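# BlackRoad Security Agent
# Specialized workflow for security-related tasks
# Runs security scans, audits, and remediation
#
# Triggered manually only (workflow_dispatch). Workflow inputs reach shell
# steps exclusively through `env:` so an input value is never spliced into
# the script text: `${{ }}` inside `run:` is expanded before the shell sees
# it, which is GitHub's documented script-injection vector.
name: Security Agent

# `on` is a YAML 1.1 truthy key; GitHub's loader reads it as the trigger map.
on:
  workflow_dispatch:
    inputs:
      task_id:
        description: 'Security task ID'
        required: true
        type: string
      scan_type:
        description: 'Type of security scan'
        required: false
        type: choice
        options:
          - full
          - dependencies
          - secrets
          - codeql
        default: 'dependencies'

# Least privilege: read-only checkout; `security-events: write` is what
# codeql-action/analyze needs to upload its results.
permissions:
  contents: read
  security-events: write
  actions: read

jobs:
  security-scan:
    runs-on: ubuntu-latest
    timeout-minutes: 45
    steps:
      - name: Checkout repository
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
        with:
          fetch-depth: 0
          # Nothing below pushes, so do not leave GITHUB_TOKEN in .git/config;
          # the secret scan of the working tree would otherwise pick it up.
          persist-credentials: false

      - name: Setup Node.js
        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
        with:
          node-version: '20'

      - name: Acknowledge task
        env:
          TASK_ID: ${{ inputs.task_id }}
          SCAN_TYPE: ${{ inputs.scan_type }}
        run: |
          echo "Security task: $TASK_ID"
          echo "Scan type: $SCAN_TYPE"

      - name: Dependency audit
        if: inputs.scan_type == 'dependencies' || inputs.scan_type == 'full'
        # NOTE(review): both scanners run best-effort (`|| true`), so findings
        # never fail the job; results are only visible in the step log unless
        # a gate is added.
        run: |
          if [ -f "package.json" ]; then
            npm audit --audit-level=moderate || true
          fi
          if [ -f "requirements.txt" ]; then
            # `safety` is installed unpinned from PyPI on every run.
            pip install safety
            safety check -r requirements.txt || true
          fi

      - name: Secret scanning
        if: inputs.scan_type == 'secrets' || inputs.scan_type == 'full'
        run: |
          echo "Scanning for secrets..."
          # Install trufflehog.
          # NOTE(review): this fetches and executes an installer from the
          # upstream `main` branch, unpinned and without checksum verification,
          # in a job that has the checked-out tree on disk — a supply-chain
          # weak point. Prefer a pinned release with a verified checksum.
          curl -sSfL https://raw.githubusercontent.com/trufflesecurity/trufflehog/main/scripts/install.sh | sh -s -- -b /usr/local/bin
          # `filesystem` mode scans files in the working tree; git history is a
          # separate trufflehog source, so `fetch-depth: 0` above appears to buy
          # no extra coverage for this step. Result is best-effort (`|| true`).
          trufflehog filesystem . --only-verified || true

      - name: CodeQL Analysis
        if: inputs.scan_type == 'codeql' || inputs.scan_type == 'full'
        uses: github/codeql-action/init@60d8f0d1f1f8c8d07ef53bd027032705d414ec28 # v3
        with:
          languages: javascript, typescript

      - name: CodeQL Analyze
        if: inputs.scan_type == 'codeql' || inputs.scan_type == 'full'
        uses: github/codeql-action/analyze@60d8f0d1f1f8c8d07ef53bd027032705d414ec28 # v3

      - name: Report results
        env:
          TASK_ID: ${{ inputs.task_id }}
          SCAN_TYPE: ${{ inputs.scan_type }}
        run: |
          echo "Security scan completed for task: $TASK_ID"
          echo "Scan type: $SCAN_TYPE"
          echo "Status: completed"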