Create security.yml

[FelipeSantosAppSafe]

Summary by CodeRabbit

• Chores
  • Added an automated security scanning workflow that runs on pushes, pull requests, and manual triggers.
  • Supports an optional target parameter when manually triggered to customize scan scope.
  • Integrates with existing security tooling to centralize scans and reporting.
  • Enhances continuous security coverage across all branches.
  • No user-facing changes; improves overall reliability and security monitoring.

[coderabbitai]

Walkthrough

Adds a new GitHub Actions workflow (.github/workflows/security.yml) named "🛡️ Scans de Segurança" that runs on push, pull_request, and workflow_dispatch. It invokes a reusable workflow from ditointernet/dito-security/appsec.yml@v1, mapping a target input (fallback to DAST_TARGET) and forwarding five specified secrets.

Changes

Cohort / File(s)	Summary
Security workflow (new) \.github/workflows/security.yml	Introduces a workflow "🛡️ Scans de Segurança" triggered on push, pull_request, and workflow_dispatch; defines job "Seguranca" that reuses ditointernet/dito-security/.github/workflows/appsec.yml@v1, passes input target (input or DAST_TARGET), and forwards secrets DOJO_TOKEN, DOJO_USER, DOJO_PASS, REPO_TOKEN, DPBOT_TOKEN.

Sequence Diagram(s)

sequenceDiagram
    autonumber
    actor Dev as Developer
    participant GH as GitHub Actions
    participant WF as security.yml (this repo)
    participant RW as dito-security/appsec.yml@v1

    Dev->>GH: push / pull_request / workflow_dispatch
    GH->>WF: Start "🛡️ Scans de Segurança"
    note over WF: Resolve target = input.target<br/>or env.DAST_TARGET
    WF->>RW: Reusable workflow call<br/>with target + secrets
    RW-->>WF: Execute security scans (AppSec/DAST/etc.)
    WF-->>GH: Job "Seguranca" result
    GH-->>Dev: Workflow status and outputs

Loading

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

A cautious rabbit taps the CI drum,
New shields arise when commits come.
Secrets tucked, the scans take flight,
Reused spells guard code by night.
Hop, hop—alerts kept tight,
Burrow secure, green checks in sight.

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check	✅ Passed	The title succinctly describes the main change by indicating the creation of the security.yml workflow file, matching the addition of a new GitHub Actions workflow for security scans described in the changeset.
Docstring Coverage	✅ Passed	No functions found in the changes. Docstring coverage check skipped.

✨ Finishing touches

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment

Tip

👮 Agentic pre-merge checks are now available in preview!

Pro plan users can now enable pre-merge checks in their settings to enforce checklists before merging PRs.

• Built-in checks – Quickly apply ready-made checks to enforce title conventions, require pull request descriptions that follow templates, validate linked issues for compliance, and more.
• Custom agentic checks – Define your own rules using CodeRabbit’s advanced agentic capabilities to enforce organization-specific policies and workflows. For example, you can instruct CodeRabbit’s agent to verify that API documentation is updated whenever API schema files are modified in a PR. Note: Upto 5 custom checks are currently allowed during the preview period. Pricing for this feature will be announced in a few weeks.

Please see the documentation for more information.

Example:

reviews:
  pre_merge_checks:
    custom_checks:
      - name: "Undocumented Breaking Changes"
        mode: "warning"
        instructions: |
          Pass/fail criteria: All breaking changes to public APIs, CLI flags, environment variables, configuration keys, database schemas, or HTTP/GraphQL endpoints must be documented in the "Breaking Change" section of the PR description and in CHANGELOG.md. Exclude purely internal or private changes (e.g., code not exported from package entry points or explicitly marked as internal).

Please share your feedback with us on this Discord post.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between daf5f5b and d87a977.

📒 Files selected for processing (1)

• .github/workflows/security.yml (1 hunks)

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Broaden the branch filters to include slash-containing branch names.

Using branches: ['*'] limits the workflow to branches without /, so pushes like feature/foo will never trigger the security scan. Please switch to ['**'] (or drop the filter entirely) for both push and pull_request so the workflow still runs on standard feature branches.

   push:
-    branches: ['*']
+    branches: ['**']
   pull_request:
-    branches: ['*']
+    branches: ['**']

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	branches: ['*']
	pull_request:
	branches: ['*']
	push:
	branches: ['**']
	pull_request:
	branches: ['**']

🤖 Prompt for AI Agents

In .github/workflows/security.yml around lines 5 to 7, the branch filters use
branches: ['*'] which does not match branch names containing slashes (e.g.
feature/foo); update both the push and pull_request branch filters to use
branches: ['**'] (or remove the filters entirely) so the workflow triggers on
slash-containing branches like feature/* and other nested names.

[EndBug]

This is spam