diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml new file mode 100644 index 000000000..67caa6277 --- /dev/null +++ b/.github/workflows/security-scan.yml @@ -0,0 +1,88 @@ +name: Security Scan + +on: + pull_request: + branches: [main] + +jobs: + scan: + runs-on: + labels: custom-linux-xl + if: ${{ github.actor != 'dependabot[bot]' }} + steps: + - uses: actions/checkout@v3 + + - name: Set up Go + uses: actions/setup-go@v3 + with: + go-version: 1.18 + + - name: Set up Python + uses: actions/setup-python@v4 + with: + python-version: 3.x + + - name: Clone Security Scanner repo + uses: actions/checkout@v3 + with: + repository: hashicorp/security-scanner + token: ${{ secrets.HASHIBOT_PRODSEC_GITHUB_TOKEN }} + path: security-scanner + + - name: Install dependencies + shell: bash + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + mkdir $HOME/.bin + cd $GITHUB_WORKSPACE/security-scanner/pkg/sdk/examples/scan-plugin-semgrep + go build -o scan-plugin-semgrep . + mv scan-plugin-semgrep $HOME/.bin + + cd $GITHUB_WORKSPACE/security-scanner/pkg/sdk/examples/scan-plugin-codeql + go build -o scan-plugin-codeql . + mv scan-plugin-codeql $HOME/.bin + + # Semgrep + python3 -m pip install semgrep + + # CodeQL + LATEST=$(gh release list --repo https://github.com/github/codeql-action | cut -f 3 | sort --version-sort | tail -n1) + gh release download --repo https://github.com/github/codeql-action --pattern codeql-bundle-linux64.tar.gz "$LATEST" + tar xf codeql-bundle-linux64.tar.gz -C $HOME/.bin + + # Add to PATH + echo "$HOME/.bin" >> $GITHUB_PATH + echo "$HOME/.bin/codeql" >> $GITHUB_PATH + + - name: Scan + id: scan + uses: ./security-scanner + # env: + # Note: this _should_ work, but causes some issues with Semgrep. + # Instead, rely on filtering in the SARIF Output step. + #SEMGREP_BASELINE_REF: ${{ github.base_ref }} + with: + repository: "$PWD" + + - name: SARIF Output + shell: bash + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + git fetch + CHANGED_FILES_JSON="$(git diff origin/${{ github.base_ref }} --name-only | jq -R '[.]' | jq -nc '[inputs|.[]] | flatten')" + cat results.sarif | \ + jq 'del(.runs[]?.results[]? + | select([.locations[]?.physicalLocation?.artifactLocation?.uri?] + | inside('$CHANGED_FILES_JSON') + | not)) + ' > file-filtered.sarif + cat file-filtered.sarif | jq 'del(.runs[]?.results[]? | select(has("suppressions")))' > suppression-filtered.sarif + cat suppression-filtered.sarif | jq '(.runs[]?.results? | select(. | length == 0)) = []' > results.sarif + cat results.sarif + + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: results.sarif diff --git a/scan.hcl b/scan.hcl new file mode 100644 index 000000000..720f02c40 --- /dev/null +++ b/scan.hcl @@ -0,0 +1,21 @@ +repository { + go_modules = true + osv = true + secrets { + all = true + } + dependabot { + required = true + check_config = true + } + + plugin "semgrep" { + use_git_ignore = true + exclude = ["vendor"] + config = ["tools/semgrep/ci", "p/r2c-security-audit"] + } + + plugin "codeql" { + languages = ["go"] + } +} \ No newline at end of file diff --git a/tools/semgrep/ci/no-nil-check.yml b/tools/semgrep/ci/no-nil-check.yml index 8697c08ce..c39bbb542 100644 --- a/tools/semgrep/ci/no-nil-check.yml +++ b/tools/semgrep/ci/no-nil-check.yml @@ -62,7 +62,7 @@ rules: severity: ERROR # NamespaceByID - - id: nil-check-physical-storage + - id: nil-check-physical-storage-by-nsid patterns: - pattern-either: - pattern: | diff --git a/tools/semgrep/ci/return-nil.yml b/tools/semgrep/ci/return-nil.yml index aa3975647..18910c4a5 100644 --- a/tools/semgrep/ci/return-nil.yml +++ b/tools/semgrep/ci/return-nil.yml @@ -1,5 +1,5 @@ rules: - - id: return-nil + - id: hc-return-nil patterns: - pattern-either: - pattern: |