Merge pull request #42 from testsigmahq/chore/security-fixes

chore: add security vulnerability scan workflow and update gitignore

Author: vikram-chaitanya

.github/workflows/security-scan.yml

@@ -0,0 +1,39 @@
+name: Security Vulnerability Scan
+
+on:
+  workflow_dispatch:
+
+jobs:
+  grype-scan:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Setup Java version
+        uses: actions/setup-java@v3
+        with:
+          java-version: '11'
+          distribution: 'zulu'
+
+      - name: Download dependencies
+        run: ./gradlew dependencies --no-daemon
+
+      - name: Install Grype
+        run: curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin
+
+      - name: Run Grype vulnerability scanner
+        run: |
+          GRADLE_CACHE="$HOME/.gradle/caches/modules-2/files-2.1"
+          echo "Scanning Gradle cache: $(find $GRADLE_CACHE -name '*.jar' | wc -l) JARs found"
+          grype "dir:$GRADLE_CACHE" \
+            --output table
+          grype "dir:$GRADLE_CACHE" \
+            --output sarif > grype-results.sarif
+
+      - name: Upload scan results as artifact
+        uses: actions/upload-artifact@v4
+        if: always()
+        with:
+          name: grype-scan-results
+          path: 'grype-results.sarif'

.gitignore

@@ -3,4 +3,5 @@
 build
 .gradle
 .idea
-.DS_STORE
+.DS_STORE
+.claude/*