diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index f55b906d..22f256b8 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -30,19 +30,19 @@ jobs:
 permissions:
 contents: write
 steps:
- - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v3
+ - uses: actions/checkout@v3
 with:
 token: ${{ secrets.PAT }}
- - uses: actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8 # v3
+ - uses: actions/setup-node@v3
 with:
 # needed for terraform-setup https://github.com/hashicorp/setup-terraform/issues/84
 node-version: '16'
 - name: Install Go
- uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v4
+ uses: actions/setup-go@v5
 with:
 go-version: 1.19
 - name: Setup Terraform
- uses: hashicorp/setup-terraform@633666f66e0061ca3b725c73b2ec20cd13a8fdd1 # v2
+ uses: hashicorp/setup-terraform@v2
 with:
 terraform_version: 0.14.5
 - name: Terraform Init
@@ -57,11 +57,11 @@ jobs:
 go build -v && go test ./src/... -covermode=count -coverprofile=coverage.out
 go tool cover -func=coverage.out -o=coverage.out
 - name: Go Coverage Badge # Pass the `coverage.out` output to this action
- uses: tj-actions/coverage-badge-go@7f447a2281e6c95d57526e53b2e800dfb3c07425 # v2
+ uses: tj-actions/coverage-badge-go@v2
 with:
 filename: coverage.out
 - name: Verify Changed files
- uses: tj-actions/verify-changed-files@7f1b21ceb7ef533b97b46e89e2f882ee5cb17ae0 # v16
+ uses: tj-actions/verify-changed-files@v16
 id: verify-changed-files
 with:
 files: README.md
@@ -86,9 +86,9 @@ jobs:
 pull-requests: write
 steps:
 - name: Check out code into the Go module directory
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v3
+ uses: actions/checkout@v3
 - name: golangci-lint
- uses: reviewdog/action-golangci-lint@94d61e3205b61acf4ddabfeb13c5f8a13eb4167b # v2
+ uses: reviewdog/action-golangci-lint@v2
 with:
 tool_name: golangci-lint
 fail_on_error: true
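Review bot: Every `uses:` line in this hunk replaces a full commit SHA plus a `# v3`-style version comment with a mutable tag such as `actions/checkout@v3`, which gives up the supply-chain guarantee the pins provided: a tag can be re-pointed at a different commit by whoever controls the upstream repository, and several of the actions here are third-party (`tj-actions/*`, `hashicorp/setup-terraform`, `reviewdog/*`) running in a job with `contents: write` and a `secrets.PAT` checkout token. The same unpinning is made in the remaining hunks of build.yaml and in codeql-analysis.yml, security-shared.yml, test.yaml and the new govulncheck.yml, so this note applies to those too rather than being repeated. Unless the commit message explains why the pins were dropped, keep the SHA with the version comment, e.g. `- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v3`; for `setup-go`, which this commit also bumps from v4 to v5, that would be the v5 release commit, `uses: actions/setup-go@<v5-commit-sha> # v5` (placeholder — take the SHA from the upstream v5 tag). Dependabot can update SHA pins as well as tags, so tracking new releases does not require the switch.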
@@ -96,15 +96,15 @@ jobs:
 integration-tests:
 runs-on: [self-hosted, public, linux, x64]
 steps:
- - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v3
+ - uses: actions/checkout@v3
 - name: Install Go
- uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v4
+ uses: actions/setup-go@v5
 with:
 go-version: 1.19
 - name: build
 run: go build
 - name: Clone Terragoat - vulnerable terraform
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v3
+ uses: actions/checkout@v3
 with:
 repository: bridgecrewio/terragoat # clone https://github.com/bridgecrewio/terragoat/
 fetch-depth: 0
@@ -130,11 +130,11 @@ jobs:
 steps:
 - name: Wait for coverage to update
 run: sleep 10s
- - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v3
+ - uses: actions/checkout@v3
 with:
 ref: main
 - name: version
- uses: anothrNick/github-tag-action@a2c70ae13a881faf2b4953baaa9e49731997ab36 # v1
+ uses: anothrNick/github-tag-action@v1
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 WITH_V: false
@@ -142,13 +142,13 @@ jobs:
 DEFAULT_BUMP: patch
 id: version
 - name: Install Go
- uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v4
+ uses: actions/setup-go@v5
 with:
 go-version: 1.19
 - name: Git Fetch Repo
 run: |
 git fetch
- - uses: goreleaser/goreleaser-action@f82d6c1c344bcacabba2c841718984797f664a6b # v4
+ - uses: goreleaser/goreleaser-action@v4
 name: goreleaser
 with:
 version: latest
@@ -162,9 +162,9 @@ jobs:
 needs:
 - create-release
 steps:
- - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v3
+ - uses: actions/checkout@v3
 - name: Publish to Registry
- uses: elgohr/Publish-Docker-Github-Action@d0321869e187cfd3124343ea2b39b1db31f89685 # v5
+ uses: elgohr/Publish-Docker-Github-Action@v5
 with:
 name: bridgecrew/yor
 username: ${{ secrets.DOCKER_USERNAME }}
@@ -172,7 +172,7 @@ jobs:
 buildoptions: "--no-cache"
 tags: "latest,${{ needs.create-release.outputs.version }}"
 - name: Update Docker Hub README
- uses: peter-evans/dockerhub-description@dc67fad7001ef9e8e3c124cb7a64e16d0a63d864 # v3
+ uses: peter-evans/dockerhub-description@v3
 with:
 username: ${{ secrets.DOCKERHUB_USERNAME }}
 password: ${{ secrets.DOCKERHUB_PASSWORD }}
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 783c390a..98a03225 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -34,17 +34,17 @@ jobs:
 security-events: write
 steps:
 - name: Checkout repository
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v3
+ uses: actions/checkout@v3
 - name: Set up Go
- uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v4
+ uses: actions/setup-go@v5
 with:
 go-version: '1.19' # To match codeql go version
 - name: Initialize CodeQL
- uses: github/codeql-action/init@b56ba49b26e50535fa1e7f7db0f4f7b4bf65d80d # v2
+ uses: github/codeql-action/init@v2
 with:
 languages: go
 config-file: ./.github/codeql-config.yml
 - name: Build
 run: go build
 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@b56ba49b26e50535fa1e7f7db0f4f7b4bf65d80d # v2
+ uses: github/codeql-action/analyze@v2
diff --git a/.github/workflows/govulncheck.yml b/.github/workflows/govulncheck.yml
new file mode 100644
index 00000000..3d0f382b
--- /dev/null
+++ b/.github/workflows/govulncheck.yml
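Review bot: In the codeql-analysis.yml hunk, `github/codeql-action/init@v2` and `github/codeql-action/analyze@v2` are moved to a floating tag but kept on the v2 major, while `actions/setup-go` in the same hunk is bumped from v4 to v5; as far as I know the v2 line of codeql-action has been superseded by v3, so if the intent of this commit is to track current majors these two should move together (and ideally stay SHA-pinned, `uses: github/codeql-action/init@<v3-commit-sha> # v3` as a placeholder). The inline `# To match codeql go version` comment on `go-version: '1.19'` is now the only version note left in the hunk since the `# v2` pin comments were dropped; if the tags are kept, a short comment stating why the pins were removed would help the next reader.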
@@ -0,0 +1,63 @@
+name: govulncheck
+
+# Runs Go's official vulnerability scanner against the codebase + stdlib.
+# Findings are uploaded as a SARIF artifact and surfaced under the GitHub
+# "Security" tab. The job is intentionally non-blocking (`continue-on-error`)
+# so that the pre-existing, intentionally-deferred dependency CVEs documented
+# in SECURITY.md do not break CI. Stdlib regressions become visible the moment
+# they are reported by the scanner.
+
+on:
+ pull_request:
+ branches:
+ - main
+ push:
+ branches:
+ - main
+ schedule:
+ # Re-scan weekly so newly-published CVEs against pinned versions are surfaced.
+ - cron: '0 6 * * 1'
+
+permissions:
+ contents: read
+
+jobs:
+ govulncheck:
+ name: govulncheck
+ runs-on: ubuntu-latest
+ continue-on-error: true
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+
+ - name: Install Go
+ uses: actions/setup-go@v5
+ with:
+ # Must contain the patches we are validating against; keep in sync
+ # with .go-version and the rest of the CI matrix.
+ go-version-file: '.go-version'
+
+ - name: Install govulncheck
+ run: go install golang.org/x/vuln/cmd/govulncheck@latest
+
+ - name: Run govulncheck (text report)
+ run: govulncheck ./... || true
+
+ - name: Run govulncheck (SARIF report)
+ run: |
+ govulncheck -format sarif ./... > govulncheck.sarif || true
+
+ - name: Upload SARIF to GitHub code-scanning
+ uses: github/codeql-action/upload-sarif@v2
+ if: always()
+ with:
+ sarif_file: govulncheck.sarif
+ category: govulncheck
+
+ - name: Upload raw report as artifact
+ uses: actions/upload-artifact@v3
+ if: always()
+ with:
+ name: govulncheck-report
+ path: govulncheck.sarif
+ retention-days: 30
diff --git a/.github/workflows/security-shared.yml b/.github/workflows/security-shared.yml
index 503d8594..93c7845a 100644
--- a/.github/workflows/security-shared.yml
+++ b/.github/workflows/security-shared.yml
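Review bot: The new workflow's top-level `permissions:` grants only `contents: read`, which sets every other scope to none, but the `Upload SARIF to GitHub code-scanning` step (`github/codeql-action/upload-sarif@v2`) needs `security-events: write` to call the code-scanning API; as written the upload would be rejected and the header comment's claim that findings are "surfaced under the GitHub Security tab" would not hold. Add `security-events: write` under `permissions:` next to `contents: read` (private repositories may also need `actions: read` for this action). Separately, `go install golang.org/x/vuln/cmd/govulncheck@latest` fetches an unpinned tool version on every run, and the `|| true` on both `govulncheck` steps discards the scanner's own exit status even though `continue-on-error: true` and `if: always()` already keep the job non-blocking and the uploads running; dropping `|| true` would let a scanner crash (empty or partial `govulncheck.sarif`) be distinguished from a clean run with findings. The `setup-go@v5` step reads `go-version-file: '.go-version'`, which must exist in the repository and cannot be confirmed from this diff.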
@@ -16,27 +16,27 @@ jobs:
 env:
 GO111MODULE: on
 steps:
- - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v3
+ - uses: actions/checkout@v3
 with:
 ref: ${{ github.event.pull_request.head.sha }}
 - name: Run Gosec Security Scanner
- uses: securego/gosec@55d79496019a560e16e73e1948dee20a1fad631a # v2
+ uses: securego/gosec@v2
 with:
 args: './...'
 trufflehog-secrets:
 runs-on: [self-hosted, public, linux, x64]
 steps:
- - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v3
+ - uses: actions/checkout@v3
 with:
 ref: ${{ github.event.pull_request.head.sha }}
 - name: detect secrets
- uses: edplato/trufflehog-actions-scan@0af17d9dd1410283f740eb76b0b8f6b696cadefc # v0.9
+ uses: edplato/trufflehog-actions-scan@v0
 with:
 scanArguments: "--regex --entropy=False --exclude_paths .github/exclude-patterns.txt --max_depth=1"
 checkov-secrets:
 runs-on: [self-hosted, public, linux, x64]
 steps:
- - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v3
+ - uses: actions/checkout@v3
 with:
 ref: ${{ github.event.pull_request.head.sha }}
 - name: Scan for secrets
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
index 7060fb1c..906c9d0e 100644
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -15,9 +15,9 @@ jobs:
 go: [ 1.19 ]
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v3
+ - uses: actions/checkout@v3
 - name: Install Go
- uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v4
+ uses: actions/setup-go@v5
 with:
 go-version: ${{ matrix.go }}
 - name: Prepare external plugin tests
@@ -36,9 +36,9 @@ jobs:
 steps:
 - name: print hostname
 run: hostname
- - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v3
+ - uses: actions/checkout@v3
 - name: golangci-lint
- uses: reviewdog/action-golangci-lint@94d61e3205b61acf4ddabfeb13c5f8a13eb4167b # v2
+ uses: reviewdog/action-golangci-lint@v2
 with:
 tool_name: golangci-lint
 fail_on_error: true
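Review bot: In the security-shared.yml hunk, `edplato/trufflehog-actions-scan@v0` replaces a commit pinned with the comment `# v0.9`; not every third-party action publishes a floating major tag, so it is not certain from the diff that a `v0` ref exists upstream, and if it does not the `detect secrets` step fails at action resolution on every PR. Please confirm the tag resolves before merging, or keep the previous pin, `uses: edplato/trufflehog-actions-scan@0af17d9dd1410283f740eb76b0b8f6b696cadefc # v0.9`. This is also a security-scanning job, where a silently moved tag would be the least desirable place to lose the SHA pin; the same applies to `securego/gosec@v2` two steps above.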
@@ -50,15 +50,15 @@ jobs:
 go: [ 1.19 ]
 runs-on: [self-hosted, public, linux, x64]
 steps:
- - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v3
+ - uses: actions/checkout@v3
 - name: Install Go
- uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v4
+ uses: actions/setup-go@v5
 with:
 go-version: ${{ matrix.go }}
 - name: build
 run: go build
 - name: Clone Terragoat - vulnerable terraform
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v3
+ uses: actions/checkout@v3
 with:
 repository: bridgecrewio/terragoat # clone https://github.com/bridgecrewio/terragoat/
 fetch-depth: 0