Security #74

	name: Security

	on:
	schedule:
	# Run security checks daily at 6 AM UTC
	- cron: '0 6 * * *'
	push:
	branches: [ master ]
	pull_request:
	branches: [ master ]

	jobs:
	security-audit:
	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@v4

	- name: Set up Python
	uses: actions/setup-python@v5
	with:
	python-version: "3.10"

	- name: Install security tools
	run: \|
	python -m pip install --upgrade pip
	pip install safety bandit semgrep

	- name: Install dependencies
	run: \|
	pip install -e ".[dev]"

	- name: Check dependencies for known vulnerabilities
	run: \|
	safety check --json --output safety-report.json \|\| true

	- name: Security linting with bandit
	run: \|
	bandit -r src/ -f json -o bandit-report.json \|\| true

	- name: Static analysis with semgrep
	run: \|
	semgrep --config=auto src/ --json --output=semgrep-report.json \|\| true

	- name: Upload security reports
	uses: actions/upload-artifact@v4
	if: always()
	with:
	name: security-reports
	path: \|
	safety-report.json
	bandit-report.json
	semgrep-report.json
	retention-days: 30

	codeql:
	runs-on: ubuntu-latest
	permissions:
	actions: read
	contents: read
	security-events: write
	strategy:
	fail-fast: false
	matrix:
	language: [ 'python' ]

	steps:
	- name: Checkout repository
	uses: actions/checkout@v4

	- name: Initialize CodeQL
	uses: github/codeql-action/init@v3
	with:
	languages: ${{ matrix.language }}

	- name: Autobuild
	uses: github/codeql-action/autobuild@v3

	- name: Perform CodeQL Analysis
	uses: github/codeql-action/analyze@v3
	with:
	category: "/language:${{matrix.language}}"

Provide feedback