Merge pull request #11956 from hashicorp/enable-security-scan

Enable Security Scan for CRT

.changelog/11956.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+ci: Enable security scanning for CRT
+```

.github/workflows/build.yml

@@ -3,9 +3,9 @@ name: build
 on:
   push:
     # Sequence of patterns matched against refs/heads
-    branches: [
+    branches:
-      "main"
+      # Push events on the main branch
-    ]
+      - main
 
 env:
   PKG_NAME: consul

.release/ci.hcl

@@ -42,8 +42,36 @@ event "upload-dev" {
   }
 }
 
-event "notarize-darwin-amd64" {
+event "security-scan-binaries" {
   depends = ["upload-dev"]
+  action "security-scan-binaries" {
+    organization = "hashicorp"
+    repository = "crt-workflows-common"
+    workflow = "security-scan-binaries"
+    config = "security-scan.hcl"
+  }
+
+  notification {
+    on = "fail"
+  }
+}
+
+event "security-scan-containers" {
+  depends = ["security-scan-binaries"]
+  action "security-scan-containers" {
+    organization = "hashicorp"
+    repository = "crt-workflows-common"
+    workflow = "security-scan-containers"
+    config = "security-scan.hcl"
+  }
+
+  notification {
+    on = "fail"
+  }
+}
+
+event "notarize-darwin-amd64" {
+  depends = ["security-scan-containers"]
   action "notarize-darwin-amd64" {
     organization = "hashicorp"
     repository = "crt-workflows-common"

.release/security-scan.hcl

@@ -0,0 +1,19 @@
+container {
+	dependencies = true
+	alpine_secdb = true
+	
+	secrets {
+		all = true
+	}
+}
+
+binary {
+	go_modules   = true
+	osv          = true
+	oss_index    = true
+	nvd          = true
+
+	secrets {
+		all = true
+	}
+}

Dockerfile

@@ -1,5 +1,5 @@
 # This Dockerfile creates a production release image for the project using crt release flow.
-FROM alpine:3.13 as  default
+FROM alpine:3 as  default
 
 ARG VERSION
 ARG BIN_NAME