name: Security Scan

on:
  push:
    branches:
      - master
  pull_request:
    branches:
      - master
  schedule:
    - cron: '0 0 * * 0'  # Run weekly on Sunday

permissions:
  contents: read
  security-events: write

jobs:
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      
      - name: Bearer Security Scan
        uses: bearer/bearer-action@v2
        with:
          scanner: sast
          format: sarif
          output: bearer.sarif
          severity: critical,high
          path: .
          exit-code: 0
          
      - name: Upload SARIF results
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: bearer.sarif