feat(security): add missing endpoints to allowlist#10495

Merged
jfagoagas merged 2 commits into master from add-more-allowed-endpoints
Mar 27, 2026

Conversation

@jfagoagas
Member

Description

Add missing endpoints to the Harden Runner allowlist.

Checklist

Community Checklist
  • This feature/issue is listed in here or roadmap.prowler.com
  • Is it assigned to me, if not, request it via the issue/feature in here or Prowler Community Slack

SDK/CLI

  • Are there new checks included in this PR? Yes / No
    • If so, do we need to update permissions for the provider? Please review this carefully.

UI

  • All issue/task requirements work as expected on the UI
  • Screenshots/Video of the functionality flow (if applicable) - Mobile (X < 640px)
  • Screenshots/Video of the functionality flow (if applicable) - Tablet (640px > X < 1024px)
  • Screenshots/Video of the functionality flow (if applicable) - Desktop (X > 1024px)
  • Ensure new entries are added to CHANGELOG.md, if applicable.

API

  • All issue/task requirements work as expected on the API
  • Endpoint response output (if applicable)
  • EXPLAIN ANALYZE output for new/modified queries or indexes (if applicable)
  • Performance test results (if applicable)
  • Any other relevant evidence of the implementation (if applicable)
  • Verify if API specs need to be regenerated.
  • Check if version updates are required (e.g., specs, Poetry, etc.).
  • Ensure new entries are added to CHANGELOG.md, if applicable.

License

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

Copilot AI review requested due to automatic review settings March 27, 2026 12:27
@jfagoagas jfagoagas requested a review from a team as a code owner March 27, 2026 12:27
@jfagoagas jfagoagas added the no-changelog Skip including change in changelog/release notes label Mar 27, 2026
@github-actions github-actions bot added the github_actions Pull requests that update GitHub Actions code label Mar 27, 2026
@github-actions
Contributor

github-actions bot commented Mar 27, 2026

Conflict Markers Resolved

All conflict markers have been successfully resolved in this pull request.

@jfagoagas jfagoagas force-pushed the add-more-allowed-endpoints branch from 3c6f24b to 53e1f17 Compare March 27, 2026 12:28
Contributor

Copilot AI left a comment


Pull request overview

This PR updates GitHub Actions workflows that use step-security/harden-runner to include additional outbound endpoints in the allowed-endpoints allowlist, aiming to prevent CI failures when egress is blocked by default.

Changes:

  • Allow GitHub release asset downloads in UI/SDK/API CodeQL workflows by adding release-assets.githubusercontent.com:443.
  • Expand the SDK tests workflow allowlist with additional third-party endpoints required during CI.
  • Add Trivy installer endpoint get.trivy.dev:443 to container scan workflows and reorder/normalize allowlists in the API container build workflow.

Reviewed changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated 1 comment.

Summary per file:

  • .github/workflows/ui-codeql.yml: Adds GitHub release assets endpoint to the CodeQL job allowlist.
  • .github/workflows/sdk-tests.yml: Adds multiple endpoints to the SDK tests allowlist (notably AWS/GCP and other third parties).
  • .github/workflows/sdk-container-checks.yml: Adds get.trivy.dev:443 for Trivy-related steps during container checks.
  • .github/workflows/sdk-codeql.yml: Adds GitHub release assets endpoint to the CodeQL job allowlist.
  • .github/workflows/api-container-checks.yml: Adds get.trivy.dev:443 for Trivy-related steps during container checks.
  • .github/workflows/api-container-build-push.yml: Reorders and completes the allowlist used during API container build/push.
  • .github/workflows/api-codeql.yml: Adds GitHub release assets endpoint and normalizes ordering in the allowlist.

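As an added example (not code from this PR or from Prowler's own workflows), a minimal job showing the Harden Runner allowlist the review summary refers to, with the two endpoints this PR adds; the workflow name, the github.com entries, the pinning comments, the image reference and the trivy-action step are assumptions.

```yaml
# Added illustration, not part of this PR. With egress-policy "block",
# any step that reaches a host missing from allowed-endpoints has its
# connection dropped and the job fails; that is the CI failure this PR
# fixes by adding the missing endpoints.
name: container-scan
on: [pull_request]

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      # Harden Runner must be the first step so that every later step's
      # outbound traffic is filtered (and logged) by it.
      - name: Harden Runner
        uses: step-security/harden-runner@v2   # pin to a full commit SHA in production
        with:
          # Roll out with "audit" first: it logs every destination the job
          # contacts without failing, which yields the allowlist for "block".
          egress-policy: block
          # host:port pairs; the last two entries are the ones this PR adds,
          # the first two are assumed (checkout and API calls need them).
          allowed-endpoints: >
            github.com:443
            api.github.com:443
            release-assets.githubusercontent.com:443
            get.trivy.dev:443

      - uses: actions/checkout@v4

      # Per the review summary, the Trivy installer is fetched from
      # get.trivy.dev; without that entry above this step cannot download it.
      - name: Scan image
        uses: aquasecurity/trivy-action@master   # pin to a full commit SHA in production
        with:
          image-ref: ghcr.io/example-org/example-image:latest   # placeholder image
          exit-code: "1"
          severity: CRITICAL,HIGH
```

If the job still fails after switching to block, the Harden Runner step summary lists the blocked destinations, which is the check to run before adding another entry.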

@jfagoagas jfagoagas merged commit 2b5d015 into master Mar 27, 2026
37 checks passed
@jfagoagas jfagoagas deleted the add-more-allowed-endpoints branch March 27, 2026 12:53