ci: add security scanning workflow with Gitleaks, Trivy, and npm audit

Runs on push to main, PRs, weekly cron (Monday 06:00 UTC), and manual
dispatch. Gitleaks detects leaked secrets, Trivy scans the filesystem
for known CVEs, and npm audit checks production dependencies.

Closes #42

Signed-off-by: Sebastien Tardif <sebtardif@ncf.ca>

Author: SebTardif

.github/workflows/security.yml

@@ -1,81 +1,76 @@
-name: Security
+name: security
 
 on:
-  pull_request:
-    branches: [main]
   push:
     branches: [main]
+  pull_request:
   schedule:
-    - cron: "0 6 * * 1"  # Monday 6am UTC
+    - cron: "0 6 * * 1"
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 concurrency:
   group: security-${{ github.ref }}
   cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
 
-permissions:
-  contents: read
-
 jobs:
+  gitleaks:
+    name: Secret detection
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+
+      - name: Gitleaks
+        uses: gitleaks/gitleaks-action@v2
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
   trivy:
-    name: Trivy
-    runs-on:
-      - self-hosted
-      - macOS
-      - ARM64
-      - patchloom-vscode
+    name: Vulnerability scan
+    runs-on: ubuntu-latest
     timeout-minutes: 10
     steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@v2
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v6
         with:
-          egress-policy: audit
-      - uses: actions/checkout@v6
-      - name: Install Trivy
-        run: |
-          if ! command -v trivy &>/dev/null; then
-            brew install trivy
-          fi
+          node-version-file: .nvmrc
+          cache: npm
+
+      - name: Install dependencies
+        run: npm ci
+
       - name: Trivy filesystem scan
-        run: trivy fs --scanners vuln --severity HIGH,CRITICAL --exit-code 1 --ignore-unfixed .
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: fs
+          severity: HIGH,CRITICAL
+          exit-code: 1
 
-  gitleaks:
-    name: Gitleaks
-    runs-on:
-      - self-hosted
-      - macOS
-      - ARM64
-      - patchloom-vscode
+  npm-audit:
+    name: npm audit
+    runs-on: ubuntu-latest
     timeout-minutes: 5
     steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@v2
-        with:
-          egress-policy: audit
-      - uses: actions/checkout@v6
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v6
         with:
-          fetch-depth: 0
-      - name: Install gitleaks
-        env:
-          GITLEAKS_VERSION: "8.30.1"
-        run: |
-          if command -v gitleaks &>/dev/null; then
-            echo "gitleaks already installed"
-            exit 0
-          fi
-          archive="${RUNNER_TEMP}/gitleaks.tar.gz"
-          bindir="${RUNNER_TEMP}/gitleaks-bin"
-          mkdir -p "$bindir"
-          case "$(uname -s)-$(uname -m)" in
-            Linux-x86_64)  platform="linux_x64" ;;
-            Linux-aarch64) platform="linux_arm64" ;;
-            Darwin-x86_64) platform="darwin_x64" ;;
-            Darwin-arm64)  platform="darwin_arm64" ;;
-            *) echo "Unsupported platform: $(uname -s)-$(uname -m)" >&2; exit 1 ;;
-          esac
-          curl --retry 5 --retry-all-errors --retry-delay 2 -sSfL \
-            -o "$archive" \
-            "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_${platform}.tar.gz"
-          tar -xzf "$archive" -C "$bindir" gitleaks
-          printf '%s\n' "$bindir" >> "$GITHUB_PATH"
-      - run: gitleaks detect --source . --exit-code 1
+          node-version-file: .nvmrc
+          cache: npm
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Audit production dependencies
+        run: npm audit --audit-level=high --omit=dev