# .github/workflows/cyberscope.yml — auto-generated by CyberScope v7.6
name: CyberScope Security Scan
on:
  push:
    branches: [main, master]
  pull_request:
    branches: [main, master]
  schedule:
    - cron: '0 3 * * 1'   # weekly, Mondays 03:00 UTC
  workflow_dispatch: {}

jobs:
  security-scan:
    runs-on: ubuntu-latest
    timeout-minutes: 25
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: '3.11'
      - name: Install CyberScope
        run: |
          curl -fsSL https://github.com/OWNER/REPO/releases/latest/download/takeover-scanner-v6.tar.gz -o cyberscope.tar.gz
          tar xzf cyberscope.tar.gz && cd takeover-scanner-v6
          pip install -r backend/requirements.txt
      - name: Run scan
        working-directory: takeover-scanner-v6
        run: |
          python3 cyberscope_cli.py scan '${{ vars.CYBERSCOPE_TARGET }}' \
            --depth shallow \
            --json /tmp/scan.json
      - name: Fail build on severity >= high
        working-directory: takeover-scanner-v6
        run: |
          python3 <<'PY'
          import json, sys
          data = json.load(open('/tmp/scan.json'))
          bad = [f for f in data.get('findings', [])
                 if f.get('severity') in {
                   'critical': ['critical'],
                   'high':     ['critical', 'high'],
                   'medium':   ['critical', 'high', 'medium'],
                   'low':      ['critical', 'high', 'medium', 'low'],
                   'info':     ['critical', 'high', 'medium', 'low', 'info'],
                 }.get('high', [])]
          if bad:
              print(f'::error::found {len(bad)} finding(s) at or above high')
              for f in bad[:20]:
                  print(f'::error file={f.get("url","?")}::{f.get("severity","?").upper()} · {f.get("type","?")} — {f.get("evidence","")[:120]}')
              sys.exit(1)
          print(f'no findings at/above high — OK')
          PY
      - name: Upload scan report
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: cyberscope-report
          path: /tmp/scan.json
