Update GitHub Actions workflows to use latest version of upload-sarif action for improved functionality and security

CalinL · CalinL · commit 5bb03e998931 · 2026-03-30T12:14:28.000-04:00
Add ESLint configuration file with security and best practice rules
diff --git a/.github/workflows/CIS-Anchore-Grype.yml b/.github/workflows/CIS-Anchore-Grype.yml
@@ -50,7 +50,7 @@ jobs:
           severity-cutoff: critical
       
       - name: Upload Anchore vulnerability report to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@d4b3ca9fa7f69d38bfcd667bdc45bc373d16277e # v4
+        uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
         with:
           sarif_file: ${{ steps.scan.outputs.sarif }}
       
diff --git a/.github/workflows/CIS-Trivy-AquaSecurity.yml b/.github/workflows/CIS-Trivy-AquaSecurity.yml
@@ -44,7 +44,7 @@ jobs:
           output: "trivy-results.sarif"
 
       - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@d4b3ca9fa7f69d38bfcd667bdc45bc373d16277e # v4
+        uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
         if: always()
         with:
           sarif_file: "trivy-results.sarif"
diff --git a/.github/workflows/DAST-ZAP-Zed-Attach-Proxy-Checkmarx.yml b/.github/workflows/DAST-ZAP-Zed-Attach-Proxy-Checkmarx.yml
@@ -64,6 +64,6 @@ jobs:
       - uses: githubabcs-devops/zap-to-ghas@main
       
       - name: Upload SARIF file
-        uses: github/codeql-action/upload-sarif@d4b3ca9fa7f69d38bfcd667bdc45bc373d16277e # v4
+        uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
         with:
           sarif_file: results.sarif
diff --git a/.github/workflows/IACS-AquaSecurity-tfsec.yml b/.github/workflows/IACS-AquaSecurity-tfsec.yml
@@ -31,6 +31,6 @@ jobs:
           sarif_file: tfsec.sarif
 
       - name: Upload SARIF file to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@d4b3ca9fa7f69d38bfcd667bdc45bc373d16277e # v4
+        uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
         with:
           sarif_file: tfsec.sarif
diff --git a/.github/workflows/IACS-Checkmarx-kics.yml b/.github/workflows/IACS-Checkmarx-kics.yml
@@ -51,6 +51,6 @@ jobs:
           cat results-dir/results.json
 
       - name: Upload SARIF file to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@d4b3ca9fa7f69d38bfcd667bdc45bc373d16277e # v4
+        uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
         with:
           sarif_file: results-dir/results.sarif
diff --git a/.github/workflows/IACS-Microsoft-Security-DevOps.yml b/.github/workflows/IACS-Microsoft-Security-DevOps.yml
@@ -54,7 +54,7 @@ jobs:
    
     # Upload alerts to the Security tab - required for MSDO results to appear in the codeQL security alerts tab on GitHub (Requires GHAS)
     - name: Upload results to Security tab
-      uses: github/codeql-action/upload-sarif@d4b3ca9fa7f69d38bfcd667bdc45bc373d16277e # v4
+      uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
       with:
         sarif_file: ${{ steps.msdo.outputs.sarifFile }}
 
diff --git a/.github/workflows/MSDO-Microsoft-Security-DevOps.yml b/.github/workflows/MSDO-Microsoft-Security-DevOps.yml
@@ -42,7 +42,7 @@ jobs:
    
     # Upload alerts to the Security tab - required for MSDO results to appear in the codeQL security alerts tab on GitHub (Requires GHAS)
     - name: Upload results to Security tab
-      uses: github/codeql-action/upload-sarif@d4b3ca9fa7f69d38bfcd667bdc45bc373d16277e # v4
+      uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
       with:
         sarif_file: ${{ steps.msdo.outputs.sarifFile }}
 
diff --git a/.github/workflows/SAST-ESLint.yml b/.github/workflows/SAST-ESLint.yml
@@ -32,6 +32,7 @@ jobs:
       - name: Run ESLint
         env:
           SARIF_ESLINT_IGNORE_SUPPRESSED: "true"
+        working-directory: src/webapp01
         run: npx eslint .
           --config .eslintrc.js
           --ext .js,.jsx,.ts,.tsx
@@ -42,5 +43,5 @@ jobs:
       - name: Upload analysis results to GitHub
         uses: github/codeql-action/upload-sarif@0e9f55954318745b37b7933c693bc093f7336125 # v4.35.1
         with:
-          sarif_file: eslint-results.sarif
+          sarif_file: src/webapp01/eslint-results.sarif
           wait-for-processing: true
diff --git a/.github/workflows/SAST-GitHubAdvancedSecurity-CodeQL.yml b/.github/workflows/SAST-GitHubAdvancedSecurity-CodeQL.yml
@@ -58,7 +58,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@d4b3ca9fa7f69d38bfcd667bdc45bc373d16277e # v4
+      uses: github/codeql-action/init@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
       with:
         languages: ${{ matrix.language }}
         build-mode: ${{ matrix.build-mode }}
@@ -86,6 +86,6 @@ jobs:
         exit 1
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@d4b3ca9fa7f69d38bfcd667bdc45bc373d16277e # v4
+      uses: github/codeql-action/analyze@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
       with:
         category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/SAST-Kubesec.yml b/.github/workflows/SAST-Kubesec.yml
@@ -52,7 +52,7 @@ jobs:
 
