platform/.gitea/workflows/security.yml
Yusuf Suleman 6023ebf9d0 feat: tasks app, security hardening, mobile fixes, iOS app shell
- Custom SQLite task manager replacing TickTick wrapper
- 73 tasks migrated from TickTick across 15 projects
- RRULE recurrence engine with lazy materialization
- Dashboard tasks widget (desktop sidebar + mobile card)
- Tasks page with project tabs, add/edit/complete/delete
- Security: locked ports to localhost, removed old containers
- Gitea Actions runner configured and all 3 CI jobs passing
- Fixed mobile overflow on dashboard cards
- iOS Capacitor app shell (Second Brain)
- Frontend/backend guide docs for adding new services
- TickTick Google Calendar sync re-authorized

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-30 15:35:57 -05:00

name: Security Checks

on:
  push:
    branches: [master]
  pull_request:
    branches: [master]
  workflow_dispatch:

jobs:
  dependency-audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'
      - name: Audit Budget dependencies
        working-directory: services/budget
        run: |
          npm ci --production
          npm audit --audit-level=high
      - name: Audit Frontend dependencies
        working-directory: frontend-v2
        run: |
          npm ci
          npm audit --audit-level=high || true  # non-blocking for now

  secret-scanning:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Check for secrets in tracked files
        run: |
          echo "Checking for tracked .env files..."
          if git ls-files | grep -E '\.env$' | grep -v '.env.example'; then
            echo "ERROR: .env files are tracked in git!"
            exit 1
          fi
          echo "Checking for tracked .db files..."
          if git ls-files | grep -E '\.db$'; then
            echo "ERROR: .db files are tracked in git!"
            exit 1
          fi
          echo "Checking for hardcoded secrets patterns..."
          # Match password assignments to a quoted literal of 8+ characters. The quote
          # class uses a literal single quote: grep does not interpret \x27 in a
          # bracket expression, so the original form matched the characters \ x 2 7.
          if grep -rnE "password.*=.*[\"'][a-zA-Z0-9_-]{8,}[\"']" \
            --include='*.py' --include='*.js' --include='*.ts' \
            gateway/ services/ frontend-v2/src/ \
            | grep -v 'env\.\|environ\|process\.env\|\.get(\|config\.\|test\|example\|placeholder\|CHANGE_ME\|changeme' \
            | grep -vi 'hash\|bcrypt\|comment\|error\|warning'; then
            echo "WARNING: Possible hardcoded secrets found (review above)"
          fi
          echo "Secret scan passed"

  dockerfile-lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Check Dockerfiles run as non-root
        run: |
          fail=0
          for f in gateway/Dockerfile services/trips/Dockerfile services/fitness/Dockerfile.backend services/inventory/Dockerfile services/budget/Dockerfile frontend-v2/Dockerfile; do
            if [ -f "$f" ]; then
              if ! grep -q '^USER ' "$f"; then
                echo "ERROR: $f does not have a USER instruction (runs as root)"
                fail=1
              fi
              if ! grep -q 'HEALTHCHECK' "$f"; then
                echo "WARNING: $f has no HEALTHCHECK"
              fi
            fi
          done
          exit $fail
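A local harness for the secret-scanning step, added here as an example and not part of the repository's workflow: it packages the same grep pattern and exclusion filters into a function and runs it over constructed sample files, so changes to the regex or the filter list can be checked before they reach CI. The sample file names and contents are constructed for this example.

```shell
#!/usr/bin/env bash
# Added example: exercise the hardcoded-secret check from the secret-scanning
# job against constructed sample source files. Not the project's own code.

scan_secrets() {
  # $1: directory to scan (relative paths are used so the directory name
  # itself cannot trip the exclusion filters). Prints candidate lines and
  # returns 0 when at least one candidate was found, 1 otherwise.
  (cd "$1" && grep -rnE "password.*=.*[\"'][a-zA-Z0-9_-]{8,}[\"']" \
      --include='*.py' --include='*.js' --include='*.ts' . \
    | grep -v 'env\.\|environ\|process\.env\|\.get(\|config\.\|test\|example\|placeholder\|CHANGE_ME\|changeme' \
    | grep -vi 'hash\|bcrypt\|comment\|error\|warning')
}

make_samples() {
  # Write constructed sample files into $1, one per case the filters handle.
  mkdir -p "$1"
  # Real-looking literal: the only line that should be reported.
  printf '%s\n' "db_password = 'hunter2hunter2'" > "$1/settings.py"
  # Quoted literal is an environment variable name: excluded by 'environ' / '.get('.
  printf '%s\n' "password = os.environ.get('DB_PASSWORD')" > "$1/cfg.py"
  # Same idea in JavaScript: excluded by 'process.env'.
  printf '%s\n' 'const password = process.env["DB_PASSWORD"];' > "$1/db.js"
  # A stored hash, not a secret: excluded by the case-insensitive 'hash' filter.
  printf '%s\n' 'password_hash = "abcdef0123456789"' > "$1/auth.py"
  # Wrong extension: never scanned, regardless of content.
  printf '%s\n' "password = 'supersecretvalue'" > "$1/NOTES.md"
}

count_findings() {
  # Number of candidate lines reported for directory $1.
  scan_secrets "$1" | wc -l | tr -d ' '
}
```

Run `make_samples` into a temporary directory and then `scan_secrets` on it; exactly the `settings.py` line should be reported.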