Northern-Thailand-Ping-River-Monitor/.gitea/workflows/security.yml

name: Security & Dependency Updates

on:
  schedule:
    # Run security scans daily at 3 AM UTC
    - cron: "0 3 * * *"
  workflow_dispatch:
  push:
    paths:
      - "requirements*.txt"
      - "Dockerfile"
      - ".gitea/workflows/security.yml"

env:
  PYTHON_VERSION: "3.11"
  # GitHub token for better rate limits and authentication
  GH_TOKEN: ${{ secrets.GH_TOKEN }}

jobs:
  # Dependency vulnerability scan
  dependency-scan:
    name: Dependency Security Scan
    runs-on: ubuntu-latest

    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          token: ${{ secrets.CI_BOT_TOKEN }}

      - name: Install jq (for parsing JSON)
        run: sudo apt-get update && sudo apt-get install -y jq

      - name: Set up Python
        uses: actions/setup-python@v4
        with:
          python-version: ${{ env.PYTHON_VERSION }}

      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip --root-user-action=ignore
          # Pin safety to a v2 line where `check --json` is stable
          pip install --root-user-action=ignore "safety>=2,<3" bandit semgrep

      - name: Run Safety check
        run: |
          if [ -f requirements.txt ]; then
            safety check -r requirements.txt --json --output safety-report.json || true
          else
            echo "[]" > safety-report.json
          fi
          if [ -f requirements-dev.txt ]; then
            safety check -r requirements-dev.txt --json --output safety-dev-report.json || true
          else
            echo "[]" > safety-dev-report.json
          fi

      - name: Run Bandit security scan
        run: |
          if [ -d src ]; then
            bandit -r src/ -f json -o bandit-report.json || true
          else
            echo '{"results":[]}' > bandit-report.json
          fi

      - name: Run Semgrep security scan
        run: |
          if [ -d src ]; then
            semgrep --config=auto src/ --json --output=semgrep-report.json || true
          else
            echo '{"results":[]}' > semgrep-report.json
          fi

      - name: Upload security reports
        uses: actions/upload-artifact@v3
        with:
          name: security-reports-${{ github.run_number }}
          path: |
            safety-report.json
            safety-dev-report.json
            bandit-report.json
            semgrep-report.json

      - name: Check for critical vulnerabilities
        run: |
          echo "🔍 Checking for critical vulnerabilities..."

          # --- Safety results (robust to array/object formats) ---
          summarize_safety () {
            f="$1"
            if [ -f "$f" ]; then
              count=$(jq -r '
                if type=="array" then length
                else ((.vulnerabilities // []) | length)
                end
              ' "$f" 2>/dev/null || echo "0")

              if [ "${count:-0}" -gt 0 ]; then
                echo "⚠️ Found $count dependency vulnerabilities in $f"
                jq -r '
                  if type=="array" then
                    .[] | "- \(.package_name // .name) \(.installed_version // ""): \(.vulnerability_id // .advisory // "N/A")"
                  else
                    (.vulnerabilities // [])[] | "- \(.package_name) \(.installed_version): \(.vulnerability_id)"
                  end
                ' "$f" || true
              else
                echo "✅ No dependency vulnerabilities found in $f"
              fi
            fi
          }
          summarize_safety safety-report.json
          summarize_safety safety-dev-report.json

          # --- Bandit results (count HIGH severity properly) ---
          if [ -f bandit-report.json ]; then
            high_severity=$(jq '[.results[]? | select(.issue_severity=="HIGH")] | length' bandit-report.json 2>/dev/null || echo "0")
            if [ "${high_severity:-0}" -gt 0 ]; then
              echo "⚠️ Found $high_severity high-severity security issues"
            else
              echo "✅ No high-severity security issues found"
            fi
          fi

  # License compliance check
  license-check:
    name: License Compliance
    runs-on: ubuntu-latest

    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          token: ${{ secrets.CI_BOT_TOKEN }}

      - name: Install jq (for parsing JSON)
        run: sudo apt-get update && sudo apt-get install -y jq

