From 574f53d1763af70763fb44811a3e7ac8301f2a2a Mon Sep 17 00:00:00 2001
From: Deniz Onur Duzgun <59659739+dduzgun-security@users.noreply.github.com>
Date: Thu, 23 May 2024 13:40:59 -0400
Subject: [PATCH] security: enable go stdlib scans (#20905)

* security: enable go stdlib scans
* security: enable go stdlib binary scan
* Fix formating
---
 .release/security-scan.hcl | 1 +
 scan.hcl | 7 ++++---
 2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/.release/security-scan.hcl b/.release/security-scan.hcl
index 8401764bc4..88b2c88117 100644
--- a/.release/security-scan.hcl
+++ b/.release/security-scan.hcl
@@ -56,6 +56,7 @@ container {
 binary {
 go_modules = true
 osv = true
+ go_stdlib = true
 # We can't enable npm for binary targets today because we don't yet embed the relevant file
 # (yarn.lock) in the Consul binary. This is something we may investigate in the future.
diff --git a/scan.hcl b/scan.hcl
index 82888d3be8..b0a1b924b4 100644
--- a/scan.hcl
+++ b/scan.hcl
@@ -15,9 +15,10 @@
 # unlike the scans configured here, will block releases in CRT.
 repository {
- go_modules = true
- npm = true
- osv = true
+ go_modules = true
+ npm = true
+ osv = true
+ go_stdlib_version_file = ".go-version"
 secrets {
 all = true
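Review bot: The new `go_stdlib = true` in the `binary` stanza has no comment saying where the stdlib version comes from, while the neighbouring npm comment carefully explains why that scanner is off; the repository scan in scan.hcl points at `.go-version`, but this stanza sets only a boolean, so a reader cannot tell whether the binary scan reads the toolchain version out of the artifact itself or falls back to some default. I would add, above the new line, `# go_stdlib: report CVEs in the Go standard library the binary was built against (version presumably taken from the binary's embedded build info rather than .go-version — confirm with the scanner docs)`. If the version is in fact taken from the artifact, this is the scan whose result reflects the shipped toolchain and it is worth saying so, since it is the one that can block a release.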
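Review bot: `go_stdlib_version_file = ".go-version"` pins the repository-level stdlib scan to whatever `.go-version` says, which can silently diverge from the toolchain that actually produces the release artifact (for example a `toolchain` directive in go.mod or a `GOTOOLCHAIN` override that upgrades past the file); when that happens the scan reports against a Go version nobody shipped. The preceding context line notes that these repository scans, unlike others, do not block releases in CRT, so a stale `.go-version` would go unnoticed rather than fail anything. I would add a one-line comment on the new line, `# must track the toolchain used for release builds; the binary scan in .release/security-scan.hcl is the authoritative check`, and, if the build pipeline does not already do so, have it assert that `.go-version` matches the version recorded in the built binary.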