From b88eb6ee1514ab026571643a21e37a55c413e83a Mon Sep 17 00:00:00 2001
From: Stijnus <72551117+Stijnus@users.noreply.github.com>
Date: Sun, 31 Aug 2025 14:28:13 +0200
Subject: [PATCH] Fix security workflow to generate reports locally instead of uploading to GitHub Security (#1950)

- Changed security-events permission from write to read
- Disabled automatic SARIF upload in CodeQL analysis
- Removed Trivy SARIF upload step that was causing permission errors
- Added artifact uploads for all security scan results (CodeQL, Trivy secrets, SBOM)
- Reports are now available for download as workflow artifacts for local review
---
 .github/workflows/security.yaml | 27 +++++++++++++++++++++++----
 1 file changed, 23 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/security.yaml b/.github/workflows/security.yaml
index f4bc612..d35c165 100644
--- a/.github/workflows/security.yaml
+++ b/.github/workflows/security.yaml
@@ -12,7 +12,7 @@ on:
 permissions:
   actions: read
   contents: read
-  security-events: write
+  security-events: read
 
 jobs:
   codeql:
@@ -42,6 +42,16 @@ jobs:
         uses: github/codeql-action/analyze@v3
         with:
           category: "/language:${{matrix.language}}"
+          upload: false
+
+      - name: Upload CodeQL results as artifact
+        uses: actions/upload-artifact@v4
+        if: always()
+        with:
+          name: codeql-results-${{ matrix.language }}
+          path: |
+            **/results/**/*.sarif
+            **/results/**/*.sarif.json
 
   dependency-scan:
     name: Dependency Vulnerability Scan
@@ -75,6 +85,13 @@ jobs:
           format: spdx-json
           artifact-name: sbom.spdx.json
 
+      - name: Upload SBOM as artifact
+        uses: actions/upload-artifact@v4
+        if: always()
+        with:
+          name: sbom-results
+          path: sbom.spdx.json
+
   secrets-scan:
     name: Secrets Detection
     runs-on: ubuntu-latest
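Review bot: The artifact glob `**/results/**/*.sarif` in the CodeQL upload step is resolved relative to the workspace, but as far as I recall `github/codeql-action/analyze` writes its SARIF to its `output` input, which defaults to `../results` (outside the checkout), so this step would likely find no files and, with upload-artifact v4's default `if-no-files-found: warn`, produce an empty artifact without failing the job. Giving the analyze step an explicit in-workspace location, `output: ${{ github.workspace }}/codeql-results`, pointing the artifact at `path: codeql-results/*.sarif`, and adding `if-no-files-found: error` makes a missing report fail loudly instead of silently. The same silent-empty-artifact risk applies to the SBOM and Trivy upload steps in the later hunks. Since nothing in the workflow uploads to code scanning any more, `security-events: read` in the first hunk is no longer needed and could be dropped rather than downgraded.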
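Review bot: The new SBOM step uploads `sbom.spdx.json` from the workspace root, yet the preceding step's `artifact-name: sbom.spdx.json` input suggests it is an SBOM-generating action that already publishes the file as a workflow artifact under that name and writes it to its own output location, so this step likely duplicates that upload and may not find a file at `path: sbom.spdx.json`. If a second copy is really wanted, set the generating step's output path explicitly (e.g. `output-file: sbom.spdx.json`, if that action supports it) so the two paths agree, and add `if-no-files-found: error`; otherwise drop the step and rely on `artifact-name`. The enclosing dependency-scan job starts outside the hunk, so the generating step's `uses:` line is not visible here.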
@@ -94,8 +111,10 @@ jobs:
           output: 'trivy-secrets-results.sarif'
           scanners: 'secret'
 
-      - name: Upload Trivy scan results to GitHub Security
-        uses: github/codeql-action/upload-sarif@v3
+      - name: Upload Trivy secrets results as artifact
+        uses: actions/upload-artifact@v4
         if: always()
         with:
-          sarif_file: 'trivy-secrets-results.sarif'
\ No newline at end of file
+          name: trivy-secrets-results
+          path: trivy-secrets-results.sarif
+
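Review bot: Publishing `trivy-secrets-results.sarif` as a workflow artifact changes who can read the findings: a secrets-scan SARIF carries the file, line and a snippet of each match, and workflow artifacts are downloadable by anyone who can view the run (every viewer on a public repository), whereas the code-scanning upload this step replaces was gated by `security-events` access. Consider `retention-days: 1` on this step (and the other artifact steps) so the report is not kept for the default retention period, and add `if-no-files-found: error` so a missing SARIF fails the job instead of yielding an empty artifact under `if: always()`. The Trivy step that produces the file starts above the hunk; its inputs are not visible here.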