Conversation

@asutosh
Contributor

@asutosh asutosh commented Nov 10, 2025

Description

This adds a GitHub Actions workflow that will scan the codebase for vulnerabilities, secrets, misconfigurations etc. on every pull request.
These can be managed based on centrally set up rules on the S1 console.

Related Issue

TT-15942

Motivation and Context

This is to integrate S1 with our repositories so that everything can be managed centrally in the S1 console.

How This Has Been Tested

This is not very testable, as it requires the workflow to be added and then run to actually see how it behaves.
But some scans have been done independently locally for testing.

Screenshots (if appropriate)

NA

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Refactoring or add test (improvements in base code or adds test coverage to functionality)

Checklist

  • I ensured that the documentation is up to date
  • I explained why this PR updates go.mod in detail with reasoning why it's required
  • I would like a code coverage CI quality gate exception and have explained why

@probelabs

probelabs bot commented Nov 10, 2025

🔍 Code Analysis Results

This PR introduces a new GitHub Actions workflow to integrate the SentinelOne CNS (Cloud Native Security) scanner. The workflow is designed to automatically scan the codebase for vulnerabilities, secrets, and misconfigurations on every pull request targeting the master branch.

Files Changed Analysis

  • File Added: .github/workflows/s1-cns-scans.yml
  • Changes: 21 lines added, 0 deleted.
  • Summary: A single new workflow file is added to the repository. This file defines a GitHub Actions job that calls a reusable workflow from a central repository to perform the security scan.

Architecture & Impact Assessment

  • What this PR accomplishes: This PR enhances development security by embedding automated security scanning directly into the pull request lifecycle. This helps in identifying and remediating potential security issues before they are merged into the main codebase.
  • Key technical changes introduced:
    • A new workflow file, .github/workflows/s1-cns-scans.yml, is created.
    • The workflow is configured to trigger on opened, reopened, synchronize, and ready_for_review events for pull requests targeting the master branch.
    • It leverages a reusable workflow (TykTechnologies/github-actions/.github/workflows/s1-cns-scan.yml@main), promoting consistency and centralized management of the scanning logic.
    • Infrastructure-as-Code (IaC) scanning is explicitly disabled (iac_enabled: false).
  • Affected system components:
    • CI/CD Pipeline: A new security scanning check is added to the pull request process. This may slightly increase the overall time for PR checks to complete.
    • Developer Workflow: Developers will receive security feedback directly within their pull requests. Depending on the configuration in the central workflow, this scan could become a required check, blocking merges until critical issues are addressed.
  • Workflow Visualization:
    graph TD
        A[Developer opens/updates PR to master] --> B{GitHub Action Trigger};
        B --> C[Job: s1_scanner];
        C --> D["Uses: TykTechnologies/github-actions/.github/workflows/s1-cns-scan.yml@main"];
        D --> E[Execute SentinelOne Scan];
        E --> F[Report findings on PR];

Scope Discovery & Context Expansion

  • The change is confined to this repository's CI configuration but introduces a dependency on the TykTechnologies/github-actions repository and the external SentinelOne service.
  • The actual scanning logic, including the specific tools used and failure criteria, is defined within the reusable workflow. A deeper understanding would require examining the s1-cns-scan.yml file in the TykTechnologies/github-actions repository.
  • Security Risk & Best Practice: The reusable workflow is pinned to the main branch, which is a mutable reference. This poses a supply-chain risk, as any changes to the main branch of the source repository will be automatically picked up. It is strongly recommended to pin the workflow to a specific immutable version (e.g., a release tag or a commit SHA) to ensure stability and security.
  • The configuration iac_enabled: false is notable. This repository contains several Infrastructure-as-Code files (e.g., Dockerfile, docker-compose.yml). Disabling IaC scanning means potential misconfigurations in these files will not be detected by this workflow.
  • The workflow relies on repository secrets (S1_API_TOKEN, S1_CONSOLE_URL, S1_SCOPE_ID) to authenticate with the SentinelOne platform. These must be correctly configured in the repository's settings for the workflow to function.
Metadata
  • Review Effort: 1 / 5
  • Primary Label: feature

Powered by Visor from Probelabs

Last updated: 2025-11-19T13:04:21.522Z | Triggered by: synchronize | Commit: 00e9b84


@probelabs

probelabs bot commented Nov 10, 2025

🔍 Code Analysis Results

Security Issues (1)

Severity Location Issue
🟡 Warning .github/workflows/s1-cns-scans.yml:12
The reusable workflow is referenced using the `main` branch, which can introduce unexpected changes or vulnerabilities. Workflows should be pinned to a specific commit SHA or a release tag to ensure immutability and security.
💡 Suggestion: Replace `@main` with a specific, immutable reference like a commit SHA or a release tag (e.g., `@v1.2.3`). This ensures that you are using a specific, vetted version of the workflow, protecting against unexpected or malicious changes to the `main` branch.

Architecture Issues (1)

Severity Location Issue
🟡 Warning .github/workflows/s1-cns-scans.yml:12
The reusable workflow is referenced using `@main`, which points to the latest version in the `main` branch. This can introduce instability if breaking changes are made to the reusable workflow, or security risks if the source repository is compromised. The workflow could fail unexpectedly or execute unintended code.
💡 Suggestion: Pin the reusable workflow to a specific, immutable version using a commit SHA or a release tag (e.g., `@v1.2.3`). This ensures that the workflow is stable, predictable, and secure.

✅ Performance Check Passed

No performance issues found – changes LGTM.

Quality Issues (1)

Severity Location Issue
🟡 Warning .github/workflows/s1-cns-scans.yml:12
The reusable workflow `TykTechnologies/github-actions/.github/workflows/s1-cns-scan.yml` is pinned to the `main` branch. This is not recommended as it can introduce unexpected changes or breakages into the CI pipeline. Workflows can be updated with breaking changes, and using `@main` will always pull the latest version, which may not be stable or secure.
💡 Suggestion: It is a best practice to pin reusable workflows to a specific release tag or commit SHA to ensure stability and security. Please change `@main` to a specific tag (e.g., `@v1.0.0`) or a commit SHA.

✅ Dependency Check Passed

No dependency issues found – changes LGTM.

✅ Connectivity Check Passed

No connectivity issues found – changes LGTM.


Last updated: 2025-11-19T13:04:22.913Z | Triggered by: synchronize | Commit: 00e9b84
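As an added example (not the PR's workflow file and not Visor's code), a small Python check for the finding the bot raised above: it scans a workflow for `uses:` references that are not pinned to a full commit SHA. The sample workflow is constructed from what the PR discussion states (file triggers, job name, the `@main` reference, `iac_enabled: false`, the three S1 secrets); its exact layout, the `name:` field and the function name `find_unpinned_uses` are assumptions.

```python
import re
from typing import List, Tuple

# Constructed sample shaped like the workflow this PR adds. Triggers, job name,
# reusable-workflow reference and iac_enabled come from the PR discussion; the
# surrounding layout (name:, with:, secrets: mapping) is assumed.
SAMPLE_WORKFLOW = """\
name: S1 CNS scans
on:
  pull_request:
    branches: [master]
    types: [opened, reopened, synchronize, ready_for_review]
jobs:
  s1_scanner:
    uses: TykTechnologies/github-actions/.github/workflows/s1-cns-scan.yml@main
    with:
      iac_enabled: false
    secrets:
      S1_API_TOKEN: ${{ secrets.S1_API_TOKEN }}
      S1_CONSOLE_URL: ${{ secrets.S1_CONSOLE_URL }}
      S1_SCOPE_ID: ${{ secrets.S1_SCOPE_ID }}
"""

# Matches `uses:` at step or job level, with or without quotes around the value.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")
# A full 40-hex commit SHA is the only immutable reference form.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def find_unpinned_uses(workflow_text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, reference, reason) for every external `uses:` whose
    ref is a branch or tag rather than a full commit SHA. Local references
    (./path) and docker:// images are out of scope and skipped."""
    findings: List[Tuple[int, str, str]] = []
    for no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        if "@" not in ref:
            findings.append((no, ref, "missing @ref"))
            continue
        tag = ref.rpartition("@")[2]
        if not SHA_RE.match(tag):
            findings.append((no, ref, f"mutable ref '{tag}'; pin to a 40-hex commit SHA"))
    return findings
```

Run it over every file under `.github/workflows/` in a pre-commit hook or CI step to catch a branch or tag reference before it merges; a release tag is better than a branch, but only a commit SHA cannot be moved afterwards.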

@asutosh asutosh force-pushed the feat/tt-15942/sentinel-one-cns branch 2 times, most recently from e9ea4e7 to 0682836 November 13, 2025 12:31
@asutosh asutosh marked this pull request as ready for review November 13, 2025 12:31
@asutosh asutosh requested a review from jeffy-mathew November 14, 2025 05:46
@asutosh asutosh force-pushed the feat/tt-15942/sentinel-one-cns branch from 49733cb to 4e0556f November 14, 2025 10:22
@asutosh asutosh enabled auto-merge (squash) November 14, 2025 10:23
@github-actions
Contributor

API Changes

no api changes detected

Uses the reusable workflow from github-actions.

Signed-off-by: Asutosh <[email protected]>
Also added ready_for_review in trigger events

Signed-off-by: Asutosh <[email protected]>
@asutosh asutosh force-pushed the feat/tt-15942/sentinel-one-cns branch from 4e0556f to 00e9b84 November 19, 2025 13:02
@github-actions
Contributor

🚨 Jira Linter Failed

Commit: 00e9b84
Failed at: 2025-11-19 13:02:43 UTC

The Jira linter failed to validate your PR. Please check the error details below:

Error details:
failed to validate branch and PR title rules: branch name 'feat/tt-15942/sentinel-one-cns' must contain a valid Jira ticket ID (e.g., ABC-123)

Next Steps

  • Ensure your branch name contains a valid Jira ticket ID (e.g., ABC-123)
  • Verify your PR title matches the branch's Jira ticket ID
  • Check that the Jira ticket exists and is accessible

This comment will be automatically deleted once the linter passes.

@sonarqubecloud

sonarqubecloud bot commented Nov 19, 2025

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@asutosh asutosh merged commit 4fe2da1 into master Nov 19, 2025
49 of 50 checks passed
@asutosh asutosh deleted the feat/tt-15942/sentinel-one-cns branch November 19, 2025 14:34