security.yml

name: Security

on:
  schedule:
    - cron: '0 5 * * 1'  # Monday 05:00 UTC

permissions:
  contents: read

jobs:
  govulncheck:
    name: Vulnerability Scan
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-go@v5
        with:
          go-version: '1.25.9'
          cache: true

      - name: Install govulncheck
        run: go install golang.org/x/vuln/cmd/govulncheck@latest

      - name: Run govulncheck
        run: govulncheck ./...

  trivy:
    name: Trivy – ${{ matrix.service }}
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: read
      security-events: write
    strategy:
      fail-fast: false
      matrix:
        service: [mail-gateway, mail-worker, mail-admin, bouncemanagement]
    steps:
      - name: Login to GHCR
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Trivy – vulnerability scan
        uses: aquasecurity/trivy-action@v0.36.0
        with:
          image-ref: ghcr.io/${{ github.repository }}/${{ matrix.service }}:latest
          format: sarif
          output: trivy.sarif
          severity: CRITICAL,HIGH
          ignore-unfixed: true
          exit-code: '1'

      - name: Upload Trivy SARIF
        if: always()
        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: trivy.sarif
          category: trivy-weekly-${{ matrix.service }}

      - name: Trivy – generate SBOM (CycloneDX)
        uses: aquasecurity/trivy-action@v0.36.0
        with:
          image-ref: ghcr.io/${{ github.repository }}/${{ matrix.service }}:latest
          format: cyclonedx
          output: sbom-${{ matrix.service }}.cdx.json

      - name: Upload SBOM
        uses: actions/upload-artifact@v4
        with:
          name: sbom-weekly-${{ matrix.service }}
          path: sbom-${{ matrix.service }}.cdx.json
          retention-days: 90