Add Security Scanners
milkrage committed Jun 27, 2024
1 parent 2958ae3 commit 9335f49
Showing 8 changed files with 114 additions and 53 deletions.
24 changes: 0 additions & 24 deletions .github/workflows/golangci-lint.yml

This file was deleted.

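--- a/.github/workflows/secure.yml
+++ b/.github/workflows/secure.yml
@@ -0,0 +1,73 @@
+name: Secure
+
+on: push
+
+jobs:
+# Sample GitHub Actions:
+# https://semgrep.dev/docs/semgrep-ci/sample-ci-configs#sample-github-actions-configuration-file
+#
+# CLI Reference:
+# https://semgrep.dev/docs/cli-reference
+semgrep:
+runs-on: ubuntu-24.04
+container:
+image: semgrep/semgrep
+permissions:
+contents: read
+security-events: write
+steps:
+- uses: actions/checkout@v4
+- run: semgrep scan --sarif --output=semgrep.sarif --error --severity=WARNING
+env:
+SEMGREP_RULES: >-
+p/command-injection
+p/comment
+p/cwe-top-25
+p/default
+p/gitlab
+p/gitleaks
+p/golang
+p/gosec
+p/insecure-transport
+p/owasp-top-ten
+p/r2c-best-practices
+p/r2c-bug-scan
+p/r2c-security-audit
+p/secrets
+p/security-audit
+p/sql-injection
+p/xss
+- uses: github/codeql-action/upload-sarif@v3
+with:
+sarif_file: semgrep.sarif
+if: always()
+
+# Samples GitHub Actions:
+# https://github.com/aquasecurity/trivy-action
+trivy:
+runs-on: ubuntu-24.04
+permissions:
+contents: read
+security-events: write
+steps:
+- uses: actions/checkout@v4
+- uses: aquasecurity/trivy-action@master
+with:
+scan-type: fs
+format: sarif
+output: trivy.sarif
+exit-code: 1
+severity: MEDIUM,CRITICAL,HIGH
+- uses: github/codeql-action/upload-sarif@v3
+with:
+sarif_file: trivy.sarif
+if: always()
+
+# Samples GitHub Actions:
+# https://github.com/golang/govulncheck-action
+govulncheck:
+runs-on: ubuntu-24.04
+steps:
+- uses: golang/govulncheck-action@v1
+with:
+go-version-file: go.mod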
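Review bot: The trivy job's `- uses: aquasecurity/trivy-action@master` resolves to whatever the action's default branch holds at run time, so an upstream change (or compromise) silently changes the code that runs under this workflow's `security-events: write` token, while every other action in the file is pinned to a tag (`@v4`, `@v3`, `@v1`). Pin it to a release tag or, better, a full commit SHA, e.g. `- uses: aquasecurity/trivy-action@<release tag or 40-char commit SHA>` (placeholder; take the value from the action's releases page). The govulncheck job is also the only job without a `permissions:` block, so it runs with the repository's default token scope even though it only needs to read the checkout; adding `permissions:` / `contents: read` there keeps all three jobs at least privilege.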
24 changes: 0 additions & 24 deletions .github/workflows/unit-tests.yml

This file was deleted.

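--- a/.github/workflows/verify.yml
+++ b/.github/workflows/verify.yml
@@ -0,0 +1,34 @@
+name: Verify
+
+on: push
+
+jobs:
+tests:
+runs-on: ubuntu-24.04
+steps:
+- uses: actions/checkout@v4
+- uses: actions/setup-go@v5
+with:
+go-version: '1.21'
+- run: make test
+
+golangci-lint:
+runs-on: ubuntu-24.04
+steps:
+- uses: actions/checkout@v4
+- uses: actions/setup-go@v5
+with:
+go-version: '1.21'
+- uses: golangci/golangci-lint-action@v6
+with:
+version: v1.56.2
+
+tidy:
+runs-on: ubuntu-24.04
+steps:
+- uses: actions/checkout@v4
+- uses: actions/setup-go@v5
+with:
+go-version: '1.21'
+- run: go mod tidy -v
+- run: git diff --exit-code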
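Review bot: None of the three jobs (`tests`, `golangci-lint`, `tidy`) declares `permissions:`, so each runs with the repository's default `GITHUB_TOKEN` scope, whereas the semgrep and trivy jobs added in secure.yml in this same commit set `contents: read` explicitly; checkout, `make test`, the linter and `go mod tidy` need nothing more, so a two-line `permissions:` / `contents: read` at workflow level (or per job) brings these in line. A smaller consistency point: `go-version: '1.21'` is hard-coded in all three jobs while the govulncheck job in secure.yml derives the toolchain from the module via `go-version-file: go.mod`; using `go-version-file: go.mod` here as well keeps the tested and linted toolchain from drifting away from the version `go.mod` declares.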
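--- a/.semgrepignore
+++ b/.semgrepignore
@@ -0,0 +1 @@
+website/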
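Review bot: The `website/` entry removes that whole directory from every Semgrep ruleset the new secure.yml workflow runs, and neither the file nor the commit message records why. `.semgrepignore` accepts `#` comment lines, so state the reason in place, e.g. `# <why website/ is excluded from Semgrep — placeholder, fill in>` above the entry. If the directory holds only generated documentation the exclusion is harmless, but any hand-written templates or scripts under it would go unscanned, which is worth making explicit.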
5 changes: 3 additions & 2 deletions selectel/dbaas.go
Expand Up @@ -7,7 +7,7 @@ import (
"fmt"
"log"
"math"
"math/rand"
"math/rand" // nosemgrep: go.lang.security.audit.crypto.math_random.math-random-used

Check warning

Code scanning / Semgrep OSS

Semgrep Finding: go.lang.security.audit.crypto.math_random.math-random-used Warning

Do not use math/rand. Use crypto/rand instead.
"sort"
"strconv"
"strings"
Expand Down Expand Up @@ -58,7 +58,8 @@ func getDBaaSClient(d *schema.ResourceData, meta interface{}) (*dbaas.API, diag.
}

func stringChecksum(s string) (string, error) {
h := md5.New() // #nosec
// #nosec G401
h := md5.New() // nosemgrep: go.lang.security.audit.crypto.use_of_weak_crypto.use-of-md5

Check warning

Code scanning / Semgrep OSS

Semgrep Finding: go.lang.security.audit.crypto.use_of_weak_crypto.use-of-md5 Warning

Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.
_, err := h.Write([]byte(s))
if err != nil {
return "", err
Expand Down
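Review bot: The new suppressions — `// nosemgrep: ...math-random-used` on the `math/rand` import and `// #nosec G401` plus `// nosemgrep: ...use-of-md5` on `h := md5.New()` in `stringChecksum` — mute both scanners without recording why the finding is acceptable, so a later change that starts using the hash or the RNG for something security-sensitive would stay silenced. Put the justification in a comment line directly above each suppressed line, for example `// MD5 is used only as a non-cryptographic content checksum here (confirm against callers)` above the `#nosec` line and a similar note above the `math/rand` import; that form is honoured by both tools. The name `stringChecksum` suggests a non-cryptographic use, but the function body continues below the hunk, so that reading should be confirmed before the wording is committed.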
Expand Up @@ -38,7 +38,7 @@ func resourceSecretsManagerCertificateV1() *schema.Resource {
Required: true,
},
"private_key": {
Description: "that should start with -----BEGIN PRIVATE KEY----- and end with -----END PRIVATE KEY-----",
Description: "that should start with -----BEGIN PRIVATE KEY----- and end with -----END PRIVATE KEY-----", // trivy:ignore:private-key

Check failure

Code scanning / Trivy

Asymmetric Private Key High

Artifact: selectel/resourse_selectel_secretsmanager_certificate_v1.go
Type:
Secret Asymmetric Private Key
Severity: HIGH
Match: th -----BEGIN PRIVATE KEY-----**************-----END PRIVATE KEY
Type: schema.TypeString,
Required: true,
Sensitive: true,
Expand Down
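Review bot: The `// trivy:ignore:private-key` on the `Description:` line suppresses a finding that is likely to recur in the other secret scanners this commit enables (the `p/gitleaks` and `p/secrets` rulesets in secure.yml), because the string literal spells out the PEM markers `-----BEGIN PRIVATE KEY-----` / `-----END PRIVATE KEY-----` that those rules match on. Rewording the description so the markers are not written out removes the finding instead of masking it, e.g. `Description: "PEM-encoded private key (a PRIVATE KEY block)",`. That text is user-facing provider documentation, so keep the replacement readable for users. `resourceSecretsManagerCertificateV1` starts above the hunk and continues below it.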
4 changes: 2 additions & 2 deletions selectel/secretsmanager.go
Expand Up @@ -18,12 +18,12 @@ func getSecretsManagerClient(d *schema.ResourceData, meta interface{}) (*secrets

endpointSM, err := selvpcClient.Catalog.GetEndpoint(SecretsManager, config.AuthRegion)
if err != nil {
return nil, diag.FromErr(fmt.Errorf("can't get %s endpoint to init secretsmanager client: %w, got %s", SecretsManager, err, endpointSM.URL))
return nil, diag.FromErr(fmt.Errorf("can't get %s endpoint to init secretsmanager client: %w", SecretsManager, err))
}

endpointCM, err := selvpcClient.Catalog.GetEndpoint(CertificateManager, config.AuthRegion)
if err != nil {
return nil, diag.FromErr(fmt.Errorf("can't get %s endpoint to init secretsmanager client: %w, got %s", CertificateManager, err, endpointCM.URL))
return nil, diag.FromErr(fmt.Errorf("can't get %s endpoint to init secretsmanager client: %w", CertificateManager, err))
}

cl, err := secretsmanager.New(
Expand Down
