Checkmarx · cx-ricardo-jesus · Apr 22, 2026 · Apr 22, 2026 · Apr 22, 2026
diff --git a/.github/workflows/alert-update-terraform-modules.yaml b/.github/workflows/alert-update-terraform-modules.yaml
@@ -24,11 +24,17 @@ jobs:
           python3 -u .github/scripts/watchers/terraform-modules-update.py \
             -c assets/libraries/common.json \
             -u https://registry.terraform.io/v1/modules
+      - name: Generate KICS Bot token
+        id: kics-bot-token
+        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 #v3.1.1
+        with:
+          client-id: ${{ vars.GH_APP_KICSAPP_CLIENT_ID }}
+          private-key: ${{ secrets.GH_APP_KICSAPP_PRIVATE_KEY }}
       - name: Create Pull Request
         uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v6
         with:
           title: "feat(queries): update terraform registry data on commons.json"
-          token: ${{ secrets.KICS_BOT_PAT }}
+          token: ${{ steps.kics-bot-token.outputs.token }}
           commit-message: "feat(queries): update terraform registry data on commons.json"
           delete-branch: true
           branch: feature/kicsbot-update-queries-docs

diff --git a/.github/workflows/check-apache-license.yaml b/.github/workflows/check-apache-license.yaml
@@ -21,10 +21,16 @@ jobs:
       if: env.USERNAME != 'kicsbot' && env.USERNAME != 'dependabot[bot]'
       run: |
         echo "$BODY" | grep -iPq "^I submit this contribution under the Apache-2.0 license.$" || echo "CHECK_FAILED=true" >> $GITHUB_ENV
+    - name: Generate KICS Bot token
+      id: kics-bot-token
+      uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 #v3.1.1
+      with:
+        client-id: ${{ vars.GH_APP_KICSAPP_CLIENT_ID }}
+        private-key: ${{ secrets.GH_APP_KICSAPP_PRIVATE_KEY }}
     - name: Check for comment tag
       if: env.CHECK_FAILED != 'true'
       run: |
-        comments=$(curl -s -H "Authorization: token ${{ secrets.KICS_BOT_PAT }}" \
+        comments=$(curl -s -H "Authorization: token ${{ steps.kics-bot-token.outputs.token }}" \
             -X GET "https://api.github.com/repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/comments")
         if echo "$comments" | grep -q "apache_license"; then
           echo "TAG_EXISTS=true" >> $GITHUB_ENV
@@ -39,7 +45,7 @@ jobs:
           Deleting comment...
         comment-tag: apache_license
         mode: delete
-        github-token: ${{ secrets.KICS_BOT_PAT }}
+        github-token: ${{ steps.kics-bot-token.outputs.token }}
     - name: Add comment if no license
       if: env.CHECK_FAILED == 'true'
       uses: thollander/actions-comment-pull-request@e4a76dd2b0a3c2027c3fd84147a67c22ee4c90fa
@@ -48,7 +54,7 @@ jobs:
         comment-tag: apache_license
         mode: recreate
         create-if-not-exists: true
-        github-token: ${{ secrets.KICS_BOT_PAT }}
+        github-token: ${{ steps.kics-bot-token.outputs.token }}
     - name: Workflow failed
       if: env.CHECK_FAILED == 'true'
       run: exit 1
diff --git a/.github/workflows/go-generate-antlr-parser.yaml b/.github/workflows/go-generate-antlr-parser.yaml
@@ -25,11 +25,17 @@ jobs:
       - name: Generate Parser
         run: |
           docker run --rm -u $(id -u ${USER}):$(id -g ${USER}) -v $(pwd)/pkg/parser/jsonfilter:/work -it antlr4-generator:dev
+      - name: Generate KICS Bot token
+        id: kics-bot-token
+        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 #v3.1.1
+        with:
+          client-id: ${{ vars.GH_APP_KICSAPP_CLIENT_ID }}
+          private-key: ${{ secrets.GH_APP_KICSAPP_PRIVATE_KEY }}
       - name: Create Pull Request
         uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v6
         with:
           title: "chore(parser): updating AWS jsonfilter ANTLR generated parser"
-          token: ${{ secrets.KICS_BOT_PAT }}
+          token: ${{ steps.kics-bot-token.outputs.token }}
           commit-message: "chore(parser): updating AWS jsonfilter ANTLR generated parser"
           delete-branch: true
           branch: feature/kicsbot-update-jsonfilter-parser

