Skip to content

Commit

Permalink
Add Security Scanners
Browse files Browse the repository at this point in the history
  • Loading branch information
milkrage committed Jun 27, 2024
1 parent 2958ae3 commit 367040a
Show file tree
Hide file tree
Showing 8 changed files with 117 additions and 52 deletions.
24 changes: 0 additions & 24 deletions .github/workflows/golangci-lint.yml

This file was deleted.

72 changes: 72 additions & 0 deletions .github/workflows/secure.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,72 @@
name: Secure

on: push

jobs:
# Sample GitHub Actions:
# https://semgrep.dev/docs/semgrep-ci/sample-ci-configs#sample-github-actions-configuration-file
#
# CLI Reference:
# https://semgrep.dev/docs/cli-reference
semgrep:
runs-on: ubuntu-24.04
container:
image: semgrep/semgrep
permissions:
contents: read
security-events: write
steps:
- uses: actions/checkout@v4
- run: semgrep scan --sarif --output=semgrep.sarif --error --severity=WARNING
env:
SEMGREP_RULES: >-
p/command-injection
p/comment
p/cwe-top-25
p/default
p/gitlab
p/gitleaks
p/golang
p/gosec
p/insecure-transport
p/owasp-top-ten
p/r2c-best-practices
p/r2c-bug-scan
p/r2c-security-audit
p/secrets
p/security-audit
p/sql-injection
p/xss
- uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: semgrep.sarif
if: always()

# Samples GitHub Actions:
# https://github.com/aquasecurity/trivy-action
trivy:
runs-on: ubuntu-24.04
container:
image: aquasec/trivy
volumes:
- /home/runner/work/terraform-provider-selectel/:/github/workspace
permissions:
contents: read
security-events: write
steps:
- uses: actions/checkout@v4
- run: cd /github/workspace
- run: trivy fs --format sarif -o trivy.sarif --exit-code 1 --severity MEDIUM,HIGH --ignorefile .trivyignore.yml .
- uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: trivy.sarif
if: always()

# Samples GitHub Actions:
# https://github.com/golang/govulncheck-action
govulncheck:
runs-on: ubuntu-24.04
steps:
- uses: golang/govulncheck-action@v1
with:
go-version-file: go.mod
24 changes: 0 additions & 24 deletions .github/workflows/unit-tests.yml

This file was deleted.

34 changes: 34 additions & 0 deletions .github/workflows/verify.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,34 @@
name: Verify

on: push

jobs:
tests:
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@v4
- uses: actions/setup-go@v5
with:
go-version: '1.21'
- run: make test

golangci-lint:
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@v4
- uses: actions/setup-go@v5
with:
go-version: '1.21'
- uses: golangci/golangci-lint-action@v6
with:
version: v1.56.2

tidy:
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@v4
- uses: actions/setup-go@v5
with:
go-version: '1.21'
- run: go mod tidy -v
- run: git diff --exit-code
1 change: 1 addition & 0 deletions .semgrepignore
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
website/
5 changes: 5 additions & 0 deletions .trivyignore.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
secrets:
- id: private-key
statement: false-positive in description field
paths:
- selectel/resourse_selectel_secretsmanager_certificate_v1.go
5 changes: 3 additions & 2 deletions selectel/dbaas.go
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@ import (
"fmt"
"log"
"math"
"math/rand"
"math/rand" // nosemgrep: go.lang.security.audit.crypto.math_random.math-random-used
"sort"
"strconv"
"strings"
Expand Down Expand Up @@ -58,7 +58,8 @@ func getDBaaSClient(d *schema.ResourceData, meta interface{}) (*dbaas.API, diag.
}

func stringChecksum(s string) (string, error) {
h := md5.New() // #nosec
// #nosec G401
h := md5.New() // nosemgrep: go.lang.security.audit.crypto.use_of_weak_crypto.use-of-md5
_, err := h.Write([]byte(s))
if err != nil {
return "", err
Expand Down
4 changes: 2 additions & 2 deletions selectel/secretsmanager.go
Original file line number Diff line number Diff line change
Expand Up @@ -18,12 +18,12 @@ func getSecretsManagerClient(d *schema.ResourceData, meta interface{}) (*secrets

endpointSM, err := selvpcClient.Catalog.GetEndpoint(SecretsManager, config.AuthRegion)
if err != nil {
return nil, diag.FromErr(fmt.Errorf("can't get %s endpoint to init secretsmanager client: %w, got %s", SecretsManager, err, endpointSM.URL))
return nil, diag.FromErr(fmt.Errorf("can't get %s endpoint to init secretsmanager client: %w", SecretsManager, err))
}

endpointCM, err := selvpcClient.Catalog.GetEndpoint(CertificateManager, config.AuthRegion)
if err != nil {
return nil, diag.FromErr(fmt.Errorf("can't get %s endpoint to init secretsmanager client: %w, got %s", CertificateManager, err, endpointCM.URL))
return nil, diag.FromErr(fmt.Errorf("can't get %s endpoint to init secretsmanager client: %w", CertificateManager, err))
}

cl, err := secretsmanager.New(
Expand Down

0 comments on commit 367040a

Please sign in to comment.