[pull] master from accurics:master

.github/CODEOWNERS

@@ -0,0 +1,14 @@
+# .github/CODEOWNERS
+# This file designates required PR reviewers for this repository
+# https://help.github.com/articles/about-codeowners/
+
+*       @tenable/terrascan-maintainers @bkizer-tenable
+
+*.rego  @tenable/terrascan-policy-maintainers
+
+*.go    @tenable/terrascan-maintainers
+
+/pkg/   @tenable/terrascan-maintainers
+
+/pkg/policies/opa/rego/ @tenable/terrascan-policy-maintainers
+/sonar-project.properties @tenable/infosec

.github/SECURITY.md

@@ -0,0 +1,39 @@
+# Security Policies and Procedures
+
+This document outlines security procedures and general policies for the `Terrascan`
+project.
+
+  * [Contributing](../CONTRIBUTING.md)
+
+## Reporting an Issue
+
+The `Terrascan` team and community take all security issues in `Terrascan` seriously.
+Thank you for improving the security of `Terrascan`. We appreciate your efforts and
+responsible disclosure and will make every effort to acknowledge your
+contributions.
+
+Report security bugs by emailing the team at vulnreport@tenable.com.
+
+The team will acknowledge your email within 48 hours, and will send a
+more detailed response within 48 hours after acknowledgement indicating the next steps in handling your report. After the initial reply to your report, the security team will
+keep you informed of the progress towards a fix and full
+announcement, and may ask for additional information or guidance.
+
+Report security bugs in third-party modules to the person or team maintaining
+the module.
+
+## Disclosure Policy
+
+When the security team receives a security bug report, they will assign it to a
+primary handler. This person will coordinate the fix and release process,
+involving the following steps:
+
+  * Confirm the problem and determine the affected versions.
+  * Audit code to find any potential similar problems.
+  * Prepare fixes for all releases still under maintenance. These fixes will be
+    released as fast as possible to npm.
+
+## Comments on this Policy
+
+If you have suggestions on how this process could be improved please submit a
+pull request.

.github/dependabot.yml

@@ -15,3 +15,8 @@ updates:
     directory: "/build"
     schedule:
       interval: "daily"
+
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: daily

.github/workflows/gobuild.yml

@@ -11,64 +11,75 @@ jobs:
       GO111MODULE: on
       GOPATH: /home/runner/work/terrascan
       GOBIN: /home/runner/work/terrascan/bin
-      GO_VERSION: 1.16
+      GO_VERSION: 1.21
       AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID_TEST }}
       AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY_TEST }}
       AWS_REGION: ${{ secrets.AWS_REGION_TEST }}
-      AZURE_AUTH_TEST_SECRET:  ${{ secrets.AZURE_AUTH_TEST_KEY }}
-      GOOGLE_APPLICATION_CREDENTIALS_TEST_SECRET:  ${{ secrets.GOOGLE_APPLICATION_CREDENTIALS_TEST_KEY }}
+      AZURE_AUTH_TEST_SECRET: ${{ secrets.AZURE_AUTH_TEST_KEY }}
+      GOOGLE_APPLICATION_CREDENTIALS_TEST_SECRET: ${{ secrets.GOOGLE_APPLICATION_CREDENTIALS_TEST_KEY }}
     steps:
-    - name: Checkout Terrascan
-      uses: actions/checkout@v2
-
-    - name: Setup Go
-      uses: actions/setup-go@v1
-      with:
-        go-version: ${{ env.GO_VERSION }}
+      - name: Checkout Terrascan
+        uses: actions/checkout@v3
 
-    - name: Install golint
-      run: go get -u golang.org/x/lint/golint
+      - name: Setup Go
+        uses: actions/setup-go@v4
+        with:
+          go-version: ${{ env.GO_VERSION }}
 
-    - name: Go validations
-      run: make validate
+      - name: Install golint
+        run: go install golang.org/x/lint/golint@latest
 
-    - name: Build Terrascan
-      run: make build
+      - name: Build Terrascan docker image
+        run: make docker-build
 
-    - name: Run unit tests
-      run: make unit-tests
-
-    - name: install kind
-      run: make install-kind
+      - name: Go validations
+        run: make validate
 