diff --git a/.github/workflows/mkdocs.yml b/.github/workflows/mkdocs.yml
@@ -14,10 +14,17 @@ jobs:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
+      - name: Generate KICS Bot token
+        id: kics-bot-token
+        if: always()
+        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 #v3.1.1
+        with:
+          client-id: ${{ vars.GH_KICS_CLIENT_ID }}
+          private-key: ${{ secrets.GH_KICS_APPLICATION_KEY }}
       - uses: toko-bifrost/ms-teams-deploy-card@dcc94e4ce4088b1e6b6de5c9a3cda4ddcbe97d2e # 3.1.2
         if: always()
         with:
-          github-token: ${{ secrets.KICS_BOT_PAT }}
+          github-token: ${{ steps.kics-bot-token.outputs.token }}
           webhook-uri: ${{ secrets.MSTEAMS_WEBHOOK_URL }}
           card-layout-start: cozy
           card-layout-exit: complete

diff --git a/.github/workflows/prepare-release.yaml b/.github/workflows/prepare-release.yaml
@@ -26,11 +26,17 @@ jobs:
           sed -E -i "s/<h4>Version \d+(\.\d+)*<\/h4>/<h4>Version ${{ github.event.inputs.version }}<\/h4>/" docs/index.md
           sed -E -i "s/(<p.*>)[0-9]{4}\.[0-9]{2}\.[0-9]{2}<p>/\1${{ steps.cdate.outputs.date }}<p>/" docs/index.md
           sed -E -i "s/(<a.*href=\"https:\/\/github.com\/Checkmarx\/kics\/releases\/download\/).*(\/kics_).*(_[a-z]+_.*>)/\1v${{ github.event.inputs.version }}\2${{ github.event.inputs.version }}\3/g" docs/index.md
+      - name: Generate KICS Bot token
+        id: kics-bot-token
+        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 #v3.1.1
+        with:
+          client-id: ${{ vars.GH_APP_KICSAPP_CLIENT_ID }}
+          private-key: ${{ secrets.GH_APP_KICSAPP_PRIVATE_KEY }}
       - name: Create pull request
         uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v6
         with:
           title: "docs(kicsbot): preparing for release ${{ github.event.inputs.version }}"
-          token: ${{ secrets.KICS_BOT_PAT }}
+          token: ${{ steps.kics-bot-token.outputs.token }}
           commit-message: "docs(kicsbot): preparing for release ${{ github.event.inputs.version }}"
           delete-branch: true
           branch: feature/kicsbot-update-docs-index

diff --git a/.github/workflows/release-dkr-image.yml b/.github/workflows/release-dkr-image.yml
@@ -21,10 +21,17 @@ jobs:
         id: get-version
         run: |
           echo "::set-output name=version::$(git describe --match='v*' --tags --abbrev=0)"
+      - name: Generate KICS Bot token
+        id: kics-bot-token
+        if: always()
+        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 #v3.1.1
+        with:
+          client-id: ${{ vars.GH_APP_KICSAPP_CLIENT_ID }}
+          private-key: ${{ secrets.GH_APP_KICSAPP_PRIVATE_KEY }}
       - uses: toko-bifrost/ms-teams-deploy-card@dcc94e4ce4088b1e6b6de5c9a3cda4ddcbe97d2e # 3.1.2
         if: always()
         with:
-          github-token: ${{ secrets.KICS_BOT_PAT }}
+          github-token: ${{ steps.kics-bot-token.outputs.token }}
           webhook-uri: ${{ secrets.MSTEAMS_WEBHOOK_URL }}
           card-layout-start: cozy
           card-layout-exit: complete

