onvif-go/.github/workflows/security.yml

name: Security Scan

on:
  push:
    branches: [ master, main ]
  pull_request:
    branches: [ master, main ]
  schedule:
    - cron: '0 0 * * 0'  # Weekly on Sunday

permissions:
  contents: read
  security-events: write

jobs:
  gosec:
    name: Security Scan (gosec)
    runs-on: ubuntu-latest
    
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      
      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version: '1.23'
      
      - name: Run Gosec Security Scanner
        uses: securego/gosec@master
        with:
          args: '-no-fail -fmt json -out gosec-report.json ./...'
      
      - name: Upload gosec report
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: gosec-report
          path: gosec-report.json
          retention-days: 30
      
      - name: Display gosec results
        if: always()
        run: |
          if [ -f gosec-report.json ]; then
            echo "📊 Gosec Security Scan Results:"
            cat gosec-report.json | jq -r '.Stats // empty' || echo "No stats available"
            echo ""
            echo "Issues found:"
            cat gosec-report.json | jq -r '.Issues[]? | "\(.severity | ascii_upcase): \(.rule_id) - \(.details)"' || echo "No issues found"
          fi

  govulncheck:
    name: Vulnerability Check (govulncheck)
    runs-on: ubuntu-latest
    
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      
      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version: '1.23'
      
      - name: Run govulncheck
        run: |
          go install golang.org/x/vuln/cmd/govulncheck@latest
          govulncheck ./...