mirror of
https://github.com/hashicorp/vault.git
synced 2026-02-10 10:21:27 +01:00
bbb95b62e0
Update our pins to the latest version. Essentially all of these are related actions needing to run on Node 24. Both our self-hosted and the Github hosted runners that we use are all on a new enough version of actions/runner that it shouldn't be a problem. Signed-off-by: Ryan Cragun <me@ryan.ec> Co-authored-by: Ryan Cragun <me@ryan.ec>
68 lines
2.1 KiB
YAML
68 lines
2.1 KiB
YAML
name: Security Scan
|
|
|
|
# cancel existing runs of the same workflow on the same ref
|
|
concurrency:
|
|
group: ${{ github.workflow }}-${{ github.head_ref || github.ref }}
|
|
cancel-in-progress: true
|
|
|
|
on:
|
|
push:
|
|
branches: [main]
|
|
pull_request:
|
|
branches:
|
|
- 'main'
|
|
- '!oss-merge-main*'
|
|
|
|
jobs:
|
|
scan:
|
|
runs-on: ${{ github.repository == 'hashicorp/vault' && 'ubuntu-latest' || fromJSON('["self-hosted","ondemand","os=linux","type=c6a.4xlarge"]') }}
|
|
# The first check ensures this doesn't run on community-contributed PRs, who won't have the
|
|
# permissions to run this job.
|
|
if: |
|
|
! github.event.pull_request.head.repo.fork &&
|
|
github.actor != 'dependabot[bot]' &&
|
|
github.actor != 'hc-github-team-secure-vault-core'
|
|
steps:
|
|
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
|
|
|
|
- name: Set up Go
|
|
uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
|
|
with:
|
|
cache: false # save cache space for vault builds: https://github.com/hashicorp/vault/pull/21764
|
|
go-version-file: .go-version
|
|
|
|
- name: Set up Python
|
|
uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
|
|
with:
|
|
python-version: 3.x
|
|
|
|
- name: Set up Security Scanner
|
|
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
|
|
with:
|
|
repository: hashicorp/security-scanner
|
|
token: ${{ secrets.PRODSEC_SCANNER_READ_ONLY }}
|
|
path: security-scanner
|
|
ref: main
|
|
|
|
- name: Install Security Scanner Semgrep Plugin Dependency
|
|
shell: bash
|
|
run: |
|
|
python3 -m pip install semgrep==1.45.0
|
|
|
|
- name: Scan
|
|
id: scan
|
|
uses: ./security-scanner
|
|
with:
|
|
repository: "$PWD"
|
|
plugins: "codeql semgrep"
|
|
|
|
- name: Read SARIF
|
|
shell: bash
|
|
run: |
|
|
cat ${{ steps.scan.outputs.sarif-file-path }}
|
|
|
|
- name: Upload SARIF
|
|
uses: github/codeql-action/upload-sarif@3096afedf9873361b2b2f65e1445b13272c83eb8 # TSCCR: could not find entry for github/codeql-action/upload-sarif
|
|
with:
|
|
sarif_file: ${{ steps.scan.outputs.sarif-file-path }}
|