diff --git a/.github/workflows/release-docker-github-actions.yaml b/.github/workflows/release-docker-github-actions.yaml
@@ -69,11 +69,17 @@ jobs:
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
+      - name: Generate KICS Bot token
+        id: kics-bot-token
+        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 #v3.1.1
+        with:
+          client-id: ${{ vars.GH_APP_KICSAPP_CLIENT_ID }}
+          private-key: ${{ secrets.GH_APP_KICSAPP_PRIVATE_KEY }}
       - name: Create Pull Request
         uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v6
         with:
           title: "docs(kicsbot): update images digest"
-          token: ${{ secrets.KICS_BOT_PAT }}
+          token: ${{ steps.kics-bot-token.outputs.token }}
           commit-message: "docs(kicsbot): update github-action image digest"
           delete-branch: true
           branch: feature/kicsbot-update-gh-actions-digest

diff --git a/.github/workflows/release-nightly.yml b/.github/workflows/release-nightly.yml
@@ -31,10 +31,17 @@ jobs:
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
+      - name: Generate KICS Bot token
+        id: kics-bot-token
+        if: always()
+        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 #v3.1.1
+        with:
+          client-id: ${{ vars.GH_APP_KICSAPP_CLIENT_ID }}
+          private-key: ${{ secrets.GH_APP_KICSAPP_PRIVATE_KEY }}
       - uses: toko-bifrost/ms-teams-deploy-card@dcc94e4ce4088b1e6b6de5c9a3cda4ddcbe97d2e # 3.1.2
         if: always()
         with:
-          github-token: ${{ secrets.KICS_BOT_PAT }}
+          github-token: ${{ steps.kics-bot-token.outputs.token }}
           webhook-uri: ${{ secrets.MSTEAMS_WEBHOOK_URL }}
           card-layout-start: cozy
           card-layout-exit: complete
@@ -129,10 +136,17 @@ jobs:
     steps:
       - name: Check out the repo
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Generate KICS Bot token
+        id: kics-bot-token
+        if: always()
+        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 #v3.1.1
+        with:
+          client-id: ${{ vars.GH_APP_KICSAPP_CLIENT_ID }}
+          private-key: ${{ secrets.GH_APP_KICSAPP_PRIVATE_KEY }}
       - uses: toko-bifrost/ms-teams-deploy-card@dcc94e4ce4088b1e6b6de5c9a3cda4ddcbe97d2e # 3.1.2
         if: always()
         with:
-          github-token: ${{ secrets.KICS_BOT_PAT }}
+          github-token: ${{ steps.kics-bot-token.outputs.token }}
           webhook-uri: ${{ secrets.MSTEAMS_WEBHOOK_URL }}
           card-layout-start: cozy
           card-layout-exit: complete
@@ -236,7 +250,7 @@ jobs:
         uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v6
         with:
           title: "docs(kicsbot): update images digest"
-          token: ${{ secrets.KICS_BOT_PAT }}
+          token: ${{ steps.kics-bot-token.outputs.token }}
           commit-message: "docs(kicsbot): update images digest"
           delete-branch: true
           branch: feature/kicsbot-update-queries-docs

