From 36b2f3d9cd1805b07037269ffac5f008e56c468e Mon Sep 17 00:00:00 2001
From: Claude
Date: Tue, 16 Jun 2026 19:23:47 +0000
Subject: [PATCH 1/3] Allow Node.js 20 for xanitizer-action until it ships Node.js 24 support RIGS-IT/xanitizer-action@v1 uses Node.js 20; as of 2026-06-16 GitHub Actions runners default to Node.js 24, causing an SSL handshake failure when the action connects to the Xanitizer license server. Set ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION=true at the job level as a temporary workaround until an updated action version is available. https://claude.ai/code/session_01MtaSEMdzQA4Ttpa7nvtzaX
---
 .github/workflows/xanitizer.yml | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/.github/workflows/xanitizer.yml b/.github/workflows/xanitizer.yml
index d664deb..89eb30a 100644
--- a/.github/workflows/xanitizer.yml
+++ b/.github/workflows/xanitizer.yml
@@ -24,6 +24,11 @@ jobs: security-events: write actions: read + # xanitizer-action@v1 uses Node.js 20; allow it until an updated version + # ships with Node.js 24 support (Node.js 24 became default on 2026-06-16) + env: + ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION: true + steps: - name: Checkout code uses: actions/checkout@v4
From dc5bbb037f0e13e22b177faa1099c2ffe7d32ef1 Mon Sep 17 00:00:00 2001 
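Review bot: The opt-out is placed at job level (`env:` directly under the job, before `steps:`), so `ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION` also covers `actions/checkout@v4` and every step added to this job later, not only the action the comment names; move the `env:` block onto the `Run Xanitizer` step, which lies outside this hunk. The devskim.yml hunk `@@ -21,6 +21,10 @@` in the next patch uses the same job-level placement, where at least the comment should say that the setting applies to every step in the job. The commit message attributes the handshake failure to the Node.js 24 runtime, but nothing in the hunk shows that link; if the license endpoint's TLS handshake is failing, running an older runtime at best masks the problem rather than fixing it. As a minor style point, `ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION: "true"` keeps the env value an explicit string instead of a YAML boolean.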
From: Claude
Date: Tue, 16 Jun 2026 19:26:17 +0000
Subject: [PATCH 2/3] Fix DevSkim output-directory Docker path and add Node.js 20 workaround DevSkim-Action@v1 runs in a Docker container where the workspace is mounted at /github/workspace. Passing output-directory: ${{ github.workspace }} (the runner's absolute path) causes the entrypoint to construct an invalid path: /github/workspace + /home/runner/work/... = bad nested path. Using output-directory: '.' resolves to /github/workspace/devskim-results.sarif inside the container, which maps correctly to $GITHUB_WORKSPACE on the runner. Also sets ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION=true for Node.js 20 compat on checkout@v4 and upload-sarif@v3 following the 2026-06-16 runner cutover. https://claude.ai/code/session_01MtaSEMdzQA4Ttpa7nvtzaX
---
 .github/workflows/devskim.yml | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/devskim.yml b/.github/workflows/devskim.yml
index 07b55f3..f936377 100644
--- a/.github/workflows/devskim.yml
+++ b/.github/workflows/devskim.yml
@@ -21,6 +21,10 @@ jobs: security-events: write actions: read + # checkout@v4 and upload-sarif@v3 use Node.js 20; allow until updated + env: + ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION: true + steps: - name: Checkout code uses: actions/checkout@v4
@@ -31,7 +35,10 @@ jobs: directory-to-scan: . should-scan-archives: false output-filename: devskim-results.sarif - output-directory: ${{ github.workspace }} + # Use '.' so the entrypoint resolves to /github/workspace/devskim-results.sarif + # inside the container (passing ${{ github.workspace }} causes it to + # prepend /github/workspace to the runner absolute path, creating a bad path) + output-directory: '.' - name: Upload SARIF to Code Scanning uses: github/codeql-action/upload-sarif@v3
From 10b8851d2caad990f90eefe665ecc58b86f064ee Mon Sep 17 00:00:00 2001 
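Review bot: The step that consumes the relocated report is only partly visible in the second hunk — `uses: github/codeql-action/upload-sarif@v3` is its last line and the step's `with:`/`sarif_file:` follows outside the hunk — so confirm that it points at `devskim-results.sarif` at the workspace root now that `output-directory: '.'` puts the file there instead of under `${{ github.workspace }}`. Nothing in the new lines verifies that the report was actually written, so a missing or misplaced file would surface only as an upload error; a short step before the upload along the lines of `run: test -f devskim-results.sarif` makes that failure mode explicit. The three-line comment above `output-directory: '.'` describes the action entrypoint's path handling, which is an inference about the action's internals and may not hold for other versions; a comment limited to what this file relies on, e.g. `# Relative to the workspace: the action runs in Docker with the workspace mounted at /github/workspace`, would age better.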
From: Claude
Date: Tue, 16 Jun 2026 19:34:16 +0000
Subject: [PATCH 3/3] Replace defunct Xanitizer with Gitleaks secret scanning
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The RIGS-IT/xanitizer-action (last released Jan 2021) downloads the standalone Xanitizer tool from RIGS IT's distribution endpoint before any license check. That endpoint now fails the TLS handshake (SSL alert 40) because Xanitizer was acquired by WhiteSource (Feb 2022) and folded into the Mend.io platform — the standalone product and its download/license infrastructure no longer exist. No YAML edit or license can make this run. Xanitizer is also a SAST tool for Java/JS application source code, which this Markdown documentation repository does not contain. Removing it and adding Gitleaks, which scans the full git history for committed secrets and complements the DevSkim workflow. No GITLEAKS_LICENSE is required for personal-account repositories. https://claude.ai/code/session_01MtaSEMdzQA4Ttpa7nvtzaX
---
 .github/workflows/gitleaks.yml | 36 +++++++++++++++++
 .github/workflows/xanitizer.yml | 69 --------------------------------
 2 files changed, 36 insertions(+), 69 deletions(-)
 create mode 100644 .github/workflows/gitleaks.yml
 delete mode 100644 .github/workflows/xanitizer.yml
diff --git a/.github/workflows/gitleaks.yml b/.github/workflows/gitleaks.yml
new file mode 100644
index 0000000..97e1594
--- /dev/null
+++ b/.github/workflows/gitleaks.yml 
@@ -0,0 +1,36 @@
+name: CG Gitleaks Secret Scan
+
+on:
+ push:
+ branches: [ main ]
+ pull_request:
+ branches: [ main ]
+ schedule:
+ - cron: '23 9 * * 5'
+ workflow_dispatch:
+
+permissions:
+ contents: read
+
+jobs:
+ gitleaks:
+ runs-on: ubuntu-latest
+
+ permissions:
+ contents: read
+ # Allow the action to annotate pull requests with any findings
+ pull-requests: write
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+ with:
+ # Full history so Gitleaks can scan every commit for secrets
+ fetch-depth: 0
+
+ - name: Run Gitleaks
+ uses: gitleaks/gitleaks-action@v2
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ # GITLEAKS_LICENSE is only required for GitHub Organization accounts.
+ # This repository lives under a personal account, so none is needed.
diff --git a/.github/workflows/xanitizer.yml b/.github/workflows/xanitizer.yml
deleted file mode 100644
index 89eb30a..0000000
--- a/.github/workflows/xanitizer.yml
+++ /dev/null 
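Review bot: Both actions are referenced by mutable tags (`uses: actions/checkout@v4`, `uses: gitleaks/gitleaks-action@v2`) while the job hands the scanner a `GITHUB_TOKEN` carrying `pull-requests: write`; for a third-party action that receives a write-scoped token, pin to a full commit SHA and keep the tag as a comment, e.g. `uses: gitleaks/gitleaks-action@<full-commit-sha>  # v2`, and let a dependency-update tool move the pin. `pull-requests: write` only takes effect for pull requests from branches in this repository — on the `pull_request` event for fork PRs the token is read-only by default, so the "annotate pull requests" comment will not hold there; a one-line note next to the permission, `# effective only for same-repo PRs; fork PRs get a read-only token`, saves the next reader a surprise. `fetch-depth: 0` on a scheduled full-history scan is the right choice for secret detection, but it also means every run re-scans history that has already been reported; if the action supports a baseline or ignore file, consider adding it once findings are triaged (not verifiable from this hunk).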
@@ -1,69 +0,0 @@
-name: CG Xanitizer Security Analysis
-
-on:
- push:
- branches: [ main ]
- pull_request:
- branches: [ main ]
- schedule:
- - cron: '41 8 * * 5'
- workflow_dispatch:
-
-# Minimal repo-wide permissions
-permissions:
- contents: read
-
-jobs:
- xanitizer:
- # If you need Windows, switch to a matrix as shown in step 2 above.
- runs-on: ubuntu-latest
-
- # Give code-scanning write access
- permissions:
- contents: read
- security-events: write
- actions: read
-
- # xanitizer-action@v1 uses Node.js 20; allow it until an updated version
- # ships with Node.js 24 support (Node.js 24 became default on 2026-06-16)
- env:
- ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION: true
-
- steps:
- - name: Checkout code
- uses: actions/checkout@v4
-
- # — Java build (uncomment only if you use Java) —
- - name: Setup JDK 11
- uses: actions/setup-java@v4
- with:
- java-version: 11
- distribution: temurin
-
- - name: Compile Java
- if: hashFiles('pom.xml') != '' || hashFiles('build.gradle') != ''
- run: mvn -B compile
-
- # — JavaScript build (uncomment only if you use JS) —
- - name: Install JS deps
- if: hashFiles('package.json') != ''
- run: npm install
-
- - name: Run Xanitizer
- uses: RIGS-IT/xanitizer-action@v1
- with:
- license: ${{ secrets.XANITIZER_LICENSE }}
-
- - name: Archive Xanitizer reports
- uses: actions/upload-artifact@v4
- with:
- name: xanitizer-reports
- path: |
- *-Findings-List.pdf
- *-Findings-List.sarif
-
- - name: Upload SARIF to Code Scanning
- uses: github/codeql-action/upload-sarif@v3
- with:
- # Point to workspace root; upload-sarif finds all *.sarif files there
- sarif_file: ‘.’