From a38aab53f3435f44143cc71f1964d18cf3329aa9 Mon Sep 17 00:00:00 2001
From: Reuel Albert <66895085+ReuelAlbert-Dev@users.noreply.github.com>
Date: Mon, 11 Aug 2025 10:41:03 +0800
Subject: [PATCH 1/3] Create pysa.yml
---
 .github/workflows/pysa.yml | 50 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 50 insertions(+)
 create mode 100644 .github/workflows/pysa.yml
diff --git a/.github/workflows/pysa.yml b/.github/workflows/pysa.yml
new file mode 100644
index 000000000..591afff88
--- /dev/null
+++ b/.github/workflows/pysa.yml
@@ -0,0 +1,50 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow integrates Python Static Analyzer (Pysa) with
+# GitHub's Code Scanning feature.
+#
+# Python Static Analyzer (Pysa) is a security-focused static
+# analysis tool that tracks flows of data from where they
+# originate to where they terminate in a dangerous location.
+#
+# See https://pyre-check.org/docs/pysa-basics/
+
+name: Pysa
+
+on:
+ workflow_dispatch:
+ push:
+ branches: [ "main" ]
+ pull_request:
+ branches: [ "main" ]
+ schedule:
+ - cron: '26 1 * * 0'
+
+permissions:
+ contents: read
+
+jobs:
+ pysa:
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ submodules: true
+
+ - name: Run Pysa
+ uses: facebook/pysa-action@f46a63777e59268613bd6e2ff4e29f144ca9e88b
+ with:
+ # To customize these inputs:
+ # See https://github.com/facebook/pysa-action#inputs
+ repo-directory: './'
+ requirements-path: 'requirements.txt'
+ infer-types: true
+ include-default-sapp-filters: true
From 75abbb39b2ab6d4bb2f90d4236d24fc90800a17c Mon Sep 17 00:00:00 2001
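Review bot: `actions/checkout@v4` in the pysa job is pinned only to a mutable tag, while the next step in the same hunk pins `facebook/pysa-action` to a full commit SHA; the black-duck-security-scan-ci.yml hunk below has the same mix. A moving tag lets the checkout step's code change with no diff in this repository, so pin it the same way, `uses: actions/checkout@<full-commit-sha>  # v4`, with the SHA of the v4 release you intend (placeholder shown, not a real SHA). Separately, `requirements-path: 'requirements.txt'` only works if that file exists at the repository root; I cannot see the tree from here, but if dependencies are declared elsewhere the action's install step fails before any analysis runs.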
From: Reuel Albert <66895085+ReuelAlbert-Dev@users.noreply.github.com>
Date: Sun, 24 Aug 2025 11:05:39 +0800
Subject: [PATCH 2/3] Potential fix for code scanning alert no. 4: Workflow does not contain permissions
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 .github/workflows/publish-pypi.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.github/workflows/publish-pypi.yml b/.github/workflows/publish-pypi.yml
index 0d9eb2de0..1961c9c83 100644
--- a/.github/workflows/publish-pypi.yml
+++ b/.github/workflows/publish-pypi.yml
@@ -31,6 +31,8 @@ jobs:
 path: dist/
 checks:
+ permissions:
+ contents: read
 uses: ./.github/workflows/shared.yml
 pypi-publish:
From 5e4ac89829fda015d75a7e6c93f082dcdd11ac8b Mon Sep 17 00:00:00 2001
From: Reuel Albert <66895085+ReuelAlbert-Dev@users.noreply.github.com>
Date: Sun, 14 Sep 2025 10:53:33 +0800
Subject: [PATCH 3/3] Create black-duck-security-scan-ci.yml
---
 .../workflows/black-duck-security-scan-ci.yml | 54 +++++++++++++++++++
 1 file changed, 54 insertions(+)
 create mode 100644 .github/workflows/black-duck-security-scan-ci.yml
diff --git a/.github/workflows/black-duck-security-scan-ci.yml b/.github/workflows/black-duck-security-scan-ci.yml
new file mode 100644
index 000000000..b6a58df18
--- /dev/null
+++ b/.github/workflows/black-duck-security-scan-ci.yml
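Review bot: The added `permissions:` / `contents: read` applies only to the `checks` job, so the job containing the `path: dist/` line above and the `pypi-publish` job below still run with the repository's default token permissions unless they declare their own; both lie outside the hunk, so I cannot confirm what they set. The alert this commit answers is about the workflow as a whole, which is most directly closed by a top-level `permissions:` with `contents: read` above `jobs:`, with any job that needs more (for example `id-token: write`, if pypi-publish relies on trusted publishing) widening it at job level. Because `checks` calls a reusable workflow via `uses: ./.github/workflows/shared.yml`, the caller's `permissions` is the ceiling for everything shared.yml does, so confirm it needs nothing beyond `contents: read` or its steps will start failing with this change.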
@@ -0,0 +1,54 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# Black Duck Security Action allows you to integrate Static Analysis Security Testing (SAST) and Software Composition Analysis (SCA) into your CI/CD pipelines.
+# For more information about configuring your workflow,
+# read our documentation at https://github.com/blackduck-inc/black-duck-security-scan
+
+name: CI Black Duck security scan
+
+on:
+ push:
+ branches: [ "main" ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ "main" ]
+ schedule:
+ - cron: '30 19 * * 3'
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ pull-requests: write
+ security-events: write
+ actions: read
+
+ steps:
+ - name: Checkout source
+ uses: actions/checkout@v4
+ - name: Black Duck SCA scan
+ uses: blackduck-inc/black-duck-security-scan@805cbd09e806b01907bbea0f990723c2bb85abe9
+ with:
+ ### ---------- BLACKDUCK SCA SCANNING: REQUIRED FIELDS ----------
+ blackducksca_url: ${{ vars.BLACKDUCKSCA_URL }}
+ blackducksca_token: ${{ secrets.BLACKDUCKSCA_TOKEN }}
+
+ ### ---------- COVERITY SCANNING: REQUIRED FIELDS ----------
+ coverity_url: ${{ vars.COVERITY_URL }}
+ coverity_user: ${{ secrets.COVERITY_USER }}
+ coverity_passphrase: ${{ secrets.COVERITY_PASSPHRASE }}
+
+ ### ---------- POLARIS SCANNING: REQUIRED FIELDS ----------
+ polaris_server_url: ${{ vars.POLARIS_SERVER_URL }}
+ polaris_access_token: ${{ secrets.POLARIS_ACCESS_TOKEN }}
+ polaris_assessment_types: "SCA,SAST"
+
+ ### ---------- SRM SCANNING: REQUIRED FIELDS ----------
+ srm_url: ${{ vars.SRM_URL }}
+ srm_apikey: ${{ secrets.SRM_API_KEY }}
+ srm_assessment_types: "SCA,SAST"
+
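Review bot: All four scanner sections (Black Duck SCA, Coverity, Polaris, SRM) are passed to the action in one `with:` block, each headed REQUIRED FIELDS, although the template expects only the scanner you actually use to remain; any `vars.*` or `secrets.*` that is not configured expands to an empty string, and whether the action then errors or silently skips that scanner depends on the action, which I cannot verify here. Trim the `with:` block to the one scanner this repository is provisioned for and delete the other sections together with their `vars`/`secrets` references. The job grants `pull-requests: write`, which is presumably for the action's pull-request comments; if that feature is not enabled, dropping it or using `pull-requests: read` narrows the token with no loss. Note also that on `pull_request` events from forks GitHub does not expose `secrets.*` to the run, so the scan will fail on fork PRs unless the job is conditioned on the source repository.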