
Backport of [NET-6969] security: Re-enable Go Module + secrets security scans for release branches into release/1.17.x #20021

Conversation

hc-github-team-consul-core (Collaborator)

Backport

This PR is auto-generated from #19978 to be assessed for backporting due to the inclusion of the label backport/1.17.

The below text is copied from the body of the original PR.


Description

  • Re-enable binary Go Modules + secrets security scans to block releases automatically in CRT on failure
  • Introduce PR and merge scans of the repository on main and release/** branches
    • The goal here is to increase visibility of un-triaged scan results before they block a release; doing so requires scanning more than our nightly run on main.
    • Note that this will result in a one-time increase of new items to triage for the scanned release branches, where scanning was not already done manually. Once we triage the initial set, we just need to maintain it going forward.

Reviewer Notes

  • Security folks: I'd love your input on anything here that seems missing or non-standard. My goal isn't to flip every bit on, so much as to keep up with our expected baseline that was previously disabled, and ensure we're catching things early pre-release. If there are better ways to do that, or specific flags that should be added beyond what's being re-enabled, all ears.
  • Consul eng: any concerns or Q&A about this change are welcome. Beyond that, this PR should be pretty straightforward to review.

Testing & Reproduction steps

❯ go version $(which consul)
/Users/michael.zalimeni/go/bin/consul: go1.20.12

❯ SECURITY_SCANNER_CONFIG_FILE=.release/security-scan.hcl scan container hashicorp/consul-enterprise:local
✓ Scanned docker:{owner:"hashicorp" name:"consul-enterprise"} tag:"local" localDaemon:true in 1m4.3s - no results found

❯ consul version | grep Consul
Consul v1.18.0-dev+ent
❯ SECURITY_SCANNER_CONFIG_FILE=.release/security-scan.hcl scan binary $(which consul)
✓ Scanned file:{path:"/Users/michael.zalimeni/go/bin/consul"} in 10.5s - no results found

❯ consul version | grep Consul
Consul v1.17.2-dev+ent
❯ SECURITY_SCANNER_CONFIG_FILE=.release/security-scan.hcl scan binary $(which consul)
✓ Scanned file:{path:"/Users/michael.zalimeni/go/bin/consul"} in 10.3s - no results found

❯ consul version | grep Consul
Consul v1.16.5-dev+ent
❯ SECURITY_SCANNER_CONFIG_FILE=.release/security-scan.hcl scan binary $(which consul)
✓ Scanned file:{path:"/Users/michael.zalimeni/go/bin/consul"} in 13.1s - no results found

❯ consul version | grep Consul
Consul v1.15.9-dev+ent
❯ SECURITY_SCANNER_CONFIG_FILE=.release/security-scan.hcl scan binary $(which consul)
✓ Scanned file:{path:"/Users/michael.zalimeni/go/bin/consul"} in 11.6s - no results found

PR Checklist

  • updated test coverage
  • external facing docs updated
  • appropriate backport labels added
  • not a security concern 🔒
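To make the second bullet of the description concrete (scans triggered on pull requests into, and merges to, main and release/** branches), here is an added GitHub Actions fragment. It is not the workflow file from this PR or from the Consul repository. It reuses the `scan binary` invocation and the `SECURITY_SCANNER_CONFIG_FILE=.release/security-scan.hcl` setting from the testing session above; it assumes the `scan` CLI is already installed on the runner (how that is done is not shown on this page), and the `go build` step is a placeholder for however the binary is actually produced.

```yaml
# Added illustration, not the PR's own workflow.
# Runs the binary scan on PRs targeting main / release/** and again on
# the merge commit pushed to those branches, so findings are triaged
# before the CRT release pipeline would block on them.
name: security-scan

on:
  pull_request:
    branches:
      - main
      - 'release/**'
  push:
    branches:
      - main
      - 'release/**'

jobs:
  scan-binary:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod

      # Placeholder build step; the real pipeline's build is not shown here.
      - name: Build binary
        run: go build -o ./consul .

      # Assumption: the `scan` CLI used in the testing session is on PATH.
      # A non-zero exit from the scanner fails the job, which is what makes
      # the check block the PR / merge.
      - name: Scan binary for Go module and secrets findings
        env:
          SECURITY_SCANNER_CONFIG_FILE: .release/security-scan.hcl
        run: scan binary ./consul
```

Using the same `.release/security-scan.hcl` for the CI run and for the local reproduction keeps the two in agreement, so a result that is clean locally (as in the session above) is clean in CI for the same reason.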

Overview of commits

@hc-github-team-consul-core hc-github-team-consul-core force-pushed the backport/zalimeni/enable-security-scans-release/mainly-cuddly-bull branch from 59604d1 to 41b41b7 Compare December 21, 2023 15:11
@hc-github-team-consul-core hc-github-team-consul-core requested a review from a team December 21, 2023 15:11
@hc-github-team-consul-core hc-github-team-consul-core requested a review from a team as a code owner December 21, 2023 15:11
@hc-github-team-consul-core hc-github-team-consul-core requested review from claire-labry, jeanneryan and zalimeni and removed request for a team December 21, 2023 15:11
@github-actions github-actions bot added type/ci Relating to continuous integration (CI) tooling for testing or releases theme/contributing Additions and enhancements to community contributing materials labels Dec 21, 2023
Collaborator

Auto approved Consul Bot automated PR

@zalimeni zalimeni enabled auto-merge (squash) December 21, 2023 15:21
@zalimeni zalimeni merged commit e2a07a8 into release/1.17.x Dec 21, 2023
93 checks passed
@zalimeni zalimeni deleted the backport/zalimeni/enable-security-scans-release/mainly-cuddly-bull branch December 21, 2023 15:29