Skip to content

chore(security): Implement uniform SAST, SCA, and Dependabot (#83)#84

Merged
gowthamrao merged 1 commit into
mainfrom
develop
Apr 21, 2026
Merged

chore(security): Implement uniform SAST, SCA, and Dependabot (#83)#84
gowthamrao merged 1 commit into
mainfrom
develop

Conversation

@gowthamrao
Copy link
Copy Markdown
Contributor

@gowthamrao gowthamrao commented Apr 21, 2026

Release Notes: Security Tooling & Pipeline Resilience

Overview

This update stabilizes our security infrastructure by unifying our vulnerability scanning tools and resolving key pipeline bottlenecks. We've successfully migrated to TruffleHog for secret detection and implemented graceful degradation for GitHub Advanced Security to ensure smoother, more resilient CI runs.

🛡️ Vulnerability & Secret Scanning

  • Uniform Security Scans: Implemented standardized CI workflows for Static Application Security Testing (SAST), Software Composition Analysis (SCA), Trivy, and Dependabot.
  • TruffleHog Migration: Replaced Gitleaks with TruffleHog for deeper secret scanning capabilities.
  • TruffleHog Stabilization: Fixed CI paths and resolved a critical base/head identical mismatch error within security.yml to ensure accurate pull request diffing.

⚙️ CI/CD & CodeQL Hardening

  • CodeQL Permissions: Added the required actions:read permissions for successful codeql upload-sarif executions.
  • Pipeline Error Resolution: Resolved recurring CodeQL matrix errors, fixed pathing issues, and cleared up lingering Codespell linting warnings.
  • Pipeline Resilience: * Configured workflows to gracefully degrade GitHub Advanced Security uploads when the feature is disabled on the repository.
    • Injected continue-on-error limits for degradation steps to prevent non-critical scan failures from blocking deployments.

🛠️ Formatting Standards

  • EOF Enforcement: Strictly enforced End of File (EOF) standards across the codebase to maintain formatting consistency.

@gowthamrao
chore(security): Implement uniform SAST, SCA, and Dependabot (#83)
33ecc96 
## Release Notes: Security Tooling & Pipeline Resilience

### Overview
This update stabilizes our security infrastructure by unifying our vulnerability scanning tools and resolving key pipeline bottlenecks. We've successfully migrated to TruffleHog for secret detection and implemented graceful degradation for GitHub Advanced Security to ensure smoother, more resilient CI runs.

### 🛡️ Vulnerability & Secret Scanning
* **Uniform Security Scans:** Implemented standardized CI workflows for Static Application Security Testing (SAST), Software Composition Analysis (SCA), Trivy, and Dependabot.
* **TruffleHog Migration:** Replaced Gitleaks with TruffleHog for deeper secret scanning capabilities.
* **TruffleHog Stabilization:** Fixed CI paths and resolved a critical `base/head` identical mismatch error within `security.yml` to ensure accurate pull request diffing.

### ⚙️ CI/CD & CodeQL Hardening
* **CodeQL Permissions:** Added the required `actions:read` permissions for successful `codeql upload-sarif` executions.
* **Pipeline Error Resolution:** Resolved recurring CodeQL matrix errors, fixed pathing issues, and cleared up lingering Codespell linting warnings.
* **Pipeline Resilience:** * Configured workflows to gracefully degrade GitHub Advanced Security uploads when the feature is disabled on the repository.
    * Injected `continue-on-error` limits for degradation steps to prevent non-critical scan failures from blocking deployments.

### 🛠️ Formatting Standards
* **EOF Enforcement:** Strictly enforced End of File (EOF) standards across the codebase to maintain formatting consistency.


---

* chore(security): implement uniform SAST, SCA, Trivy, and Dependabot scans

* fix(security): swap gitleaks for trufflehog and fix ci paths

* fix(security): add actions:read permission for codeql upload-sarif

* fix(security): resolve pathing, codespell, and CodeQL matrix errors

* fix(security): graceful degrade advanced security uploads when disabled

* fix(security): strictly enforce EOF and inject continue-on-error degradation limits

* fix(security): resolve TruffleHog base/head identical mismatch in security.yml
@gowthamrao gowthamrao merged commit bb0fda2 into main Apr 21, 2026
13 of 21 checks passed
@gowthamrao gowthamrao deleted the develop branch April 21, 2026 18:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@gowthamrao