security.yml

name: Security Audit

on:
  push:
    branches: [main, master]
  pull_request:
    branches: [main, master]
  schedule:
    # Run weekly on Sundays at midnight
    - cron: '0 0 * * 0'

jobs:
  audit:
    name: Security Audit
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'
          cache: 'npm'

      - name: Install dependencies
        run: npm ci

      - name: Run npm audit
        run: npm audit --audit-level=high
        continue-on-error: true

      - name: Check for known vulnerabilities
        run: |
          # Output audit results in JSON format for review
          npm audit --json > audit-results.json || true
          
          # Count high and critical vulnerabilities
          HIGH=$(cat audit-results.json | node -pe "JSON.parse(require('fs').readFileSync('/dev/stdin').toString()).metadata?.vulnerabilities?.high || 0")
          CRITICAL=$(cat audit-results.json | node -pe "JSON.parse(require('fs').readFileSync('/dev/stdin').toString()).metadata?.vulnerabilities?.critical || 0")
          
          echo "High vulnerabilities: $HIGH"
          echo "Critical vulnerabilities: $CRITICAL"
          
          if [ "$CRITICAL" -gt 0 ]; then
            echo "::error::Found $CRITICAL critical vulnerabilities!"
            exit 1
          fi

      - name: Upload audit results
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: npm-audit-results
          path: audit-results.json
          retention-days: 30