Security Analysis #6

	name: Security Analysis

	on:
	push:
	branches: [ main ]
	paths:
	- '**.php'
	- 'composer.json'
	- 'composer.lock'
	pull_request:
	branches: [ main ]
	paths:
	- '**.php'
	- 'composer.json'
	- 'composer.lock'
	schedule:
	- cron: '0 0 * * 0' # Weekly on Sunday

	jobs:
	security:
	name: Security Checks
	runs-on: ubuntu-latest

	steps:
	- name: Checkout code
	uses: actions/checkout@v3

	- name: Setup PHP
	uses: shivammathur/setup-php@v2
	with:
	php-version: '8.2'
	extensions: json, mbstring
	tools: composer:v2

	- name: Install dependencies
	run: composer install --prefer-dist --no-interaction

	- name: PHP Security Checker
	uses: symfonycorp/security-checker-action@v5

	- name: Run PHPCS Security Audit
	run: \|
	composer require --dev pheromone/phpcs-security-audit
	vendor/bin/phpcs --standard=Security src/

	- name: Check for JSON Injection vulnerabilities
	run: \|
	find src -type f -name "*.php" -exec php -l {} \; \| grep -i "json_decode\\|json_encode"
	vendor/bin/phpstan analyse src --level=max --configuration=phpstan.neon

	- name: Run Psalm Security Analysis
	run: \|
	vendor/bin/psalm --taint-analysis
	vendor/bin/psalm --security-analysis

	- name: Run SARIF Security Analysis
	uses: github/codeql-action/analyze@v2
	with:
	category: "/language:php"

	- name: Upload SARIF results
	uses: github/codeql-action/upload-sarif@v2
	with:
	sarif_file: results.sarif

Provide feedback