From b818e0ef526862cbc9ade61410b93eae6db59053 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E2=80=9Cdevengine-mp=E2=80=9D?= Date: Thu, 11 Dec 2025 20:42:44 -0500 Subject: [PATCH 01/22] Added Helm chart for voting app --- .DS_Store | Bin 0 -> 10244 bytes voting-app/.DS_Store | Bin 0 -> 6148 bytes voting-app/.helmignore | 23 +++ voting-app/Chart.yaml | 24 +++ voting-app/templates/.DS_Store | Bin 0 -> 8196 bytes .../templates}/db-deployment.yaml | 0 .../templates}/db-service.yaml | 0 .../templates}/redis-deployment.yaml | 0 .../templates}/redis-service.yaml | 0 .../templates}/result-deployment.yaml | 0 .../templates}/result-service.yaml | 0 .../templates}/vote-deployment.yaml | 0 .../templates}/vote-service.yaml | 0 .../templates}/worker-deployment.yaml | 0 voting-app/values.yaml | 161 ++++++++++++++++++ 15 files changed, 208 insertions(+) create mode 100644 .DS_Store create mode 100644 voting-app/.DS_Store create mode 100644 voting-app/.helmignore create mode 100644 voting-app/Chart.yaml create mode 100644 voting-app/templates/.DS_Store rename {k8s-specifications => voting-app/templates}/db-deployment.yaml (100%) rename {k8s-specifications => voting-app/templates}/db-service.yaml (100%) rename {k8s-specifications => voting-app/templates}/redis-deployment.yaml (100%) rename {k8s-specifications => voting-app/templates}/redis-service.yaml (100%) rename {k8s-specifications => voting-app/templates}/result-deployment.yaml (100%) rename {k8s-specifications => voting-app/templates}/result-service.yaml (100%) rename {k8s-specifications => voting-app/templates}/vote-deployment.yaml (100%) rename {k8s-specifications => voting-app/templates}/vote-service.yaml (100%) rename {k8s-specifications => voting-app/templates}/worker-deployment.yaml (100%) create mode 100644 voting-app/values.yaml 
diff --git a/.DS_Store b/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..7c8474542cae15eeb44cee58906c56849a1389fa GIT binary patch literal 10244 zcmeHML2nyH6n>M2#BNf$NfRIiq*Z-EYFZLV2@*neomgN2O%z8Vp)F?Z-MCBEJJ#+x zZW=}M4}b&Q;m(yKTsU&!$_*j$2jCA>;d`^|cD*rb%b}uWCYpV3XWsXA=UeX=zcCSs zQpa8-GKnaM&eoX3VMyb7?kCzvGBN`zfG2V(B8M6{c1}d=0nLDBKr^5j&{tFD? ze>S(=L~Qj@GoTsJ4BTgc^}$4ETTE;(wn{p1P$dBDD27#ok2*kM%)}NG+l#G&B4=DZ zhy*H<5<|pr%$pnzTTE;(wlSPU3@4FXStJ#TP*(@eRN*9wvDHV-fM(z%16;emOcn*G z+HVik?*S_L%jkD7W08kB8&MW@G1?}dniWqr>Yl741HW`7^vlPp!6TYOyaaX+IRd%_ zPf`m=NukQ@;>@BZ{16!raOPz)exJ!W{g8}9a)=9=97ZNbh`kC+-R01G5MO8TlVHhF zd_?e=Gv4pmqj2!vM_8WHY)m8OZLIVXdRt*!+6AY~Z3HX9Xf{XiZ*tVTVLN#$Kh)cv z8%7HYzlxDlqtA_v=f-mrxm(rSvRjR;s1uf~;0B*yTS&@EZxxN!9 zfNMJlx%si{+p=4d9p4TWwi-|5^0|D?IDdG!_{Q?my!qzh^3l9`xVUiT%Dnm3((=(! zJ~vx<{hf{4p4al_7g!mZNW`4Z#OL>qU&4DN#@xn!vRd&=f3?3GMt{Be(-V_toPX;BgfUu~ z#&jlh!?8boFtmBlM$F8E0hR8(z;S$)Z*6xsbfWE)zf&{LhK)da-ntCk$d&%i%@9wa z5;?7kzbkRYeLR7+Hcy3HP7uPLz--_0th(c^`6U@evbAFcf#o-y(g8sg^qtpY$Dl&&pdMgNNHsFDl{_(Ga$9#pf}8r2heUHOZG45yE+- z55Rsk@IC1_5zo2C=|if}3YFU}X?2Nom9=?L$7W z@j4i%Bq$wsI*D^xypi345VbQHmYj!To*9W5%7~VfXID~&KJbi$jNu!O#0#sww`5)q z7LfGofm7Wy1DXNNfM!55@RTudD!yNn_y5cP{QLh?wkmzQngPwg<1ipbSF5WfAo|sK z7R;MjCi-XS+&HcmTLr;^LwH;DUXd|yC=9uG~mP1_;V3jDk ztUt7z5^ET&=9D}Un+*&~Oo`>y(Y?L&wVA1L?Rt7xyLx#>|qcSv8&tNmWlWwyP@Jj=J3v%2mf=NX??GR`K$73;|N zLY14m73zA39Wl8L+bmFf!7-Tcv&yRJx~5a6#t!%7*^10rbScl2vry-INzHx__)O{d zTgsI{Q6Uv5cw;46nnaTNVCzDUEj!Giv6Q|jO$v;`ZFm4HunoKL5?;d_cn=@p3w(ng zq=$@<%Vdm9ky~Vz+#?zCh!jbQSmbFCA8EbrOERAX;-PZP>#k>A$7W6$tvoUgbu0@T zYFH%R!3BD>sK_hyJY0Y{JgLaXR^lg36vl@PgbbWI2Kf1)VdJPvYz8Qf4(uX0 zE~xX*1&*3TU1Bppw4jh66fp=T@)v^y;W)2JKV4!oz#trmSQ+!km5KaAA!2o$*MvI| zJ;1OJ83-9T%0O2zRQdgX=g8Kt%mIhHZI(+ p8K4NkPF}}C;aBl6HX&%!xPqulYzBxkDB*{Ipdsu+2L34nzX1P@1IGXW literal 0 HcmV?d00001 diff --git a/voting-app/.helmignore b/voting-app/.helmignore new file mode 100644 index 0000000000..0e8a0eb36f --- /dev/null +++ b/voting-app/.helmignore 
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/voting-app/Chart.yaml b/voting-app/Chart.yaml
new file mode 100644
index 0000000000..f2ade08a44
--- /dev/null
+++ b/voting-app/Chart.yaml
@@ -0,0 +1,24 @@
+apiVersion: v2
+name: voting-app
+description: A Helm chart for Kubernetes
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "1.16.0"
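Review bot: `.DS_Store` is excluded here only from the packaged chart, while the same commit adds three `.DS_Store` binaries to the repository itself (`.DS_Store`, `voting-app/.DS_Store` and `voting-app/templates/.DS_Store` in the diffstat), so the Finder metadata still ships with every clone and will keep showing up in future diffs. Add `.DS_Store` to the repository's `.gitignore` and drop the three files from this commit; `.helmignore` does not stop git from tracking them. The remainder of the file is the unmodified `helm create` scaffold and is fine as is.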
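Review bot: `description: A Helm chart for Kubernetes` and `appVersion: "1.16.0"` are the `helm create` scaffold defaults, not values for this application, and `appVersion` is what `helm list` reports as the deployed version, so it should track the voting app's real image version (or be set at package time with `--app-version`). The diffstat also shows every template moved from `k8s-specifications/` with 100% similarity, i.e. the raw manifests were copied into `templates/` without any `.Values` references, so unless the 161-line `values.yaml` (not visible in this excerpt) is wired into them it has no effect on what renders. A one-line comment in Chart.yaml saying the chart is currently a thin wrapper around static manifests would save the next maintainer from editing values that are never read.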
diff --git a/voting-app/templates/.DS_Store b/voting-app/templates/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..61a031043e0b8f46a007f6050138d82b068bd560 GIT binary patch literal 8196 zcmeHMO-~a+7=EXsY^BN~pkOrF*oz4SK|v12SgS^fQHUi7e%0-EC@ag%W_JrBA?Xj$ zgWmP-)uUcKdhzPbnD__u4;X#tqgoc~(HNZ}Gtav-?=v6Iq_g`D06>cM>KMQP09cp> z+Fe-ekVL!4+fqi?4GQ2pTO_N^dtbGh z(kNgQ_%9U@=YxY;U_oO;p*%XUkRbqK2Ug33HpT&x<7g~sY$%je>{CS#L{o_lF^HmL zyCd8Y3mO{=6&;A81JNTB9ib38I`SOp4y2&altuxgz;*>h?4E-%EMepxY>D4P2&Mw= zRRUf?AMvv)VjlS}6IuY>P(>E{0f%*1L7QRRKZ3T4Pigk66x+fvL-cIpPmZPh_oIJ; ze<9v5aHyk2+j5_!xH<4~ZZ%|5yqysD6Fbf^BMz0;6=vZ&Ov5Z(f)a8PcnHZ>O)^o6 zk;C4_9mpz<=(V3==5vbIo8r01_T)N$r>WSH7cD!oTdERc8E>5@2=&`|R@UNB@AB(P z82E8AI{JZRc6IFD(`j{DUDn;w5??DNZc>knZgg8b&2k=8nzmb+^XXdI?z_NQ;`)q6 zlHgY~DH;F{a6Ui@i{`yJIinK`_H(Kk+$RxD%t+Qwd#} zVv8I{Tt%IyL(vq^(I`gT#+knxxD^^qvm#FtzOvv(k;`hdxGp?JZyske5fwen`)G@` z^qEb<>LypT!R5 t`n}6(AZFjEtt$jfRw=$Mu9)7zz Date: Thu, 11 Dec 2025 22:17:12 -0500 Subject: [PATCH 02/22] Create sysdig-inline-scan.yml --- .github/workflows/sysdig-inline-scan.yml | 88 ++++++++++++++++++++++++ 1 file changed, 88 insertions(+) create mode 100644 .github/workflows/sysdig-inline-scan.yml diff --git a/.github/workflows/sysdig-inline-scan.yml b/.github/workflows/sysdig-inline-scan.yml new file mode 100644 index 0000000000..f0d25cec50 --- /dev/null +++ b/.github/workflows/sysdig-inline-scan.yml 
@@ -0,0 +1,88 @@ +name: Sysdig Inline Image Scan + +on: + push: + branches: [ "main" ] + pull_request: + branches: [ "main" ] + +jobs: + build-and-scan: + runs-on: ubuntu-latest + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + ############################################################ + # Authenticate Sysdig CLI Scanner + ############################################################ + - name: Download Sysdig CLI Scanner + run: | + curl -sLo sysdig-cli-scanner \ + https://download.sysdig.com/scanner/sysdig-cli-scanner/latest/sysdig-cli-scanner-linux-amd64 + chmod +x sysdig-cli-scanner + + - name: Verify Sysdig API token exists + run: | + if [ -z "${{ secrets.SYSDIG_SECURE_TOKEN }}" ]; then + echo "ERROR: Missing SYSDIG_SECURE_TOKEN secret" + exit 1 + fi + + ############################################################ + # Build Docker images for vote, worker, result + ############################################################ + + - name: Build vote image + run: docker build -t vote-app:latest ./vote + + - name: Build worker image + run: docker build -t worker-app:latest ./worker + + - name: Build result image + run: docker build -t result-app:latest ./result + + ############################################################ + # Scan Images with Sysdig CLI Scanner + ############################################################ + + - name: Scan vote image + run: | + ./sysdig-cli-scanner \ + --apiurl https://secure.sysdig.com \ + --token ${{ secrets.SYSDIG_SECURE_TOKEN }} \ + --output vote-scan.json \ + docker://vote-app:latest + + - name: Scan worker image + run: | + ./sysdig-cli-scanner \ + --apiurl https://secure.sysdig.com \ + --token ${{ secrets.SYSDIG_SECURE_TOKEN }} \ + --output worker-scan.json \ + docker://worker-app:latest + + - name: Scan result image + run: | + ./sysdig-cli-scanner \ + --apiurl https://secure.sysdig.com \ + --token ${{ secrets.SYSDIG_SECURE_TOKEN 
}} \ + --output result-scan.json \ + docker://result-app:latest + + ############################################################ + # Upload scan results as GitHub artifacts + ############################################################ + + - name: Upload Sysdig scan results + uses: actions/upload-artifact@v4 + with: + name: sysdig-scan-reports + path: | + vote-scan.json + worker-scan.json + result-scan.json From ede953a9992f6369bb455d6a7d293de999d88f5a Mon Sep 17 00:00:00 2001 From: devengine-mp Date: Thu, 11 Dec 2025 22:25:07 -0500 Subject: [PATCH 03/22] Update sysdig-inline-scan.yml --- .github/workflows/sysdig-inline-scan.yml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/.github/workflows/sysdig-inline-scan.yml b/.github/workflows/sysdig-inline-scan.yml index f0d25cec50..f512e53a1a 100644 --- a/.github/workflows/sysdig-inline-scan.yml +++ b/.github/workflows/sysdig-inline-scan.yml @@ -22,10 +22,14 @@ jobs: ############################################################ - name: Download Sysdig CLI Scanner run: | - curl -sLo sysdig-cli-scanner \ - https://download.sysdig.com/scanner/sysdig-cli-scanner/latest/sysdig-cli-scanner-linux-amd64 + curl -L \ + -H "User-Agent: Sysdig-GitHub-Actions" \ + -o sysdig-cli-scanner \ + https://download.sysdig.com/scanner/sysdig-cli-scanner/latest/release/sysdig-cli-scanner-linux-amd64 + chmod +x sysdig-cli-scanner + - name: Verify Sysdig API token exists run: | if [ -z "${{ secrets.SYSDIG_SECURE_TOKEN }}" ]; then From 7c4d4a2b263e575e5168ce82d19f126aac61a6a2 Mon Sep 17 00:00:00 2001 From: devengine-mp Date: Thu, 11 Dec 2025 22:39:46 -0500 Subject: [PATCH 04/22] Update sysdig-inline-scan.yml --- .github/workflows/sysdig-inline-scan.yml | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/.github/workflows/sysdig-inline-scan.yml b/.github/workflows/sysdig-inline-scan.yml index f512e53a1a..c23a2be61d 100644 --- a/.github/workflows/sysdig-inline-scan.yml 
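Review bot: The three scan steps put the API token on the scanner's command line (`--token ${{ secrets.SYSDIG_SECURE_TOKEN }}`), so it sits in the runner's process table for anything else running in the job and would be printed verbatim if the shell were ever traced; pass it through the step's `env:` instead, e.g. `env:` / `SECURE_API_TOKEN: ${{ secrets.SYSDIG_SECURE_TOKEN }}`, and let the scanner read it from the environment. The `pull_request` trigger is a second problem: pull requests from forks run without repository secrets, so the "Verify Sysdig API token exists" step fails every outside contribution instead of skipping the scan; gate the job on `github.event.pull_request.head.repo.full_name == github.repository` or make the check advisory. The workflow also declares no `permissions:` block, so it runs with the repository's default token scope although `contents: read` is all these steps need.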
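Review bot: The rewritten download still has no `-f`, so an HTTP error page from download.sysdig.com is saved as `sysdig-cli-scanner`, `chmod +x` succeeds, and the failure only surfaces as a confusing exec error in the scan step; use `curl -fsSL -o sysdig-cli-scanner ...` so the download step itself fails on a non-2xx response. Dropping `-s` only re-enables the progress meter in the log and does not change error handling.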
+++ b/.github/workflows/sysdig-inline-scan.yml @@ -17,19 +17,16 @@ jobs: - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 + ############################################################ - # Authenticate Sysdig CLI Scanner + # Download & install Sysdig CLI Scanner (reliable method) ############################################################ + - name: Download Sysdig CLI Scanner run: | - curl -L \ - -H "User-Agent: Sysdig-GitHub-Actions" \ - -o sysdig-cli-scanner \ - https://download.sysdig.com/scanner/sysdig-cli-scanner/latest/release/sysdig-cli-scanner-linux-amd64 - + curl -LO "https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/$(curl -L -s https://download.sysdig.com/scanning/sysdig-cli-scanner/latest_version.txt)/linux/amd64/sysdig-cli-scanner" chmod +x sysdig-cli-scanner - - name: Verify Sysdig API token exists run: | if [ -z "${{ secrets.SYSDIG_SECURE_TOKEN }}" ]; then From befa689b271eb98a7bbf2bced429e3073614f2de Mon Sep 17 00:00:00 2001 From: devengine-mp Date: Thu, 11 Dec 2025 23:03:33 -0500 Subject: [PATCH 05/22] Update sysdig-inline-scan.yml --- .github/workflows/sysdig-inline-scan.yml | 112 ++++++++++------------- 1 file changed, 47 insertions(+), 65 deletions(-) diff --git a/.github/workflows/sysdig-inline-scan.yml b/.github/workflows/sysdig-inline-scan.yml index c23a2be61d..5d9729e850 100644 --- a/.github/workflows/sysdig-inline-scan.yml +++ b/.github/workflows/sysdig-inline-scan.yml 
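Review bot: The new download step resolves the scanner version at run time from `latest_version.txt` and executes whatever binary comes back, with no pinned version and no checksum, and the following steps then hand that binary the Sysdig Secure API token; anyone able to influence that download path controls code that runs with the secret, and a transient failure of the inner `curl -s` leaves an empty version segment and a malformed URL that the outer `curl -LO` will not reject. Pin the version in a workflow variable, verify a recorded SHA-256 before `chmod +x`, and add `-f` to both curl calls so an HTTP error cannot be mistaken for a binary. The checksum has to be taken from Sysdig's release for the pinned version; the fence below uses placeholders rather than inventing one.

```yaml
      - name: Download Sysdig CLI Scanner
        env:
          SCANNER_VERSION: "x.y.z"  # pinned on purpose; bump deliberately, not via latest_version.txt
          SCANNER_SHA256: "<sha256 of the pinned linux/amd64 binary>"
        run: |
          set -euo pipefail
          curl -fsSL -o sysdig-cli-scanner \
            "https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/${SCANNER_VERSION}/linux/amd64/sysdig-cli-scanner"
          echo "${SCANNER_SHA256}  sysdig-cli-scanner" | sha256sum --check --strict
          chmod +x sysdig-cli-scanner
```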
@@ -1,43 +1,18 @@ -name: Sysdig Inline Image Scan +name: Sysdig Voting App Scan on: - push: - branches: [ "main" ] - pull_request: - branches: [ "main" ] + workflow_dispatch: jobs: - build-and-scan: + scan-voting-app: runs-on: ubuntu-latest steps: - - name: Checkout repository + #1 Checkout repo + - name: Check out repository uses: actions/checkout@v4 - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - - ############################################################ - # Download & install Sysdig CLI Scanner (reliable method) - ############################################################ - - - name: Download Sysdig CLI Scanner - run: | - curl -LO "https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/$(curl -L -s https://download.sysdig.com/scanning/sysdig-cli-scanner/latest_version.txt)/linux/amd64/sysdig-cli-scanner" - chmod +x sysdig-cli-scanner - - - name: Verify Sysdig API token exists - run: | - if [ -z "${{ secrets.SYSDIG_SECURE_TOKEN }}" ]; then - echo "ERROR: Missing SYSDIG_SECURE_TOKEN secret" - exit 1 - fi - - ############################################################ - # Build Docker images for vote, worker, result - ############################################################ - + #2 Build vote, worker, and result Docker images - name: Build vote image run: docker build -t vote-app:latest ./vote 
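Review bot: This top-of-file hunk adds no `permissions:` block even though the job now ends in `github/codeql-action/upload-sarif` steps (in the next hunk), so on a repository whose default `GITHUB_TOKEN` is read-only the SARIF uploads fail with a 403 and the findings never reach the Security tab; declare `permissions:` / `contents: read` / `security-events: write` next to `on:`. Switching the trigger to `workflow_dispatch` only means nothing is scanned on push or PR until someone runs it by hand — patch 06 reverts this, so it looks unintended rather than a policy decision. The removed token-presence check was the only explicit guard against an empty secret; the action steps now rely on `stop-on-processing-error: true` to surface that, which is acceptable but worth a comment.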
@@ -47,43 +22,50 @@ jobs: - name: Build result image run: docker build -t result-app:latest ./result - ############################################################ - # Scan Images with Sysdig CLI Scanner - ############################################################ - + #3 Scan vote image using Sysdig Scan Action - name: Scan vote image - run: | - ./sysdig-cli-scanner \ - --apiurl https://secure.sysdig.com \ - --token ${{ secrets.SYSDIG_SECURE_TOKEN }} \ - --output vote-scan.json \ - docker://vote-app:latest + id: scan-vote + uses: sysdiglabs/scan-action@v4 + with: + image-tag: vote-app:latest + sysdig-secure-token: ${{ secrets.SYSDIG_SECURE_TOKEN }} + stop-on-failed-policy-eval: true + stop-on-processing-error: true + + - name: Upload vote SARIF + if: success() || failure() + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: ${{ github.workspace }}/sarif-vote.json + #4 Scan worker image - name: Scan worker image - run: | - ./sysdig-cli-scanner \ - --apiurl https://secure.sysdig.com \ - --token ${{ secrets.SYSDIG_SECURE_TOKEN }} \ - --output worker-scan.json \ - docker://worker-app:latest + id: scan-worker + uses: sysdiglabs/scan-action@v4 + with: + image-tag: worker-app:latest + sysdig-secure-token: ${{ secrets.SYSDIG_SECURE_TOKEN }} + stop-on-failed-policy-eval: true + stop-on-processing-error: true + + - name: Upload worker SARIF + if: success() || failure() + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: ${{ github.workspace }}/sarif-worker.json + #5 Scan result image - name: Scan result image - run: | - ./sysdig-cli-scanner \ - --apiurl https://secure.sysdig.com \ - --token ${{ secrets.SYSDIG_SECURE_TOKEN }} \ - --output result-scan.json \ - docker://result-app:latest - - ############################################################ - # Upload scan results as GitHub artifacts - ############################################################ - - - name: Upload Sysdig scan results - uses: actions/upload-artifact@v4 + id: scan-result 
+ uses: sysdiglabs/scan-action@v4 + with: + image-tag: result-app:latest + sysdig-secure-token: ${{ secrets.SYSDIG_SECURE_TOKEN }} + stop-on-failed-policy-eval: true + stop-on-processing-error: true + + - name: Upload result SARIF + if: success() || failure() + uses: github/codeql-action/upload-sarif@v3 with: - name: sysdig-scan-reports - path: | - vote-scan.json - worker-scan.json - result-scan.json + sarif_file: ${{ github.workspace }}/sarif-result.json From 24619957739b8fb08f739e8cf3662f7904615dc9 Mon Sep 17 00:00:00 2001 From: devengine-mp Date: Thu, 11 Dec 2025 23:10:25 -0500 Subject: [PATCH 06/22] Update sysdig-inline-scan.yml --- .github/workflows/sysdig-inline-scan.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/sysdig-inline-scan.yml b/.github/workflows/sysdig-inline-scan.yml index 5d9729e850..993d1e6a20 100644 --- a/.github/workflows/sysdig-inline-scan.yml +++ b/.github/workflows/sysdig-inline-scan.yml @@ -1,7 +1,10 @@ name: Sysdig Voting App Scan on: - workflow_dispatch: + push: + branches: [ "main" ] + pull_request: + branches: [ "main" ] jobs: scan-voting-app: From 95f42a0c9943b081b32ac78039b81510eb38fe9e Mon Sep 17 00:00:00 2001 From: devengine-mp Date: Thu, 11 Dec 2025 23:18:00 -0500 Subject: [PATCH 07/22] Update sysdig-inline-scan.yml --- .github/workflows/sysdig-inline-scan.yml | 96 ++++++++++++------------ 1 file changed, 48 insertions(+), 48 deletions(-) diff --git a/.github/workflows/sysdig-inline-scan.yml b/.github/workflows/sysdig-inline-scan.yml index 993d1e6a20..7bb42d6b15 100644 --- a/.github/workflows/sysdig-inline-scan.yml +++ b/.github/workflows/sysdig-inline-scan.yml @@ -1,4 +1,4 @@ -name: Sysdig Voting App Scan +name: Sysdig Inline Image Scan on: push: 
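Review bot: The three `upload-sarif` steps share one tool and one commit but set no `category`, so code scanning treats them as repeated runs of the same analysis and keeps only the last one processed (the result image); add `category: sysdig-vote`, `category: sysdig-worker` and `category: sysdig-result` to the three `with:` blocks. The `sarif_file` paths (`sarif-vote.json`, `sarif-worker.json`, `sarif-result.json`) are not produced by anything in this hunk — the scan steps are not told where to write — and patch 10 later changes all three to `sarif.json`, which is consistent with the action emitting a single fixed-name file, so as written these uploads would fail on a missing file.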
@@ -7,15 +7,25 @@ on: branches: [ "main" ] jobs: - scan-voting-app: + build-and-scan: runs-on: ubuntu-latest steps: - #1 Checkout repo - - name: Check out repository + #1 Checkout your forked repo + - name: Checkout repository uses: actions/checkout@v4 - #2 Build vote, worker, and result Docker images + #2 Setup Docker Buildx + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + #3 Download latest Sysdig CLI Scanner + - name: Download Sysdig CLI Scanner + run: | + curl -LO "https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/$(curl -L -s https://download.sysdig.com/scanning/sysdig-cli-scanner/latest_version.txt)/linux/amd64/sysdig-cli-scanner" + chmod +x sysdig-cli-scanner + + #4 Build Docker images for vote, worker, result - name: Build vote image run: docker build -t vote-app:latest ./vote 
@@ -25,50 +35,40 @@ jobs: - name: Build result image run: docker build -t result-app:latest ./result - #3 Scan vote image using Sysdig Scan Action - - name: Scan vote image - id: scan-vote - uses: sysdiglabs/scan-action@v4 - with: - image-tag: vote-app:latest - sysdig-secure-token: ${{ secrets.SYSDIG_SECURE_TOKEN }} - stop-on-failed-policy-eval: true - stop-on-processing-error: true + #5 Scan images with Sysdig CLI Scanner + - name: Scan vote image with Sysdig + env: + SYSDIG_API_TOKEN: ${{ secrets.SYSDIG_SECURE_TOKEN }} + run: | + ./sysdig-cli-scanner \ + --apiurl https://secure.sysdig.com \ + --output vote-scan.json \ + docker://vote-app:latest - - name: Upload vote SARIF - if: success() || failure() - uses: github/codeql-action/upload-sarif@v3 - with: - sarif_file: ${{ github.workspace }}/sarif-vote.json + - name: Scan worker image with Sysdig + env: + SYSDIG_API_TOKEN: ${{ secrets.SYSDIG_SECURE_TOKEN }} + run: | + ./sysdig-cli-scanner \ + --apiurl https://secure.sysdig.com \ + --output worker-scan.json \ + docker://worker-app:latest - #4 Scan worker image - - name: Scan worker image - id: scan-worker - uses: sysdiglabs/scan-action@v4 - with: - image-tag: worker-app:latest - sysdig-secure-token: ${{ secrets.SYSDIG_SECURE_TOKEN }} - stop-on-failed-policy-eval: true - stop-on-processing-error: true - - - name: Upload worker SARIF - if: success() || failure() - uses: github/codeql-action/upload-sarif@v3 - with: - sarif_file: ${{ github.workspace }}/sarif-worker.json - - #5 Scan result image - - name: Scan result image - id: scan-result - uses: sysdiglabs/scan-action@v4 - with: - image-tag: result-app:latest - sysdig-secure-token: ${{ secrets.SYSDIG_SECURE_TOKEN }} - stop-on-failed-policy-eval: true - stop-on-processing-error: true + - name: Scan result image with Sysdig + env: + SYSDIG_API_TOKEN: ${{ secrets.SYSDIG_SECURE_TOKEN }} + run: | + ./sysdig-cli-scanner \ + --apiurl https://secure.sysdig.com \ + --output result-scan.json \ + docker://result-app:latest - - 
name: Upload result SARIF - if: success() || failure() - uses: github/codeql-action/upload-sarif@v3 + # 6️⃣ Upload Sysdig scan results as artifacts + - name: Upload Sysdig scan results + uses: actions/upload-artifact@v4 with: - sarif_file: ${{ github.workspace }}/sarif-result.json + name: sysdig-scan-reports + path: | + vote-scan.json + worker-scan.json + result-scan.json From 4bb853954f299ffb86cc53a7231950ca2f4654ec Mon Sep 17 00:00:00 2001 From: devengine-mp Date: Thu, 11 Dec 2025 23:30:41 -0500 Subject: [PATCH 08/22] Update sysdig-inline-scan.yml --- .github/workflows/sysdig-inline-scan.yml | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/.github/workflows/sysdig-inline-scan.yml b/.github/workflows/sysdig-inline-scan.yml index 7bb42d6b15..ec9e60214c 100644 --- a/.github/workflows/sysdig-inline-scan.yml +++ b/.github/workflows/sysdig-inline-scan.yml @@ -38,8 +38,9 @@ jobs: #5 Scan images with Sysdig CLI Scanner - name: Scan vote image with Sysdig env: - SYSDIG_API_TOKEN: ${{ secrets.SYSDIG_SECURE_TOKEN }} + SECURE_API_TOKEN: ${{ secrets.SYSDIG_SECURE_TOKEN }} run: | + chmod +x ./sysdig-cli-scanner ./sysdig-cli-scanner \ --apiurl https://secure.sysdig.com \ --output vote-scan.json \ @@ -47,8 +48,9 @@ jobs: - name: Scan worker image with Sysdig env: - SYSDIG_API_TOKEN: ${{ secrets.SYSDIG_SECURE_TOKEN }} + SECURE_API_TOKEN: ${{ secrets.SYSDIG_SECURE_TOKEN }} run: | + chmod +x ./sysdig-cli-scanner ./sysdig-cli-scanner \ --apiurl https://secure.sysdig.com \ --output worker-scan.json \ @@ -56,8 +58,9 @@ jobs: - name: Scan result image with Sysdig env: - SYSDIG_API_TOKEN: ${{ secrets.SYSDIG_SECURE_TOKEN }} + SECURE_API_TOKEN: ${{ secrets.SYSDIG_SECURE_TOKEN }} run: | + chmod +x ./sysdig-cli-scanner ./sysdig-cli-scanner \ --apiurl https://secure.sysdig.com \ --output result-scan.json \ From 8f87f71b5eb56123de23b87a41964c720a7eb3fd Mon Sep 17 00:00:00 2001 
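Review bot: The `Upload Sysdig scan results` step has no `if:` condition, so when a scan step exits non-zero the job stops and the JSON reports that would explain the failure are never uploaded; add `if: always()` to that step so the artifacts are kept on failed scans. The token is now passed as `SYSDIG_API_TOKEN` in `env:`, which is the right move off the command line, but patch 08 immediately renames it to `SECURE_API_TOKEN`, which suggests this name is not the one the scanner reads — worth a comment naming the variable the scanner documents. Dropping the SARIF uploads also removes the findings from the Security tab and leaves artifacts as the only record; if that is intended, say so in the step comment.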
From: devengine-mp Date: Thu, 11 Dec 2025 23:47:33 -0500 Subject: [PATCH 09/22] Update sysdig-inline-scan.yml --- .github/workflows/sysdig-inline-scan.yml | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/.github/workflows/sysdig-inline-scan.yml b/.github/workflows/sysdig-inline-scan.yml index ec9e60214c..f463f70b07 100644 --- a/.github/workflows/sysdig-inline-scan.yml +++ b/.github/workflows/sysdig-inline-scan.yml @@ -40,9 +40,8 @@ jobs: env: SECURE_API_TOKEN: ${{ secrets.SYSDIG_SECURE_TOKEN }} run: | - chmod +x ./sysdig-cli-scanner ./sysdig-cli-scanner \ - --apiurl https://secure.sysdig.com \ + --standalone \ --output vote-scan.json \ docker://vote-app:latest @@ -50,9 +49,8 @@ jobs: env: SECURE_API_TOKEN: ${{ secrets.SYSDIG_SECURE_TOKEN }} run: | - chmod +x ./sysdig-cli-scanner ./sysdig-cli-scanner \ - --apiurl https://secure.sysdig.com \ + --standalone \ --output worker-scan.json \ docker://worker-app:latest @@ -60,9 +58,8 @@ jobs: env: SECURE_API_TOKEN: ${{ secrets.SYSDIG_SECURE_TOKEN }} run: | - chmod +x ./sysdig-cli-scanner ./sysdig-cli-scanner \ - --apiurl https://secure.sysdig.com \ + --standalone \ --output result-scan.json \ docker://result-app:latest From 6d0ef182ec48c59cd634dbc22e37da0cb5df8f9e Mon Sep 17 00:00:00 2001 From: devengine-mp Date: Thu, 11 Dec 2025 23:55:07 -0500 Subject: [PATCH 10/22] Update sysdig-inline-scan.yml --- .github/workflows/sysdig-inline-scan.yml | 102 +++++++++++------------ 1 file changed, 50 insertions(+), 52 deletions(-) diff --git a/.github/workflows/sysdig-inline-scan.yml b/.github/workflows/sysdig-inline-scan.yml index f463f70b07..ca22e36ca6 100644 --- a/.github/workflows/sysdig-inline-scan.yml +++ b/.github/workflows/sysdig-inline-scan.yml 
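Review bot: Adding `--standalone` while still exporting `SECURE_API_TOKEN` to each step is inconsistent: as I read the flag, standalone mode scans against a local database without talking to the Sysdig Secure backend, so the secret is exposed to three steps that no longer need it, and the backend's policy evaluation and result history are lost, leaving the local JSON as the only output. If standalone is the intended mode, drop the three `env:` blocks; if backend evaluation is wanted, keep `--apiurl` and the token and drop `--standalone`. Please confirm the flag's semantics against the scanner's documentation before merging, since the hunk gives no hint which was meant.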
@@ -1,31 +1,19 @@ -name: Sysdig Inline Image Scan +name: Sysdig Voting App Image Scans on: - push: - branches: [ "main" ] - pull_request: - branches: [ "main" ] + workflow_dispatch: jobs: - build-and-scan: + build-scan-images: runs-on: ubuntu-latest steps: - #1 Checkout your forked repo - - name: Checkout repository - uses: actions/checkout@v4 - - #2 Setup Docker Buildx - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - #3 Download latest Sysdig CLI Scanner - - name: Download Sysdig CLI Scanner - run: | - curl -LO "https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/$(curl -L -s https://download.sysdig.com/scanning/sysdig-cli-scanner/latest_version.txt)/linux/amd64/sysdig-cli-scanner" - chmod +x sysdig-cli-scanner + #1 Checkout code + - name: Check out repository + uses: actions/checkout@v4 - #4 Build Docker images for vote, worker, result + #2 Build Docker images - name: Build vote image run: docker build -t vote-app:latest ./vote 
@@ -35,40 +23,50 @@ jobs: - name: Build result image run: docker build -t result-app:latest ./result - #5 Scan images with Sysdig CLI Scanner - - name: Scan vote image with Sysdig - env: - SECURE_API_TOKEN: ${{ secrets.SYSDIG_SECURE_TOKEN }} - run: | - ./sysdig-cli-scanner \ - --standalone \ - --output vote-scan.json \ - docker://vote-app:latest + #3 Scan vote image with Sysdig + - name: Scan vote image + id: scan-vote + uses: sysdiglabs/scan-action@v5 + with: + image-tag: vote-app:latest + sysdig-secure-token: ${{ secrets.SYSDIG_SECURE_TOKEN }} + stop-on-failed-policy-eval: true + stop-on-processing-error: true + + - name: Upload vote SARIF + if: success() || failure() + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: ${{ github.workspace }}/sarif.json - - name: Scan worker image with Sysdig - env: - SECURE_API_TOKEN: ${{ secrets.SYSDIG_SECURE_TOKEN }} - run: | - ./sysdig-cli-scanner \ - --standalone \ - --output worker-scan.json \ - docker://worker-app:latest + #4 Scan worker image + - name: Scan worker image + id: scan-worker + uses: sysdiglabs/scan-action@v5 + with: + image-tag: worker-app:latest + sysdig-secure-token: ${{ secrets.SYSDIG_SECURE_TOKEN }} + stop-on-failed-policy-eval: true + stop-on-processing-error: true - - name: Scan result image with Sysdig - env: - SECURE_API_TOKEN: ${{ secrets.SYSDIG_SECURE_TOKEN }} - run: | - ./sysdig-cli-scanner \ - --standalone \ - --output result-scan.json \ - docker://result-app:latest + - name: Upload worker SARIF + if: success() || failure() + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: ${{ github.workspace }}/sarif.json + + #5 Scan result image + - name: Scan result image + id: scan-result + uses: sysdiglabs/scan-action@v5 + with: + image-tag: result-app:latest + sysdig-secure-token: ${{ secrets.SYSDIG_SECURE_TOKEN }} + stop-on-failed-policy-eval: true + stop-on-processing-error: true - # 6️⃣ Upload Sysdig scan results as artifacts - - name: Upload Sysdig scan results - uses: 
actions/upload-artifact@v4 + - name: Upload result SARIF + if: success() || failure() + uses: github/codeql-action/upload-sarif@v3 with: - name: sysdig-scan-reports - path: | - vote-scan.json - worker-scan.json - result-scan.json + sarif_file: ${{ github.workspace }}/sarif.json From 20a89c6eb75813d2dfd8f308d9647dd6cbf7c4c5 Mon Sep 17 00:00:00 2001 From: devengine-mp Date: Fri, 12 Dec 2025 00:08:06 -0500 Subject: [PATCH 11/22] Update sysdig-inline-scan.yml --- .github/workflows/sysdig-inline-scan.yml | 43 +++++++++++++----------- 1 file changed, 23 insertions(+), 20 deletions(-) diff --git a/.github/workflows/sysdig-inline-scan.yml b/.github/workflows/sysdig-inline-scan.yml index ca22e36ca6..603a352887 100644 --- a/.github/workflows/sysdig-inline-scan.yml +++ b/.github/workflows/sysdig-inline-scan.yml @@ -4,16 +4,13 @@ on: workflow_dispatch: jobs: - build-scan-images: + scan-images: runs-on: ubuntu-latest steps: - - #1 Checkout code - - name: Check out repository + - name: Checkout repo uses: actions/checkout@v4 - #2 Build Docker images - name: Build vote image run: docker build -t vote-app:latest ./vote @@ -23,15 +20,17 @@ jobs: - name: Build result image run: docker build -t result-app:latest ./result - #3 Scan vote image with Sysdig - - name: Scan vote image + # Scan vote image + - name: Scan vote image (standalone) id: scan-vote - uses: sysdiglabs/scan-action@v5 + uses: sysdiglabs/scan-action@v6 with: image-tag: vote-app:latest - sysdig-secure-token: ${{ secrets.SYSDIG_SECURE_TOKEN }} - stop-on-failed-policy-eval: true + standalone: true + db-path: ./sysdig-db stop-on-processing-error: true + skip-upload: false + sysdig-secure-token: ${{ secrets.SYSDIG_SECURE_TOKEN }} - name: Upload vote SARIF if: success() || failure() 
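Review bot: With `stop-on-failed-policy-eval: true` on the vote scan, a policy failure on that image aborts the job before the worker and result images are scanned at all, and all three upload steps read the same `${{ github.workspace }}/sarif.json` with no `category`, so even when every scan runs each upload supersedes the previous one in code scanning. Running the three images as a matrix gives each image its own job, its own `sarif.json`, an independent pass/fail and a natural `category` value; the scan inputs are otherwise unchanged. The job header this rewrite touches is outside the hunk.

```yaml
  build-scan-images:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false  # one failing image must not hide results for the others
      matrix:
        app: [vote, worker, result]
    steps:
      - name: Check out repository
        uses: actions/checkout@v4

      - name: Build ${{ matrix.app }} image
        run: docker build -t ${{ matrix.app }}-app:latest ./${{ matrix.app }}

      - name: Scan ${{ matrix.app }} image
        uses: sysdiglabs/scan-action@v5
        with:
          image-tag: ${{ matrix.app }}-app:latest
          sysdig-secure-token: ${{ secrets.SYSDIG_SECURE_TOKEN }}
          stop-on-failed-policy-eval: true
          stop-on-processing-error: true

      - name: Upload ${{ matrix.app }} SARIF
        if: success() || failure()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: ${{ github.workspace }}/sarif.json
          category: sysdig-${{ matrix.app }}
```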
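Review bot: Removing `stop-on-failed-policy-eval: true` turns the vote scan into an advisory step: with only `stop-on-processing-error` left, a failed policy evaluation no longer fails the job, so the gate this workflow was meant to provide is gone unless something downstream reads the SARIF. If the intent is to keep the job green while policies are tuned, state that in the step comment and use `continue-on-error: true` on the scan step instead, which keeps the failure visible in the run summary. `standalone: true` together with `skip-upload: false` and a token also looks contradictory — in standalone mode I would not expect the action to upload to the backend at all — so please check the v6 inputs and drop whichever is not in effect.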
@@ -39,15 +38,17 @@ jobs: with: sarif_file: ${{ github.workspace }}/sarif.json - #4 Scan worker image - - name: Scan worker image + # Scan worker image + - name: Scan worker image (standalone) id: scan-worker - uses: sysdiglabs/scan-action@v5 + uses: sysdiglabs/scan-action@v6 with: image-tag: worker-app:latest - sysdig-secure-token: ${{ secrets.SYSDIG_SECURE_TOKEN }} - stop-on-failed-policy-eval: true + standalone: true + db-path: ./sysdig-db stop-on-processing-error: true + skip-upload: false + sysdig-secure-token: ${{ secrets.SYSDIG_SECURE_TOKEN }} - name: Upload worker SARIF if: success() || failure() @@ -55,15 +56,17 @@ jobs: with: sarif_file: ${{ github.workspace }}/sarif.json - #5 Scan result image - - name: Scan result image + # Scan result image + - name: Scan result image (standalone) id: scan-result - uses: sysdiglabs/scan-action@v5 + uses: sysdiglabs/scan-action@v6 with: image-tag: result-app:latest - sysdig-secure-token: ${{ secrets.SYSDIG_SECURE_TOKEN }} - stop-on-failed-policy-eval: true + standalone: true + db-path: ./sysdig-db stop-on-processing-error: true + skip-upload: false + sysdig-secure-token: ${{ secrets.SYSDIG_SECURE_TOKEN }} - name: Upload result SARIF if: success() || failure() From 352bfd1f04ccb6d3af026fcee862811f4491e3dd Mon Sep 17 00:00:00 2001 From: devengine-mp Date: Tue, 16 Dec 2025 20:34:10 -0500 Subject: [PATCH 12/22] Update sysdig-inline-scan.yml --- .github/workflows/sysdig-inline-scan.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/sysdig-inline-scan.yml b/.github/workflows/sysdig-inline-scan.yml index 603a352887..ef89ab4037 100644 --- a/.github/workflows/sysdig-inline-scan.yml +++ b/.github/workflows/sysdig-inline-scan.yml 
@@ -12,20 +12,20 @@ jobs: uses: actions/checkout@v4 - name: Build vote image - run: docker build -t vote-app:latest ./vote + run: docker build -t dockersamples/examplevotingapp_vote:latest ./vote - name: Build worker image - run: docker build -t worker-app:latest ./worker + run: docker build -t dockersamples/examplevotingapp_worker:latest ./worker - name: Build result image - run: docker build -t result-app:latest ./result + run: docker build -t dockersamples/examplevotingapp_result:latest ./result # Scan vote image - name: Scan vote image (standalone) id: scan-vote uses: sysdiglabs/scan-action@v6 with: - image-tag: vote-app:latest + image-tag: dockersamples/examplevotingapp_vote:latest standalone: true db-path: ./sysdig-db stop-on-processing-error: true @@ -43,7 +43,7 @@ jobs: id: scan-worker uses: sysdiglabs/scan-action@v6 with: - image-tag: worker-app:latest + image-tag: dockersamples/examplevotingapp_worker:latest standalone: true db-path: ./sysdig-db stop-on-processing-error: true @@ -61,7 +61,7 @@ jobs: id: scan-result uses: sysdiglabs/scan-action@v6 with: - image-tag: result-app:latest + image-tag: dockersamples/examplevotingapp_result:latest standalone: true db-path: ./sysdig-db stop-on-processing-error: true From 8dea02c10cfee4d0446a1db566f012604d676d6d Mon Sep 17 00:00:00 2001 From: devengine-mp Date: Tue, 16 Dec 2025 21:10:10 -0500 Subject: [PATCH 13/22] Update sysdig-inline-scan.yml --- .github/workflows/sysdig-inline-scan.yml | 102 ++++++++++------------- 1 file changed, 46 insertions(+), 56 deletions(-) diff --git a/.github/workflows/sysdig-inline-scan.yml b/.github/workflows/sysdig-inline-scan.yml index ef89ab4037..95e9272d48 100644 --- a/.github/workflows/sysdig-inline-scan.yml +++ b/.github/workflows/sysdig-inline-scan.yml 
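Review bot: Tagging the locally built images with the upstream Docker Hub names (`dockersamples/examplevotingapp_*:latest`) makes a local build indistinguishable from a pulled upstream image; if the scan action, or any later step, resolves the tag by pulling rather than from the local daemon, it would silently scan Sysdig's or Docker's published image instead of the code in this repository. Keeping a repository-specific name, e.g. `docker build -t voting-app/vote:${{ github.sha }} ./vote`, removes the ambiguity and also ties the scan result to the commit rather than a floating `:latest`. I cannot see from this hunk why the rename was needed, so a comment explaining it would help.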
@@ -8,68 +8,58 @@ jobs: runs-on: ubuntu-latest steps: - - name: Checkout repo - uses: actions/checkout@v4 - - - name: Build vote image - run: docker build -t dockersamples/examplevotingapp_vote:latest ./vote - - - name: Build worker image - run: docker build -t dockersamples/examplevotingapp_worker:latest ./worker - - - name: Build result image - run: docker build -t dockersamples/examplevotingapp_result:latest ./result + - uses: actions/checkout@v4 # Scan vote image - - name: Scan vote image (standalone) - id: scan-vote - uses: sysdiglabs/scan-action@v6 - with: - image-tag: dockersamples/examplevotingapp_vote:latest - standalone: true - db-path: ./sysdig-db - stop-on-processing-error: true - skip-upload: false - sysdig-secure-token: ${{ secrets.SYSDIG_SECURE_TOKEN }} + - name: Build vote image + run: docker build -t dockersamples/examplevotingapp_vote:latest vote/ - - name: Upload vote SARIF - if: success() || failure() - uses: github/codeql-action/upload-sarif@v3 - with: - sarif_file: ${{ github.workspace }}/sarif.json + - name: Scan vote image + uses: sysdiglabs/scan-action@v6 + with: + image-tag: dockersamples/examplevotingapp_vote:latest + sysdig-secure-token: ${{ secrets.SECURE_API_TOKEN }} + stop-on-failed-policy-eval: true + stop-on-processing-error: true + + - name: Upload vote SARIF + if: success() || failure() + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: ${{ github.workspace }}/sarif.json # Scan worker image - - name: Scan worker image (standalone) - id: scan-worker - uses: sysdiglabs/scan-action@v6 - with: - image-tag: dockersamples/examplevotingapp_worker:latest - standalone: true - db-path: ./sysdig-db - stop-on-processing-error: true - skip-upload: false - sysdig-secure-token: ${{ secrets.SYSDIG_SECURE_TOKEN }} + - name: Build vote image + run: docker build -t dockersamples/examplevotingapp_worker:latest worker/ + + - name: Scan worker image + uses: sysdiglabs/scan-action@v6 + with: + image-tag: 
dockersamples/examplevotingapp_worker:latest + sysdig-secure-token: ${{ secrets.SECURE_API_TOKEN }} + stop-on-failed-policy-eval: true + stop-on-processing-error: true - - name: Upload worker SARIF - if: success() || failure() - uses: github/codeql-action/upload-sarif@v3 - with: - sarif_file: ${{ github.workspace }}/sarif.json + - name: Upload worker SARIF + if: success() || failure() + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: ${{ github.workspace }}/sarif.json # Scan result image - - name: Scan result image (standalone) - id: scan-result - uses: sysdiglabs/scan-action@v6 - with: - image-tag: dockersamples/examplevotingapp_result:latest - standalone: true - db-path: ./sysdig-db - stop-on-processing-error: true - skip-upload: false - sysdig-secure-token: ${{ secrets.SYSDIG_SECURE_TOKEN }} + - name: Build result image + run: docker build -t dockersamples/examplevotingapp_result:latest result/ + + - name: Scan result image + uses: sysdiglabs/scan-action@v6 + with: + image-tag: dockersamples/examplevotingapp_result:latest + sysdig-secure-token: ${{ secrets.SECURE_API_TOKEN }} + stop-on-failed-policy-eval: true + stop-on-processing-error: true - - name: Upload result SARIF - if: success() || failure() - uses: github/codeql-action/upload-sarif@v3 - with: - sarif_file: ${{ github.workspace }}/sarif.json + - name: Upload result SARIF + if: success() || failure() + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: ${{ github.workspace }}/sarif.json From 1edccdaf2da52aae98f4bef4c78affbea6128523 Mon Sep 17 00:00:00 2001 From: devengine-mp Date: Wed, 17 Dec 2025 13:40:51 -0500 Subject: [PATCH 14/22] Create iac-scan.yml IaC File Scan --- .github/workflows/iac-scan.yml | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 .github/workflows/iac-scan.yml diff --git a/.github/workflows/iac-scan.yml b/.github/workflows/iac-scan.yml new file mode 100644 index 0000000000..a6d2eb17d3 --- /dev/null 
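Review bot: The step that builds the worker image is labelled `- name: Build vote image` (its `run:` is `docker build -t dockersamples/examplevotingapp_worker:latest worker/`), so the job log and any failure notification point at the wrong image; rename it `- name: Build worker image`. Separately, with `stop-on-failed-policy-eval: true` on each scan the first image that fails policy ends the job before the remaining images are built and scanned, so one run reports at most one failing image; if full coverage per run is wanted, the scan steps need `continue-on-error: true` and a final gate step that fails the job. The hunk also removes the `id:` fields from the scan steps, which any such gate would need again.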
+++ b/.github/workflows/iac-scan.yml @@ -0,0 +1,21 @@ +name: Sysdig IaC Scan + +on: [push, pull_request] + +jobs: + iac-scan: + runs-on: ubuntu-latest + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Scan infrastructure + uses: sysdiglabs/scan-action@v6 + with: + sysdig-secure-token: ${{ secrets.SECURE_API_TOKEN }} + sysdig-secure-url: ${{ secrets.SYSDIG_SECURE_URL }} + mode: iac + # Define the path to your IaC files + iac-scan-path: './voting-app/templates' + # Optional: set a minimum severity to fail the pipeline + minimum-severity: 'high' From 4ec75e826d4fb0a5f2f48f012ae18f3461d758ec Mon Sep 17 00:00:00 2001 From: devengine-mp Date: Wed, 17 Dec 2025 14:23:19 -0500 Subject: [PATCH 15/22] Update sysdig-inline-scan.yml --- .github/workflows/sysdig-inline-scan.yml | 137 +++++++++++++---------- 1 file changed, 80 insertions(+), 57 deletions(-) diff --git a/.github/workflows/sysdig-inline-scan.yml b/.github/workflows/sysdig-inline-scan.yml index 95e9272d48..e86491c875 100644 --- a/.github/workflows/sysdig-inline-scan.yml +++ b/.github/workflows/sysdig-inline-scan.yml 
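Review bot: The job triggers on `pull_request` as well as `push`, and for pull requests opened from forks GitHub does not expose repository secrets, so `sysdig-secure-token` and `sysdig-secure-url` would expand to empty strings and the scan step would fail for a reason unrelated to the IaC content; either restrict the trigger to same-repository pull requests or document that fork PRs are expected to skip this check. `iac-scan-path: './voting-app/templates'` appears to be a Helm chart's `templates/` directory; if any of those files use `{{ }}` template directives, the raw files are not valid manifests for the scanner, and scanning the output of `helm template` written to a temporary directory is more reliable. The workflow declares no `permissions:` block; adding `permissions:` / `contents: read` at the job level keeps the default `GITHUB_TOKEN` at the least privilege this job needs.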
@@ -1,65 +1,88 @@ name: Sysdig Voting App Image Scans on: - workflow_dispatch: + push: + branches: [ "main" ] + pull_request: + branches: [ "main" ] jobs: - scan-images: + build-and-scan: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - # Scan vote image - - name: Build vote image - run: docker build -t dockersamples/examplevotingapp_vote:latest vote/ - - - name: Scan vote image - uses: sysdiglabs/scan-action@v6 - with: - image-tag: dockersamples/examplevotingapp_vote:latest - sysdig-secure-token: ${{ secrets.SECURE_API_TOKEN }} - stop-on-failed-policy-eval: true - stop-on-processing-error: true - - - name: Upload vote SARIF - if: success() || failure() - uses: github/codeql-action/upload-sarif@v3 - with: - sarif_file: ${{ github.workspace }}/sarif.json - - # Scan worker image - - name: Build vote image - run: docker build -t dockersamples/examplevotingapp_worker:latest worker/ - - - name: Scan worker image - uses: sysdiglabs/scan-action@v6 - with: - image-tag: dockersamples/examplevotingapp_worker:latest - sysdig-secure-token: ${{ secrets.SECURE_API_TOKEN }} - stop-on-failed-policy-eval: true - stop-on-processing-error: true - - - name: Upload worker SARIF - if: success() || failure() - uses: github/codeql-action/upload-sarif@v3 - with: - sarif_file: ${{ github.workspace }}/sarif.json - - # Scan result image - - name: Build result image - run: docker build -t dockersamples/examplevotingapp_result:latest result/ - - - name: Scan result image - uses: sysdiglabs/scan-action@v6 - with: - image-tag: dockersamples/examplevotingapp_result:latest - sysdig-secure-token: ${{ secrets.SECURE_API_TOKEN }} - stop-on-failed-policy-eval: true - stop-on-processing-error: true - - - name: Upload result SARIF - if: success() || failure() - uses: github/codeql-action/upload-sarif@v3 - with: - sarif_file: ${{ github.workspace }}/sarif.json + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + 
############################################################ + # Authenticate Sysdig CLI Scanner + ############################################################ + - name: Download Sysdig CLI Scanner + run: | + curl -sLo sysdig-cli-scanner \ + https://download.sysdig.com/scanner/sysdig-cli-scanner/latest/sysdig-cli-scanner-linux-amd64 + chmod +x sysdig-cli-scanner + + - name: Verify Sysdig API token exists + run: | + if [ -z "${{ secrets.SECURE_API_TOKEN }}" ]; then + echo "ERROR: Missing SECURE_API_TOKEN secret" + exit 1 + fi + + ############################################################ + # Build Docker images for vote, worker, result + ############################################################ + + - name: Build vote image + run: docker build -t vote-app:latest ./vote + + - name: Build worker image + run: docker build -t worker-app:latest ./worker + + - name: Build result image + run: docker build -t result-app:latest ./result + + ############################################################ + # Scan Images with Sysdig CLI Scanner + ############################################################ + + - name: Scan vote image + run: | + ./sysdig-cli-scanner \ + --apiurl https://secure.sysdig.com \ + --token ${{ secrets.SECURE_API_TOKEN }} \ + --output vote-scan.json \ + docker://vote-app:latest + + - name: Scan worker image + run: | + ./sysdig-cli-scanner \ + --apiurl https://secure.sysdig.com \ + --token ${{ secrets.SECURE_API_TOKEN }} \ + --output worker-scan.json \ + docker://worker-app:latest + + - name: Scan result image + run: | + ./sysdig-cli-scanner \ + --apiurl https://secure.sysdig.com \ + --token ${{ secrets.SECURE_API_TOKEN }} \ + --output result-scan.json \ + docker://result-app:latest + + ############################################################ + # Upload scan results as GitHub artifacts + ############################################################ + + - name: Upload Sysdig scan results + uses: actions/upload-artifact@v4 + with: + name: 
sysdig-scan-reports + path: | + vote-scan.json + worker-scan.json + result-scan.json From 9f024bc80a4219df8d5bf0476c164675151c9236 Mon Sep 17 00:00:00 2001 From: devengine-mp Date: Wed, 17 Dec 2025 14:28:33 -0500 Subject: [PATCH 16/22] Update sysdig-inline-scan.yml --- .github/workflows/sysdig-inline-scan.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/sysdig-inline-scan.yml b/.github/workflows/sysdig-inline-scan.yml index e86491c875..1cd234ef2e 100644 --- a/.github/workflows/sysdig-inline-scan.yml +++ b/.github/workflows/sysdig-inline-scan.yml @@ -53,7 +53,7 @@ jobs: - name: Scan vote image run: | ./sysdig-cli-scanner \ - --apiurl https://secure.sysdig.com \ + --apiurl https://app.us4.sysdig.com/ \ --token ${{ secrets.SECURE_API_TOKEN }} \ --output vote-scan.json \ docker://vote-app:latest @@ -61,7 +61,7 @@ jobs: - name: Scan worker image run: | ./sysdig-cli-scanner \ - --apiurl https://secure.sysdig.com \ + --apiurl https://app.us4.sysdig.com/ \ --token ${{ secrets.SECURE_API_TOKEN }} \ --output worker-scan.json \ docker://worker-app:latest @@ -69,7 +69,7 @@ jobs: - name: Scan result image run: | ./sysdig-cli-scanner \ - --apiurl https://secure.sysdig.com \ + --apiurl https://app.us4.sysdig.com/ \ --token ${{ secrets.SECURE_API_TOKEN }} \ --output result-scan.json \ docker://result-app:latest From cce46095d7b736a3e8324f343671e4ef8f5565da Mon Sep 17 00:00:00 2001 From: devengine-mp Date: Wed, 17 Dec 2025 16:20:29 -0500 Subject: [PATCH 17/22] Update sysdig-inline-scan.yml --- .github/workflows/sysdig-inline-scan.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/sysdig-inline-scan.yml b/.github/workflows/sysdig-inline-scan.yml index 1cd234ef2e..cf5a955de7 100644 --- a/.github/workflows/sysdig-inline-scan.yml +++ b/.github/workflows/sysdig-inline-scan.yml 
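Review bot: The API token is expanded into shell text twice in this hunk: `--token ${{ secrets.SECURE_API_TOKEN }}` places it on the scanner's command line, where it is visible in the runner's process table, and `if [ -z "${{ secrets.SECURE_API_TOKEN }}" ]` substitutes it into the generated script of the verify step. Pass it as an environment variable instead — `env:` / `SECURE_API_TOKEN: ${{ secrets.SECURE_API_TOKEN }}` on the step, then test `[ -z "$SECURE_API_TOKEN" ]` and let the scanner read the variable — so the value is never part of a command string. The download step fetches `.../latest/sysdig-cli-scanner-linux-amd64` with no integrity check, so the job executes whatever that URL serves while the API token is available to it; pin a version and verify a vendor-published checksum with `sha256sum -c` before `chmod +x`. `docker/setup-buildx-action@v3` is set up but all three builds use plain `docker build`, so that step is unused. `actions/upload-artifact@v4` runs only when every earlier step succeeded, so the reports are lost exactly when a scan fails; add `if: always()` to that step.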
@@ -22,8 +22,7 @@ jobs: ############################################################ - name: Download Sysdig CLI Scanner run: | - curl -sLo sysdig-cli-scanner \ - https://download.sysdig.com/scanner/sysdig-cli-scanner/latest/sysdig-cli-scanner-linux-amd64 + curl -LO "https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/$(curl -L -s https://download.sysdig.com/scanning/sysdig-cli-scanner/latest_version.txt)/linux/amd64/sysdig-cli-scanner" chmod +x sysdig-cli-scanner - name: Verify Sysdig API token exists From 22683a39de57869230761b2b712755c8d5bcd370 Mon Sep 17 00:00:00 2001 From: devengine-mp Date: Wed, 17 Dec 2025 16:50:55 -0500 Subject: [PATCH 18/22] Update sysdig-inline-scan.yml --- .github/workflows/sysdig-inline-scan.yml | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/.github/workflows/sysdig-inline-scan.yml b/.github/workflows/sysdig-inline-scan.yml index cf5a955de7..88d829ef23 100644 --- a/.github/workflows/sysdig-inline-scan.yml +++ b/.github/workflows/sysdig-inline-scan.yml 
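Review bot: Both `curl` calls lack `-f`, so if the `latest_version.txt` lookup or the binary download returns an HTTP error the error body is silently written to `sysdig-cli-scanner` and the failure only surfaces when a scan step tries to execute it; use `curl -fsSL` for both so the step fails at download time. The version is resolved from a floating `latest` at run time and nothing verifies the file, so each run executes an unverified binary that may differ from the last; the pinned `1.24.1` download in the later `Download Sysdig Scanner (stable)` hunk keeps the same gap, since it also uses `curl -sL` without `-f` and without a checksum. Pin the version and check the download against the checksum the vendor publishes for that release, e.g. `echo "<EXPECTED_SHA256>  sysdig-cli-scanner" | sha256sum -c -` (placeholder value, taken from the release), before `chmod +x`.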
@@ -51,27 +51,33 @@ jobs: - name: Scan vote image run: | + chmod +x ./sysdig-cli-scanner ./sysdig-cli-scanner \ --apiurl https://app.us4.sysdig.com/ \ - --token ${{ secrets.SECURE_API_TOKEN }} \ --output vote-scan.json \ docker://vote-app:latest + env: + SECURE_API_TOKEN: ${{ secrets.SECURE_API_TOKEN }} - name: Scan worker image run: | + chmod +x ./sysdig-cli-scanner ./sysdig-cli-scanner \ --apiurl https://app.us4.sysdig.com/ \ - --token ${{ secrets.SECURE_API_TOKEN }} \ --output worker-scan.json \ docker://worker-app:latest + env: + SECURE_API_TOKEN: ${{ secrets.SECURE_API_TOKEN }} - name: Scan result image run: | + chmod +x ./sysdig-cli-scanner ./sysdig-cli-scanner \ --apiurl https://app.us4.sysdig.com/ \ - --token ${{ secrets.SECURE_API_TOKEN }} \ --output result-scan.json \ docker://result-app:latest + env: + SECURE_API_TOKEN: ${{ secrets.SECURE_API_TOKEN }} ############################################################ # Upload scan results as GitHub artifacts From 3ca85623d7f22f383a90b1660692bbe5b939de71 Mon Sep 17 00:00:00 2001 From: devengine-mp Date: Wed, 17 Dec 2025 16:58:13 -0500 Subject: [PATCH 19/22] Update sysdig-inline-scan.yml --- .github/workflows/sysdig-inline-scan.yml | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/.github/workflows/sysdig-inline-scan.yml b/.github/workflows/sysdig-inline-scan.yml index 88d829ef23..383594c8da 100644 --- a/.github/workflows/sysdig-inline-scan.yml +++ b/.github/workflows/sysdig-inline-scan.yml 
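Review bot: Moving the token from `--token` to `env: SECURE_API_TOKEN` is the right change, but it is declared three times, once per scan step, while `--apiurl https://app.us4.sysdig.com/` is hard-coded three times in the same hunk; a job-level `env:` holding `SECURE_API_TOKEN: ${{ secrets.SECURE_API_TOKEN }}` and a single variable for the API URL, referenced from each `run:`, would leave one definition of each. The IaC workflow added earlier in this series reads its endpoint from `secrets.SYSDIG_SECURE_URL`, so the two workflows currently disagree on where the Sysdig endpoint is configured. The `chmod +x ./sysdig-cli-scanner` added to each scan step repeats the `chmod` already performed in the download step, which sits outside this hunk.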
@@ -20,9 +20,10 @@ jobs: ############################################################ # Authenticate Sysdig CLI Scanner ############################################################ - - name: Download Sysdig CLI Scanner + - name: Download Sysdig Scanner (stable) run: | - curl -LO "https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/$(curl -L -s https://download.sysdig.com/scanning/sysdig-cli-scanner/latest_version.txt)/linux/amd64/sysdig-cli-scanner" + curl -sL https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/1.24.1/linux/amd64/sysdig-cli-scanner \ + -o sysdig-cli-scanner chmod +x sysdig-cli-scanner - name: Verify Sysdig API token exists @@ -51,7 +52,6 @@ jobs: - name: Scan vote image run: | - chmod +x ./sysdig-cli-scanner ./sysdig-cli-scanner \ --apiurl https://app.us4.sysdig.com/ \ --output vote-scan.json \ @@ -61,7 +61,6 @@ jobs: - name: Scan worker image run: | - chmod +x ./sysdig-cli-scanner ./sysdig-cli-scanner \ --apiurl https://app.us4.sysdig.com/ \ --output worker-scan.json \ @@ -71,7 +70,6 @@ jobs: - name: Scan result image run: | - chmod +x ./sysdig-cli-scanner ./sysdig-cli-scanner \ --apiurl https://app.us4.sysdig.com/ \ --output result-scan.json \ From a8f72ce2ca8074ac414d203c3f39f7b48a07881c Mon Sep 17 00:00:00 2001 From: devengine-mp Date: Wed, 17 Dec 2025 17:05:15 -0500 Subject: [PATCH 20/22] Update sysdig-inline-scan.yml --- .github/workflows/sysdig-inline-scan.yml | 16 ---------------- 1 file changed, 16 deletions(-) diff --git a/.github/workflows/sysdig-inline-scan.yml b/.github/workflows/sysdig-inline-scan.yml index 383594c8da..c3bb203848 100644 --- a/.github/workflows/sysdig-inline-scan.yml +++ b/.github/workflows/sysdig-inline-scan.yml @@ -54,7 +54,6 @@ jobs: run: | ./sysdig-cli-scanner \ --apiurl https://app.us4.sysdig.com/ \ - --output vote-scan.json \ docker://vote-app:latest env: SECURE_API_TOKEN: ${{ secrets.SECURE_API_TOKEN }} 
@@ -63,7 +62,6 @@ jobs: run: | ./sysdig-cli-scanner \ --apiurl https://app.us4.sysdig.com/ \ - --output worker-scan.json \ docker://worker-app:latest env: SECURE_API_TOKEN: ${{ secrets.SECURE_API_TOKEN }} @@ -72,20 +70,6 @@ jobs: run: | ./sysdig-cli-scanner \ --apiurl https://app.us4.sysdig.com/ \ - --output result-scan.json \ docker://result-app:latest env: SECURE_API_TOKEN: ${{ secrets.SECURE_API_TOKEN }} - - ############################################################ - # Upload scan results as GitHub artifacts - ############################################################ - - - name: Upload Sysdig scan results - uses: actions/upload-artifact@v4 - with: - name: sysdig-scan-reports - path: | - vote-scan.json - worker-scan.json - result-scan.json From fd1b12b69404b37f6ff5dceb8379b8c92ee3011a Mon Sep 17 00:00:00 2001 From: devengine-mp Date: Wed, 17 Dec 2025 17:58:08 -0500 Subject: [PATCH 21/22] Update sysdig-inline-scan.yml --- .github/workflows/sysdig-inline-scan.yml | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/.github/workflows/sysdig-inline-scan.yml b/.github/workflows/sysdig-inline-scan.yml index c3bb203848..85637fa01f 100644 --- a/.github/workflows/sysdig-inline-scan.yml +++ b/.github/workflows/sysdig-inline-scan.yml @@ -51,6 +51,7 @@ jobs: ############################################################ - name: Scan vote image + continue-on-error: true run: | ./sysdig-cli-scanner \ --apiurl https://app.us4.sysdig.com/ \ @@ -59,6 +60,7 @@ jobs: SECURE_API_TOKEN: ${{ secrets.SECURE_API_TOKEN }} - name: Scan worker image + continue-on-error: true run: | ./sysdig-cli-scanner \ --apiurl https://app.us4.sysdig.com/ \ 
@@ -67,9 +69,30 @@ jobs: SECURE_API_TOKEN: ${{ secrets.SECURE_API_TOKEN }} - name: Scan result image + continue-on-error: true run: | ./sysdig-cli-scanner \ --apiurl https://app.us4.sysdig.com/ \ docker://result-app:latest env: SECURE_API_TOKEN: ${{ secrets.SECURE_API_TOKEN }} + + - name: Security gate decision + run: | + FAILED=0 + + for scan in vote worker result; do + if [[ "${{ steps['scan_' + scan].outcome }}" == "failure" ]]; then + echo "❌ $scan image failed Sysdig policy evaluation" + FAILED=1 + else + echo "✅ $scan image passed Sysdig policies" + fi + done + + if [[ "$FAILED" -eq 1 ]]; then + echo "Blocking deployment due to policy violations" + exit 1 + else + echo "All images passed security policies" + fi From 360c2d6223b0116b881980779ae9d0cefdb1cf9e Mon Sep 17 00:00:00 2001 From: devengine-mp Date: Wed, 17 Dec 2025 18:14:26 -0500 Subject: [PATCH 22/22] Update sysdig-inline-scan.yml --- .github/workflows/sysdig-inline-scan.yml | 32 +++++++++++++----------- 1 file changed, 17 insertions(+), 15 deletions(-) diff --git a/.github/workflows/sysdig-inline-scan.yml b/.github/workflows/sysdig-inline-scan.yml index 85637fa01f..616abc08aa 100644 --- a/.github/workflows/sysdig-inline-scan.yml +++ b/.github/workflows/sysdig-inline-scan.yml @@ -51,6 +51,7 @@ jobs: ############################################################ - name: Scan vote image + id: scan_vote continue-on-error: true run: | ./sysdig-cli-scanner \ @@ -60,6 +61,7 @@ jobs: SECURE_API_TOKEN: ${{ secrets.SECURE_API_TOKEN }} - name: Scan worker image + id: scan_worker continue-on-error: true run: | ./sysdig-cli-scanner \ @@ -69,6 +71,7 @@ jobs: SECURE_API_TOKEN: ${{ secrets.SECURE_API_TOKEN }} - name: Scan result image + id: scan_result continue-on-error: true run: | ./sysdig-cli-scanner \ 
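Review bot: The gate expression `${{ steps['scan_' + scan].outcome }}` cannot work as written: `${{ }}` expressions are evaluated by the runner before the script is handed to bash, so the shell loop variable `$scan` is not visible to it, and `+` string concatenation is not, as far as I know, part of GitHub's expression syntax, so the workflow would be rejected before any step runs. The step ids it expects (`scan_vote`, `scan_worker`, `scan_result`) are also not defined in this commit — the three scan steps above carry `name` and `continue-on-error` but no `id:`. Evaluating `${{ steps.scan_vote.outcome }}`, `${{ steps.scan_worker.outcome }}` and `${{ steps.scan_result.outcome }}` individually, with matching `id:` lines on the scan steps, is the minimal fix.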
@@ -77,22 +80,21 @@ jobs: env: SECURE_API_TOKEN: ${{ secrets.SECURE_API_TOKEN }} - - name: Security gate decision + ############################################################ + # Final Security Gate (Fail AFTER all scans) + ############################################################ + + - name: Evaluate Sysdig scan results run: | - FAILED=0 - - for scan in vote worker result; do - if [[ "${{ steps['scan_' + scan].outcome }}" == "failure" ]]; then - echo "❌ $scan image failed Sysdig policy evaluation" - FAILED=1 - else - echo "✅ $scan image passed Sysdig policies" - fi - done - - if [[ "$FAILED" -eq 1 ]]; then - echo "Blocking deployment due to policy violations" + echo "Vote scan result: ${{ steps.scan_vote.outcome }}" + echo "Worker scan result: ${{ steps.scan_worker.outcome }}" + echo "Result scan result: ${{ steps.scan_result.outcome }}" + + if [[ "${{ steps.scan_vote.outcome }}" == "failure" || \ + "${{ steps.scan_worker.outcome }}" == "failure" || \ + "${{ steps.scan_result.outcome }}" == "failure" ]]; then + echo "❌ One or more images failed Sysdig policy evaluation" exit 1 else - echo "All images passed security policies" + echo "✅ All images passed Sysdig policy evaluation" fi
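Review bot: The gate treats every non-zero exit of `sysdig-cli-scanner` — unreachable API, rejected token, missing vulnerability database — as a failed policy evaluation and reports it as `❌ One or more images failed Sysdig policy evaluation`, whereas the action-based configuration earlier in this series kept `stop-on-failed-policy-eval` and `stop-on-processing-error` apart. Reading `steps.*.outcome` is correct for steps marked `continue-on-error: true` (`outcome` keeps the real result while `conclusion` is forced to success), but it cannot carry that distinction; the scanner's exit status can, if its documentation for the pinned version separates policy failures from execution errors. Record it in each scan step with `rc=0; ./sysdig-cli-scanner ... || rc=$?; echo "rc=$rc" >> "$GITHUB_OUTPUT"` (the default `bash -e` shell would otherwise abort before the echo) and have the gate branch on the recorded codes, so an infrastructure error still blocks the merge but with an accurate message. A short comment above the `if [[ ... ]]` noting that the `${{ }}` values interpolated into it are runner-controlled enums, not user input, would document why that interpolation is acceptable here.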