From 48e4f6df87e5aaf67116492211c5a47bb7d3f35f Mon Sep 17 00:00:00 2001 From: Jakub Jarosz Date: Tue, 20 May 2025 11:45:12 +0100 Subject: [PATCH 1/3] add mend document Signed-off-by: Jakub Jarosz --- README.md | 62 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 62 insertions(+) diff --git a/README.md b/README.md index 422fc41..e2f567a 100644 --- a/README.md +++ b/README.md 
@@ -1,2 +1,64 @@ # Compliance-rules + Compliance repo with main rules for SCA and SAST scan + +This repository provides common GitHub workflows for Mend and CodeQL scans. + +## Configure Mand workflow in a GitHub repository + +- Create `mend.yml` workflow in your project repository + +```yaml +name: Mend + +on: + push: + branches: + - main + pull_request: + branches: + - main + workflow_dispatch: + inputs: + branch: + type: string + required: false + default: main + workflow_call: + inputs: + branch: + type: string + required: true + +permissions: + contents: read + +jobs: + mend: + uses: nginxinc/compliance-rules/.github/workflows/mend.yml@main + secrets: inherit + with: + product_name: ptd-demo2_${{ github.head_ref || github.ref_name }} + project_name: ptd-demo2 +``` + +- In the `mend` job reference the main mend workflow (in this repository) + +```yaml +uses: nginxinc/compliance-rules/.github/workflows/mend.yml@main +``` + +- Configure `product_name` and `project_name` variables. They represent github repository name. + +```yaml +product_name: _${{ github.head_ref || github.ref_name }} +project_name: +``` + +### Mend Workflow + +1. GitHub triggers the mend workflow defined in a project repository (for example `ProjectABC`) +1. Mend job references mend rules (main `mend.yml`) defined in the workflow in this repository. +1. Mend scans the `ProjectABC` code and generates vulenerability report. +1. Depends on the scan (vulnerability) rules defined in the main `mand.yml` the pipeline fails or passes the scan. +1. The GitHub repository (`ProjectA`) must be configured to reject PRs (prevent from merging with the `main` branch) if the mend pipeline fails. From 754fe23f22e3f24fed4f2b8511616d27f633d9e4 Mon Sep 17 00:00:00 2001 From: Jakub Jarosz Date: Tue, 20 May 2025 17:29:04 +0100 Subject: [PATCH 2/3] add codeql docs Signed-off-by: Jakub Jarosz --- README.md | 56 ++++++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 55 insertions(+), 1 deletion(-) 
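Review bot: In the first patch's hunk (@@ -1,2 +1,64 @@) the example job references the reusable workflow by a moving branch (`uses: nginxinc/compliance-rules/.github/workflows/mend.yml@main`) while also setting `secrets: inherit`, so every secret of the calling repository is handed to whatever that branch contains at run time; recommend referencing a release tag or, better, a full commit SHA, and passing only the secrets the Mend scan actually needs instead of inheriting all of them. The `workflow_dispatch` and `workflow_call` triggers both declare a `branch` input that the `mend` job never forwards in `with:`, so either drop the input or document what consumes it. The concrete values `ptd-demo2_${{ github.head_ref || github.ref_name }}` and `ptd-demo2` should be an obvious placeholder, since the text below says they stand for the repository name. Wording in the same hunk: "Configure Mand workflow" and "main `mand.yml`" should read Mend and `mend.yml`, "vulenerability" should be "vulnerability", "Depends on the scan (vulnerability) rules" should be "Depending on the scan (vulnerability) rules", and step 5 refers to `ProjectA` where the earlier steps use `ProjectABC`.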
diff --git a/README.md b/README.md index e2f567a..51c29ff 100644 --- a/README.md +++ b/README.md 
@@ -55,10 +55,64 @@ product_name: _${{ github.head_ref || github.ref_name }} project_name: ``` -### Mend Workflow +### Mend workflow 1. GitHub triggers the mend workflow defined in a project repository (for example `ProjectABC`) 1. Mend job references mend rules (main `mend.yml`) defined in the workflow in this repository. 1. Mend scans the `ProjectABC` code and generates vulenerability report. 1. Depends on the scan (vulnerability) rules defined in the main `mand.yml` the pipeline fails or passes the scan. 1. The GitHub repository (`ProjectA`) must be configured to reject PRs (prevent from merging with the `main` branch) if the mend pipeline fails. + +## Configure CodeQL workflow in a GitHub repository + +- Create `codeql.yml` workflow in your project repository + +```yaml +name: "CodeQL" + +on: + push: + branches: + - main + pull_request: + branches: + - main + workflow_dispatch: + inputs: + branch: + type: string + required: false + default: main + workflow_call: + inputs: + branch: + type: string + required: true + +concurrency: + group: ${{ github.ref_name }}-codeql + cancel-in-progress: true + +permissions: + contents: read + +jobs: + codeql: + uses: nginxinc/compliance-rules/.github/workflows/codeql.yml@main + with: + requested_languages: go +``` + +- In the `codeql` job reference the main `codeql` workflow (in this repository) + +```yaml +uses: nginxinc/compliance-rules/.github/workflows/codeql.yml@main +``` + +### CodeQL workflow + +1. GitHub triggers the CodeQL workflow defined in a project repository (for example `ProjectABC`) +1. CodeQL job references `codeql` rules (main `codeql.yml`) defined in the workflow in this repository. +1. CodeQL analyses the `ProjectABC` code. +1. Depends on the results the pipeline fails or passes. +1. The GitHub repository (`ProjectA`) must be configured to reject PRs (prevent from merging with the `main` branch) if the codeql detects issues and the pipeline fails. 
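Review bot: In the hunk @@ -55,10 +55,64 @@ the caller grants only `permissions: contents: read`; a called reusable workflow cannot elevate the token it receives, so if `codeql.yml` in this repository uploads results to code scanning it will also need `security-events: write` (and any other permission the called workflow uses) granted here, otherwise the upload step fails. The same floating `@main` reference and the same unused `branch` input from the Mend example are repeated here and should be fixed the same way (tag or full commit SHA; drop or forward the input). The `concurrency` block with `cancel-in-progress: true` is a good addition; consider giving the Mend example the equivalent so the two workflows behave consistently on rapid pushes. Wording: "Depends on the results the pipeline fails or passes" should be "Depending on the results the pipeline fails or passes", "if the codeql detects issues" should be "if CodeQL detects issues", and step 5 again says `ProjectA` while the earlier steps say `ProjectABC`.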
From 26fdad43d6dbe60a5233d0ce73d6db8c5b0aa28d Mon Sep 17 00:00:00 2001 From: Jakub Jarosz Date: Wed, 21 May 2025 17:13:52 +0100 Subject: [PATCH 3/3] update references to product, project and tags Signed-off-by: Jakub Jarosz --- README.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index 51c29ff..4ad909d 100644 --- a/README.md +++ b/README.md @@ -35,24 +35,24 @@ permissions: jobs: mend: - uses: nginxinc/compliance-rules/.github/workflows/mend.yml@main + uses: nginxinc/compliance-rules/.github/workflows/mend.yml@ secrets: inherit with: - product_name: ptd-demo2_${{ github.head_ref || github.ref_name }} - project_name: ptd-demo2 + product_name: _${{ github.head_ref || github.ref_name }} + project_name: ``` - In the `mend` job reference the main mend workflow (in this repository) ```yaml -uses: nginxinc/compliance-rules/.github/workflows/mend.yml@main +uses: nginxinc/compliance-rules/.github/workflows/mend.yml@ ``` -- Configure `product_name` and `project_name` variables. They represent github repository name. +- Configure `product_name` and `project_name` variables. They represent caller github repository `product` and `project` name. ```yaml -product_name: _${{ github.head_ref || github.ref_name }} -project_name: +product_name: _${{ github.head_ref || github.ref_name }} +project_name: ``` ### Mend workflow @@ -98,7 +98,7 @@ permissions: jobs: codeql: - uses: nginxinc/compliance-rules/.github/workflows/codeql.yml@main + uses: nginxinc/compliance-rules/.github/workflows/codeql.yml@ with: requested_languages: go ``` @@ -106,7 +106,7 @@ jobs: - In the `codeql` job reference the main `codeql` workflow (in this repository) ```yaml -uses: nginxinc/compliance-rules/.github/workflows/codeql.yml@main +uses: nginxinc/compliance-rules/.github/workflows/codeql.yml@ ``` ### CodeQL workflow
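Review bot: In the hunk @@ -35,24 +35,24 @@ the new `uses:` value ends in a bare `@`, `project_name:` is left empty and `product_name:` is reduced to `_${{ github.head_ref || github.ref_name }}`, so as rendered the README now shows an invalid workflow reference and blank placeholders; write the placeholders as visible tokens (for example `<tag>`, `<product>` and `<project>`, names suggested here, not taken from the repo) so the reader knows what to fill in. Since this commit moves from `@main` to a tag, the text should also say that a full commit SHA is the stronger pin: a tag can be moved to different content, and this job runs with `secrets: inherit`.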
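Review bot: Same problem in the hunk @@ -98,7 +98,7 @@: `uses: nginxinc/compliance-rules/.github/workflows/codeql.yml@` has nothing after the `@`, which is not a valid reference; use a visible placeholder for the tag and mention that a commit SHA is preferred over a mutable tag.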
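Review bot: The hunk @@ -106,7 +106,7 @@ repeats the bare `@` in the standalone `uses:` snippet under "In the `codeql` job reference the main `codeql` workflow"; it should carry the same placeholder or pinned reference as the job definition above it so the two examples do not diverge.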