Merge remote-tracking branch 'origin/main' into 2024-09-26-config-as-…

…java-code

.github/workflows/license_scan.yml

@@ -10,32 +10,34 @@ jobs:
     timeout-minutes: 30
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Run license scanner
-        uses: aquasecurity/trivy-action@master
+        uses: aquasecurity/trivy-action@0.24.0
         with:
           scan-type: "rootfs"
           scan-ref: "."
           scanners: "license"
           severity: "CRITICAL,HIGH"
           exit-code: 1
+          github-pat: ${{ secrets.GITHUB_TOKEN }}
   license_scan2:
     name: License scan (repo)
     runs-on: ubuntu-latest
     timeout-minutes: 30
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - name: npm install (typescript-client)
         run: cd extensions/wrapper/clients/typescript-client && npm clean-install
       - name: npm install (typescript-client-example)
         run: cd extensions/wrapper/clients/typescript-client-example && npm clean-install
       - name: Run license scanner
-        uses: aquasecurity/trivy-action@master
+        uses: aquasecurity/trivy-action@0.24.0
         with:
           scan-type: "repo"
           scan-ref: "."
           scanners: "license"
           severity: "CRITICAL,HIGH"
           exit-code: 1
+          github-pat: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/secret_scan.yml

@@ -17,9 +17,10 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v4
       - name: Run vulnerability scanner
-        uses: aquasecurity/trivy-action@master
+        uses: aquasecurity/trivy-action@0.24.0
         with:
           scan-type: "fs"
           exit-code: "1"
           ignore-unfixed: true
           scanners: secret
+          github-pat: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/security_scan.yml

@@ -12,29 +12,31 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v4
       - name: Run static analysis (rootfs)
-        uses: aquasecurity/trivy-action@master
+        uses: aquasecurity/trivy-action@0.24.0
         with:
           scan-type: "rootfs"
           scanners: "vuln,misconfig"
           ignore-unfixed: true
           format: "sarif"
           output: "trivy-results-rootfs.sarif"
           severity: "CRITICAL,HIGH"
+          github-pat: ${{ secrets.GITHUB_TOKEN }}
   security_scan_repo:
     name: security_scan_repo
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
       - name: Run static analysis (repo)
-        uses: aquasecurity/trivy-action@master
+        uses: aquasecurity/trivy-action@0.24.0
         with:
           scan-type: "repo"
           scanners: "vuln,misconfig"
           ignore-unfixed: true
           format: "sarif"
           output: "trivy-results-repo.sarif"
           severity: "CRITICAL,HIGH"
+          github-pat: ${{ secrets.GITHUB_TOKEN }}
       - name: Upload Trivy scan results to GitHub Security tab (repo)
         uses: github/codeql-action/upload-sarif@v2
         continue-on-error: true

.github/workflows/trivy.yml

@@ -12,17 +12,18 @@ jobs:
     timeout-minutes: 30
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Run static analysis
-        uses: aquasecurity/trivy-action@master
+        uses: aquasecurity/trivy-action@0.24.0
         with:
           scan-type: 'fs'
           security-checks: 'vuln,secret,config'
           ignore-unfixed: true
           format: 'sarif'
           output: 'trivy-results.sarif'
           severity: 'CRITICAL'
+          github-pat: ${{ secrets.GITHUB_TOKEN }}
 
 
       - name: Upload Trivy scan results to GitHub Security tab