From b0efcfe242296a6ac08d5560b0039d021aec0cbe Mon Sep 17 00:00:00 2001
From: Daniel Sanz <13658011+sdn4z@users.noreply.github.com>
Date: Fri, 7 Nov 2025 10:17:06 +0100
Subject: [PATCH] ci: periodically run OSV scanner

---
 .github/workflows/security.yml | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index 7b034cc..5749945 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -1,5 +1,3 @@
-# This workflow will run security checks against our project
-
 name: Security
 
 on:
@@ -7,11 +5,13 @@ on:
     branches: ["main"]
   pull_request:
     branches: ["main"]
+  schedule:
+    - cron: "0 0 * * 1" # every Monday at 00:00 UTC
 
 jobs:
   osv-scanner:
-    runs-on: ubuntu-latest
     if: "!startsWith(github.event.head_commit.message, 'bump:')"
+    runs-on: ubuntu-latest
     container:
       image: ghcr.io/google/osv-scanner:v2.1.0@sha256:9a1ba57d2a1506c9e9d0dfbeaf46346507e829745b70d47d77e12c38e66de8d7
     steps:
@@ -19,9 +19,10 @@ jobs:
       - name: Run OSV Scanner
         run: |
           /osv-scanner --format table -r .
+
   semgrep:
+    if: github.event_name != 'schedule' && !startsWith(github.event.head_commit.message, 'bump:')
     runs-on: ubuntu-latest
-    if: "!startsWith(github.event.head_commit.message, 'bump:')"
     container:
       image: returntocorp/semgrep:1.128.1@sha256:144d315f7354c2b2c53021a76165a500f67252c47464be75e951b67050f54a9e
     steps:
@@ -29,12 +30,13 @@ jobs:
       - name: Run Semgrep
         run: |
           semgrep scan --config auto
+
   twyn:
+    if: github.event_name != 'schedule' && !startsWith(github.event.head_commit.message, 'bump:')
     runs-on: ubuntu-latest
-    if: "!startsWith(github.event.head_commit.message, 'bump:')"
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-
+
       - name: Install uv
         uses: astral-sh/setup-uv@85856786d1ce8acfbcc2f13a5f3fbd6b938f9f41 # v7.1.2
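Review bot: The `osv-scanner` job keeps `if: "!startsWith(github.event.head_commit.message, 'bump:')"` unchanged under the new `schedule` trigger, so it runs on the weekly cron only because `github.event.head_commit` is absent on schedule events and the `startsWith` call then yields false. That works, but the intent is invisible, and the sibling jobs in this same commit spell out their schedule handling explicitly. Suggest making it explicit here too: `if: "github.event_name == 'schedule' || !startsWith(github.event.head_commit.message, 'bump:')"`. Scheduled runs execute against the default branch and their findings presumably surface only in the Actions run log unless something reports them, which may be worth a comment next to the cron line if that is the intended consumption path.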
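Review bot: The new `if:` on `semgrep` is written as an unquoted plain scalar while the `osv-scanner` job in the same file keeps the quoted form; both parse correctly here because the value begins with `github`, but a plain scalar that begins with `!` is read as a YAML tag, so the quoted form is the safer convention to keep file-wide. Suggest `if: "github.event_name != 'schedule' && !startsWith(github.event.head_commit.message, 'bump:')"`. The same applies to the `twyn` job in the following hunk, whose end lies outside this excerpt.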