Bump our action version pins to the latest versions.

- actions/checkout v6.0.1 => v6.0.2
  Tag handling improvements
- actions/download-artifact v7.0.0 => v8.0.0
  Supports automatic detection of unzipping based on Content-Type
  Enforces digest checking
  Uses ES modules
- actions/setup-go v6.2.0 => v6.3.0
  Uses go.mod for default module caching (which we don't use)
  Fixes to the download URL
- actions/upload-artifact v6.0.0 => v7.0.0
  Supports disabling automatic archiving
  Uses ES modules
- aws-actions/configure-aws-credentials v5.1.1 => v6.0.0
  Uses Node 24
- browser-actions/setup-chrome v2.1.0 => v2.1.1
  Bug fix for Node runtime version
- docker/build-push-action v6.18.0 => v6.19.2
  Internal dep updates and auth support for different GitHub servers.
- hashicorp/setup-terraform v3.1.2 => v4.0.0
  Uses Node 24

Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
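# Runs the internal security scanner (CodeQL and Semgrep plugins) against the
# repository and uploads the resulting SARIF report to GitHub code scanning.
name: Security Scan

# cancel existing runs of the same workflow on the same ref
concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.ref }}
  cancel-in-progress: true

on:
  push:
    branches:
      - main
  pull_request:
    branches:
      - 'main'
      - 'release/**'
      - 'ce/**'

jobs:
  scan:
    # NOTE(review): there is no `permissions:` block, so GITHUB_TOKEN receives the
    # repository's default grant. upload-sarif needs `security-events: write`
    # (plus `actions: read` on private repositories); a least-privilege block of
    # `contents: read` and those scopes should be confirmed against whatever the
    # scanner action itself requires before it is added.
    runs-on: ${{ github.repository == 'hashicorp/vault' && 'ubuntu-latest' || fromJSON('["self-hosted","ondemand","os=linux","type=c6a.4xlarge;c6a.2xlarge;m8a.4xlarge;c6a.8xlarge"]') }}
    # The first check ensures this doesn't run on community-contributed PRs, who won't have the
    # permissions to run this job.
    if: |
      ! github.event.pull_request.head.repo.fork &&
      github.actor != 'dependabot[bot]' &&
      github.actor != 'hc-github-team-secure-vault-core'
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Set up Go
        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          cache: false # save cache space for vault builds: https://github.com/hashicorp/vault/pull/21764
          go-version: 'stable'

      - name: Set up Python
        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
        with:
          # quoted so no YAML parser can read the value as a number
          python-version: '3.x'

      - name: Set up Security Scanner
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          repository: hashicorp/security-scanner
          # NOTE(review): actions/checkout keeps this token in
          # security-scanner/.git/config for the rest of the job
          # (persist-credentials defaults to true); set
          # `persist-credentials: false` if no later step needs it.
          token: ${{ secrets.PRODSEC_SCANNER_READ_ONLY }}
          path: security-scanner
          # NOTE(review): unlike the SHA-pinned actions above, the scanner is
          # fetched from a mutable branch; pin to a commit SHA if the internal
          # repository's history is not otherwise protected.
          ref: main

      - name: Install Security Scanner Semgrep Plugin Dependency
        shell: bash
        run: |
          python3 -m pip install semgrep==1.45.0

      - name: Scan
        id: scan
        uses: ./security-scanner
        with:
          repository: "$PWD"
          plugins: "codeql semgrep"

      - name: Read SARIF
        shell: bash
        # The step output goes through the environment instead of being
        # interpolated into the script: a `${{ }}` expression inside `run:` is
        # substituted before the shell parses the line, so any metacharacters in
        # the value would be interpreted by the shell. Quoting the variable
        # keeps the path intact as a single argument.
        env:
          SARIF_FILE: ${{ steps.scan.outputs.sarif-file-path }}
        run: |
          cat "$SARIF_FILE"

      - name: Upload SARIF
        uses: github/codeql-action/upload-sarif@3096afedf9873361b2b2f65e1445b13272c83eb8 # TSCCR: could not find entry for github/codeql-action/upload-sarif
        with:
          sarif_file: ${{ steps.scan.outputs.sarif-file-path }}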