Show backend mode (local/remote) in verbose journal output (#1097) #603

	name: Security Scanning

	on:
	schedule:
	- cron: '0 6 * * 1' # Weekly on Monday at 6 AM UTC
	push:
	branches: [ main ]
	workflow_dispatch:

	jobs:
	dependency-scan:
	name: Dependency Vulnerability Scan
	runs-on: ubuntu-latest

	steps:
	- uses: actions/checkout@v4

	- name: Set up Python 3.11
	uses: actions/setup-python@v5
	with:
	python-version: "3.11"

	- name: Install dependencies
	run: \|
	python -m pip install --upgrade pip
	pip install safety bandit semgrep

	- name: Run safety check
	run: \|
	safety check --json --output safety-report.json
	continue-on-error: true

	- name: Run bandit security linter
	run: \|
	bandit -r src/ -f json -o bandit-report.json
	continue-on-error: true

	- name: Run semgrep security scan
	run: \|
	semgrep --config=auto src/ --json --output=semgrep-report.json
	continue-on-error: true

	- name: Upload security reports
	uses: actions/upload-artifact@v4
	with:
	name: security-scan-results
	path: \|
	safety-report.json
	bandit-report.json
	semgrep-report.json

	codeql:
	name: CodeQL Analysis
	runs-on: ubuntu-latest
	permissions:
	actions: read
	contents: read
	security-events: write

	steps:
	- name: Checkout repository
	uses: actions/checkout@v4

	- name: Initialize CodeQL
	uses: github/codeql-action/init@v3
	with:
	languages: python
	continue-on-error: true

	- name: Autobuild
	uses: github/codeql-action/autobuild@v3
	continue-on-error: true

	- name: Perform CodeQL Analysis
	uses: github/codeql-action/analyze@v3
	continue-on-error: true

Provide feedback