From bd6188ca2721f2b0f0a7fbc04d46b445c1ff3950 Mon Sep 17 00:00:00 2001
From: mage-os-ci
Date: Mon, 30 Dec 2024 10:06:40 +0000
Subject: [PATCH] Add Sansec eComscan workflow
---
.github/workflows/sansec-ecomscan.yml | 38 +++++++++++++++++++++++++++
1 file changed, 38 insertions(+)
create mode 100644 .github/workflows/sansec-ecomscan.yml
diff --git a/.github/workflows/sansec-ecomscan.yml b/.github/workflows/sansec-ecomscan.yml
new file mode 100644
index 0000000000..ac420982cd
--- /dev/null
+++ b/.github/workflows/sansec-ecomscan.yml
@@ -0,0 +1,38 @@
+name: Sansec eComscan Security Scan
+
+on:
+ push:
+ pull_request_target:
+ workflow_dispatch:
+
+jobs:
+ run-ecomscan:
+ name: Run Sansec eComscan
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ pull-requests: read
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+ persist-credentials: false
+
+ - name: Download eComscan
+ run: wget https://ecomscan.com/downloads/linux-amd64/ecomscan
+
+ - name: Fix permissions
+ run: chmod +x ecomscan
+
+ - name: Run eComscan
+ env:
+ ECOMSCAN_KEY: ${{ secrets.SANSEC_LICENSE_KEY }}
+ run: |
+ output=$$(./ecomscan --no-auto-update --skip-database --deep --format=csv .)
+ if [ -n "$$output" ]; then
+ echo "Security issues found:"
+ echo "$$output"
+ exit 1
+ fi
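Review bot: On `pull_request_target` the job checks out the pull request's head commit into the workspace and then downloads, marks executable and runs `./ecomscan` from that same directory with `SANSEC_LICENSE_KEY` in the environment, so the file that runs is not guaranteed to be the downloaded one: `wget` without `-O` does not overwrite a same-named file the checkout already placed there. The scanner should be downloaded to a path outside the checkout, such as `$RUNNER_TEMP`, and invoked by that absolute path; the download is also fetched without any integrity check on every run, so verifying it against a vendor-published checksum, if one exists, would be worth adding. Separately, `$$(` and `"$$output"` in the last step look like escaping left over from a template: as committed, bash expands `$$` to the shell's PID, so the scan output is not captured as intended and the `-n` test cannot be false. That last point is hedged, since the file may be post-processed before it reaches the repository.

```yaml
      # … unchanged: checkout step …

      - name: Download eComscan
        run: |
          wget -O "$RUNNER_TEMP/ecomscan" https://ecomscan.com/downloads/linux-amd64/ecomscan
          chmod +x "$RUNNER_TEMP/ecomscan"

      - name: Run eComscan
        env:
          ECOMSCAN_KEY: ${{ secrets.SANSEC_LICENSE_KEY }}
        run: |
          output=$("$RUNNER_TEMP/ecomscan" --no-auto-update --skip-database --deep --format=csv .)
          if [ -n "$output" ]; then
            echo "Security issues found:"
            echo "$output"
            exit 1
          fi
```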