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -13,10 +13,17 @@
 #         uses: actions/checkout@v2.3.4
 #         with:
 #           fetch-depth: 0
+#       - name: Generate KICS Bot token
+#        id: kics-bot-token
+#        if: always()
+#        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 #v3.1.1
+#        with:
+#          client-id: ${{ vars.GH_APP_KICSAPP_CLIENT_ID }}
+#          private-key: ${{ secrets.GH_APP_KICSAPP_PRIVATE_KEY }}
 #       - uses: toko-bifrost/ms-teams-deploy-card@master
 #         if: always()
 #         with:
-#           github-token: ${{ secrets.KICS_BOT_PAT }}
+#           github-token: ${{ steps.kics-bot-token.outputs.token }}
 #           webhook-uri: ${{ secrets.MSTEAMS_WEBHOOK_URL }}
 #           card-layout-start: cozy
 #           card-layout-exit: complete
@@ -38,6 +45,6 @@
 #           args: release --rm-dist --timeout 120m
 #         env:
 #           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-#           KICS_BOT_PAT: ${{ secrets.KICS_BOT_PAT }}
+#           KICS_BOT_TOKEN: ${{ steps.kics-bot-token.outputs.token }}
 #           SENTRY_DSN: ${{ secrets.SENTRY_DSN }}
 #           DESCRIPTIONS_URL: ${{ secrets.DESCRIPTIONS_URL }}
diff --git a/.github/workflows/update-docs-queries.yaml b/.github/workflows/update-docs-queries.yaml
@@ -38,11 +38,17 @@ jobs:
             -f md \
             --t .github/scripts/docs-generator/query-page-generator/templates/query-page-template.md \
             --df
+      - name: Generate KICS Bot token
+        id: kics-bot-token
+        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 #v3.1.1
+        with:
+          client-id: ${{ vars.GH_APP_KICSAPP_CLIENT_ID }}
+          private-key: ${{ secrets.GH_APP_KICSAPP_PRIVATE_KEY }}
       - name: Create Pull Request
         uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v6
         with:
           title: "docs(queries): update queries catalog"
-          token: ${{ secrets.KICS_BOT_PAT }}
+          token: ${{ steps.kics-bot-token.outputs.token }}
           commit-message: "docs(queries): update queries catalog"
           delete-branch: true
           branch: feature/kicsbot-update-queries-docs

diff --git a/.github/workflows/update-infra-version.yaml b/.github/workflows/update-infra-version.yaml
@@ -15,15 +15,21 @@ jobs:
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
+      - name: Generate KICS Bot token
+        id: kics-bot-token
+        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 #v3.1.1
+        with:
+          client-id: ${{ vars.GH_APP_KICSAPP_CLIENT_ID }}
+          private-key: ${{ secrets.GH_APP_KICSAPP_PRIVATE_KEY }}
       - name: Update Terraform Cloud Integration
         uses: peter-evans/repository-dispatch@ff45666b9427631e3450c54a1bcbee4d9ff4d7c0 # v3
         with:
-          token: ${{ secrets.KICS_BOT_PAT }}
+          token: ${{ steps.kics-bot-token.outputs.token }}
           repository: ${{ secrets.TFC_REPO_PATH }}
           event-type: new-release
       - name: Update Infra
         uses: peter-evans/repository-dispatch@ff45666b9427631e3450c54a1bcbee4d9ff4d7c0 # v3
         with:
-          token: ${{ secrets.KICS_BOT_PAT }}
+          token: ${{ steps.kics-bot-token.outputs.token }}
           repository: ${{ secrets.INFRA_REPO }}
           event-type: new-release
diff --git a/.github/workflows/update-install-script.yaml b/.github/workflows/update-install-script.yaml
@@ -49,11 +49,17 @@ jobs:
         shell: python3 {0}
       - name: Update install.sh
         run: ./.bin/godownloader --repo Checkmarx/kics <(echo ${{ steps.outputs.filter.goreleaser }}) > install.sh
+      - name: Generate KICS Bot token
+        id: kics-bot-token
+        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 #v3.1.1
+        with:
+          client-id: ${{ vars.GH_APP_KICSAPP_CLIENT_ID }}
+          private-key: ${{ secrets.GH_APP_KICSAPP_PRIVATE_KEY }}
       - name: Create Pull Request
         uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v6
         with:
           title: "chore(install): update install script"
-          token: ${{ secrets.KICS_BOT_PAT }}
+          token: ${{ steps.kics-bot-token.outputs.token }}
           delete-branch: true
           commit-message: "chore(install): update install script"
           branch: feature/kicsbot-update-install-script

