From 69456c1b32681806612579b286289e8d2cc06234 Mon Sep 17 00:00:00 2001
From: Jake Bapple
Date: Tue, 31 Mar 2026 09:51:12 -0500
Subject: [PATCH] Add GitHub Actions workflow for private security scan
---
 .github/workflows/scan-private-repo.yml | 69 +++++++++++++++++++++++++
 1 file changed, 69 insertions(+)
 create mode 100644 .github/workflows/scan-private-repo.yml
diff --git a/.github/workflows/scan-private-repo.yml b/.github/workflows/scan-private-repo.yml
new file mode 100644
index 00000000..31bba4ea
--- /dev/null
+++ b/.github/workflows/scan-private-repo.yml
@@ -0,0 +1,69 @@
+name: Private Security Scan
+
+# Epyon private-repo scanner entrypoint.
+# This workflow delegates execution to the local reusable workflow.
+
+permissions:
+ contents: read
+
+concurrency:
+ group: epyon-scan-${{ github.repository }}
+ cancel-in-progress: false
+
+on:
+ schedule:
+ # Nightly run at 2 AM UTC
+ - cron: "0 2 * * *"
+ # checkov:skip=CKV_GHA_7:Workflow inputs control scan parameters not build artifacts
+ workflow_dispatch:
+ inputs:
+ subdirectory:
+ description: "Optional: Subdirectory path to scan (e.g., apps/api)"
+ required: false
+ type: string
+ scan_mode:
+ description: "Scan mode (quick/full/nightly/baseline)"
+ required: false
+ default: "full"
+ type: choice
+ options:
+ - quick
+ - full
+ - nightly
+ - baseline
+ garak_target_type:
+ description: "Garak generator type (e.g. test, openai, huggingface)"
+ required: false
+ default: "openai"
+ type: string
+ garak_target_name:
+ description: "Garak target model name (e.g. gpt-4o-mini)"
+ required: false
+ default: "gpt-4o-mini"
+ type: string
+ garak_probes:
+ description: "Garak probe set (comma-separated, e.g. promptinject,dan,encoding)"
+ required: false
+ default: "promptinject"
+ type: string
+
+env:
+ FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
+
+jobs:
+ security-scan-main:
+ if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
+ permissions:
+ contents: read
+ actions: read
+ pull-requests: write
+ security-events: write
+ issues: write
+ uses: MetroStar/epyon/.github/workflows/epyon-scan.yml@main
+ with:
+ scan_mode: ${{ github.event_name == 'schedule' && 'nightly' || github.event.inputs.scan_mode || 'full' }}
+ subdirectory: ${{ github.event.inputs.subdirectory || '' }}
+ garak_target_type: ${{ github.event.inputs.garak_target_type || 'openai' }}
+ garak_target_name: ${{ github.event.inputs.garak_target_name || 'gpt-4o-mini' }}
+ garak_probes: ${{ github.event.inputs.garak_probes || 'promptinject' }}
+ secrets: inherit
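Review bot: The `uses:` line of the security-scan-main job references the reusable workflow by the mutable ref `@main` while handing it `secrets: inherit` plus `pull-requests`, `security-events` and `issues` write permissions, so whoever can push to that branch decides what runs with this repository's secrets; the header comment also says it delegates to the "local" reusable workflow, which does not match a cross-repository `owner/repo/...@ref` reference. If this file lives in the epyon repository itself, `uses: ./.github/workflows/epyon-scan.yml` keeps caller and callee at the same commit; if it is meant to be copied into private repositories, pin to a full commit SHA, e.g. `uses: MetroStar/epyon/.github/workflows/epyon-scan.yml@<full-commit-sha>  # <tag the SHA corresponds to>`, and prefer passing only the individual secrets the callee needs over `secrets: inherit`. Separately, a workflow-level `env:` such as `FORCE_JAVASCRIPT_ACTIONS_TO_NODE24` is, as far as I know, not propagated from a caller into a called reusable workflow, so with a `uses:` job it has no effect here and belongs in epyon-scan.yml instead. The `if:` condition is redundant with the two triggers declared under `on:` and could be dropped.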