Skip to content

test(e2e): add GCP dynamic host catalog e2e tests #3892

test(e2e): add GCP dynamic host catalog e2e tests

test(e2e): add GCP dynamic host catalog e2e tests #3892

Workflow file for this run

name: Security Scan
on:
push:
branches: [main]
pull_request:
branches:
- 'main'
paths-ignore:
- 'website/**'
jobs:
scan:
runs-on: ${{ fromJSON(vars.RUNNER_LARGE) }}
if: |
! github.event.pull_request.head.repo.fork &&
github.actor != 'dependabot[bot]' &&
github.actor != 'hc-github-team-secure-boundary'
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Determine Go version
id: get-go-version
# We use .go-version as our source of truth for current Go
# version, because "goenv" can react to it automatically.
run: |
echo "Building with Go $(cat .go-version)"
echo "go-version=$(cat .go-version)" >> "$GITHUB_OUTPUT"
- name: Set up Go
uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
with:
go-version: "${{ steps.get-go-version.outputs.go-version }}"
cache: false
- name: Set up Python
uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
with:
python-version: 3.x
- name: Clone Security Scanner repo
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
repository: hashicorp/security-scanner
token: ${{ secrets.PRODSEC_SCANNER_READ_ONLY }}
path: security-scanner
ref: main
- name: Install dependencies
shell: bash
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
mkdir "$HOME/.bin"
cd "$GITHUB_WORKSPACE/security-scanner/pkg/sdk/examples/scan-plugin-semgrep"
go build -o scan-plugin-semgrep .
mv scan-plugin-semgrep "$HOME/.bin"
cd "$GITHUB_WORKSPACE/security-scanner/pkg/sdk/examples/scan-plugin-codeql"
go build -o scan-plugin-codeql .
mv scan-plugin-codeql "$HOME/.bin"
# Semgrep
python3 -m pip install semgrep==1.45.0
# CodeQL
LATEST=$(gh release list --repo https://github.com/github/codeql-action | cut -f 3 | grep codeql-bundle- | sort --version-sort | tail -n1)
gh release download --repo https://github.com/github/codeql-action --pattern codeql-bundle-linux64.tar.gz "$LATEST"
tar xf codeql-bundle-linux64.tar.gz -C "$HOME/.bin"
# Add to PATH
echo "$HOME/.bin" >> "$GITHUB_PATH"
echo "$HOME/.bin/codeql" >> "$GITHUB_PATH"
- name: Scan
id: scan
uses: ./security-scanner
with:
repository: "$PWD"
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@5618c9fc1e675841ca52c1c6b1304f5255a905a0 # codeql-bundle-v2.19.0
with:
sarif_file: results.sarif