Merge branch 'main' into fix/udeml

.github/workflows/security-scan.yml

@@ -3,20 +3,28 @@ name: Security Scan
 on:
   pull_request:
     types: [opened, synchronize, reopened]
+    branches: [main]
 
+# Set permissions at workflow level for GITHUB_TOKEN
 permissions:
-  contents: write        # Changed from read hi
+  contents: read
   pull-requests: write
   issues: write
   checks: write
   actions: write        # Added
   security-events: write # Added
   discussions: write    # Added sssadsada
-  statuses: write       # Added
+  statuses: write
+
 
 jobs:
   security-scan:
     runs-on: ubuntu-latest
+    if: |
+      github.event_name == 'pull_request' && 
+      (github.event.pull_request.head.repo.full_name == github.repository || 
+       github.event.pull_request.head.repo.fork)
+  
     steps:
       - uses: actions/checkout@v4
 
@@ -29,7 +37,7 @@ jobs:
         uses: actions/cache@v4
         with:
           path: ~/.cache/pip
-          key: ${{ runner.os }}-pip-${{ hashFiles('**/requirements.txt') }}
+          key: ${{ runner.os }}-pip-${{ hashFiles('/requirements.txt') }}
           restore-keys: |
             ${{ runner.os }}-pip-
 
@@ -102,7 +110,10 @@ jobs:
                   else:
                       logging.info(f"Vulnerability added: {category} at line {line_number}")
 
-              def check_high_risk_sql_injection(self):
+              def check_high_risk_sq
+
+
+              l_injection(self):
                   sql_patterns = [
                       r"(?i)(?:execute|cursor\.execute)\s*\(.*?f[\"''].*?\{.*?\}.*?[\"''].*?\)",
                       r"(?i)(?:execute|cursor\.execute)\s*\(.*?\+.*?\)",
@@ -175,6 +186,7 @@ jobs:
                                   "HIGH"
                               )
 
+
               def check_dangerous_deserialization(self):
                   dangerous_patterns = [
                       (r"pickle\.loads?\(.*?\)", "Unsafe pickle deserialization"),
@@ -255,7 +267,7 @@ jobs:
                       logging.error(f"An error occurred during analysis: {str(e)}")
                       raise
 
-              def generate_report(self):
+             def generate_report(self):
                   report = f"\n🔒 Security Scan Results for {self.file_path} 🔒\n"
                   report += "=" * 50 + "\n"
                   report += f"Lines of Code Analyzed: {len(self.code_lines)}\n\n"
@@ -333,40 +345,27 @@ jobs:
           path: security-scan-results.txt
           retention-days: 90
 
+
       - name: Comment PR
-        uses: actions/github-script@v7
         if: always()
-        with:
-          github-token: ${{ secrets.PAT_TOKEN }}
-          script: |
-            const fs = require('fs')
-            let comment = '## Security Scan Results\n\n'
-            
-            if ('${{ steps.check_results.outputs.file_exists }}' === 'true') {
-              const scanResults = fs.readFileSync('security-scan-results.txt', 'utf8')
-              comment += '```\n' + scanResults + '\n```\n\n'
-              
-              if ('${{ steps.check_results.outputs.vulnerabilities_found }}' === 'true') {
-                comment += '⛔ **Critical vulnerabilities detected. Please review and address these security issues before merging.**\n\n'
-                comment += '### Next Steps:\n'
-                comment += '1. Review each critical finding above and fix them according to OWASP top 10 mitigations.\n'
-              } else {
-                comment += '✅ **No critical security issues detected.**\n\n'
-                comment += 'The code has passed all critical security checks.'
-              }
-            } else {
-              comment += '⚠️ **Error: The security scan failed to complete. Please review the workflow logs for more information.**'
-            }
-            
-            await github.rest.issues.createComment({
-              issue_number: context.issue.number,
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              body: comment
-            })
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          if [ -f security-scan-results.txt ]; then
+            SCAN_RESULTS=$(cat security-scan-results.txt)
+            if grep -q "Critical Security Issues!" security-scan-results.txt; then
+              COMMENT="## Security Scan Results\n\n\`\`\`\n${SCAN_RESULTS}\n\`\`\`\n\n⛔️ **Critical vulnerabilities detected. Please review and address these security issues before merging.**\n\n### Next Steps:\n1. Review each critical finding above and fix them according to OWASP top 10 mitigations.\n"
+            else
+              COMMENT="## Security Scan Results\n\n\`\`\`\n${SCAN_RESULTS}\n\`\`\`\n\n✅ **No critical security issues detected.**\n\nThe code has passed all critical security checks."
+            fi
+          else
+            COMMENT="## Security Scan Results\n\n⚠️ **Error: The security scan failed to complete. Please review the workflow logs for more information.**"
+          fi
+          
+          gh pr comment ${{ github.event.pull_request.number }} --body "$COMMENT"
 
       - name: Fail if critical vulnerabilities found
         if: steps.check_results.outputs.vulnerabilities_found == 'true'
         run: |
           echo "::error::Critical security vulnerabilities were detected. Please review the findings and address them before merging."
-          exit 1
+          exit 1