-    - name: Run e2e tests
-      run: make e2e-tests
+      - name: Build Terrascan
+        run: make build
 
-    - name: Run e2e vulnerability tests
-      if: ${{ github.event_name == 'push'|| github.event_name == 'schedule' }}
-      run: make e2e-vulnerability-tests
+      - name: Run unit tests
+        run: make unit-tests
 
-    - name: Upload coverage to Codecov
-      uses: codecov/codecov-action@v1
+      - name: install kind
+        run: make install-kind
+
+      - name: Run e2e tests
+        run: make e2e-tests
+
+      - name: Run e2e vulnerability tests
+        if: ${{  (github.event_name == 'push'|| github.event_name == 'schedule') && github.actor != 'dependabot[bot]' }}
+        run: make e2e-vulnerability-tests
+
+      - name: Upload coverage to Codecov
+        uses: codecov/codecov-action@v1
 
   # push image to Docker Hub
   push:
     # Ensure "validate" job passes before pushing image.
     needs: validate
 
     runs-on: ubuntu-latest
-    if: github.event_name == 'push'
+    if: github.event_name == 'push' && github.ref == 'refs/heads/master'
 
     steps:
-    - name: Checkout Terrascan
-      uses: actions/checkout@v2
+      - name: Checkout Terrascan
+        uses: actions/checkout@v3
+
+      - uses: docker/setup-qemu-action@v2
+
+      - name: Login to Artifactory
+        run: docker login --username svc_terrascan --password ${{ secrets.ARTIFACTORY_API_TOKEN }}  https://docker-terrascan-local.artifactory.eng.tenable.com
 
-    - name: Build Terrascan docker image
-      run: make docker-build
+      - name: Build latest docker image
+        run: make docker-build-push-latest
+        env:
+          MULTIPLATFORM: true
 
-    - name: Login to docker hub
-      run: echo "${{ secrets.DOCKER_HUB_TOKEN }}" | docker login -u accurics --password-stdin
+      - name: Pull Image
+        run:  docker pull docker-terrascan-local.artifactory.eng.tenable.com/tenb-cb:latest
 
-    - name: Push Terrascan latest docker image
-      if: ${{ github.ref == 'refs/heads/master' }}
-      run: make docker-push-latest
+      - name: Run scan
+        run: |
+          image_tag=$(<dockerhub-image-label.txt)
+          docker run -e JKN_USERNAME=${{ secrets.JKN_USERNAME }} -e JKN_PASSWORD=${{ secrets.JKN_PASSWORD }} -t docker-terrascan-local.artifactory.eng.tenable.com/tenb-cb:latest jobs execute-job  --credential-mode env -n teams-deleng-terraform -p deleng-terraform/dockerhub-publish -d "{\"APPID\":\"2054\", \"IMAGE\":\"docker-terrascan-local.artifactory.eng.tenable.com/terrascan:${image_tag}\", \"TARGETS\": \"tenable/terrascan:latest\", \"MULTIARCH\":\"true\"}" --cloudflare-access-secret ${{ secrets.CF_ACCESS_TOKEN }}:${{ secrets.CF_SECRET }}

.github/workflows/release.yml

@@ -3,31 +3,28 @@ name: release
 on:
   push:
     tags:
-      - '*'
+      - "*"
 
 jobs:
   release:
     runs-on: ubuntu-latest
     env:
       GO111MODULE: on
-      GO_VERSION: 1.16
+      GO_VERSION: 1.21
     steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v2
+      - name: Checkout
+        uses: actions/checkout@v3
         with:
           fetch-depth: 0
-      -
-        name: Set up Go
-        uses: actions/setup-go@v2
+      - name: Set up Go
+        uses: actions/setup-go@v4
         with:
           go-version: ${{ env.GO_VERSION }}
-      -
-        name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@v2
+      - name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@v3
         with:
           version: latest
-          args: release --rm-dist
+          args: release --clean
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
@@ -36,20 +33,31 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - name: Checkout Terrascan
-      uses: actions/checkout@v2
+      - name: Checkout Terrascan
+        uses: actions/checkout@v3
 
-    - name: Build Terrascan docker image
-      run: make docker-build
+      - uses: docker/setup-qemu-action@v2
 
