Azure · hdamecharla · Mar 18, 2025 · Mar 13, 2025 · Mar 17, 2025 · Mar 17, 2025
@@ -0,0 +1,59 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: "CodeQL"
+
+on:
+  push:
+    branches: ["main", "development"]
+  pull_request:
+    branches: ["main", "development"]
+  schedule:
+    - cron: "0 0 * * 1"
+
+permissions:
+  contents: read
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: ["javascript", "python"]
+
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
+        with:
+          egress-policy: audit
+
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@d68b2d4edb4189fd2a5366ac14e72027bd4b37dd # v3.28.2
+        with:
+          languages: ${{ matrix.language }}
+
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@d68b2d4edb4189fd2a5366ac14e72027bd4b37dd # v3.28.2
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@d68b2d4edb4189fd2a5366ac14e72027bd4b37dd # v3.28.2
+        with:
+          category: "/language:${{matrix.language}}"
@@ -0,0 +1,27 @@
+# Dependency Review Action
+#
+# This Action will scan dependency manifest files that change as part of a Pull Request,
+# surfacing known-vulnerable versions of the packages declared or updated in the PR.
+# Once installed, if the workflow run is marked as required,
+# PRs introducing known-vulnerable packages will be blocked from merging.
+#
+# Source repository: https://github.com/actions/dependency-review-action
+name: 'Dependency Review'
+on: [pull_request]
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
+        with:
+          egress-policy: audit
+
+      - name: 'Checkout Repository'
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: 'Dependency Review'
+        uses: actions/dependency-review-action@3b139cfc5fae8b618d3eae3675e383bb1769c019 # v4.5.0
@@ -19,7 +19,7 @@ jobs:
       - name: Setup Python
         uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 #v5.4.0
         with:
-          python-version: '3.x'
+          python-version: '3.10'
 
       - name: Install dependencies
         run: |

@@ -19,7 +19,7 @@ jobs:
       - name: Setup Python
         uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 #v5.4.0
         with:
-          python-version: '3.x'
+          python-version: '3.10'
 
       - name: Install dependencies
         run: |
@@ -30,6 +30,10 @@ jobs:
         run: |
           pytest --cov=src/ --cov-fail-under=85 --cov-report=xml tests/
 
+      - name: Run pylint
+        run: |
+          pylint --load-plugins=pylint.extensions.docparams --fail-under=9 --disable=R $(git ls-files '*.py') --rcfile=./pyproject.toml
+
       - name: Check code formatting with black
         run: |
           black --check src/ tests/ --config pyproject.toml
@@ -0,0 +1,51 @@
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
+name: Scorecard supply-chain security
+on:
+  branch_protection_rule:
+  schedule:
+    - cron: '32 4 * * 5'
+  push:
+    branches: [ "main" ]
+
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      id-token: write
+
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
+        with:
+          egress-policy: audit
+
+      - name: "Checkout code"
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          publish_results: true
+
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@d68b2d4edb4189fd2a5366ac14e72027bd4b37dd # v3.28.2
+        with:
+          sarif_file: results.sarif
@@ -0,0 +1,43 @@
+---
+  name: trivy
+
+  on:
+    pull_request:
+      types: [ 'opened', 'reopened', 'synchronize' ]
+    merge_group:
+    workflow_dispatch:
+
+
+  permissions:
+    actions: read
+    contents: read
+    security-events: write
+
+  jobs:
+    build:
+      name: 'trivy scan'
+      runs-on: ubuntu-latest
+      steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
+        with:
+          egress-policy: audit
+
+      - name: Checkout code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Run Trivy vulnerability scanner (file system)
+        uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # 0.29.0
+        with:
+          scan-type: 'fs'
+          ignore-unfixed: true
+          scan-ref: .
+          format: 'sarif'
+          scanners: 'vuln,secret,config'
+          output: report-fs.sarif
+
+      - name: Upload Trivy report (fs) GitHub Security
+        uses: github/codeql-action/upload-sarif@d68b2d4edb4189fd2a5366ac14e72027bd4b37dd # v3.28.2
+        with:
+          sarif_file: report-fs.sarif
+          category: 'fs'
@@ -9,8 +9,6 @@
 - **WORKSPACES**: System-specific configuration and credentials management
 - **Reporting Engine**: Generates detailed HTML test reports
 
