Release candidate (#135)

* [StepSecurity] Apply security best practices (#133) Signed-off-by: StepSecurity Bot <bot@stepsecurity.io> --------- Signed-off-by: StepSecurity Bot <bot@stepsecurity.io> Co-authored-by: StepSecurity Bot <bot@stepsecurity.io>
fatihtokus · Dec 13, 2024 · f57f611 · f57f611
1 parent 26eb8c0
commit f57f611
Show file tree

Hide file tree

Showing 11 changed files with 141 additions and 34 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -25,3 +25,8 @@ updates:
     directory: /test/docker
     schedule:
       interval: daily
+
+  - package-ecosystem: gomod
+    directory: /
+    schedule:
+      interval: daily
diff --git a/.github/workflows/check-release-candidate-version.yml b/.github/workflows/check-release-candidate-version.yml
@@ -0,0 +1,28 @@
+name: Check version
+
+on:
+  workflow_call:
+    outputs:
+      next-version:
+        description: Next version
+        value: ${{ jobs.check-version.outputs.next_version }}
+
+permissions:
+  contents: read
+
+jobs:
+  check-version:
+    name: 'Check release candidate version'
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    outputs:
+      next_version: ${{ steps.next-version.outputs.next_version }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 2
+      - name: Get new version
+        id: next-version
+        run: echo "next_version=$(git diff HEAD^ HEAD --diff-filter=ACMRT -- release-candidate/plugin.yaml -- -U0 | awk '/^\+\s*version:/ {print $2}' | grep -Po '\d+\.\d+\.\d+(-[a-zA-Z0-9.]+)?')" >> $GITHUB_OUTPUT
diff --git a/.github/workflows/check-version.yml b/.github/workflows/check-version.yml
@@ -7,6 +7,9 @@ on:
         description: Next version
         value: ${{ jobs.check-version.outputs.next_version }}
 
+permissions:
+  contents: read
+
 jobs:
   check-version:
     name: 'Check version'
@@ -16,8 +19,13 @@ jobs:
     outputs:
       next_version: ${{ steps.next-version.outputs.next_version }}
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+        with:
+          egress-policy: audit
+
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
         with:
           fetch-depth: 2
       - name: Get new version

diff --git a/.github/workflows/check_frontend.yml b/.github/workflows/check_frontend.yml
@@ -9,6 +9,11 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+        with:
+          egress-policy: audit
+
       - name: Checkout repo
         uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 

diff --git a/.github/workflows/release-candidate.yml b/.github/workflows/release-candidate.yml
@@ -3,7 +3,7 @@ name: Release-Candidate
 on:
   push:
     branches:
-      - main
+      - release-candidate
     paths:
       - "release-candidate/plugin.yaml"
 
@@ -13,7 +13,7 @@ permissions:
 
 jobs:
   check-version:
-    uses: fatihtokus/scan2html/.github/workflows/check-version.yml@main
+    uses: fatihtokus/scan2html/.github/workflows/check-release-candidate-version.yml@release-candidate
   build-front-end:
     name: "Build front-end application"
     runs-on: ubuntu-latest
@@ -62,7 +62,7 @@ jobs:
           cat "$reportTemplate"
 
       - name: Upload report_template.html
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@ff15f0306b3f739f7b6fd43fb5d26cd321bd4de5 # v3.2.1
         with:
           name: report-template
           path: ${{ env.reportTemplate }}

diff --git a/.github/workflows/release-go.yml b/.github/workflows/release-go.yml
@@ -8,19 +8,29 @@ on:
         description: Next version
         type: string
 
+permissions:
+  contents: read
+
 jobs:
   release-go:
+    permissions:
+      contents: write  # for goreleaser/goreleaser-action to create a GitHub release
     name: Release go
     runs-on: ubuntu-latest
     if: ${{ inputs.next-version != '' }}
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+        with:
+          egress-policy: audit
+
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
         with:
           fetch-depth: 0
 
       - name: Download report_template.html
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
         with:
           name: report-template
 
@@ -30,7 +40,7 @@ jobs:
           cat report_template.html
 
       - name: Set up Go
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
         with:
           go-version-file: go.mod
 
