Merged
21 changes: 21 additions & 0 deletions .github/workflows/s1-cns-scans.yml
@@ -0,0 +1,21 @@
---
name: SentinelOne CNS Scan

on: # yamllint disable-line rule:truthy
pull_request:
types: [opened, reopened, synchronize, ready_for_review]
branches: [master]

jobs:
s1_scanner:
uses: TykTechnologies/github-actions/.github/workflows/s1-cns-scan.yml@main
permissions:

Check warning on line 12 in .github/workflows/s1-cns-scans.yml


probelabs / Visor: security

security Issue

The reusable workflow is referenced using the `main` branch, which can introduce unexpected changes or vulnerabilities. Workflows should be pinned to a specific commit SHA or a release tag to ensure immutability and security.
Raw output
Replace `@main` with a specific, immutable reference like a commit SHA or a release tag (e.g., `@v1.2.3`). This ensures that you are using a specific, vetted version of the workflow, protecting against unexpected or malicious changes to the `main` branch.

Check warning on line 12 in .github/workflows/s1-cns-scans.yml


probelabs / Visor: architecture

architecture Issue

The reusable workflow is referenced using `@main`, which points to the latest version in the `main` branch. This can introduce instability if breaking changes are made to the reusable workflow, or security risks if the source repository is compromised. The workflow could fail unexpectedly or execute unintended code.
Raw output
Pin the reusable workflow to a specific, immutable version using a commit SHA or a release tag (e.g., `@v1.2.3`). This ensures that the workflow is stable, predictable, and secure.

Check warning on line 12 in .github/workflows/s1-cns-scans.yml


probelabs / Visor: architecture

architecture Issue

The reusable workflow `TykTechnologies/github-actions/.github/workflows/s1-cns-scan.yml` is pinned to the `main` branch. This is not recommended as it can introduce unexpected changes or breakages into the CI pipeline. Workflows can be updated with breaking changes, and using `@main` will always pull the latest version, which may not be stable or secure.
Raw output
It is a best practice to pin reusable workflows to a specific release tag or commit SHA to ensure stability and security. Please change `@main` to a specific tag (e.g., `@v1.0.0`) or a commit SHA.
contents: read
with:
iac_enabled: false
tag: service:vulnscan
scope_type: ACCOUNT
secrets:
S1_API_TOKEN: ${{ secrets.S1_API_TOKEN }}
CONSOLE_URL: ${{ secrets.S1_CONSOLE_URL }}
SCOPE_ID: ${{ secrets.S1_SCOPE_ID }}
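Review bot: `iac_enabled: false` under `with:` disables the IaC part of the scan with no comment saying why; please add a short inline comment (or a note in the PR) stating whether this is temporary or intentional, so a later reader does not assume the repository's Terraform/Kubernetes manifests are being covered when they are not. Two further points on the same hunk: the `uses:` line pins the reusable workflow to `@main`, so the three Visor annotations above stand, and a commit SHA (with the tag in a trailing comment) is the reference that actually gives immutability; and because the trigger is `pull_request` on `master` only, the job will have no `secrets.S1_API_TOKEN`, `S1_CONSOLE_URL` or `S1_SCOPE_ID` available for pull requests opened from forks and will fail there, so either document that this check is expected to run only for same-repository branches or add a `push` trigger on `master` so the scan also runs after merge with secrets present.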