name: Security Scan on: push: branches: - main pull_request: branches: - main schedule: # Weekly scan every Monday at 06:00 UTC - cron: '0 6 * * 1' permissions: contents: read jobs: codeql: name: CodeQL Analysis runs-on: ubuntu-latest permissions: security-events: write actions: read contents: read strategy: fail-fast: false matrix: language: - javascript-typescript - python steps: - name: Checkout repository uses: actions/checkout@v7 - name: Initialize CodeQL uses: github/codeql-action/init@v3 with: languages: ${{ matrix.language }} - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v3 with: category: "/language:${{ matrix.language }}" dependency-review: name: Dependency Review runs-on: ubuntu-latest # Dependency review only runs on pull requests. if: github.event_name == 'pull_request' permissions: contents: read pull-requests: write steps: - name: Checkout repository uses: actions/checkout@v7 - name: Dependency Review uses: actions/dependency-review-action@v4 with: comment-summary-in-pr: on-failure