From 17e786ebd9e69ab0ca70e7f8be49e5bc6eff53a5 Mon Sep 17 00:00:00 2001 From: devznsh Date: Sat, 15 Feb 2025 00:18:25 +0530 Subject: [PATCH 01/15] Added Nancy to GitHub Actions workflow for security scanning --- .github/workflows/build-verify.yml | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build-verify.yml b/.github/workflows/build-verify.yml index 14bb125..839df8f 100644 --- a/.github/workflows/build-verify.yml +++ b/.github/workflows/build-verify.yml @@ -38,6 +38,14 @@ jobs: run: | ./build-binaries.sh github.com/microcks/microcks-cli + - name: Install Nancy + run: | + curl -sSfL https://raw.githubusercontent.com/sonatype-nexus-community/nancy/main/scripts/install-latest.sh | sh + + - name: Run Nancy + run: | + nancy sleuth + - name: Set environment for branch run: | set -x @@ -97,4 +105,4 @@ jobs: for tag in ${TAGS}; do images+="${tag}@${DIGEST} " done - cosign sign --yes ${images} + cosign sign --yes ${images} \ No newline at end of file From 3d7c5450cb250f21ea7154525097ac2c229cf8a3 Mon Sep 17 00:00:00 2001 From: devznsh Date: Sat, 15 Feb 2025 00:30:40 +0530 Subject: [PATCH 02/15] Added Nancy to GitHub Actions workflow for security scanning --- .github/workflows/build-verify.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/build-verify.yml b/.github/workflows/build-verify.yml index 839df8f..6512b81 100644 --- a/.github/workflows/build-verify.yml +++ b/.github/workflows/build-verify.yml @@ -41,6 +41,7 @@ jobs: - name: Install Nancy run: | curl -sSfL https://raw.githubusercontent.com/sonatype-nexus-community/nancy/main/scripts/install-latest.sh | sh + sudo mv nancy /usr/local/bin/ - name: Run Nancy run: | From 60598e858e3ab182fce7a8c643abb194bd606eb9 Mon Sep 17 00:00:00 2001 
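Review bot: The new Install Nancy step pipes `install-latest.sh`, fetched from the `main` branch of the nancy repository, straight into `sh`, so the job executes whatever that script contains at run time with no version pin and no checksum; PATCH 02 and PATCH 03 keep the same unpinned installer and only add the `sudo mv`. Prefer downloading a tagged release asset and checking it against the SHA-256 published with the release before placing it on PATH. Separately, `nancy sleuth` in the Run Nancy step is invoked with nothing on stdin; as PATCH 13's `go list -json -deps ./... | … sleuth` pipeline later shows, sleuth reads the module list it is to scan from stdin, so as written this step scans nothing.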
From: Devansh Gaur <122698012+devznsh@users.noreply.github.com> Date: Sat, 15 Feb 2025 00:33:17 +0530 Subject: [PATCH 03/15] Update build-verify.yml --- .github/workflows/build-verify.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build-verify.yml b/.github/workflows/build-verify.yml index 839df8f..07efb78 100644 --- a/.github/workflows/build-verify.yml +++ b/.github/workflows/build-verify.yml @@ -41,6 +41,7 @@ jobs: - name: Install Nancy run: | curl -sSfL https://raw.githubusercontent.com/sonatype-nexus-community/nancy/main/scripts/install-latest.sh | sh + sudo mv nancy /usr/local/bin/ - name: Run Nancy run: | @@ -105,4 +106,4 @@ jobs: for tag in ${TAGS}; do images+="${tag}@${DIGEST} " done - cosign sign --yes ${images} \ No newline at end of file + cosign sign --yes ${images} From 3ac27a8a7b7a125b0a61d1d289b1ada3514ab7fc Mon Sep 17 00:00:00 2001 From: Devansh Gaur <122698012+devznsh@users.noreply.github.com> Date: Sat, 15 Feb 2025 00:43:18 +0530 Subject: [PATCH 04/15] Update build-verify.yml --- .github/workflows/build-verify.yml | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build-verify.yml b/.github/workflows/build-verify.yml index 07efb78..8b4551f 100644 --- a/.github/workflows/build-verify.yml +++ b/.github/workflows/build-verify.yml @@ -23,7 +23,6 @@ jobs: steps: - name: Get current date id: date - #run: echo "::set-output name=date::$(date +'%Y-%m-%dT%H:%M:%S')" run: echo "date=$(date +'%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_OUTPUT - name: Checkout Code @@ -40,8 +39,7 @@ jobs: - name: Install Nancy run: | - curl -sSfL https://raw.githubusercontent.com/sonatype-nexus-community/nancy/main/scripts/install-latest.sh | sh - sudo mv nancy /usr/local/bin/ + go install github.com/sonatype-nexus-community/nancy/cmd/nancy@latest - name: Run Nancy run: | 
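Review bot: `go install github.com/sonatype-nexus-community/nancy/cmd/nancy@latest` in the Install Nancy step resolves a floating version on every run, so the scanner can change between two builds of the same commit and whatever the module proxy currently serves is trusted without a pin; PATCH 05 keeps `@latest` on a different module path. Pin a tagged release instead, e.g. `go install github.com/sonatype-nexus-community/nancy@<PINNED_TAG>` (placeholder), and bump it deliberately. This also assumes a Go toolchain was set up by a step above the hunk, which is outside this view.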
@@ -56,7 +54,7 @@ jobs: elif [[ $GITHUB_REF == "refs/tags/$GITHUB_REF_NAME" ]]; then echo "IMAGE_TAG=$GITHUB_REF_NAME" >> "$GITHUB_ENV" echo "PACKAGE_IMAGE=true" >> "$GITHUB_ENV" - else + else: echo "PACKAGE_IMAGE=false" >> "$GITHUB_ENV" fi From e912f1f93a51e88b9caf2ebcba7697065ac958ee Mon Sep 17 00:00:00 2001 From: Devansh Gaur <122698012+devznsh@users.noreply.github.com> Date: Sat, 15 Feb 2025 00:51:06 +0530 Subject: [PATCH 05/15] Update build-verify.yml --- .github/workflows/build-verify.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build-verify.yml b/.github/workflows/build-verify.yml index 8b4551f..282bc8f 100644 --- a/.github/workflows/build-verify.yml +++ b/.github/workflows/build-verify.yml @@ -39,7 +39,7 @@ jobs: - name: Install Nancy run: | - go install github.com/sonatype-nexus-community/nancy/cmd/nancy@latest + go install github.com/sonatype-nexus-community/nancy@latest - name: Run Nancy run: | From 13ab8f23717b54332c2083841f59317265f82ed8 Mon Sep 17 00:00:00 2001 From: Devansh Gaur <122698012+devznsh@users.noreply.github.com> Date: Sat, 15 Feb 2025 00:54:25 +0530 Subject: [PATCH 06/15] Update build-verify.yml --- .github/workflows/build-verify.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build-verify.yml b/.github/workflows/build-verify.yml index 282bc8f..6fa9397 100644 --- a/.github/workflows/build-verify.yml +++ b/.github/workflows/build-verify.yml @@ -39,7 +39,9 @@ jobs: - name: Install Nancy run: | - go install github.com/sonatype-nexus-community/nancy@latest + NANCY_VERSION=v0.1.17 + curl -sSfL https://github.com/sonatype-nexus-community/nancy/releases/download/${NANCY_VERSION}/nancy-linux.amd64-${NANCY_VERSION} | sudo tee /usr/local/bin/nancy > /dev/null + sudo chmod +x /usr/local/bin/nancy - name: Run Nancy run: | 
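Review bot: The release download in the Install Nancy step is not integrity-checked: `curl -sSfL … | sudo tee /usr/local/bin/nancy` writes whatever the response body is into a root-owned PATH location and then marks it executable, and the same shape recurs in PATCH 07, PATCH 10 and PATCH 12. Because this `run:` block declares no `shell:` (and any job-level `defaults` are outside the hunk), GitHub runs it with `bash -e` but without `pipefail`, so a failed or truncated `curl` is hidden behind `tee`'s exit status and the step still succeeds with an empty or partial binary. Pinning `NANCY_VERSION` is the right direction; add `set -o pipefail` at the top of the script and verify the asset against the checksum file published with the release before moving it onto PATH, e.g. `echo "<EXPECTED_SHA256>  nancy" | sha256sum -c -` (placeholder hash).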
@@ -54,7 +56,7 @@ jobs: elif [[ $GITHUB_REF == "refs/tags/$GITHUB_REF_NAME" ]]; then echo "IMAGE_TAG=$GITHUB_REF_NAME" >> "$GITHUB_ENV" echo "PACKAGE_IMAGE=true" >> "$GITHUB_ENV" - else: + else echo "PACKAGE_IMAGE=false" >> "$GITHUB_ENV" fi From f26aa289ecbd668269c47acfa12ede49d1abdd21 Mon Sep 17 00:00:00 2001 From: devznsh Date: Sat, 15 Feb 2025 01:33:15 +0530 Subject: [PATCH 07/15] Fix: Integrate Nancy vulnerability scanning and correct image signing --- .github/workflows/build-verify.yml | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build-verify.yml b/.github/workflows/build-verify.yml index 1d347e2..74482e7 100644 --- a/.github/workflows/build-verify.yml +++ b/.github/workflows/build-verify.yml @@ -39,7 +39,9 @@ jobs: - name: Install Nancy run: | - curl -sSfL https://raw.githubusercontent.com/sonatype-nexus-community/nancy/main/scripts/install-latest.sh | sh + NANCY_VERSION=v0.1.17 + curl -sSfL https://github.com/sonatype-nexus-community/nancy/releases/download/${NANCY_VERSION}/nancy-linux.amd64-${NANCY_VERSION} | sudo tee /usr/local/bin/nancy > /dev/null + sudo chmod +x /usr/local/bin/nancy - name: Run Nancy run: | 
@@ -93,15 +95,22 @@ jobs: org.opencontainers.image.revision=${GITHUB_SHA} org.opencontainers.image.created=${{ steps.date.outputs.date }} tags: quay.io/microcks/microcks-cli:${{env.IMAGE_TAG}},docker.io/microcks/microcks-cli:${{env.IMAGE_TAG}} + + - name: Get Image Digest + id: get-digest + if: github.repository_owner == 'microcks' && env.PACKAGE_IMAGE == 'true' + run: | + DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' quay.io/microcks/microcks-cli:${{env.IMAGE_TAG}} | cut -d'@' -f2) + echo "DIGEST=$DIGEST" >> $GITHUB_OUTPUT - name: Sign the image with GitHub OIDC Token env: - DIGEST: ${{ steps.build-and-push.outputs.digest }} TAGS: quay.io/microcks/microcks-cli:${{env.IMAGE_TAG}} docker.io/microcks/microcks-cli:${{env.IMAGE_TAG}} COSIGN_EXPERIMENTAL: "true" + if: github.repository_owner == 'microcks' && env.PACKAGE_IMAGE == 'true' run: | images="" for tag in ${TAGS}; do - images+="${tag}@${DIGEST} " + images+="${tag}@${{ steps.get-digest.outputs.DIGEST }} " done - cosign sign --yes ${images} + cosign sign --yes ${images} \ No newline at end of file From d3c8ed37f4f9fcbdca43cbfeba32903cfbc85b38 Mon Sep 17 00:00:00 2001 From: devznsh Date: Sat, 15 Feb 2025 01:37:50 +0530 Subject: [PATCH 08/15] Fix: Integrate Nancy vulnerability scanning and correct image signing --- .github/workflows/build-verify.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/build-verify.yml b/.github/workflows/build-verify.yml index 74482e7..522a08a 100644 --- a/.github/workflows/build-verify.yml +++ b/.github/workflows/build-verify.yml @@ -44,6 +44,8 @@ jobs: sudo chmod +x /usr/local/bin/nancy - name: Run Nancy + env: + OSSINDEX_API_TOKEN: "" run: | nancy sleuth From 7e4288a1e6a754627334f3fde6df4938d0c01a2d Mon Sep 17 00:00:00 2001 
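Review bot: The Sign step now interpolates `${{ steps.get-digest.outputs.DIGEST }}` directly inside the `run:` script in place of the removed `DIGEST` env entry; expression text is substituted into the shell source before it executes, so the safer pattern is to keep the value in `env:` (`DIGEST: ${{ steps.get-digest.outputs.DIGEST }}`) and reference `${DIGEST}` as the old line did. The new Get Image Digest step's `docker inspect --format='{{index .RepoDigests 0}}'` also depends on the pushed image being present in the local daemon, takes whichever repo digest happens to be listed first, and errors when the list is empty; `steps.build-and-push.outputs.digest`, which this hunk drops, is the digest reported by the push itself. The step that defines `build-and-push` is above this hunk, so whether it loads the image locally cannot be checked from here.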
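Review bot: `OSSINDEX_API_TOKEN: ""` in the Run Nancy step sets an empty value, which cannot authenticate anything and, if nancy does not read a variable of that name, is silently ignored; confirm the variable name against nancy's documentation rather than guessing. PATCH 09 swaps it for `NANCY_SKIP_OSSINDEX: "true"`, and if that variable does disable the OSS Index lookup, the step stops producing findings altogether, since sleuth's vulnerability data comes from that service, and the job turns green without scanning. If the intent is an authenticated, rate-limit-friendly lookup, pass real OSS Index credentials from a repository secret via `env:`, never as inline values in the workflow.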
From: devznsh Date: Sat, 15 Feb 2025 01:41:18 +0530 Subject: [PATCH 09/15] Fix: Integrate Nancy vulnerability scanning and correct image signing --- .github/workflows/build-verify.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build-verify.yml b/.github/workflows/build-verify.yml index 522a08a..630e152 100644 --- a/.github/workflows/build-verify.yml +++ b/.github/workflows/build-verify.yml @@ -45,7 +45,7 @@ jobs: - name: Run Nancy env: - OSSINDEX_API_TOKEN: "" + NANCY_SKIP_OSSINDEX: "true" run: | nancy sleuth From ad6a11d154138433cfdbec8197dd5a5990bf877d Mon Sep 17 00:00:00 2001 From: devznsh Date: Sat, 15 Feb 2025 01:49:40 +0530 Subject: [PATCH 10/15] Fix: Install Nancy correctly and add /usr/local/bin to PATH --- .github/workflows/build-verify.yml | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/.github/workflows/build-verify.yml b/.github/workflows/build-verify.yml index 630e152..663da7e 100644 --- a/.github/workflows/build-verify.yml +++ b/.github/workflows/build-verify.yml @@ -12,7 +12,7 @@ on: - '.gitignore' - 'LICENSE' - '*.md' -permissions: +permissions: contents: read id-token: write # needed for signing the images with GitHub OIDC Token 
@@ -35,18 +35,20 @@ jobs: - name: Build Go packages run: | - ./build-binaries.sh github.com/microcks/microcks-cli + ./build-binaries.sh github.com/microcks-cli - name: Install Nancy run: | - NANCY_VERSION=v0.1.17 - curl -sSfL https://github.com/sonatype-nexus-community/nancy/releases/download/${NANCY_VERSION}/nancy-linux.amd64-${NANCY_VERSION} | sudo tee /usr/local/bin/nancy > /dev/null - sudo chmod +x /usr/local/bin/nancy + NANCY_VERSION=v0.0.44 + curl -sSfL https://github.com/sonatype-nexus-community/nancy/releases/download/${NANCY_VERSION}/nancy-darwin.amd64-${NANCY_VERSION} -o nancy + chmod +x nancy + sudo mv nancy /usr/local/bin/nancy - name: Run Nancy env: NANCY_SKIP_OSSINDEX: "true" run: | + export PATH=$PATH:/usr/local/bin nancy sleuth - name: Set environment for branch @@ -97,7 +99,7 @@ jobs: org.opencontainers.image.revision=${GITHUB_SHA} org.opencontainers.image.created=${{ steps.date.outputs.date }} tags: quay.io/microcks/microcks-cli:${{env.IMAGE_TAG}},docker.io/microcks/microcks-cli:${{env.IMAGE_TAG}} - + - name: Get Image Digest id: get-digest if: github.repository_owner == 'microcks' && env.PACKAGE_IMAGE == 'true' From 2b3f0adcf329df8b8165fac69c3b0ed64354d0a1 Mon Sep 17 00:00:00 2001 From: Devansh Gaur <122698012+devznsh@users.noreply.github.com> Date: Sat, 15 Feb 2025 02:09:36 +0530 Subject: [PATCH 11/15] Update build-verify.yml --- .github/workflows/build-verify.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build-verify.yml b/.github/workflows/build-verify.yml index 663da7e..2835cec 100644 --- a/.github/workflows/build-verify.yml +++ b/.github/workflows/build-verify.yml @@ -35,7 +35,7 @@ jobs: - name: Build Go packages run: | - ./build-binaries.sh github.com/microcks-cli + ./build-binaries.sh github.com/microcks/microcks-cli - name: Install Nancy run: | 
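Review bot: The Install Nancy step now fetches `nancy-darwin.amd64-${NANCY_VERSION}`, a macOS build, while the step relies on `sudo mv` into `/usr/local/bin`, which reads as a Linux runner (the `runs-on` line is outside the hunk); that binary will not execute there, and PATCH 12 has to switch it back to `nancy-linux.amd64`. The same hunk downgrades `NANCY_VERSION` from v0.1.17 to v0.0.44 with no reason in the commit message, and changes the Build Go packages argument to `github.com/microcks-cli`, dropping the `microcks/` organisation segment in a change unrelated to the subject line; PATCH 11 reverts that. `export PATH=$PATH:/usr/local/bin` is harmless but normally redundant, as that directory is already on PATH on the hosted Linux images.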
@@ -117,4 +117,4 @@ jobs: for tag in ${TAGS}; do images+="${tag}@${{ steps.get-digest.outputs.DIGEST }} " done - cosign sign --yes ${images} \ No newline at end of file + cosign sign --yes ${images} From f6ac4faa90a111512dff3d2f804b6e6747a1be62 Mon Sep 17 00:00:00 2001 From: Devansh Gaur <122698012+devznsh@users.noreply.github.com> Date: Sat, 15 Feb 2025 02:13:30 +0530 Subject: [PATCH 12/15] Update build-verify.yml --- .github/workflows/build-verify.yml | 17 ++++------------- 1 file changed, 4 insertions(+), 13 deletions(-) diff --git a/.github/workflows/build-verify.yml b/.github/workflows/build-verify.yml index 2835cec..4c91c0a 100644 --- a/.github/workflows/build-verify.yml +++ b/.github/workflows/build-verify.yml @@ -2,7 +2,7 @@ name: build-verify-package on: push: paths-ignore: - #- '.github/**' + - '.github/**' - '.gitignore' - 'LICENSE' - '*.md' @@ -40,13 +40,11 @@ jobs: - name: Install Nancy run: | NANCY_VERSION=v0.0.44 - curl -sSfL https://github.com/sonatype-nexus-community/nancy/releases/download/${NANCY_VERSION}/nancy-darwin.amd64-${NANCY_VERSION} -o nancy + curl -sSfL https://github.com/sonatype-nexus-community/nancy/releases/download/${NANCY_VERSION}/nancy-linux.amd64-${NANCY_VERSION} -o nancy chmod +x nancy sudo mv nancy /usr/local/bin/nancy - name: Run Nancy - env: - NANCY_SKIP_OSSINDEX: "true" run: | export PATH=$PATH:/usr/local/bin nancy sleuth 
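Review bot: Uncommenting `- '.github/**'` under `paths-ignore` means a push that only edits this workflow, including its signing and `permissions` stanzas, no longer triggers `build-verify-package`, so workflow changes land without being exercised by the push build; the change is unrelated to the Nancy work and is not mentioned in the commit message. Either keep the line commented out or list only the specific non-workflow subpaths of `.github/` that should be ignored.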
@@ -100,21 +98,14 @@ jobs: org.opencontainers.image.created=${{ steps.date.outputs.date }} tags: quay.io/microcks/microcks-cli:${{env.IMAGE_TAG}},docker.io/microcks/microcks-cli:${{env.IMAGE_TAG}} - - name: Get Image Digest - id: get-digest - if: github.repository_owner == 'microcks' && env.PACKAGE_IMAGE == 'true' - run: | - DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' quay.io/microcks/microcks-cli:${{env.IMAGE_TAG}} | cut -d'@' -f2) - echo "DIGEST=$DIGEST" >> $GITHUB_OUTPUT - - name: Sign the image with GitHub OIDC Token env: + DIGEST: ${{ steps.build-and-push.outputs.digest }} TAGS: quay.io/microcks/microcks-cli:${{env.IMAGE_TAG}} docker.io/microcks/microcks-cli:${{env.IMAGE_TAG}} COSIGN_EXPERIMENTAL: "true" - if: github.repository_owner == 'microcks' && env.PACKAGE_IMAGE == 'true' run: | images="" for tag in ${TAGS}; do - images+="${tag}@${{ steps.get-digest.outputs.DIGEST }} " + images+="${tag}@${DIGEST} " done cosign sign --yes ${images} From 7597a27096208853f28e4229483052d05b58428e Mon Sep 17 00:00:00 2001 From: devznsh Date: Sat, 15 Feb 2025 02:24:34 +0530 Subject: [PATCH 13/15] Fix: Integrate Nancy vulnerability scanning and correct image signing --- .github/workflows/build-verify.yml | 12 ++---------- 1 file changed, 2 insertions(+), 10 deletions(-) diff --git a/.github/workflows/build-verify.yml b/.github/workflows/build-verify.yml index 4c91c0a..3e52b4c 100644 --- a/.github/workflows/build-verify.yml +++ b/.github/workflows/build-verify.yml 
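Review bot: Dropping `if: github.repository_owner == 'microcks' && env.PACKAGE_IMAGE == 'true'` from the Sign step makes it run on every push, including branches where `PACKAGE_IMAGE` is false; if the build-and-push step is itself gated (its definition is above this hunk), `steps.build-and-push.outputs.digest` is empty and `cosign sign --yes quay.io/microcks/microcks-cli:<tag>@` is executed against a malformed reference. Restoring the `DIGEST` env entry is right; keep the guard on the signing step too, `if: github.repository_owner == 'microcks' && env.PACKAGE_IMAGE == 'true'`, so OIDC-backed signing only happens for images this repository actually pushed.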
@@ -37,17 +37,9 @@ jobs: run: | ./build-binaries.sh github.com/microcks/microcks-cli - - name: Install Nancy - run: | - NANCY_VERSION=v0.0.44 - curl -sSfL https://github.com/sonatype-nexus-community/nancy/releases/download/${NANCY_VERSION}/nancy-linux.amd64-${NANCY_VERSION} -o nancy - chmod +x nancy - sudo mv nancy /usr/local/bin/nancy - - name: Run Nancy run: | - export PATH=$PATH:/usr/local/bin - nancy sleuth + go list -json -deps ./... | docker run --rm -i sonatypecommunity/nancy:latest sleuth - name: Set environment for branch run: | @@ -108,4 +100,4 @@ jobs: for tag in ${TAGS}; do images+="${tag}@${DIGEST} " done - cosign sign --yes ${images} + cosign sign --yes ${images} \ No newline at end of file From 61fe994dc0b759e68f62a299ccd75c43dd7e9820 Mon Sep 17 00:00:00 2001 From: Devansh Gaur <122698012+devznsh@users.noreply.github.com> Date: Sat, 15 Feb 2025 02:25:58 +0530 Subject: [PATCH 14/15] Update build-verify.yml --- .github/workflows/build-verify.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build-verify.yml b/.github/workflows/build-verify.yml index 3e52b4c..39de9c6 100644 --- a/.github/workflows/build-verify.yml +++ b/.github/workflows/build-verify.yml @@ -100,4 +100,4 @@ jobs: for tag in ${TAGS}; do images+="${tag}@${DIGEST} " done - cosign sign --yes ${images} \ No newline at end of file + cosign sign --yes ${images} From e2f340611b4e03fb2d1436de0379f760e3de2f28 Mon Sep 17 00:00:00 2001 From: Devansh Gaur <122698012+devznsh@users.noreply.github.com> Date: Sat, 15 Feb 2025 02:33:21 +0530 Subject: [PATCH 15/15] Update build-verify.yml --- .github/workflows/build-verify.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build-verify.yml b/.github/workflows/build-verify.yml index 39de9c6..36cc783 100644 --- a/.github/workflows/build-verify.yml +++ b/.github/workflows/build-verify.yml 
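Review bot: `docker run --rm -i sonatypecommunity/nancy:latest sleuth` in the Run Nancy step pulls a mutable tag, so the scanner is resolved fresh on every run and can change under the workflow; pin the image by digest, `sonatypecommunity/nancy@sha256:<IMAGE_DIGEST>` (placeholder). In the same line a failure of `go list -json -deps ./...` is masked, because with no `shell:` declared the step runs under `bash -e` without `pipefail`, so nancy would scan an empty list and the step passes green; add `shell: bash` to the step, which enables `pipefail`, or open the script with `set -o pipefail`. Feeding the module list through stdin does fix the earlier patches' empty `nancy sleuth` invocation.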
@@ -14,7 +14,7 @@ on: - '*.md' permissions: contents: read - id-token: write # needed for signing the images with GitHub OIDC Token + id-token: write jobs: build-verify-package:
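Review bot: The comment removed from `id-token: write` was the only in-file justification for granting the workflow an OIDC token, and `permissions` is the stanza a reviewer reads first when auditing what a workflow may do; deleting it leaves a sensitive grant unexplained while the cosign step that needs it sits far below in the file. Keep the rationale, e.g. `id-token: write # needed for signing the images with GitHub OIDC Token (cosign)`, or place it on a comment line directly above the key.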