From 61eca6513b4cfecb22439385adb5f809ddb2c3b6 Mon Sep 17 00:00:00 2001
From: Claire Labry
Date: Thu, 16 Dec 2021 11:49:22 -0500
Subject: [PATCH 1/8] enabling security scan for CRT

---
.github/workflows/build.yml | 4 +++-
.release/ci.hcl | 38 ++++++++++++++++++++++++++++++-------
.release/security-scan.hcl | 13 +++++++++++++
3 files changed, 47 insertions(+), 8 deletions(-)
create mode 100644 .release/security-scan.hcl

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 754a8fcaab..8a5eeb0354 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -3,7 +3,9 @@ name: build
on:
push:
# Sequence of patterns matched against refs/heads
- branches: [ main ]
+ branches:
+ - enable-security-scan
+ # [ main ]
env:
PKG_NAME: consul
diff --git a/.release/ci.hcl b/.release/ci.hcl
index b248590b83..cb3ba08d5a 100644
--- a/.release/ci.hcl
+++ b/.release/ci.hcl
@@ -4,17 +4,13 @@ project "consul" {
team = "consul core"
slack {
# feed-consul-ci
- notification_channel = "C9KPKPKRN"
+ notification_channel = "C01A3A54G0L"
}
github {
organization = "hashicorp"
repository = "consul"
release_branches = [
- "main",
- "release/1.8.x",
- "release/1.9.x",
- "release/1.10.x",
- "release/1.11.x"
+ "enable-security-scan"
]
}
}
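Review bot: The build.yml and .release/ci.hcl hunks in PATCH 1/8 replace the `main` push trigger, the Slack `notification_channel` and the entire `release_branches` list with the `enable-security-scan` test branch, so this commit on its own would stop release builds for `main` and every `release/1.x` branch and route CI notifications to a different channel. PATCH 4/8 reverts all of it (together with the `go_modules = false` toggle from PATCH 2/8), so the series nets to zero on these lines; squashing 1, 2 and 4, or dropping the test values before merging, keeps a commit whose only release branch is a feature branch out of `main`'s history. If the series has to stay as separate commits, the subject of 1/8 should at least say that the trigger and release branches are temporarily pointed at a test branch.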
@@ -42,8 +38,36 @@ event "upload-dev" {
}
}
-event "notarize-darwin-amd64" {
+event "security-scan-binaries" {
depends = ["upload-dev"]
+ action "security-scan-binaries" {
organization = "hashicorp"
repository = "crt-workflows-common"
workflow = "security-scan-binaries"
config = "security-scan.hcl"
}
+
+ notification {
on = "fail"
}
+}
+
+event "security-scan-containers" {
depends = ["security-scan-binaries"]
+ action "security-scan-containers" {
organization = "hashicorp"
repository = "crt-workflows-common"
workflow = "security-scan-containers"
config = "security-scan.hcl"
}
+
+ notification {
on = "fail"
}
+}
+
+event "notarize-darwin-amd64" {
+ depends = ["security-scan-containers"]
action "notarize-darwin-amd64" {
organization = "hashicorp"
repository = "crt-workflows-common"
diff --git a/.release/security-scan.hcl b/.release/security-scan.hcl
new file mode 100644
index 0000000000..3fd4ef388e
--- /dev/null
+++ b/.release/security-scan.hcl
@@ -0,0 +1,13 @@
+container {
dependencies = true
alpine_secdb = true
secrets = true
}
+
+binary {
secrets = true
go_modules = true
osv = true
oss_index = true
nvd = true
}
From 1e9b621b00efa1d8032a3b1f216b0417d7ce7852 Mon Sep 17 00:00:00 2001
From: Claire Labry
Date: Fri, 17 Dec 2021 10:20:52 -0500
Subject: [PATCH 2/8] testing out turining go modules false

---
.release/security-scan.hcl | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.release/security-scan.hcl b/.release/security-scan.hcl
index 3fd4ef388e..eeb188891c 100644
--- a/.release/security-scan.hcl
+++ b/.release/security-scan.hcl
@@ -6,7 +6,7 @@ container {
binary {
secrets = true
- go_modules = true
+ go_modules = false
osv = true
oss_index = true
nvd = true
From 4b0d34693211f982d4e3e5f5d48d288167b1944a Mon Sep 17 00:00:00 2001
From: Claire Labry
Date: Fri, 17 Dec 2021 10:41:04 -0500
Subject: [PATCH 3/8] updating the alpine version

---
Dockerfile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
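Review bot: `security-scan-containers` is chained behind `security-scan-binaries`, and `notarize-darwin-amd64` behind the container scan, so the two scans run strictly in series although both consume the same `upload-dev` artifacts and the same `config = "security-scan.hcl"`. If the CRT `depends` list accepts more than one entry (it is a list here, but the schema is not visible in this hunk), `security-scan-containers` could take `depends = ["upload-dev"]` and the notarize event `depends = ["security-scan-binaries", "security-scan-containers"]`, which keeps notarization gated on both scans while letting them run in parallel. The `notification { on = "fail" }` blocks only alert; whether a failed scan actually blocks the downstream events depends on how CRT treats a failed dependency, which this hunk does not show, so the intent deserves a comment on the notarize event such as `# notarize only after both security scans have run; confirm a failed scan blocks this edge rather than just notifying`. The body of the notarize event continues past the end of the hunk.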
diff --git a/Dockerfile b/Dockerfile
index 8d5931e91c..1c9e4f6986 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,5 +1,5 @@
# This Dockerfile creates a production release image for the project using crt release flow.
-FROM alpine:3.13 as default
+FROM alpine:3 as default
ARG VERSION
ARG BIN_NAME
From d66f4da7f0bf3f0d24fa61f43e4932404f626783 Mon Sep 17 00:00:00 2001
From: Claire Labry
Date: Thu, 6 Jan 2022 09:43:35 -0500
Subject: [PATCH 4/8] clean up after testing

---
.github/workflows/build.yml | 3 +--
.release/ci.hcl | 8 ++++++--
.release/security-scan.hcl | 2 +-
3 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 8a5eeb0354..46a5896d97 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -4,8 +4,7 @@ on:
push:
# Sequence of patterns matched against refs/heads
branches:
- - enable-security-scan
- # [ main ]
+ [ main ]
env:
PKG_NAME: consul
diff --git a/.release/ci.hcl b/.release/ci.hcl
index cb3ba08d5a..bf4a2144f3 100644
--- a/.release/ci.hcl
+++ b/.release/ci.hcl
@@ -4,13 +4,17 @@ project "consul" {
team = "consul core"
slack {
# feed-consul-ci
- notification_channel = "C01A3A54G0L"
+ notification_channel = "C9KPKPKRN"
}
github {
organization = "hashicorp"
repository = "consul"
release_branches = [
- "enable-security-scan"
+ "main",
+ "release/1.8.x",
+ "release/1.9.x",
+ "release/1.10.x",
+ "release/1.11.x"
]
}
}
diff --git a/.release/security-scan.hcl b/.release/security-scan.hcl
index eeb188891c..3fd4ef388e 100644
--- a/.release/security-scan.hcl
+++ b/.release/security-scan.hcl
@@ -6,7 +6,7 @@ container {
binary {
secrets = true
- go_modules = false
+ go_modules = true
osv = true
oss_index = true
nvd = true
From 0b3dfcb195413298b9970267d37d72a201b7987c Mon Sep 17 00:00:00 2001
From: Claire Labry
Date: Thu, 6 Jan 2022 09:45:54 -0500
Subject: [PATCH 5/8] fixing build error

---
.github/workflows/build.yml | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
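Review bot: `FROM alpine:3 as default` replaces a pinned minor (`3.13`) with a floating major tag, so the release image's base becomes whatever `alpine:3` resolves to on the day the build runs; the image is no longer reproducible from the Dockerfile alone, and an `alpine_secdb` scan result for one build says nothing about the next. The commit subject suggests the bump was made to clear scanner findings against 3.13 (inferred, not visible in the hunk); the usual approach is to move to the current pinned minor (or an image digest) and let dependency automation propose the next bump, with a comment above the FROM line such as `# pinned on purpose: bump deliberately so each CRT alpine_secdb result is tied to a known base`. If the floating tag is intentional, a comment saying so would stop the next reviewer from re-pinning it.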
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 46a5896d97..4349492875 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -3,8 +3,9 @@ name: build
on:
push:
# Sequence of patterns matched against refs/heads
- branches:
- [ main ]
+ branches: [
+ "main"
+ ]
env:
PKG_NAME: consul
From 2ddba9e3a8031216cac2a3b2774d01d8a756ea3b Mon Sep 17 00:00:00 2001
From: Claire Labry
Date: Thu, 6 Jan 2022 14:32:35 -0500
Subject: [PATCH 6/8] fix branch event convention

---
.github/workflows/build.yml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 4349492875..95b505cd30 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -3,9 +3,9 @@ name: build
on:
push:
# Sequence of patterns matched against refs/heads
- branches: [
- "main"
- ]
+ branches:
+ # Push events on the main branch
+ - main
env:
PKG_NAME: consul
From d12e0ceddf2fe417edae64643b6ce474def47eaa Mon Sep 17 00:00:00 2001
From: Evan Culver
Date: Wed, 2 Feb 2022 17:31:08 -0800
Subject: [PATCH 7/8] Add changelog entry

---
.changelog/11956.txt | 3 +++
1 file changed, 3 insertions(+)
create mode 100644 .changelog/11956.txt

diff --git a/.changelog/11956.txt b/.changelog/11956.txt
new file mode 100644
index 0000000000..716a6f1ae6
--- /dev/null
+++ b/.changelog/11956.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+ci: Enable security scanning for CRT
+```
From b62c3b4fbc6a4b77a79ad706ef12c7157b432bbb Mon Sep 17 00:00:00 2001
From: Claire Labry
Date: Fri, 4 Feb 2022 10:22:37 -0500
Subject: [PATCH 8/8] updating the binary and container blocks in security-scan file

---
.release/security-scan.hcl | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/.release/security-scan.hcl b/.release/security-scan.hcl
index 3fd4ef388e..6a2a57b8b8 100644
--- a/.release/security-scan.hcl
+++ b/.release/security-scan.hcl
@@ -1,13 +1,19 @@
container {
dependencies = true
alpine_secdb = true
- secrets = true
+
+ secrets {
+ all = true
+ }
}
binary {
- secrets = true
go_modules = true
osv = true
oss_index = true
nvd = true
+
+ secrets {
+ all = true
+ }
}
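Review bot: After this rewrite `.release/security-scan.hcl` still carries no comments, so nothing in the repository says who consumes the file or what the new `secrets { all = true }` block form changes relative to the old `secrets = true` attribute. A short header would help the next person touching it, e.g. `# Consumed by the security-scan-binaries / security-scan-containers workflows in hashicorp/crt-workflows-common; wired up in .release/ci.hcl.`, and each `secrets` block could carry `# block form: all = true presumably enables every secret-detection rule — confirm against the CRT schema`, since the meaning of `all` is not visible in this patch. The remaining toggles (`dependencies`, `alpine_secdb`, `go_modules`, `osv`, `oss_index`, `nvd`) would benefit from the same one-line note each, so that a future "turn it off to make the build pass" edit, like the one in PATCH 2/8, has to argue against a documented reason.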