From 3fdf169231bc9839e51bc0a8b120a9956e9c998a Mon Sep 17 00:00:00 2001
From: ngmisl
Date: Fri, 23 May 2025 10:55:22 +0200
Subject: [PATCH 1/3] Create security-scan.yaml
---
.github/workflows/security-scan.yaml | 91 ++++++++++++++++++++++++++++
1 file changed, 91 insertions(+)
create mode 100644 .github/workflows/security-scan.yaml
diff --git a/.github/workflows/security-scan.yaml b/.github/workflows/security-scan.yaml
new file mode 100644
index 00000000..6edf918e
--- /dev/null
+++ b/.github/workflows/security-scan.yaml
@@ -0,0 +1,91 @@
+name: Vibecondom Security Scan
+
+on:
+ push:
+ branches: [ main, master ]
+ pull_request:
+ branches: [ main, master ]
+ schedule:
+ # Weekly scan on Sundays
+ - cron: '0 0 * * 0'
+
+jobs:
+ security-scan:
+ name: Run Vibecondom Security Scan
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v3
+ with:
+ fetch-depth: 0
+
+ - name: Set up Go
+ uses: actions/setup-go@v5
+ with:
+ go-version: '1.24'
+
+ - name: Run Vibecondom
+ run: |
+ # Store current directory (root of the repo being scanned)
+ SCAN_TARGET_DIR=$(pwd)
+
+ # Create a temporary directory for the vibecondom tool source
+ VIBECONDOM_TOOL_DIR=$(mktemp -d)
+ echo "Cloning vibe-condom tool into $VIBECONDOM_TOOL_DIR..."
+ git clone --depth 1 https://github.com/ngmisl/vibe-condom.git "$VIBECONDOM_TOOL_DIR"
+
+ echo "Building vibecondom tool in $VIBECONDOM_TOOL_DIR..."
+ cd "$VIBECONDOM_TOOL_DIR"
+ go build -o vibecondom .
+ # Verify the build
+ if [ ! -f vibecondom ]; then
+ echo "::error::Failed to build vibecondom tool in $VIBECONDOM_TOOL_DIR"
+ exit 1
+ fi
+ echo "Vibecondom tool built successfully."
+ ls -la # Show contents of VIBECONDOM_TOOL_DIR
+
+ # Go back to the original directory to scan it
+ cd "$SCAN_TARGET_DIR"
+ echo "Current directory for scanning: $(pwd)"
+ ls -la # Show current directory structure for debugging
+
+ # Run the security scan on the current directory using the built tool
+ echo "Running scan with $VIBECONDOM_TOOL_DIR/vibecondom..."
+ "$VIBECONDOM_TOOL_DIR/vibecondom" -mode=local -target "." -log-level debug -exclude-files "README.md"
+
+ # Check if any issues were found
+ exit_code=$?
+ if [ $exit_code -eq 2 ]; then
+ echo "::warning::Vibecondom found potential security issues. Check the logs above for details."
+ exit $exit_code # Fail the step if issues are found
+ elif [ $exit_code -ne 0 ]; then
+ echo "::error::Vibecondom exited with error code $exit_code. Check application logs for details."
+ exit $exit_code # Fail the step on other errors
+ else
+ echo "Vibecondom scan completed successfully with exit code $exit_code."
+ fi
+
+ # Cleanup the temporary directory
+ echo "Cleaning up $VIBECONDOM_TOOL_DIR..."
+ rm -rf "$VIBECONDOM_TOOL_DIR"
+ env:
+ # Enable debug output
+ RUNNER_DEBUG: 1
+
+ # Save output to a file
+ working-directory: ${{ github.workspace }}
+
+ - name: Upload scan results
+ if: always()
+ uses: actions/upload-artifact@v4
+ with:
+ name: security-scan-results
+ path: |
+ *.log
+ *.json
+ vibecondom-output-*.txt
+ compression-level: 9
+ retention-days: 7
+ if-no-files-found: warn
From 4ef129ebbcea0ef07276250c452fdea20a15e398 Mon Sep 17 00:00:00 2001
From: ngmisl
Date: Mon, 26 May 2025 09:08:33 +0200
Subject: [PATCH 2/3] Update security-scan.yaml
---
.github/workflows/security-scan.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/security-scan.yaml b/.github/workflows/security-scan.yaml
index 6edf918e..94c639fc 100644
--- a/.github/workflows/security-scan.yaml
+++ b/.github/workflows/security-scan.yaml
@@ -53,7 +53,7 @@ jobs:
# Run the security scan on the current directory using the built tool
echo "Running scan with $VIBECONDOM_TOOL_DIR/vibecondom..."
- "$VIBECONDOM_TOOL_DIR/vibecondom" -mode=local -target "." -log-level debug -exclude-files "README.md"
+ "$VIBECONDOM_TOOL_DIR/vibecondom" -mode=local -target "." -log-level warn -exclude-files "README.md"
# Check if any issues were found
exit_code=$?
From 8b5ea9146da323d0238b5a6ace331053e06c9817 Mon Sep 17 00:00:00 2001
From: ngmisl
Date: Mon, 26 May 2025 09:27:28 +0200
Subject: [PATCH 3/3] Update security-scan.yaml
---
.github/workflows/security-scan.yaml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/security-scan.yaml b/.github/workflows/security-scan.yaml
index 94c639fc..6214ce6f 100644
--- a/.github/workflows/security-scan.yaml
+++ b/.github/workflows/security-scan.yaml
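Review bot: The scan step clones the scanner from the default branch of a third-party repository (`git clone --depth 1 https://github.com/ngmisl/vibe-condom.git`) and builds and executes it unpinned, so anyone who can push to that branch gets arbitrary code execution in this job, with the repository's `GITHUB_TOKEN`, on every push, pull request and weekly run; the mutable `actions/checkout@v3` tag has the same problem in milder form. Pin the tool to a reviewed commit (clone, then `git -C "$VIBECONDOM_TOOL_DIR" checkout --detach "$VIBECONDOM_REF"`), pin the actions by SHA, and add a top-level `permissions: contents: read` so a compromised scanner cannot write to the repository. Independently, `exit_code=$?` is unreachable when the scan fails: without a `shell:` key GitHub runs the script under `bash -e`, so a non-zero exit from `vibecondom` aborts the step before the `if [ $exit_code -eq 2 ]` branch, making the `::warning::` path dead code — capture the status on the command itself as in the excerpt below. The `if: always()` upload also collects whatever `*.log` and `*.json` exist in the checkout rather than scanner output, since nothing in the run step writes `vibecondom-output-*.txt` and the `# Save output to a file` comment sits over `working-directory`, which saves nothing; either redirect the scan output to that file or drop the patterns.
```yaml
permissions:
  contents: read

# … unchanged: on:, jobs:, checkout and setup-go steps …

      - name: Run Vibecondom
        run: |
          SCAN_TARGET_DIR=$(pwd)
          VIBECONDOM_TOOL_DIR=$(mktemp -d)
          # Full clone (no --depth 1) so the pinned commit below can be checked out.
          git clone https://github.com/ngmisl/vibe-condom.git "$VIBECONDOM_TOOL_DIR"
          git -C "$VIBECONDOM_TOOL_DIR" checkout --detach "$VIBECONDOM_REF"
          # … unchanged: go build and build verification …
          cd "$SCAN_TARGET_DIR"
          # The runner's default `bash -e` would abort the step on a non-zero exit
          # before `$?` could be read, so capture the status on the command itself.
          exit_code=0
          "$VIBECONDOM_TOOL_DIR/vibecondom" -mode=local -target "." -log-level debug -exclude-files "README.md" || exit_code=$?
          # … unchanged: exit-code branching and cleanup …
        env:
          RUNNER_DEBUG: 1
          # Commit of ngmisl/vibe-condom that was reviewed; bump it deliberately.
          VIBECONDOM_REF: "<pinned-commit-sha>"
```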
@@ -13,7 +13,7 @@ jobs:
security-scan:
name: Run Vibecondom Security Scan
runs-on: ubuntu-latest
-
+
steps:
- name: Checkout code
uses: actions/checkout@v3
@@ -53,7 +53,7 @@ jobs:
# Run the security scan on the current directory using the built tool
echo "Running scan with $VIBECONDOM_TOOL_DIR/vibecondom..."
- "$VIBECONDOM_TOOL_DIR/vibecondom" -mode=local -target "." -log-level warn -exclude-files "README.md"
+ "$VIBECONDOM_TOOL_DIR/vibecondom" -mode=local -target "." -log-level warn -exclude-files "README.md" -decode-base64
# Check if any issues were found
exit_code=$?
@@ -73,7 +73,7 @@ jobs:
env:
# Enable debug output
RUNNER_DEBUG: 1
-
+
# Save output to a file
working-directory: ${{ github.workspace }}
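Review bot: The `-decode-base64` switch is appended to the scan command with no comment on why it is needed, and its effect cannot be confirmed from the workflow alone; a hedged note such as `# -decode-base64: presumably also inspects base64-encoded blobs — confirm against the vibe-condom docs` above the command would spare the next reader a trip to the tool's source. If the flag does make the scanner decode and parse arbitrary base64 found in the checkout, then on `pull_request` runs that input is chosen by the PR author, which is one more reason to build the scanner from a pinned commit rather than its default branch. The enclosing `run:` script starts and ends outside this hunk.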