[Unit]
Description=Security scan of nas-burnin (pip-audit + bandit + gitleaks)
After=network-online.target docker.service
Wants=network-online.target

[Service]
Type=oneshot
# Wire SECURITY_SCAN_WEBHOOK here if you want findings POSTed somewhere.
# Environment=SECURITY_SCAN_WEBHOOK=https://chat.example/hooks/abc
ExecStart=%h/docker/stacks/nas-burnin/scripts/security-scan.sh
# Tools cache + container pulls — give them headroom.
TimeoutStartSec=600
StandardOutput=journal
StandardError=journal

[Install]
WantedBy=default.target