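---
# Security CI: dependency vulnerability scanning for the Maven modules
# (Trivy) and the web UI (npm audit). Both jobs are read-only and fail
# the run on HIGH/CRITICAL findings.
#
# NOTE(review): third-party actions are referenced by version tag; pinning
# them to a full commit SHA would protect against a moved or re-tagged
# release (see GitHub's action-pinning guidance).
name: ci-security

on:  # yamllint disable-line rule:truthy
  push:
    branches: [main, master, develop]
  pull_request:
    branches: [main, master, develop]
  workflow_dispatch:

jobs:
  trivy-maven-modules:
    name: Trivy (Java / Maven manifests)
    runs-on: ubuntu-latest
    permissions:
      contents: read
    strategy:
      # Scan every module even if one of them fails, so a single finding
      # does not hide results for the other directory.
      fail-fast: false
      matrix:
        include:
          - scan-ref: services
          - scan-ref: java
    steps:
      - uses: actions/checkout@v4
      - name: Run Trivy filesystem scan
        uses: aquasecurity/trivy-action@v0.36.0
        with:
          scan-type: fs
          scan-ref: ${{ matrix.scan-ref }}
          scanners: vuln
          vuln-type: os,library
          severity: CRITICAL,HIGH
          # Non-zero exit makes HIGH/CRITICAL findings fail the job.
          exit-code: "1"
          # Trade-off: findings without an available fix are not reported,
          # so unfixable CRITICAL issues will not surface here.
          ignore-unfixed: true

  npm-audit-ui:
    name: npm audit (delivery-platform-ui)
    runs-on: ubuntu-latest
    permissions:
      contents: read
    defaults:
      run:
        working-directory: web/delivery-platform-ui
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: "20"
          cache: npm
          # cache-dependency-path is resolved from the repo root, not from
          # the job's working-directory.
          cache-dependency-path: web/delivery-platform-ui/package-lock.json
      - name: Install and audit
        # This job only audits the lockfile; skipping lifecycle scripts
        # means a compromised dependency's install hook cannot run here.
        # --audit-level=high fails the step on high/critical advisories.
        run: |
          npm ci --ignore-scripts
          npm audit --audit-level=high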