diff --git a/.github/workflows/update_software_versions.yml b/.github/workflows/update_software_versions.yml
@@ -23,12 +23,18 @@ jobs:
         with:
           files: |
              *.json
+      - name: Generate KICS Bot token
+        id: kics-bot-token
+        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 #v3.1.1
+        with:
+          client-id: ${{ vars.GH_APP_KICSAPP_CLIENT_ID }}
+          private-key: ${{ secrets.GH_APP_KICSAPP_PRIVATE_KEY }}
       - name: Create pull request
         if: steps.verify-changed-files.outputs.files_changed == 'true'
         uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v6
         with:
           title: "build(deps): updating software versions"
-          token: ${{ secrets.KICS_BOT_PAT }}
+          token: ${{ steps.kics-bot-token.outputs.token }}
           commit-message: "build(deps): updating software versions to new release"
           delete-branch: true
           branch: feature/kicsbot-software-versions

diff --git a/.github/workflows/validate-issues.yaml b/.github/workflows/validate-issues.yaml
@@ -29,11 +29,17 @@ jobs:
       run: |
         regex=$(python3 .github/scripts/pr-issue-info/get_title_types.py)
         echo "Title regex: $regex"
-        echo "$TITLE" | grep -Pq "$regex" || (echo "$ERROR_MSG" && echo "TITLE_CHECK_FAILED=true" >> $GITHUB_ENV)
+        echo "$TITLE" | grep -Pq "$regex" || (echo "$ERROR_MSG" && echo "TITLE_CHECK_FAILED=true" >> $GITHUB_ENV)    
+    - name: Generate KICS Bot token
+      id: kics-bot-token
+      uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 #v3.1.1
+      with:
+        client-id: ${{ vars.GH_APP_KICSAPP_CLIENT_ID }}
+        private-key: ${{ secrets.GH_APP_KICSAPP_PRIVATE_KEY }}
     - name: Check for comment tag
       if: env.TITLE_CHECK_FAILED != 'true'
       run: |
-        comments=$(curl -s -H "Authorization: token ${{ secrets.KICS_BOT_PAT }}" \
+        comments=$(curl -s -H "Authorization: token ${{ steps.kics-bot-token.outputs.token }}" \
             -X GET "https://api.github.com/repos/${{ github.repository }}/issues/${{ github.event.issue.number }}/comments")
         if echo "$comments" | grep -q "title_check"; then
           echo "TAG_EXISTS=true" >> $GITHUB_ENV
@@ -48,7 +54,7 @@ jobs:
           Deleting comment, please refresh the page...
         comment-tag: title_check
         mode: delete
-        github-token: ${{ secrets.KICS_BOT_PAT }}
+        github-token: ${{ steps.kics-bot-token.outputs.token }}
     - name: Add comment if title fails
       if: env.TITLE_CHECK_FAILED == 'true'
       uses: thollander/actions-comment-pull-request@e4a76dd2b0a3c2027c3fd84147a67c22ee4c90fa
@@ -57,7 +63,7 @@ jobs:
         comment-tag: title_check
         mode: recreate
         create-if-not-exists: true
-        github-token: ${{ secrets.KICS_BOT_PAT }}
+        github-token: ${{ steps.kics-bot-token.outputs.token }}
     - name: Workflow failed
       if: env.TITLE_CHECK_FAILED == 'true'
       run: exit 1
@@ -79,9 +85,15 @@ jobs:
       run: sudo apt-get install jq
     - name: Get username
       run: echo "USERNAME=${{ github.event.issue.user.login }}" >> $GITHUB_ENV
+    - name: Generate KICS Bot token
+      id: kics-bot-token
+      uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 #v3.1.1
+      with:
+        client-id: ${{ vars.GH_APP_KICSAPP_CLIENT_ID }}
+        private-key: ${{ secrets.GH_APP_KICSAPP_PRIVATE_KEY }}
     - name: Check user username
       run: |
-        response=$(curl -s -H "Authorization: token ${{ secrets.KICS_BOT_PAT }}" "https://api.github.com/orgs/Checkmarx/teams/kics/members")
+        response=$(curl -s -H "Authorization: token ${{ steps.kics-bot-token.outputs.token }}" "https://api.github.com/orgs/Checkmarx/teams/kics/members")
         team_members=$(echo "$response" | jq -r '.[].login')
         if echo "${team_members[@]}" | grep -Pq "^$USERNAME$"; then
           echo "Contributor belongs to Checkmarx organization"