MerginMaps · DanChov · Mar 6, 2026 · Mar 6, 2026 · Mar 6, 2026
diff --git a/.github/workflows/security_check.yml b/.github/workflows/security_check.yml
@@ -0,0 +1,42 @@
+name: Python-api QA (Security & Style)
+
+# Trigger the workflow on every push
+on: [push]
+
+jobs:
+  quality-assurance:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v4
+        with:
+          python-version: '3.9'
+
+      - name: Install dependencies
+        run: |
+          # Upgrade pip and install security/linting tools
+          python -m pip install --upgrade pip
+          pip install bandit detect-secrets
+
+      # - name: Install dependencies
+      #   run: |
+      #     # Upgrade pip and install security/linting tools
+      #     python -m pip install --upgrade pip
+      #     pip install bandit detect-secrets flake8 flake8-json
+
+      - name: Run Bandit (Security Scan)
+        # Scan the mergin folder for vulnerabilities, excluding the test directory
+        run: bandit -r ./mergin/ -ll --exclude ./mergin/test
+
+      - name: Run Detect Secrets
+        # Scan the plugin directory for hardcoded secrets/credentials
+        run: detect-secrets scan ./mergin/ --all-files
+
+      # - name: Run Flake8 (Style Check)
+      #   # Style enforcement using MerginMaps standards
+      #   # Ignoring E501 (line length) and W503 (operator line breaks)
+      #   run: |
+      #     flake8 ./mergin/ --max-line-length=120 --ignore=E501,W503 --exclude=test