---
# Gitea Actions workflow: runs the shared security-scan reusable workflow
# on pushes to main/master, on every pull request, on a weekly schedule,
# and on demand.
name: Security

on:
  push:
    branches:
      - main
      - master
  pull_request:
  schedule:
    # Weekly, Mondays at 06:00 on the scheduler's clock (typically UTC).
    # The periodic run picks up newly published rule updates even when
    # the repo itself is idle.
    - cron: '0 6 * * 1'
  workflow_dispatch:

jobs:
  scan:
    # The reusable workflow is referenced by a mutable branch ref
    # (`@main`), so any change pushed to that branch is picked up by the
    # next run here without a change in this repo. Pinning to a
    # full-length commit SHA (`...security-scan.yml@<commit-sha>`) and
    # bumping it deliberately keeps the scan definition reviewable in
    # this repo's own history.
    uses: JonKazama-Hellion/security-workflows/.gitea/workflows/security-scan.yml@main
    with:
      # Suppresses the Semgrep C# SQL-injection rule for this repo only.
      #
      # Rationale (author): MessageStore.cs builds CommandText with
      # string interpolation, but only for table names and clause joins
      # that come from internal code constants, never from user input.
      # Values are bound via SqlParameter, and the SQL surface is
      # local-only inside a Dalamud plugin. Semgrep matches the textual
      # pattern without dataflow and therefore flags those eight call
      # sites; CodeQL would not.
      #
      # Trade-off: a repo-wide exclusion also silences the rule for any
      # future call site, not just the eight reviewed ones. Per-line
      # `// nosemgrep: csharp.lang.security.sqli.csharp-sqli.csharp-sqli`
      # annotations at those sites would keep the rule live for new
      # code. Revisit if the interpolated fragments ever stop being
      # compile-time constants.
      semgrep-exclude-rules: 'csharp.lang.security.sqli.csharp-sqli.csharp-sqli'