Add Security Scanners

selectel · Jun 27, 2024 · bbfc408 · bbfc408
1 parent 2958ae3
commit bbfc408
Show file tree

Hide file tree

Showing 8 changed files with 114 additions and 52 deletions.
diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml
diff --git a/.github/workflows/secure.yml b/.github/workflows/secure.yml
@@ -0,0 +1,73 @@
+name: Secure
+
+on: push
+
+jobs:
+  # Sample GitHub Actions:
+  # https://semgrep.dev/docs/semgrep-ci/sample-ci-configs#sample-github-actions-configuration-file
+  #
+  # CLI Reference:
+  # https://semgrep.dev/docs/cli-reference
+  semgrep:
+    runs-on: ubuntu-24.04
+    container:
+      image: semgrep/semgrep
+    permissions:
+      contents: read
+      security-events: write
+    steps:
+      - uses: actions/checkout@v4
+      - run: semgrep scan --sarif --output=semgrep.sarif --error --severity=WARNING
+        env:
+          SEMGREP_RULES: >-
+            p/command-injection
+            p/comment
+            p/cwe-top-25
+            p/default
+            p/gitlab
+            p/gitleaks
+            p/golang
+            p/gosec
+            p/insecure-transport
+            p/owasp-top-ten
+            p/r2c-best-practices
+            p/r2c-bug-scan
+            p/r2c-security-audit
+            p/secrets
+            p/security-audit
+            p/sql-injection
+            p/xss
+      - uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: semgrep.sarif
+        if: always()
+
+  # Samples GitHub Actions:
+  # https://github.com/aquasecurity/trivy-action
+  trivy:
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+      security-events: write
+    steps:
+      - uses: actions/checkout@v4
+      - uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: fs
+          format: sarif
+          output: trivy.sarif
+          exit-code: 1
+          severity: MEDIUM,CRITICAL,HIGH
+      - uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: trivy.sarif
+        if: always()
+
+  # Samples GitHub Actions:
+  # https://github.com/golang/govulncheck-action
+  govulncheck:
+    runs-on: ubuntu-24.04
+    steps:
+      - uses: golang/govulncheck-action@v1
+        with:
+          go-version-file: go.mod
diff --git a/.github/workflows/unit-tests.yml b/.github/workflows/unit-tests.yml
diff --git a/.github/workflows/verify.yml b/.github/workflows/verify.yml
@@ -0,0 +1,34 @@
+name: Verify
+
+on: push
+
+jobs:
+  tests:
+    runs-on: ubuntu-24.04
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
+        with:
+          go-version: '1.21'
+      - run: make test
+
+  golangci-lint:
+    runs-on: ubuntu-24.04
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
+        with:
+          go-version: '1.21'
+      - uses: golangci/golangci-lint-action@v6
+        with:
+          version: v1.56.2
+
+  tidy:
+    runs-on: ubuntu-24.04
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
+        with:
+          go-version: '1.21'
+      - run: go mod tidy -v
+      - run: git diff --exit-code
diff --git a/.semgrepignore b/.semgrepignore
@@ -0,0 +1 @@
+website/
diff --git a/selectel/dbaas.go b/selectel/dbaas.go
@@ -7,7 +7,7 @@ import (
 	"fmt"
 	"log"
 	"math"
-	"math/rand"
+	"math/rand" // nosemgrep: go.lang.security.audit.crypto.math_random.math-random-used
 	"sort"
 	"strconv"
 	"strings"
@@ -58,7 +58,8 @@ func getDBaaSClient(d *schema.ResourceData, meta interface{}) (*dbaas.API, diag.
 }
 
 func stringChecksum(s string) (string, error) {
-	h := md5.New() // #nosec
+	// #nosec G401
+	h := md5.New() // nosemgrep: go.lang.security.audit.crypto.use_of_weak_crypto.use-of-md5
 	_, err := h.Write([]byte(s))
 	if err != nil {
 		return "", err

diff --git a/selectel/resourse_selectel_secretsmanager_certificate_v1.go b/selectel/resourse_selectel_secretsmanager_certificate_v1.go
@@ -38,6 +38,7 @@ func resourceSecretsManagerCertificateV1() *schema.Resource {
 				Required: true,
 			},
 			"private_key": {
+				// trivy:ignore:private-key
 				Description: "that should start with -----BEGIN PRIVATE KEY----- and end with -----END PRIVATE KEY-----",
 				Type:        schema.TypeString,
 				Required:    true,

diff --git a/selectel/secretsmanager.go b/selectel/secretsmanager.go
@@ -18,12 +18,12 @@ func getSecretsManagerClient(d *schema.ResourceData, meta interface{}) (*secrets
 
 	endpointSM, err := selvpcClient.Catalog.GetEndpoint(SecretsManager, config.AuthRegion)
 	if err != nil {
-		return nil, diag.FromErr(fmt.Errorf("can't get %s endpoint to init secretsmanager client: %w, got %s", SecretsManager, err, endpointSM.URL))
+		return nil, diag.FromErr(fmt.Errorf("can't get %s endpoint to init secretsmanager client: %w", SecretsManager, err))
 	}
 
 	endpointCM, err := selvpcClient.Catalog.GetEndpoint(CertificateManager, config.AuthRegion)
 	if err != nil {
-		return nil, diag.FromErr(fmt.Errorf("can't get %s endpoint to init secretsmanager client: %w, got %s", CertificateManager, err, endpointCM.URL))
+		return nil, diag.FromErr(fmt.Errorf("can't get %s endpoint to init secretsmanager client: %w", CertificateManager, err))
 	}
 
 	cl, err := secretsmanager.New(