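# Security scan workflow: delegates all scanning to a shared reusable workflow.
name: Security

# Runs on pushes and pull requests targeting main, plus a weekly scheduled
# run so the scan also executes when the code itself has not changed.
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    - cron: '0 4 * * 1'  # Mondays 04:00 UTC

# Reusable workflow lives in JonKazama-Hellion/security-workflows.
# It runs Semgrep SAST + Trivy filesystem scan in parallel.
# Inputs (all optional): severity, semgrep-config, semgrep-exclude-rules.
jobs:
  scan:
    # NOTE(security): `@main` is a mutable ref. Whatever is on that branch of
    # the security-workflows repository at run time is what executes in this
    # repository's CI, without any change being reviewed here. Prefer pinning
    # to a reviewed tag or full commit SHA (e.g. `...security-scan.yml@<full-commit-sha>`)
    # and bumping it deliberately.
    uses: JonKazama-Hellion/security-workflows/.gitea/workflows/security-scan.yml@main
    # Example overrides if you need them.
    # NOTE(review): both examples reduce what the scan reports. Raising
    # `severity` presumably hides lower-severity findings (confirm against the
    # reusable workflow), and `semgrep-exclude-rules` switches off the named
    # rule, here a C# SQL-injection check. Record the justification next to
    # any override you enable.
    # with:
    #   severity: 'CRITICAL'
    #   semgrep-exclude-rules: 'csharp.lang.security.sqli.csharp-sqli'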