Add Kusari security scan workflow

Kusari Security Scanner · Kusari Security Scanner · commit dd34791d42c9 · 2025-04-22T19:42:54.000Z
diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml
@@ -0,0 +1,44 @@
+name: Kusari Security Scan
+
+on:
+  # Run on pull requests
+  pull_request:
+    types: [opened, synchronize, reopened]
+  
+  # Run when triggered via API
+  workflow_dispatch:
+    inputs:
+      pr_number:
+        description: 'Pull request number'
+        required: false
+      sha:
+        description: 'Commit SHA to analyze'
+        required: false
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  security-scan:
+    name: Run Security Scan
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          # If triggered by workflow_dispatch with a SHA, use that SHA
+          ref: ${{ github.event.inputs.sha || github.sha }}
+
+      - name: Run Security Scanner
+        uses: Kusari-Sandbox/kusari-security-data@v1.0.0-beta1
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Upload scan results as artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: security-scan-results
+          path: security-scan-results.json
+          retention-days: 3
