From b197310d7e77f363c3d7117cf154a3e2713759f6 Mon Sep 17 00:00:00 2001
From: mapup-parask <94374284+mapup-parask@users.noreply.github.com>
Date: Mon, 9 Feb 2026 11:42:00 +0530
Subject: [PATCH] Add automated security scanning
---
.github/workflows/gitleaks.yml | 51 ++++++++++++++++++++++++++++++++++
.github/workflows/semgrep.yml | 45 ++++++++++++++++++++++++++++++
2 files changed, 96 insertions(+)
create mode 100644 .github/workflows/gitleaks.yml
create mode 100644 .github/workflows/semgrep.yml
diff --git a/.github/workflows/gitleaks.yml b/.github/workflows/gitleaks.yml
new file mode 100644
index 0000000..08e54d6
--- /dev/null
+++ b/.github/workflows/gitleaks.yml
@@ -0,0 +1,51 @@
+name: Gitleaks Secret Scan
+on:
+ pull_request:
+ branches: [main, master]
+ schedule:
+ - cron: '0 3 * * 1'
+ workflow_dispatch:
+
+jobs:
+ gitleaks:
+ name: Scan for secrets
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ - name: Install gitleaks
+ run: |
+ GITLEAKS_VERSION=$(curl -s https://api.github.com/repos/gitleaks/gitleaks/releases/latest | grep '"tag_name"' | sed 's/.*"v\(.*\)".*/\1/')
+ curl -sSfL "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz" | tar -xz -C /usr/local/bin gitleaks
+
+ - name: Run gitleaks
+ run: gitleaks detect --source . --verbose --redact --report-format sarif --report-path gitleaks-report.sarif
+
+ - name: Upload SARIF report
+ if: always()
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: gitleaks-report.sarif
+
+# name: Gitleaks Secret Scan
+# on:
+# pull_request:
+# branches: [main, master]
+# schedule:
+# - cron: '0 3 * * 1' # Weekly Monday 3am UTC
+# workflow_dispatch: # Allow manual trigger
+
+# jobs:
+# gitleaks:
+# name: Scan for secrets
+# runs-on: ubuntu-latest
+# steps:
+# - uses: actions/checkout@v4
+# with:
+# fetch-depth: 0
+# - uses: gitleaks/gitleaks-action@v2
+# env:
+# GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+# GITLEAKS_ENABLE_COMMENTS: false
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
new file mode 100644
index 0000000..8572ba5
--- /dev/null
+++ b/.github/workflows/semgrep.yml
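Review bot: The "Upload SARIF report" step needs the job token to carry `security-events: write`, but the hunk declares no `permissions:` block, so on repositories whose default token is read-only the upload fails and otherwise the job runs with whatever broad default the repository grants; add at top level `permissions:` / `  contents: read` / `  security-events: write` (the semgrep.yml hunk has the same omission and needs at least `contents: read`). In the "Install gitleaks" step the version is resolved at run time from an unauthenticated api.github.com call with `curl -s` (no `-f`), so a rate-limited or reshaped response leaves `GITLEAKS_VERSION` empty and the download dies on an opaque 404, and more importantly the binary that gates merges for secrets is never pinned or integrity-checked; pin the version and verify the archive against the release's published SHA-256 before extracting, as sketched below with placeholders for the values to fill in. The commented-out duplicate workflow that follows the live one is dead text that will drift; drop it or reduce it to a one-line comment on the install step explaining why the action was not used (the same applies to the tail of semgrep.yml).

```yaml
      - name: Install gitleaks
        env:
          GITLEAKS_VERSION: "<PINNED_VERSION>"            # placeholder: pin explicitly, bump deliberately
          GITLEAKS_SHA256: "<SHA256_FROM_RELEASE_CHECKSUMS>"  # placeholder: from the release's checksum file
        run: |
          curl -sSfL -o gitleaks.tar.gz "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz"
          echo "${GITLEAKS_SHA256}  gitleaks.tar.gz" | sha256sum -c -
          tar -xz -C /usr/local/bin -f gitleaks.tar.gz gitleaks
# … unchanged: Run gitleaks and Upload SARIF report steps …
```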
@@ -0,0 +1,45 @@
+name: Semgrep SAST
+on:
+ pull_request:
+ branches: [main, master]
+ schedule:
+ - cron: '0 4 * * 1'
+ workflow_dispatch:
+
+jobs:
+ semgrep:
+ name: Static analysis
+ runs-on: ubuntu-latest
+ container:
+ image: semgrep/semgrep
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Run Semgrep
+ run: semgrep scan --config auto --error --json --output semgrep-results.json || true
+
+ - name: Send results to endpoint
+ if: always()
+ run: |
+ curl -X POST "${{ secrets.SAST_WEBHOOK_URL }}" \
+ -H "Content-Type: application/json" \
+ -H "Authorization: Bearer ${{ secrets.SAST_WEBHOOK_TOKEN }}" \
+ -d @semgrep-results.json
+
+# name: Semgrep SAST
+# on:
+# pull_request:
+# branches: [main, master]
+# schedule:
+# - cron: '0 4 * * 1' # Weekly Monday 4am UTC
+# workflow_dispatch: # Allow manual trigger
+
+# jobs:
+# semgrep:
+# name: Static analysis
+# runs-on: ubuntu-latest
+# container:
+# image: semgrep/semgrep
+# steps:
+# - uses: actions/checkout@v4
+# - run: semgrep scan --config auto --error --quiet
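Review bot: The `|| true` on the "Run Semgrep" line discards the exit status that `--error` exists to produce, so a scan that crashes or reports blocking findings still leaves the job green and the pull-request gate never trips; remove it and let the `if: always()` on the next step keep the upload running. That "Send results to endpoint" step interpolates `${{ secrets.* }}` straight into the shell script and posts unconditionally: when the secrets are unavailable (pull requests from forks normally receive none) curl is handed an empty URL, and when Semgrep produced no file `-d @semgrep-results.json` fails without `-f` to make the failure visible; pass the secrets through `env:` and guard on the file existing, as sketched below. Since Semgrep's JSON output typically includes the matched source lines, the endpoint behind `SAST_WEBHOOK_URL` receives repository code, which is worth stating in a comment on the step, e.g. `# Findings (including matched code snippets) are forwarded to the team's SAST collector`.

```yaml
      - name: Run Semgrep
        run: semgrep scan --config auto --error --json --output semgrep-results.json

      - name: Send results to endpoint
        if: always() && hashFiles('semgrep-results.json') != ''
        env:
          SAST_WEBHOOK_URL: ${{ secrets.SAST_WEBHOOK_URL }}
          SAST_WEBHOOK_TOKEN: ${{ secrets.SAST_WEBHOOK_TOKEN }}
        run: |
          curl -sSf -X POST "$SAST_WEBHOOK_URL" \
            -H "Content-Type: application/json" \
            -H "Authorization: Bearer $SAST_WEBHOOK_TOKEN" \
            -d @semgrep-results.json
```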