      - name: Set up Python
        uses: actions/setup-python@v4
        with:
          python-version: ${{ env.PYTHON_VERSION }}

      - name: Install pip-licenses
        run: |
          python -m pip install --upgrade pip --root-user-action=ignore
          pip install --root-user-action=ignore pip-licenses
          if [ -f requirements.txt ]; then
            pip install --root-user-action=ignore -r requirements.txt
          fi

      - name: Check licenses
        run: |
          echo "📄 Checking dependency licenses..."
          pip-licenses --format=json --output-file=licenses.json
          pip-licenses --format=markdown --output-file=licenses.md

          # Check for potentially problematic licenses
          problematic_licenses=("GPL" "AGPL" "LGPL")
          for license in "${problematic_licenses[@]}"; do
            if grep -iq "$license" licenses.json; then
              echo "⚠️ Found potentially problematic license: $license"
            fi
          done

          echo "✅ License check completed"

      - name: Upload license report
        uses: actions/upload-artifact@v3
        with:
          name: license-report-${{ github.run_number }}
          path: |
            licenses.json
            licenses.md

  # Dependency update check
  dependency-update:
    name: Check for Dependency Updates
    runs-on: ubuntu-latest

    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          token: ${{ secrets.CI_BOT_TOKEN }}

      - name: Install jq (for parsing JSON)
        run: sudo apt-get update && sudo apt-get install -y jq

      - name: Set up Python
        uses: actions/setup-python@v4
        with:
          python-version: ${{ env.PYTHON_VERSION }}

      - name: Check for outdated packages
        run: |
          echo "📦 Checking for outdated packages..."
          if [ -f requirements.txt ]; then
            python -m pip install --upgrade pip --root-user-action=ignore
            pip install --root-user-action=ignore -r requirements.txt
          fi
          pip list --outdated --format=json > outdated-packages.json || true

          if [ -s outdated-packages.json ] && [ "$(cat outdated-packages.json)" != "[]" ]; then
            echo "📋 Outdated packages found:"
            jq -r '.[] | "- \(.name): \(.version) -> \(.latest_version)"' outdated-packages.json
          else
            echo "✅ All packages are up to date"
          fi

      - name: Create dependency update issue
        if: github.event_name == 'schedule'
        run: |
          if [ -s outdated-packages.json ] && [ "$(cat outdated-packages.json)" != "[]" ]; then
            echo "📝 Creating dependency update issue..."
            cat > issue-body.md << 'EOF'
## 📦 Dependency Updates Available

The following packages have updates available:
EOF
            jq -r '.[] | "- **\(.name)**: \(.version) → \(.latest_version)"' outdated-packages.json >> issue-body.md
            cat >> issue-body.md << 'EOF'

## 🔍 Security Impact

Please review each update for:
- Security fixes
- Breaking changes
- Compatibility issues

## ✅ Action Items

- [ ] Review changelog for each package
- [ ] Test updates in development environment
- [ ] Update requirements.txt
- [ ] Run full test suite
- [ ] Deploy to staging for validation

---
*This issue was automatically created by the security workflow.*
EOF
            echo "Issue body created. In a real implementation, you would create a Gitea issue here."
            cat issue-body.md
          fi

      - name: Upload dependency reports
        uses: actions/upload-artifact@v3
        with:
          name: dependency-reports-${{ github.run_number }}
          path: |
            outdated-packages.json
            issue-body.md

  # Code quality metrics
  code-quality:
    name: Code Quality Metrics
    runs-on: ubuntu-latest

    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          token: ${{ secrets.CI_BOT_TOKEN }}

      - name: Set up Python
        uses: actions/setup-python@v4
        with:
          python-version: ${{ env.PYTHON_VERSION }}

      - name: Install quality tools
        run: |
          python -m pip install --upgrade pip --root-user-action=ignore
          pip install --root-user-action=ignore radon xenon vulture
          if [ -f requirements.txt ]; then
            pip install --root-user-action=ignore -r requirements.txt
          fi

