Implement comprehensive security measures including workflows for security scans, secret scanning, and vulnerability assessments; update configuration files to enhance security practices.

Author: Som3a99

.github/dependabot.yml

@@ -0,0 +1,44 @@
+version: 2
+
+registries: {}
+
+updates:
+  # NuGet packages for ERP.PL
+  - package-ecosystem: "nuget"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "06:00"
+      timezone: "UTC"
+    open-pull-requests-limit: 10
+    labels:
+      - "dependencies"
+      - "security"
+    commit-message:
+      prefix: "deps"
+      include: "scope"
+    # Group minor/patch updates together to reduce PR noise
+    groups:
+      dotnet-minor-patch:
+        update-types:
+          - "minor"
+          - "patch"
+    # Auto-merge patch-level security updates
+    reviewers:
+      - "Som3a99"
+
+  # GitHub Actions workflows
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "06:00"
+      timezone: "UTC"
+    open-pull-requests-limit: 5
+    labels:
+      - "dependencies"
+      - "ci"
+    commit-message:
+      prefix: "ci"

.github/workflows/codeql-analysis.yml

@@ -0,0 +1,49 @@
+name: "CodeQL Security Analysis"
+
+on:
+  push:
+    branches: [main, develop]
+  pull_request:
+    branches: [main, develop]
+  schedule:
+    # Run weekly on Monday at 4 AM UTC
+    - cron: "0 4 * * 1"
+
+permissions:
+  actions: read
+  contents: read
+  security-events: write
+
+jobs:
+  analyze:
+    name: Analyze C# Code
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: ["csharp"]
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Setup .NET
+        uses: actions/setup-dotnet@v4
+        with:
+          dotnet-version: 8.0.x
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: ${{ matrix.language }}
+          queries: security-extended,security-and-quality
+
+      - name: Build solution
+        run: dotnet build CompanyManagementSystem.sln --configuration Release --no-restore || dotnet build CompanyManagementSystem.sln --configuration Release
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: "/language:${{ matrix.language }}"

.github/workflows/gitleaks.yml

@@ -0,0 +1,36 @@
+name: Gitleaks Secret Scanning
+
+on:
+  push:
+    branches: [main, develop]
+  pull_request:
+    branches: [main, develop]
+  schedule:
+    # Weekly full scan on Monday at 3 AM UTC
+    - cron: "0 3 * * 1"
+
+permissions:
+  contents: read
+
+jobs:
+  gitleaks:
+    name: Scan for Secrets
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Run Gitleaks
+        uses: gitleaks/gitleaks-action@v2
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITLEAKS_CONFIG: .gitleaks.toml
+
+      - name: Upload Gitleaks SARIF report
+        if: always()
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: results.sarif
+        continue-on-error: true

.github/workflows/owasp-zap.yml

@@ -0,0 +1,84 @@
+name: OWASP ZAP Dynamic Security Scan
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  schedule:
+    # Weekly scan on Wednesday at 2 AM UTC
+    - cron: "0 2 * * 3"
+
+permissions:
+  contents: read
+  issues: write
+
+jobs:
+  zap-baseline:
+    name: ZAP Baseline Scan
+    runs-on: ubuntu-latest
+    services:
+      sqlserver:
+        image: mcr.microsoft.com/mssql/server:2022-latest
+        env:
+          ACCEPT_EULA: Y
+          SA_PASSWORD: TestP@ssw0rd123!
+        ports:
+          - 1433:1433
+        options: >-
+          --health-cmd "/opt/mssql-tools18/bin/sqlcmd -S localhost -U sa -P 'TestP@ssw0rd123!' -C -Q 'SELECT 1'"
+          --health-interval 10s
+          --health-timeout 5s
+          --health-retries 5
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Setup .NET
+        uses: actions/setup-dotnet@v4
+        with:
+          dotnet-version: 8.0.x
+
+      - name: Restore and build
+        run: |
+          dotnet restore CompanyManagementSystem.sln
+          dotnet build ERP.PL/ERP.PL.csproj --configuration Release --no-restore
+
+      - name: Start application
+        env:
+          ASPNETCORE_ENVIRONMENT: Testing
+          ASPNETCORE_URLS: http://localhost:5000
+          ConnectionStrings__DefaultConnection: "Server=localhost,1433;Database=ERPDB_ZAP;User Id=sa;Password=TestP@ssw0rd123!;TrustServerCertificate=True;"
+          Database__ApplyMigrationsOnStartup: "true"
+          Seed__Mode: "None"
+        run: |
+          dotnet run --project ERP.PL/ERP.PL.csproj --configuration Release --no-build &
+          echo "Waiting for application to start..."
+          for i in $(seq 1 30); do
+            if curl -s -o /dev/null -w "%{http_code}" http://localhost:5000/health | grep -q "200"; then
+              echo "Application is ready!"
+              break
+            fi
+            echo "Attempt $i: Waiting..."
+            sleep 5
+          done
+
+      - name: Run OWASP ZAP Baseline Scan
+        uses: zaproxy/action-baseline@v0.14.0
+        with:
+          target: "http://localhost:5000"
+          rules_file_name: ".zap/rules.tsv"
+          cmd_options: "-a -j"
+          allow_issue_writing: true
+          fail_action: true
+          artifact_name: "zap-report"
+
+      - name: Upload ZAP Report
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: zap-security-report
+          path: |
+            report_html.html
+            report_json.json

