From 3414b76fceeed45b2d9b4cd56d0040357b126390 Mon Sep 17 00:00:00 2001
From: Claire Labry
Date: Thu, 16 Dec 2021 11:49:22 -0500
Subject: [PATCH] enabling security scan for CRT

---
 .github/workflows/build.yml |  4 +++-
 .release/ci.hcl             | 38 ++++++++++++++++++++++++++++++-------
 .release/security-scan.hcl  | 13 +++++++++++++
 3 files changed, 47 insertions(+), 8 deletions(-)
 create mode 100644 .release/security-scan.hcl

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 754a8fcaa..8a5eeb035 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -3,7 +3,9 @@ name: build
 on:
   push:
     # Sequence of patterns matched against refs/heads
-    branches: [ main ]
+    branches:
+      - enable-security-scan
+      # [ main ]
 
 env:
   PKG_NAME: consul
diff --git a/.release/ci.hcl b/.release/ci.hcl
index b248590b8..cb3ba08d5 100644
--- a/.release/ci.hcl
+++ b/.release/ci.hcl
@@ -4,17 +4,13 @@ project "consul" {
   team = "consul core"
   slack {
     # feed-consul-ci
-    notification_channel = "C9KPKPKRN"
+    notification_channel = "C01A3A54G0L"
   }
   github {
     organization = "hashicorp"
     repository = "consul"
     release_branches = [
-      "main",
-      "release/1.8.x",
-      "release/1.9.x",
-      "release/1.10.x",
-      "release/1.11.x"
+      "enable-security-scan"
     ]
   }
 }
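Review bot: The push trigger now fires only for `enable-security-scan`, with `main` left behind as a comment, so merging this hunk as-is would stop the build workflow running on main; the first .release/ci.hcl hunk does the same to `release_branches`, replacing `main` and the `release/1.8.x`–`release/1.11.x` entries with the feature branch, and also swaps the Slack `notification_channel`. If these are scaffolding for exercising the new scan events on a feature branch, restore `branches: [ main ]` here and the original `release_branches` list before merge. If the channel change is meant to stay, the `# feed-consul-ci` comment above it should be checked against the new channel so it does not become misleading.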
@@ -42,8 +38,36 @@ event "upload-dev" {
   }
 }
 
-event "notarize-darwin-amd64" {
+event "security-scan-binaries" {
   depends = ["upload-dev"]
+  action "security-scan-binaries" {
+    organization = "hashicorp"
+    repository = "crt-workflows-common"
+    workflow = "security-scan-binaries"
+    config = "security-scan.hcl"
+  }
+
+  notification {
+    on = "fail"
+  }
+}
+
+event "security-scan-containers" {
+  depends = ["security-scan-binaries"]
+  action "security-scan-containers" {
+    organization = "hashicorp"
+    repository = "crt-workflows-common"
+    workflow = "security-scan-containers"
+    config = "security-scan.hcl"
+  }
+
+  notification {
+    on = "fail"
+  }
+}
+
+event "notarize-darwin-amd64" {
+  depends = ["security-scan-containers"]
   action "notarize-darwin-amd64" {
     organization = "hashicorp"
     repository = "crt-workflows-common"
diff --git a/.release/security-scan.hcl b/.release/security-scan.hcl
new file mode 100644
index 000000000..3fd4ef388
--- /dev/null
+++ b/.release/security-scan.hcl
@@ -0,0 +1,13 @@
+container {
+  dependencies = true
+  alpine_secdb = true
+  secrets = true
+}
+
+binary {
+  secrets = true
+  go_modules = true
+  osv = true
+  oss_index = true
+  nvd = true
+}
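Review bot: `security-scan-containers` is chained behind `security-scan-binaries` rather than beside it, yet nothing in the hunk shows the container scan consuming output of the binary scan; if the two are independent, giving both `depends = ["upload-dev"]` would let them run in parallel and shorten the path to `notarize-darwin-amd64`. Rewiring notarization to depend on `security-scan-containers` turns the scans into a gate, but that intent is only implicit; a comment on the `notarize-darwin-amd64` event such as `# Notarization waits on both security scans so unscanned artifacts are never signed.` would make it visible, and it is worth confirming that a failed scan actually halts its dependents rather than only emitting the `on = "fail"` notification. The enclosing hunk starts inside the `upload-dev` event and ends inside the `notarize-darwin-amd64` action block.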
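Review bot: The new config carries no comment saying what consumes it, so a reader cannot tell from the file alone that the `container` and `binary` blocks correspond to the `security-scan-containers` and `security-scan-binaries` workflows that .release/ci.hcl points at this file via `config = "security-scan.hcl"`. A header such as `# Consumed by the crt-workflows-common security-scan-* workflows (see .release/ci.hcl).` would tie the two files together. The binary block enables `osv`, `oss_index` and `nvd` while the container block enables only `dependencies`, `alpine_secdb` and `secrets`; if that asymmetry is deliberate, a one-line comment on the `container` block saying why would keep it from being "fixed" later.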