- actions/cache -> v5.0.2: A bugfix around not retrying cache entries on 429s.
- actions/setup-go -> v6.2.0: NodeJS bump and internal actions/cache bump. We don't use the caching in setup-go, so this ought to have no impact for us.
- actions/setup-node -> v6.2.0: internal bump of actions/cache.
- pnpm/action-setup -> v4.2.0: Adds support for the .npmrc file.

Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
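name: Security Scan

# Runs the HashiCorp security scanner (CodeQL and Semgrep plugins) against the
# checked-out tree and uploads the resulting SARIF to GitHub code scanning.

# cancel existing runs of the same workflow on the same ref
concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.ref }}
  cancel-in-progress: true

# 'on' parses as a boolean under YAML 1.1 loaders; GitHub's loader reads it as the key.
on:
  push:
    branches:
      - 'main'
  pull_request:
    branches:
      - 'main'
      - 'release/**'
      - 'ce/**'

# NOTE(review): there is no explicit `permissions:` block, so the job runs with
# the repository's default GITHUB_TOKEN grants; the upload-sarif step needs
# `security-events: write` — confirm the defaults cover it.
jobs:
  scan:
    # Hosted runner in the canonical repository; a self-hosted Linux runner elsewhere.
    runs-on: ${{ github.repository == 'hashicorp/vault' && 'ubuntu-latest' || fromJSON('["self-hosted","ondemand","os=linux","type=c6a.4xlarge"]') }}
    # The first check ensures this doesn't run on community-contributed PRs, who won't have the
    # permissions to run this job.
    if: |
      ! github.event.pull_request.head.repo.fork &&
      github.actor != 'dependabot[bot]' &&
      github.actor != 'hc-github-team-secure-vault-core'
    steps:
      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

      - name: Set up Go
        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
        with:
          cache: false # save cache space for vault builds: https://github.com/hashicorp/vault/pull/21764
          go-version: 'stable'

      - name: Set up Python
        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
        with:
          # quoted so the value is unambiguously a string, matching go-version above
          python-version: '3.x'

      # Fetches the scanner from its own token-gated repository into ./security-scanner.
      - name: Set up Security Scanner
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          repository: hashicorp/security-scanner
          token: ${{ secrets.PRODSEC_SCANNER_READ_ONLY }}
          path: security-scanner
          # NOTE(review): floating ref — the scanner is not SHA-pinned the way the actions above are.
          ref: main

      - name: Install Security Scanner Semgrep Plugin Dependency
        shell: bash
        run: |
          python3 -m pip install semgrep==1.45.0

      - name: Scan
        id: scan
        uses: ./security-scanner
        with:
          repository: "$PWD"
          plugins: "codeql semgrep"

      # The output path is handed to the shell through an environment variable
      # instead of being expanded into the script text, so its contents are
      # never interpreted as shell syntax.
      - name: Read SARIF
        shell: bash
        env:
          SARIF_FILE: ${{ steps.scan.outputs.sarif-file-path }}
        run: |
          cat "$SARIF_FILE"

      - name: Upload SARIF
        # NOTE(review): SHA-pinned without a version comment — confirm the SHA maps to a released tag.
        uses: github/codeql-action/upload-sarif@3096afedf9873361b2b2f65e1445b13272c83eb8 # TSCCR: could not find entry for github/codeql-action/upload-sarif
        with:
          sarif_file: ${{ steps.scan.outputs.sarif-file-path }}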