.github/workflows/security-gate.yml

@@ -0,0 +1,117 @@
+name: Security Gate
+
+# This workflow acts as a required check that aggregates all security scan results.
+# Configure this as a required status check for branch protection.
+
+on:
+  push:
+    branches: [main, develop]
+  pull_request:
+    branches: [main, develop]
+
+permissions:
+  contents: read
+  security-events: write
+
+jobs:
+  security-lint:
+    name: Security Lint & Configuration Check
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Check for hardcoded secrets in config files
+        run: |
+          echo "=== Scanning for potential hardcoded secrets ==="
+          FOUND=0
+
+          # Check appsettings files for non-empty passwords/keys
+          for file in $(find . -name "appsettings*.json" -not -path "*/bin/*" -not -path "*/obj/*"); do
+            echo "Checking $file..."
+
+            # Check for non-empty password fields
+            if grep -Pi '"(password|secret|apikey|api_key|token)":\s*"[^"]{8,}"' "$file"; then
+              echo "::error file=$file::Potential hardcoded secret found in $file"
+              FOUND=1
+            fi
+
+            # Check for connection strings with inline passwords
+            if grep -Pi 'Password=[^;]{6,}' "$file"; then
+              echo "::error file=$file::Potential hardcoded database password in $file"
+              FOUND=1
+            fi
+          done
+
+          if [ $FOUND -eq 1 ]; then
+            echo ""
+            echo "::error::Hardcoded secrets detected! Move secrets to environment variables or user-secrets."
+            exit 1
+          else
+            echo "No hardcoded secrets found."
+          fi
+
+      - name: Check .gitignore completeness
+        run: |
+          echo "=== Checking .gitignore ==="
+          MISSING=0
+
+          REQUIRED_PATTERNS=(
+            "appsettings.Production.json"
+            "*.pfx"
+            "*.key"
+            ".env"
+          )
+
+          for pattern in "${REQUIRED_PATTERNS[@]}"; do
+            if ! grep -qF "$pattern" .gitignore; then
+              echo "::warning::Missing .gitignore entry: $pattern"
+              MISSING=1
+            fi
+          done
+
+          # Check for dangerous negation rules that expose secret files
+          if grep -q '!.*appsettings.*\.json' .gitignore; then
+            echo "::error::Dangerous .gitignore negation rule found that may expose config files with secrets"
+            exit 1
+          fi
+
+          if [ $MISSING -eq 1 ]; then
+            echo "::warning::Some recommended .gitignore patterns are missing"
+          else
+            echo ".gitignore looks good."
+          fi
+
+      - name: Verify SECURITY.md exists
+        run: |
+          if [ ! -f "SECURITY.md" ]; then
+            echo "::warning::SECURITY.md not found. Consider adding a security policy."
+          else
+            echo "SECURITY.md found."
+          fi
+
+  build-and-test:
+    name: Build Verification
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup .NET
+        uses: actions/setup-dotnet@v4
+        with:
+          dotnet-version: 8.0.x
+
+      - name: Restore
+        run: dotnet restore CompanyManagementSystem.sln
+
+      - name: Build
+        run: dotnet build CompanyManagementSystem.sln --configuration Release --no-restore
+
+      - name: Run tests
+        run: |
+          dotnet test Tests/Tests.csproj \
+            --configuration Release \
+            --no-build \
+            --verbosity normal \
+            --logger "trx;LogFileName=test-results.trx"

.github/workflows/security-scans.yml

@@ -1,10 +1,15 @@
 name: Security Scans
 
 on:
+  push:
+    branches: [main, develop]
   pull_request:
   schedule:
     - cron: "0 3 * * 1"
 
+permissions:
+  contents: read
+
 jobs:
   dependency-review:
     if: github.event_name == 'pull_request'
@@ -14,6 +19,8 @@ jobs:
         uses: actions/checkout@v4
       - name: Dependency Review
         uses: actions/dependency-review-action@v4
+        with:
+          fail-on-severity: moderate
 
   dotnet-vulnerability-scan:
     runs-on: ubuntu-latest
@@ -30,4 +37,23 @@ jobs:
         run: dotnet restore CompanyManagementSystem.sln
 
       - name: Scan NuGet vulnerabilities
-        run: dotnet list CompanyManagementSystem.sln package --vulnerable --include-transitive
+        run: |
+          dotnet list CompanyManagementSystem.sln package --vulnerable --include-transitive 2>&1 | tee vuln-report.txt
+          if grep -q "has the following vulnerable packages" vuln-report.txt; then
+            echo "::error::Vulnerable packages detected!"
+            exit 1
+          fi
+
+  dotnet-build-warnings:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup .NET
+        uses: actions/setup-dotnet@v4
+        with:
+          dotnet-version: 8.0.x
+
+      - name: Build with security analyzers
+        run: dotnet build CompanyManagementSystem.sln --configuration Release /p:TreatWarningsAsErrors=false