From 7b75d8a257f73f45ca605e30d8771124bbf41e2c Mon Sep 17 00:00:00 2001
From: milkrage
Date: Thu, 27 Jun 2024 18:11:31 +0300
Subject: [PATCH] Add Security Scanners
---
 .github/workflows/golangci-lint.yml | 24 ------
 .github/workflows/secure.yml | 73 +++++++++++++++++++
 .github/workflows/unit-tests.yml | 24 ------
 .github/workflows/verify.yml | 34 +++++++++
 .semgrepignore | 1 +
 selectel/dbaas.go | 2 +
 ..._selectel_secretsmanager_certificate_v1.go | 1 +
 selectel/secretsmanager.go | 4 +-
 8 files changed, 113 insertions(+), 50 deletions(-)
 delete mode 100644 .github/workflows/golangci-lint.yml
 create mode 100644 .github/workflows/secure.yml
 delete mode 100644 .github/workflows/unit-tests.yml
 create mode 100644 .github/workflows/verify.yml
 create mode 100644 .semgrepignore
diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml
deleted file mode 100644
index 4ff26a4a..00000000
--- a/.github/workflows/golangci-lint.yml
+++ /dev/null
@@ -1,24 +0,0 @@
-name: Golangci-lint
-on:
- push:
- branches:
- - master
- pull_request:
-
-jobs:
- golangci-lint:
- name: lint
- runs-on: ubuntu-latest
- steps:
- - name: Checkout
- uses: actions/checkout@v3
-
- - name: Set up Go
- uses: actions/setup-go@v5
- with:
- go-version: '1.21'
-
- - name: golangci-lint
- uses: golangci/golangci-lint-action@v3
- with:
- version: v1.56.2
diff --git a/.github/workflows/secure.yml b/.github/workflows/secure.yml
new file mode 100644
index 00000000..93059887
--- /dev/null
+++ b/.github/workflows/secure.yml
@@ -0,0 +1,73 @@
+name: Secure
+
+on: push
+
+jobs:
+ # Sample GitHub Actions:
+ # https://semgrep.dev/docs/semgrep-ci/sample-ci-configs#sample-github-actions-configuration-file
+ #
+ # CLI Reference:
+ # https://semgrep.dev/docs/cli-reference
+ semgrep:
+ runs-on: ubuntu-24.04
+ container:
+ image: semgrep/semgrep
+ permissions:
+ contents: read
+ security-events: write
+ steps:
+ - uses: actions/checkout@v4
+ - run: semgrep scan --sarif --output=semgrep.sarif --error --severity=WARNING
+ env:
+ SEMGREP_RULES: >-
+ p/command-injection
+ p/comment
+ p/cwe-top-25
+ p/default
+ p/gitlab
+ p/gitleaks
+ p/golang
+ p/gosec
+ p/insecure-transport
+ p/owasp-top-ten
+ p/r2c-best-practices
+ p/r2c-bug-scan
+ p/r2c-security-audit
+ p/secrets
+ p/security-audit
+ p/sql-injection
+ p/xss
+ - uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: semgrep.sarif
+ if: always()
+
+ # Samples GitHub Actions:
+ # https://github.com/aquasecurity/trivy-action
+ trivy:
+ runs-on: ubuntu-24.04
+ permissions:
+ contents: read
+ security-events: write
+ steps:
+ - uses: actions/checkout@v4
+ - uses: aquasecurity/trivy-action@master
+ with:
+ scan-type: fs
+ format: sarif
+ output: trivy.sarif
+ exit-code: 1
+ severity: MEDIUM,CRITICAL,HIGH
+ - uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: trivy.sarif
+ if: always()
+
+ # Samples GitHub Actions:
+ # https://github.com/golang/govulncheck-action
+ govulncheck:
+ runs-on: ubuntu-24.04
+ steps:
+ - uses: golang/govulncheck-action@v1
+ with:
+ go-version-file: go.mod
diff --git a/.github/workflows/unit-tests.yml b/.github/workflows/unit-tests.yml
deleted file mode 100644
index 7079236b..00000000
--- a/.github/workflows/unit-tests.yml
+++ /dev/null
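Review bot: `- uses: aquasecurity/trivy-action@master` in the trivy job pins a third-party action to a moving branch, inside a job that holds `security-events: write`, so whatever that branch points to on a given day is what runs with that token; pin it to a release tag or, preferably, a full commit SHA, e.g. `- uses: aquasecurity/trivy-action@<pinned-release-tag-or-commit-sha>`. The semgrep job's `image: semgrep/semgrep` has the same property — an untagged image resolves to the latest build on every run — so pin a version tag or digest there too for reproducible scans. The govulncheck job is the only one without a `permissions:` block and therefore inherits the repository's default token scope; add `permissions:` with `contents: read` as the other two jobs do.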
@@ -1,24 +0,0 @@
-name: Unit Tests
-on:
- push:
- branches:
- - master
- pull_request:
-
-jobs:
- unit-test:
- runs-on: ubuntu-latest
- strategy:
- fail-fast: false
-
- steps:
- - name: Checkout
- uses: actions/checkout@v3
-
- - name: Set up Go
- uses: actions/setup-go@v5
- with:
- go-version: '1.21'
-
- - name: Run test
- run: make test
diff --git a/.github/workflows/verify.yml b/.github/workflows/verify.yml
new file mode 100644
index 00000000..97da0b9d
--- /dev/null
+++ b/.github/workflows/verify.yml
@@ -0,0 +1,34 @@
+name: Verify
+
+on: push
+
+jobs:
+ tests:
+ runs-on: ubuntu-24.04
+ steps:
+ - uses: actions/checkout@v4
+ - uses: actions/setup-go@v5
+ with:
+ go-version: '1.21'
+ - run: make test
+
+ golangci-lint:
+ runs-on: ubuntu-24.04
+ steps:
+ - uses: actions/checkout@v4
+ - uses: actions/setup-go@v5
+ with:
+ go-version: '1.21'
+ - uses: golangci/golangci-lint-action@v6
+ with:
+ version: v1.56.2
+
+ tidy:
+ runs-on: ubuntu-24.04
+ steps:
+ - uses: actions/checkout@v4
+ - uses: actions/setup-go@v5
+ with:
+ go-version: '1.21'
+ - run: go mod tidy -v
+ - run: git diff --exit-code
diff --git a/.semgrepignore b/.semgrepignore
new file mode 100644
index 00000000..0fbb4489
--- /dev/null
+++ b/.semgrepignore
@@ -0,0 +1 @@
+website/
diff --git a/selectel/dbaas.go b/selectel/dbaas.go
index cdd6f14b..76eaeb49 100644
--- a/selectel/dbaas.go
+++ b/selectel/dbaas.go
@@ -58,6 +58,7 @@ func getDBaaSClient(d *schema.ResourceData, meta interface{}) (*dbaas.API, diag.
 }
 func stringChecksum(s string) (string, error) {
+ // nosemgrep-next-line: go.lang.security.audit.crypto.use_of_weak_crypto.use-of-md5
 h := md5.New() // #nosec
 _, err := h.Write([]byte(s))
 if err != nil {
@@ -96,6 +97,7 @@ func convertFieldToStringByType(field interface{}) string {
 }
 func RandomWithPrefix(name string) string {
+ // nosemgrep-next-line: go.lang.security.audit.crypto.math_random.math-random-used
 return fmt.Sprintf("%s_%d", name, rand.New(rand.NewSource(time.Now().UnixNano())).Int())
 }
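Review bot: None of the three jobs in verify.yml declares `permissions:`, so `make test`, golangci-lint and `go mod tidy` all run with the repository's default `GITHUB_TOKEN` scope although they only read the checkout; add a workflow-level `permissions:` block with `contents: read`, matching what secure.yml in this commit does per job. Separately, the deleted golangci-lint.yml and unit-tests.yml ran on `pull_request:` as well as on pushes to master, while the replacement is `on: push` only; pushes to a fork do not trigger the base repository's workflows, so a pull request from a fork will no longer be linted or tested before merge unless the trigger becomes e.g. `on: [push, pull_request]`. Pinning `golangci/golangci-lint-action@v6` and `actions/setup-go@v5` to major tags is acceptable, though a commit SHA would make the lint step reproducible as well.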
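Review bot: The added `// nosemgrep-next-line: go.lang.security.audit.crypto.use_of_weak_crypto.use-of-md5` in stringChecksum suppresses the finding without recording why MD5 is acceptable, so every future audit has to re-establish that; state the reason in the same comment, e.g. `// nosemgrep-next-line: go.lang.security.audit.crypto.use_of_weak_crypto.use-of-md5 -- <why a non-cryptographic digest is sufficient here>` (presumably the value is only a change-detection fingerprint, not a security control — confirm against the callers, which are outside this hunk). The same applies to the `math-random-used` suppression added to RandomWithPrefix in the second hunk of this file, which should note that the number is not used for anything security-sensitive if that is the case. stringChecksum's body continues past the hunk.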
diff --git a/selectel/resourse_selectel_secretsmanager_certificate_v1.go b/selectel/resourse_selectel_secretsmanager_certificate_v1.go
index ccd45e03..f7f4f92a 100644
--- a/selectel/resourse_selectel_secretsmanager_certificate_v1.go
+++ b/selectel/resourse_selectel_secretsmanager_certificate_v1.go
@@ -38,6 +38,7 @@ func resourceSecretsManagerCertificateV1() *schema.Resource {
 Required: true,
 },
 "private_key": {
+ // trivy:ignore:private-key
 Description: "that should start with -----BEGIN PRIVATE KEY----- and end with -----END PRIVATE KEY-----",
 Type: schema.TypeString,
 Required: true,
diff --git a/selectel/secretsmanager.go b/selectel/secretsmanager.go
index ef38793a..6caa4642 100644
--- a/selectel/secretsmanager.go
+++ b/selectel/secretsmanager.go
@@ -18,12 +18,12 @@ func getSecretsManagerClient(d *schema.ResourceData, meta interface{}) (*secrets
 endpointSM, err := selvpcClient.Catalog.GetEndpoint(SecretsManager, config.AuthRegion)
 if err != nil {
- return nil, diag.FromErr(fmt.Errorf("can't get %s endpoint to init secretsmanager client: %w, got %s", SecretsManager, err, endpointSM.URL))
+ return nil, diag.FromErr(fmt.Errorf("can't get %s endpoint to init secretsmanager client: %w", SecretsManager, err))
 }
 endpointCM, err := selvpcClient.Catalog.GetEndpoint(CertificateManager, config.AuthRegion)
 if err != nil {
- return nil, diag.FromErr(fmt.Errorf("can't get %s endpoint to init secretsmanager client: %w, got %s", CertificateManager, err, endpointCM.URL))
+ return nil, diag.FromErr(fmt.Errorf("can't get %s endpoint to init secretsmanager client: %w", CertificateManager, err))
 }
 cl, err := secretsmanager.New(
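Review bot: The new `// trivy:ignore:private-key` sits on its own line above the `Description:` string whose `-----BEGIN PRIVATE KEY-----` text is what the scanner matches; confirm that Trivy's inline ignore covers the following line rather than only the line carrying the comment, otherwise the finding will keep failing the secure workflow. If it applies to the comment's own line only, the marker belongs at the end of the `Description:` line itself, e.g. `Description: "that should start with -----BEGIN PRIVATE KEY----- and end with -----END PRIVATE KEY-----", // trivy:ignore:private-key`. The enclosing resourceSecretsManagerCertificateV1 schema literal starts and ends outside the hunk.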