PSP-256 - Add security-scanner tool (#17988)

Add security-scanner tool and github workflow

.github/workflows/security-scan.yml

@@ -0,0 +1,88 @@
+name: Security Scan
+
+on:
+  pull_request:
+    branches: [main]
+
+jobs:
+  scan:
+    runs-on:
+      labels: custom-linux-xl
+    if: ${{ github.actor != 'dependabot[bot]' }}
+    steps:
+    - uses: actions/checkout@v3
+
+    - name: Set up Go
+      uses: actions/setup-go@v3
+      with:
+        go-version: 1.18
+
+    - name: Set up Python
+      uses: actions/setup-python@v4
+      with:
+        python-version: 3.x
+
+    - name: Clone Security Scanner repo
+      uses: actions/checkout@v3
+      with:
+        repository: hashicorp/security-scanner
+        token: ${{ secrets.HASHIBOT_PRODSEC_GITHUB_TOKEN }}
+        path: security-scanner
+
+    - name: Install dependencies
+      shell: bash
+      env:
+        GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      run: |
+        mkdir $HOME/.bin
+        cd $GITHUB_WORKSPACE/security-scanner/pkg/sdk/examples/scan-plugin-semgrep
+        go build -o scan-plugin-semgrep .
+        mv scan-plugin-semgrep $HOME/.bin
+        
+        cd $GITHUB_WORKSPACE/security-scanner/pkg/sdk/examples/scan-plugin-codeql
+        go build -o scan-plugin-codeql .
+        mv scan-plugin-codeql $HOME/.bin
+        
+        # Semgrep
+        python3 -m pip install semgrep
+        
+        # CodeQL
+        LATEST=$(gh release list --repo https://github.com/github/codeql-action | cut -f 3 | sort --version-sort | tail -n1)
+        gh release download --repo https://github.com/github/codeql-action --pattern codeql-bundle-linux64.tar.gz "$LATEST"
+        tar xf codeql-bundle-linux64.tar.gz -C $HOME/.bin
+        
+        # Add to PATH
+        echo "$HOME/.bin" >> $GITHUB_PATH
+        echo "$HOME/.bin/codeql" >> $GITHUB_PATH
+
+    - name: Scan
+      id: scan
+      uses: ./security-scanner
+      # env:
+        # Note: this _should_ work, but causes some issues with Semgrep.
+        # Instead, rely on filtering in the SARIF Output step.
+        #SEMGREP_BASELINE_REF: ${{ github.base_ref }}
+      with:
+        repository: "$PWD"
+
+    - name: SARIF Output
+      shell: bash
+      env:
+        GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      run: |
+        git fetch
+        CHANGED_FILES_JSON="$(git diff origin/${{ github.base_ref }} --name-only | jq -R '[.]' | jq -nc '[inputs|.[]] | flatten')"
+        cat results.sarif | \
+          jq 'del(.runs[]?.results[]?
+                  | select([.locations[]?.physicalLocation?.artifactLocation?.uri?]
+                           | inside('$CHANGED_FILES_JSON')
+                           | not))
+              ' > file-filtered.sarif
+        cat file-filtered.sarif | jq 'del(.runs[]?.results[]? | select(has("suppressions")))' > suppression-filtered.sarif
+        cat suppression-filtered.sarif | jq '(.runs[]?.results? | select(. | length == 0)) = []' > results.sarif
+        cat results.sarif
+
+    - name: Upload SARIF file
+      uses: github/codeql-action/upload-sarif@v2
+      with:
+        sarif_file: results.sarif

scan.hcl

@@ -0,0 +1,21 @@
+repository {
+  go_modules = true
+  osv = true
+  secrets {
+    all = true
+  } 
+  dependabot {
+    required = true
+    check_config = true
+  }
+  
+  plugin "semgrep" {
+    use_git_ignore = true
+    exclude = ["vendor"]
+    config = ["tools/semgrep/ci", "p/r2c-security-audit"]
+  }
+  
+  plugin "codeql" {
+    languages = ["go"]
+  }
+}

tools/semgrep/ci/no-nil-check.yml

@@ -62,7 +62,7 @@ rules:
     severity: ERROR
 
 # NamespaceByID 
-  - id: nil-check-physical-storage
+  - id: nil-check-physical-storage-by-nsid
     patterns:
       - pattern-either:
           - pattern: |

tools/semgrep/ci/return-nil.yml

@@ -1,5 +1,5 @@
 rules:
-  - id: return-nil
+  - id: hc-return-nil
     patterns:
       - pattern-either:
           - pattern: |