Global Repository Security & Linting #5

	name: Global Repository Security & Linting

	on:
	push:
	branches: [ "main", "master" ]
	pull_request:
	branches: [ "main", "master" ]
	schedule:
	- cron: '0 0 * * 0' # Run weekly on Sunday

	jobs:
	secret-scanning:
	name: Secret Scanning
	runs-on: ubuntu-latest
	steps:
	- name: Checkout code
	uses: actions/checkout@v4
	with:
	fetch-depth: 0

	# TruffleHog is a free, powerful secret scanner
	- name: TruffleHog Secret Scan
	uses: trufflesecurity/trufflehog@main
	with:
	path: ./
	base: ${{ github.event.pull_request.base.sha }}
	head: ${{ github.ref }}
	extra_args: --debug --only-verified

	iac-security:
	name: IaC Security Scan (Trivy)
	runs-on: ubuntu-latest
	steps:
	- name: Checkout code
	uses: actions/checkout@v4

	# Trivy is free and excellent for IaC and container scanning
	- name: Run Trivy vulnerability scanner in fs mode
	uses: aquasecurity/trivy-action@master
	with:
	scan-type: 'fs'
	scan-ref: '.'
	trivy-config: trivy.yaml
	format: 'table'
	exit-code: '0' # Set to 1 in later phases to block PRs
	ignore-unfixed: true
	vuln-type: 'os,library'
	severity: 'CRITICAL,HIGH'

	linting:
	name: Super-Linter
	runs-on: ubuntu-latest
	steps:
	- name: Checkout Code
	uses: actions/checkout@v4
	with:
	fetch-depth: 0

	# Super-linter supports multiple languages and is free
	- name: Lint Code Base
	uses: github/super-linter@v5
	env:
	VALIDATE_ALL_CODEBASE: false
	DEFAULT_BRANCH: "main"
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	# Disable linters that might be too noisy initially
	VALIDATE_JSCPD: false
	VALIDATE_KUBERNETES_KUBEVAL: false

Provide feedback