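# Weekly repository hygiene scan: prints the Gradle runtime dependency tree,
# then runs three grep-based heuristics (risky code constructs, credential-like
# strings, and prompt-injection phrasing). The greps are coarse, line-based
# checks; a match means "review this", not "confirmed issue".
#
# Action refs below are mutable tags. Pinning each one to a full commit SHA
# (uses: owner/action@<full-commit-sha>  # v4) keeps a retagged release from
# changing what runs in this job.
name: Scheduled Security Scan

on:
  schedule:
    # 03:17 UTC every Monday.
    - cron: "17 3 * * 1"
  workflow_dispatch:

# Least privilege: the job only reads the repository, so the GITHUB_TOKEN is
# restricted to read-only contents instead of the repository default.
permissions:
  contents: read

jobs:
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          # No later step needs authenticated git access, so do not leave the
          # token in .git/config where ./gradlew and build scripts could read it.
          persist-credentials: false

      - name: Set up Java
        uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: "21"

      - name: Gradle dependency report
        working-directory: create-limited-draining
        run: ./gradlew dependencies --configuration runtimeClasspath --no-daemon

      - name: Suspicious code pattern scan
        shell: bash
        run: |
          # Skip VCS metadata, build output, and this workflow file (which
          # contains the patterns themselves and would always match).
          grep_excludes=(
            --exclude-dir=.git
            --exclude-dir=.codex-agent-repository-kit
            --exclude-dir=.gradle
            --exclude-dir=build
            --exclude-dir=run
            --exclude=security-scan.yml
          )
          patterns=(
            'eval\s*\('
            'new Function\s*\('
            'Runtime\.getRuntime\(\)\.exec'
            'ProcessBuilder\s*\('
            'curl .*sh'
            'wget .*sh'
          )
          found=0
          scan_failed=0
          for pattern in "${patterns[@]}"; do
            # grep exits 0 on a match, 1 on no match, and >1 on error (for
            # example an unreadable path), even if it also printed matches.
            # Record errors so a broken scan cannot pass as a clean one.
            rc=0
            grep -RInE "${grep_excludes[@]}" -e "$pattern" . || rc=$?
            if [ "$rc" -eq 0 ]; then
              found=1
            elif [ "$rc" -ne 1 ]; then
              echo "grep exited with status $rc while scanning for: $pattern" >&2
              scan_failed=1
            fi
          done
          if [ "$found" -eq 1 ]; then
            echo "Suspicious code patterns were found. Review the matches above."
            exit 1
          fi
          if [ "$scan_failed" -eq 1 ]; then
            echo "The scan did not complete cleanly; treating the result as a failure." >&2
            exit 2
          fi

      - name: Secret and config leak scan
        shell: bash
        run: |
          # Matching lines are printed verbatim, so a real credential will also
          # appear in this job's log. Treat any true positive as exposed and
          # rotate it; removing the line from the repository is not enough.
          grep_excludes=(
            --exclude-dir=.git
            --exclude-dir=.codex-agent-repository-kit
            --exclude-dir=.gradle
            --exclude-dir=build
            --exclude-dir=run
            --exclude=security-scan.yml
          )
          patterns=(
            'BEGIN (RSA |EC |OPENSSH |)PRIVATE KEY'
            'AKIA[0-9A-Z]{16}'
            'xox[baprs]-[0-9A-Za-z-]+'
            'gh[pousr]_[0-9A-Za-z_]+'
            'sk-[A-Za-z0-9]{20,}'
            'api[_-]?key\s*=\s*["'\'']?[A-Za-z0-9_\-]{20,}'
            'token\s*=\s*["'\'']?[A-Za-z0-9_\-]{20,}'
            'password\s*=\s*["'\'']?[^[:space:]]{8,}'
          )
          found=0
          scan_failed=0
          for pattern in "${patterns[@]}"; do
            # Exit status >1 means grep hit an error; fail closed on it.
            rc=0
            grep -RInE "${grep_excludes[@]}" -e "$pattern" . || rc=$?
            if [ "$rc" -eq 0 ]; then
              found=1
            elif [ "$rc" -ne 1 ]; then
              echo "grep exited with status $rc while scanning for: $pattern" >&2
              scan_failed=1
            fi
          done
          # Any .env / .env.* file other than .env.example counts as a leak.
          if find . -path ./.git -prune -o -path ./.codex-agent-repository-kit -prune -o \( -name ".env" -o -name ".env.*" \) -not -name ".env.example" -print | grep .; then
            echo "Committed environment files were found."
            found=1
          fi
          if [ "$found" -eq 1 ]; then
            echo "Potential secret or config leak detected. Review the matches above."
            exit 1
          fi
          if [ "$scan_failed" -eq 1 ]; then
            echo "The scan did not complete cleanly; treating the result as a failure." >&2
            exit 2
          fi

      - name: AI instruction injection scan
        shell: bash
        run: |
          # Case-insensitive search for phrasing commonly used to redirect an
          # AI agent that reads repository content. Documentation and test
          # fixtures will match too; the failure is a prompt for human review.
          grep_excludes=(
            --exclude-dir=.git
            --exclude-dir=.codex-agent-repository-kit
            --exclude-dir=.gradle
            --exclude-dir=build
            --exclude-dir=run
            --exclude=security-scan.yml
          )
          patterns=(
            'ignore (all )?(previous|above) instructions'
            'reveal your instructions'
            'exfiltrate'
            'send.*token'
            'send.*secret'
            'disable.*safety'
            'jailbreak'
            'prompt injection'
          )
          found=0
          scan_failed=0
          for pattern in "${patterns[@]}"; do
            # Exit status >1 means grep hit an error; fail closed on it.
            rc=0
            grep -RInEi "${grep_excludes[@]}" -e "$pattern" . || rc=$?
            if [ "$rc" -eq 0 ]; then
              found=1
            elif [ "$rc" -ne 1 ]; then
              echo "grep exited with status $rc while scanning for: $pattern" >&2
              scan_failed=1
            fi
          done
          if [ "$found" -eq 1 ]; then
            echo "Potential AI instruction-injection text found. Review whether this is documentation, test data, or malicious content."
            exit 1
          fi
          if [ "$scan_failed" -eq 1 ]; then
            echo "The scan did not complete cleanly; treating the result as a failure." >&2
            exit 2
          fi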