      - name: Calculate code complexity
        run: |
          echo "📊 Calculating code complexity..."
          if [ -d src ]; then
            radon cc src/ --json > complexity-report.json
            radon mi src/ --json > maintainability-report.json
            echo "🔍 Complexity Summary:"
            radon cc src/ --average
            echo "🔧 Maintainability Summary:"
            radon mi src/
          else
            echo "{}" > complexity-report.json
            echo "{}" > maintainability-report.json
            echo "No src/ directory found; skipping detailed radon output."
          fi

      - name: Find dead code
        run: |
          echo "🧹 Checking for dead code..."
          if [ -d src ]; then
            vulture src/ --json > dead-code-report.json || true
          else
            echo "[]" > dead-code-report.json
          fi

      - name: Check for code smells
        run: |
          echo "👃 Checking for code smells..."
          if [ -d src ]; then
            xenon --max-absolute B --max-modules A --max-average A src/ || true
          else
            echo "No src/ directory found; skipping xenon."
          fi

      - name: Upload quality reports
        uses: actions/upload-artifact@v3
        with:
          name: code-quality-reports-${{ github.run_number }}
          path: |
            complexity-report.json
            maintainability-report.json
            dead-code-report.json

  # Security summary
  security-summary:
    name: Security Summary
    runs-on: ubuntu-latest
    needs: [dependency-scan, license-check, code-quality]
    if: always()

    steps:
      - name: Install jq (for parsing JSON)
        run: sudo apt-get update && sudo apt-get install -y jq

      - name: Download all artifacts
        uses: actions/download-artifact@v3

      - name: Generate security summary
        run: |
          echo "# 🔒 Security Scan Summary" > security-summary.md
          echo "" >> security-summary.md
          echo "**Scan Date:** $(date -u)" >> security-summary.md
          echo "**Repository:** ${{ github.repository }}" >> security-summary.md
          echo "**Commit:** ${{ github.sha }}" >> security-summary.md
          echo "" >> security-summary.md

          echo "## 📊 Results" >> security-summary.md
          echo "" >> security-summary.md

          # Dependency scan results (support array/object formats)
          if ls security-reports-*/safety-report.json >/dev/null 2>&1; then
            vuln_count=$(jq -s '
              def countfile:
                if type=="array" then length
                else ((.vulnerabilities // []) | length)
                end;
              add | (if type=="number" then . else 0 end)
            ' security-reports-*/safety-report.json 2>/dev/null || echo "0")
            if [ "${vuln_count:-0}" -eq 0 ]; then
              echo "- ✅ **Dependency Scan**: No vulnerabilities found" >> security-summary.md
            else
              echo "- ⚠️ **Dependency Scan**: ${vuln_count} vulnerabilities found" >> security-summary.md
            fi
          else
            echo "- ❓ **Dependency Scan**: Results not available" >> security-summary.md
          fi

          # Docker scan results (Trivy removed)
          echo "- ⏭️ **Docker Scan**: Skipped (Trivy removed)" >> security-summary.md

          # License check results
          if ls license-report-*/licenses.json >/dev/null 2>&1; then
            echo "- ✅ **License Check**: Completed" >> security-summary.md
          else
            echo "- ❓ **License Check**: Results not available" >> security-summary.md
          fi

          # Code quality results
          if ls code-quality-reports-*/complexity-report.json >/dev/null 2>&1; then
            echo "- ✅ **Code Quality**: Analyzed" >> security-summary.md
          else
            echo "- ❓ **Code Quality**: Results not available" >> security-summary.md
          fi

          echo "" >> security-summary.md
          echo "## 🔗 Detailed Reports" >> security-summary.md
          echo "" >> security-summary.md
          echo "Detailed reports are available in the workflow artifacts." >> security-summary.md

          cat security-summary.md

      - name: Upload security summary
        uses: actions/upload-artifact@v3
        with:
          name: security-summary-${{ github.run_number }}
          path: security-summary.md