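---
# Security workflow: runs a Trivy filesystem scan, a dependency review on
# pull requests, and govulncheck against the Go packages.
name: Security

# Least-privilege default for every job; jobs that need more request it below.
permissions:
  contents: read

on:  # yamllint disable-line rule:truthy
  push:
    branches: [master, main, develop]
    paths-ignore:
      - "**.md"
      - "LICENSE.txt"
      - ".gitignore"
      - "context/**"
      - "TODO.md"
      - "examples/**/README.md"
  pull_request:
    branches: [master, main, develop]
    paths-ignore:
      - "**.md"
      - "LICENSE.txt"
      - ".gitignore"
      - "context/**"
      - "TODO.md"
      - "examples/**/README.md"
  schedule:
    # Run security scan weekly on Mondays at 00:00 UTC
    - cron: "0 0 * * 1"

jobs:
  trivy:
    name: Vulnerability Scan (Trivy)
    runs-on: ubuntu-latest
    permissions:
      contents: read
      # Required to publish the SARIF report to the repository's Code Scanning tab.
      security-events: write
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Run Trivy vulnerability scanner
        # NOTE(review): "master" is a mutable branch ref, so the action code can
        # change underneath this workflow between runs; pin to a release tag or
        # a full commit SHA once one is chosen.
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: "fs"
          scan-ref: "."
          format: "sarif"
          output: "trivy-results.sarif"
          severity: "CRITICAL,HIGH,MEDIUM"
          # No exit-code input is set, so findings are reported but do not fail the job.

      - name: Upload Trivy results to GitHub Code Scanning
        # Without this step the SARIF file is written to the runner and then discarded.
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: "trivy-results.sarif"

  dependency-review:
    name: Dependency Review
    runs-on: ubuntu-latest
    # The action diffs the PR's dependency changes, so it only makes sense on pull_request.
    if: github.event_name == 'pull_request'
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Dependency Review
        uses: actions/dependency-review-action@v4
        with:
          fail-on-severity: moderate

  govulncheck:
    name: Go Vulnerability Check
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version: "1.25"

      - name: Install govulncheck
        # NOTE(review): @latest resolves to whatever version is newest at run
        # time; pin a version for reproducible results.
        run: go install golang.org/x/vuln/cmd/govulncheck@latest

      - name: Run govulncheck
        # Scan every package except the examples and test trees. If the grep
        # filters remove every package, govulncheck is invoked with no package
        # arguments — confirm that is the intended behaviour.
        run: govulncheck $(go list ./... | grep -v '/examples/' | grep -v '/test/')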