Refactor GitHub Actions workflows: consolidate permissions and remove deprecated Defender workflow

CalinL · CalinL · commit b3471cce1724 · 2025-04-21T10:11:42.000-04:00
diff --git a/.github/workflows/CIS-Anchore-Grype.yml b/.github/workflows/CIS-Anchore-Grype.yml
@@ -15,25 +15,27 @@ env:
   fail-build: false # Set to true to fail the build if vulnerabilities are found
   imageName: "webapp01"
   tag: ${{ github.sha }}
+
+permissions:
+  contents: read # for actions/checkout to fetch code
+  security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+  actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
   
 jobs:
   anchore-grype-scan:
     name: Anchore Grype Vulnerability Scan
 
     runs-on: ubuntu-latest
 
-    permissions:
-      contents: read # for actions/checkout to fetch code
-      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
-      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
-
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
 
       - name: Build an image from Dockerfile
         uses: docker/build-push-action@v4
         with:
+          context: ./src/webapp01
+          file: ./src/webapp01/Dockerfile
           tags: "${{ env.imageName }}:${{ env.tag }}"
           push: false
           load: true
diff --git a/.github/workflows/CIS-Trivy-AquaSecurity.yml b/.github/workflows/CIS-Trivy-AquaSecurity.yml
@@ -16,17 +16,17 @@ env:
   imageName: "webapp01"
   tag: ${{ github.sha }}    
 
+permissions:
+  contents: read # for actions/checkout to fetch code
+  security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+  actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+  
 jobs:
   trivy:
     name: Trivy vulnerability scanner
 
     runs-on: ubuntu-latest
 
-    permissions:
-      contents: read # for actions/checkout to fetch code
-      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
-      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
-
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
diff --git a/.github/workflows/SAST-GitHubAdvancedSecurity-CodeQL.yml b/.github/workflows/SAST-GitHubAdvancedSecurity-CodeQL.yml
@@ -1,4 +1,4 @@
-name: "CodeQL Advanced"
+name: "SAST - Code Scanning - CodeQL Advanced"
 
 on:
   push:
@@ -20,10 +20,8 @@ jobs:
     permissions:
       # required for all workflows
       security-events: write
-
       # required to fetch internal or private CodeQL packs
       packages: read
-
       # only required for workflows in private repositories
       actions: read
       contents: read
diff --git a/.github/workflows/defender-for-devops.yml b/.github/workflows/defender-for-devops.yml
