Security #17

	name: Security

	on:
	pull_request:
	branches: [main, master]
	push:
	branches: [main, master]
	schedule:
	# Run weekly security scan
	- cron: '0 2 * * 1'

	jobs:
	security-audit:
	runs-on: ubuntu-latest

	steps:
	- name: Checkout code
	uses: actions/checkout@v4

	- name: Use Node.js 20.x
	uses: actions/setup-node@v4
	with:
	node-version: 20.x
	cache: 'npm'

	- name: Install dependencies
	run: npm ci

	- name: Run security audit
	run: npm audit --audit-level=moderate

	- name: Run dependency check
	uses: ossf/[email protected]
	with:
	repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}
	results_file: results.sarif
	results_format: sarif
	publish_results: true

	- name: Upload to code-scanning
	uses: github/codeql-action/upload-sarif@v2
	if: always()
	with:
	sarif_file: results.sarif

	codeql:
	name: CodeQL Analysis
	runs-on: ubuntu-latest
	permissions:
	actions: read
	contents: read
	security-events: write

	strategy:
	fail-fast: false
	matrix:
	language: ['javascript']

	steps:
	- name: Checkout repository
	uses: actions/checkout@v4

	- name: Initialize CodeQL
	uses: github/codeql-action/init@v2
	with:
	languages: ${{ matrix.language }}

	- name: Use Node.js 20.x
	uses: actions/setup-node@v4
	with:
	node-version: 20.x
	cache: 'npm'

	- name: Install dependencies
	run: npm ci

	- name: Build project
	run: npm run build

	- name: Perform CodeQL Analysis
	uses: github/codeql-action/analyze@v2
	with:
	category: '/language:${{matrix.language}}'

Provide feedback