tercul-backend/.github/workflows/security.yml
Damir Mukimov e428d18b0d
feat: Restructure workflows following Single Responsibility Principle
- Remove old monolithic workflows (ci.yml, ci-cd.yml, cd.yml)
- Add focused workflows: lint.yml, test.yml, build.yml, security.yml, docker-build.yml, deploy.yml
- Each workflow has a single, clear responsibility
- Follow 2025 best practices with semantic versioning, OIDC auth, build attestations
- Add comprehensive README.md with workflow documentation
- Configure Dependabot for automated dependency updates

Workflows now run independently and can be triggered separately for better CI/CD control.
2025-11-27 04:52:48 +01:00


```yaml
name: Security

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    # Run CodeQL scan every Monday at 14:20 UTC
    - cron: "20 14 * * 1"

jobs:
  codeql-analysis:
    name: CodeQL Security Scan
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write

    steps:
      - name: Checkout code
        uses: actions/checkout@v5

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: go
          # Optionally use security-extended for more comprehensive scanning
          # queries: security-extended

      - name: Setup Go
        uses: actions/setup-go@v5
        with:
          go-version: "1.25"
          cache: true

      - name: Install dependencies
        run: go mod download

      - name: Build for analysis
        run: go build -v ./...

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "backend-security"
```
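The job above pins its GITHUB_TOKEN to the three scopes CodeQL needs. The following is an added example, not code from the tercul-backend repository, that audits a workflow file for that least-privilege shape; it assumes a stdlib-only indentation scanner is enough for `permissions:` mappings written like the one above, and the GOOD/BAD workflow strings are constructed samples.

```python
# Added example (not part of tercul-backend): audit the GITHUB_TOKEN scopes a
# workflow declares, stdlib only. It scans `permissions:` mappings as written
# in the job above rather than parsing full YAML (assumed sufficient here).
import re

# Scopes a CodeQL scan job only needs to read; write on them is a red flag.
READ_ONLY_SCOPES = {"contents", "actions"}

def parse_permissions(workflow_text: str) -> list[dict[str, str]]:
    """Return one {scope: level} dict per `permissions:` block found."""
    blocks, lines, i = [], workflow_text.splitlines(), 0
    while i < len(lines):
        m = re.match(r"^(\s*)permissions:\s*(\S+)?\s*$", lines[i])
        i += 1
        if not m:
            continue
        if m.group(2):                      # shorthand: write-all / read-all
            blocks.append({"*": m.group(2)})
            continue
        indent, scopes = len(m.group(1)), {}
        while i < len(lines):
            line = lines[i]
            if line.strip() and len(line) - len(line.lstrip()) <= indent:
                break                       # dedent ends the mapping
            kv = re.match(r"^\s*([\w-]+):\s*(\S+)\s*$", line)
            if kv:
                scopes[kv.group(1)] = kv.group(2)
            i += 1
        blocks.append(scopes)
    return blocks

def find_violations(workflow_text: str) -> list[str]:
    """Least-privilege findings for a read-only scanning workflow."""
    blocks = parse_permissions(workflow_text)
    if not blocks:
        return ["no permissions block: token falls back to repository default"]
    found = []
    for scopes in blocks:
        if scopes.get("*") == "write-all":
            found.append("write-all grants every scope")
        for scope in sorted(READ_ONLY_SCOPES & scopes.keys()):
            if scopes[scope] == "write":
                found.append(f"{scope}: write exceeds what a scan needs")
    return found

# Constructed samples: the job above (good) and a loosened variant (bad).
GOOD = "jobs:\n  codeql:\n    permissions:\n      actions: read\n      contents: read\n      security-events: write\n    steps: []\n"
BAD = "permissions: write-all\njobs:\n  codeql:\n    permissions:\n      contents: write\n      security-events: write\n"
```

Running `find_violations` over each workflow under `.github/workflows/` in CI gives an early warning when a job quietly widens its token beyond what the scan requires.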