mirror of
https://github.com/hashicorp/vault.git
synced 2026-02-26 10:11:47 +01:00
b239a71934
The genesis of this PR is updating our cache action due to older actions being shut down[0]. While not mentioned in the changelog, the migration guide does call out versions <3.4.0 or <4.2.0 as too old.[1] Since I was updating cache I went ahead and updated minor versions of all our actions. [0]: https://github.blog/changelog/2024-12-05-notice-of-upcoming-releases-and-breaking-changes-for-github-actions/#actions-cache-v1-v2-and-actions-toolkit-cache-package-closing-down [1]: https://github.com/actions/cache/discussions/1510 Signed-off-by: Ryan Cragun <me@ryan.ec>
94 lines
3.2 KiB
YAML
94 lines
3.2 KiB
YAML
name: Security Scan
|
|
|
|
# cancel existing runs of the same workflow on the same ref
|
|
concurrency:
|
|
group: ${{ github.workflow }}-${{ github.head_ref || github.ref }}
|
|
cancel-in-progress: true
|
|
|
|
on:
|
|
push:
|
|
branches: [main]
|
|
pull_request:
|
|
branches:
|
|
- 'main'
|
|
- '!oss-merge-main*'
|
|
|
|
jobs:
|
|
scan:
|
|
runs-on: ${{ github.repository == 'hashicorp/vault' && 'ubuntu-latest' || fromJSON('["self-hosted","ondemand","os=linux","type=c6a.4xlarge"]') }}
|
|
# The first check ensures this doesn't run on community-contributed PRs, who won't have the
|
|
# permissions to run this job.
|
|
if: |
|
|
! github.event.pull_request.head.repo.fork &&
|
|
github.actor != 'dependabot[bot]' &&
|
|
github.actor != 'hc-github-team-secure-vault-core'
|
|
steps:
|
|
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
|
|
|
- name: Set up Go
|
|
uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
|
|
with:
|
|
cache: false # save cache space for vault builds: https://github.com/hashicorp/vault/pull/21764
|
|
go-version-file: .go-version
|
|
|
|
- name: Set up Python
|
|
uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
|
|
with:
|
|
python-version: 3.x
|
|
|
|
- name: Clone Security Scanner repo
|
|
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
|
with:
|
|
repository: hashicorp/security-scanner
|
|
token: ${{ secrets.PRODSEC_SCANNER_READ_ONLY }}
|
|
path: security-scanner
|
|
ref: main
|
|
|
|
- name: Install dependencies
|
|
shell: bash
|
|
env:
|
|
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
run: |
|
|
mkdir "$HOME/.bin"
|
|
cd "$GITHUB_WORKSPACE/security-scanner/pkg/sdk/examples/scan-plugin-semgrep"
|
|
go build -o scan-plugin-semgrep .
|
|
mv scan-plugin-semgrep "$HOME/.bin"
|
|
|
|
cd "$GITHUB_WORKSPACE/security-scanner/pkg/sdk/examples/scan-plugin-codeql"
|
|
go build -o scan-plugin-codeql .
|
|
mv scan-plugin-codeql "$HOME/.bin"
|
|
|
|
# Semgrep
|
|
python3 -m pip install semgrep==1.45.0
|
|
|
|
# CodeQL
|
|
LATEST=$(gh release list --repo https://github.com/github/codeql-action | cut -f 3 | grep codeql-bundle- | sort --version-sort | tail -n1)
|
|
gh release download --repo https://github.com/github/codeql-action --pattern codeql-bundle-linux64.tar.gz "$LATEST"
|
|
tar xf codeql-bundle-linux64.tar.gz -C "$HOME/.bin"
|
|
|
|
# Add to PATH
|
|
echo "$HOME/.bin" >> "$GITHUB_PATH"
|
|
echo "$HOME/.bin/codeql" >> "$GITHUB_PATH"
|
|
|
|
- name: Scan
|
|
id: scan
|
|
uses: ./security-scanner
|
|
# env:
|
|
# Note: this _should_ work, but causes some issues with Semgrep.
|
|
# Instead, rely on filtering in the SARIF Output step.
|
|
#SEMGREP_BASELINE_REF: ${{ github.base_ref }}
|
|
with:
|
|
repository: "$PWD"
|
|
cache-build: true
|
|
cache-go-modules: false
|
|
|
|
- name: SARIF Output
|
|
shell: bash
|
|
run: |
|
|
cat results.sarif
|
|
|
|
- name: Upload SARIF file
|
|
uses: github/codeql-action/upload-sarif@3096afedf9873361b2b2f65e1445b13272c83eb8 # TSCCR: could not find entry for github/codeql-action/upload-sarif
|
|
with:
|
|
sarif_file: results.sarif
|