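# Security scanning workflow: npm dependency audit + TruffleHog secrets scan.
#
# Review notes:
# - No `permissions:` block was set, so the job token got the repository's
#   default grant (which can be read/write). Both jobs only read the checkout,
#   so the token is restricted to `contents: read` below.
# - Third-party actions are referenced by tag or branch. A mutable ref
#   (`trufflehog@main` in particular) can change between runs; when adopting
#   this, pin every `uses:` to a full commit SHA and keep the tag in a comment.
name: 🔒 Security Scanning

on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main]
  schedule:
    # Weekly, Sunday 00:00 UTC.
    - cron: '0 0 * * 0'
  workflow_dispatch:

# Least privilege: nothing here writes to the repo, issues or pull requests.
permissions:
  contents: read

jobs:
  dependency-scan:
    name: 📦 Dependencies
    runs-on: ubuntu-latest
    timeout-minutes: 15
    steps:
      - name: 📥 Checkout
        uses: actions/checkout@v4  # TODO(review): pin to a commit SHA

      - name: 🔧 Setup Node
        uses: actions/setup-node@v4  # TODO(review): pin to a commit SHA
        with:
          node-version: '20'

      - name: 📦 Install
        # --ignore-scripts keeps package lifecycle scripts from executing on
        # the runner; the audit only needs the resolved dependency tree.
        run: npm ci --ignore-scripts

      - name: 🔍 Audit
        # Informational only: `|| true` together with continue-on-error means
        # this step never fails the workflow, so --audit-level does not gate
        # merges. Drop both if moderate+ findings should block.
        continue-on-error: true
        run: |
          npm audit --audit-level=moderate --json > audit-results.json || true

      - name: 📊 Report
        run: |
          echo "### 🔒 Security Audit" >> "$GITHUB_STEP_SUMMARY"
          if [ -f audit-results.json ]; then
            # .metadata.vulnerabilities is the per-severity count map in
            # `npm audit --json` output; -r drops the JSON string quotes so the
            # summary reads `critical: 0` rather than `"critical: 0"`.
            VULNS=$(jq -r '.metadata.vulnerabilities | to_entries[] | "\(.key): \(.value)"' audit-results.json 2>/dev/null || echo "No data")
            echo '```' >> "$GITHUB_STEP_SUMMARY"
            echo "$VULNS" >> "$GITHUB_STEP_SUMMARY"
            echo '```' >> "$GITHUB_STEP_SUMMARY"
          fi

  secrets-scan:
    name: 🔐 Secrets
    runs-on: ubuntu-latest
    timeout-minutes: 15
    steps:
      - name: 📥 Checkout
        uses: actions/checkout@v4  # TODO(review): pin to a commit SHA
        with:
          # Full history: TruffleHog walks commits, not just the working tree.
          fetch-depth: 0

      - name: 🔍 Scan
        # NOTE(review): @main is a moving branch ref; pin to a release SHA.
        uses: trufflesecurity/trufflehog@main
        with:
          path: ./
          # `base`/`head` are intentionally omitted. This workflow also runs
          # on push to the default branch, on schedule and on
          # workflow_dispatch, where the previous
          # `base: ${{ github.event.repository.default_branch }}` / `head: HEAD`
          # resolve to the same commit; per the action's README that case is
          # reported as "BASE and HEAD commits are the same" and nothing is
          # scanned. With them omitted the action derives the range from the
          # event (before/after on push, base/head SHAs on pull_request, full
          # history on schedule and dispatch).
          extra_args: --only-verified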