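---
# Security scanning pipeline: secret detection, dependency audit, CodeQL and
# the project's own security test suite.
#
# NOTE(review): third-party actions are referenced by major-version tag
# (@v2, @v3, @v4). Pinning each `uses:` to a full commit SHA is the usual
# supply-chain hardening for workflows that run with repository secrets.
name: Security Scanning

on:  # yamllint disable-line rule:truthy
  push:
    branches: [main, develop]
  pull_request:
    branches: [main]
  schedule:
    # Weekly, Sunday at 00:00 UTC
    - cron: '0 0 * * 0'

# Least privilege by default: only the jobs that upload code-scanning results
# request `security-events: write`, and they do so in their own block below.
permissions:
  contents: read

jobs:
  # Secret scanning with Gitleaks
  secrets:
    name: Secret Scanning
    runs-on: ubuntu-latest
    permissions:
      contents: read
      # Kept from the former workflow-wide grant; presumably needed for the
      # action's SARIF upload to code scanning — confirm against its docs.
      security-events: write
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          # Full history so every commit, not only HEAD, is scanned
          fetch-depth: 0

      - name: Run Gitleaks
        uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}

  # Dependency vulnerability scanning
  dependencies:
    name: Dependency Audit
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Setup pnpm
        uses: pnpm/action-setup@v3
        with:
          version: 9

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'
          cache: 'pnpm'

      - name: Install dependencies
        run: pnpm install --frozen-lockfile

      # Advisory only: `continue-on-error` means high-severity findings are
      # reported in the log but do not fail the workflow.
      - name: Run audit
        run: pnpm audit --audit-level=high
        continue-on-error: true

      - name: Check for known vulnerabilities
        run: |
          echo "## Dependency Audit Results" >> "$GITHUB_STEP_SUMMARY"
          # `pnpm audit` exits non-zero when advisories exist; keep its output
          # without letting that exit status abort the step.
          report="$(pnpm audit --json || true)"
          if [ -z "$report" ]; then
            echo "Audit produced no output" >> "$GITHUB_STEP_SUMMARY"
            exit 0
          fi
          # Default `.advisories` to an empty object so a report without that
          # key lists nothing instead of erroring inside jq.
          filter='(.advisories // {}) | to_entries[] | "- [\(.value.severity)] \(.value.module_name): \(.value.title)"'
          if findings="$(printf '%s' "$report" | jq -r "$filter")"; then
            if [ -n "$findings" ]; then
              printf '%s\n' "$findings" >> "$GITHUB_STEP_SUMMARY"
            else
              # Previously an empty advisory list wrote nothing at all and
              # only a jq failure produced this line.
              echo "No vulnerabilities found" >> "$GITHUB_STEP_SUMMARY"
            fi
          else
            # Distinguish an unparsable report from a clean one.
            echo "Could not parse audit output" >> "$GITHUB_STEP_SUMMARY"
          fi

  # CodeQL analysis
  codeql:
    name: CodeQL Analysis
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      # Required to upload the analysis results to code scanning
      security-events: write
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: javascript-typescript
          queries: security-and-quality

      - name: Autobuild
        uses: github/codeql-action/autobuild@v3

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:javascript-typescript"

  # Security unit & integration tests
  security-tests:
    name: Security Tests
    runs-on: ubuntu-latest
    # Only run the suite once secret and dependency scanning have passed
    needs: [secrets, dependencies]
    permissions:
      contents: read
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Setup pnpm
        uses: pnpm/action-setup@v3
        with:
          version: 9

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'
          cache: 'pnpm'

      - name: Install dependencies
        run: pnpm install --frozen-lockfile

      - name: Run security tests
        run: pnpm test:security
        env:
          # Throwaway values for the test run only, not real credentials
          CSRF_SECRET: test-csrf-secret
          PAYLOAD_SECRET: test-payload-secret
          PAYLOAD_PUBLIC_SERVER_URL: https://test.example.com
          NEXT_PUBLIC_SERVER_URL: https://test.example.com

      - name: Upload test results
        # Upload even when the tests fail so the report is still available
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: security-test-results
          path: |
            coverage/
            test-results/
          retention-days: 7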