From 89839198fdcc15d565e3ff242a86d8818776e85a Mon Sep 17 00:00:00 2001
From: john4064
Date: Thu, 26 Mar 2026 04:08:34 +0000
Subject: [PATCH] Add .github/workflows/security.yaml

---
 .github/workflows/security.yaml | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)
 create mode 100644 .github/workflows/security.yaml

diff --git a/.github/workflows/security.yaml b/.github/workflows/security.yaml
new file mode 100644
index 0000000..8c74559
--- /dev/null
+++ b/.github/workflows/security.yaml
@@ -0,0 +1,29 @@
+name: Security Scan
+on: [push, pull_request]
+jobs:
+  trivy:
+    runs-on: nas
+    steps:
+      - uses: actions/checkout@v4
+      - name: Run Trivy
+        run: |
+          docker run --rm \
+            -v ${{ github.workspace }}:/workspace \
+            aquasec/trivy:latest fs \
+            --exit-code 1 \
+            --severity HIGH,CRITICAL \
+            /workspace
+      - name: Run Semgrep
+        run: |
+          docker run --rm \
+            -v ${{ github.workspace }}:/src \
+            returntocorp/semgrep semgrep \
+            --config=auto \
+            --error /src
+      - name: Run Gitleaks
+        run: |
+          docker run --rm \
+            -v ${{ github.workspace }}:/repo \
+            zricethezav/gitleaks:latest detect \
+            --source /repo \
+            --exit-code 1
\ No newline at end of file
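Review bot: `runs-on: nas` puts a persistent self-hosted runner behind an `on: [push, pull_request]` trigger, so if this repository is public or accepts fork pull requests, any PR author gets their tree checked out on that host and fed to three scanners that run with the host's Docker socket; either drop `pull_request` for forks (`pull_request_target` with no checkout of the head, or a same-repo condition) or move this job to a hosted runner. The scanner images are unpinned (`aquasec/trivy:latest`, `returntocorp/semgrep` with no tag at all — that looks like the older image name, `semgrep/semgrep` appears to be current — and `zricethezav/gitleaks:latest`), so a security gate pulls whatever the registry serves on each run; pin each to an `@sha256:` digest and pin `actions/checkout` to a commit SHA rather than `@v4`. No `permissions:` block is declared, so the job inherits the default token scope although nothing here writes back; add `permissions:` with `contents: read` at the top level. `actions/checkout@v4` performs a shallow clone by default, so the Gitleaks `detect` step only sees the tip commit and cannot find secrets that were committed and later removed; add `with:` / `fetch-depth: 0` to the checkout step if history scanning is the intent. Note also that Semgrep's `--config=auto` fetches rules from the Semgrep registry and, as I understand it, sends project metadata with the request on every run, so set `SEMGREP_SEND_METRICS=off` or use a vendored ruleset if that is unwanted.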