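---
name: Security Scan

# cancel existing runs of the same workflow on the same ref
concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.ref }}
  cancel-in-progress: true

on:
  push:
    branches: [main]
  pull_request:
    branches:
      - 'main'
      - 'release/**'
      - 'ce/**'

# Start the workflow token with no scopes; the scan job declares exactly the
# scopes it needs below, so any job added later must do the same explicitly.
permissions: {}

jobs:
  scan:
    runs-on: ${{ github.repository == 'hashicorp/vault' && 'ubuntu-latest' || fromJSON('["self-hosted","ubuntu-22.04-x64","xlarge"]') }}
    # The first check ensures this doesn't run on community-contributed PRs, who won't have the
    # permissions to run this job.
    if: |
      ! github.event.pull_request.head.repo.fork &&
      github.actor != 'dependabot[bot]' &&
      github.actor != 'hc-github-team-secure-vault-core'
    permissions:
      actions: read
      contents: read
      security-events: write  # required by the Upload SARIF step
    steps:
      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0

      - name: Set up Go
        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          cache: false # save cache space for vault builds: https://github.com/hashicorp/vault/pull/21764
          go-version: 'stable'

      - name: Set up Python
        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
        with:
          # quoted so no YAML loader can ever read a version as a number
          python-version: '3.x'

      - name: Set up Security Scanner
        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          repository: hashicorp/security-scanner
          token: ${{ secrets.PRODSEC_SCANNER_READ_ONLY }}
          path: security-scanner
          # NOTE(review): 'main' is a mutable ref, unlike the SHA-pinned actions
          # above, so the scanner code executed by the Scan step can change
          # between runs without a change to this workflow.
          ref: main

      - name: Install Security Scanner Semgrep Plugin Dependency
        shell: bash
        run: |
          python3 -m pip install semgrep==1.45.0

      - name: Scan
        id: scan
        uses: ./security-scanner
        with:
          repository: "$PWD"
          plugins: "codeql semgrep"

      - name: Read SARIF
        shell: bash
        # Hand the step output to the shell through the environment instead of
        # expanding the expression inside the script: an expanded value is
        # spliced into the command text, whereas a quoted env var is only data.
        env:
          SARIF_FILE: ${{ steps.scan.outputs.sarif-file-path }}
        run: |
          cat "$SARIF_FILE"

      - name: Upload SARIF
        uses: github/codeql-action/upload-sarif@3096afedf9873361b2b2f65e1445b13272c83eb8 # TSCCR: could not find entry for github/codeql-action/upload-sarif
        with:
          sarif_file: ${{ steps.scan.outputs.sarif-file-path }}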