From af5eb6bcb53c06deb11922e83b3795a40903f50c Mon Sep 17 00:00:00 2001
From: Jafrullah Mohammad
Date: Mon, 5 Jan 2026 10:10:23 +0000
Subject: [PATCH] NHSO-59706: Adding devsecops scanning workflow
---
.github/workflows/devsecops_security_scan.yml | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
create mode 100644 .github/workflows/devsecops_security_scan.yml
diff --git a/.github/workflows/devsecops_security_scan.yml b/.github/workflows/devsecops_security_scan.yml
new file mode 100644
index 0000000..9c7e239
--- /dev/null
+++ b/.github/workflows/devsecops_security_scan.yml
@@ -0,0 +1,16 @@
+---
+
+name: DevSecOps Security Scan
+# yamllint disable-line rule:truthy
+on:
+ workflow_dispatch: # manual trigger only
+ schedule:
+ - cron: "0 22 * * *" # every day 22:00 UTC
+permissions:
+ contents: read
+ actions: read
+ id-token: write # Required for Defender for Cloud publishing
+ security-events: write
+jobs:
+ scan:
+ uses: NHSDigital/nhsapp-devsecops/.github/workflows/devsecops_security_scan_template.yml@develop
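Review bot: The `uses:` line that ends the hunk references the reusable workflow by the mutable branch `@develop`, while this caller grants it `id-token: write` and `security-events: write`. Any commit that lands on that branch therefore runs on the nightly schedule with the ability to request an OIDC token for this repository and to publish code-scanning results, without any change being reviewed here. Pin the reference to a full commit SHA and let an updater bump it, e.g. `uses: NHSDigital/nhsapp-devsecops/.github/workflows/devsecops_security_scan_template.yml@<full-commit-sha> # develop`. Separately, the comment `# manual trigger only` on `workflow_dispatch` is misleading because a `schedule` trigger follows it; something like `# allow manual runs` would match the actual behaviour.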