From b14b3265f44bfe5b8eb2f806e070a519f64a29fe Mon Sep 17 00:00:00 2001
From: milkrage <hello@milkrage.ru>
Date: Thu, 27 Jun 2024 18:11:31 +0300
Subject: [PATCH] Add Security Scanners

---
 .github/workflows/golangci-lint.yml | 24 ---------
 .github/workflows/secure.yml        | 75 +++++++++++++++++++++++++++++
 .github/workflows/unit-tests.yml    | 24 ---------
 .github/workflows/verify.yml        | 34 +++++++++++++
 .semgrepignore                      |  1 +
 .trivyignore.yml                    |  5 ++
 selectel/dbaas.go                   |  5 +-
 selectel/secretsmanager.go          |  4 +-
 8 files changed, 120 insertions(+), 52 deletions(-)
 delete mode 100644 .github/workflows/golangci-lint.yml
 create mode 100644 .github/workflows/secure.yml
 delete mode 100644 .github/workflows/unit-tests.yml
 create mode 100644 .github/workflows/verify.yml
 create mode 100644 .semgrepignore
 create mode 100644 .trivyignore.yml

diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml
deleted file mode 100644
index 4ff26a4a..00000000
--- a/.github/workflows/golangci-lint.yml
+++ /dev/null
@@ -1,24 +0,0 @@
-name: Golangci-lint
-on:
-  push:
-    branches:
-      - master
-  pull_request:
-
-jobs:
-  golangci-lint:
-    name: lint
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v3
-
-      - name: Set up Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: '1.21'
-
-      - name: golangci-lint
-        uses: golangci/golangci-lint-action@v3
-        with:
-          version: v1.56.2
diff --git a/.github/workflows/secure.yml b/.github/workflows/secure.yml
new file mode 100644
index 00000000..30a4ef7e
--- /dev/null
+++ b/.github/workflows/secure.yml
@@ -0,0 +1,75 @@
+name: Secure
+
+on: push
+
+jobs:
+  # Sample GitHub Actions:
+  # https://semgrep.dev/docs/semgrep-ci/sample-ci-configs#sample-github-actions-configuration-file
+  #
+  # CLI Reference:
+  # https://semgrep.dev/docs/cli-reference
+  semgrep:
+    runs-on: ubuntu-24.04
+    container:
+      image: semgrep/semgrep
+    permissions:
+      contents: read
+      security-events: write
+    steps:
+      - uses: actions/checkout@v4
+      - run: semgrep scan --sarif --output=semgrep.sarif --error --severity=WARNING
+        env:
+          SEMGREP_RULES: >-
+            p/command-injection
+            p/comment
+            p/cwe-top-25
+            p/default
+            p/gitlab
+            p/gitleaks
+            p/golang
+            p/gosec
+            p/insecure-transport
+            p/owasp-top-ten
+            p/r2c-best-practices
+            p/r2c-bug-scan
+            p/r2c-security-audit
+            p/secrets
+            p/security-audit
+            p/sql-injection
+            p/xss
+      - uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: semgrep.sarif
+        if: always()
+
+  # Samples GitHub Actions:
+  # https://github.com/aquasecurity/trivy-action
+  trivy:
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+      security-events: write
+    steps:
+      - uses: actions/checkout@v4
+      - uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: fs
+          format: sarif
+          output: trivy.sarif
+          exit-code: 1
+          severity: MEDIUM,CRITICAL,HIGH
+          ignore-unfixed: true
+          trivyignores: .trivyignore.yml
+      - uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: trivy.sarif
+        if: always()
+
+  # Samples GitHub Actions:
+  # https://github.com/golang/govulncheck-action
+  govulncheck:
+    runs-on: ubuntu-24.04
+    steps:
+      - uses: golang/govulncheck-action@v1
+        with:
+          go-version-file: go.mod
diff --git a/.github/workflows/unit-tests.yml b/.github/workflows/unit-tests.yml
deleted file mode 100644
index 7079236b..00000000
--- a/.github/workflows/unit-tests.yml
+++ /dev/null
@@ -1,24 +0,0 @@
-name: Unit Tests
-on:
-  push:
-    branches:
-      - master
-  pull_request:
-
-jobs:
-  unit-test:
-    runs-on: ubuntu-latest
-    strategy:
-      fail-fast: false
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v3
-
-      - name: Set up Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: '1.21'
-
-      - name: Run test
-        run: make test
diff --git a/.github/workflows/verify.yml b/.github/workflows/verify.yml
new file mode 100644
index 00000000..97da0b9d
--- /dev/null
+++ b/.github/workflows/verify.yml
@@ -0,0 +1,34 @@
+name: Verify
+
+on: push
+
+jobs:
+  tests:
+    runs-on: ubuntu-24.04
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
+        with:
+          go-version: '1.21'
+      - run: make test
+
+  golangci-lint:
+    runs-on: ubuntu-24.04
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
+        with:
+          go-version: '1.21'
+      - uses: golangci/golangci-lint-action@v6
+        with:
+          version: v1.56.2
+
+  tidy:
+    runs-on: ubuntu-24.04
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
+        with:
+          go-version: '1.21'
+      - run: go mod tidy -v
+      - run: git diff --exit-code
diff --git a/.semgrepignore b/.semgrepignore
new file mode 100644
index 00000000..0fbb4489
--- /dev/null
+++ b/.semgrepignore
@@ -0,0 +1 @@
+website/
diff --git a/.trivyignore.yml b/.trivyignore.yml
new file mode 100644
index 00000000..e5c770d3
--- /dev/null
+++ b/.trivyignore.yml
@@ -0,0 +1,5 @@
+secrets:
+  - id: private-key
+    statement: false-positive in description field
+    paths:
+      - selectel/resourse_selectel_secretsmanager_certificate_v1.go
diff --git a/selectel/dbaas.go b/selectel/dbaas.go
index cdd6f14b..57814b38 100644
--- a/selectel/dbaas.go
+++ b/selectel/dbaas.go
@@ -7,7 +7,7 @@ import (
 	"fmt"
 	"log"
 	"math"
-	"math/rand"
+	"math/rand" // nosemgrep: go.lang.security.audit.crypto.math_random.math-random-used
 	"sort"
 	"strconv"
 	"strings"
@@ -58,7 +58,8 @@ func getDBaaSClient(d *schema.ResourceData, meta interface{}) (*dbaas.API, diag.
 }
 
