# llm-security — GitHub Actions workflow
# Deterministic security scanning for AI/LLM projects.
# No LLM calls. No data leaves your pipeline. Fully Schrems II compatible.
#
# See docs/ci-cd-guide.md for configuration options and detailed setup.
#
# Alternative (without npx): replace the scan step with:
#   run: node bin/llm-security.mjs scan . --fail-on high --format sarif --output-file results.sarif

name: LLM Security Scan

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

jobs:
  security-scan:
    runs-on: ubuntu-latest
    permissions:
      security-events: write  # Required for SARIF upload
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: '18'

      - name: Run llm-security scan
        run: npx llm-security scan . --fail-on high --format sarif --output-file results.sarif

      - name: Upload SARIF to GitHub Advanced Security
        uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: results.sarif

# Configuration:
#   --fail-on <critical|high|medium|low>  Exit 1 if findings at or above severity
#   --compact                              One-liner per finding (reduced log noise)
#   --format sarif                         OASIS SARIF 2.1.0 output
#   --output-file <path>                   Write full results to file
#   --baseline                             Diff against stored baseline
#
# Or configure via .llm-security/policy.json:
#   { "ci": { "failOn": "high", "compact": true } }