
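# Security scanning workflow: runs govulncheck and Trivy against the
# repository on pushes to main, on pull requests and on a weekly schedule.
name: security

on:
  push:
    branches:
      - main
  # Bare value is intentional: GitHub runs the jobs on the default
  # pull_request activity types (opened, synchronize, reopened).
  pull_request:
  schedule:
    # Weekly, Sunday 00:00 UTC
    - cron: "0 0 * * 0"

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  # Only cancel superseded runs for pull requests. Pushes to main and the
  # weekly schedule both resolve to refs/heads/main and so share one
  # group; an unconditional `true` lets a later event cancel an in-flight
  # scan of main, whose findings are then never reported.
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}

# Workflow-wide defaults. A job that declares its own `permissions` block
# replaces these entirely, so each job below is expected to request only
# what it needs. `security-events: write` is presumably for uploading
# scan results to the Security tab — confirm against the upload step.
permissions:
  contents: read
  security-events: write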
jobs:
govulncheck:
  name: Vulnerability Scan
  runs-on: ubuntu-latest
  # Replaces the workflow-level defaults: this job only reads the tree,
  # it uploads nothing, so no `security-events` scope is requested.
  permissions:
    contents: read
  steps:
    # Every action is pinned to a commit SHA; the trailing comment records
    # the tag that SHA corresponds to.
    - uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
      name: Harden the runner (Audit all outbound calls)
      with:
        # `audit` only records outbound calls; it does not block them.
        egress-policy: audit
    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      with:
        # Do not leave the job token in .git/config for later steps.
        persist-credentials: false
    - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
      with:
        # Toolchain version comes from go.mod; check-latest resolves the
        # newest matching release instead of settling for the runner cache.
        go-version-file: go.mod
        check-latest: true
    - name: Install govulncheck
      # `@latest` is resolved at run time, so each run uses the newest
      # govulncheck client.
      run: |-
        go install golang.org/x/vuln/cmd/govulncheck@latest
    - name: Run govulncheck
      # Scans every package in the module against the Go vulnerability DB.
      run: |-
        govulncheck ./...
trivy:
name: Trivy Security Scan
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
actions: read
steps:
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
with:
egress-policy: audit
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
with:
scan-type: 'fs'
scan-ref: '.'
severity: 'HIGH,CRITICAL'