.github/workflows/security-scan.yml

name: Security Scan

on:
  schedule:
    # Run weekly on Sunday at 00:00 UTC
    - cron: '0 0 * * 0'
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]

permissions:
  security-events: write
  actions: read
  contents: read

jobs:
  dependency-scan:
    name: Dependency Security Scan
    runs-on: ubuntu-latest
    strategy:
      matrix:
        directory: ['src/backend', 'src/web']
    
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Setup Node.js
        uses: actions/setup-node@v3
        with:
          node-version: '18.x'
          cache: 'npm'
          cache-dependency-path: ${{ matrix.directory }}/package.json

      - name: Install dependencies
        working-directory: ${{ matrix.directory }}
        run: npm ci

      - name: Run npm audit
        working-directory: ${{ matrix.directory }}
        run: npm audit --audit-level=high
        continue-on-error: true

      - name: Setup Snyk
        uses: snyk/actions/setup@v1

      - name: Run Snyk scan
        working-directory: ${{ matrix.directory }}
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        run: snyk test --severity-threshold=high
        continue-on-error: true

      - name: Upload Snyk report
        uses: github/codeql-action/upload-sarif@v2
        if: always()
        with:
          sarif_file: snyk.sarif

  code-analysis:
    name: CodeQL Analysis
    runs-on: ubuntu-latest
    
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v2
        with:
          languages: javascript, typescript
          queries: security-extended,security-and-quality

      - name: Setup Node.js
        uses: actions/setup-node@v3
        with:
          node-version: '18.x'

      - name: Install dependencies
        run: |
          cd src/backend && npm ci
          cd ../web && npm ci

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v2
        with:
          category: "/language:javascript"

  container-scan:
    name: Container Security Scan
    runs-on: ubuntu-latest
    strategy:
      matrix:
        image: ['backend', 'web']
    
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Build container image
        run: |
          docker build -t saas-benchmarks-${{ matrix.image }}:${{ github.sha }} \
            -f src/${{ matrix.image }}/Dockerfile .

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@0.12.0
        with:
          image-ref: saas-benchmarks-${{ matrix.image }}:${{ github.sha }}
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'HIGH,CRITICAL'
          vuln-type: 'os,library'

      - name: Upload Trivy scan results
        uses: github/codeql-action/upload-sarif@v2
        if: always()
        with:
          sarif_file: 'trivy-results.sarif'

  security-report:
    name: Generate Security Report
    needs: [dependency-scan, code-analysis, container-scan]
    runs-on: ubuntu-latest
    if: always()
    
    steps:
      - name: Generate summary
        run: |
          echo "# Security Scan Summary" >> $GITHUB_STEP_SUMMARY
          echo "## Scans Performed" >> $GITHUB_STEP_SUMMARY
          echo "- Dependency Security Scan" >> $GITHUB_STEP_SUMMARY
          echo "- CodeQL Analysis" >> $GITHUB_STEP_SUMMARY
          echo "- Container Security Scan" >> $GITHUB_STEP_SUMMARY
          echo "## Status" >> $GITHUB_STEP_SUMMARY
          echo "- Dependency Scan: ${{ needs.dependency-scan.result }}" >> $GITHUB_STEP_SUMMARY
          echo "- Code Analysis: ${{ needs.code-analysis.result }}" >> $GITHUB_STEP_SUMMARY
          echo "- Container Scan: ${{ needs.container-scan.result }}" >> $GITHUB_STEP_SUMMARY

      - name: Notify on failure
        if: failure()
        run: |
          echo "::error::Security scan failed. Please review the detailed reports."