From ee8e5b9c76f4f2ebfcc68e9a195e6346006802aa Mon Sep 17 00:00:00 2001
From: jpragyaj-svg
Date: Wed, 8 Apr 2026 06:40:59 +0000
Subject: [PATCH] ci: add Mend SCA workflow
Signed-off-by: jpragyaj-svg
---
 .github/workflows/lint.yml | 2 -
 .github/workflows/mend.yml | 85 +++++++++++++++++++++++++++++++++++++
 .github/workflows/trivy.yml | 33 --------------
 .whitesource | 6 +--
 4 files changed, 88 insertions(+), 38 deletions(-)
 create mode 100644 .github/workflows/mend.yml
 delete mode 100644 .github/workflows/trivy.yml
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 2cb6ed0e2..bb4b354c7 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -7,7 +7,6 @@ on:
 - .github/**
 - assets/**
 - docs/**
- - .whitesource
 - .yamlfmt
 - .yamllint
 push:
@@ -17,7 +16,6 @@ on:
 - .github/**
 - assets/**
 - docs/**
- - .whitesource
 - .yamlfmt
 - .yamllint
 permissions: read-all
diff --git a/.github/workflows/mend.yml b/.github/workflows/mend.yml
new file mode 100644
index 000000000..f5bfb5243
--- /dev/null
+++ b/.github/workflows/mend.yml
@@ -0,0 +1,85 @@
+---
+name: Mend SCA Security Scan
+on:
+ workflow_dispatch:
+ pull_request:
+ paths-ignore:
+ - .github/**
+ - assets/**
+ - docs/**
+ - .yamlfmt
+ - .yamllint
+ push:
+ branches:
+ - main
+ paths-ignore:
+ - .github/**
+ - assets/**
+ - docs/**
+ - .yamlfmt
+ - .yamllint
+permissions: read-all
+jobs:
+ mend-sca:
+ name: Mend dependency scan
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ security-events: write
+ env:
+ MEND_EMAIL: ${{ secrets.MEND_EMAIL }}
+ MEND_USER_KEY: ${{ secrets.MEND_USER_KEY }}
+ MEND_URL: ${{ secrets.MEND_URL }}
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+ - name: Set up Python 3.11
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+ with:
+ python-version: "3.11"
+
+ - name: Install Python dependencies
+ run: |
+ python -m pip install --upgrade pip
+ if [ -f requirements.txt ]; then pip install -r requirements.txt; fi
+
+ - name: Download and install Mend CLI
+ run: |
+ curl -fsSL https://downloads.mend.io/cli/linux_amd64/mend -o /usr/local/bin/mend
+ chmod +x /usr/local/bin/mend
+ mend version
+
+ - name: Run Mend dependency scan
+ id: mend_scan
+ continue-on-error: true
+ run: |
+ mend dep --dir . --scope "ansible-collection-netscaleradc" --non-interactive --export-results mend-results.json
+
+ - name: Convert results to SARIF
+ if: always() && steps.mend_scan.outcome != 'skipped'
+ continue-on-error: true
+ run: |
+ mend dep --dir . --scope "ansible-collection-netscaleradc" --non-interactive --format sarif --filename mend-output.sarif || true
+
+ - name: Upload Mend SARIF to GitHub Security tab
+ if: always() && hashFiles('mend-output.sarif') != ''
+ uses: github/codeql-action/upload-sarif@256d634097be96e792d6764f9edaefc4320557b1 # v4
+ with:
+ sarif_file: mend-output.sarif
+
+ - name: Upload scan results as artifact
+ if: always()
+ uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+ with:
+ name: mend-scan-results
+ path: |
+ mend-results.json
+ mend-output.sarif
+ retention-days: 30
+
+ - name: Fail on scan errors
+ if: steps.mend_scan.outcome == 'failure'
+ run: |
+ echo "::error::Mend dependency scan found vulnerabilities or encountered errors."
+ exit 1
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
deleted file mode 100644
index cba265231..000000000
--- a/.github/workflows/trivy.yml
+++ /dev/null
@@ -1,33 +0,0 @@
----
-name: Trivy Security Check
-on:
- push:
- branches:
- - main
- pull_request:
-permissions: read-all
-jobs:
- trivy-check:
- runs-on: ubuntu-latest
- permissions:
- contents: read
- security-events: write
- steps:
- - name: Checkout code
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-
- - name: Run Trivy vulnerability scanner in repo mode
- uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
- with:
- scan-type: "fs"
- ignore-unfixed: true
- exit-code: '1'
- format: "sarif"
- output: "trivy-results.sarif"
- severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
-
- - name: Upload Trivy scan results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@256d634097be96e792d6764f9edaefc4320557b1 # v4
- if: always()
- with:
- sarif_file: "trivy-results.sarif"
diff --git a/.whitesource b/.whitesource
index bb071b4a2..bc5a0e17c 100644
--- a/.whitesource
+++ b/.whitesource
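Review bot: The Mend CLI is fetched from an unversioned URL and executed with no integrity check in the `Download and install Mend CLI` step, while every action in the same job is SHA-pinned, so the scanner itself is the one unpinned input the job trusts. Pin a specific CLI release and verify it before `chmod +x`, e.g. `echo "<EXPECTED_SHA256>  /usr/local/bin/mend" | sha256sum -c` with the hash recorded next to the workflow (placeholder; take the value from the vendor's published checksums). The job-level `env:` also exposes `MEND_EMAIL`, `MEND_USER_KEY` and `MEND_URL` to the `Install Python dependencies` step, which executes whatever `requirements.txt` pulls in; moving the `env:` block onto the two `mend dep` steps keeps the credentials out of that step's process environment. On `pull_request` runs from forks the `secrets.MEND_*` values are empty, so if the CLI needs them to authenticate, the scan step fails and `Fail on scan errors` reports that as vulnerabilities; separating an auth or network error from findings in that message, or skipping the job when `MEND_USER_KEY` is empty, would make the check's verdict trustworthy. Neither trigger is a `schedule:`, so dependencies that gain a CVE without any code change are never rescanned; a periodic cron run is the usual complement to the push/PR triggers.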
@@ -6,10 +6,10 @@
 "baseBranches": []
 },
 "scanSettingsSAST": {
- "enableScan": false,
- "scanPullRequests": false,
+ "enableScan": true,
+ "scanPullRequests": true,
 "incrementalScan": true,
- "baseBranches": [],
+ "baseBranches": ["main"],
 "snippetSize": 10
 },
 "checkRunSettings": {
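Review bot: Enabling `scanSettingsSAST` with `"scanPullRequests": true` and `"baseBranches": ["main"]` is a scope change that the subject line (`ci: add Mend SCA workflow`) does not mention, and the sibling block above it (its key is outside the hunk) still carries `"baseBranches": []`, so the two scan settings now disagree on which branches are baselines. If the empty list is intentional for the other block, a short sentence in the commit description would save the next reader the question; otherwise align it to `["main"]` as well.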