From ab9ed6b0460b54dc5fa831794ec41e025b19a7bf Mon Sep 17 00:00:00 2001
From: GabrielVasilescu04
Date: Tue, 7 Oct 2025 16:58:17 +0300
Subject: [PATCH] chore: add security scans
---
 .github/workflows/ci.yml | 2 +-
 .pipelines/security-scans.yml | 49 +++++++++++++++++++++++++++++++++++
 .pipelines/variables.yml | 2 ++
 3 files changed, 52 insertions(+), 1 deletion(-)
 create mode 100644 .pipelines/security-scans.yml
 create mode 100644 .pipelines/variables.yml
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 10192fb7f..383039232 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -19,4 +19,4 @@ jobs:
 uses: ./.github/workflows/lint.yml
 test:
- uses: ./.github/workflows/test.yml
+ uses: ./.github/workflows/test.yml
\ No newline at end of file
diff --git a/.pipelines/security-scans.yml b/.pipelines/security-scans.yml
new file mode 100644
index 000000000..4895d04cb
--- /dev/null
+++ b/.pipelines/security-scans.yml
@@ -0,0 +1,49 @@
+trigger:
+ branches:
+ include:
+ - main
+
+pr: none
+
+resources:
+ repositories:
+ - repository: codeql
+ type: github
+ name: UiPath/AzurePipelinesTemplates
+ ref: refs/tags/uipath.security.codeql.1.9.5
+ endpoint: UiPath
+ - repository: fossa
+ type: github
+ name: UiPath/AzurePipelinesTemplates
+ ref: refs/tags/uipath.security.fossa.3.0.13
+ endpoint: UiPath
+
+variables:
+ - template: ./variables.yml
+
+stages:
+ - stage: FOSSA
+ dependsOn: []
+ jobs:
+ - job: FOSSA
+ steps:
+ - template: Security/fossa.steps.yml@fossa
+ parameters:
+ OS: linux
+ azureSubscription: $(azureInternalProductionEaConnectionName)
+ FOSSAFlags: '--project "Agent Hub" --branch "$(Build.SourceBranch)" --revision "$(Build.SourceVersion)-$(Build.BuildId)"'
+ FOSSATestFlags: '--project "Agent Hub" --revision "$(Build.SourceVersion)-$(Build.BuildId)"'
+ ${{ if contains(variables['Build.SourceBranch'], 'main') }}:
+ publishSecurityReports: true
+
+
+ - stage: CODEQL
+ dependsOn: []
+ jobs:
+ - job: CODEQL
+ steps:
+ - template: Security/codeql.interpreted.steps.yml@codeql
+ parameters:
+ os: 'linux64'
+ language: 'python'
+ azureSubscription: $(azureInternalProductionEaConnectionName)
\ No newline at end of file
diff --git a/.pipelines/variables.yml b/.pipelines/variables.yml
new file mode 100644
index 000000000..203be10e1
--- /dev/null
+++ b/.pipelines/variables.yml
@@ -0,0 +1,2 @@
+variables:
+ azureInternalProductionEaConnectionName: Internal-Production-EA
\ No newline at end of file
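Review bot: The compile-time condition `${{ if contains(variables['Build.SourceBranch'], 'main') }}` guarding `publishSecurityReports: true` in the FOSSA stage is a substring test, so a ref whose name merely contains `main` (e.g. a `maintenance/...` or `feature/remain-...` branch, which as far as I can tell nothing here prevents from being run manually despite the `main`-only trigger and `pr: none`) would also publish reports; an exact match, `${{ if eq(variables['Build.SourceBranch'], 'refs/heads/main') }}:`, states what is meant. A second, smaller point is that both template repositories are pinned to tags (`refs/tags/uipath.security.codeql.1.9.5`, `refs/tags/uipath.security.fossa.3.0.13`) and tags can be moved, so if org policy allows it pin `ref` to the tag's commit SHA and keep the tag name in a comment above each `ref:` line, otherwise add a comment noting these are the trusted template versions and how they are bumped. Because the pipeline has `pr: none` and only triggers on `main`, CodeQL and FOSSA run post-merge and findings surface only after the change has landed; consider whether at least the CodeQL stage should also gate pull requests. The new file also lacks a trailing newline.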