From 570c7670bf24052af553c55d4f0c00115c529097 Mon Sep 17 00:00:00 2001
From: Kusari Security Scanner
Date: Tue, 22 Apr 2025 21:44:37 +0000
Subject: [PATCH] Add Kusari security scan workflow

---
 .github/workflows/security-scan.yml | 44 +++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)
 create mode 100644 .github/workflows/security-scan.yml

diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml
new file mode 100644
index 0000000..30672e6
--- /dev/null
+++ b/.github/workflows/security-scan.yml
@@ -0,0 +1,44 @@
+name: Kusari Security Scan
+
+on:
+  # Run on pull requests
+  pull_request:
+    types: [opened, synchronize, reopened]
+
+  # Run when triggered via API
+  workflow_dispatch:
+    inputs:
+      pr_number:
+        description: 'Pull request number'
+        required: false
+      sha:
+        description: 'Commit SHA to analyze'
+        required: false
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  security-scan:
+    name: Run Security Scan
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          # If triggered by workflow_dispatch with a SHA, use that SHA
+          ref: ${{ github.event.inputs.sha || github.sha }}
+
+      - name: Run Security Scanner
+        uses: Kusari-Sandbox/kusari-security-data@v1.0.0-beta1
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Upload scan results as artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: security-scan-results
+          path: security-scan-results.json
+          retention-days: 3
\ No newline at end of file
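Review bot: The scanner step `uses: Kusari-Sandbox/kusari-security-data@v1.0.0-beta1` pins a third-party action to a mutable tag, so whoever can move that tag controls the code that runs with this workflow's token; pin it to the full commit SHA and keep the tag as a comment, e.g. `uses: Kusari-Sandbox/kusari-security-data@<full-commit-sha>  # v1.0.0-beta1`, and apply the same to `actions/checkout@v4` and `actions/upload-artifact@v4`. That action also receives `secrets.GITHUB_TOKEN` under `pull-requests: write`, which is presumably what lets it comment on the PR — if it only needs to read the diff, `pull-requests: read` limits what a compromised release of the action could do (on `pull_request` runs from forks the token is read-only regardless, so the write scope only matters for same-repo PRs and `workflow_dispatch`). The `pr_number` input declared under `workflow_dispatch` is never referenced in the job, so either pass it to the scanner or remove it to avoid implying it has an effect. The file also ends without a trailing newline.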