security.yml

name: Security

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]
  schedule:
    - cron: '0 6 * * 1'  # Weekly on Monday at 6 AM UTC

jobs:
  codeql:
    name: CodeQL Analysis
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write

    steps:
    - name: Checkout repository
      uses: actions/checkout@v6

    - name: Initialize CodeQL
      uses: github/codeql-action/init@v4
      with:
        languages: python

    - name: Autobuild
      uses: github/codeql-action/autobuild@v4

    - name: Perform CodeQL Analysis
      uses: github/codeql-action/analyze@v4

  audit:
    name: Security Audit
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v6
    
    - name: Install uv
      uses: astral-sh/setup-uv@v7
      with:
        enable-cache: true
        cache-dependency-glob: "uv.lock"
    
    - name: Set up Python
      run: uv python install 3.11
    
    - name: Install dependencies
      run: uv sync --all-extras
    
    - name: Run security audit
      run: |
        # Ignoring pip 25.2 vulnerabilities (uv manages pip, not user-facing)
        # Risk: Low - only affects installation of malicious packages from untrusted sources
        # Mitigation: All packages installed from trusted PyPI with uv.lock verification
        uv run pip-audit \
          --ignore-vuln GHSA-4xh5-x5gv-qwph \
          --ignore-vuln GHSA-6vgw-5pg2-w6jp \
          --ignore-vuln GHSA-58qw-9mgm-455v \
          --ignore-vuln ECHO-ffe1-1d3c-d9bc \
          --ignore-vuln ECHO-7db2-03aa-5591