security: fine tune security-scanner to reduce false-positives (#20465)

Resolve scan job runner Resolve linting alerts adding EOF on files adding EOF on gitignore too add hclfmt and bump action versions update scan.hcl comments Co-authored-by: Tim Gross <tgross@hashicorp.com> fix typo move scan.hcl file and paths-ignore for scans change action runner use org secret to checkout typo change runner use hashicorp/setup-golang@v3 Co-authored-by: Tim Gross <tgross@hashicorp.com> pin the github action sha
2026-01-01 16:05:42 +03:00 · 2024-09-18 16:55:39 -04:00
parent ec81e7c57c
commit 52f0b40f4c
5 changed files with 148 additions and 5 deletions
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -1,3 +1,6 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: BUSL-1.1
+
 version: 2
 updates:
  - package-ecosystem: gomod
@@ -37,3 +40,13 @@ updates:
    labels:
      - "theme/dependencies"
      - "theme/website"
+  - package-ecosystem: github-actions
+    open-pull-requests-limit: 5
+    directory: /
+    labels:
+      - "theme/dependencies"
+      - "theme/ci"
+    schedule:
+      interval: "weekly"
+      day: "sunday"
+      time: "09:00"
--- a/.github/scan.hcl
+++ b/.github/scan.hcl
@@ -0,0 +1,55 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: BUSL-1.1
+
+# Configuration for security scanner.
+# Run on PRs and pushes to `main` and `release/**` branches.
+# See .github/workflows/security-scan.yml for CI config.
+
+# To run manually, install scanner and then run `scan repository .`
+
+# Scan results are triaged via the GitHub Security tab for this repo.
+# See `security-scanner` docs for more information on how to add `triage` config
+# for specific results or to exclude paths.
+
+# This file controls scanning the repository only, not release artifacts. See
+# .release/security-scan.hcl for the scanner config for release artifacts, which
+# will block releases.
+
+repository {
+  go_modules             = true
+  npm                    = true
+  osv                    = true
+  go_stdlib_version_file = ".go-version"
+
+  secrets {
+    all               = true
+    skip_path_strings = ["/website/content/"]
+  }
+
+  github_actions {
+    pinned_hashes = true
+  }
+
+  dependabot {
+    required     = true
+    check_config = true
+  }
+
+  dockerfile {
+    pinned_hashes = true
+    curl_bash     = true
+  }
+
+  # Triage items that are _safe_ to ignore here. Note that this list should be
+  # periodically cleaned up to remove items that are no longer found by the scanner.
+  triage {
+    suppress {
+      paths = [
+        "ui/tests/*",
+        "internal/testing/*",
+        "testutil/*",
+        "website/content/*",
+      ]
+    }
+  }
+}
--- a/.github/workflows/security-scan.yml
+++ b/.github/workflows/security-scan.yml
@@ -0,0 +1,67 @@
+name: Security Scan
+
+on:
+  push:
+    branches:
+      - main
+      - release/**
+    paths-ignore:
+      - 'README.md'
+      - 'CHANGELOG.md'
+      - '.changelog/**'
+      - '.tours/**'
+      - 'contributing/**'
+  pull_request:
+    branches:
+      - main
+      - release/**
+    paths-ignore:
+      - 'README.md'
+      - 'CHANGELOG.md'
+      - '.changelog/**'
+      - '.tours/**'
+      - 'contributing/**'
+
+# cancel existing runs of the same workflow on the same ref
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  scan:
+    runs-on: ${{ endsWith(github.repository, '-enterprise') && fromJSON('["self-hosted", "ondemand", "linux"]') || 'ubuntu-22.04' }}
+    # The first check ensures this doesn't run on community-contributed PRs, who
+    # won't have the permissions to run this job.
+    if: ${{ (github.repository != 'hashicorp/nomad' || (github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name))
+      && (github.actor != 'dependabot[bot]') && (github.actor != 'hc-github-team-nomad-core') }}
+
+    steps:
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - uses: hashicorp/setup-golang@36878950ae8f21c1bc25accaf67a4df88c29b01d # v3
+
+      - name: Clone Security Scanner repo
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        with:
+          repository: hashicorp/security-scanner
+          token: ${{ secrets.PRODSEC_SCANNER_READ_ONLY }}
+          path: security-scanner
+          ref: main
+
+      - name: Scan
+        id: scan
+        uses: ./security-scanner
+        with:
+          repository: "$PWD"
+        env:
+          SECURITY_SCANNER_CONFIG_FILE: .github/scan.hcl
+          # See scan.hcl at repository .github location for config.
+
+      - name: SARIF Output
+        shell: bash
+        run: |
+          jq . < results.sarif
+
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@8fd294e26a0e458834582b0fe4988d79966c7c0a # codeql-bundle-v2.18.4
+        with:
+          sarif_file: results.sarif
--- a/.gitignore
+++ b/.gitignore
@@ -134,3 +134,6 @@ e2e/remotetasks/input/ecs.vars

 # Tools files
 tools/missing/missing
+
+# allow security scanner file
+!scan.hcl
--- a/.release/security-scan.hcl
+++ b/.release/security-scan.hcl
@@ -2,20 +2,25 @@
 # SPDX-License-Identifier: BUSL-1.1

 container {
+  local_daemon = true
+
  secrets {
-    all = false
+    all               = true
+    skip_path_strings = ["/website/content/"]
  }

-  dependencies    = false
-  alpine_security = false
+  dependencies    = true
+  alpine_security = true
 }

 binary {
  go_modules = true
-  osv        = false
+  osv        = true
+  go_stdlib  = true
  nvd        = false

  secrets {
-    all = true
+    all               = true
+    skip_path_strings = ["/website/content/"]
  }
 }