@@ -47,7 +57,7 @@ jobs:
           echo "$GPG_KEY" > gpg.key
 
       - name: GoReleaser
-        uses: goreleaser/goreleaser-action@v6
+        uses: goreleaser/goreleaser-action@9ed2f89a662bf1735a48bc8557fd212fa902bebf # v6.1.0
         with:
           version: latest
           # this doesn't work

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -65,7 +65,7 @@ jobs:
           cat "$reportTemplate"
 
       - name: Upload report_template.html
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@ff15f0306b3f739f7b6fd43fb5d26cd321bd4de5 # v3.2.1
         with:
           name: report-template
           path: ${{ env.reportTemplate }}

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -0,0 +1,22 @@
+repos:
+- repo: https://github.com/gitleaks/gitleaks
+  rev: v8.16.3
+  hooks:
+  - id: gitleaks
+- repo: https://github.com/golangci/golangci-lint
+  rev: v1.52.2
+  hooks:
+  - id: golangci-lint
+- repo: https://github.com/jumanjihouse/pre-commit-hooks
+  rev: 3.0.0
+  hooks:
+  - id: shellcheck
+- repo: https://github.com/pre-commit/mirrors-eslint
+  rev: v8.38.0
+  hooks:
+  - id: eslint
+- repo: https://github.com/pre-commit/pre-commit-hooks
+  rev: v4.4.0
+  hooks:
+  - id: end-of-file-fixer
+  - id: trailing-whitespace
diff --git a/internal/report/generator.go b/internal/report/generator.go
@@ -119,7 +119,36 @@ func replaceTextByText(inputFile, searchText, replaceContent string) error {
 		return fmt.Errorf("error writing to temp file: %v", err)
 	}
 
-	return os.Rename(tempFile.Name(), inputFile)
+
+	return copyAndRemove(tempFile.Name(), inputFile)
+}
+
+func copyAndRemove(src, dst string) error {
+    // Open the source file
+    sourceFile, err := os.Open(src)
+    if err != nil {
+        return err
+    }
+    defer sourceFile.Close()
+
+    // Create the destination file
+    destFile, err := os.Create(dst)
+    if err != nil {
+        return err
+    }
+    defer destFile.Close()
+
+    // Copy the contents
+    if _, err := io.Copy(destFile, sourceFile); err != nil {
+        return err
+    }
+
+    // Close files before removal
+    sourceFile.Close()
+    destFile.Close()
+
+    // Remove the source file
+    return os.Remove(src)
 }
 
 // replaceTextByFile replaces occurrences of search_text in the input file with content from replace_file.

diff --git a/plugin.yaml b/plugin.yaml
@@ -1,5 +1,5 @@
 name: "scan2html"
-version: "0.3.10"
+version: "0.3.11"
 maintainer: fatihtokus
 repository: github.com/fatihtokus/scan2html
 summary: A Trivy plugin that scans and outputs the results to a single page app.
@@ -11,58 +11,58 @@ platforms:
   - selector:
       os: linux
       arch: amd64
-    uri: https://github.com/fatihtokus/scan2html/releases/download/v0.3.10/scan2html_0.3.10_linux-amd64.tar.gz
+    uri: https://github.com/fatihtokus/scan2html/releases/download/v0.3.11/scan2html_0.3.11_linux-amd64.tar.gz
     bin: ./scan2html
   - selector:
       os: linux
       arch: arm
-    uri: https://github.com/fatihtokus/scan2html/releases/download/v0.3.10/scan2html_0.3.10_linux-arm.tar.gz
+    uri: https://github.com/fatihtokus/scan2html/releases/download/v0.3.11/scan2html_0.3.11_linux-arm.tar.gz
     bin: ./scan2html
   - selector:
       os: linux
       arch: arm64
-    uri: https://github.com/fatihtokus/scan2html/releases/download/v0.3.10/scan2html_0.3.10_linux-arm64.tar.gz
+    uri: https://github.com/fatihtokus/scan2html/releases/download/v0.3.11/scan2html_0.3.11_linux-arm64.tar.gz
     bin: ./scan2html
   - selector:
       os: linux
       arch: s390x
-    uri: https://github.com/fatihtokus/scan2html/releases/download/v0.3.10/scan2html_0.3.10_linux-s390x.tar.gz
+    uri: https://github.com/fatihtokus/scan2html/releases/download/v0.3.11/scan2html_0.3.11_linux-s390x.tar.gz
     bin: ./scan2html
   - selector:
       os: linux
       arch: ppc64le
-    uri: https://github.com/fatihtokus/scan2html/releases/download/v0.3.10/scan2html_0.3.10_linux-ppc64le.tar.gz
+    uri: https://github.com/fatihtokus/scan2html/releases/download/v0.3.11/scan2html_0.3.11_linux-ppc64le.tar.gz
     bin: ./scan2html
   - selector:
       os: linux
       arch: 386
-    uri: https://github.com/fatihtokus/scan2html/releases/download/v0.3.10/scan2html_0.3.10_linux-386.tar.gz
+    uri: https://github.com/fatihtokus/scan2html/releases/download/v0.3.11/scan2html_0.3.11_linux-386.tar.gz
     bin: ./scan2html
 
