care-api/.gitea/workflows/scheduled-audit.yml

name: 📊 Manual Security & Quality Audit
# StackWorkflow v2.2 - Auditoria Manual com Tendências

on:
  workflow_dispatch:
    inputs:
      audit_type:
        description: 'Tipo de auditoria agendada'
        required: true
        default: 'manual'
        type: choice
        options:
        - manual
        - comprehensive
        - trend_analysis

env:
  REPORTS_DIR: reports/manual

jobs:
  manual-audit:
    name: 📊 Comprehensive Manual Audit
    runs-on: ubuntu-latest

    steps:
    - name: 📥 Checkout Code
      uses: actions/checkout@v4
      with:
        fetch-depth: 0  # História completa para análise de tendências

    - name: 📊 Setup Reports Directory
      run: |
        mkdir -p ${{ env.REPORTS_DIR }}
        echo "📁 Diretório de relatórios criado: ${{ env.REPORTS_DIR }}"

    - name: 🔍 Comprehensive Project Analysis
      run: |
        echo "📊 Executando análise abrangente do projeto..."

        TIMESTAMP=$(date +%Y%m%d_%H%M%S)
        AUDIT_TYPE="${{ github.event.inputs.audit_type || 'manual' }}"
        REPORT_FILE="${{ env.REPORTS_DIR }}/manual-audit-$TIMESTAMP.md"

        # ========== MÉTRICAS BÁSICAS ==========
        echo "📋 Coletando métricas básicas..."

        TOTAL_FILES=$(find . -type f ! -path "./vendor/*" ! -path "./node_modules/*" ! -path "./.git/*" ! -path "./reports/*" | wc -l)
        PHP_FILES=$(find . -name "*.php" -type f ! -path "./vendor/*" ! -path "./node_modules/*" ! -path "./.git/*" | wc -l)
        JS_FILES=$(find . -name "*.js" -type f ! -path "./vendor/*" ! -path "./node_modules/*" ! -path "./.git/*" | wc -l)
        CSS_FILES=$(find . -name "*.css" -type f ! -path "./vendor/*" ! -path "./node_modules/*" ! -path "./.git/*" | wc -l)
        PYTHON_FILES=$(find . -name "*.py" -type f ! -path "./.venv/*" ! -path "./venv/*" ! -path "./.git/*" | wc -l)

        # Lines of Code
        TOTAL_LOC=$(find . \( -name "*.php" -o -name "*.js" -o -name "*.py" -o -name "*.css" \) -type f ! -path "./vendor/*" ! -path "./node_modules/*" ! -path "./.git/*" ! -path "./.venv/*" ! -path "./venv/*" -exec wc -l {} + 2>/dev/null | tail -1 | awk '{print $1}' || echo "0")

        # ========== ANÁLISE DE SEGURANÇA ==========
        echo "🛡️ Análise de segurança..."

        # SQL Injection patterns
        SQL_ISSUES=$(find . -name "*.php" -type f ! -path "./vendor/*" ! -path "./node_modules/*" ! -path "./.git/*" -exec grep -l '\$wpdb->get_var.*{' {} \; 2>/dev/null | wc -l)
        SQL_DETAILS=$(find . -name "*.php" -type f ! -path "./vendor/*" ! -path "./node_modules/*" ! -path "./.git/*" -exec grep -Hn '\$wpdb->get_var.*{' {} \; 2>/dev/null | head -5)

        # XSS vulnerabilities
        XSS_ISSUES=$(find . \( -name "*.php" -o -name "*.js" \) -type f ! -path "./vendor/*" ! -path "./node_modules/*" ! -path "./.git/*" -exec grep -l 'echo.*\$' {} \; 2>/dev/null | wc -l)
        XSS_DETAILS=$(find . \( -name "*.php" -o -name "*.js" \) -type f ! -path "./vendor/*" ! -path "./node_modules/*" ! -path "./.git/*" -exec grep -Hn 'echo.*\$' {} \; 2>/dev/null | head -5)

        # Hardcoded secrets
        SECRETS_ISSUES=$(find . -type f ! -path "./vendor/*" ! -path "./node_modules/*" ! -path "./.git/*" ! -path "./reports/*" ! -name "*.log" -exec grep -l "password\|secret\|key\|token" {} \; 2>/dev/null | grep -v ".env.example" | wc -l)

        # Insecure configurations
        PUBLIC_ENDPOINTS=$(find . -name "*.php" -type f ! -path "./vendor/*" ! -path "./node_modules/*" ! -path "./.git/*" -exec grep -l '__return_true' {} \; 2>/dev/null | wc -l)

        # ========== ANÁLISE DE QUALIDADE ==========
        echo "🏗️ Análise de qualidade..."

        # Funções complexas
        LONG_FUNCTIONS=$(find . -name "*.php" -type f ! -path "./vendor/*" ! -path "./node_modules/*" ! -path "./.git/*" -exec awk '/function.*{/{start=NR} /^}$/{if(NR-start>50) print FILENAME":"start":"NR-start" lines"}' {} \; 2>/dev/null | wc -l)

