Update workflow actions to latest versions for improved security and …

[CalinL]

This pull request updates and standardizes the versions of GitHub Actions used across all workflow files, primarily by switching to commit-pinned references for better security and reliability. It also introduces a new workflow for ESLint static analysis. The most important changes are grouped below:

Security and Dependency Scanning Actions:

• Updated all actions/checkout steps from version tags (e.g., @v5) to commit-pinned references for improved security and traceability across all workflows. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14]
• Updated all third-party scanning and artifact upload actions (e.g., docker/build-push-action, anchore/scan-action, aquasecurity/trivy-action, github/codeql-action/upload-sarif, actions/upload-artifact, etc.) to use commit-pinned references, ensuring consistent and secure builds. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16] [17] [18] [19] [20] [21] [22] [23]

Tool and Workflow Upgrades:

• Upgraded several scanning tools and actions to their latest versions, including docker/build-push-action, anchore/scan-action, aquasecurity/trivy-action, checkmarx/kics-github-action, zaproxy/action-full-scan, and ossf/scorecard-action, providing improved features and bug fixes. [1] [2] [3] [4] [5] [6]

Addition of New Static Analysis Workflow:

• Added a new workflow file .github/workflows/SAST-ESLint.yml to run ESLint static analysis on JavaScript/TypeScript code, generating SARIF results for GitHub Security tab integration.

SARIF Upload Standardization:

• Standardized the use of github/codeql-action/upload-sarif across workflows, updating to the latest commit-pinned version for consistency in uploading security scan results. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]

General Maintenance:

• Updated documentation and comments where necessary to reflect new action versions and improve workflow clarity.

These changes enhance the security, reliability, and maintainability of the CI/CD workflows by ensuring all actions are pinned to specific commits and by keeping scanning tools up to date.

[github-actions]

Dependency Review

The following issues were found:

• ✅ 0 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ⚠️ 1 package(s) with unknown licenses.

See the Details below.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA e8f4307.

Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

License Issues

.github/workflows/IACS-Checkmarx-kics.yml

Package	Version	License	Issue Type
checkmarx/kics-github-action	05aa5eb70eede1355220f4ca5238d96b397e30a6	Null	Unknown License

Allowed Licenses:

MIT, Apache-2.0, GPL-3.0

OpenSSF Scorecard

Package	Version	Score	Details
actions/actions/checkout	de0fac2e4500dabe0009e67214ff5f5447ce83dd	🟢 6	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained ⚠️ 2 3 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 2 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Packaging ⚠️ -1 packaging workflow not detected Signed-Releases ⚠️ -1 no releases found Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 Security-Policy 🟢 9 security policy file detected Branch-Protection 🟢 6 branch protection is not maximal on development and all release branches SAST 🟢 8 SAST tool detected but not run on all commits
actions/checkmarx/kics-github-action	05aa5eb70eede1355220f4ca5238d96b397e30a6	Unknown	Unknown
actions/github/codeql-action/upload-sarif	d4b3ca9fa7f69d38bfcd667bdc45bc373d16277e	Unknown	Unknown
actions/actions/checkout	de0fac2e4500dabe0009e67214ff5f5447ce83dd	🟢 6	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained ⚠️ 2 3 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 2 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Packaging ⚠️ -1 packaging workflow not detected Signed-Releases ⚠️ -1 no releases found Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 Security-Policy 🟢 9 security policy file detected Branch-Protection 🟢 6 branch protection is not maximal on development and all release branches SAST 🟢 8 SAST tool detected but not run on all commits
actions/github/codeql-action/upload-sarif	d4b3ca9fa7f69d38bfcd667bdc45bc373d16277e	Unknown	Unknown
actions/actions/checkout	de0fac2e4500dabe0009e67214ff5f5447ce83dd	🟢 6	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained ⚠️ 2 3 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 2 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Packaging ⚠️ -1 packaging workflow not detected Signed-Releases ⚠️ -1 no releases found Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 Security-Policy 🟢 9 security policy file detected Branch-Protection 🟢 6 branch protection is not maximal on development and all release branches SAST 🟢 8 SAST tool detected but not run on all commits
actions/actions/setup-dotnet	c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7	🟢 5.7	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 7 9 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 7 Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 9 security policy file detected Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches SAST 🟢 8 SAST tool is not run on all commits -- score normalized to 8
actions/actions/checkout	de0fac2e4500dabe0009e67214ff5f5447ce83dd	🟢 6	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained ⚠️ 2 3 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 2 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Packaging ⚠️ -1 packaging workflow not detected Signed-Releases ⚠️ -1 no releases found Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 Security-Policy 🟢 9 security policy file detected Branch-Protection 🟢 6 branch protection is not maximal on development and all release branches SAST 🟢 8 SAST tool detected but not run on all commits
actions/actions/setup-node	53b83947a5a98c8d113130e565377fae1a50d02f	🟢 6	Details Check Score Reason Maintained 🟢 9 11 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 9 Code-Review 🟢 10 all changesets reviewed Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Binary-Artifacts 🟢 9 binaries present in source code Packaging ⚠️ -1 packaging workflow not detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 9 security policy file detected Branch-Protection ⚠️ 1 branch protection is not maximal on development and all release branches SAST 🟢 9 SAST tool is not run on all commits -- score normalized to 9
actions/actions/upload-artifact	ea165f8d65b6e75b540449e92b4886f43607fa02	🟢 5.7	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Packaging ⚠️ -1 packaging workflow not detected Maintained 🟢 5 4 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 5 Binary-Artifacts 🟢 10 no binaries found in the repo Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies ⚠️ 1 dependency not pinned by hash detected -- score normalized to 1 Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 9 security policy file detected Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches SAST 🟢 10 SAST tool is run on all commits

Scanned Files

• .github/workflows/IACS-Checkmarx-kics.yml
• .github/workflows/SAST-Kubesec.yml
• .github/workflows/ci.yml
• .github/workflows/security-agent-workflow.yml