Skip to content

Commit

Permalink
Backport of [NET-2420] security: re-enable security scan release bloc…
Browse files Browse the repository at this point in the history
…k into release/1.1.x (#3648)

* security: re-enable security scan release block

This was previously disabled due to an unresolved false-positive CVE.
Re-enabling both secrets and OSV + Go Modules scanning, which per our
current scan results should not be a blocker to future releases.

Also add security scans on PR and merge to protected branches to allow
proactive triage going forward.

See hashicorp/consul#19978 for similar change in that repo, adapted
here.

* security: add scan triage for CVE-2024-25620 (helm/v3)

Triage this scan result as `consul-k8s` should not be directly
impacted and it is medium severity. Follow-up ticket filed for
remediation.

Also improve formatting of scan config since this change will be
backported.

---------

Co-authored-by: Michael Zalimeni <michael.zalimeni@hashicorp.com>
  • Loading branch information
hc-github-team-consul-core and zalimeni authored Feb 21, 2024
1 parent 1157afe commit 5c8c20f
Show file tree
Hide file tree
Showing 6 changed files with 168 additions and 36 deletions.
14 changes: 1 addition & 13 deletions .github/workflows/build.yml
Original file line number Diff line number Diff line change
Expand Up @@ -16,19 +16,7 @@ env:

jobs:
get-go-version:
name: "Determine Go toolchain version"
runs-on: ubuntu-latest
outputs:
go-version: ${{ steps.get-go-version.outputs.go-version }}
steps:
- uses: actions/checkout@v3
- name: Determine Go version
id: get-go-version
# We use .go-version as our source of truth for current Go
# version, because "goenv" can react to it automatically.
run: |
echo "Building with Go $(cat .go-version)"
echo "go-version=$(cat .go-version)" >> $GITHUB_OUTPUT
uses: ./.github/workflows/reusable-get-go-version.yml

get-product-version:
runs-on: ubuntu-latest
Expand Down
15 changes: 1 addition & 14 deletions .github/workflows/lint.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -5,20 +5,7 @@ on:

jobs:
get-go-version:
runs-on: ubuntu-latest
outputs:
go-version: ${{ steps.get-go-version.outputs.go-version }}
steps:
- name: Checkout code
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3

- name: Determine Go version
id: get-go-version
# We use .go-version as our source of truth for current Go
# version, because "goenv" can react to it automatically.
run: |
echo "Building with Go $(cat .go-version)"
echo "go-version=$(cat .go-version)" >> "${GITHUB_OUTPUT}"
uses: ./.github/workflows/reusable-get-go-version.yml

linting:
name: golangci-lint
Expand Down
30 changes: 30 additions & 0 deletions .github/workflows/reusable-get-go-version.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,30 @@
name: get-go-version

on:
workflow_call:
outputs:
go-version:
description: "The Go version detected by this workflow"
value: ${{ jobs.get-go-version.outputs.go-version }}

jobs:
get-go-version:
name: "Determine Go toolchain version"
runs-on: ubuntu-latest
outputs:
go-version: ${{ steps.get-go-version.outputs.go-version }}
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- name: Determine Go version
id: get-go-version
# We use .go-version as our source of truth for current Go
# version, because "goenv" can react to it automatically.
#
# In the future, we can transition from .go-version and goenv to
# Go 1.21 `toolchain` directives by updating this workflow rather
# than individually setting `go-version-file` in each `setup-go`
# job (as of 2024-01-03, `setup-go` does not support `toolchain`).
run: |
GO_VERSION=$(head -n 1 .go-version)
echo "Building with Go ${GO_VERSION}"
echo "go-version=${GO_VERSION}" >> $GITHUB_OUTPUT
63 changes: 63 additions & 0 deletions .github/workflows/security-scan.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,63 @@
name: Security Scan

on:
push:
branches:
- main
- release/**
pull_request:
branches:
- main
- release/**

# cancel existing runs of the same workflow on the same ref
concurrency:
group: ${{ github.workflow }}-${{ github.head_ref || github.ref }}
cancel-in-progress: true

jobs:
get-go-version:
uses: ./.github/workflows/reusable-get-go-version.yml

scan:
needs:
- get-go-version
runs-on: ubuntu-latest
# The first check ensures this doesn't run on community-contributed PRs, who
# won't have the permissions to run this job.
if: ${{ (github.repository != 'hashicorp/consul-k8s' || (github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name))
&& (github.actor != 'dependabot[bot]') && (github.actor != 'hc-github-team-consul-core') }}

steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3

- name: Set up Go
uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
with:
go-version: ${{ needs.get-go-version.outputs.go-version }}

- name: Clone Security Scanner repo
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with:
repository: hashicorp/security-scanner
#TODO: replace w/ HASHIBOT_PRODSEC_GITHUB_TOKEN once provisioned
token: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
path: security-scanner
ref: main

- name: Scan
id: scan
uses: ./security-scanner
with:
repository: "$PWD"
# See scan.hcl at repository root for config.

- name: SARIF Output
shell: bash
run: |
cat results.sarif | jq
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@46a6823b81f2d7c67ddf123851eea88365bc8a67 # codeql-bundle-v2.13.5
with:
sarif_file: results.sarif
42 changes: 33 additions & 9 deletions .release/security-scan.hcl
Original file line number Diff line number Diff line change
@@ -1,16 +1,40 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0

# These scan results are run as part of CRT workflows.

# Un-triaged results will block release. See `security-scanner` docs for more
# information on how to add `triage` config to unblock releases for specific results.
# In most cases, we should not need to disable the entire scanner to unblock a release.

# To run manually, install scanner and then from the repository root run
# `SECURITY_SCANNER_CONFIG_FILE=.release/security-scan.hcl scan ...`
# To scan a local container, add `local_daemon = true` to the `container` block below.
# See `security-scanner` docs or run with `--help` for scan target syntax.

container {
dependencies = true
alpine_secdb = true
secrets = true
dependencies = true
alpine_secdb = true

secrets {
all = true
}
}

binary {
secrets = true
go_modules = false
osv = true
oss_index = false
nvd = false
}
go_modules = true
osv = true

secrets {
all = true
}

triage {
suppress {
vulnerabilites = [
# NET-8174 (2024-02-20): Chart YAML path traversal (not impacted)
"GHSA-v53g-5gjp-272r", # alias CVE-2024-25620
]
}
}
}
40 changes: 40 additions & 0 deletions scan.hcl
Original file line number Diff line number Diff line change
@@ -0,0 +1,40 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0

# Configuration for security scanner.
# Run on PRs and pushes to `main` and `release/**` branches.
# See .github/workflows/security-scan.yml for CI config.

# To run manually, install scanner and then run `scan repository .`

# Scan results are triaged via the GitHub Security tab for this repo.
# See `security-scanner` docs for more information on how to add `triage` config
# for specific results or to exclude paths.

# .release/security-scan.hcl controls scanner config for release artifacts, which
# unlike the scans configured here, will block releases in CRT.

repository {
go_modules = true
npm = true
osv = true

secrets {
all = true
}

triage {
suppress {
paths = [
# Ignore test and local tool modules, which are not included in published
# artifacts.
"acceptance/*",
"hack/*",
]
vulnerabilites = [
# NET-8174 (2024-02-20): Chart YAML path traversal (not impacted)
"GHSA-v53g-5gjp-272r", # alias CVE-2024-25620
]
}
}
}

0 comments on commit 5c8c20f

Please sign in to comment.