feat: add GitHub Actions workflow for automated security scanning

Author: jumalaw98

.github/workflows/security.yml

@@ -190,7 +190,7 @@ jobs:
 
       - name: Check for tracked .env files
         run: |
-          ENV_FILES=$(git ls-files | awk '/\.env$/')
+          ENV_FILES=$(git ls-files | awk '/(^|\/)\.env($|\.)/ && !/\.(example|template|sample)$/')
 
           if [ -n "$ENV_FILES" ]; then
             echo "::error::Found committed .env files. These files usually contain secrets and should not be tracked by git."
@@ -200,4 +200,23 @@ jobs:
             echo "And ensure they are listed in .gitignore before committing."
             exit 1
           fi
-          echo "No tracked .env files found."
+
+          TEMPLATE_FILES=$(git ls-files | awk '/(^|\/)\.env\.(example|template|sample)$/')
+          if [ -n "$TEMPLATE_FILES" ]; then
+            for file in $TEMPLATE_FILES; do
+              # 1. Known high-entropy prefixes: eyJ (JWTs), sk_test_/sk_live_/whsec_ (Stripe), gh[pousr]_ (GitHub)
+              SUSPICIOUS=$(grep -E '=(eyJ|sk_(test|live)_|whsec_|gh[pousr]_)' "$file" || true)
+              # 2. Generic 32+ char alphanumerics, ignoring usual placeholder words
+              GENERIC=$(grep -E '=[a-zA-Z0-9]{32,}' "$file" | grep -v -i -E '(your|example|dummy|mock|insert|here)' || true)
+              
+              if [ -n "$SUSPICIOUS" ] || [ -n "$GENERIC" ]; then
+                echo "::error::File $file contains what looks like actual key patterns."
+                [ -n "$SUSPICIOUS" ] && echo "$SUSPICIOUS"
+                [ -n "$GENERIC" ] && echo "$GENERIC"
+                echo "Please ensure templates only contain empty values or placeholders (e.g., 'your_key_here')."
+                exit 1
+              fi
+            done
+          fi
+
+          echo "No tracked .env files found, and templates are clean."