From b4ee70916a3b32a2fe04fe51d0f44cfe289f07f2 Mon Sep 17 00:00:00 2001
From: Jordan Wildon <88871159+proseltd@users.noreply.github.com>
Date: Thu, 13 Nov 2025 22:19:13 +0000
Subject: [PATCH] Replace CI with shared security-suite workflow (preserving deployment workflows where required)

---
 .github/workflows/security-suite.yml | 32 ++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)
 create mode 100644 .github/workflows/security-suite.yml

diff --git a/.github/workflows/security-suite.yml b/.github/workflows/security-suite.yml
new file mode 100644
index 0000000..710957c
--- /dev/null
+++ b/.github/workflows/security-suite.yml
@@ -0,0 +1,32 @@
+name: security-suite
+
+on:
+  pull_request:
+  push:
+    branches: [ main ]
+  schedule:
+    - cron: '0 2 * * *'
+
+jobs:
+  dependency-review:
+    if: ${{ github.event_name == 'pull_request' && github.repository != 'prose-intelligence-ltd/.github' }}
+    uses: prose-intelligence-ltd/.github/.github/workflows/dependency-review.yml@main
+
+  gitleaks:
+    uses: prose-intelligence-ltd/.github/.github/workflows/gitleaks.yml@main
+
+  iac-checkov:
+    uses: prose-intelligence-ltd/.github/.github/workflows/checkov.yml@main
+    with:
+      directory: .
+      framework: terraform,kubernetes,cloudformation
+
+  threat-model-lint:
+    uses: prose-intelligence-ltd/.github/.github/workflows/threat-model-lint.yml@main
+    with:
+      path: docs/threat-model.md
+
+  sast-semgrep:
+    uses: prose-intelligence-ltd/.github/.github/workflows/semgrep.yml@main
+    with:
+      config: p/ci
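Review bot: All five `uses:` lines in the new jobs block pin the shared workflows to the mutable `@main` ref, so any push to — or compromise of — the default branch of `prose-intelligence-ltd/.github` is executed on every PR and on the nightly schedule of every consuming repository without review; for a workflow whose whole purpose is security gating, pin each reference to a full commit SHA, e.g. `uses: prose-intelligence-ltd/.github/.github/workflows/gitleaks.yml@<40-char-sha>  # vX.Y`, and let Dependabot/Renovate (both track `uses:` refs in workflow files) raise the bump PRs. The workflow also declares no top-level `permissions:`, so each job inherits the repository's default `GITHUB_TOKEN` grant, which on older repositories is still write-all; add `permissions:` / `  contents: read` at workflow level and let each called workflow request only what it needs (presumably `pull-requests: write` for dependency-review comments and `security-events: write` for Semgrep SARIF upload — confirm against the callee definitions, which are not in this patch). The `if:` guard on `dependency-review` correctly skips the job on `push`/`schedule`, but the other four jobs run on `pull_request` from forks with a read-only token, so any step in the callees that writes to the repo or to the Security tab will fail there rather than gate; worth a comment above `on:` stating that expectation.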