From eb5402c77c9ed9e13d79bb803179774462081924 Mon Sep 17 00:00:00 2001
From: Naomi Carrigan
Date: Thu, 11 Dec 2025 20:12:36 +0100
Subject: [PATCH] feat: automated upload of .gitea/workflows/security.yml

---
 .gitea/workflows/security.yml | 71 +++++++++++++++++++++++++++++++++++
 1 file changed, 71 insertions(+)
 create mode 100644 .gitea/workflows/security.yml

diff --git a/.gitea/workflows/security.yml b/.gitea/workflows/security.yml
new file mode 100644
index 0000000..cb4dca5
--- /dev/null
+++ b/.gitea/workflows/security.yml
@@ -0,0 +1,71 @@
+name: Security Scan
+
+on:
+  push:
+    branches: [ main, master, develop ]
+  pull_request:
+    branches: [ main, master, develop ]
+  schedule:
+    # Run weekly on Mondays at 00:00 UTC
+    - cron: '0 0 * * 1'
+  workflow_dispatch:
+
+jobs:
+  trivy-scan:
+    name: Trivy Security Scan
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      # Combined scan for vulnerabilities, secrets, and IaC misconfigurations
+      - name: Run Trivy comprehensive security scan
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'fs'
+          scan-ref: '.'
+          scanners: 'vuln,secret,config'
+          format: 'table'
+          output: 'trivy-results.txt'
+          severity: 'CRITICAL,HIGH,MEDIUM,LOW'
+          # Fail on any vulnerability found
+          exit-code: '1'
+          # Don't ignore unfixed vulnerabilities
+          ignore-unfixed: false
+          # Skip database update to speed up scans (uses cached DB)
+          skip-db-update: false
+
+      # Display results for visibility
+      - name: Display Trivy scan results
+        if: always()
+        run: |
+          if [ -f trivy-results.txt ]; then
+            echo "=== Trivy Security Scan Results ==="
+            cat trivy-results.txt
+          fi
+
+      # Static code analysis with Semgrep
+      - name: Run Semgrep static analysis
+        uses: returntocorp/semgrep-action@v1
+        with:
+          config: >-
+            p/security-audit
+            p/owasp-top-ten
+            p/ci
+            p/security
+          generateSarif: '1'
+          outputFormat: 'text'
+          outputFile: 'semgrep-results.txt'
+          # Fail on any finding
+          error: 'true'
+
+      # Display Semgrep results
+      - name: Display Semgrep scan results
+        if: always()
+        run: |
+          if [ -f semgrep-results.txt ]; then
+            echo "=== Semgrep Static Analysis Results ==="
+            cat semgrep-results.txt
+          fi
+
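Review bot: The Trivy step at `uses: aquasecurity/trivy-action@master` tracks a mutable branch, so every run of this security workflow executes whatever that branch currently contains, with no reproducible or reviewable version; pin it the way the checkout step is pinned, e.g. `uses: aquasecurity/trivy-action@<release-tag-or-commit-sha>` (placeholder, choose a fixed ref), and ideally pin all three actions to commit SHAs rather than tags. Because that step sets `exit-code: '1'` and the `Run Semgrep static analysis` step carries no `if: always()`, any Trivy finding aborts the job before Semgrep runs, so the two scanners are not both reported on a failing run; add `if: always()` to the Semgrep scan step as the two display steps already do. The comment above `skip-db-update: false` says the database update is skipped, which contradicts the value; replace it with `# Always refresh the vulnerability DB before scanning`. Whether Gitea Actions resolves these GitHub-hosted actions identically is not visible from the hunk and may need confirming on the runner.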