       - name: Upload Kubesec scan results to GitHub Security tab
         if: steps.validate.outputs.valid == 'true'
-        uses: github/codeql-action/upload-sarif@d4b3ca9fa7f69d38bfcd667bdc45bc373d16277e # v4
+        uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
         with:
           sarif_file: kubesec-results.sarif
       
@@ -90,6 +90,6 @@ jobs:
 
       - name: Upload Kubesec scan results to GitHub Security tab
         if: steps.validate.outputs.valid == 'true'
-        uses: github/codeql-action/upload-sarif@d4b3ca9fa7f69d38bfcd667bdc45bc373d16277e # v4
+        uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
         with:
           sarif_file: kubesec-results.sarif
diff --git a/.github/workflows/SCA-OpenSSF-Scorecard.yml b/.github/workflows/SCA-OpenSSF-Scorecard.yml
@@ -73,6 +73,6 @@ jobs:
       # Upload the results to GitHub's code scanning dashboard (optional).
       # Commenting out will disable upload of results to your repo's Code Scanning dashboard
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@d4b3ca9fa7f69d38bfcd667bdc45bc373d16277e # v4
+        uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
         with:
           sarif_file: results.sarif
diff --git a/.github/workflows/security-agent-workflow.yml b/.github/workflows/security-agent-workflow.yml
@@ -1,99 +1,99 @@
-# Security Agent Workflow
-# Original author: Elio Struyf
-# Reference: https://www.eliostruyf.com/custom-security-agent-github-copilot-actions/
-
-name: Security Agent Workflow
-
-on:
-    workflow_dispatch:
-
-jobs:
-    security-assessment:
-        runs-on: ubuntu-latest
-        timeout-minutes: 15
-        permissions:
-            contents: read
-        steps:
-            - name: Checkout repository
-              uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-
-            - name: Setup Node.js
-              uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
-              with:
-                  node-version: 22
-
-            - name: Install GitHub Copilot CLI
-              run: npm i -g @github/copilot
-
-            - name: Run Security Agent via Copilot CLI
-              env:
-                  COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
-                  GITHUB_REPOSITORY: ${{ github.repository }}
-              run: |
-                  set -euo pipefail
-                  
-                  # Verify agent file exists
-                  if [ ! -f ".github/agents/security-agent.md" ]; then
-                    echo "Error: Security agent file not found"
-                    exit 1
-                  fi
-                  
-                  AGENT_PROMPT=$(cat .github/agents/security-agent.md)
-                  PROMPT="$AGENT_PROMPT"
-                  PROMPT+=$'\n\nContext:\n'
-                  PROMPT+="- Repository: $GITHUB_REPOSITORY"
-                  PROMPT+=$'\n\nTask:\n'
-                  PROMPT+="- Execute the instructions on the full codebase"
-                  PROMPT+="- Generate the security report at security-reports/security-assessment-report.md summarizing findings, severity, and remediation guidance."
-                  PROMPT+=$'\n\nIMPORTANT: Complete the analysis and save the report file. Do not wait for user input.'
-
-                  # Run with timeout to prevent hanging
-                  timeout 600 copilot --prompt "$PROMPT" --allow-all-tools --allow-all-paths < /dev/null || {
-                    exit_code=$?
-                    if [ $exit_code -eq 124 ]; then
-                      echo "Warning: Copilot CLI timed out after 10 minutes"
-                    fi
-                    # Continue even if copilot exits non-zero, report may still be generated
-                    echo "Copilot CLI exited with code: $exit_code"
-                  }
-
-            - name: Output security report as summary
-              if: always()
-              run: |
-                  set -euo pipefail
-                  REPORT_PATH="security-reports/security-assessment-report.md"
-
-                  if [ ! -f "$REPORT_PATH" ]; then
-                    echo "No security report generated; skipping summary."
-                    exit 0
-                  fi
-
-                  echo "## Security Assessment Report" >> $GITHUB_STEP_SUMMARY
-                  cat "$REPORT_PATH" >> $GITHUB_STEP_SUMMARY
-
-            - name: Upload security report artifact
-              if: always()
-              uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
-              with:
-                  name: security-assessment-report-${{ github.run_id }}
-                  path: security-reports/security-assessment-report.md
-                  retention-days: 30
-
-            - name: Check for critical vulnerabilities
-              if: always()
-              run: |
-                  set -euo pipefail
-                  REPORT_PATH="security-reports/security-assessment-report.md"
-
-                  if [ ! -f "$REPORT_PATH" ]; then
-                    echo "No security report generated; skipping critical check."
-                    exit 0
-                  fi
-
-                  if grep -q "THIS ASSESSMENT CONTAINS A CRITICAL VULNERABILITY" "$REPORT_PATH"; then
-                    echo "❌ CRITICAL VULNERABILITY DETECTED - Workflow failed"
