changelog 1.3.x #2168

Workflow file for this run

.github/workflows/security-scan.yml at 9f67eeb

	name: Security Scan

	on:
	push:
	branches:
	- main
	- release/**
	pull_request:
	branches:
	- main
	- release/**

	# cancel existing runs of the same workflow on the same ref
	concurrency:
	group: ${{ github.workflow }}-${{ github.head_ref \|\| github.ref }}
	cancel-in-progress: true

	jobs:
	get-go-version:
	uses: ./.github/workflows/reusable-get-go-version.yml

	scan:
	needs:
	- get-go-version
	runs-on: ubuntu-latest
	# The first check ensures this doesn't run on community-contributed PRs, who
	# won't have the permissions to run this job.
	if: ${{ (github.repository != 'hashicorp/consul-k8s' \|\| (github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name))
	&& (github.actor != 'dependabot[bot]') && (github.actor != 'hc-github-team-consul-core') }}

	steps:
	- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4

	- name: Set up Go
	uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
	with:
	go-version: ${{ needs.get-go-version.outputs.go-version }}

	- name: Clone Security Scanner repo
	uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
	with:
	repository: hashicorp/security-scanner
	#TODO: replace w/ HASHIBOT_PRODSEC_GITHUB_TOKEN once provisioned
	token: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
	path: security-scanner
	ref: main

	- name: Scan
	id: scan
	uses: ./security-scanner
	with:
	repository: "$PWD"
	# See scan.hcl at repository root for config.

	- name: SARIF Output
	shell: bash
	run: \|
	cat results.sarif \| jq

	- name: Upload SARIF file
	uses: github/codeql-action/upload-sarif@8fcfedf57053e09257688fce7a0beeb18b1b9ae3 # codeql-bundle-v2.17.2
	with:
	sarif_file: results.sarif

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

changelog 1.3.x #2168

Workflow file

changelog 1.3.x #2168

Jobs

Run details

Workflow file for this run