-    - name: Login to docker hub
-      run: echo "${{ secrets.DOCKER_HUB_TOKEN }}" | docker login -u accurics --password-stdin
+      - name: Login to Artifactory
+        run: docker login --username svc_terrascan --password ${{ secrets.ARTIFACTORY_API_TOKEN }}  https://docker-terrascan-local.artifactory.eng.tenable.com
 
-    - name: Push Terrascan latest tag docker image
-      run: make docker-push-latest-tag
+      - name: Build Terrascan latest tag docker image
+        run: make docker-build-push-latest-tag
+        env:
+          MULTIPLATFORM: true
+
+      - name: Pull latest Image
+        run:  docker pull docker-terrascan-local.artifactory.eng.tenable.com/tenb-cb:latest
+
+      - name: Run scan on terrascan image
+        run: |
+          image_tag=$(<dockerhub-image-label.txt)
+          docker run -e JKN_USERNAME=${{ secrets.JKN_USERNAME }} -e JKN_PASSWORD=${{ secrets.JKN_PASSWORD }} -t docker-terrascan-local.artifactory.eng.tenable.com/tenb-cb:latest jobs execute-job  --credential-mode env -n teams-deleng-terraform -p deleng-terraform/dockerhub-publish -d "{\"APPID\":\"2054\", \"IMAGE\":\"docker-terrascan-local.artifactory.eng.tenable.com/terrascan:${image_tag}\", \"TARGETS\": \"tenable/terrascan:${image_tag},tenable/terrascan:latest\", \"MULTIARCH\":\"true\"}" --cloudflare-access-secret ${{ secrets.CF_ACCESS_TOKEN }}:${{ secrets.CF_SECRET }}
 
-    - name: Build terrascan_atlantis docker image
-      run: make atlantis-docker-build
+      - name: Build terrascan_atlantis docker image
+        run: make atlantis-docker-build
 
-    - name: Push terrascan_atlantis latest tag docker image
-      run: make atlantis-docker-push-latest-tag
+      - name: Run scan on terrascan_atlantis image 
+        run: |
+          image_tag=$(<dockerhub-image-label.txt)
+          docker run -e JKN_USERNAME=${{ secrets.JKN_USERNAME }} -e JKN_PASSWORD=${{ secrets.JKN_PASSWORD }} -t docker-terrascan-local.artifactory.eng.tenable.com/tenb-cb:latest jobs execute-job  --credential-mode env -n teams-deleng-terraform -p deleng-terraform/dockerhub-publish -d "{\"APPID\":\"test\", \"IMAGE\":\"docker-terrascan-local.artifactory.eng.tenable.com/terrascan_atlantis:${image_tag}\", \"TARGETS\": \"tenable/terrascan_atlantis:${image_tag}\", \"MULTIARCH\":\"true\"}" --cloudflare-access-secret ${{ secrets.CF_ACCESS_TOKEN }}:${{ secrets.CF_SECRET }}

.goreleaser.yml

@@ -14,13 +14,32 @@ builds:
       - windows
       - darwin
     main: ./cmd/terrascan/main.go
+    ldflags:
+      - -s -w -X google.golang.org/protobuf/reflect/protoregistry.conflictPolicy=ignore
+    ignore:
+      - goos: windows
+        goarch: arm64
 archives:
-  - replacements:
-      darwin: Darwin
-      linux: Linux
-      windows: Windows
-      386: i386
-      amd64: x86_64
+  - id: format_all_build_names
+    name_template: >-
+      {{ .Binary }}_
+      {{- trimprefix .Version  "." }}_
+      {{- title .Os }}_
+      {{- if eq .Arch "amd64" }}x86_64
+      {{- else if eq .Arch "386" }}i386
+      {{- else }}{{ .Arch }}{{ end }} 
+  # for windows it is good to have zip along with tar.gz    
+  - id: win_zip
+    name_template: >-
+      {{ .Binary }}_
+      {{- trimprefix .Version  "." }}_
+      {{- title .Os }}_
+      {{- if eq .Arch "amd64" }}x86_64
+      {{- else if eq .Arch "386" }}i386
+      {{- else }}{{ .Arch }}{{ end }}
+    format_overrides:
+      - goos: windows
+        format: zip
 checksum:
   name_template: 'checksums.txt'
 snapshot: