[Security] Add Dependency Scanning to CI/CD Pipeline

[emmanuelknafo]

Summary

Implement dependency scanning and static analysis in the CI/CD pipeline to detect vulnerable packages and security issues before deployment.

Threats Addressed

• T-009: Supply Chain Attack (Medium Risk)

Current State

• No automated dependency scanning in repository
• No SAST/DAST integration in CI/CD pipeline
• Vulnerable dependencies may go undetected

Acceptance Criteria

• GitHub Dependabot enabled for NuGet packages
• Dependabot security updates enabled
• GitHub Advanced Security enabled (if available)
• CodeQL analysis added to CI/CD workflow
• Dependency review action added to PR workflow
• Secret scanning enabled for repository

Implementation Reference

Add the following to .github/workflows/security.yml:

\\yaml
name: Security Scanning

on:
push:
branches: [main]
pull_request:
branches: [main]
schedule:
- cron: '0 6 * * 1' # Weekly on Monday

jobs:
dependency-review:
runs-on: ubuntu-latest
if: github.event_name == 'pull_request'
steps:
- uses: actions/checkout@v4
- name: Dependency Review
uses: actions/dependency-review-action@v4

codeql:
runs-on: ubuntu-latest
permissions:
security-events: write
steps:
- uses: actions/checkout@v4
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
languages: csharp
- name: Build
run: dotnet build src/webapp01/webapp01.csproj
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
\\

Additional Configuration

Create \dependabot.yml\ in .github/:

\\yaml
version: 2
updates:

• package-ecosystem: nuget
  directory: /src/webapp01
  schedule:
  interval: weekly
  open-pull-requests-limit: 10
  \\

Priority

P2 - High - Implement within 30 days