-
-
 ## Architecture
 
 ### High-Level Framework Structure
@@ -81,7 +79,8 @@ graph TB
 ```
 
 ## Directory Structure
-```
+
+```plain
 src/
 ├── module_utils/          # Shared utilities and constants
 ├── modules/              # Custom Ansible modules
@@ -119,4 +118,4 @@ sequenceDiagram
         Framework->>Reporting: Generate Failure Report
         Reporting-->>User: Failure Report
     end
-```
+```
@@ -16,4 +16,4 @@
 | Secondary Node Kill | Process | The Secondary Node Kill test examines cluster resilience by forcefully terminating HANA processes on the secondary node using the kill -9 signal. The test validates that the primary node maintains normal operation while the secondary node undergoes recovery, ensuring cluster stability and proper data synchronization after the recovery process completes. | [node-kill.md](./pseudocode/node-kill.md) |
 | Secondary Echo B | System | The Secondary Echo B test simulates an uncontrolled system crash on the secondary HANA node by executing the 'echo b' command, triggering an immediate reboot without proper shutdown procedures. The test validates that the primary node maintains operation, verifies cluster stability, and ensures system replication resumes correctly after the secondary node recovers. | [echo-b.md](./pseudocode/echo-b.md) |
 | Filesystem Freeze | Storage | The Filesystem Freeze test validates cluster behavior when the primary node's filesystem becomes unresponsive. It simulates a storage issue by freezing the filesystem on the primary node running HANA database, which triggers automatic failover to the secondary node. The test verifies proper cluster reaction, resource migration, and data consistency after recovery. | [freeze-filesystem.md](./pseudocode/freeze-filesystem.md) |
-| SBD Fencing | Fencing | Validates cluster fencing mechanism by killing the SBD inquisitor process on the primary node. Tests proper fence detection, node isolation, and automated failover to ensure cluster integrity during hardware or communication failures. | [sbd-fencing.md](./pseudocode/sbd-fencing.md) |
+| SBD Fencing | Fencing | Validates cluster fencing mechanism by killing the SBD inquisitor process on the primary node. Tests proper fence detection, node isolation, and automated failover to ensure cluster integrity during hardware or communication failures. | [sbd-fencing.md](./pseudocode/sbd-fencing.md) |
@@ -32,7 +32,7 @@ In summary, SAP High Availability testing is an integral part of the overall SAP
 
 #### Optional Components
 
-- **Analytics Integration** [Telemetry Setup Information](./docs/TELEMETRY_SETUP.md)
+- **Analytics Integration** [Telemetry Setup Information](./TELEMETRY_SETUP.md)
   - Azure Log Analytics
   - Azure Data Explorer
 
@@ -232,4 +232,4 @@ cd WORKSPACES/SYSTEM/<SYSTEM_CONFIG_NAME>/quality_assurance/
 
 ## Additional Resources
 
-- [Azure SAP Documentation](https://docs.microsoft.com/azure/sap)
+- [Azure SAP Documentation](https://docs.microsoft.com/azure/sap)
@@ -7,7 +7,7 @@ This guide outlines the steps to create an Azure Data Explorer (Kusto) cluster a
 ## Azure Data Explorer (Kusto) Cluster Setup
 
 1. **Log in to the Azure Portal:**  
-   Navigate to https://portal.azure.com and sign in with your Azure credentials.
+   Navigate to [Azure Portal](https://portal.azure.com) and sign in with your Azure credentials.
 
 2. **Create a Resource Group:**  
    - Click on "Resource groups" in the left navigation pane.  
@@ -43,12 +43,12 @@ This guide outlines the steps to create an Azure Data Explorer (Kusto) cluster a
     - **adx_cluster_fqdn:** Azure Data Explorer Cluster FQDN [Data Ingestion URI].
     - **adx_database_name:** Azure Data Explorer Database Name [Database Name]
     - **adx_client_id:** Azure Data Explorer Client ID [MSI Client ID]
-    - **telemetry_table_name:** Name of the table in the ADX database [SAP_AUTOMATION_QA]
+    - **telemetry_table_name:** Name of the table in the ADX database SAP_AUTOMATION_QA
 
 ## Azure Log Analytics Workspace Setup
 
 1. **Log in to the Azure Portal:**  
-   Use https://portal.azure.com with your credentials.
+   Login to [Azure Portal](https://portal.azure.com) with your credentials.
 
 2. **Create a Resource Group (if needed):**  
    If you haven't already created a resource group for Log Analytics, follow the same step as above.
@@ -65,7 +65,7 @@ This guide outlines the steps to create an Azure Data Explorer (Kusto) cluster a
 4. **Assign Azure Roles for Data Ingestion:**  
    To ingest or work with data in a Log Analytics Workspace, assign the following roles:
    - **Log Analytics Contributor:** Grants permissions to submit and manage data in the workspace.
-   
+
    To assign a role:
    - Navigate to the Log Analytics Workspace resource.
    - Click on "Access control (IAM)."  
@@ -75,4 +75,4 @@ This guide outlines the steps to create an Azure Data Explorer (Kusto) cluster a
 5. **Parameters**
     - **laws_workspace_id:** Log Analytics Workspace ID [Workspace ID]
     - **laws_shared_key:** Log Analytics Shared Key [Primary Key]
-    - **telemetry_table_name:** Name of the table in Log Analytics [SAP_AUTOMATION_QA]
+    - **telemetry_table_name:** Name of the table in Log Analytics SAP_AUTOMATION_QA