Comprehensive Security Scan #186

	name: Comprehensive Security Scan

	on:
	push:
	branches: [ main ]
	schedule:
	# Run comprehensive security scan daily at 2 AM UTC
	- cron: '0 2 * * *'
	workflow_dispatch: # Allow manual triggering

	env:
	NODE_VERSION: '18'

	jobs:
	comprehensive-security-scan:
	name: Comprehensive Security Scan
	runs-on: ubuntu-latest
	permissions:
	actions: read
	contents: read
	security-events: write

	steps:
	- name: Checkout code
	uses: actions/checkout@v4

	- name: Setup Node.js
	uses: actions/setup-node@v4
	with:
	node-version: ${{ env.NODE_VERSION }}
	cache: 'npm'

	- name: Install dependencies
	run: npm ci

	- name: Run comprehensive security audit
	run: npm audit --audit-level moderate

	- name: Run CodeQL Analysis
	uses: github/codeql-action/init@v3
	with:
	languages: javascript

	- name: Perform CodeQL Analysis
	uses: github/codeql-action/analyze@v3
	continue-on-error: true

	- name: Check for known vulnerabilities in dependencies
	run: \|
	echo "Checking for known vulnerabilities..."
	npm audit --json > audit-results.json \|\| true
	echo "Audit results saved for review"

	- name: Upload security scan results
	uses: actions/upload-artifact@v4
	with:
	name: security-scan-results
	path: audit-results.json
	retention-days: 30

	dependency-review:
	name: Dependency Review
	runs-on: ubuntu-latest
	if: github.event_name == 'pull_request'

	steps:
	- name: Checkout code
	uses: actions/checkout@v4

	- name: Dependency Review
	uses: actions/dependency-review-action@v4
	with:
	fail-on-severity: moderate
	allow-licenses: MIT, Apache-2.0, BSD-2-Clause, BSD-3-Clause, ISC

Provide feedback