From ac2a9c143b146e3690e383c1d439d993fbb61edf Mon Sep 17 00:00:00 2001
From: PPawlowski
Date: Tue, 13 Jan 2026 14:23:56 +0100
Subject: [PATCH 1/3] Introduce `Codebase SAST Scan` reusable workflow

---
 .github/workflows/sast_scan.yaml | 49 ++++++++++++++++++++++++++++++++
 1 file changed, 49 insertions(+)
 create mode 100644 .github/workflows/sast_scan.yaml

diff --git a/.github/workflows/sast_scan.yaml b/.github/workflows/sast_scan.yaml
new file mode 100644
index 0000000..7306713
--- /dev/null
+++ b/.github/workflows/sast_scan.yaml
@@ -0,0 +1,49 @@
+name: Codebase SAST Scan
+on:
+  workflow_call:
+    inputs:
+      fail_on_severity:
+        description: 'Fail the scan if vulnerabilities of this severity or higher are found. Valid values: CRITICAL, HIGH, MEDIUM, LOW, UNKNOWN, NONE'
+        required: false
+        type: string
+        default: 'NONE'
+
+jobs:
+  trivy-scan:
+    name: Trivy Security Scan
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+      actions: read
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          fetch-depth: 0
+
+      - name: Cache vulnerability database
+        uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
+        with:
+          path: .cache/trivy
+          key: ${{ runner.os }}-trivy-db-${{ github.run_id }}
+          restore-keys: |
+            ${{ runner.os }}-trivy-db-
+
+      - name: Perform SAST scan
+        uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # v0.33.1
+        with:
+          scan-type: 'fs'
+          scan-ref: '.'
+          trivy-config: '.github/trivy.yaml'
+          output: 'trivy-results.sarif'
+        env:
+          TRIVY_FAIL_ON_SEVERITY: ${{ inputs.fail_on_severity }}
+
+      - name: Upload scan results to GitHub
+        uses: github/codeql-action/upload-sarif@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
+        if: always()
+        with:
+          sarif_file: 'trivy-results.sarif'
+          category: 'trivy-sast'

From 2063ca252896458eaf9abc2eafc81676da70d36d Mon Sep 17 00:00:00 2001
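Review bot: The `fail_on_severity` input looks like a silent no-op: the "Perform SAST scan" step forwards it only as `TRIVY_FAIL_ON_SEVERITY`, and Trivy's environment variables mirror its CLI flags, which as far as I know include no `--fail-on-severity` — the gating knobs are `--severity` and `--exit-code`, and trivy-action's `exit-code` input defaults to `0`. As written, whatever a caller passes is ignored, the step exits 0 regardless of findings, and the reusable workflow never fails the calling pipeline, so the "Fail the scan if …" promise in the input description is not kept. Unless `.github/trivy.yaml` (not in this diff) sets `exit-code`, I would translate the threshold into the two flags Trivy does understand, reject values outside the documented set instead of passing them through, and keep in mind that `--severity` also filters what lands in the SARIF file, so a non-`NONE` threshold hides lower-severity findings from code scanning unless the scan is run twice. Separately, I believe trivy-action ≥ 0.24 caches `.cache/trivy` on its own when its `cache` input is left at the default, so the explicit `actions/cache` step may be a duplicate worth confirming.

```yaml
      - name: Resolve severity threshold
        id: severity
        env:
          THRESHOLD: ${{ inputs.fail_on_severity }}
        run: |
          # Trivy's --severity is a list, not a threshold; expand "X or higher".
          case "$THRESHOLD" in
            CRITICAL) list='CRITICAL' ;;
            HIGH)     list='CRITICAL,HIGH' ;;
            MEDIUM)   list='CRITICAL,HIGH,MEDIUM' ;;
            LOW)      list='CRITICAL,HIGH,MEDIUM,LOW' ;;
            UNKNOWN|NONE) list='CRITICAL,HIGH,MEDIUM,LOW,UNKNOWN' ;;
            *) echo "::error::unsupported fail_on_severity '$THRESHOLD'"; exit 1 ;;
          esac
          echo "list=$list" >> "$GITHUB_OUTPUT"

      - name: Perform SAST scan
        uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # v0.33.1
        with:
          # … unchanged: scan-type, scan-ref, trivy-config, output …
          severity: ${{ steps.severity.outputs.list }}
          exit-code: ${{ inputs.fail_on_severity != 'NONE' && '1' || '0' }}
```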
From: PPawlowski
Date: Tue, 13 Jan 2026 14:37:19 +0100
Subject: [PATCH 2/3] Adkjust job name

---
 .github/workflows/sast_scan.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/sast_scan.yaml b/.github/workflows/sast_scan.yaml
index 7306713..1d67573 100644
--- a/.github/workflows/sast_scan.yaml
+++ b/.github/workflows/sast_scan.yaml
@@ -9,8 +9,8 @@ on:
         default: 'NONE'
 
 jobs:
-  trivy-scan:
-    name: Trivy Security Scan
+  codebase-scan:
+    name: Codebase Scan
     runs-on: ubuntu-latest
     permissions:
       contents: read

From 4beca8d986ae225436a5b6efaa1e48a14912c797 Mon Sep 17 00:00:00 2001
From: PPawlowski
Date: Wed, 14 Jan 2026 09:41:34 +0100
Subject: [PATCH 3/3] Bump codeql-action/upload-sarif to `4.31.10`

---
 .github/workflows/sast_scan.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/sast_scan.yaml b/.github/workflows/sast_scan.yaml
index 1d67573..9a7c6f7 100644
--- a/.github/workflows/sast_scan.yaml
+++ b/.github/workflows/sast_scan.yaml
@@ -42,7 +42,7 @@ jobs:
           TRIVY_FAIL_ON_SEVERITY: ${{ inputs.fail_on_severity }}
 
       - name: Upload scan results to GitHub
-        uses: github/codeql-action/upload-sarif@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
+        uses: github/codeql-action/upload-sarif@cdefb33c0f6224e58673d9004f47f7cb3e328b89 # v4.31.10
         if: always()
         with:
           sarif_file: 'trivy-results.sarif'