
Conversation


Copilot AI commented Nov 11, 2025

Purpose

Resolves the need for automated security scanning infrastructure. Currently no SCA or static analysis scans are present for the CDS repository.

Goals

Implement automated security scanning to:

  • Detect dependency vulnerabilities and license compliance issues
  • Identify security vulnerabilities and code quality issues in source code
  • Scan for secrets, misconfigurations, and filesystem vulnerabilities

Approach

Added three GitHub Actions workflows with scheduled and event-triggered execution:

  • FOSSA SCA Scan (.github/workflows/fossa-scan.yml)

    • Analyzes Go module dependencies for CVEs and license compliance
    • Requires FOSSA_API_KEY secret configuration
  • CodeQL Analysis (.github/workflows/codeql-analysis.yml)

    • Static analysis using security-extended and security-and-quality query suites
    • Results automatically uploaded to GitHub Security tab
  • Trivy Security Scan (.github/workflows/trivy-scan.yml)

    • Scans for vulnerabilities, secrets, and IaC misconfigurations
    • Filters CRITICAL/HIGH/MEDIUM severity, outputs SARIF to Security tab

All workflows trigger on push/PR to main/mvp branches and run weekly on Mondays (staggered at 00:00, 02:00, 04:00 UTC). Explicit permissions configured per security best practices.

User stories

  • As a developer, I need automated vulnerability detection in dependencies and code
  • As a security engineer, I need centralized security findings in GitHub Security tab
  • As a maintainer, I need weekly scans to catch newly disclosed vulnerabilities

Release note

Integrated FOSSA, CodeQL, and Trivy security scanning workflows with automated execution on code changes and weekly schedules.

Documentation

Added docs/SECURITY_SCANNING.md with setup instructions, scan interpretation guide, and troubleshooting steps. Updated README.md to reference security scanning documentation.

Training

N/A - Infrastructure change, no user-facing training impact

Certification

N/A - Internal security tooling, no certification impact

Marketing

N/A - Security infrastructure addition

Automation tests

  • Unit tests

    N/A - Workflow configuration files

  • Integration tests

    YAML syntax validation performed, CodeQL security check passed with 0 alerts

Security checks

Samples

N/A - Security scanning infrastructure

Related PRs

None

Migrations (if applicable)

N/A - New feature addition

Test environment

GitHub Actions runners (ubuntu-latest) with Go 1.24.0

Learning

Reviewed GitHub Advanced Security documentation, FOSSA/CodeQL/Trivy integration patterns, and SARIF output format specifications for Security tab integration.

Original prompt

This section details the original issue you should resolve

<issue_title>Integrate SCA and Static Scans for the CDS</issue_title>
<issue_description>### Current Limitation

Currently no SCA and static scans are present for the CDS

Suggested Improvement

Integrate SCA scans using JFrog/FOSSA and static scans

Version

No response</issue_description>

Comments on the Issue (you are @copilot in this section)


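The PR description above lists what each workflow does (triggers on push/PR to main and mvp, a staggered weekly cron, explicit least-privilege permissions, SARIF upload to the Security tab) without showing a workflow. The following is an added example of the Trivy workflow in that shape; it is not the PR's own `.github/workflows/trivy-scan.yml`. The job id, the SARIF output path, the `category` label and the action version tags are assumptions made for illustration; in practice pin the actions to full commit SHAs rather than tags.

```yaml
# Added example, not the PR's own workflow file: a Trivy filesystem scan for
# vulnerabilities, secrets and IaC misconfigurations whose SARIF results land
# in the GitHub Security tab. Job id, output path, category and action tags
# are assumed for illustration.
name: Trivy Security Scan

on:
  push:
    branches: [main, mvp]
  pull_request:
    branches: [main, mvp]
  schedule:
    # Weekly on Monday at 04:00 UTC; the PR staggers FOSSA, CodeQL and Trivy
    # at 00:00, 02:00 and 04:00 so they do not compete for runners.
    - cron: '0 4 * * 1'

# Least privilege: reading the checkout and writing code-scanning alerts is all
# the job needs. Without security-events: write the SARIF upload is rejected.
permissions:
  contents: read
  security-events: write

jobs:
  trivy-fs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Run Trivy (vuln, secret, misconfig scanners)
        uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: fs
          scan-ref: .
          scanners: vuln,secret,misconfig
          severity: CRITICAL,HIGH,MEDIUM
          ignore-unfixed: true
          format: sarif
          output: trivy-results.sarif
          # exit-code 0 keeps the step green so the upload below always runs;
          # enforce the policy on the resulting code-scanning alerts instead.
          exit-code: '0'

      - name: Upload SARIF to the Security tab
        # always() guards the upload if exit-code is later raised to 1.
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: trivy-results.sarif
          # Distinct category so these alerts are tracked separately from CodeQL.
          category: trivy-fs
```

Two caveats worth checking when reviewing workflows like the ones in this PR: on pull requests opened from forks the `GITHUB_TOKEN` is read-only, so the SARIF upload step fails there regardless of the `permissions` block; and with `exit-code: '0'` the scan never fails the build by itself, so the merge gate has to be the Security tab (code-scanning alerts or a required check), not the workflow status.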

Copilot AI self-assigned this Nov 11, 2025
@CLAassistant

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

@coderabbitai

coderabbitai bot commented Nov 11, 2025

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.


Copilot AI changed the title [WIP] Integrate SCA and static scans for the CDS Integrate SCA and static security scanning workflows Nov 11, 2025


Development

Successfully merging this pull request may close these issues.

Integrate SCA and Static Scans for the CDS