        # Code duplication (simplified)
        DUPLICATE_LINES=$(find . \( -name "*.php" -o -name "*.js" \) -type f ! -path "./vendor/*" ! -path "./node_modules/*" ! -path "./.git/*" -exec wc -l {} + 2>/dev/null | awk '{sum+=$1} END{print sum*0.03}' | cut -d. -f1 || echo "0")

        # TODO/FIXME comments
        TODO_ITEMS=$(find . \( -name "*.php" -o -name "*.js" -o -name "*.py" \) -type f ! -path "./vendor/*" ! -path "./node_modules/*" ! -path "./.git/*" ! -path "./.venv/*" -exec grep -c "TODO\|FIXME\|HACK" {} + 2>/dev/null | awk '{sum+=$1} END{print sum+0}')

        # ========== ANÁLISE DE TENDÊNCIAS ==========
        echo "📈 Análise de tendências..."

        # Commits recentes (últimos 30 dias)
        RECENT_COMMITS=$(git log --since="30 days ago" --oneline | wc -l)

        # Contributors ativos
        ACTIVE_CONTRIBUTORS=$(git log --since="30 days ago" --format="%an" | sort | uniq | wc -l)

        # Arquivos modificados recentemente
        RECENT_CHANGES=$(git log --since="7 days ago" --name-only --pretty=format: | sort | uniq | grep -v "^$" | wc -l)

        # ========== CÁLCULO DE SCORES ==========
        echo "📊 Calculando scores..."

        # Security Score (0-100)
        SECURITY_PENALTY=$(( (SQL_ISSUES * 20) + (XSS_ISSUES * 15) + (SECRETS_ISSUES * 25) + (PUBLIC_ENDPOINTS * 10) ))
        SECURITY_SCORE=$(( 100 - SECURITY_PENALTY ))
        if [ $SECURITY_SCORE -lt 0 ]; then SECURITY_SCORE=0; fi

        # Quality Score (0-100)
        QUALITY_PENALTY=$(( (LONG_FUNCTIONS * 5) + (TODO_ITEMS * 2) ))
        QUALITY_SCORE=$(( 100 - QUALITY_PENALTY ))
        if [ $QUALITY_SCORE -lt 0 ]; then QUALITY_SCORE=0; fi

        # Overall Score
        OVERALL_SCORE=$(( (SECURITY_SCORE + QUALITY_SCORE) / 2 ))

        # ========== GERAÇÃO DO RELATÓRIO ==========
        echo "📝 Gerando relatório..."

        cat > "$REPORT_FILE" << EOF
        # 📊 Manual Audit Report - StackWorkflow v2.2

        **Data**: $(date '+%Y-%m-%d %H:%M:%S UTC')
        **Tipo**: $AUDIT_TYPE
        **Commit**: ${{ github.sha }}
        **Branch**: ${{ github.ref_name }}

        ## 📊 Scores Finais

        | Métrica | Score | Status |
        |---------|-------|--------|
        | 🛡️ **Segurança** | **$SECURITY_SCORE/100** | $([ $SECURITY_SCORE -ge 80 ] && echo "🟢 Excelente" || [ $SECURITY_SCORE -ge 60 ] && echo "🟡 Bom" || echo "🔴 Crítico") |
        | 🏗️ **Qualidade** | **$QUALITY_SCORE/100** | $([ $QUALITY_SCORE -ge 80 ] && echo "🟢 Excelente" || [ $QUALITY_SCORE -ge 60 ] && echo "🟡 Bom" || echo "🔴 Crítico") |
        | 🎯 **Geral** | **$OVERALL_SCORE/100** | $([ $OVERALL_SCORE -ge 80 ] && echo "🟢 Excelente" || [ $OVERALL_SCORE -ge 60 ] && echo "🟡 Bom" || echo "🔴 Crítico") |

        ## 📋 Resumo do Projeto

        ### 📁 Estrutura
        - **Total de ficheiros**: $TOTAL_FILES
        - **Linhas de código**: $TOTAL_LOC
        - **Ficheiros PHP**: $PHP_FILES
        - **Ficheiros JavaScript**: $JS_FILES
        - **Ficheiros CSS**: $CSS_FILES
        - **Ficheiros Python**: $PYTHON_FILES

        ### 📈 Atividade (últimos 30 dias)
        - **Commits**: $RECENT_COMMITS
        - **Contributors ativos**: $ACTIVE_CONTRIBUTORS
        - **Ficheiros alterados (7 dias)**: $RECENT_CHANGES

        ## 🛡️ Análise de Segurança

        ### 🚨 Vulnerabilidades Detectadas
        - **SQL Injection**: $SQL_ISSUES issues
        - **XSS**: $XSS_ISSUES issues
        - **Secrets hardcoded**: $SECRETS_ISSUES issues
        - **Endpoints públicos**: $PUBLIC_ENDPOINTS issues

