Merge branch 'dev' of https://github.com/MaibornWolff/SecObserve into stackable

Author: dervoeti

.github/workflows/build_push_release.yml

@@ -117,7 +117,7 @@ jobs:
     permissions:
       contents: write
     steps:
-      - uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
+      - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
         with:
           node-version: 24
       -
@@ -209,7 +209,7 @@ jobs:
           sbom-utility validate --input-file sbom_"$VERSION".json
       -
         name: Commit SBOMs
-        uses: stefanzweifel/git-auto-commit-action@b863ae1933cb653a53c021fe36dbb774e1fb9403 # v5
+        uses: stefanzweifel/git-auto-commit-action@28e16e81777b558cc906c8750092100bbb34c5e3 # v7
         with:
           skip_fetch: true
           create_branch: true

.github/workflows/check_backend.yml

@@ -68,14 +68,14 @@ jobs:
             --env-file docker/backend/unittests/envs/sqlite \
             secobserve_backend_unittests:latest
       - name: "Upload coverage report"
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
         with:
           name: coverage-report
           path: backend/coverage.xml
           retention-days: 1
 
   check_code_sonarqube_backend:
-    if: github.repository == 'MaibornWolff/SecObserve'
+    if: github.repository == 'MaibornWolff/SecObserve' && (github.ref == 'refs/heads/dev' || github.event_name == 'pull_request')
     needs: [unittests]
     runs-on: ubuntu-latest
     steps:
@@ -84,12 +84,12 @@ jobs:
         with:
           fetch-depth: 0  
       - name: Download a single artifact
-        uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
+        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
         with:
           name: coverage-report
       - name: Run SonarQube scan for backend
         uses: SonarSource/sonarqube-scan-action@fd88b7d7ccbaefd23d8f36f73b59db7a3d246602 # v6.0.0
         env:
-          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN_BACKEND }}
         with:
           projectBaseDir: backend

.github/workflows/check_frontend.yml

@@ -9,7 +9,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-      - uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
+      - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
         with:
           node-version: 24
 
@@ -42,7 +42,7 @@ jobs:
           docker compose -f docker-compose-playwright.yml up --abort-on-container-exit --exit-code-from playwright
 
   check_code_sonarqube_frontend:
-    if: github.repository == 'MaibornWolff/SecObserve'
+    if: github.repository == 'MaibornWolff/SecObserve' && (github.ref == 'refs/heads/dev' || github.event_name == 'pull_request')
     runs-on: ubuntu-latest
     steps:
       - 

.github/workflows/check_licenses_dev.yml

@@ -12,7 +12,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - 
-        uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
+        uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
         with:
           node-version: 24
       - 

.github/workflows/generate_sboms.yml

@@ -16,7 +16,7 @@ jobs:
     permissions:
       contents: write
     steps:
-      - uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
+      - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
         with:
           node-version: 24
       -
@@ -108,7 +108,7 @@ jobs:
           sbom-utility validate --input-file sbom_"$VERSION".json
       - 
         name: Commit SBOMs
-        uses: stefanzweifel/git-auto-commit-action@b863ae1933cb653a53c021fe36dbb774e1fb9403 # v5
+        uses: stefanzweifel/git-auto-commit-action@28e16e81777b558cc906c8750092100bbb34c5e3 # v7
         with:
           skip_fetch: true
           create_branch: true

.github/workflows/publish_docs.yml

@@ -4,7 +4,7 @@ on:
   push:
     branches:
       - main
-      - chore/documentation_process_logo
+      - chore/doc_integration
 
 permissions: read-all
 

.github/workflows/scan_sca_current.yml

@@ -16,7 +16,7 @@ jobs:
         name: Checkout
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
-          ref: 'v1.39.2'
+          ref: 'v1.40.0'
       -
         name: Run SCA vulnerability scanners
         uses: MaibornWolff/secobserve_actions_templates/actions/vulnerability_scanner@936a764a4e82cc89772941e082ba24c371c6ef90 # main

.github/workflows/scorecard.yml

@@ -59,14 +59,14 @@ jobs:
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
       - name: "Upload artifact"
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
         with:
           name: SARIF file
           path: results.sarif
           retention-days: 5
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@e296a935590eb16afc0c0108289f68c87e2a89a5 # v4.30.7
+        uses: github/codeql-action/upload-sarif@4e94bd11f71e507f7f87df81788dff88d1dacbfb # v4.31.0
         with:
           sarif_file: results.sarif

backend/application/__init__.py

@@ -1,4 +1,4 @@
-__version__ = "1.39.2"
+__version__ = "1.40.0"
 
 import pymysql
 

backend/application/core/api/serializers_observation.py

@@ -42,7 +42,7 @@
 )
 from application.core.queries.observation import get_current_observation_log
 from application.core.services.observation_log import create_observation_log
-from application.core.services.security_gate import check_security_gate
+from application.core.services.security_gate import check_security_gate_observation
 from application.core.types import (
     Assessment_Status,
     Severity,
@@ -362,7 +362,7 @@ def update(self, instance: Observation, validated_data: dict) -> Observation:
                 risk_acceptance_expiry_date=log_risk_acceptance_expiry_date,
             )
 
-        check_security_gate(observation.product)
+        check_security_gate_observation(observation)
         push_observation_to_issue_tracker(observation, get_current_user())
         if observation.branch:
             observation.branch.last_import = timezone.now()
@@ -457,7 +457,7 @@ def create(self, validated_data: dict) -> Observation:
             risk_acceptance_expiry_date=observation.risk_acceptance_expiry_date,
         )
 
-        check_security_gate(observation.product)
+        check_security_gate_observation(observation)
         push_observation_to_issue_tracker(observation, get_current_user())
         if observation.branch:
             observation.branch.last_import = timezone.now()