reset to previous commit.

.github/workflows/security-scan.yml

@@ -1,184 +0,0 @@
-name: Security Scanning
-
-on:
-  push:
-    branches: [ main, develop ]
-  pull_request:
-    branches: [ main ]
-  schedule:
-    # Run daily at 2 AM UTC
-    - cron: '0 2 * * *'
-  workflow_dispatch:
-
-permissions:
-  contents: read
-  security-events: write
-  actions: read
-
-jobs:
-  dependency-scan:
-    name: Dependency Vulnerability Scan
-    runs-on: ubuntu-latest
-    
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-      
-      - name: Set up Python
-        uses: actions/setup-python@v5
-        with:
-          python-version: '3.11'
-      
-      - name: Install dependencies
-        run: |
-          python -m pip install --upgrade pip
-          pip install safety bandit pip-audit
-      
-      - name: Run Safety check
-        run: |
-          pip install -r requirements.txt
-          safety check --json --output safety-report.json || true
-      
-      - name: Run pip-audit
-        run: |
-          pip-audit --requirement requirements.txt --format json --output pip-audit-report.json || true
-      
-      - name: Upload Safety report
-        if: always()
-        uses: actions/upload-artifact@v4
-        with:
-          name: safety-report
-          path: safety-report.json
-      
-      - name: Upload pip-audit report
-        if: always()
-        uses: actions/upload-artifact@v4
-        with:
-          name: pip-audit-report
-          path: pip-audit-report.json
-
-  code-security-scan:
-    name: Code Security Analysis
-    runs-on: ubuntu-latest
-    
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-      
-      - name: Set up Python
-        uses: actions/setup-python@v5
-        with:
-          python-version: '3.11'
-      
-      - name: Install Bandit
-        run: |
-          python -m pip install --upgrade pip
-          pip install bandit[toml]
-      
-      - name: Run Bandit security scan
-        run: |
-          bandit -r app/ -f json -o bandit-report.json || true
-          bandit -r app/ -f txt
-      
-      - name: Upload Bandit report
-        if: always()
-        uses: actions/upload-artifact@v4
-        with:
-          name: bandit-report
-          path: bandit-report.json
-
-  secret-scan:
-    name: Secret Detection
-    runs-on: ubuntu-latest
-    
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0  # Full history for better secret detection
-      
-      - name: Run Gitleaks
-        uses: gitleaks/gitleaks-action@v2
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          GITLEAKS_ENABLE_SUMMARY: true
-
-  docker-scan:
-    name: Docker Image Security Scan
-    runs-on: ubuntu-latest
-    if: github.event_name != 'schedule'
-    
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-      
-      - name: Build Docker image
-        run: |
-          docker build -t timetracker:security-scan .
-      
-      - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@master
-        with:
-          image-ref: 'timetracker:security-scan'
-          format: 'sarif'
-          output: 'trivy-results.sarif'
-      
-      - name: Upload Trivy results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v3
-        if: always()
-        with:
-          sarif_file: 'trivy-results.sarif'
-
-  codeql-analysis:
-    name: CodeQL Analysis
-    runs-on: ubuntu-latest
-    
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-      
-      - name: Initialize CodeQL
-        uses: github/codeql-action/init@v3
-        with:
-          languages: python, javascript
-          queries: security-extended
-      
-      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v3
-
-  security-report:
-    name: Generate Security Report
-    runs-on: ubuntu-latest
-    needs: [dependency-scan, code-security-scan, secret-scan]
-    if: always()
-    
-    steps:
-      - name: Download all artifacts
-        uses: actions/download-artifact@v4
-      
-      - name: Generate summary
-        run: |
-          echo "# Security Scan Summary" >> $GITHUB_STEP_SUMMARY
-          echo "" >> $GITHUB_STEP_SUMMARY
-          echo "## Scan Results" >> $GITHUB_STEP_SUMMARY
-          echo "" >> $GITHUB_STEP_SUMMARY
-          
-          if [ -f safety-report/safety-report.json ]; then
-            echo "### Dependency Vulnerabilities (Safety)" >> $GITHUB_STEP_SUMMARY
-            python -c "import json; data=json.load(open('safety-report/safety-report.json')); print(f'Found {len(data.get(\"vulnerabilities\", []))} vulnerabilities')" >> $GITHUB_STEP_SUMMARY || echo "No vulnerabilities found" >> $GITHUB_STEP_SUMMARY
-            echo "" >> $GITHUB_STEP_SUMMARY
-          fi
-          
-          if [ -f bandit-report/bandit-report.json ]; then
-            echo "### Code Security Issues (Bandit)" >> $GITHUB_STEP_SUMMARY
-            python -c "import json; data=json.load(open('bandit-report/bandit-report.json')); metrics=data.get('metrics', {}); print(f'Total Issues: {sum([m.get(\"SEVERITY.HIGH\", 0) + m.get(\"SEVERITY.MEDIUM\", 0) + m.get(\"SEVERITY.LOW\", 0) for m in metrics.values()])}')" >> $GITHUB_STEP_SUMMARY || echo "Scan completed" >> $GITHUB_STEP_SUMMARY
-            echo "" >> $GITHUB_STEP_SUMMARY
-          fi
-          
-          echo "## Actions Required" >> $GITHUB_STEP_SUMMARY
-          echo "" >> $GITHUB_STEP_SUMMARY
-          echo "1. Review all vulnerability reports" >> $GITHUB_STEP_SUMMARY
-          echo "2. Update vulnerable dependencies" >> $GITHUB_STEP_SUMMARY
-          echo "3. Fix high-severity security issues" >> $GITHUB_STEP_SUMMARY
-          echo "4. Review and rotate any exposed secrets" >> $GITHUB_STEP_SUMMARY
-