# Security Scan workflow: runs HashiCorp's security scanner against this
# repository and publishes the SARIF results to GitHub code scanning.
#
# Job graph: conditional-skip -> setup -> scan. The first two jobs decide
# whether CI should run at all and which runner class the scan job uses.
name: Security Scan

on:
  push:
    branches:
      - main
      - release/**
  pull_request:
    branches:
      - main
      - release/**

# Cancel existing runs of the same workflow on the same ref. For pull
# requests head_ref is set; for pushes it is empty and ref is used instead.
concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.ref }}
  cancel-in-progress: true

jobs:
  conditional-skip:
    name: Get files changed and conditionally skip CI
    runs-on: ubuntu-latest
    outputs:
      # Consumed by `setup` to short-circuit the rest of the pipeline.
      skip-ci: ${{ steps.read-files.outputs.skip-ci }}
    steps:
      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
        with:
          # Full history; presumably the changed-files script diffs against
          # the base ref - TODO confirm against the script.
          fetch-depth: 0
      - id: read-files
        name: Get changed files
        run: ./.github/scripts/filter_changed_files_go_test.sh

  setup:
    name: Setup
    needs:
      - conditional-skip
    if: needs.conditional-skip.outputs.skip-ci != 'true'
    runs-on: ubuntu-latest
    outputs:
      # Runner class labels as JSON strings, decoded with fromJSON by consumers.
      compute-small: ${{ steps.setup-outputs.outputs.compute-small }}
      compute-medium: ${{ steps.setup-outputs.outputs.compute-medium }}
      compute-large: ${{ steps.setup-outputs.outputs.compute-large }}
      compute-xl: ${{ steps.setup-outputs.outputs.compute-xl }}
    steps:
      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
      - id: setup-outputs
        name: Setup outputs
        run: ./.github/scripts/get_runner_classes.sh

  scan:
    needs:
      - setup
    runs-on: ${{ fromJSON(needs.setup.outputs.compute-xl) }}
    # The first check ensures this doesn't run on community-contributed PRs, who
    # won't have the permissions to run this job. The remaining checks skip
    # automated actors (dependabot and the core-team bot).
    # NOTE(review): no `permissions:` block is declared, so GITHUB_TOKEN runs with
    # the repository default; upload-sarif needs `security-events: write`.
    if: ${{ (github.repository != 'hashicorp/consul' || (github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name)) && (github.actor != 'dependabot[bot]') && (github.actor != 'hc-github-team-consul-core') }}
    steps:
      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
      - name: Set up Go
        uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
        with:
          cache: true
          go-version: 1.20.12 # TODO move CI build config and this to .go-version or .go-mod
      - name: Clone Security Scanner repo
        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
        with:
          repository: hashicorp/security-scanner
          # Token granting read access to the scanner repository.
          token: ${{ secrets.HASHIBOT_PRODSEC_GITHUB_TOKEN }}
          path: security-scanner
          # NOTE(review): `main` is a mutable ref; unlike the other actions in
          # this file it is not pinned to a commit SHA.
          ref: main
      - id: scan
        name: Scan
        uses: ./security-scanner
        with:
          repository: "$PWD" # See scan.hcl at repository root for config.
      # Pretty-print the results into the job log for debugging.
      - name: SARIF Output
        shell: bash
        run: |
          cat results.sarif | jq
      - name: Upload SARIF file
        uses: github/codeql-action/upload-sarif@46a6823b81f2d7c67ddf123851eea88365bc8a67 # codeql-bundle-v2.13.5
        with:
          sarif_file: results.sarif