This repository was archived by the owner on Apr 20, 2026. It is now read-only.

fix(db,tests): export table name variables; fix PG omnibus cleanup #67

Workflow file for this run

.github/workflows/security-scan.yml at c7d820d

	name: Security Scan & Auto-Fix

	on:
	push:
	branches: [main]
	pull_request:
	branches: [main]
	schedule:
	# Run weekly on Monday at 9am UTC
	- cron: '0 9 * * 1'
	workflow_dispatch:

	permissions:
	contents: write
	pull-requests: write
	security-events: write

	jobs:
	# Job 1: CodeQL Analysis (Copilot-enhanced)
	codeql-analysis:
	name: CodeQL Security Analysis
	runs-on: ubuntu-latest
	steps:
	- name: Checkout repository
	uses: actions/checkout@v4

	- name: Initialize CodeQL
	uses: github/codeql-action/init@v3
	with:
	languages: javascript-typescript, python
	# Copilot-powered queries for better detection
	queries: security-extended,security-and-quality

	- name: Autobuild
	uses: github/codeql-action/autobuild@v3

	- name: Perform CodeQL Analysis
	uses: github/codeql-action/analyze@v3
	with:
	category: "/language:javascript-typescript"

	# Job 2: Secret Scanning
	secret-scan:
	name: Scan for Secrets
	runs-on: ubuntu-latest
	steps:
	- name: Checkout repository
	uses: actions/checkout@v4
	with:
	fetch-depth: 0

	- name: Run Gitleaks
	uses: gitleaks/gitleaks-action@v2
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

	# Job 3: Dependency Vulnerability Scan
	dependency-scan:
	name: Dependency Vulnerabilities
	runs-on: ubuntu-latest
	steps:
	- name: Checkout repository
	uses: actions/checkout@v4

	- name: Run Trivy vulnerability scanner
	uses: aquasecurity/trivy-action@master
	with:
	scan-type: 'fs'
	scan-ref: '.'
	format: 'sarif'
	output: 'trivy-results.sarif'
	severity: 'CRITICAL,HIGH'

	- name: Upload Trivy scan results
	uses: github/codeql-action/upload-sarif@v3
	with:
	sarif_file: 'trivy-results.sarif'

	# Job 4: Auto-fix with Copilot Autofix (when available)
	autofix:
	name: Create Fix PR
	runs-on: ubuntu-latest
	needs: [codeql-analysis, secret-scan, dependency-scan]
	if: failure() # Only run if security issues found
	steps:
	- name: Checkout repository
	uses: actions/checkout@v4

	- name: Check for Copilot Autofix suggestions
	id: check-fixes
	run: \|
	echo "Checking for available autofixes..."
	# GitHub automatically creates Copilot Autofix suggestions
	# for CodeQL alerts when available

	- name: Create Issue for Manual Review
	if: failure()
	uses: actions/github-script@v7
	with:
	script: \|
	const { owner, repo } = context.repo;
	const runUrl = `https://github.com/${owner}/${repo}/actions/runs/${context.runId}`;

	await github.rest.issues.create({
	owner,
	repo,
	title: '🔒 Security Scan Found Issues - Review Required',
	body: `## Security Scan Results

	The automated security scan found potential issues that require attention.

	### What was scanned:
	- ✅ CodeQL analysis (JavaScript, TypeScript, Python)
	- ✅ Secret detection (API keys, tokens, credentials)
	- ✅ Dependency vulnerabilities (npm, pip)

	### Next steps:
	1. Review the [workflow run](${runUrl}) for details
	2. Check the Security tab for Copilot Autofix suggestions
	3. Apply fixes or dismiss false positives

	### How to fix:
	- Copilot Autofix: If available, click "Generate fix" on alerts in the Security tab
	- Manual fix: Review the alert details and apply appropriate fixes
	- Dismiss: If it's a false positive, dismiss with explanation

	---
	This issue was automatically created by the security scanning workflow.
	`,
	labels: ['security', 'automated']
	});

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix(db,tests): export table name variables; fix PG omnibus cleanup #67

Workflow file

fix(db,tests): export table name variables; fix PG omnibus cleanup #67

Uh oh!

Workflow file for this run