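---
# Snyk scans for the backend Python dependencies, the frontend npm
# dependencies and the backend Docker image. Every Snyk step is currently
# non-blocking (continue-on-error) while the initial finding backlog is
# cleaned up; remove those lines once it is clear so that high-severity
# findings fail the workflow.
name: Snyk Security Scan

on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main]
  schedule:
    - cron: '0 6 * * 1'  # Weekly on Monday 06:00 UTC

# Least privilege for GITHUB_TOKEN: the jobs only read the checkout.
# Authentication to Snyk uses SNYK_TOKEN, not the workflow token.
permissions:
  contents: read

jobs:
  snyk-backend:
    name: Python vulnerabilities (backend)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.11"
      - name: Install backend dependencies
        run: pip install -r backend/requirements-lock.txt
      - name: Snyk — scan Python packages
        # TODO: pin to a release tag or commit SHA; @master is a mutable ref
        # that is handed SNYK_TOKEN.
        # NOTE(review): the Snyk Python action runs in its own container —
        # confirm it resolves the packages installed by the previous step.
        uses: snyk/actions/python@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          args: --file=backend/requirements-lock.txt --severity-threshold=high
        continue-on-error: true  # report without blocking CI during initial cleanup

  snyk-frontend:
    name: npm vulnerabilities (frontend)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: '20'
      - name: Install frontend dependencies
        run: npm ci
        working-directory: frontend
      - name: Snyk — scan npm packages
        # TODO: pin to a release tag or commit SHA (mutable ref, receives SNYK_TOKEN).
        uses: snyk/actions/node@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          args: --file=frontend/package.json --severity-threshold=high
        continue-on-error: true  # report without blocking CI during initial cleanup

  snyk-docker-backend:
    name: Docker image vulnerabilities (backend)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Build backend image for scanning
        # The image is built locally and never pushed; the tag only exists
        # for the scan step below.
        run: docker build -t aegis-backend:scan backend/
      - name: Snyk — scan Docker image
        # TODO: pin to a release tag or commit SHA (mutable ref, receives SNYK_TOKEN).
        uses: snyk/actions/docker@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          image: aegis-backend:scan
          args: --severity-threshold=high
        continue-on-error: true  # report without blocking CI during initial cleanup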