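---
# Security scan workflow.
# Runs Bandit (static analysis of core_system/) and Safety (known-vulnerable
# dependency check) on pushes and pull requests to main/master, then uploads
# both reports as the "security-reports" artifact.
#
# Findings are advisory: a non-zero scanner status raises a warning annotation
# but does not fail the job. A scanner that produces no report at all does
# fail the job, because that means the control did not run.
# NOTE(review): to make this a merge gate, treat a non-zero scanner status as
# a job failure once the existing findings have been triaged.
name: Security Scan & Auto-Guardian

on:
  push:
    branches: [main, master]
  pull_request:
    branches: [main, master]

# Least privilege: nothing below writes to the repository, so the
# GITHUB_TOKEN is restricted to read-only access to contents.
permissions:
  contents: read

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): actions are referenced by mutable tags. Pinning each
      # `uses:` to a full commit SHA prevents a retagged release from
      # changing what runs in this job.
      - uses: actions/checkout@v3
        with:
          # Later steps pip-install third-party packages, which can run
          # arbitrary code; do not leave the token in the local git config.
          persist-credentials: false

      - name: Set up Python
        uses: actions/setup-python@v4
        with:
          python-version: '3.11'

      - name: Install dependencies
        # NOTE(review): bandit and safety are installed unpinned, so scanner
        # behaviour can change between runs; consider pinning versions.
        run: |
          python -m pip install --upgrade pip
          if [ -f core_system/requirements.txt ]; then
            pip install -r core_system/requirements.txt
          fi
          pip install bandit safety

      - name: Run Security Scan (Bandit)
        run: |
          # Capture the exit status instead of discarding it with `|| true`,
          # so findings are visible on the run summary.
          status=0
          bandit -r core_system/ -f json -o security-report.json || status=$?
          if [ ! -s security-report.json ]; then
            echo "::error::Bandit produced no report (exit status ${status})"
            exit 1
          fi
          if [ "${status}" -ne 0 ]; then
            echo "::warning::Bandit exited with status ${status}; see security-report.json"
          fi

      - name: Run Dependency Check (Safety)
        run: |
          # Keep the output in a file so it is archived with the Bandit
          # report rather than living only in the step log.
          status=0
          safety check > safety-report.txt 2>&1 || status=$?
          cat safety-report.txt
          if [ "${status}" -ne 0 ]; then
            echo "::warning::Safety exited with status ${status}; see safety-report.txt"
          fi

      - name: Upload Scan Results
        # Upload whatever reports exist even when an earlier step failed.
        if: ${{ !cancelled() }}
        # v3 of this action has been retired on github.com; v4 is the
        # supported major version.
        uses: actions/upload-artifact@v4
        with:
          name: security-reports
          path: |
            security-report.json
            safety-report.txt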