Enhance CI workflows and security scans; update dependencies and configurations for improved performance and security practices (#7)

Author: Som3a99

.github/workflows/ci-tests-coverage.yml

@@ -4,32 +4,52 @@ on:
   push:
     branches: ["**"]
   pull_request:
+  workflow_dispatch:
+
+permissions:
+  contents: read
 
 jobs:
   test:
+    name: Build & Test
     runs-on: ubuntu-latest
+    timeout-minutes: 20
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Setup .NET
-        uses: actions/setup-dotnet@v4
+        uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
         with:
           dotnet-version: 8.0.x
 
+      - name: Cache NuGet packages
+        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
+        with:
+          path: ~/.nuget/packages
+          key: ${{ runner.os }}-nuget-${{ hashFiles('**/*.csproj') }}
+          restore-keys: ${{ runner.os }}-nuget-
+
       - name: Restore
         run: dotnet restore CompanyManagementSystem.sln
 
+      - name: Build
+        run: dotnet build CompanyManagementSystem.sln --configuration Release --no-restore
+
       - name: Test with coverage
         run: |
           dotnet test Tests/Tests.csproj \
             --configuration Release \
+            --no-build \
+            --verbosity normal \
             --collect:"XPlat Code Coverage" \
-            --results-directory TestResults
+            --results-directory TestResults \
+            --logger "trx;LogFileName=test-results.trx"
 
-      - name: Upload coverage artifacts
-        uses: actions/upload-artifact@v4
+      - name: Upload test results and coverage
+        if: always()
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: test-results-and-coverage
-          path: TestResults
+          path: TestResults

.github/workflows/codeql-analysis.yml

@@ -27,15 +27,22 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Setup .NET
-        uses: actions/setup-dotnet@v4
+        uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
         with:
           dotnet-version: 8.0.x
 
+      - name: Cache NuGet packages
+        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
+        with:
+          path: ~/.nuget/packages
+          key: ${{ runner.os }}-nuget-${{ hashFiles('**/*.csproj') }}
+          restore-keys: ${{ runner.os }}-nuget-
+
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v3
+        uses: github/codeql-action/init@820e3160e279568db735cee8ed8f8e77a6da7818 # v3.32.6
         with:
           languages: ${{ matrix.language }}
           queries: security-extended,security-and-quality
@@ -44,6 +51,6 @@ jobs:
         run: dotnet build CompanyManagementSystem.sln --configuration Release --no-restore || dotnet build CompanyManagementSystem.sln --configuration Release
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v3
+        uses: github/codeql-action/analyze@820e3160e279568db735cee8ed8f8e77a6da7818 # v3.32.6
         with:
           category: "/language:${{ matrix.language }}"

.github/workflows/gitleaks.yml

@@ -18,12 +18,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
 
       - name: Run Gitleaks
-        uses: gitleaks/gitleaks-action@v2
+        uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2.3.9
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           GITLEAKS_CONFIG: .gitleaks.toml

.github/workflows/owasp-zap.yml

@@ -6,8 +6,8 @@ on:
   pull_request:
     branches: [main]
   schedule:
-    # Weekly scan on Wednesday at 2 AM UTC
     - cron: "0 2 * * 3"
+  workflow_dispatch:
 
 permissions:
   contents: read
@@ -17,68 +17,133 @@ jobs:
   zap-baseline:
     name: ZAP Baseline Scan
     runs-on: ubuntu-latest
+    timeout-minutes: 30
     services:
       sqlserver:
         image: mcr.microsoft.com/mssql/server:2022-latest
         env:
           ACCEPT_EULA: Y
-          SA_PASSWORD: TestP@ssw0rd123!
+          MSSQL_SA_PASSWORD: TestP@ssw0rd123!
         ports:
           - 1433:1433
         options: >-
-          --health-cmd "/opt/mssql-tools18/bin/sqlcmd -S localhost -U sa -P 'TestP@ssw0rd123!' -C -Q 'SELECT 1'"
-          --health-interval 10s
-          --health-timeout 5s
-          --health-retries 5
+          --health-cmd "(/opt/mssql-tools18/bin/sqlcmd -S localhost -U sa -P 'TestP@ssw0rd123!' -C -Q 'SELECT 1' -b 2>/dev/null || /opt/mssql-tools/bin/sqlcmd -S localhost -U sa -P 'TestP@ssw0rd123!' -Q 'SELECT 1' -b 2>/dev/null) && exit 0 || exit 1"
+          --health-interval 15s
+          --health-timeout 10s
+          --health-retries 10
+          --health-start-period 40s
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Setup .NET
-        uses: actions/setup-dotnet@v4
+        uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
         with:
           dotnet-version: 8.0.x
 
