[NET-2420] security: re-enable security scan release block (#3628)

* security: upgrade helm/v3 to 3.13.3

Addresses multiple CVEs:
- CVE-2023-25165
- CVE-2022-23524
- CVE-2022-23526
- CVE-2022-23525

* chore: upgrade k8s dependencies to match controller-runtime

* security: upgrade containerd to latest

Addresses GHSA-7ww5-4wqc-m92c (GO-2023-2412)

* security: upgrade docker/docker to latest

Addresses GHSA-jq35-85cj-fj4p

* security: upgrade docker/distribution to latest

Addresses CVE-2023-2253

* security: upgrade filepath-securejoin to latest patch

Addresses GHSA-6xv5-86q9-7xr8 (GO-2023-2048)

* chore: upgrade oras-go to fix docker incompatibility

* Add changelog

* security: re-enable security scan release block

This was previously disabled due to an unresolved false-positive CVE.
Re-enabling both secrets and OSV + Go Modules scanning, which per our
current scan results should not be a blocker to future releases.

Also add security scans on PR and merge to protected branches to allow
proactive triage going forward.

See hashicorp/consul#19978 for similar change in that repo, adapted
here.

.github/workflows/build.yml

@@ -18,19 +18,7 @@ env:
 
 jobs:
   get-go-version:
-    name: "Determine Go toolchain version"
-    runs-on: ubuntu-latest
-    outputs:
-      go-version: ${{ steps.get-go-version.outputs.go-version }}
-    steps:
-      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
-      - name: Determine Go version
-        id: get-go-version
-        # We use .go-version as our source of truth for current Go
-        # version, because "goenv" can react to it automatically.
-        run: |
-          echo "Building with Go $(cat .go-version)"
-          echo "go-version=$(cat .go-version)" >> $GITHUB_OUTPUT
+    uses: ./.github/workflows/reusable-get-go-version.yml
 
   get-product-version:
     runs-on: ubuntu-latest

.github/workflows/lint.yaml

@@ -5,20 +5,7 @@ on:
 
 jobs:
     get-go-version:
-      runs-on: ubuntu-latest
-      outputs:
-        go-version: ${{ steps.get-go-version.outputs.go-version }}
-      steps:
-        - name: Checkout code
-          uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
-
-        - name: Determine Go version
-          id: get-go-version
-          # We use .go-version as our source of truth for current Go
-          # version, because "goenv" can react to it automatically.
-          run: |
-            echo "Building with Go $(cat .go-version)"
-            echo "go-version=$(cat .go-version)" >> "${GITHUB_OUTPUT}"
+      uses: ./.github/workflows/reusable-get-go-version.yml
 
     linting:
       name: golangci-lint

.github/workflows/reusable-get-go-version.yml

@@ -0,0 +1,30 @@
+name: get-go-version
+
+on:
+  workflow_call:
+    outputs:
+      go-version:
+        description: "The Go version detected by this workflow"
+        value: ${{ jobs.get-go-version.outputs.go-version }}
+
+jobs:
+  get-go-version:
+    name: "Determine Go toolchain version"
+    runs-on: ubuntu-latest
+    outputs:
+      go-version: ${{ steps.get-go-version.outputs.go-version }}
+    steps:
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+      - name: Determine Go version
+        id: get-go-version
+        # We use .go-version as our source of truth for current Go
+        # version, because "goenv" can react to it automatically.
+        #
+        # In the future, we can transition from .go-version and goenv to
+        # Go 1.21 `toolchain` directives by updating this workflow rather
+        # than individually setting `go-version-file` in each `setup-go`
+        # job (as of 2024-01-03, `setup-go` does not support `toolchain`).
+        run: |
+          GO_VERSION=$(head -n 1 .go-version)
+          echo "Building with Go ${GO_VERSION}"
+          echo "go-version=${GO_VERSION}" >> $GITHUB_OUTPUT

.github/workflows/security-scan.yml

@@ -0,0 +1,63 @@
+name: Security Scan
+
+on:
+  push:
+    branches:
+      - main
+      - release/**
+  pull_request:
+    branches:
+      - main
+      - release/**
+
+# cancel existing runs of the same workflow on the same ref
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  get-go-version:
+    uses: ./.github/workflows/reusable-get-go-version.yml
+
+  scan:
+    needs:
+      - get-go-version
+    runs-on: ubuntu-latest
+    # The first check ensures this doesn't run on community-contributed PRs, who
+    # won't have the permissions to run this job.
+    if: ${{ (github.repository != 'hashicorp/consul-k8s' || (github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name))
+      && (github.actor != 'dependabot[bot]') && (github.actor != 'hc-github-team-consul-core') }}
+
+    steps:
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+
+      - name: Set up Go
+        uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
+        with:
+          go-version: ${{ needs.get-go-version.outputs.go-version }}
+
+      - name: Clone Security Scanner repo
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+        with:
+          repository: hashicorp/security-scanner
+          #TODO: replace w/ HASHIBOT_PRODSEC_GITHUB_TOKEN once provisioned
+          token: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
+          path: security-scanner
+          ref: main
+
+      - name: Scan
+        id: scan
+        uses: ./security-scanner
+        with:
+          repository: "$PWD"
+          # See scan.hcl at repository root for config.
+
+      - name: SARIF Output
+        shell: bash
+        run: |
+          cat results.sarif | jq
+
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@46a6823b81f2d7c67ddf123851eea88365bc8a67 # codeql-bundle-v2.13.5
+        with:
+          sarif_file: results.sarif

.release/security-scan.hcl

@@ -1,16 +1,31 @@
 # Copyright (c) HashiCorp, Inc.
 # SPDX-License-Identifier: MPL-2.0
 
+# These scan results are run as part of CRT workflows.
+
+# Un-triaged results will block release. See `security-scanner` docs for more
+# information on how to add `triage` config to unblock releases for specific results.
+# In most cases, we should not need to disable the entire scanner to unblock a release.
+
+# To run manually, install scanner and then from the repository root run
+# `SECURITY_SCANNER_CONFIG_FILE=.release/security-scan.hcl scan ...`
+# To scan a local container, add `local_daemon = true` to the `container` block below.
+# See `security-scanner` docs or run with `--help` for scan target syntax.
+
 container {
 	dependencies = true
 	alpine_secdb = true
-	secrets      = true
+
+	secrets {
+		all = true
+	}
 }
 
 binary {
-	secrets      = true
-	go_modules   = false
+	go_modules   = true
 	osv          = true
-	oss_index    = false
-	nvd          = false
+
+	secrets {
+		all = true
+	}
 }

scan.hcl

@@ -0,0 +1,36 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+# Configuration for security scanner.
+# Run on PRs and pushes to `main` and `release/**` branches.
+# See .github/workflows/security-scan.yml for CI config.
+
+# To run manually, install scanner and then run `scan repository .`
+
+# Scan results are triaged via the GitHub Security tab for this repo.
+# See `security-scanner` docs for more information on how to add `triage` config
+# for specific results or to exclude paths.
+
+# .release/security-scan.hcl controls scanner config for release artifacts, which
+# unlike the scans configured here, will block releases in CRT.
+
+repository {
+  go_modules   = true
+  npm          = true
+  osv          = true
+
+  secrets {
+    all = true
+  }
+
+  triage {
+    suppress {
+      paths = [
+        # Ignore test and local tool modules, which are not included in published
+        # artifacts.
+        "acceptance/*",
+        "hack/*",
+      ]
+    }
+  }
+}