eclipse-tractusx
diff --git a/‎.github/dependabot.yml‎
Lines changed: 40 additions & 0 deletions b/‎.github/dependabot.yml‎
Lines changed: 40 additions & 0 deletions
diff --git a/‎.github/workflows/codeql.yml‎
Lines changed: 12 additions & 19 deletions b/‎.github/workflows/codeql.yml‎
Lines changed: 12 additions & 19 deletions
diff --git a/‎.github/workflows/dependencies-frontend.yaml‎
Lines changed: 88 additions & 0 deletions b/‎.github/workflows/dependencies-frontend.yaml‎
Lines changed: 88 additions & 0 deletions
diff --git a/‎.github/workflows/kics.yaml‎
Lines changed: 66 additions & 0 deletions b/‎.github/workflows/kics.yaml‎
Lines changed: 66 additions & 0 deletions
diff --git a/‎.github/workflows/trivy.yml‎
Lines changed: 69 additions & 0 deletions b/‎.github/workflows/trivy.yml‎
Lines changed: 69 additions & 0 deletions
@@ -0,0 +1,40 @@
+###############################################################
+# Copyright (c) 2025 Contributors to the Eclipse Foundation
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Apache License, Version 2.0 which is available at
+# https://www.apache.org/licenses/LICENSE-2.0.
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+###############################################################
+
+version: 2
+registries:
+  github-central-pipelines:
+    type: git
+    url: https://github.com
+    username: x-access-token
+    password: ${{ secrets.CENTRAL_PIPELINES_READ_ONLY_GH_TOKEN }}
+
+updates:
+  # Github Actions
+  -
+    package-ecosystem: "github-actions"
+    directory: /
+    labels:
+      - "dependabot"
+      - "github-actions"
+    schedule:
+      interval: "weekly"
+    groups:
+      dependencies:
+        dependency-type: "production"
@@ -22,13 +22,21 @@ name: "CodeQL"
 on:
   push:
     branches: ["main"]
+    paths:
+      - "ichub-backend/**/*.py"
+      - "ichub-frontend/**/*.py"
     paths-ignore:
+      - "**/*.yml"
+      - "**/*.yaml"
       - "**/*.md"
       - "**/*.txt"
   pull_request:
-    # The branches below must be a subset of the branches above
-    branches: ["main"]
+    paths:
+      - "ichub-backend/**/*.py"
+      - "ichub-frontend/**/*.py"
     paths-ignore:
+      - "**/*.yml"
+      - "**/*.yaml"
       - "**/*.md"
       - "**/*.txt"
   schedule:
@@ -45,15 +53,6 @@ jobs:
       contents: read
       security-events: write
 
-    strategy:
-      fail-fast: false
-      matrix:
-        language: ["python"] # Define languages here
-        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby', 'swift' ]
-        # Use only 'java' to analyze code written in Java, Kotlin or both
-        # Use only 'javascript' to analyze code written in JavaScript, TypeScript or both
-        # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
-
     steps:
       - name: Checkout repository
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -62,7 +61,7 @@ jobs:
       - name: Initialize CodeQL
         uses: github/codeql-action/init@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
         with:
-          languages: ${{ matrix.language }}
+          languages: python
           # If you wish to specify custom queries, you can do so here or in a config file
           # By default, queries listed here will override any specified in a config file
           # Prefix the list here with "+" to use these queries and those in the config file
@@ -71,12 +70,6 @@ jobs:
           # Use +security-extended,security-and-quality for wider security and better code quality
           queries: +security-extended,security-and-quality
 
-      # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift)
-      # Automates dependency installation for Python, Ruby, and JavaScript, optimizing the CodeQL analysis setup
-      # If this step fails, then you should remove it and run the build manually (see below)
-      - name: Autobuild
-        uses: github/codeql-action/autobuild@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
-
       # ℹ️ Command-line programs to run using the OS shell.
       # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
 
