo clippy --all-features -- -D warnings || echo "Clippy completed with warnings"

    - name: Run cargo check for security issues
      run: cargo check --all-features --all-targets

  rust-security-audit:
    name: Rust Security Audit
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4

    - name: Install Rust toolchain
      uses: dtolnay/rust-toolchain@stable
      with:
        toolchain: stable

    - name: Install cargo-audit
      run: cargo install cargo-audit

    - name: Run security audit
      run: cargo audit

  gitleaks:
    name: GitLeaks
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4
      with:
        fetch-depth: 0

    - name: Run Gitleaks
      uses: gitleaks/gitleaks-action@v2
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        GITLEAKS_ENABLE_UPLOAD_ARTIFACTS: true