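---
name: Security Scan

# Cancel in-flight runs of this workflow for the same ref. For pull requests
# head_ref groups every push to the PR branch; for pushes to main, ref does.
concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.ref }}
  cancel-in-progress: true

on:
  push:
    branches:
      - main
  pull_request:
    branches:
      - 'main'
      - '!oss-merge-main*'

# Least-privilege GITHUB_TOKEN for the whole workflow. Nothing below writes to
# the repository; the only write this job needs is the SARIF upload into code
# scanning. Without this block the token inherits the repository default, which
# may be read/write on every scope.
permissions:
  contents: read          # actions/checkout of this repo
  security-events: write  # required by github/codeql-action/upload-sarif
  actions: read           # required by upload-sarif on private repositories

jobs:
  scan:
    runs-on: ${{ github.repository == 'hashicorp/vault' && 'ubuntu-latest' || fromJSON('["self-hosted","ondemand","os=linux","type=c6a.4xlarge"]') }}
    # The first check ensures this doesn't run on community-contributed PRs, who won't have the
    # permissions to run this job (fork PRs do not receive repository secrets, so the
    # PRODSEC_SCANNER_READ_ONLY checkout below could not succeed for them anyway).
    if: |
      ! github.event.pull_request.head.repo.fork &&
        github.actor != 'dependabot[bot]' &&
        github.actor != 'hc-github-team-secure-vault-core'
    steps:
      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

      - name: Set up Go
        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
        with:
          cache: false # save cache space for vault builds: https://github.com/hashicorp/vault/pull/21764
          go-version-file: .go-version

      - name: Set up Python
        uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
        with:
          python-version: 3.x

      - name: Clone Security Scanner repo
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          repository: hashicorp/security-scanner
          token: ${{ secrets.PRODSEC_SCANNER_READ_ONLY }}
          path: security-scanner
          # NOTE: a floating ref. Every action in this file is pinned to a commit SHA, but the
          # scanner that actually runs against the tree is whatever `main` is at run time.
          ref: main
          # The PAT is only needed for the clone itself. Left at the default, actions/checkout
          # stores it in security-scanner/.git/config for the rest of the job, i.e. while the
          # downloaded CodeQL/Semgrep tooling runs. Nothing later in the job is expected to
          # fetch or push from this checkout.
          persist-credentials: false

      - name: Install dependencies
        shell: bash
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          # `shell: bash` on GitHub runners already runs with `-e -o pipefail`.
          mkdir -p "$HOME/.bin"

          # Build the scanner's Semgrep and CodeQL plugins from the cloned repo.
          cd "$GITHUB_WORKSPACE/security-scanner/pkg/sdk/examples/scan-plugin-semgrep"
          go build -o scan-plugin-semgrep .
          mv scan-plugin-semgrep "$HOME/.bin"
          cd "$GITHUB_WORKSPACE/security-scanner/pkg/sdk/examples/scan-plugin-codeql"
          go build -o scan-plugin-codeql .
          mv scan-plugin-codeql "$HOME/.bin"

          # Semgrep: version-pinned, but not hash-pinned (no --require-hashes).
          python3 -m pip install semgrep==1.45.0

          # CodeQL CLI bundle. This tracks the newest github/codeql-action release rather
          # than a pinned tag, so unlike the SHA-pinned actions above it is neither
          # reproducible nor integrity-checked here; the upload-sarif action below is
          # pinned to codeql-bundle-v2.17.1 and may not match the CLI version scanned with.
          # `gh release list` output is tab-separated: title, type, tag, published date.
          LATEST=$(gh release list --repo https://github.com/github/codeql-action | cut -f 3 | grep codeql-bundle- | sort --version-sort | tail -n1)
          # Guard against an empty tag (e.g. if the shell options above are ever changed);
          # an empty argument would otherwise be passed to `gh release download`.
          if [ -z "$LATEST" ]; then
            echo "::error::could not determine the latest codeql-bundle release tag"
            exit 1
          fi
          gh release download --repo https://github.com/github/codeql-action --pattern codeql-bundle-linux64.tar.gz "$LATEST"
          tar xf codeql-bundle-linux64.tar.gz -C "$HOME/.bin"
          # The tarball was downloaded into the workspace (cwd is inside security-scanner/);
          # drop it so the scan step does not walk over it.
          rm -f codeql-bundle-linux64.tar.gz

          # Add to PATH. The bundle extracts to $HOME/.bin/codeql/, hence the second entry.
          echo "$HOME/.bin" >> "$GITHUB_PATH"
          echo "$HOME/.bin/codeql" >> "$GITHUB_PATH"

      - name: Scan
        id: scan
        uses: ./security-scanner
        # env:
          # Note: this _should_ work, but causes some issues with Semgrep.
          # Instead, rely on filtering in the SARIF Output step.
          # NOTE(review): the "SARIF Output" step below only prints results.sarif; no
          # baseline filtering is visible in this workflow. Confirm where (if anywhere)
          # findings are filtered against github.base_ref.
          #SEMGREP_BASELINE_REF: ${{ github.base_ref }}
        with:
          repository: "$PWD"
          cache-build: true
          cache-go-modules: false

      - name: SARIF Output
        shell: bash
        # Print the raw SARIF so findings are visible in the job log even if the upload
        # step fails or the run has no code-scanning access.
        run: |
          cat results.sarif

      - name: Upload SARIF file
        uses: github/codeql-action/upload-sarif@c4fb451437765abf5018c6fbf22cce1a7da1e5cc # codeql-bundle-v2.17.1
        with:
          sarif_file: results.sarif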