90 lines
2.9 KiB
YAML
90 lines
2.9 KiB
YAML
name: Security Scan
|
|
|
|
on:
|
|
pull_request:
|
|
branches: [main]
|
|
|
|
jobs:
|
|
scan:
|
|
runs-on:
|
|
labels: custom-linux-xl
|
|
if: ${{ github.actor != 'dependabot[bot]' }}
|
|
steps:
|
|
- uses: actions/checkout@v3
|
|
|
|
- name: Set up Go
|
|
uses: actions/setup-go@v3
|
|
with:
|
|
go-version: 1.18
|
|
|
|
- name: Set up Python
|
|
uses: actions/setup-python@v4
|
|
with:
|
|
python-version: 3.x
|
|
|
|
- name: Clone Security Scanner repo
|
|
uses: actions/checkout@v3
|
|
with:
|
|
repository: hashicorp/security-scanner
|
|
token: ${{ secrets.HASHIBOT_PRODSEC_GITHUB_TOKEN }}
|
|
path: security-scanner
|
|
ref: 2526c196a28bb367b1ac6c997ff48e9ebf06834f
|
|
|
|
- name: Install dependencies
|
|
shell: bash
|
|
env:
|
|
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
run: |
|
|
mkdir $HOME/.bin
|
|
cd $GITHUB_WORKSPACE/security-scanner/pkg/sdk/examples/scan-plugin-semgrep
|
|
go build -o scan-plugin-semgrep .
|
|
mv scan-plugin-semgrep $HOME/.bin
|
|
|
|
cd $GITHUB_WORKSPACE/security-scanner/pkg/sdk/examples/scan-plugin-codeql
|
|
go build -o scan-plugin-codeql .
|
|
mv scan-plugin-codeql $HOME/.bin
|
|
|
|
# Semgrep
|
|
python3 -m pip install semgrep
|
|
|
|
# CodeQL
|
|
LATEST=$(gh release list --repo https://github.com/github/codeql-action | cut -f 3 | sort --version-sort | tail -n1)
|
|
gh release download --repo https://github.com/github/codeql-action --pattern codeql-bundle-linux64.tar.gz "$LATEST"
|
|
tar xf codeql-bundle-linux64.tar.gz -C $HOME/.bin
|
|
|
|
# Add to PATH
|
|
echo "$HOME/.bin" >> $GITHUB_PATH
|
|
echo "$HOME/.bin/codeql" >> $GITHUB_PATH
|
|
|
|
- name: Scan
|
|
id: scan
|
|
uses: ./security-scanner
|
|
# env:
|
|
# Note: this _should_ work, but causes some issues with Semgrep.
|
|
# Instead, rely on filtering in the SARIF Output step.
|
|
#SEMGREP_BASELINE_REF: ${{ github.base_ref }}
|
|
with:
|
|
repository: "$PWD"
|
|
|
|
- name: SARIF Output
|
|
shell: bash
|
|
env:
|
|
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
run: |
|
|
git fetch
|
|
CHANGED_FILES_JSON="$(git diff origin/${{ github.base_ref }} --name-only | jq -R '[.]' | jq -nc '[inputs|.[]] | flatten')"
|
|
cat results.sarif | \
|
|
jq 'del(.runs[]?.results[]?
|
|
| select([.locations[]?.physicalLocation?.artifactLocation?.uri?]
|
|
| inside('$CHANGED_FILES_JSON')
|
|
| not))
|
|
' > file-filtered.sarif
|
|
cat file-filtered.sarif | jq 'del(.runs[]?.results[]? | select(has("suppressions")))' > suppression-filtered.sarif
|
|
cat suppression-filtered.sarif | jq '(.runs[]?.results? | select(. | length == 0)) = []' > results.sarif
|
|
cat results.sarif
|
|
|
|
- name: Upload SARIF file
|
|
uses: github/codeql-action/upload-sarif@v2
|
|
with:
|
|
sarif_file: results.sarif
|