From 20ee3373029638a89bcbbac3dac56f70c8852cfe Mon Sep 17 00:00:00 2001 From: Michael Zalimeni Date: Thu, 18 Jan 2024 17:05:27 -0500 Subject: [PATCH] security: disable Vault secret scans due to false positives This was recently shown to have issues with false positives that blocked a preview release build, so disabling for now. --- .release/security-scan.hcl | 26 ++++++++++++++++++++++++-- 1 file changed, 24 insertions(+), 2 deletions(-) diff --git a/.release/security-scan.hcl b/.release/security-scan.hcl index ed081b372e..4230eca420 100644 --- a/.release/security-scan.hcl +++ b/.release/security-scan.hcl @@ -17,7 +17,19 @@ container { alpine_secdb = true secrets { - all = true + matchers = { + // Use default list, minus Vault (`hashicorp`), which has experienced false positives. + // See https://github.com/hashicorp/security-scanner/blob/v0.0.2/pkg/scanner/secrets.go#L130C2-L130C2 + known = [ + // "hashicorp", + "aws", + "google", + "slack", + "github", + "azure", + "npm", + ] + } } # Triage items that are _safe_ to ignore here. Note that this list should be @@ -41,6 +53,16 @@ binary { # (yarn.lock) in the Consul binary. This is something we may investigate in the future. secrets { - all = true + // Use most of default list, minus Vault (`hashicorp`), which has experienced false positives. + // See https://github.com/hashicorp/security-scanner/blob/v0.0.2/pkg/scanner/secrets.go#L130C2-L130C2 + known = [ + // "hashicorp", + "aws", + "google", + "slack", + "github", + "azure", + "npm", + ] } }