 func stringChecksum(s string) (string, error) {
-	h := md5.New() // #nosec
+	// #nosec G401
+	h := md5.New() // nosemgrep: go.lang.security.audit.crypto.use_of_weak_crypto.use-of-md5
 	_, err := h.Write([]byte(s))
 	if err != nil {
 		return "", err
diff --git a/selectel/secretsmanager.go b/selectel/secretsmanager.go
index ef38793a..6caa4642 100644
--- a/selectel/secretsmanager.go
+++ b/selectel/secretsmanager.go
@@ -18,12 +18,12 @@ func getSecretsManagerClient(d *schema.ResourceData, meta interface{}) (*secrets
 
 	endpointSM, err := selvpcClient.Catalog.GetEndpoint(SecretsManager, config.AuthRegion)
 	if err != nil {
-		return nil, diag.FromErr(fmt.Errorf("can't get %s endpoint to init secretsmanager client: %w, got %s", SecretsManager, err, endpointSM.URL))
+		return nil, diag.FromErr(fmt.Errorf("can't get %s endpoint to init secretsmanager client: %w", SecretsManager, err))
 	}
 
 	endpointCM, err := selvpcClient.Catalog.GetEndpoint(CertificateManager, config.AuthRegion)
 	if err != nil {
-		return nil, diag.FromErr(fmt.Errorf("can't get %s endpoint to init secretsmanager client: %w, got %s", CertificateManager, err, endpointCM.URL))
+		return nil, diag.FromErr(fmt.Errorf("can't get %s endpoint to init secretsmanager client: %w", CertificateManager, err))
 	}
 
 	cl, err := secretsmanager.New(