Skip to content

Fix race that can lead to panic during seal #12550

Fix race that can lead to panic during seal

Fix race that can lead to panic during seal #12550

Workflow file for this run

name: Security Scan
# cancel existing runs of the same workflow on the same ref
concurrency:
group: ${{ github.workflow }}-${{ github.head_ref || github.ref }}
cancel-in-progress: true
on:
push:
branches: [main]
pull_request:
branches:
- 'main'
- '!oss-merge-main*'
jobs:
scan:
runs-on: ${{ fromJSON(vars.RUNNER_XL) }}
# The first check ensures this doesn't run on community-contributed PRs, who
# won't have the permissions to run this job.
if: ${{ (github.repository != 'hashicorp/vault' || (github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name))
&& (github.actor != 'dependabot[bot]') && ( github.actor != 'hc-github-team-secure-vault-core') }}
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- name: Set up Go
uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
with:
cache: false # save cache space for vault builds: https://github.com/hashicorp/vault/pull/21764
go-version-file: .go-version
- name: Set up Python
uses: actions/setup-python@bd6b4b6205c4dbad673328db7b31b7fab9e241c0 # v4.6.1
with:
python-version: 3.x
- name: Clone Security Scanner repo
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with:
repository: hashicorp/security-scanner
token: ${{ secrets.HASHIBOT_PRODSEC_GITHUB_TOKEN }}
path: security-scanner
ref: main
- name: Install dependencies
shell: bash
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
mkdir "$HOME/.bin"
cd "$GITHUB_WORKSPACE/security-scanner/pkg/sdk/examples/scan-plugin-semgrep"
go build -o scan-plugin-semgrep .
mv scan-plugin-semgrep "$HOME/.bin"
cd "$GITHUB_WORKSPACE/security-scanner/pkg/sdk/examples/scan-plugin-codeql"
go build -o scan-plugin-codeql .
mv scan-plugin-codeql "$HOME/.bin"
# Semgrep
python3 -m pip install semgrep==1.45.0
# CodeQL
LATEST=$(gh release list --repo https://github.com/github/codeql-action | cut -f 3 | sort --version-sort | tail -n1)
gh release download --repo https://github.com/github/codeql-action --pattern codeql-bundle-linux64.tar.gz "$LATEST"
tar xf codeql-bundle-linux64.tar.gz -C "$HOME/.bin"
# Add to PATH
echo "$HOME/.bin" >> "$GITHUB_PATH"
echo "$HOME/.bin/codeql" >> "$GITHUB_PATH"
- name: Scan
id: scan
uses: ./security-scanner
# env:
# Note: this _should_ work, but causes some issues with Semgrep.
# Instead, rely on filtering in the SARIF Output step.
#SEMGREP_BASELINE_REF: ${{ github.base_ref }}
with:
repository: "$PWD"
cache-build: true
cache-go-modules: false
- name: SARIF Output
shell: bash
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
cat results.sarif
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@46a6823b81f2d7c67ddf123851eea88365bc8a67 # codeql-bundle-v2.13.5
with:
sarif_file: results.sarif