+      - name: Cache NuGet packages
+        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
+        with:
+          path: ~/.nuget/packages
+          key: ${{ runner.os }}-nuget-${{ hashFiles('**/*.csproj') }}
+          restore-keys: ${{ runner.os }}-nuget-
+
       - name: Restore and build
         run: |
           dotnet restore CompanyManagementSystem.sln
-          dotnet build ERP.PL/ERP.PL.csproj --configuration Release --no-restore
+          dotnet publish ERP.PL/ERP.PL.csproj --configuration Release --no-restore --output ./publish
+
+      - name: Wait for SQL Server to be ready
+        run: |
+          echo "Waiting for SQL Server to accept connections..."
+          for i in $(seq 1 30); do
+            if nc -z localhost 1433 2>/dev/null; then
+              echo "SQL Server is accepting connections!"
+              break
+            fi
+            echo "Attempt $i: SQL Server not ready yet..."
+            sleep 3
+          done
 
       - name: Start application
         env:
           ASPNETCORE_ENVIRONMENT: Testing
-          ASPNETCORE_URLS: http://localhost:5000
+          ASPNETCORE_URLS: "http://0.0.0.0:5000"
           ConnectionStrings__DefaultConnection: "Server=localhost,1433;Database=ERPDB_ZAP;User Id=sa;Password=TestP@ssw0rd123!;TrustServerCertificate=True;"
           Database__ApplyMigrationsOnStartup: "true"
           Seed__Mode: "None"
+          Logging__LogLevel__Default: "Warning"
         run: |
-          dotnet run --project ERP.PL/ERP.PL.csproj --configuration Release --no-build &
-          echo "Waiting for application to start..."
-          for i in $(seq 1 30); do
-            if curl -s -o /dev/null -w "%{http_code}" http://localhost:5000/health | grep -q "200"; then
-              echo "Application is ready!"
+          cd publish
+          dotnet ERP.PL.dll > ../app.log 2>&1 &
+          APP_PID=$!
+          echo "APP_PID=$APP_PID" >> $GITHUB_ENV
+          echo "Application started with PID $APP_PID"
+          cd ..
+
+          echo "Waiting for application to become healthy..."
+          READY=false
+          for i in $(seq 1 60); do
+            if curl -sf -o /dev/null -m 5 http://localhost:5000/health 2>/dev/null; then
+              echo "Application is healthy and ready! (attempt $i)"
+              READY=true
               break
             fi
-            echo "Attempt $i: Waiting..."
+
+            # Check if process is still running
+            if ! kill -0 $APP_PID 2>/dev/null; then
+              echo "::error::Application process exited unexpectedly!"
+              echo "=== Application Logs ==="
+              cat app.log || true
+              exit 1
+            fi
+
+            echo "Attempt $i/60: Waiting for health check..."
             sleep 5
           done
 
+          if [ "$READY" != "true" ]; then
+            echo "::error::Application did not become healthy within 5 minutes"
+            echo "=== Application Logs ==="
+            tail -100 app.log || true
+            kill $APP_PID 2>/dev/null || true
+            exit 1
+          fi
+
       - name: Run OWASP ZAP Baseline Scan
-        uses: zaproxy/action-baseline@v0.14.0
+        uses: zaproxy/action-baseline@7c4deb10e6261301961c86d65d54a516394f9aed # v0.14.0
         with:
           target: "http://localhost:5000"
           rules_file_name: ".zap/rules.tsv"
           cmd_options: "-a -j"
-          allow_issue_writing: true
-          fail_action: true
+          allow_issue_writing: false
+          fail_action: false
           artifact_name: "zap-report"
 
+      - name: Stop application
+        if: always()
+        run: |
+          if [ -n "$APP_PID" ]; then
+            echo "Stopping application (PID: $APP_PID)..."
+            kill $APP_PID 2>/dev/null || true
+            wait $APP_PID 2>/dev/null || true
+          fi
+
+      - name: Upload application logs
+        if: always()
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: app-logs
+          path: app.log
+          if-no-files-found: ignore
+
       - name: Upload ZAP Report
         if: always()
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: zap-security-report
           path: |
             report_html.html
             report_json.json
+          if-no-files-found: ignore

.github/workflows/security-gate.yml

@@ -8,6 +8,7 @@ on:
     branches: [main, develop]
   pull_request:
     branches: [main, develop]
+  workflow_dispatch:
 
 permissions:
   contents: read
@@ -19,7 +20,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Check for hardcoded secrets in config files
         run: |
@@ -93,15 +94,23 @@ jobs:
   build-and-test:
     name: Build Verification
     runs-on: ubuntu-latest
+    timeout-minutes: 20
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Setup .NET
-        uses: actions/setup-dotnet@v4
+        uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
         with:
           dotnet-version: 8.0.x
 
+      - name: Cache NuGet packages
+        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
+        with:
+          path: ~/.nuget/packages
+          key: ${{ runner.os }}-nuget-${{ hashFiles('**/*.csproj') }}
+          restore-keys: ${{ runner.os }}-nuget-
+
       - name: Restore
         run: dotnet restore CompanyManagementSystem.sln