From c993e842db8cce825ddecddf1587c1df500f0c00 Mon Sep 17 00:00:00 2001 From: Raphael005 <110637774+Raphael005@users.noreply.github.com> Date: Sat, 28 Jun 2025 13:12:49 +0200 Subject: [PATCH 1/3] Create .name --- .idea/.name | 1 + 1 file changed, 1 insertion(+) create mode 100644 .idea/.name diff --git a/.idea/.name b/.idea/.name new file mode 100644 index 0000000000..700565b92d --- /dev/null +++ b/.idea/.name @@ -0,0 +1 @@ +modules.xml \ No newline at end of file From a4fdc98937d3be4212597f3193ab2b6f2b666f90 Mon Sep 17 00:00:00 2001 From: Raphael005 <110637774+Raphael005@users.noreply.github.com> Date: Sat, 28 Jun 2025 13:13:49 +0200 Subject: [PATCH 2/3] Add IntelliJ IDEA project configuration files Added .idea directory files to set up project structure, JDK version, module, VCS mapping, and workspace settings for IntelliJ IDEA. This enables consistent development environment configuration for contributors using IntelliJ. --- .idea/misc.xml | 6 ++++ .idea/modules.xml | 8 ++++++ .idea/starter-workflows.iml | 9 ++++++ .idea/vcs.xml | 6 ++++ .idea/workspace.xml | 55 +++++++++++++++++++++++++++++++++++++ 5 files changed, 84 insertions(+) create mode 100644 .idea/misc.xml create mode 100644 .idea/modules.xml create mode 100644 .idea/starter-workflows.iml create mode 100644 .idea/vcs.xml create mode 100644 .idea/workspace.xml diff --git a/.idea/misc.xml b/.idea/misc.xml new file mode 100644 index 0000000000..89ee75358b --- /dev/null +++ b/.idea/misc.xml @@ -0,0 +1,6 @@ + + + + + + \ No newline at end of file diff --git a/.idea/modules.xml b/.idea/modules.xml new file mode 100644 index 0000000000..da3130baae --- /dev/null +++ b/.idea/modules.xml @@ -0,0 +1,8 @@ + + + + + + + + \ No newline at end of file diff --git a/.idea/starter-workflows.iml b/.idea/starter-workflows.iml new file mode 100644 index 0000000000..d6ebd48059 --- /dev/null +++ b/.idea/starter-workflows.iml @@ -0,0 +1,9 @@ + + + + + + + + + \ No newline at end of file 
diff --git a/.idea/vcs.xml b/.idea/vcs.xml new file mode 100644 index 0000000000..35eb1ddfbb --- /dev/null +++ b/.idea/vcs.xml @@ -0,0 +1,6 @@ + + + + + + \ No newline at end of file diff --git a/.idea/workspace.xml b/.idea/workspace.xml new file mode 100644 index 0000000000..0277beb02e --- /dev/null +++ b/.idea/workspace.xml @@ -0,0 +1,55 @@ + + + + + + + + { + "associatedIndex": 2 +} + + + + { + "keyToString": { + "ModuleVcsDetector.initialDetectionPerformed": "true", + "RunOnceActivity.ShowReadmeOnStart": "true", + "RunOnceActivity.git.unshallow": "true", + "git-widget-placeholder": "main", + "nodejs_package_manager_path": "npm", + "vue.rearranger.settings.migration": "true" + } +} + + + + + + + + + + 1751108728985 + + + + + + \ No newline at end of file From 5c040e3615fe67deba75c897bbf55137fd46846c Mon Sep 17 00:00:00 2001 From: Raffi <110637774+Raphael005@users.noreply.github.com> Date: Fri, 15 May 2026 01:24:04 +0200 Subject: [PATCH 3/3] Add Checkov IaC security scanning starter workflow Adds a Code Scanning starter workflow for Checkov, a popular open-source static analysis tool for infrastructure as code. The workflow: - Scans Terraform, CloudFormation, Kubernetes, Helm, Dockerfiles, and more - Outputs results in SARIF format for the GitHub Security tab - Pins bridgecrewio/checkov-action to a full commit SHA - Uses least-privilege permissions - Requires no paid service or 3rd-party data upload Co-Authored-By: Oz --- code-scanning/checkov.yml | 58 +++++++++++++++++++ .../properties/checkov.properties.json | 7 +++ 2 files changed, 65 insertions(+) create mode 100644 code-scanning/checkov.yml create mode 100644 code-scanning/properties/checkov.properties.json diff --git a/code-scanning/checkov.yml b/code-scanning/checkov.yml new file mode 100644 index 0000000000..ef6d175093 --- /dev/null +++ b/code-scanning/checkov.yml 
@@ -0,0 +1,58 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# Checkov is a static code analysis tool for infrastructure as code (IaC).
+# It scans Terraform, CloudFormation, Kubernetes, Helm, ARM templates,
+# Bicep, Dockerfiles, and more for security and compliance misconfigurations.
+#
+# Documentation: https://www.checkov.io/
+# Getting started: https://www.checkov.io/1.Welcome/Quick%20Start.html
+
+name: Checkov
+
+on:
+  push:
+    branches: [ $default-branch, $protected-branches ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ $default-branch ]
+  schedule:
+    - cron: $cron-weekly
+
+permissions:
+  contents: read
+
+jobs:
+  checkov:
+    name: Scan
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Run Checkov
+        uses: bridgecrewio/checkov-action@4048c972aae68d0b983a48bb3479aab2d877b898
+        with:
+          # Scan the entire repository. Narrow this down to a specific
+          # directory if your IaC files live in a subdirectory, e.g.:
+          # directory: terraform/
+          directory: .
+          # Emit results in SARIF format for upload to the Security tab.
+          output_format: sarif
+          output_file_path: checkov-results.sarif
+          # Prevent the step from failing the workflow so that SARIF results
+          # are always uploaded, even when issues are found.
+          soft_fail: true
+
+      - name: Upload Checkov scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: checkov-results.sarif
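Review bot: The upload step's `if: always()` (last step of the `checkov` job) also fires when the run is cancelled, which is exactly the case GitHub's workflow-syntax documentation advises against for that status function; since `soft_fail: true` already keeps the Checkov step green when findings exist, the condition only needs to cover a crashed scan, so `if: ${{ !cancelled() }}` (the `success() || failure()` form used in checkov-action's own README is equivalent) is the tighter choice. The SHA pin on `bridgecrewio/checkov-action` pins the wrapper action but not necessarily the Checkov release it installs at run time — that depends on how the action's image is built, so it is worth confirming and stating in the header comment what the pin does and does not guarantee. `output_file_path: checkov-results.sarif` has to agree with `sarif_file` in the upload step, and Checkov also accepts a directory there (in which case it names the file itself and the upload would find nothing), so a comment such as `# Must match sarif_file in the upload step below.` next to `output_file_path` would protect anyone editing either value.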
diff --git a/code-scanning/properties/checkov.properties.json b/code-scanning/properties/checkov.properties.json
new file mode 100644
index 0000000000..7a0c6b5ca3
--- /dev/null
+++ b/code-scanning/properties/checkov.properties.json
@@ -0,0 +1,7 @@
+{
+  "name": "Checkov",
+  "creator": "Bridgecrew",
+  "description": "Scan infrastructure as code (Terraform, CloudFormation, Kubernetes, Helm, Dockerfiles, and more) for security and compliance misconfigurations.",
+  "iconName": "checkov",
+  "categories": ["Code Scanning", "terraform", "kubernetes", "dockerfile", "cloudformation", "helm"]
+}