Merge pull request #2 from novanynx/novanynx-patch-1

Create security-scan.yml

Author: humor4fun

.github/workflows/security-scan.yml

@@ -0,0 +1,41 @@
+name: OpenGrep Triage and Remediation Prod
+
+permissions:
+  contents: read
+  id-token: write
+
+on:
+  workflow_dispatch:
+
+env:
+  OPENGREP_VERSION: "v1.16.1"
+
+jobs:
+  opengrep-scan-and-process:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Download OpenGrep
+        run: |
+          curl -sL "https://github.com/opengrep/opengrep/releases/download/${OPENGREP_VERSION}/opengrep_manylinux_x86" -o opengrep
+          chmod +x opengrep
+
+      - name: Run OpenGrep scan
+        run: |
+          ./opengrep scan --sarif --sarif-output=opengrep-results.sarif --config auto . || true
+
+      - name: Upload SARIF as artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: opengrep-sarif
+          path: opengrep-results.sarif
+          retention-days: 7
+
+      - name: AppSecAI Triage and Remediation
+        uses: AppSecureAI/automation-action@v1
+        with:
+          file: opengrep-results.sarif