Skip to content

Commit

Permalink
Add Security Scanners
Browse files Browse the repository at this point in the history
  • Loading branch information
milkrage committed Jun 27, 2024
1 parent 2958ae3 commit c25d999
Show file tree
Hide file tree
Showing 9 changed files with 119 additions and 53 deletions.
24 changes: 0 additions & 24 deletions .github/workflows/golangci-lint.yml

This file was deleted.

73 changes: 73 additions & 0 deletions .github/workflows/secure.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,73 @@
name: Secure

on: push

jobs:
# Sample GitHub Actions:
# https://semgrep.dev/docs/semgrep-ci/sample-ci-configs#sample-github-actions-configuration-file
#
# CLI Reference:
# https://semgrep.dev/docs/cli-reference
semgrep:
runs-on: ubuntu-24.04
container:
image: semgrep/semgrep
permissions:
contents: read
security-events: write
steps:
- uses: actions/checkout@v4
- run: semgrep scan --sarif --output=semgrep.sarif --error --severity=WARNING
env:
SEMGREP_RULES: >-
p/command-injection
p/comment
p/cwe-top-25
p/default
p/gitlab
p/gitleaks
p/golang
p/gosec
p/insecure-transport
p/owasp-top-ten
p/r2c-best-practices
p/r2c-bug-scan
p/r2c-security-audit
p/secrets
p/security-audit
p/sql-injection
p/xss
- uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: semgrep.sarif
if: always()

# Samples GitHub Actions:
# https://github.com/aquasecurity/trivy-action
trivy:
runs-on: ubuntu-24.04
permissions:
contents: read
security-events: write
steps:
- uses: actions/checkout@v4
- uses: aquasecurity/trivy-action@master
with:
scan-type: fs
format: sarif
output: trivy.sarif
exit-code: 1
severity: MEDIUM,CRITICAL,HIGH
- uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: trivy.sarif
if: always()

# Samples GitHub Actions:
# https://github.com/golang/govulncheck-action
govulncheck:
runs-on: ubuntu-24.04
steps:
- uses: golang/govulncheck-action@v1
with:
go-version-file: go.mod
24 changes: 0 additions & 24 deletions .github/workflows/unit-tests.yml

This file was deleted.

34 changes: 34 additions & 0 deletions .github/workflows/verify.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,34 @@
name: Verify

on: push

jobs:
tests:
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@v4
- uses: actions/setup-go@v5
with:
go-version: '1.21'
- run: make test

golangci-lint:
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@v4
- uses: actions/setup-go@v5
with:
go-version: '1.21'
- uses: golangci/golangci-lint-action@v6
with:
version: v1.56.2

tidy:
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@v4
- uses: actions/setup-go@v5
with:
go-version: '1.21'
- run: go mod tidy -v
- run: git diff --exit-code
1 change: 0 additions & 1 deletion .gitignore
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,6 @@
*.terraform.lock.hcl
*.log
*.json
*.yaml
.terraform/
terraform-provider-selectel
.idea
Expand Down
1 change: 1 addition & 0 deletions .semgrepignore
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
website/
6 changes: 6 additions & 0 deletions .trivyignore.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
secrets:
- id: private-key
path:
- selectel/resourse_selectel_secretsmanager_certificate_v1.go
statement: false positive trigger in field of description

5 changes: 3 additions & 2 deletions selectel/dbaas.go
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@ import (
"fmt"
"log"
"math"
"math/rand"
"math/rand" // nosemgrep: go.lang.security.audit.crypto.math_random.math-random-used
"sort"
"strconv"
"strings"
Expand Down Expand Up @@ -58,7 +58,8 @@ func getDBaaSClient(d *schema.ResourceData, meta interface{}) (*dbaas.API, diag.
}

func stringChecksum(s string) (string, error) {
h := md5.New() // #nosec
// #nosec G401
h := md5.New() // nosemgrep: go.lang.security.audit.crypto.use_of_weak_crypto.use-of-md5
_, err := h.Write([]byte(s))
if err != nil {
return "", err
Expand Down
4 changes: 2 additions & 2 deletions selectel/secretsmanager.go
Original file line number Diff line number Diff line change
Expand Up @@ -18,12 +18,12 @@ func getSecretsManagerClient(d *schema.ResourceData, meta interface{}) (*secrets

endpointSM, err := selvpcClient.Catalog.GetEndpoint(SecretsManager, config.AuthRegion)
if err != nil {
return nil, diag.FromErr(fmt.Errorf("can't get %s endpoint to init secretsmanager client: %w, got %s", SecretsManager, err, endpointSM.URL))
return nil, diag.FromErr(fmt.Errorf("can't get %s endpoint to init secretsmanager client: %w", SecretsManager, err))
}

endpointCM, err := selvpcClient.Catalog.GetEndpoint(CertificateManager, config.AuthRegion)
if err != nil {
return nil, diag.FromErr(fmt.Errorf("can't get %s endpoint to init secretsmanager client: %w, got %s", CertificateManager, err, endpointCM.URL))
return nil, diag.FromErr(fmt.Errorf("can't get %s endpoint to init secretsmanager client: %w", CertificateManager, err))
}

cl, err := secretsmanager.New(
Expand Down

0 comments on commit c25d999

Please sign in to comment.