From 52f0b40f4c3a670ffa00bc8f87ad5a15c82c02e8 Mon Sep 17 00:00:00 2001
From: Deniz Onur Duzgun <59659739+dduzgun-security@users.noreply.github.com>
Date: Wed, 18 Sep 2024 16:55:39 -0400
Subject: [PATCH] security: fine tune security-scanner to reduce false-positives (#20465) Resolve scan job runner Resolve linting alerts adding EOF on files adding EOF on gitignore too add hclfmt and bump action versions update scan.hcl comments Co-authored-by: Tim Gross fix typo move scan.hcl file and paths-ignore for scans change action runner use org secret to checkout typo change runner use hashicorp/setup-golang@v3 Co-authored-by: Tim Gross pin the github action sha
---
 .github/dependabot.yml | 13 ++++++
 .github/scan.hcl | 55 +++++++++++++++++++++++
 .github/workflows/security-scan.yml | 67 +++++++++++++++++++++++++++++
 .gitignore | 3 ++
 .release/security-scan.hcl | 15 ++++---
 5 files changed, 148 insertions(+), 5 deletions(-)
 create mode 100644 .github/scan.hcl
 create mode 100644 .github/workflows/security-scan.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 97f8c1337536..834d834e66e3 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -1,3 +1,6 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: BUSL-1.1
+
 version: 2
 updates:
 - package-ecosystem: gomod
@@ -37,3 +40,13 @@ updates:
 labels:
 - "theme/dependencies"
 - "theme/website"
+ - package-ecosystem: github-actions
+ open-pull-requests-limit: 5
+ directory: /
+ labels:
+ - "theme/dependencies"
+ - "theme/ci"
+ schedule:
+ interval: "weekly"
+ day: "sunday"
+ time: "09:00"
diff --git a/.github/scan.hcl b/.github/scan.hcl
new file mode 100644
index 000000000000..436c9d205923
--- /dev/null
+++ b/.github/scan.hcl
@@ -0,0 +1,55 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: BUSL-1.1
+
+# Configuration for security scanner.
+# Run on PRs and pushes to `main` and `release/**` branches.
+# See .github/workflows/security-scan.yml for CI config.
+
+# To run manually, install scanner and then run `scan repository .`
+
+# Scan results are triaged via the GitHub Security tab for this repo.
+# See `security-scanner` docs for more information on how to add `triage` config
+# for specific results or to exclude paths.
+
+# This file controls scanning the repository only, not release artifacts. See
+# .release/security-scan.hcl for the scanner config for release artifacts, which
+# will block releases.
+
+repository {
+ go_modules = true
+ npm = true
+ osv = true
+ go_stdlib_version_file = ".go-version"
+
+ secrets {
+ all = true
+ skip_path_strings = ["/website/content/"]
+ }
+
+ github_actions {
+ pinned_hashes = true
+ }
+
+ dependabot {
+ required = true
+ check_config = true
+ }
+
+ dockerfile {
+ pinned_hashes = true
+ curl_bash = true
+ }
+
+ # Triage items that are _safe_ to ignore here. Note that this list should be
+ # periodically cleaned up to remove items that are no longer found by the scanner.
+ triage {
+ suppress {
+ paths = [
+ "ui/tests/*",
+ "internal/testing/*",
+ "testutil/*",
+ "website/content/*",
+ ]
+ }
+ }
+}
diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml
new file mode 100644
index 000000000000..6e5e95da1572
--- /dev/null
+++ b/.github/workflows/security-scan.yml
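Review bot: The `triage.suppress.paths` list at the end of the hunk carries no result-type filter, so it appears to silence every finding category under `ui/tests/*`, `internal/testing/*` and `testutil/*`; with `secrets { all = true }` that means a credential committed to a test fixture in those trees would not reach the Security tab. The header comment states that triage config can target specific results, so scoping these entries to the noisy result types rather than whole paths would keep secrets detection active for test code. `"website/content/*"` is also already excluded by `skip_path_strings` in the `secrets` block, so the suppress entry is redundant unless it is meant for non-secret findings as well. Since the comment promises periodic cleanup, a short comment per entry such as `# suppresses <FINDING-TYPE>, added <DATE>` (placeholders) would make that cleanup possible.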
@@ -0,0 +1,67 @@
+name: Security Scan
+
+on:
+ push:
+ branches:
+ - main
+ - release/**
+ paths-ignore:
+ - 'README.md'
+ - 'CHANGELOG.md'
+ - '.changelog/**'
+ - '.tours/**'
+ - 'contributing/**'
+ pull_request:
+ branches:
+ - main
+ - release/**
+ paths-ignore:
+ - 'README.md'
+ - 'CHANGELOG.md'
+ - '.changelog/**'
+ - '.tours/**'
+ - 'contributing/**'
+
+# cancel existing runs of the same workflow on the same ref
+concurrency:
+ group: ${{ github.workflow }}-${{ github.head_ref || github.ref }}
+ cancel-in-progress: true
+
+jobs:
+ scan:
+ runs-on: ${{ endsWith(github.repository, '-enterprise') && fromJSON('["self-hosted", "ondemand", "linux"]') || 'ubuntu-22.04' }}
+ # The first check ensures this doesn't run on community-contributed PRs, who
+ # won't have the permissions to run this job.
+ if: ${{ (github.repository != 'hashicorp/nomad' || (github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name))
+ && (github.actor != 'dependabot[bot]') && (github.actor != 'hc-github-team-nomad-core') }}
+
+ steps:
+ - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - uses: hashicorp/setup-golang@36878950ae8f21c1bc25accaf67a4df88c29b01d # v3
+
+ - name: Clone Security Scanner repo
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ with:
+ repository: hashicorp/security-scanner
+ token: ${{ secrets.PRODSEC_SCANNER_READ_ONLY }}
+ path: security-scanner
+ ref: main
+
+ - name: Scan
+ id: scan
+ uses: ./security-scanner
+ with:
+ repository: "$PWD"
+ env:
+ SECURITY_SCANNER_CONFIG_FILE: .github/scan.hcl
+ # See scan.hcl at repository .github location for config.
+
+ - name: SARIF Output
+ shell: bash
+ run: |
+ jq . < results.sarif
+
+ - name: Upload SARIF file
+ uses: github/codeql-action/upload-sarif@8fd294e26a0e458834582b0fe4988d79966c7c0a # codeql-bundle-v2.18.4
+ with:
+ sarif_file: results.sarif
diff --git a/.gitignore b/.gitignore
index 89b202277a2e..995fa494afcc 100644
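Review bot: The workflow declares no `permissions:` block, so the `GITHUB_TOKEN` the `scan` job receives falls back to the repository default, which can be broader than the `security-events: write` the `Upload SARIF file` step needs; adding `permissions: { contents: read, security-events: write }` at the top level, after `name:`, pins it to least privilege. The `Clone Security Scanner repo` checkout step leaves `secrets.PRODSEC_SCANNER_READ_ONLY` persisted in `security-scanner/.git/config` by default, where the following `Scan` step (which runs that same checkout against `"$PWD"`) and any later step can read it; `persist-credentials: false` under that step's `with:` keeps the PAT off disk. `repository: "$PWD"` is an action input, which GitHub does not shell-expand, so unless the scanner's own entrypoint expands it the literal string `$PWD` reaches the scanner — worth confirming against the action definition, or replacing with `${{ github.workspace }}`. The `ref: main` on the scanner checkout is also the one unpinned reference in a workflow whose other actions are pinned by SHA, which the commit message's "pin the github action sha" intent suggests was meant to cover.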
--- a/.gitignore
+++ b/.gitignore
@@ -134,3 +134,6 @@ e2e/remotetasks/input/ecs.vars # Tools files tools/missing/missing
+
+# allow security scanner file
+!scan.hcl
diff --git a/.release/security-scan.hcl b/.release/security-scan.hcl
index 97a0b4a78ae5..0e192490d808 100644
--- a/.release/security-scan.hcl
+++ b/.release/security-scan.hcl
@@ -2,20 +2,25 @@ # SPDX-License-Identifier: BUSL-1.1 container { + local_daemon = true + + secrets { - all = false + all = true + skip_path_strings = ["/website/content/"] } - dependencies = false - alpine_security = false + dependencies = true + alpine_security = true } binary { go_modules = true - osv = false + osv = true + go_stdlib = true nvd = false secrets { - all = true + all = true + skip_path_strings = ["/website/content/"] } }
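Review bot: In the `.release/security-scan.hcl` hunk, `nvd = false` is now the only check in the `binary` block left disabled and nothing in the file records why, so the next person reducing false positives cannot tell a deliberate choice from an oversight; a comment directly above it such as `# nvd: intentionally off — <REASON>` (placeholder) would settle that. The `.github/scan.hcl` header added in this same commit says this file's findings block releases, so flipping `dependencies`, `alpine_security` and `osv` to `true` turns previously silent categories into release blockers; that is presumably intended, but a one-line comment at the top of `container` saying so would help whoever triages the first blocked release. The `- all = true` / `+ all = true` pair in `binary.secrets` appears to be a formatting-only change and is fine.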