        EOF

        # Adicionar detalhes de vulnerabilidades se existirem
        if [ $SQL_ISSUES -gt 0 ]; then
          echo "### 🔴 SQL Injection Details" >> "$REPORT_FILE"
          echo "\`\`\`" >> "$REPORT_FILE"
          echo "$SQL_DETAILS" >> "$REPORT_FILE"
          echo "\`\`\`" >> "$REPORT_FILE"
          echo "" >> "$REPORT_FILE"
        fi

        if [ $XSS_ISSUES -gt 0 ]; then
          echo "### 🔴 XSS Vulnerabilities Details" >> "$REPORT_FILE"
          echo "\`\`\`" >> "$REPORT_FILE"
          echo "$XSS_DETAILS" >> "$REPORT_FILE"
          echo "\`\`\`" >> "$REPORT_FILE"
          echo "" >> "$REPORT_FILE"
        fi

        cat >> "$REPORT_FILE" << EOF

        ## 🏗️ Análise de Qualidade

        ### 📏 Métricas de Código
        - **Funções complexas (>50 linhas)**: $LONG_FUNCTIONS
        - **Duplicação estimada**: $DUPLICATE_LINES linhas (~3%)
        - **TODOs/FIXMEs**: $TODO_ITEMS itens

        ## 🎯 Recomendações Prioritárias

        EOF

        # Gerar recomendações baseadas nos scores
        if [ $SECURITY_SCORE -lt 70 ]; then
          echo "### 🔴 Segurança (Crítico)" >> "$REPORT_FILE"
          echo "1. **Corrigir SQL Injection**: Usar prepared statements" >> "$REPORT_FILE"
          echo "2. **Eliminar XSS**: Sanitizar outputs com esc_html()" >> "$REPORT_FILE"
          echo "3. **Remover secrets**: Migrar para variáveis de ambiente" >> "$REPORT_FILE"
          echo "" >> "$REPORT_FILE"
        fi

        if [ $QUALITY_SCORE -lt 70 ]; then
          echo "### 🟡 Qualidade (Melhorar)" >> "$REPORT_FILE"
          echo "1. **Refatorar funções grandes**: Quebrar em funções menores" >> "$REPORT_FILE"
          echo "2. **Eliminar duplicação**: Aplicar DRY principle" >> "$REPORT_FILE"
          echo "3. **Resolver TODOs**: Implementar ou documentar" >> "$REPORT_FILE"
          echo "" >> "$REPORT_FILE"
        fi

        cat >> "$REPORT_FILE" << EOF
        ## 🔄 Próximas Ações

        1. **Imediato**: Corrigir issues críticos de segurança
        2. **Curto prazo**: Refatorar código com alta complexidade
        3. **Médio prazo**: Implementar testes automatizados
        4. **Automação**: Executar \`/avaliar\` para correções automáticas

        ---
        **Powered by**: StackWorkflow v2.2 Manual Audit System
        **Execução**: Manual via `/avaliar` ou workflow_dispatch
        EOF

        echo "SECURITY_SCORE=$SECURITY_SCORE" >> $GITHUB_ENV
        echo "QUALITY_SCORE=$QUALITY_SCORE" >> $GITHUB_ENV
        echo "OVERALL_SCORE=$OVERALL_SCORE" >> $GITHUB_ENV

        echo "✅ Relatório manual gerado: $REPORT_FILE"

    - name: 📤 Upload Manual Report
      uses: actions/upload-artifact@v4
      with:
        name: manual-audit-report-${{ github.run_number }}
        path: ${{ env.REPORTS_DIR }}/*.md
        retention-days: 90

    - name: 📊 Create Issue for Critical Findings
      if: env.OVERALL_SCORE < 50
      uses: actions/github-script@v7
      with:
        script: |
          const title = `🔴 Critical Issues Found - Manual Audit ${new Date().toISOString().split('T')[0]}`;
          const body = `# 🚨 Critical Security & Quality Issues Detected

          **Overall Score**: ${process.env.OVERALL_SCORE}/100 🔴
          **Security Score**: ${process.env.SECURITY_SCORE}/100
          **Quality Score**: ${process.env.QUALITY_SCORE}/100

          ## 🎯 Immediate Action Required

          This automated manual audit has detected critical issues that require immediate attention.

          ### 📋 Next Steps
          1. 🔍 **Review** the detailed audit report in the artifacts
          2. 🔧 **Fix** critical security vulnerabilities first
          3. 🏗️ **Refactor** code quality issues
          4. ⚡ **Run** \`/avaliar\` in StackWorkflow for automated fixes

          ### 📁 Reports
          - Check the "manual-audit-report-${{ github.run_number }}" artifact for detailed findings
          - Review file:line references for specific issues

          ---
          **Auto-generated by**: StackWorkflow v2.2 Manual Audit
          **Report ID**: ${{ github.run_number }}
          `;

          await github.rest.issues.create({
            owner: context.repo.owner,
            repo: context.repo.repo,
            title: title,
            body: body,
            labels: ['security', 'quality', 'critical', 'automated-audit']
          });

    - name: 🏆 Success Summary
      if: env.OVERALL_SCORE >= 80
      run: |
        echo "🎉 PARABÉNS! Projeto com qualidade excelente!"
        echo "📊 Score geral: $OVERALL_SCORE/100"
        echo "🛡️ Segurança: $SECURITY_SCORE/100"
        echo "🏗️ Qualidade: $QUALITY_SCORE/100"