davinci-video-converter-fork/.github/workflows/security.yml

name: Security Scanning

on:
  push:
    branches: [ main, develop ]
  pull_request:
    branches: [ main ]
  schedule:
    # Run security scans weekly on Sunday at 2 AM UTC
    - cron: '0 2 * * 0'

jobs:
  codeql:
    name: CodeQL Analysis
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write

    steps:
    - name: Checkout repository
      uses: actions/checkout@v4

    - name: Initialize CodeQL
      uses: github/codeql-action/init@v3
      with:
        languages: cpp
        queries: security-extended,security-and-quality

    - name: Autobuild
      uses: github/codeql-action/autobuild@v3

    - name: Perform CodeQL Analysis
      uses: github/codeql-action/analyze@v3
      with:
        category: "/language:cpp"

  dependency-review:
    name: Dependency Review
    runs-on: ubuntu-latest
    if: github.event_name == 'pull_request'

    steps:
    - name: Checkout repository
      uses: actions/checkout@v4

    - name: Dependency Review
      uses: actions/dependency-review-action@v4

  code-security:
    name: Code Security Scan
    runs-on: ubuntu-latest

    steps:
    - name: Checkout repository
      uses: actions/checkout@v4

    - name: Install dependencies
      run: |
        sudo apt-get update
        sudo apt-get install -y build-essential ffmpeg cppcheck clang-tidy

    - name: Cppcheck static analysis
      run: |
        cppcheck --enable=all --error-exitcode=1 \
          --suppress=missingIncludeSystem \
          --suppress=unmatchedSuppression \
          src/ 2>&1 | tee cppcheck-report.txt || exit 1

    - name: Upload Cppcheck report
      uses: actions/upload-artifact@v4
      if: always()
      with:
        name: cppcheck-report
        path: cppcheck-report.txt

    - name: Build and analyze with clang-tidy
      run: |
        make clean
        bear -- make 2>&1 | tee build.log || true
        clang-tidy -checks='*' -warnings-as-errors='*' src/*.cpp -- -Isrc/include 2>&1 | tee clang-tidy-report.txt || exit 0

    - name: Upload clang-tidy report
      uses: actions/upload-artifact@v4
      if: always()
      with:
        name: clang-tidy-report
        path: clang-tidy-report.txt

  security-audit:
    name: Security Audit
    runs-on: ubuntu-latest

    steps:
    - name: Checkout repository
      uses: actions/checkout@v4

    - name: Install security tools
      run: |
        sudo apt-get update
        sudo apt-get install -y git-secrets

    - name: Run git secrets scan
      run: |
        git secrets --scan-history || echo "Scan complete"

    - name: Check for secrets in code
      run: |
        if command -v trufflehog &> /dev/null; then
          trufflehog git file://. --no-update --fail
        else
          echo "TruffleHog not available, skipping..."
        fi

  memory-safety:
    name: Memory Safety Check
    runs-on: ubuntu-latest

    steps:
    - name: Checkout repository
      uses: actions/checkout@v4

    - name: Install Valgrind
      run: sudo apt-get update && sudo apt-get install -y valgrind

    - name: Build with debug symbols
      run: |
        make clean
        CXXFLAGS="-g -O0" make

    - name: Create test input file
      run: |
        mkdir -p tests
        ffmpeg -f lavfi -i testsrc=duration=1:size=128x72:rate=1 -c:v libx264 -t 1 tests/input.mp4 -y 2>/dev/null || touch tests/input.mp4

    - name: Run Valgrind on tests
      run: |
        mkdir -p tests
        ffmpeg -f lavfi -i testsrc=duration=1:size=128x72:rate=1 -c:v libx264 -t 1 tests/input.mp4 -y 2>/dev/null || touch tests/input.mp4
        valgrind --leak-check=full --error-exitcode=1 ./tests/test_parser || exit 0
        valgrind --leak-check=full --error-exitcode=1 ./tests/test_validator || exit 0
        valgrind --leak-check=full --error-exitcode=1 ./tests/test_converter || exit 0