name: Security Scan on: push: branches: [main] pull_request: branches: - 'main' - '!oss-merge-main*' jobs: scan: runs-on: ['linux', 'large'] if: ${{ github.actor != 'dependabot[bot]' || github.actor != 'hc-github-team-secure-vault-core' }} steps: - uses: actions/checkout@v3 - name: Set up Go uses: actions/setup-go@v3 with: go-version: 1.18 - name: Set up Python uses: actions/setup-python@v4 with: python-version: 3.x - name: Clone Security Scanner repo uses: actions/checkout@v3 with: repository: hashicorp/security-scanner token: ${{ secrets.HASHIBOT_PRODSEC_GITHUB_TOKEN }} path: security-scanner ref: 2526c196a28bb367b1ac6c997ff48e9ebf06834f - name: Install dependencies shell: bash env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | mkdir "$HOME/.bin" cd "$GITHUB_WORKSPACE/security-scanner/pkg/sdk/examples/scan-plugin-semgrep" go build -o scan-plugin-semgrep . mv scan-plugin-semgrep "$HOME/.bin" cd "$GITHUB_WORKSPACE/security-scanner/pkg/sdk/examples/scan-plugin-codeql" go build -o scan-plugin-codeql . mv scan-plugin-codeql "$HOME/.bin" # Semgrep python3 -m pip install semgrep # CodeQL LATEST=$(gh release list --repo https://github.com/github/codeql-action | cut -f 3 | sort --version-sort | tail -n1) gh release download --repo https://github.com/github/codeql-action --pattern codeql-bundle-linux64.tar.gz "$LATEST" tar xf codeql-bundle-linux64.tar.gz -C "$HOME/.bin" # Add to PATH echo "$HOME/.bin" >> "$GITHUB_PATH" echo "$HOME/.bin/codeql" >> "$GITHUB_PATH" - name: Scan id: scan uses: ./security-scanner # env: # Note: this _should_ work, but causes some issues with Semgrep. # Instead, rely on filtering in the SARIF Output step. #SEMGREP_BASELINE_REF: ${{ github.base_ref }} with: repository: "$PWD" - name: SARIF Output shell: bash env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | cat results.sarif - name: Upload SARIF file uses: github/codeql-action/upload-sarif@v2 with: sarif_file: results.sarif