Backport of security: fix syntax for release scan config into release/1.17.x (#20287)

backport of commit fd527e7efd Co-authored-by: Michael Zalimeni <michael.zalimeni@hashicorp.com>
10 months ago · fff06157b2
parent cd8bf36876
commit fff06157b2
1 changed files with 15 additions and 13 deletions
--- a/.release/security-scan.hcl
+++ b/.release/security-scan.hcl
@ -17,8 +17,8 @@ container {
 	alpine_secdb = true

 	secrets {
-		matchers = {
-			// Use default list, minus Vault (`hashicorp`), which has experienced false positives.
+		matchers {
+			// Use most of default list, minus Vault (`hashicorp`), which has experienced false positives.
 			// See https://github.com/hashicorp/security-scanner/blob/v0.0.2/pkg/scanner/secrets.go#L130C2-L130C2
 			known = [
 				// "hashicorp",
@ -53,6 +53,7 @@ binary {
 	# (yarn.lock) in the Consul binary. This is something we may investigate in the future.
 	
 	secrets {
+		matchers {
 			// Use most of default list, minus Vault (`hashicorp`), which has experienced false positives.
 			// See https://github.com/hashicorp/security-scanner/blob/v0.0.2/pkg/scanner/secrets.go#L130C2-L130C2
 			known = [
@ -65,4 +66,5 @@ binary {
 				"npm",
 			]
 		}
+	}
 }