From 3c0a90f92ba4e3aaa6854bc98d451fde7340877d Mon Sep 17 00:00:00 2001
From: Damien Retzinger
Date: Tue, 5 May 2026 11:56:14 -0400
Subject: [PATCH] feat(sansec-ecomscan): add sansec ecomscan feature (#235)
---
.../workflows/_internal-sansec-ecomscan.yaml | 73 +++++++++++++++++++
sansec-ecomscan/README.md | 34 +++++++++
sansec-ecomscan/action.yml | 47 ++++++++++++
3 files changed, 154 insertions(+)
create mode 100644 .github/workflows/_internal-sansec-ecomscan.yaml
create mode 100644 sansec-ecomscan/README.md
create mode 100644 sansec-ecomscan/action.yml
diff --git a/.github/workflows/_internal-sansec-ecomscan.yaml b/.github/workflows/_internal-sansec-ecomscan.yaml
new file mode 100644
index 0000000..939f154
--- /dev/null
+++ b/.github/workflows/_internal-sansec-ecomscan.yaml
@@ -0,0 +1,73 @@
+name: Sansec eComscan Security Scan
+
+on:
+ push:
+ branches:
+ - main
+ paths:
+ - ".github/workflows/_internal-sansec-ecomscan.yaml"
+ - "sansec-ecomscan/**"
+ - "!(**/*.md)"
+ pull_request:
+ branches:
+ - main
+ paths:
+ - ".github/workflows/_internal-sansec-ecomscan.yaml"
+ - "sansec-ecomscan/**"
+ - "!(**/*.md)"
+ workflow_dispatch:
+
+env:
+ MAGENTO_COMPOSER_REPO: "https://mirror.mage-os.org/"
+
+jobs:
+ compute_matrix:
+ if: "!startsWith(github.head_ref, 'release-please')"
+ runs-on: ubuntu-latest
+ outputs:
+ matrix: ${{ steps.supported-version.outputs.matrix }}
+ steps:
+ - uses: actions/checkout@v6
+ - uses: ./supported-version
+ with:
+ kind: currently-supported
+ id: supported-version
+
+ run-ecomscan:
+ needs: compute_matrix
+ strategy:
+ matrix: ${{ fromJSON(needs.compute_matrix.outputs.matrix) }}
+ fail-fast: false
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ pull-requests: read
+
+ steps:
+ - uses: actions/checkout@v6
+
+ - uses: ./setup-magento
+ id: setup-magento
+ with:
+ php-version: ${{ matrix.php }}
+ tools: composer:v${{ matrix.composer }}
+ mode: extension
+ magento_repository: ${{ env.MAGENTO_COMPOSER_REPO }}
+ magento_version: ${{ matrix.magento }}
+ composer_auth: ${{ secrets.COMPOSER_AUTH }}
+
+ - uses: ./cache-magento
+ with:
+ composer_cache_key: ${{ matrix.magento }}
+
+ - name: Composer install
+ shell: bash
+ run: composer install
+ working-directory: ${{ steps.setup-magento.outputs.path }}
+ env:
+ COMPOSER_AUTH: ${{ secrets.COMPOSER_AUTH }}
+
+ - uses: ./sansec-ecomscan
+ with:
+ license: ${{ secrets.SANSEC_LICENSE_KEY }}
+ path: ${{ steps.setup-magento.outputs.path }}
diff --git a/sansec-ecomscan/README.md b/sansec-ecomscan/README.md
new file mode 100644
index 0000000..d53cc7a
--- /dev/null
+++ b/sansec-ecomscan/README.md
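Review bot: The `compute_matrix` job declares no `permissions:` block while `run-ecomscan` does, so it runs with the repository's default `GITHUB_TOKEN` scope, which can be broader than the read-only access a checkout plus `./supported-version` needs; add `permissions: contents: read` to that job (or a top-level `permissions:` block) so both jobs are least-privilege. Both `uses: actions/checkout@v6` references pin to a mutable tag; pinning to the full commit SHA with the tag in a trailing comment removes the risk of the tag being re-pointed. On `pull_request` events from forks GitHub does not expose repository secrets, so `secrets.COMPOSER_AUTH` and `secrets.SANSEC_LICENSE_KEY` will be empty there and the scan step fails rather than being skipped — a guard such as `if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository` on `run-ecomscan` would make that explicit. The path filter `"!(**/*.md)"` reads like extglob syntax, whereas the documented negation form for `paths` is `!**/*.md`; worth confirming it actually excludes markdown, otherwise the workflow also runs for README-only changes.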
@@ -0,0 +1,34 @@
+# Sansec eComscan Security Scan Action
+
+A Github Action that runs the [Sansec eComscan](https://sansec.io/ecomscan) security scanner.
+
+## Inputs
+
+See the [action.yml](./action.yml)
+
+## Usage
+
+The caller is responsible for checking out the repository before calling this action. A valid Sansec license key must be passed via the `ecomscan_key` input.
+
+The `path` input should point to the root of the Magento installation — the directory that contains `app/`, `vendor/`, etc. It defaults to `.` (the current working directory).
+
+```yml
+name: Sansec eComscan Security Scan
+
+on:
+ push:
+ pull_request_target:
+ workflow_dispatch:
+
+jobs:
+ run-ecomscan:
+ # Skip if it's a push event on a PR (it can't access secrets)
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v6
+
+ - uses: graycoreio/github-actions-magento2/sansec-ecomscan@7.1.0
+ with:
+ license: ${{ secrets.SANSEC_LICENSE_KEY }}
+```
diff --git a/sansec-ecomscan/action.yml b/sansec-ecomscan/action.yml
new file mode 100644
index 0000000..d8113af
--- /dev/null
+++ b/sansec-ecomscan/action.yml
@@ -0,0 +1,47 @@
+name: "Sansec eComscan Security Scan"
+author: "Graycore"
+description: "A Github Action that runs the Sansec eComscan security scanner."
+
+inputs:
+ license:
+ required: true
+ description: "Sansec license key (ECOMSCAN_KEY)"
+
+ path:
+ required: true
+ default: '.'
+ description: "The directory to scan."
+
+ skip_database:
+ required: false
+ default: 'true'
+ description: "Skip the database scan (--skip-database). Defaults to true."
+
+runs:
+ using: composite
+ steps:
+ - name: Download eComscan
+ shell: bash
+ run: wget https://ecomscan.com/downloads/linux-amd64/ecomscan
+
+ - name: Fix permissions
+ shell: bash
+ run: chmod +x ecomscan
+
+ - name: Run eComscan
+ shell: bash
+ env:
+ ECOMSCAN_KEY: ${{ inputs.license }}
+ run: |
+ FLAGS=(--no-auto-update --deep --format=csv)
+ [ "${{ inputs.skip_database }}" = "true" ] && FLAGS+=(--skip-database)
+ output=$(./ecomscan "${FLAGS[@]}" "${{ inputs.path }}")
+ if [ -n "$output" ]; then
+ echo "Security issues found:"
+ echo "$output"
+ exit 1
+ fi
+
+branding:
+ icon: "shield"
+ color: "red"
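Review bot: The "Download eComscan" step fetches a binary from a URL that carries no version, performs no checksum or signature verification, and the next two steps make it executable and run it with the license key in its environment, so whoever controls what that URL serves controls code execution inside every caller's job. Verify the artifact before anything executes it — if Sansec publishes a digest or signature, check that; otherwise accept an expected SHA-256 as a new input (`sha256` in the sketch below) and fail on `sha256sum -c` — and use `wget -O ecomscan` so a leftover file from an earlier run does not silently land in `ecomscan.1`. In the "Run eComscan" step, `${{ inputs.path }}` and `${{ inputs.skip_database }}` are expanded into the script text before bash parses it, which is the standard Actions script-injection shape when a caller derives the input from PR data; route both through `env:` and reference `"$SCAN_PATH"` and `"$SKIP_DATABASE"` instead. Bash's default `-e` for composite steps should already fail the step when the scanner exits non-zero, but the only diagnostic is the `if [ -n "$output" ]` branch, so a license or network failure produces no message — capturing the exit status explicitly helps, with the caveat that if eComscan signals findings via a non-zero exit that branch must be distinguished. Separately, the README in this patch tells users to pass the key via an `ecomscan_key` input, while the input defined here is `license`.

```yaml
    - name: Download eComscan
      shell: bash
      env:
        EXPECTED_SHA256: ${{ inputs.sha256 }}
      run: |
        wget -q -O ecomscan https://ecomscan.com/downloads/linux-amd64/ecomscan
        # Refuse to run a binary whose digest does not match the pinned value.
        echo "${EXPECTED_SHA256}  ecomscan" | sha256sum -c -
    # … unchanged: Fix permissions step …
    - name: Run eComscan
      shell: bash
      env:
        ECOMSCAN_KEY: ${{ inputs.license }}
        # Inputs reach the script as variables, never as interpolated text.
        SCAN_PATH: ${{ inputs.path }}
        SKIP_DATABASE: ${{ inputs.skip_database }}
      run: |
        FLAGS=(--no-auto-update --deep --format=csv)
        [ "$SKIP_DATABASE" = "true" ] && FLAGS+=(--skip-database)
        if ! output=$(./ecomscan "${FLAGS[@]}" "$SCAN_PATH"); then
          echo "ecomscan failed:" >&2
          echo "$output" >&2
          exit 1
        fi
        # … unchanged: report findings and exit 1 when output is non-empty …
```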