Add comprehensive security scanning module with SAST, dependency, and configuration analysis

.github/workflows/security-scan.yml

@@ -8,6 +8,16 @@ on:
   schedule:
     # Run security scan daily at 2 AM UTC
     - cron: '0 2 * * *'
+  workflow_dispatch:  # Allow manual triggering
+
+jobs:
+  security-scan:
+    name: Security Analysis
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      issues: write
+      pull-requests: write
   workflow_dispatch:
 
 permissions:
@@ -23,16 +33,42 @@ jobs:
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
+
 
       - name: Set up Python
         uses: actions/setup-python@v5
         with:
           python-version: '3.10'
+
 
       - name: Install dependencies
         run: |
           python -m pip install --upgrade pip
           pip install -e .
+
+      - name: Run Security Scan
+        id: security_scan
+        continue-on-error: true
+        run: |
+          agent-tester security --path . --format markdown --output security_report.md
+          echo "scan_completed=true" >> $GITHUB_OUTPUT
+
+      - name: Upload Security Report
+        if: always() && steps.security_scan.outputs.scan_completed == 'true'
+        uses: actions/upload-artifact@v4
+        with:
+          name: security-report
+          path: security_report.md
+          retention-days: 30
+
+      - name: Check for Critical/High Issues
+        if: steps.security_scan.outcome == 'failure'
+        run: |
+          echo "::error::Security scan found critical or high severity issues!"
+          echo "Please review the security report artifact for details."
+          exit 1
+
+      - name: Comment PR with Security Summary
 
       - name: Run Full Security Scan
         id: security_scan
@@ -90,6 +126,16 @@ jobs:
         with:
           script: |
             const fs = require('fs');
+
+            // Read the security report if it exists
+            if (fs.existsSync('security_report.md')) {
+              const report = fs.readFileSync('security_report.md', 'utf8');
+
+              // Extract summary section
+              const summaryMatch = report.match(/## Executive Summary([\s\S]*?)(?=##|$)/);
+              const summary = summaryMatch ? summaryMatch[0] : 'Security scan completed.';
+
+              const comment = `## 🔒 Security Scan Results\n\n${summary}\n\n📄 Full report available in workflow artifacts.`;
             try {
               const report = JSON.parse(fs.readFileSync('security_report.json', 'utf8'));
               const summary = report.summary || {};
@@ -117,6 +163,15 @@ jobs:
                 repo: context.repo.repo,
                 body: comment
               });
+            }
+
+  dependency-review:
+    name: Dependency Review
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
+    if: github.event_name == 'pull_request'
             } catch (error) {
               console.log('Could not post comment:', error.message);
             }
@@ -128,6 +183,12 @@ jobs:
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
+
+      - name: Dependency Review
+        uses: actions/dependency-review-action@v4
+        with:
+          fail-on-severity: moderate
+          comment-summary-in-pr: true
 
       - name: Set up Python
         uses: actions/setup-python@v5

.gitignore

@@ -36,6 +36,10 @@ pip-audit-report.json
 agent_tests.yaml
 comprehensive_tests.yaml
 
+# Security reports (generated by security scanner)
+security_report*.md
+security_report*.json
+
 # Environment Variables - NEVER COMMIT THESE
 .env
 .env.local