feat(workflows): add security reusable workflows #28
Add five reusable GitHub Actions workflows for security scanning and maintenance:

- checkov-scan.yml: Infrastructure-as-code security scanning with Checkov for Terraform and Bicep files
- gitleaks-scan.yml: Secret scanning using Gitleaks to detect exposed credentials and API keys
- gitleaks.yml: Alternative Gitleaks configuration for different scanning scenarios
- sha-staleness-check.yml: Automated checking of GitHub Actions SHA pinning staleness
- weekly-security-maintenance.yml: Scheduled workflow for weekly security updates and maintenance tasks

All workflows are reusable (workflow_call trigger) and designed to be called from orchestration workflows. Each workflow includes proper error handling, security best practices, and artifact uploads for scan results.

Resolves: #15

🔒 - Generated by Copilot
Pull Request Overview
This PR introduces a comprehensive weekly security maintenance workflow along with supporting workflows for secret scanning (Gitleaks) and Infrastructure as Code scanning (Checkov). The main workflow validates SHA pinning compliance, checks for stale SHA pins, runs security scans, and generates a consolidated security report.
Key changes:
- Added a weekly security maintenance workflow that orchestrates multiple security checks
- Created reusable workflows for Gitleaks and Checkov security scans with SARIF support
- Implemented SHA staleness checking to identify outdated dependency pins
Reviewed Changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 7 comments.
| File | Description |
|---|---|
| .github/workflows/weekly-security-maintenance.yml | Main orchestration workflow that runs dependency validation, staleness checks, and security scans on a weekly schedule |
| .github/workflows/sha-staleness-check.yml | Standalone workflow for checking GitHub Actions SHA pin age |
| .github/workflows/gitleaks.yml | Basic Gitleaks secret scanning workflow triggered on push and PR |
| .github/workflows/gitleaks-scan.yml | Reusable Gitleaks workflow with soft-fail and SARIF upload capabilities |
| .github/workflows/checkov-scan.yml | Reusable Checkov IaC scanning workflow with soft-fail and SARIF upload capabilities |
- fix file path from sha-staleness-report.json to logs/sha-staleness-results.json
- add SHA pinning and security hardening to gitleaks workflow
- make gitleaks conditional on license availability for org repos
- add GITHUB_TOKEN env var to SHA staleness check
- fix parameter name from ThresholdDays to MaxAge for consistency

🔒 - Generated by Copilot
Pull Request Overview
Copilot reviewed 5 out of 5 changed files in this pull request and generated 5 comments.
…tion

Changes:

- Add conditional checks for package-lock.json before npm setup/install steps
- Install Gitleaks directly from GitHub releases (v8.18.0)
- Run gitleaks detect command directly instead of via npm script
- Use --no-git flag to scan all files regardless of git status
- Use --redact flag to avoid exposing secrets in output

🔒 - Generated by Copilot
The build will pass when the prior commits with the scripts this one relies on are there.
bderusha
left a comment
A couple questions about this one
…ions

- convert sha-staleness-check to reusable workflow with outputs
- extract validate-pinning job to dependency-pinning-scan reusable workflow
- standardize parameter naming to max-age-days across workflows
- add comprehensive workflow documentation and conventions
- add explicit job-level permissions to gitleaks workflow

🔒 - Generated by Copilot
Pull Request Overview
Copilot reviewed 7 out of 7 changed files in this pull request and generated 13 comments.
…orkflow docs 🔀 - Generated by Copilot
- pin gitleaks-action to v2.3.9 SHA with security-events permission
- add SHA-256 checksum verification for gitleaks binary
- upgrade gitleaks from v8.18.0 to v8.29.0 with version variable
- implement dual SARIF+JSON output format for gitleaks scan
- fix file reference mismatch in artifact uploads
- change checkov to use centralized requirements.txt
- fix JSON property names (Dependencies, CurrentVersion, LatestVersion, DaysOld)
- fix gitleaks.yml conditional to check secrets context
- update workflow documentation for accuracy

🔒 - Generated by Copilot
…kflow 🔒 - Generated by Copilot
- remove dependency on gitleaks-action (requires license)
- call gitleaks-scan.yml reusable workflow instead
- uses direct gitleaks binary (v8.29.0, no license required)

🔒 - Generated by Copilot
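The commits above replace the licensed gitleaks-action with a gitleaks binary fetched from GitHub releases, add SHA-256 checksum verification for that binary, and run `gitleaks detect` with `--no-git` and `--redact`. The following is an added example of the verification and invocation logic, not code from this PR or the project; it assumes a GoReleaser-style checksums file with `<sha256>  <asset name>` lines and the asset name pattern `gitleaks_<version>_linux_x64.tar.gz`, and the function names (`parse_checksums`, `verify_asset`, `detect_command`) are the example's own. The archive bytes and checksums text below are constructed stand-ins so the example runs offline.

```python
"""Verify a gitleaks release archive against its published checksums and
build the redacted, no-git scan command.

Example code added for illustration; not the project's workflow. Assumed:
a "<sha256>  <asset>" checksums file (GoReleaser style) and the asset name
gitleaks_<version>_linux_x64.tar.gz.
"""
import hashlib
import hmac
import re

GITLEAKS_VERSION = "8.29.0"  # version named in the PR's commit messages
ASSET = f"gitleaks_{GITLEAKS_VERSION}_linux_x64.tar.gz"  # assumed asset name
# One checksums line: 64 hex chars, whitespace, optional '*' (binary mode), asset name
CHECKSUM_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(\S+)$")


def parse_checksums(text):
    """Map asset filename -> expected lowercase hex SHA-256 from a checksums file."""
    expected = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = CHECKSUM_LINE.match(line)
        if not match:
            # Fail loudly: a malformed file should never be silently trusted.
            raise ValueError(f"malformed checksum line: {line!r}")
        digest, name = match.groups()
        expected[name] = digest.lower()
    return expected


def sha256_hex(data):
    """Hex SHA-256 of in-memory bytes (the downloaded archive)."""
    return hashlib.sha256(data).hexdigest()


def verify_asset(asset_name, data, checksums_text):
    """Return True only when `data` hashes to the published digest for `asset_name`.

    Raises KeyError if the asset is not listed, so an absent entry cannot be
    mistaken for a passing check.
    """
    expected = parse_checksums(checksums_text)
    if asset_name not in expected:
        raise KeyError(f"{asset_name} is not listed in the checksums file")
    # Constant-time comparison of the two hex strings.
    return hmac.compare_digest(sha256_hex(data), expected[asset_name])


def detect_command(report_format="sarif", report_path="gitleaks.sarif", source="."):
    """argv for the scan step.

    --no-git scans the checkout as plain files regardless of git state;
    --redact keeps matched secret values out of logs and the report.
    Call twice (sarif and json) to get the dual output the PR describes.
    """
    return [
        "gitleaks", "detect",
        "--source", source,
        "--no-git",
        "--redact",
        "--report-format", report_format,
        "--report-path", report_path,
    ]


# Constructed sample data standing in for the downloaded tarball and checksums file.
SAMPLE_ARCHIVE = b"constructed stand-in for the gitleaks tarball bytes"
SAMPLE_CHECKSUMS = (
    f"{sha256_hex(SAMPLE_ARCHIVE)}  {ASSET}\n"
    f"{'0' * 64}  gitleaks_{GITLEAKS_VERSION}_darwin_arm64.tar.gz\n"
)

if __name__ == "__main__":
    ok = verify_asset(ASSET, SAMPLE_ARCHIVE, SAMPLE_CHECKSUMS)
    print("checksum ok" if ok else "checksum MISMATCH, refusing to run the binary")
    for fmt, path in (("sarif", "gitleaks.sarif"), ("json", "gitleaks.json")):
        print(" ".join(detect_command(fmt, path)))
```

In a workflow step the same check would run against the real downloaded archive and the `gitleaks_<version>_checksums.txt` asset before the binary is extracted or executed; a mismatch should fail the job rather than soft-fail, since at that point the scanner itself is the untrusted input.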
Pull Request Overview
Copilot reviewed 7 out of 7 changed files in this pull request and generated 14 comments.
…nsibility

- rename workflow to support future integration of additional security tools
- update workflow name from 'Gitleaks Security Scan' to 'Security Scan'
- update README.md to reflect new workflow name and purpose

🔒 - Generated by Copilot
…t value

- update dependency health table to use inputs.max-age-days
- update next steps guidance to use inputs.max-age-days

🔧 - Generated by Copilot
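The SHA staleness check and the dependency-pinning-scan workflow discussed across these commits do two related things: confirm that every `uses:` reference is pinned to a full commit SHA, and flag pins whose commit is older than `max-age-days`, writing a JSON result with `Dependencies`, `CurrentVersion`, `LatestVersion` and `DaysOld` properties. The block below is an added example of that logic, not the project's script: the commit-date and latest-version lookups a real run would make against the GitHub API with `GITHUB_TOKEN` are replaced by constructed tables, and the `Action`, `Sha`, `Stale`, `Unpinned` and `MaxAgeDays` keys, the function names, and the sample workflow text are the example's own assumptions.

```python
"""Validate SHA pinning in a GitHub Actions workflow and flag stale pins.

Example code added for illustration; not the project's own script. The
GitHub API lookups a real check makes with GITHUB_TOKEN are replaced by
constructed dictionaries of commit dates and latest release versions.
"""
import json
import re
from datetime import datetime, timedelta, timezone

# Matches "uses: owner/repo[/subpath]@ref  # optional version comment".
# Local actions ("uses: ./path") have no "@ref" and are intentionally skipped.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*"
    r"(?P<action>[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+(?:/[A-Za-z0-9_./-]+)?)"
    r"@(?P<ref>[^\s#]+)"
    r"(?:\s*#\s*(?P<comment>\S+))?",
    re.MULTILINE,
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")  # full commit SHA, the only acceptable pin


def find_action_refs(workflow_text):
    """Return (action, ref, version_comment) for every uses: line."""
    return [(m["action"], m["ref"], m["comment"]) for m in USES_RE.finditer(workflow_text)]


def check_workflow(workflow_text, commit_dates, latest_versions, max_age_days, now=None):
    """Evaluate pinning and pin age for one workflow file.

    commit_dates:    sha -> aware datetime of that commit (API lookup, constructed here)
    latest_versions: action -> newest release tag (API lookup, constructed here)
    A pin whose commit date cannot be resolved is reported as stale (fail closed).
    """
    now = now or datetime.now(timezone.utc)
    dependencies, unpinned = [], []
    for action, ref, comment in find_action_refs(workflow_text):
        if not SHA_RE.match(ref):
            # Tag or branch refs are mutable: record them as pinning violations.
            unpinned.append({"Action": action, "Ref": ref})
            continue
        committed = commit_dates.get(ref)
        days_old = (now - committed).days if committed else None
        dependencies.append({
            "Action": action,
            "Sha": ref,
            "CurrentVersion": comment,            # from the "# vX.Y.Z" comment
            "LatestVersion": latest_versions.get(action),
            "DaysOld": days_old,
            "Stale": days_old is None or days_old > max_age_days,
        })
    return {"MaxAgeDays": max_age_days, "Dependencies": dependencies, "Unpinned": unpinned}


def to_json(result):
    """Serialise the result the way a logs/*.json artifact would be written."""
    return json.dumps(result, indent=2)


# Constructed sample input: two SHA pins (one fresh, one old) and one tag ref.
SAMPLE_WORKFLOW = """\
jobs:
  scan:
    steps:
      - uses: actions/checkout@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa # v4.2.2
      - uses: actions/setup-node@bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb # v4.0.0
      - uses: actions/upload-artifact@v5
"""
NOW = datetime(2026, 1, 19, tzinfo=timezone.utc)
COMMIT_DATES = {"a" * 40: NOW - timedelta(days=30), "b" * 40: NOW - timedelta(days=200)}
LATEST_VERSIONS = {
    "actions/checkout": "v4.2.2",
    "actions/setup-node": "v4.1.0",
    "actions/upload-artifact": "v6.0.0",
}

if __name__ == "__main__":
    print(to_json(check_workflow(SAMPLE_WORKFLOW, COMMIT_DATES, LATEST_VERSIONS, 90, NOW)))
```

The separation between the pure evaluation (`check_workflow`) and the data sources is what makes the check testable without network access; in the reusable workflow the two dictionaries would be filled from the commits and releases API using the job's `GITHUB_TOKEN`, and the result written to the JSON artifact that the orchestration workflow reads.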
- add CodeQL analysis workflow for JavaScript/TypeScript security scanning
- add dependency review workflow for PR vulnerability checking
- update weekly maintenance to use CodeQL instead of third-party tools
- update security-scan orchestrator to call CodeQL and dependency review
- remove obsolete configuration files

🔒 - Generated by Copilot
Dependency Review

✅ No vulnerabilities or license issues found.

Scanned Manifest Files

- .github/workflows/codeql-analysis.yml
- .github/workflows/dependency-pinning-scan.yml
- .github/workflows/dependency-review.yml
- .github/workflows/sha-staleness-check.yml
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.
🔧 - Generated by Copilot
Pull Request Overview
Copilot reviewed 8 out of 8 changed files in this pull request and generated 10 comments.
Pull Request Overview
Copilot reviewed 8 out of 8 changed files in this pull request and generated 3 comments.
- fix table syntax error in weekly-security-maintenance.yml
- replace hardcoded threshold values with configurable input parameter
- add comment about artifact sharing limitation between jobs
- correct upload-sarif default documentation from true to false
- update CodeQL schedule documentation to match actual workflow

🔧 - Generated by Copilot
🤖 I have created a release *beep* *boop*

---

## [1.1.0](hve-core-v1.0.0...hve-core-v1.1.0) (2026-01-19)

### ✨ Features

* **.devcontainer:** add development container configuration ([#24](#24)) ([45debf5](45debf5))
* **.github:** add github metadata and mcp configuration ([#23](#23)) ([1cb898d](1cb898d))
* **agent:** Add automated installation via hve-core-installer agent ([#82](#82)) ([a2716d5](a2716d5))
* **agents:** add brd-builder.agent.md for building BRDs ([#122](#122)) ([bfdc9f3](bfdc9f3))
* **agents:** redesign installer with Codespaces support and method documentation ([#123](#123)) ([6329fc0](6329fc0))
* **ai:** Establish AI-Assisted Development Framework ([#48](#48)) ([f5199a4](f5199a4))
* **build:** implement automated release management with release-please ([#86](#86)) ([90150e2](90150e2))
* **chatmodes:** add architecture diagram builder agent ([#145](#145)) ([db24637](db24637))
* **config:** add development tools configuration files ([#19](#19)) ([9f97522](9f97522))
* **config:** add npm package configuration and dependencies ([#20](#20)) ([fcba198](fcba198))
* **copilot:** add GitHub Copilot instruction files ([#22](#22)) ([4927284](4927284))
* **copilot:** add specialized chat modes for development workflows ([#21](#21)) ([ae8495f](ae8495f))
* **docs:** add comprehensive AI artifact contribution documentation ([#76](#76)) ([d81cf96](d81cf96))
* **docs:** add getting started guide for project configuration ([#57](#57)) ([3b864fa](3b864fa))
* **docs:** add repository foundation and documentation files ([#18](#18)) ([ad7efb6](ad7efb6)), closes [#2](#2)
* **docs:** add RPI workflow documentation and restructure docs folder ([#102](#102)) ([c3af708](c3af708))
* **extension:** hve core vs code extension ([#149](#149)) ([041a1fd](041a1fd))
* **extension:** implement pre-release versioning with agent maturity filtering ([#179](#179)) ([fb38233](fb38233))
* **instructions:** add authoring standards for prompt engineering artifacts ([#177](#177)) ([5de3af9](5de3af9))
* **instructions:** add extension quick install and enhance installer agent ([#176](#176)) ([48e3d58](48e3d58))
* **instructions:** add VS Code variant prompt and gitignore recommendation to installer ([#185](#185)) ([b400493](b400493))
* **instructions:** add writing style guide for markdown content ([#151](#151)) ([02df6a8](02df6a8))
* **instructions:** consolidate C# guidelines and update prompt agent fields ([#158](#158)) ([65342d4](65342d4))
* **instructions:** provide guidance on using safe commands to reduce interactive prompting ([#117](#117)) ([1268580](1268580))
* **linting:** add linting and validation scripts ([#26](#26)) ([66be136](66be136))
* **prompt-builder:** enhance prompt engineering instructions and validation protocols ([#155](#155)) ([bc5004f](bc5004f))
* **prompts:** add ADR placement planning and update template paths ([#69](#69)) ([380885f](380885f))
* **prompts:** add git workflow prompts from edge-ai ([#84](#84)) ([56d66b6](56d66b6))
* **prompts:** add github-add-issue prompt and github-issue-manager chatmode with delegation pattern ([#55](#55)) ([d0e1789](d0e1789))
* **prompts:** add PR template discovery and integration to pull-request prompt ([#141](#141)) ([b8a4c7a](b8a4c7a))
* **prompts:** add task research initiation prompt and rpi agent ([#124](#124)) ([5113e3b](5113e3b))
* **release:** implement release management strategy ([#161](#161)) ([6164c3b](6164c3b))
* Risk Register Prompt ([#146](#146)) ([843982c](843982c))
* **scripts:** enhanced JSON Schema validation for markdown frontmatter ([#59](#59)) ([aba152c](aba152c))
* **security:** add checksum validation infrastructure ([#106](#106)) ([07528fb](07528fb))
* **security:** add security scanning scripts ([#25](#25)) ([82de5a1](82de5a1))
* **workflows:** add CodeQL security analysis to PR validation ([#132](#132)) ([e5b6e8f](e5b6e8f))
* **workflows:** add orchestration workflows and documentation ([#29](#29)) ([de442e0](de442e0))
* **workflows:** add security reusable workflows ([#28](#28)) ([2c74399](2c74399))
* **workflows:** add validation reusable workflows ([#27](#27)) ([f52352d](f52352d))

### 🐛 Bug Fixes

* **build:** add token parameter to release-please action ([#166](#166)) ([c9189ec](c9189ec))
* **build:** disable MD012 lint rule in CHANGELOG for release-please compatibility ([#173](#173)) ([54502d8](54502d8)), closes [#172](#172)
* **build:** pin npm commands for OpenSSF Scorecard compliance ([#181](#181)) ([c29db54](c29db54))
* **build:** remediate GHSA-g9mf-h72j-4rw9 undici vulnerability ([#188](#188)) ([634bf36](634bf36))
* **build:** seed CHANGELOG.md with version entry for release-please frontmatter preservation ([#170](#170)) ([2b299ac](2b299ac))
* **build:** use GitHub App token for release-please ([#167](#167)) ([070e042](070e042))
* **build:** use hashtable splatting for named parameters ([#164](#164)) ([02a965f](02a965f))
* **devcontainer:** remove unused Python requirements check ([#78](#78)) ([f17a872](f17a872)), closes [#77](#77)
* **docs:** fix broken links and update validation for .vscode/README.md ([#118](#118)) ([160ae7a](160ae7a))
* **docs:** improve language consistency in Automated Installation section ([#139](#139)) ([a932918](a932918))
* **docs:** replace install button anchor with VS Code protocol handler ([#111](#111)) ([41a265e](41a265e))
* **docs:** update install badges to use aka.ms redirect URLs ([#114](#114)) ([868f655](868f655))
* **linting:** use cross-platform path separators in gitignore pattern matching ([#121](#121)) ([3f0aa1b](3f0aa1b))
* **scripts:** accepts the token (YYYY-MM-dd) in frontmatter validation ([#133](#133)) ([2648215](2648215))
* **tools:** correct Method 5 path resolution in hve-core-installer ([#129](#129)) ([57ef20d](57ef20d))

### 📚 Documentation

* add comprehensive RPI workflow documentation ([#153](#153)) ([cbaa4a9](cbaa4a9))
* enhance README with contributing, responsible AI, and legal sections ([#52](#52)) ([a424adc](a424adc))

### ♻️ Refactoring

* **instructions:** consolidate and enhance AI artifact guidelines ([#206](#206)) ([54dd959](54dd959))
* migrate chatmodes to agents architecture ([#210](#210)) ([712b0b7](712b0b7))

### 🔧 Maintenance

* **build:** clean up workflow permissions for Scorecard compliance ([#183](#183)) ([64686e7](64686e7))
* **deps-dev:** bump cspell in the npm-dependencies group ([#61](#61)) ([38650eb](38650eb))
* **deps-dev:** bump glob from 10.4.5 to 10.5.0 ([#74](#74)) ([b3ca9fd](b3ca9fd))
* **deps-dev:** bump markdownlint-cli2 from 0.19.1 to 0.20.0 in the npm-dependencies group ([#134](#134)) ([ebfbe84](ebfbe84))
* **deps-dev:** bump the npm-dependencies group across 1 directory with 2 updates ([#109](#109)) ([936ab84](936ab84))
* **deps-dev:** bump the npm-dependencies group with 2 updates ([#30](#30)) ([cf99cbf](cf99cbf))
* **deps:** bump actions/upload-artifact from 5.0.0 to 6.0.0 in the github-actions group ([#142](#142)) ([91eac8a](91eac8a))
* **deps:** bump js-yaml, markdown-link-check and markdownlint-cli2 ([#75](#75)) ([af03d0e](af03d0e))
* **deps:** bump the github-actions group with 2 updates ([#108](#108)) ([3e56313](3e56313))
* **deps:** bump the github-actions group with 2 updates ([#135](#135)) ([4538a03](4538a03))
* **deps:** bump the github-actions group with 2 updates ([#62](#62)) ([d1e0c09](d1e0c09))
* **deps:** bump the github-actions group with 3 updates ([#87](#87)) ([ed550f4](ed550f4))
* **deps:** bump the github-actions group with 6 updates ([#162](#162)) ([ec5bb12](ec5bb12))
* **devcontainer:** enhance gitleaks installation with checksum verification ([#100](#100)) ([5a8507d](5a8507d))
* **devcontainer:** refactor setup scripts for improved dependency management ([#94](#94)) ([f5f50d1](f5f50d1)), closes [#98](#98)
* **security:** configure GitHub branch protection for OpenSSF compliance ([#191](#191)) ([90aab1a](90aab1a))

---

This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: hve-core-release-please[bot] <254602402+hve-core-release-please[bot]@users.noreply.github.com>
Implemented comprehensive GitHub native security tooling for automated security analysis and vulnerability detection across the repository.
Security coverage includes CodeQL analysis (200+ vulnerability patterns), GitHub Secret Scanning (automatic), Dependabot Alerts (automatic), and custom SHA pinning validation. All workflows use SHA-pinned actions and follow security best practices.
Resolves: #15
🔒 - Generated by Copilot