.github/workflows/security.yml

name: CI Security Pipeline

on:
  push:
    branches:
      - '**'
  pull_request:
    branches:
      - '**'

jobs:
  security-checks:
    name: Security Checks
    runs-on: ubuntu-latest
    strategy:
      matrix:
        node-version: [22.x]
      fail-fast: false
    
    permissions: 
      contents: read
      security-events: write
      
    steps:
      - name: Checkout Repository
        uses: actions/checkout@v4

      - name: Setup Node.js ${{ matrix.node-version }}
        uses: actions/setup-node@v4.1.0
        with:
          node-version: ${{ matrix.node-version }}
          cache: 'npm'

      - name: Install Dependencies
        run: npm ci
        
      - name: Build
        run: npm run build
        
      - name: Run Tests
        run: npm run test

      - name: OWASP Dependency Check
        id: dependency-check
        continue-on-error: true
        uses: dependency-check/Dependency-Check_Action@main
        with:
          project: 'HyVueGantt'
          path: '.'
          format: 'HTML'
          args: >
            --failOnCVSS 7
            --enableRetired

      - name: Run Syft
        uses: anchore/sbom-action@v0.17.9
        with:
          format: spdx-json
          output-file: sbom-${{ github.event.repository.name }}-${{ matrix.node-version }}.spdx.json

      - name: Run Grype
        uses: anchore/scan-action@v6.0.0
        continue-on-error: true
        with:
          sbom: sbom-${{ github.event.repository.name }}-${{ matrix.node-version }}.spdx.json
          fail-build: true
          severity-cutoff: "high"
          output-format: json
          output-file: reports/grype-results.json

      - name: Archive Security Results
        uses: actions/upload-artifact@v4.5.0
        if: always()
        with:
          name: security-scan-results-node-${{ matrix.node-version }}
          path: |
            dependency-check-report.html
            sbom-${{ github.event.repository.name }}-${{ matrix.node-version }}.spdx.json
            ${{github.workspace}}/reports
          retention-days: 2

      #- name: Notify on Failure
      #  if: failure()
      #  uses: actions/github-script@v7
      #  with:
      #    script: |
      #      const nodeVersion = '${{ matrix.node }}';
      #      github.rest.issues.create({
      #        owner: context.repo.owner,
      #        repo: context.repo.repo,
      #        title: `Security Scan Failed - Node ${nodeVersion}`,
      #        body: `Security scan failed for Node.js ${nodeVersion} in workflow run: ${context.serverUrl}/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId}`,
      #        labels: ['security', 'ci-failure']
      #      })