From cc490bf549d9142cb3a6007f78864dab3bf8c788 Mon Sep 17 00:00:00 2001 From: "Tobias.Mikula" Date: Thu, 27 Nov 2025 11:39:17 +0100 Subject: [PATCH 01/14] Test of AquaSec API --- .github/workflows/trivy_repository_scan.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/trivy_repository_scan.yml b/.github/workflows/trivy_repository_scan.yml index dfe3a26..a030b1b 100644 --- a/.github/workflows/trivy_repository_scan.yml +++ b/.github/workflows/trivy_repository_scan.yml @@ -30,7 +30,11 @@ jobs: trivy fs . \ --format sarif \ --scanners vuln,secret,misconfig,license \ + --sast \ --output trivy_repository_report.sarif + env: + AQUA_KEY: ${{ secrets.AQUA_KEY }} + AQUA_SECRET: ${{ secrets.AQUA_SECRET }} - name: Upload SARIF to GitHub Security Hub uses: github/codeql-action/upload-sarif@v4 From 345b1afcb18962a4d409e17d3c69be70a61f9267 Mon Sep 17 00:00:00 2001 From: "Tobias.Mikula" Date: Thu, 27 Nov 2025 14:45:40 +0100 Subject: [PATCH 02/14] Test of AquaSec API --- .github/workflows/aquasec_repository_scan.yml | 79 ++++++++++ .github/workflows/trivy_repository_scan.yml | 147 ------------------ 2 files changed, 79 insertions(+), 147 deletions(-) create mode 100644 .github/workflows/aquasec_repository_scan.yml delete mode 100644 .github/workflows/trivy_repository_scan.yml diff --git a/.github/workflows/aquasec_repository_scan.yml b/.github/workflows/aquasec_repository_scan.yml new file mode 100644 index 0000000..078a94f --- /dev/null +++ b/.github/workflows/aquasec_repository_scan.yml 
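Review bot: `--sast` is added to the `trivy fs` invocation while `AQUA_KEY`/`AQUA_SECRET` are handed to the step, but as far as I can tell the open-source `trivy fs` subcommand has no `--sast` flag, so the step would fail at argument parsing before the credentials are ever read; if this targets Aqua's commercial scanner plugin, install it in the setup step and invoke it explicitly instead of adding a flag to `trivy fs`. The deleted copy of this file further down shows the workflow runs on `pull_request`, where repository secrets are empty for pull requests from forks, so the step should be gated, e.g. `if: github.event.pull_request.head.repo.fork == false`, or made tolerant of an unset key. The enclosing job and its `on:` block start outside this hunk.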
@@ -0,0 +1,79 @@ +name: AquaSec Full Repository Scan + +on: + workflow_dispatch: + pull_request: + types: [ opened, synchronize ] + +permissions: + contents: read + issues: write + pull-requests: write + security-events: write + +jobs: + aquasec: + name: AquaSec Full Repository Scan + runs-on: ubuntu-latest + steps: + - name: Checkout repository + uses: actions/checkout@v5 + with: + persist-credentials: false + fetch-depth: 0 + + - name: Retrieve AquaSec Scan Results + env: + AQUA_KEY: ${{ secrets.AQUA_KEY }} + AQUA_SECRET: ${{ secrets.AQUA_SECRET }} + run: | + echo "=== Authenticating with AquaSec ===" + + TIMESTAMP=$(date +%s) + AUTH_ENDPOINT="https://eu-1.api.cloudsploit.com/v2/tokens" + METHOD="POST" + POST_BODY='{"validity":240,"allowed_endpoints":["GET"]}' + STRING_TO_SIGN="${TIMESTAMP}${METHOD}/v2/tokens${POST_BODY}" + SIGNATURE=$(echo -n "$STRING_TO_SIGN" | openssl dgst -sha256 -hmac "$AQUA_SECRET" -hex | sed 's/.*= //g') + + AUTH_RESPONSE=$(curl -s -X POST "$AUTH_ENDPOINT" \ + -H "Content-Type: application/json" \ + -H "X-API-Key: $AQUA_KEY" \ + -H "X-Timestamp: $TIMESTAMP" \ + -H "X-Signature: $SIGNATURE" \ + -d "$POST_BODY") + + RESPONSE_STATUS=$(echo AUTH_RESPONSE | jq -r '.status') + + if [ $RESPONSE_STATUS -eq 200 ]; then + echo "Login successful." + BEARER_TOKEN=$(echo $AUTH_RESPONSE | jq -r '.data') + else + echo "Login failed. 
Status: $AUTH_RESPONSE" + exit 1 + fi + + echo "=== Getting Repository ID from GitHub ===" + + REPO_ID=$(curl -s "https://api.github.com/repos/${{ github.repository }}" | jq -r '.id') + + if [ -z "$REPO_ID" ] || [ "$REPO_ID" == "null" ]; then + echo "Failed to get repository ID from GitHub" + exit 1 + fi + + echo "=== Receiving AquaSec Scan Results ===" + + SCAN_RESULTS_ENDPOINT="https://eu-central-1.edge.cloud.aquasec.com/codesec/api/v1/scans/results" + SCAN_RESULTS=$(curl -s -X GET \ + "$SCAN_RESULTS_ENDPOINT?repositoryIds=$REPO_ID" \ + -H "Authorization: Bearer $BEARER_TOKEN" \ + -H "Accept: application/json") + + if [ -z "$SCAN_RESULTS" ]; then + echo "Failed to retrieve scan results" + exit 1 + fi + + echo "=== Scan Results ===" + echo "$SCAN_RESULTS" | jq '.' diff --git a/.github/workflows/trivy_repository_scan.yml b/.github/workflows/trivy_repository_scan.yml deleted file mode 100644 index a030b1b..0000000 --- a/.github/workflows/trivy_repository_scan.yml +++ /dev/null 
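Review bot: `RESPONSE_STATUS=$(echo AUTH_RESPONSE | jq -r '.status')` is missing the `$`, so jq parses the literal word and fails, and `[ $RESPONSE_STATUS -eq 200 ]` then errors on an empty operand — every run takes the failure branch; it should read `RESPONSE_STATUS=$(echo "$AUTH_RESPONSE" | jq -r '.status')` with `if [ "$RESPONSE_STATUS" = "200" ]; then`. The bearer token taken from `.data` is never masked, so any later echo, a `set -x`, or a verbose curl writes a live token into the job log; add `echo "::add-mask::$BEARER_TOKEN"` directly after it is extracted. The `permissions` block grants `issues: write`, `pull-requests: write` and `security-events: write`, yet nothing in this job comments, opens issues or uploads SARIF, so `contents: read` alone is sufficient for the GITHUB_TOKEN.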
@@ -1,147 +0,0 @@ -name: Trivy Full Repository Scan - -on: - workflow_dispatch: - pull_request: - types: [ opened, synchronize ] - -permissions: - contents: read - issues: write - pull-requests: write - security-events: write - -jobs: - trivy: - name: Trivy Full Repository Scan - runs-on: ubuntu-latest - steps: - - name: Checkout repository - uses: actions/checkout@v5 - with: - persist-credentials: false - fetch-depth: 0 - - - name: Setup Trivy - uses: aquasecurity/setup-trivy@v0.2.4 - - - name: Run Trivy filesystem scan - run: | - trivy fs . \ - --format sarif \ - --scanners vuln,secret,misconfig,license \ - --sast \ - --output trivy_repository_report.sarif - env: - AQUA_KEY: ${{ secrets.AQUA_KEY }} - AQUA_SECRET: ${{ secrets.AQUA_SECRET }} - - - name: Upload SARIF to GitHub Security Hub - uses: github/codeql-action/upload-sarif@v4 - with: - sarif_file: trivy_repository_report.sarif - - - name: Create scan summary table - id: scan_summary_table - run: | - python <<'PY' - import os - import json - import sys - from collections import defaultdict, Counter - - SARIF_PATH = "trivy_repository_report.sarif" - SEVERITIES = ["CRITICAL", "HIGH", "MEDIUM", "LOW"] - CATEGORIES = ["vulnerability", "secret", "misconfiguration", "license"] - - try: - # Parse results from SARIF - with open(SARIF_PATH, "r", encoding="utf-8") as f: - sarif = json.load(f) - - # Validate SARIF structure - if "runs" not in sarif or not sarif["runs"]: - raise ValueError("SARIF file contains no runs") - - run = sarif["runs"][0] - if "tool" not in run or "driver" not in run["tool"]: - raise ValueError("SARIF structure missing expected tool/driver keys") - - rules = run["tool"]["driver"].get("rules", []) - results = run.get("results", []) - category_severity_counts = defaultdict(Counter) - - except (IOError, json.JSONDecodeError, KeyError, ValueError) as e: - print(f"Error processing SARIF file: {e}", file=sys.stderr) - sys.exit(1) - - # Count results by category and severity - for result in results: - 
try: - rule_idx = result.get("ruleIndex") - if rule_idx is None or rule_idx >= len(rules): - continue - rule = rules[rule_idx] - tags = rule.get("properties", {}).get("tags", []) - # Find category and severity - category = next((c for c in CATEGORIES if c in tags), None) - severity = next((s for s in SEVERITIES if s in tags), None) - if category and severity: - category_severity_counts[category][severity] += 1 - except (KeyError, IndexError, TypeError) as e: - print(f"Warning: Error processing result: {e}", file=sys.stderr) - continue - - # Build Markdown summary table - headers = ["TRIVY"] + SEVERITIES + ["TOTAL"] - summary_table = "| " + " | ".join(headers) + " |\n" - summary_table += "|---|---|---|---|---|---|\n" - - # Rows with counts for each category - total_severity = Counter() - total_all = 0 - for category in CATEGORIES: - row = [category] - category_total = 0 - for severity in SEVERITIES: - count = category_severity_counts[category][severity] - row.append(str(count)) - total_severity[severity] += count - category_total += count - row.append(f"**{category_total}**") - total_all += category_total - summary_table += "| " + " | ".join(row) + " |\n" - - total_row = ["**➡️ Total**"] + [f"**{total_severity[sev]}**" for sev in SEVERITIES] + [f"**{total_all}**"] - summary_table += "| " + " | ".join(total_row) + " |" - - # Set summary table output - try: - if "GITHUB_OUTPUT" in os.environ: - with open(os.environ["GITHUB_OUTPUT"], "a", encoding="utf-8") as f: - f.write("table< Date: Thu, 27 Nov 2025 14:57:43 +0100 Subject: [PATCH 03/14] Test of AquaSec API --- .github/workflows/aquasec_repository_scan.yml | 21 ++++++++++--------- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/.github/workflows/aquasec_repository_scan.yml b/.github/workflows/aquasec_repository_scan.yml index 078a94f..41783ad 100644 --- a/.github/workflows/aquasec_repository_scan.yml +++ b/.github/workflows/aquasec_repository_scan.yml 
@@ -28,7 +28,7 @@ jobs: AQUA_SECRET: ${{ secrets.AQUA_SECRET }} run: | echo "=== Authenticating with AquaSec ===" - + TIMESTAMP=$(date +%s) AUTH_ENDPOINT="https://eu-1.api.cloudsploit.com/v2/tokens" METHOD="POST" @@ -42,22 +42,23 @@ jobs: -H "X-Timestamp: $TIMESTAMP" \ -H "X-Signature: $SIGNATURE" \ -d "$POST_BODY") - - RESPONSE_STATUS=$(echo AUTH_RESPONSE | jq -r '.status') - if [ $RESPONSE_STATUS -eq 200 ]; then - echo "Login successful." - BEARER_TOKEN=$(echo $AUTH_RESPONSE | jq -r '.data') + RESPONSE_STATUS=$(echo "$AUTH_RESPONSE" | jq -r '.status') + + if [ "$RESPONSE_STATUS" = "200" ]; then + echo "Login successful." + BEARER_TOKEN=$(echo "$AUTH_RESPONSE" | jq -r '.data') + echo "::add-mask::$BEARER_TOKEN" else - echo "Login failed. Status: $AUTH_RESPONSE" - exit 1 + echo "Login failed" + exit 1 fi echo "=== Getting Repository ID from GitHub ===" REPO_ID=$(curl -s "https://api.github.com/repos/${{ github.repository }}" | jq -r '.id') - if [ -z "$REPO_ID" ] || [ "$REPO_ID" == "null" ]; then + if [ -z "$REPO_ID" ] || [ "$REPO_ID" = "null" ]; then echo "Failed to get repository ID from GitHub" exit 1 fi @@ -76,4 +77,4 @@ jobs: fi echo "=== Scan Results ===" - echo "$SCAN_RESULTS" | jq '.' + echo "$SCAN_RESULTS" | jq '.' \ No newline at end of file From 66f5c8959d611a5e083cbf7a47cea82ddbd6d27d Mon Sep 17 00:00:00 2001 From: "Tobias.Mikula" Date: Thu, 27 Nov 2025 15:01:55 +0100 Subject: [PATCH 04/14] AquaSec workflow fix --- .github/workflows/aquasec_repository_scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/aquasec_repository_scan.yml b/.github/workflows/aquasec_repository_scan.yml index 41783ad..d213ac3 100644 --- a/.github/workflows/aquasec_repository_scan.yml +++ b/.github/workflows/aquasec_repository_scan.yml 
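Review bot: The repository lookup `curl -s "https://api.github.com/repos/${{ github.repository }}"` is unauthenticated, so it is subject to the anonymous rate limit and returns 404 for a private repository, which `jq -r '.id'` turns into the `null` the next line then rejects; the numeric id is already available as `${{ github.repository_id }}` without any request. Prefer passing it through `env:` (`REPO_ID: ${{ github.repository_id }}`) rather than interpolating an expression into the script text. The rest of the hunk is sound: `::add-mask::` now covers the bearer token and the status check is a quoted string comparison.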
@@ -30,7 +30,7 @@ jobs: echo "=== Authenticating with AquaSec ===" TIMESTAMP=$(date +%s) - AUTH_ENDPOINT="https://eu-1.api.cloudsploit.com/v2/tokens" + AUTH_ENDPOINT="https://eu-1.api.cloudsploit.com/" METHOD="POST" POST_BODY='{"validity":240,"allowed_endpoints":["GET"]}' STRING_TO_SIGN="${TIMESTAMP}${METHOD}/v2/tokens${POST_BODY}" From 77f0e240b2ff7b5835957d4ce9be2ffcfcb65a07 Mon Sep 17 00:00:00 2001 From: "Tobias.Mikula" Date: Thu, 27 Nov 2025 15:15:52 +0100 Subject: [PATCH 05/14] AquaSec workflow fix --- .github/workflows/aquasec_repository_scan.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/aquasec_repository_scan.yml b/.github/workflows/aquasec_repository_scan.yml index d213ac3..4494099 100644 --- a/.github/workflows/aquasec_repository_scan.yml +++ b/.github/workflows/aquasec_repository_scan.yml @@ -29,14 +29,14 @@ jobs: run: | echo "=== Authenticating with AquaSec ===" - TIMESTAMP=$(date +%s) + TIMESTAMP=$(date -u +%s) AUTH_ENDPOINT="https://eu-1.api.cloudsploit.com/" METHOD="POST" - POST_BODY='{"validity":240,"allowed_endpoints":["GET"]}' + POST_BODY='{"validity":240,"allowed_endpoints":["GET","POST"]}' STRING_TO_SIGN="${TIMESTAMP}${METHOD}/v2/tokens${POST_BODY}" SIGNATURE=$(echo -n "$STRING_TO_SIGN" | openssl dgst -sha256 -hmac "$AQUA_SECRET" -hex | sed 's/.*= //g') - AUTH_RESPONSE=$(curl -s -X POST "$AUTH_ENDPOINT" \ + AUTH_RESPONSE=$(curl -s -X "$METHOD" "$AUTH_ENDPOINT" \ -H "Content-Type: application/json" \ -H "X-API-Key: $AQUA_KEY" \ -H "X-Timestamp: $TIMESTAMP" \ From 2713be6af852c44273f4a21f5cbcee2b2baa162c Mon Sep 17 00:00:00 2001 From: "Tobias.Mikula" Date: Thu, 27 Nov 2025 15:24:46 +0100 Subject: [PATCH 06/14] AquaSec workflow fix --- .github/workflows/aquasec_repository_scan.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/aquasec_repository_scan.yml b/.github/workflows/aquasec_repository_scan.yml index 4494099..f3d166d 100644 
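Review bot: `AUTH_ENDPOINT` now points at the host root while `STRING_TO_SIGN` still embeds `/v2/tokens`, so the path that is signed no longer matches the path that is requested; assuming the HMAC covers the request path, as the string-to-sign construction indicates, the server will reject the signature, and in any case the POST lands on `/` rather than the token endpoint. Derive both from one variable so they cannot drift: `API_PATH="/v2/tokens"`, `AUTH_ENDPOINT="https://eu-1.api.cloudsploit.com${API_PATH}"`, `STRING_TO_SIGN="${TIMESTAMP}${METHOD}${API_PATH}${POST_BODY}"`.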
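Review bot: Adding `"POST"` to `allowed_endpoints` widens the scope of the short-lived token although the only call made with it further down is a GET against the scan-results endpoint; keep the token read-only, `POST_BODY='{"validity":240,"allowed_endpoints":["GET"]}'`, and widen it only when a write call is actually added. The `date -u` change is a no-op: `%s` is seconds since the epoch and does not depend on the timezone, so the previous `date +%s` was already correct.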
--- a/.github/workflows/aquasec_repository_scan.yml +++ b/.github/workflows/aquasec_repository_scan.yml @@ -17,7 +17,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout repository - uses: actions/checkout@v5 + uses: actions/checkout@v6 with: persist-credentials: false fetch-depth: 0 @@ -28,9 +28,9 @@ jobs: AQUA_SECRET: ${{ secrets.AQUA_SECRET }} run: | echo "=== Authenticating with AquaSec ===" - + TIMESTAMP=$(date -u +%s) - AUTH_ENDPOINT="https://eu-1.api.cloudsploit.com/" + AUTH_ENDPOINT="https://eu-1.api.cloudsploit.com/v2/tokens" METHOD="POST" POST_BODY='{"validity":240,"allowed_endpoints":["GET","POST"]}' STRING_TO_SIGN="${TIMESTAMP}${METHOD}/v2/tokens${POST_BODY}" From 83308262330f55c1659a5b220575c4bf5736d4f4 Mon Sep 17 00:00:00 2001 From: "Tobias.Mikula" Date: Thu, 27 Nov 2025 15:26:45 +0100 Subject: [PATCH 07/14] AquaSec workflow fix --- .github/workflows/aquasec_repository_scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/aquasec_repository_scan.yml b/.github/workflows/aquasec_repository_scan.yml index f3d166d..d615f6b 100644 --- a/.github/workflows/aquasec_repository_scan.yml +++ b/.github/workflows/aquasec_repository_scan.yml @@ -30,7 +30,7 @@ jobs: echo "=== Authenticating with AquaSec ===" TIMESTAMP=$(date -u +%s) - AUTH_ENDPOINT="https://eu-1.api.cloudsploit.com/v2/tokens" + AUTH_ENDPOINT="https://api.cloudsploit.com/v2/tokens" METHOD="POST" POST_BODY='{"validity":240,"allowed_endpoints":["GET","POST"]}' STRING_TO_SIGN="${TIMESTAMP}${METHOD}/v2/tokens${POST_BODY}" From 8d1b523cf01898522500309c5c052ce1adc66419 Mon Sep 17 00:00:00 2001 From: "Tobias.Mikula" Date: Thu, 27 Nov 2025 15:28:56 +0100 Subject: [PATCH 08/14] AquaSec workflow fix --- .github/workflows/aquasec_repository_scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/aquasec_repository_scan.yml b/.github/workflows/aquasec_repository_scan.yml index d615f6b..b17def9 100644 
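Review bot: This is the third commit in the series that rewrites the hard-coded `AUTH_ENDPOINT` host by trial (`eu-1.api.cloudsploit.com`, the bare host, now `api.cloudsploit.com`); which region a key pair is bound to is deployment configuration, not code, so hoist it into a repository variable injected next to the credentials, `AQUA_API_HOST: ${{ vars.AQUA_API_HOST }}` under `env:` and `AUTH_ENDPOINT="https://${AQUA_API_HOST}/v2/tokens"`. Whether the global or the regional host is correct for these credentials cannot be determined from the workflow itself; the variable at least makes that choice visible and reviewable instead of buried in the script.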
--- a/.github/workflows/aquasec_repository_scan.yml +++ b/.github/workflows/aquasec_repository_scan.yml @@ -30,7 +30,7 @@ jobs: echo "=== Authenticating with AquaSec ===" TIMESTAMP=$(date -u +%s) - AUTH_ENDPOINT="https://api.cloudsploit.com/v2/tokens" + AUTH_ENDPOINT="https://eu-1.api.cloudsploit.com" METHOD="POST" POST_BODY='{"validity":240,"allowed_endpoints":["GET","POST"]}' STRING_TO_SIGN="${TIMESTAMP}${METHOD}/v2/tokens${POST_BODY}" From 371f052d60f0cafb6001f53795da57d45d6bc7a6 Mon Sep 17 00:00:00 2001 From: "Tobias.Mikula" Date: Wed, 10 Dec 2025 11:03:34 +0100 Subject: [PATCH 09/14] AquaSec Scan update --- .github/workflows/aquasec_repository_scan.yml | 28 +++++++++---------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/.github/workflows/aquasec_repository_scan.yml b/.github/workflows/aquasec_repository_scan.yml index b17def9..1bd2ed3 100644 --- a/.github/workflows/aquasec_repository_scan.yml +++ b/.github/workflows/aquasec_repository_scan.yml 
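Review bot: Pointing the POST at the bare host again means the response is most likely not the JSON the following lines expect, and nothing detects that: `curl -s` has no `--fail`, the HTTP status is never inspected, and without `set -e` a jq parse error leaves `RESPONSE_STATUS` empty so the script just reports a failed login with no detail. Make transport failures explicit on the request line, `AUTH_RESPONSE=$(curl -sS --fail-with-body -X "$METHOD" "$AUTH_ENDPOINT" \`, or capture the code with `-w '%{http_code}'` and test it before piping the body into jq. The signed path (`/v2/tokens` in `STRING_TO_SIGN`) again differs from the requested path, as two commits earlier.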
@@ -27,20 +27,29 @@ jobs: AQUA_KEY: ${{ secrets.AQUA_KEY }} AQUA_SECRET: ${{ secrets.AQUA_SECRET }} run: | + set -euo pipefail + echo "=== Authenticating with AquaSec ===" - TIMESTAMP=$(date -u +%s) - AUTH_ENDPOINT="https://eu-1.api.cloudsploit.com" METHOD="POST" - POST_BODY='{"validity":240,"allowed_endpoints":["GET","POST"]}' + AUTH_ENDPOINT="https://api.cloudsploit.com/v2/tokens" + TIMESTAMP=$(date -u +%s) + POST_BODY='{ + # 1155 for CAO + "group_id": 1228, + "allowed_endpoints": ["GET", "POST"], + "validity": 240, + "csp_roles": ["developer", "devops"] + }' STRING_TO_SIGN="${TIMESTAMP}${METHOD}/v2/tokens${POST_BODY}" SIGNATURE=$(echo -n "$STRING_TO_SIGN" | openssl dgst -sha256 -hmac "$AQUA_SECRET" -hex | sed 's/.*= //g') + AUTH_RESPONSE=$(curl -s -X "$METHOD" "$AUTH_ENDPOINT" \ -H "Content-Type: application/json" \ -H "X-API-Key: $AQUA_KEY" \ - -H "X-Timestamp: $TIMESTAMP" \ -H "X-Signature: $SIGNATURE" \ + -H "X-Timestamp: $TIMESTAMP" \ -d "$POST_BODY") RESPONSE_STATUS=$(echo "$AUTH_RESPONSE" | jq -r '.status') @@ -54,20 +63,11 @@ jobs: exit 1 fi - echo "=== Getting Repository ID from GitHub ===" - - REPO_ID=$(curl -s "https://api.github.com/repos/${{ github.repository }}" | jq -r '.id') - - if [ -z "$REPO_ID" ] || [ "$REPO_ID" = "null" ]; then - echo "Failed to get repository ID from GitHub" - exit 1 - fi - echo "=== Receiving AquaSec Scan Results ===" SCAN_RESULTS_ENDPOINT="https://eu-central-1.edge.cloud.aquasec.com/codesec/api/v1/scans/results" SCAN_RESULTS=$(curl -s -X GET \ - "$SCAN_RESULTS_ENDPOINT?repositoryIds=$REPO_ID" \ + "$SCAN_RESULTS_ENDPOINT?repositoryIds=${{ github.repository_id }} \ -H "Authorization: Bearer $BEARER_TOKEN" \ -H "Accept: application/json") From 057d3f88b4e0d39f8c8e42b9db804926cb58abd2 Mon Sep 17 00:00:00 2001 From: "Tobias.Mikula" Date: Wed, 10 Dec 2025 11:08:11 +0100 Subject: [PATCH 10/14] AquaSec Scan update --- .github/workflows/aquasec_repository_scan.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) 
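Review bot: The `# 1155 for CAO` line sits inside the single-quoted `POST_BODY`, so it is not a shell comment but part of the JSON body — invalid JSON, and part of the bytes that `STRING_TO_SIGN` HMACs — so the token request cannot succeed as written. The multi-line body also bakes newlines and indentation into the signed string; unless the server signs exactly the raw bytes it received, any canonicalisation on its side breaks the signature, so keep the body compact and put the note outside the string: `# group_id 1155 is the CAO tenant` above `POST_BODY='{"group_id":1228,"allowed_endpoints":["GET"],"validity":240}'`. `csp_roles` and `"POST"` widen the token beyond the single GET it is used for; `set -euo pipefail` is a welcome addition.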
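Review bot: The new URL argument `"$SCAN_RESULTS_ENDPOINT?repositoryIds=${{ github.repository_id }} \` has no closing double quote, so bash reports an unterminated string and, with the `set -euo pipefail` added in the same commit, the step fails before any request is sent; it should be `"$SCAN_RESULTS_ENDPOINT?repositoryIds=${{ github.repository_id }}" \`. Replacing the unauthenticated GitHub lookup with the context value is the right call; pass it through `env:` (`REPO_ID: ${{ github.repository_id }}`) rather than inline interpolation so the script text stays free of `${{ }}` expressions.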
diff --git a/.github/workflows/aquasec_repository_scan.yml b/.github/workflows/aquasec_repository_scan.yml index 1bd2ed3..951f84f 100644 --- a/.github/workflows/aquasec_repository_scan.yml +++ b/.github/workflows/aquasec_repository_scan.yml @@ -35,8 +35,7 @@ jobs: AUTH_ENDPOINT="https://api.cloudsploit.com/v2/tokens" TIMESTAMP=$(date -u +%s) POST_BODY='{ - # 1155 for CAO - "group_id": 1228, + "group_id": 1155, "allowed_endpoints": ["GET", "POST"], "validity": 240, "csp_roles": ["developer", "devops"] From 0d3ff0e6a9c7813d7efb7361b7adad99b3d2cff1 Mon Sep 17 00:00:00 2001 From: "Tobias.Mikula" Date: Wed, 10 Dec 2025 11:14:03 +0100 Subject: [PATCH 11/14] AquaSec Scan update --- .github/workflows/aquasec_repository_scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/aquasec_repository_scan.yml b/.github/workflows/aquasec_repository_scan.yml index 951f84f..d1684aa 100644 --- a/.github/workflows/aquasec_repository_scan.yml +++ b/.github/workflows/aquasec_repository_scan.yml @@ -32,7 +32,7 @@ jobs: echo "=== Authenticating with AquaSec ===" METHOD="POST" - AUTH_ENDPOINT="https://api.cloudsploit.com/v2/tokens" + AUTH_ENDPOINT="https://eu-1.api.cloudsploit.com/v2/tokens" TIMESTAMP=$(date -u +%s) POST_BODY='{ "group_id": 1155, From c099d52979bb6941b801713d610f0a5d7aa3fa90 Mon Sep 17 00:00:00 2001 From: "Tobias.Mikula" Date: Wed, 10 Dec 2025 12:01:28 +0100 Subject: [PATCH 12/14] AquaSec Scan update --- .github/workflows/aquasec_repository_scan.yml | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/.github/workflows/aquasec_repository_scan.yml b/.github/workflows/aquasec_repository_scan.yml index d1684aa..08f3820 100644 --- a/.github/workflows/aquasec_repository_scan.yml +++ b/.github/workflows/aquasec_repository_scan.yml 
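Review bot: `group_id` is a tenant identifier that has now flipped between 1228 and 1155 in consecutive commits; hard-coding it in the signed body makes every tenant change a workflow edit, and with the `# 1155 for CAO` note removed its meaning is lost. Inject it as configuration alongside the key, `AQUA_GROUP_ID: ${{ vars.AQUA_GROUP_ID }}` under `env:`, and build the body with jq so the number is validated and the JSON stays compact: `POST_BODY=$(jq -cn --argjson g "$AQUA_GROUP_ID" '{group_id:$g,allowed_endpoints:["GET","POST"],validity:240,csp_roles:["developer","devops"]}')`. The signature is computed over `$POST_BODY` afterwards, so the exact bytes signed are still the bytes sent.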
@@ -35,15 +35,13 @@ jobs: AUTH_ENDPOINT="https://eu-1.api.cloudsploit.com/v2/tokens" TIMESTAMP=$(date -u +%s) POST_BODY='{ - "group_id": 1155, - "allowed_endpoints": ["GET", "POST"], - "validity": 240, - "csp_roles": ["developer", "devops"] + "group_id": 1228, + "allowed_endpoints": ["GET"], + "validity": 240 }' STRING_TO_SIGN="${TIMESTAMP}${METHOD}/v2/tokens${POST_BODY}" SIGNATURE=$(echo -n "$STRING_TO_SIGN" | openssl dgst -sha256 -hmac "$AQUA_SECRET" -hex | sed 's/.*= //g') - AUTH_RESPONSE=$(curl -s -X "$METHOD" "$AUTH_ENDPOINT" \ -H "Content-Type: application/json" \ -H "X-API-Key: $AQUA_KEY" \ From 445a2d4507da261cea5d9b84dc52b5abfb112457 Mon Sep 17 00:00:00 2001 From: "Tobias.Mikula" Date: Wed, 10 Dec 2025 12:27:48 +0100 Subject: [PATCH 13/14] AquaSec Scan update --- .github/workflows/aquasec_repository_scan.yml | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/.github/workflows/aquasec_repository_scan.yml b/.github/workflows/aquasec_repository_scan.yml index 08f3820..2a98271 100644 --- a/.github/workflows/aquasec_repository_scan.yml +++ b/.github/workflows/aquasec_repository_scan.yml @@ -30,15 +30,12 @@ jobs: set -euo pipefail echo "=== Authenticating with AquaSec ===" + echo "${{ github.repository_id }}" METHOD="POST" AUTH_ENDPOINT="https://eu-1.api.cloudsploit.com/v2/tokens" TIMESTAMP=$(date -u +%s) - POST_BODY='{ - "group_id": 1228, - "allowed_endpoints": ["GET"], - "validity": 240 - }' + POST_BODY='{"group_id":1228,"allowed_endpoints":["GET"],"validity":240}' STRING_TO_SIGN="${TIMESTAMP}${METHOD}/v2/tokens${POST_BODY}" SIGNATURE=$(echo -n "$STRING_TO_SIGN" | openssl dgst -sha256 -hmac "$AQUA_SECRET" -hex | sed 's/.*= //g') @@ -54,9 +51,8 @@ jobs: if [ "$RESPONSE_STATUS" = "200" ]; then echo "Login successful." BEARER_TOKEN=$(echo "$AUTH_RESPONSE" | jq -r '.data') - echo "::add-mask::$BEARER_TOKEN" else - echo "Login failed" + echo "Login failed with error message: $(echo "$AUTH_RESPONSE" | jq -r '.errors')" exit 1 fi 
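Review bot: `echo "${{ github.repository_id }}"` looks like a debugging leftover and interpolates a workflow expression straight into the shell text; `repository_id` is numeric so it is harmless here, but this is the pattern that becomes script injection the moment a string-valued context is echoed the same way — if the value is needed, export it via `env:` and reference `$REPOSITORY_ID`. Collapsing `POST_BODY` onto one line is good: the HMAC is computed over the exact bytes sent, and a compact body removes the whitespace that would otherwise be part of the signature.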
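Review bot: Removing `echo "::add-mask::$BEARER_TOKEN"` re-exposes the token: that mask was the only thing preventing a later `echo`, a `set -x`, or a verbose curl from writing a live Aqua bearer token into the job log, and nothing else in the script provides the same protection. Keep the line immediately after `BEARER_TOKEN=$(echo "$AUTH_RESPONSE" | jq -r '.data')`. Printing `.errors` on failure is an improvement over the bare "Login failed", though it assumes the failure body is JSON; a non-JSON body makes jq exit non-zero inside the echo, which under `set -o pipefail` only loses the message, not the `exit 1`.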
From a661cb0982e7efaeab551d7af7cc7aa7d070bb0b Mon Sep 17 00:00:00 2001 From: "Tobias.Mikula" Date: Wed, 10 Dec 2025 14:21:36 +0100 Subject: [PATCH 14/14] AquaSec Scan update --- .github/workflows/aquasec_repository_scan.yml | 16 +++++++--------- 1 file changed, 7 insertions(+), 9 deletions(-) diff --git a/.github/workflows/aquasec_repository_scan.yml b/.github/workflows/aquasec_repository_scan.yml index 2a98271..5d65080 100644 --- a/.github/workflows/aquasec_repository_scan.yml +++ b/.github/workflows/aquasec_repository_scan.yml @@ -26,24 +26,23 @@ jobs: env: AQUA_KEY: ${{ secrets.AQUA_KEY }} AQUA_SECRET: ${{ secrets.AQUA_SECRET }} + REPOSITORY_ID: ${{ secrets.AQUA_REPOSITORY_ID }} run: | set -euo pipefail echo "=== Authenticating with AquaSec ===" - echo "${{ github.repository_id }}" - METHOD="POST" AUTH_ENDPOINT="https://eu-1.api.cloudsploit.com/v2/tokens" TIMESTAMP=$(date -u +%s) POST_BODY='{"group_id":1228,"allowed_endpoints":["GET"],"validity":240}' STRING_TO_SIGN="${TIMESTAMP}${METHOD}/v2/tokens${POST_BODY}" - SIGNATURE=$(echo -n "$STRING_TO_SIGN" | openssl dgst -sha256 -hmac "$AQUA_SECRET" -hex | sed 's/.*= //g') + SIGNATURE=$(echo -n "$STRING_TO_SIGN" | openssl dgst -sha256 -hmac "${AQUA_SECRET}" -hex | sed 's/.*= //g') - AUTH_RESPONSE=$(curl -s -X "$METHOD" "$AUTH_ENDPOINT" \ + AUTH_RESPONSE=$(curl -s -X $METHOD "$AUTH_ENDPOINT" \ -H "Content-Type: application/json" \ -H "X-API-Key: $AQUA_KEY" \ - -H "X-Signature: $SIGNATURE" \ -H "X-Timestamp: $TIMESTAMP" \ + -H "X-Signature: $SIGNATURE" \ -d "$POST_BODY") RESPONSE_STATUS=$(echo "$AUTH_RESPONSE" | jq -r '.status') 
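Review bot: `AQUA_REPOSITORY_ID` is stored as a secret although it is an identifier, not a credential; GitHub redacts every occurrence of a secret's value in the logs, so if this is a short number, unrelated digit runs in the scan output get masked as well, and the configuration itself is hidden from reviewers. Use a repository variable instead: `REPOSITORY_ID: ${{ vars.AQUA_REPOSITORY_ID }}`. Also `curl -s -X $METHOD` drops the quotes the previous version had; `-X "$METHOD"` keeps the script consistent with the rest of the quoting and with `set -u`.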
@@ -58,9 +57,8 @@ jobs: echo "=== Receiving AquaSec Scan Results ===" - SCAN_RESULTS_ENDPOINT="https://eu-central-1.edge.cloud.aquasec.com/codesec/api/v1/scans/results" - SCAN_RESULTS=$(curl -s -X GET \ - "$SCAN_RESULTS_ENDPOINT?repositoryIds=${{ github.repository_id }} \ + SCAN_RESULTS_ENDPOINT="https://eu-1.codesec.aquasec.com/api/v1/scans/results" + SCAN_RESULTS=$(curl -s -X GET "$SCAN_RESULTS_ENDPOINT?repositoryIds=${REPOSITORY_ID}" \ -H "Authorization: Bearer $BEARER_TOKEN" \ -H "Accept: application/json") @@ -70,4 +68,4 @@ jobs: fi echo "=== Scan Results ===" - echo "$SCAN_RESULTS" | jq '.' \ No newline at end of file + echo "$SCAN_RESULTS" \ No newline at end of file
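Review bot: The results request still has no transport check: `curl -s` without `--fail` returns a 401/403/404 error body just as happily as the real payload, the `-z "$SCAN_RESULTS"` test below cannot tell the two apart, and dropping the `jq '.'` formatting removes the one step that would have choked on a non-JSON body. Use `SCAN_RESULTS=$(curl -sS --fail-with-body "$SCAN_RESULTS_ENDPOINT?repositoryIds=${REPOSITORY_ID}" \` so an HTTP error terminates the step under `set -e`. Nothing then acts on the findings — the output is only echoed — so this workflow never fails a pull request on a result; a gate (exit non-zero on critical/high findings) needs the response schema, which is not visible here.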