| name: Security Scan |
| |
| on: |
| push: |
| branches: [main] |
| pull_request: |
| branches: |
| - 'main' |
| - '!oss-merge-main*' |
| |
| jobs: |
| scan: |
| runs-on: ['linux', 'large'] |
| if: ${{ github.actor != 'dependabot[bot]' || github.actor != 'hc-github-team-secure-vault-core' }} |
| steps: |
| - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 |
| |
| - name: Set up Go |
| uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1 |
| with: |
| cache: false # save cache space for vault builds: https://github.com/hashicorp/vault/pull/21764 |
| go-version-file: .go-version |
| |
| - name: Set up Python |
| uses: actions/setup-python@bd6b4b6205c4dbad673328db7b31b7fab9e241c0 # v4.6.1 |
| with: |
| python-version: 3.x |
| |
| - name: Clone Security Scanner repo |
| uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 |
| with: |
| repository: hashicorp/security-scanner |
| token: ${{ secrets.HASHIBOT_PRODSEC_GITHUB_TOKEN }} |
| path: security-scanner |
| ref: 52d94588851f38a416f11c1e727131b3c8b0dd4d |
| |
| - name: Install dependencies |
| shell: bash |
| env: |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} |
| run: | |
| mkdir "$HOME/.bin" |
| cd "$GITHUB_WORKSPACE/security-scanner/pkg/sdk/examples/scan-plugin-semgrep" |
| go build -o scan-plugin-semgrep . |
| mv scan-plugin-semgrep "$HOME/.bin" |
| |
| cd "$GITHUB_WORKSPACE/security-scanner/pkg/sdk/examples/scan-plugin-codeql" |
| go build -o scan-plugin-codeql . |
| mv scan-plugin-codeql "$HOME/.bin" |
| |
| # Semgrep |
| python3 -m pip install semgrep |
| |
| # CodeQL |
| LATEST=$(gh release list --repo https://github.com/github/codeql-action | cut -f 3 | sort --version-sort | tail -n1) |
| gh release download --repo https://github.com/github/codeql-action --pattern codeql-bundle-linux64.tar.gz "$LATEST" |
| tar xf codeql-bundle-linux64.tar.gz -C "$HOME/.bin" |
| |
| # Add to PATH |
| echo "$HOME/.bin" >> "$GITHUB_PATH" |
| echo "$HOME/.bin/codeql" >> "$GITHUB_PATH" |
| |
| - name: Scan |
| id: scan |
| uses: ./security-scanner |
| # env: |
| # Note: this _should_ work, but causes some issues with Semgrep. |
| # Instead, rely on filtering in the SARIF Output step. |
| #SEMGREP_BASELINE_REF: ${{ github.base_ref }} |
| with: |
| repository: "$PWD" |
| cache-build: true |
| cache-go-modules: false |
| |
| - name: SARIF Output |
| shell: bash |
| env: |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} |
| run: | |
| cat results.sarif |
| |
| - name: Upload SARIF file |
| uses: github/codeql-action/upload-sarif@46a6823b81f2d7c67ddf123851eea88365bc8a67 # codeql-bundle-v2.13.5 |
| with: |
| sarif_file: results.sarif |