   - selector:
       os: darwin
       arch: amd64
-    uri: https://github.com/fatihtokus/scan2html/releases/download/v0.3.10/scan2html_0.3.10_darwin-amd64.tar.gz
+    uri: https://github.com/fatihtokus/scan2html/releases/download/v0.3.11/scan2html_0.3.11_darwin-amd64.tar.gz
     bin: ./scan2html
   - selector:
       os: darwin
       arch: arm64
-    uri: https://github.com/fatihtokus/scan2html/releases/download/v0.3.10/scan2html_0.3.10_darwin-arm64.tar.gz
+    uri: https://github.com/fatihtokus/scan2html/releases/download/v0.3.11/scan2html_0.3.11_darwin-arm64.tar.gz
     bin: ./scan2html
 
   - selector:
       os: freebsd
       arch: 386
-    uri: https://github.com/fatihtokus/scan2html/releases/download/v0.3.10/scan2html_0.3.10_freebsd-386.tar.gz
+    uri: https://github.com/fatihtokus/scan2html/releases/download/v0.3.11/scan2html_0.3.11_freebsd-386.tar.gz
     bin: ./scan2html
   - selector:
       os: freebsd
       arch: amd64
-    uri: https://github.com/fatihtokus/scan2html/releases/download/v0.3.10/scan2html_0.3.10_freebsd-amd64.tar.gz
+    uri: https://github.com/fatihtokus/scan2html/releases/download/v0.3.11/scan2html_0.3.11_freebsd-amd64.tar.gz
     bin: ./scan2html
 