-                    echo "The security assessment found critical vulnerabilities that must be addressed before proceeding."
-                    exit 1
-                  else
-                    echo "✅ No critical vulnerabilities detected"
-                  fi
+# Security Agent Workflow
+# Original author: Elio Struyf
+# Reference: https://www.eliostruyf.com/custom-security-agent-github-copilot-actions/
+
+name: Security Agent Workflow
+
+on:
+    workflow_dispatch:
+
+jobs:
+    security-assessment:
+        runs-on: ubuntu-latest
+        timeout-minutes: 15
+        permissions:
+            contents: read
+        steps:
+            - name: Checkout repository
+              uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+            - name: Setup Node.js
+              uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+              with:
+                  node-version: 22
+
+            - name: Install GitHub Copilot CLI
+              run: npm i -g @github/copilot
+
+            - name: Run Security Agent via Copilot CLI
+              env:
+                  COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
+                  GITHUB_REPOSITORY: ${{ github.repository }}
+              run: |
+                  set -euo pipefail
+                  
+                  # Verify agent file exists
+                  if [ ! -f ".github/agents/security-agent.md" ]; then
+                    echo "Error: Security agent file not found"
+                    exit 1
+                  fi
+                  
+                  AGENT_PROMPT=$(cat .github/agents/security-agent.md)
+                  PROMPT="$AGENT_PROMPT"
+                  PROMPT+=$'\n\nContext:\n'
+                  PROMPT+="- Repository: $GITHUB_REPOSITORY"
+                  PROMPT+=$'\n\nTask:\n'
+                  PROMPT+="- Execute the instructions on the full codebase"
+                  PROMPT+="- Generate the security report at security-reports/security-assessment-report.md summarizing findings, severity, and remediation guidance."
+                  PROMPT+=$'\n\nIMPORTANT: Complete the analysis and save the report file. Do not wait for user input.'
+
+                  # Run with timeout to prevent hanging
+                  timeout 600 copilot --prompt "$PROMPT" --allow-all-tools --allow-all-paths < /dev/null || {
+                    exit_code=$?
+                    if [ $exit_code -eq 124 ]; then
+                      echo "Warning: Copilot CLI timed out after 10 minutes"
+                    fi
+                    # Continue even if copilot exits non-zero, report may still be generated
+                    echo "Copilot CLI exited with code: $exit_code"
+                  }
+
+            - name: Output security report as summary
+              if: always()
+              run: |
+                  set -euo pipefail
+                  REPORT_PATH="security-reports/security-assessment-report.md"
+
+                  if [ ! -f "$REPORT_PATH" ]; then
+                    echo "No security report generated; skipping summary."
+                    exit 0
+                  fi
+
+                  echo "## Security Assessment Report" >> $GITHUB_STEP_SUMMARY
+                  cat "$REPORT_PATH" >> $GITHUB_STEP_SUMMARY
+
+            - name: Upload security report artifact
+              if: always()
+              uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+              with:
+                  name: security-assessment-report-${{ github.run_id }}
+                  path: security-reports/security-assessment-report.md
+                  retention-days: 30
+
+            - name: Check for critical vulnerabilities
+              if: always()
+              run: |
+                  set -euo pipefail
+                  REPORT_PATH="security-reports/security-assessment-report.md"
+
+                  if [ ! -f "$REPORT_PATH" ]; then
+                    echo "No security report generated; skipping critical check."
+                    exit 0
+                  fi
+
+                  if grep -q "THIS ASSESSMENT CONTAINS A CRITICAL VULNERABILITY" "$REPORT_PATH"; then
+                    echo "❌ CRITICAL VULNERABILITY DETECTED - Workflow failed"
+                    echo "The security assessment found critical vulnerabilities that must be addressed before proceeding."
+                    exit 1
+                  else
+                    echo "✅ No critical vulnerabilities detected"
+                  fi
diff --git a/src/webapp01/.eslintrc.js b/src/webapp01/.eslintrc.js
@@ -0,0 +1,30 @@
+module.exports = {
+  env: {
+    browser: true,
+    es2021: true,
+    jquery: true
+  },
+  extends: 'eslint:recommended',
+  parserOptions: {
+    ecmaVersion: 'latest',
+    sourceType: 'script'
+  },
+  rules: {
+    // Security rules
+    'no-eval': 'error',
+    'no-implied-eval': 'error',
+    'no-new-func': 'error',
+    'no-script-url': 'error',
+    
+    // Best practices
+    'eqeqeq': ['error', 'always'],
+    'no-var': 'warn',
+    'prefer-const': 'warn'
+  },
+  ignorePatterns: [
+    'wwwroot/lib/**',       // Ignore third-party libraries
+    '**/*.min.js',          // Ignore minified files
+    'obj/**',               // Ignore build artifacts
+    'bin/**'                // Ignore build artifacts
+  ]
+};