@@ -89,5 +82,5 @@ jobs:
       - name: Perform CodeQL Analysis
         uses: github/codeql-action/analyze@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
         with:
-          category: "/language:${{matrix.language}}"
+          category: "/language:python"
           fail-on: error
@@ -0,0 +1,88 @@
+###############################################################
+# Copyright (c) 2025 Contributors to the Eclipse Foundation
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Apache License, Version 2.0 which is available at
+# https://www.apache.org/licenses/LICENSE-2.0.
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+###############################################################
+
+name: Check Frontend Dependencies
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - ichub-frontend/package-lock.json
+      - DEPENDENCIES_ICHUB-FRONTEND
+      - .github/workflows/dependencies-frontend.yaml
+  pull_request:
+    types: [opened, synchronize, reopened]
+    paths:
+      - ichub-frontend/package-lock.json
+      - DEPENDENCIES_ICHUB-FRONTEND
+      - .github/workflows/dependencies-frontend.yaml
+  workflow_dispatch:
+
+jobs:
+  check-dependencies:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Set up JDK 17
+        uses: actions/setup-java@7a6d8a8234af8eb26422e24e3006232cccaa061b # v4.6.0
+        with:
+          distribution: 'temurin'
+          java-version: '17'
+
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Generate Dependencies file
+        run: |
+          curl -L --output ./dash.jar 'https://repo.eclipse.org/service/local/artifact/maven/redirect?r=dash-licenses&g=org.eclipse.dash&a=org.eclipse.dash.licenses&v=LATEST'
+
+          java -jar ./dash.jar ichub-frontend/package-lock.json -project automotive.tractusx -summary DEPENDENCIES_ICHUB-FRONTEND || true
+
+      - name: Check if dependencies were changed
+        id: dependencies-changed
+        run: |
+          changed=$(git diff DEPENDENCIES_ICHUB-FRONTEND)
+          if [[ -n "$changed" ]]; then
+            echo "dependencies changed"
+            echo "changed=true" >> $GITHUB_OUTPUT
+          else
+            echo "dependencies not changed"
+            echo "changed=false" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Check for restricted dependencies
+        run: |
+          restricted=$(grep ' restricted,' DEPENDENCIES_ICHUB-FRONTEND || true)
+          if [[ -n "$restricted" ]]; then
+            echo "The following dependencies are restricted: $restricted"
+            exit 1
+          fi
+        if: steps.dependencies-changed.outputs.changed == 'true'
+
+      - name: Upload DEPENDENCIES_ICHUB-FRONTEND file
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        with:
+          path: DEPENDENCIES_ICHUB-FRONTEND
+        if: steps.dependencies-changed.outputs.changed == 'true'
+
+      - name: Signal need to update DEPENDENCIES_ICHUB
+        run: |
+          echo "Dependencies need to be updated (updated DEPENDENCIES_ICHUB file has been uploaded to workflow run)"
+          exit 1
+        if: steps.dependencies-changed.outputs.changed == 'true'
@@ -0,0 +1,66 @@
+###############################################################
+# Copyright (c) 2025 Contributors to the Eclipse Foundation
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Apache License, Version 2.0 which is available at
+# https://www.apache.org/licenses/LICENSE-2.0.
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+###############################################################
+
+name: KICS
+
+on:
+  push:
+    branches: ["main"]
+    paths-ignore:
+      - "**/*.md"
+      - "**/*.txt"
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: ["main"]
+    paths-ignore:
+      - "**/*.md"
+      - "**/*.txt"
+  schedule:
+    - cron: "0 0 * * 0"
+  workflow_dispatch:
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Run KICS Scan with SARIF result
+        uses: checkmarx/kics-github-action@3246fb456a46d1ea8848ae18793c036718b19fe0 # v2.1.5
+        with:
+          path: "." # Scanning directory .
+          output_path: kicsResults/ # Output path for SARIF results
+          output_formats: "json,sarif" # Output format
+          # ignore_on_exit: results # Ignore the results and return exit status code 0 unless a KICS engine error happens
+          fail_on: high # If you want your pipeline to fail only on high severity results and KICS engine execution errors
+          # exclude_paths: "terraform/gcp/big_data.tf,terraform/azure" # Exclude paths or files from scan
+          # exclude_queries: 0437633b-daa6-4bbc-8526-c0d2443b946e # Exclude accepted queries from the build
+          disable_secrets: true # No secret scanning
+
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
+        with:
+          sarif_file: kicsResults/results.sarif
@@ -0,0 +1,69 @@
+###############################################################
+# Copyright (c) 2025 Contributors to the Eclipse Foundation
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Apache License, Version 2.0 which is available at
+# https://www.apache.org/licenses/LICENSE-2.0.
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+###############################################################
+
+name: "Trivy"
+
+on:
+  push:
+    branches: [main]
+  schedule:
+    - cron: "0 0 * * 0"
+  workflow_dispatch:
+
+env:
+  IMAGE_NAMESPACE: 'tractusx'
+  ICHUB_BACKEND_IMAGE_NAME: "ichub-backend"
+  DATASPACE_SDK_IMAGE_NAME: "dataspace-sdk"
+  INDUSTRY_SDK_IMAGE_NAME: "industry-sdk"
+
+jobs:
+  analyze-ichub-backend:
+    name: Analyze ICHub Backend
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Build ichub-backend Docker image
+        id: build-docker-ichub-backend
+        run: |
+            cd ichub-backend
+            docker build -t ${{ env.IMAGE_NAMESPACE }}/${{ env.ICHUB_BACKEND_IMAGE_NAME }}:latest .
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # 0.29.0
+        with:
+          image-ref: "${{ env.IMAGE_NAMESPACE }}/${{ env.ICHUB_BACKEND_IMAGE_NAME }}:latest" # Pull image from Docker Hub and run Trivy vulnerability scanner
+          format: "sarif"
+          output: "trivy-results-ichub-backend.sarif"
+          severity: "CRITICAL,HIGH" # While vulnerabilities of all severities are reported in the SARIF output, the exit code and workflow failure are triggered only by these specified severities (CRITICAL or HIGH).
+          hide-progress: false
+          exit-code: "1" # Trivy exits with code 1 if vulnerabilities are found, causing the workflow step to fail.
+          limit-severities-for-sarif: true
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
+        if: always()
+        with:
+          sarif_file: "trivy-results-ichub-backend.sarif"