   - selector:
       os: windows
       arch: amd64
-    uri: https://github.com/fatihtokus/scan2html/releases/download/v0.3.10/scan2html_0.3.10_windows-amd64.zip
+    uri: https://github.com/fatihtokus/scan2html/releases/download/v0.3.11/scan2html_0.3.11_windows-amd64.zip
     bin: ./scan2html
diff --git a/release-candidate/plugin.yaml b/release-candidate/plugin.yaml
@@ -1,5 +1,5 @@
 name: "scan2html"
-version: "0.3.9-rc.40"
+version: "0.3.9-rc.43"
 maintainer: fatihtokus
 repository: github.com/fatihtokus/scan2html
 summary: A Trivy plugin that scans and outputs the results to a single page app.
@@ -12,58 +12,58 @@ platforms:
   - selector:
       os: linux
       arch: amd64
-    uri: https://github.com/fatihtokus/scan2html/releases/download/v0.3.9-rc.40/scan2html_0.3.9-rc.40_linux-amd64.tar.gz
+    uri: https://github.com/fatihtokus/scan2html/releases/download/v0.3.9-rc.43/scan2html_0.3.9-rc.43_linux-amd64.tar.gz
     bin: ./scan2html
   - selector:
       os: linux
       arch: arm
-    uri: https://github.com/fatihtokus/scan2html/releases/download/v0.3.9-rc.40/scan2html_0.3.9-rc.40_linux-arm.tar.gz
+    uri: https://github.com/fatihtokus/scan2html/releases/download/v0.3.9-rc.43/scan2html_0.3.9-rc.43_linux-arm.tar.gz
     bin: ./scan2html
   - selector:
       os: linux
       arch: arm64
-    uri: https://github.com/fatihtokus/scan2html/releases/download/v0.3.9-rc.40/scan2html_0.3.9-rc.40_linux-arm64.tar.gz
+    uri: https://github.com/fatihtokus/scan2html/releases/download/v0.3.9-rc.43/scan2html_0.3.9-rc.43_linux-arm64.tar.gz
     bin: ./scan2html
   - selector:
       os: linux
       arch: s390x
-    uri: https://github.com/fatihtokus/scan2html/releases/download/v0.3.9-rc.40/scan2html_0.3.9-rc.40_linux-s390x.tar.gz
+    uri: https://github.com/fatihtokus/scan2html/releases/download/v0.3.9-rc.43/scan2html_0.3.9-rc.43_linux-s390x.tar.gz
     bin: ./scan2html
   - selector:
       os: linux
       arch: ppc64le
-    uri: https://github.com/fatihtokus/scan2html/releases/download/v0.3.9-rc.40/scan2html_0.3.9-rc.40_linux-ppc64le.tar.gz
+    uri: https://github.com/fatihtokus/scan2html/releases/download/v0.3.9-rc.43/scan2html_0.3.9-rc.43_linux-ppc64le.tar.gz
     bin: ./scan2html
   - selector:
       os: linux
       arch: 386
-    uri: https://github.com/fatihtokus/scan2html/releases/download/v0.3.9-rc.40/scan2html_0.3.9-rc.40_linux-386.tar.gz
+    uri: https://github.com/fatihtokus/scan2html/releases/download/v0.3.9-rc.43/scan2html_0.3.9-rc.43_linux-386.tar.gz
     bin: ./scan2html
 
   - selector:
       os: darwin
       arch: amd64
-    uri: https://github.com/fatihtokus/scan2html/releases/download/v0.3.9-rc.40/scan2html_0.3.9-rc.40_darwin-amd64.tar.gz
+    uri: https://github.com/fatihtokus/scan2html/releases/download/v0.3.9-rc.43/scan2html_0.3.9-rc.43_darwin-amd64.tar.gz
     bin: ./scan2html
   - selector:
       os: darwin
       arch: arm64
-    uri: https://github.com/fatihtokus/scan2html/releases/download/v0.3.9-rc.40/scan2html_0.3.9-rc.40_darwin-arm64.tar.gz
+    uri: https://github.com/fatihtokus/scan2html/releases/download/v0.3.9-rc.43/scan2html_0.3.9-rc.43_darwin-arm64.tar.gz
     bin: ./scan2html
 
   - selector:
       os: freebsd
       arch: 386
-    uri: https://github.com/fatihtokus/scan2html/releases/download/v0.3.9-rc.40/scan2html_0.3.9-rc.40_freebsd-386.tar.gz
+    uri: https://github.com/fatihtokus/scan2html/releases/download/v0.3.9-rc.43/scan2html_0.3.9-rc.43_freebsd-386.tar.gz
     bin: ./scan2html
   - selector:
       os: freebsd
       arch: amd64
-    uri: https://github.com/fatihtokus/scan2html/releases/download/v0.3.9-rc.40/scan2html_0.3.9-rc.40_freebsd-amd64.tar.gz
+    uri: https://github.com/fatihtokus/scan2html/releases/download/v0.3.9-rc.43/scan2html_0.3.9-rc.43_freebsd-amd64.tar.gz
     bin: ./scan2html
 
   - selector:
       os: windows
       arch: amd64
-    uri: https://github.com/fatihtokus/scan2html/releases/download/v0.3.9-rc.40/scan2html_0.3.9-rc.40_windows-amd64.zip
+    uri: https://github.com/fatihtokus/scan2html/releases/download/v0.3.9-rc.43/scan2html_0.3.9-rc.43_windows-amd64.zip
     bin: ./scan2html