From 06d40fdbc8bea03bb40fc7fce36bb85201a36882 Mon Sep 17 00:00:00 2001
From: Toutsu
Date: Tue, 12 May 2026 12:45:36 +0300
Subject: [PATCH] ci: add deep SAST via SecurityCodeScan Roslyn analyzer
- SecurityCodeScan.VS2019 5.6.7 injected into Directory.Build.props scans all C# source during every dotnet build
- HIGH/CRITICAL findings fail the build because TreatWarningsAsErrors=true
- No extra CI step needed: analyzer runs inside every build job automatically
Co-Authored-By: Claude Opus 4.7
---
 .gitea/workflows/pr-checks.yml | 6 +++---
 Directory.Build.props | 4 ++++
 2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/.gitea/workflows/pr-checks.yml b/.gitea/workflows/pr-checks.yml
index 8613723..af8671d 100644
--- a/.gitea/workflows/pr-checks.yml
+++ b/.gitea/workflows/pr-checks.yml
@@ -39,13 +39,13 @@ jobs:
 - name: Restore dependencies
 run: dotnet restore
- - name: Build Shared
+ - name: Build Shared (includes SAST via SecurityCodeScan)
 run: dotnet build src/GmRelay.Shared/GmRelay.Shared.csproj --no-restore
- - name: Build Bot (compile check)
+ - name: Build Bot (compile check, includes SAST)
 run: dotnet build src/GmRelay.Bot/GmRelay.Bot.csproj --no-restore
- - name: Build Web (compile check)
+ - name: Build Web (compile check, includes SAST)
 run: dotnet build src/GmRelay.Web/GmRelay.Web.csproj --no-restore
 - name: Run tests
diff --git a/Directory.Build.props b/Directory.Build.props
index 385424b..abbd5a4 100644
--- a/Directory.Build.props
+++ b/Directory.Build.props
@@ -7,4 +7,8 @@ enable true + + + +
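Review bot: The four added lines in the Directory.Build.props hunk arrive with their content stripped in this rendering, so the PackageReference itself cannot be checked here; per the commit message it pins SecurityCodeScan.VS2019 5.6.7. An analyzer reference should carry `PrivateAssets="all"` so it does not flow to consumers of GmRelay.Shared as a transitive dependency, and if the added element lacks it, `<PackageReference Include="SecurityCodeScan.VS2019" Version="5.6.7" PrivateAssets="all" />` is the form I would expect. The build-failing guarantee in the commit message rests on TreatWarningsAsErrors being unconditionally true in this file (the `true` context line is presumably that setting); if it is scoped to a configuration, the Debug builds in pr-checks.yml would only report findings, and adding `-warnaserror` to those `dotnet build` invocations would make the gate explicit in the workflow rather than implicit in the props. SecurityCodeScan emits its findings as compiler warnings rather than HIGH/CRITICAL severities as far as I can tell, so what fails the build is any SCS diagnostic, which is worth stating accurately in a comment above the reference along with a note that removing either the package or TreatWarningsAsErrors silently disables the scan.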