From b03d770dc3e0b71185d8d408a2d59a04a36a0ee8 Mon Sep 17 00:00:00 2001
From: Michael Zalimeni
Date: Thu, 18 Jan 2024 23:00:54 -0500
Subject: [PATCH] security: disable Vault secret scans due to false positives (#20264)

This was recently shown to have issues with false positives that blocked a preview release build, so disabling for now.
---
 .release/security-scan.hcl | 26 ++++++++++++++++++++++++--
 1 file changed, 24 insertions(+), 2 deletions(-)

diff --git a/.release/security-scan.hcl b/.release/security-scan.hcl
index ed081b372e..4230eca420 100644
--- a/.release/security-scan.hcl
+++ b/.release/security-scan.hcl
@@ -17,7 +17,19 @@ container {
 alpine_secdb = true
 
 secrets {
- all = true
+ matchers = {
+ // Use default list, minus Vault (`hashicorp`), which has experienced false positives.
+ // See https://github.com/hashicorp/security-scanner/blob/v0.0.2/pkg/scanner/secrets.go#L130C2-L130C2
+ known = [
+ // "hashicorp",
+ "aws",
+ "google",
+ "slack",
+ "github",
+ "azure",
+ "npm",
+ ]
+ }
 }
 
 # Triage items that are _safe_ to ignore here. Note that this list should be
@@ -41,6 +53,16 @@ binary {
 # (yarn.lock) in the Consul binary. This is something we may investigate in the future.
 
 secrets {
- all = true
+ // Use most of default list, minus Vault (`hashicorp`), which has experienced false positives.
+ // See https://github.com/hashicorp/security-scanner/blob/v0.0.2/pkg/scanner/secrets.go#L130C2-L130C2
+ known = [
+ // "hashicorp",
+ "aws",
+ "google",
+ "slack",
+ "github",
+ "azure",
+ "npm",
+ ]
 }
 }
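Review bot: The two hunks express the same override with different structure: in the `container` block `known = [...]` is nested inside `matchers = { ... }`, while in the `binary` block (second hunk) `known = [...]` sits directly under `secrets { }` with no `matchers` wrapper. Unless the scanner accepts both shapes, one of the two blocks will either fail to parse or be ignored and fall back to the scanner's default matcher set, so the binary or container scan would not get the intended list; the linked secrets.go should settle which attribute name is expected, and both blocks should use the same one. Because `known` now pins an explicit list, any matcher added to the scanner's defaults after v0.0.2 is also excluded from both scans, which the comment should state so the list is revisited on scanner upgrades. Since the commit body describes this as a temporary disable, add a marker next to the commented-out entry in both blocks, e.g. `// TODO: restore "hashicorp" once the false positive is fixed upstream (tracking: <issue-placeholder>)`, so the reduced coverage for Vault secrets is not forgotten.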