Implement DevSecOps through GitHub's Dependabot and CodeQL

.github/dependabot.yml

@@ -0,0 +1,15 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    # default location of `.github/workflows`
+    directory: "/"
+    schedule:
+      interval: "weekly"
+
+  - package-ecosystem: "nuget"
+    # location of package manifests
+    directory: "/"
+    schedule:
+      interval: "daily"
+
+# Built with ❤ by [Pipeline Foundation](https://pipeline.foundation)

.github/workflows/codeql-analysis.yml

@@ -0,0 +1,54 @@
+name: CodeQL Analysis
+
+on:
+  push:
+  pull_request:
+  workflow_dispatch:
+  schedule:
+    - cron: '0 8 * * *'
+
+jobs:
+  analyze:
+    name: codeql-analysis
+    runs-on: windows-latest
+    steps:
+      - name: Setup .NET
+        id: setup_dotnet
+        uses: actions/setup-dotnet@v1
+        with:
+          dotnet-version: 5.0.x
+
+      - name: Checkout repository
+        id: checkout_repo
+        uses: actions/checkout@v2
+
+      - name: Clean .NET cache
+        id: clean_dotnet_cache
+        shell: pwsh
+        run: |
+          dotnet clean ./ModernWpf.sln --configuration Release 
+          dotnet nuget locals all --clear
+
+      - name: Install dependencies
+        id: dotnet_restore
+        shell: pwsh
+        run: |
+          dotnet restore
+
+      - name: Initialize CodeQL
+        id: init_codeql
+        uses: github/codeql-action/init@v1
+        with:
+          queries: security-and-quality
+
+      - name: Build
+        id: dotnet_build
+        shell: pwsh
+        run: |
+          dotnet build --configuration Release --no-restore
+
+      - name: Perform CodeQL Analysis
+        id: analyze_codeql
+        uses: github/codeql-action/analyze@v1
+
+# Built with ❤ by [Pipeline Foundation](https://pipeline.foundation)

CI-CD_DOCUMENTATION.md

@@ -0,0 +1,67 @@
+# ModernWpf CI/CD documentation
+
+## 1. Set up Dependabot
+
+Dependabot is a GitHub native security tool that goes through the dependencies in the project and creates alerts, and PRs with updates when a new and/or non-vulnerable version is found.
+
+- for PRs with version updates, this pipeline comes pre-configured for all current dependency sources in the project, so at "Insights" tab -> "Dependency graph" -> "Dependabot", you should be able to see all tracked sources of dependencies, when they have been checked last and view a full log of the last check
+
+![Dependabot_tab](/CI-CD_DOCUMENTATION/Dependabot_tab.png)
+
+![Dependabot_log_page](/CI-CD_DOCUMENTATION/Dependabot_log_page.png)
+
+### Set up security alerts and updates
+##### - GitHub, through Dependabot, also natively offers a security check for vulnerable dependencies
+
+1. Go to the project's GitHub repository and click on the **Settings** tab
+
+2. Go to **Security & analysis** section
+
+3. Click "Enable" for both "Dependabot alerts" and "Dependabot security updates"
+
+- By enabling "Dependabot alerts", you would be notified for any vulnerable dependencies in the project. At "Security" tab -> "Dependabot alerts", you can manage all alerts. By clicking on an alert, you would be able to see a detailed explanation of the vulnerability and a viable solution.
+
+![Dependabot_alerts_page](/CI-CD_DOCUMENTATION/Dependabot_alerts_page.png)
+
+![Dependabot_alert_page](/CI-CD_DOCUMENTATION/Dependabot_alert_page.png)
+
+- By enabling "Dependabot security updates", you authorize Dependabot to create PRs specifically for **security updates**
+
+![Dependabot_PRs](/CI-CD_DOCUMENTATION/Dependabot_PRs.png)
+
+### Set up Dependency graph
+##### - The "Dependency graph" option should be enabled by default for all public repos, but in case it isn't:
+
+1. Go to the project's GitHub repository and click on the **Settings** tab
+
+2. Go to **Security & analysis** section
+
+3. Click "Enable" for the "Dependency graph" option
+
+- this option enables the "Insights" tab -> "Dependency graph" section -> "Dependencies" tab, in which all the dependencies for the project are listed, under the different manifests they are included in
+
+![Dependabot_dependency_graph](/CI-CD_DOCUMENTATION/Dependabot_dependency_graph.png)
+
+NOTE: **screenshots are only exemplary**
+
+<br>
+
+## 2. CodeQL
+
+CodeQL is GitHub's own industry-leading semantic code analysis engine. CodeQL requires no setup, because it comes fully pre-configured by us. 
+
+To activate it and see its results, only a push commit or a merge of a PR to the default branch of your repository, is required. 
+
+We've also configured CodeQL to run on schedule, so every day at 8:00AM UTC, it automatically tests the code.
+
+- you can see the results here at **Security** tab -> **Code scanning alerts** -> **CodeQL**:
+
+![CodeQL_results](/CI-CD_DOCUMENTATION/CodeQL_results.png)
+
+- on the page of each result, you can see an explanation of what the problem is and also one or more solutions:
+
+![CodeQL_alert_page](/CI-CD_DOCUMENTATION/CodeQL_alert_page.png)
+
+#
+
+Built with ❤ by [Pipeline Foundation](https://pipeline.foundation)