.github/workflows/pr-security.yml

name: Security Checks
on:
  pull_request:
    types: [opened, synchronize, reopened]

permissions:
  contents: read
  pull-requests: write

concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref }}
  cancel-in-progress: true

jobs:
  rule_check:
    runs-on: ubuntu-latest
    continue-on-error: true
    steps:
      - uses: actions/checkout@v4
      - name: Run Report
        id: report
        uses: bearer/bearer-action@v2
        with:
          format: rdjson
          output: rd.json
          diff: true
      - uses: reviewdog/action-setup@v1
        with:
          reviewdog_version: latest
      - name: Run reviewdog
        env:
          REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          cat rd.json | reviewdog -f=rdjson -reporter=github-pr-review
  sbom:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Create SBOM
        uses: anchore/sbom-action@v0
        with:
          output-file: "${{ github.event.repository.name }}-sbom.spdx.json"
      - name: Scan SBOM
        uses: anchore/scan-action@v3
        with:
          sbom: "${{ github.event.repository.name }}-sbom.spdx.json"
          fail-build: true
          severity-cutoff: critical