feat: Adding AquaSec Night Scan workflow

[tmikula-dev]

Overview

This pull request introduces a new scheduled workflow for nightly AquaSec security scans. The workflow is set up to run automatically at a specified time and can also be triggered manually with configurable options.

Release Notes

• This PR adds a night security scan that promotes AquaSec findings in the repository into GH issues.

Related

Closes #167

Summary by CodeRabbit

• Chores
  • Added automated nightly security scanning to identify high-severity vulnerabilities. The scan can also be triggered manually when needed.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 938421a7-5f99-4d35-b98c-b67aac4f73b4

📥 Commits

Reviewing files that changed from the base of the PR and between 9aca742 and 1cade80.

📒 Files selected for processing (1)

• .github/workflows/aquasec-night-scan.yml

---

Walkthrough

A new GitHub Actions workflow file .github/workflows/aquasec-night-scan.yml is added. It runs on a nightly cron schedule and supports manual workflow_dispatch with a dry-run input. It enforces concurrency cancellation per ref, applies least-privilege permissions, and delegates execution to a pinned revision of the AbsaOSS/organizational-workflows reusable workflow with Aqua credentials and scan parameters passed as secrets and inputs.

Changes

AquaSec Night Scan Workflow

Layer / File(s)	Summary
Triggers, concurrency, and permissions .github/workflows/aquasec-night-scan.yml	Adds workflow name, nightly cron (23 2 * * *) and workflow_dispatch triggers with a dry-run boolean input defaulting to false, a concurrency group scoped to the ref with cancel-in-progress: true, and permissions limited to contents: read, actions: read, issues: write.
Reusable workflow call and secret wiring .github/workflows/aquasec-night-scan.yml	Defines the aquasec-night-scan job calling AbsaOSS/organizational-workflows/.github/workflows/aquasec-scan.yml at a pinned commit SHA, wiring dry-run, min-severity: high, project-number, and project-org as inputs, and forwarding AQUA_KEY, AQUA_SECRET, AQUA_GROUP_ID, AQUA_REPOSITORY_ID, and TEAMS_WEBHOOK_URL as secrets.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Suggested reviewers

• ABMC831
• Zejnilovic
• petr-pokorny-absa
• lsulak
• miroslavpojer

Poem

🐇 A rabbit checks the night sky with care,
Aqua scan runs while no one is there,
High severity found? An issue is made,
Secrets stay tucked in a secure arcade.
Each midnight the workflow hops right on cue! 🌙

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically describes the main change: adding a new AquaSec Night Scan workflow file to the repository.
Description check	✅ Passed	The PR description follows the template with Overview, Release Notes, and Related sections all properly filled out with relevant details about the workflow and linked issue #167.
Linked Issues check	✅ Passed	The PR implementation meets all primary objectives from issue #167: the aquasec-night-scan.yml workflow has been created to run daily, it uses the reusable workflow to fetch AquaSec findings and create GitHub issues, and required repository labels and secrets are configured.
Out of Scope Changes check	✅ Passed	All changes are directly related to implementing the AquaSec Night Scan workflow as specified in issue #167; no extraneous modifications to unrelated functionality are present.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feature/167-adding-security-solution-workflow

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[tmikula-dev]

The result of a dry-run for this repository is following:

2026-06-18 10:07:52 - INFO - Security [DRY-RUN] - Sync complete:
Security [DRY-RUN] - Parent issues - created: 3
Security [DRY-RUN] - Child issues - created: 3, linked: 3

As a part of the solution, there were three labels created:

• scope:security
• type:tech-debt
• sec:adept-to-close

As a part of the solution, there were two Action secrets added:

• AQUA_GROUP_ID
• AQUA_REPOSITORY_ID