From d2c2a27307c0bce69f4e95dfd4337b826981e614 Mon Sep 17 00:00:00 2001 From: Michael Zalimeni Date: Wed, 14 Feb 2024 12:26:15 -0500 Subject: [PATCH 1/2] security: re-enable security scan release block This was previously disabled due to an unresolved false-positive CVE. Re-enabling both secrets and OSV + Go Modules scanning, which per our current scan results should not be a blocker to future releases. Also add security scans on PR and merge to protected branches to allow proactive triage going forward. See hashicorp/consul#19978 for similar change in that repo, adapted here. --- .github/workflows/build.yml | 14 +---- .github/workflows/lint.yaml | 15 +---- .github/workflows/reusable-get-go-version.yml | 30 +++++++++ .github/workflows/security-scan.yml | 63 +++++++++++++++++++ .release/security-scan.hcl | 25 ++++++-- scan.hcl | 36 +++++++++++ 6 files changed, 151 insertions(+), 32 deletions(-) create mode 100644 .github/workflows/reusable-get-go-version.yml create mode 100644 .github/workflows/security-scan.yml create mode 100644 scan.hcl diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 72566dff65..fc09fcf5f7 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -16,19 +16,7 @@ env: jobs: get-go-version: - name: "Determine Go toolchain version" - runs-on: ubuntu-latest - outputs: - go-version: ${{ steps.get-go-version.outputs.go-version }} - steps: - - uses: actions/checkout@v3 - - name: Determine Go version - id: get-go-version - # We use .go-version as our source of truth for current Go - # version, because "goenv" can react to it automatically. - run: | - echo "Building with Go $(cat .go-version)" - echo "go-version=$(cat .go-version)" >> $GITHUB_OUTPUT + uses: ./.github/workflows/reusable-get-go-version.yml get-product-version: runs-on: ubuntu-latest diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml index fa8d685de2..0ee97a3d75 100644 --- a/.github/workflows/lint.yaml 
+++ b/.github/workflows/lint.yaml @@ -5,20 +5,7 @@ on: jobs: get-go-version: - runs-on: ubuntu-latest - outputs: - go-version: ${{ steps.get-go-version.outputs.go-version }} - steps: - - name: Checkout code - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - - - name: Determine Go version - id: get-go-version - # We use .go-version as our source of truth for current Go - # version, because "goenv" can react to it automatically. - run: | - echo "Building with Go $(cat .go-version)" - echo "go-version=$(cat .go-version)" >> "${GITHUB_OUTPUT}" + uses: ./.github/workflows/reusable-get-go-version.yml linting: name: golangci-lint diff --git a/.github/workflows/reusable-get-go-version.yml b/.github/workflows/reusable-get-go-version.yml new file mode 100644 index 0000000000..e2de0afd18 --- /dev/null +++ b/.github/workflows/reusable-get-go-version.yml @@ -0,0 +1,30 @@ +name: get-go-version + +on: + workflow_call: + outputs: + go-version: + description: "The Go version detected by this workflow" + value: ${{ jobs.get-go-version.outputs.go-version }} + +jobs: + get-go-version: + name: "Determine Go toolchain version" + runs-on: ubuntu-latest + outputs: + go-version: ${{ steps.get-go-version.outputs.go-version }} + steps: + - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + - name: Determine Go version + id: get-go-version + # We use .go-version as our source of truth for current Go + # version, because "goenv" can react to it automatically. + # + # In the future, we can transition from .go-version and goenv to + # Go 1.21 `toolchain` directives by updating this workflow rather + # than individually setting `go-version-file` in each `setup-go` + # job (as of 2024-01-03, `setup-go` does not support `toolchain`). + run: | + GO_VERSION=$(head -n 1 .go-version) + echo "Building with Go ${GO_VERSION}" + echo "go-version=${GO_VERSION}" >> $GITHUB_OUTPUT 
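Review bot: The `Determine Go version` step in reusable-get-go-version.yml writes the first line of `.go-version` straight into `$GITHUB_OUTPUT` without checking that it looks like a Go version, so an empty or malformed file (including one edited on a PR branch) propagates a bad `go-version` into every caller's `setup-go` instead of failing here with a clear message. Add a guard after the assignment, e.g. `[[ "${GO_VERSION}" =~ ^[0-9]+\.[0-9]+(\.[0-9]+)?$ ]] || { echo "::error::.go-version is not a valid Go version: '${GO_VERSION}'"; exit 1; }` (widen the pattern if pre-release versions are ever used). The redirect should also quote the variable, `>> "${GITHUB_OUTPUT}"`, as the lint.yaml step it replaces already did.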
diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml new file mode 100644 index 0000000000..2ce2e88d85 --- /dev/null +++ b/.github/workflows/security-scan.yml 
@@ -0,0 +1,63 @@ +name: Security Scan + +on: + push: + branches: + - main + - release/** + pull_request: + branches: + - main + - release/** + +# cancel existing runs of the same workflow on the same ref +concurrency: + group: ${{ github.workflow }}-${{ github.head_ref || github.ref }} + cancel-in-progress: true + +jobs: + get-go-version: + uses: ./.github/workflows/reusable-get-go-version.yml + + scan: + needs: + - get-go-version + runs-on: ubuntu-latest + # The first check ensures this doesn't run on community-contributed PRs, who + # won't have the permissions to run this job. + if: ${{ (github.repository != 'hashicorp/consul-k8s' || (github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name)) + && (github.actor != 'dependabot[bot]') && (github.actor != 'hc-github-team-consul-core') }} + + steps: + - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + + - name: Set up Go + uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1 + with: + go-version: ${{ needs.get-go-version.outputs.go-version }} + + - name: Clone Security Scanner repo + uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + with: + repository: hashicorp/security-scanner + #TODO: replace w/ HASHIBOT_PRODSEC_GITHUB_TOKEN once provisioned + token: ${{ secrets.ELEVATED_GITHUB_TOKEN }} + path: security-scanner + ref: main + + - name: Scan + id: scan + uses: ./security-scanner + with: + repository: "$PWD" + # See scan.hcl at repository root for config. + + - name: SARIF Output + shell: bash + run: | + cat results.sarif | jq + + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@46a6823b81f2d7c67ddf123851eea88365bc8a67 # codeql-bundle-v2.13.5 + with: + sarif_file: results.sarif \ No newline at end of file diff --git a/.release/security-scan.hcl b/.release/security-scan.hcl index 692fea1578..518aaa6156 100644 --- a/.release/security-scan.hcl +++ b/.release/security-scan.hcl 
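Review bot: The workflow declares no `permissions:` block, yet the `Upload SARIF file` step needs `security-events: write`, so whether the upload succeeds depends on the repository's default `GITHUB_TOKEN` grant rather than on the workflow itself. Add an explicit least-privilege block at workflow or job level, `permissions:` / `  contents: read` / `  security-events: write`, so the upload works regardless of repo defaults and the job receives nothing else. Two smaller points in the same hunk: `repository: "$PWD"` reaches the action as the literal string `$PWD` unless the action expands shell variables itself, whereas `${{ github.workspace }}` is evaluated before the step runs, and `cat results.sarif | jq` can simply be `jq . results.sarif`. The file is also missing its trailing newline.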
@@ -1,16 +1,31 @@ # Copyright (c) HashiCorp, Inc. # SPDX-License-Identifier: MPL-2.0 +# These scan results are run as part of CRT workflows. + +# Un-triaged results will block release. See `security-scanner` docs for more +# information on how to add `triage` config to unblock releases for specific results. +# In most cases, we should not need to disable the entire scanner to unblock a release. + +# To run manually, install scanner and then from the repository root run +# `SECURITY_SCANNER_CONFIG_FILE=.release/security-scan.hcl scan ...` +# To scan a local container, add `local_daemon = true` to the `container` block below. +# See `security-scanner` docs or run with `--help` for scan target syntax. + container { dependencies = true alpine_secdb = true - secrets = true + + secrets { + all = true + } } binary { - secrets = true - go_modules = false + go_modules = true osv = true - oss_index = false - nvd = false + + secrets { + all = true + } } \ No newline at end of file diff --git a/scan.hcl b/scan.hcl new file mode 100644 index 0000000000..5716c1ce2e --- /dev/null +++ b/scan.hcl 
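Review bot: The hunk drops the explicit `oss_index = false` and `nvd = false` lines from the `binary` block rather than keeping them; if the scanner's defaults for those sources are not `false`, this quietly enables two more sources beyond the OSV and Go Modules re-enable described in the commit message. Either keep the two lines or add a comment such as `# oss_index and nvd are left at scanner defaults` so the intent is preserved when this is backported.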
@@ -0,0 +1,36 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +# Configuration for security scanner. +# Run on PRs and pushes to `main` and `release/**` branches. +# See .github/workflows/security-scan.yml for CI config. + +# To run manually, install scanner and then run `scan repository .` + +# Scan results are triaged via the GitHub Security tab for this repo. +# See `security-scanner` docs for more information on how to add `triage` config +# for specific results or to exclude paths. + +# .release/security-scan.hcl controls scanner config for release artifacts, which +# unlike the scans configured here, will block releases in CRT. + +repository { + go_modules = true + npm = true + osv = true + + secrets { + all = true + } + + triage { + suppress { + paths = [ + # Ignore test and local tool modules, which are not included in published + # artifacts. + "acceptance/*", + "hack/*", + ] + } + } +} From 451771766251a23f8d8b8a3ee341b5c5e8abb4dc Mon Sep 17 00:00:00 2001 From: Michael Zalimeni Date: Tue, 20 Feb 2024 13:10:47 -0500 Subject: [PATCH 2/2] security: add scan triage for CVE-2024-25620 (helm/v3) Triage this scan result as `consul-k8s` should not be directly impacted and it is medium severity. Follow-up ticket filed for remediation. Also improve formatting of scan config since this change will be backported. --- .release/security-scan.hcl | 31 ++++++++++++++++++++----------- scan.hcl | 4 ++++ 2 files changed, 24 insertions(+), 11 deletions(-) diff --git a/.release/security-scan.hcl b/.release/security-scan.hcl index 518aaa6156..52877c1805 100644 --- a/.release/security-scan.hcl +++ b/.release/security-scan.hcl 
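Review bot: The `triage.suppress.paths` globs `acceptance/*` and `hack/*` suppress findings after the fact rather than excluding the directories from the scan, and whether `*` matches nested subdirectories depends on the scanner's glob semantics, which the hunk does not state; if matching is single-segment, results under a nested module path in `acceptance/` will still be reported. Worth confirming against the `security-scanner` docs and switching to `**`-style patterns or a path-exclusion option if needed. A one-line comment next to the list recording what was verified, e.g. `# Patterns use <scanner glob semantics>; verified against security-scanner <version>` (placeholders to fill in), would keep the next reader from guessing.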
@@ -13,19 +13,28 @@ # See `security-scanner` docs or run with `--help` for scan target syntax. container { - dependencies = true - alpine_secdb = true + dependencies = true + alpine_secdb = true - secrets { - all = true - } + secrets { + all = true + } } binary { - go_modules = true - osv = true + go_modules = true + osv = true - secrets { - all = true - } -} \ No newline at end of file + secrets { + all = true + } + + triage { + suppress { + vulnerabilites = [ + # NET-8174 (2024-02-20): Chart YAML path traversal (not impacted) + "GHSA-v53g-5gjp-272r", # alias CVE-2024-25620 + ] + } + } +} diff --git a/scan.hcl b/scan.hcl index 5716c1ce2e..3d5baf68db 100644 --- a/scan.hcl +++ b/scan.hcl @@ -31,6 +31,10 @@ repository { "acceptance/*", "hack/*", ] + vulnerabilites = [ + # NET-8174 (2024-02-20): Chart YAML path traversal (not impacted) + "GHSA-v53g-5gjp-272r", # alias CVE-2024-25620 + ] } } }
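Review bot: Both hunks add a `vulnerabilites` key (missing the second `i`); if that spelling is what the `security-scanner` schema expects, a comment next to it such as `# NB: "vulnerabilites" is the scanner's key spelling; do not "correct" it` would stop a future cleanup from silently breaking the suppression, and if it is not, the suppression does not apply and the GHSA result will still surface as a blocker. The same applies to the scan.hcl hunk later on this line. The triage comment already gives the ticket and rationale; adding the condition for removal would make it self-expiring, e.g. `# NET-8174 (2024-02-20): Chart YAML path traversal (not impacted); remove once helm/v3 is bumped to a release that fixes the advisory`.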