name: Security Scan

on:
  push:
    branches: [main]
  pull_request:
    branches:
      - 'main'
    paths-ignore:
      - 'website/**'
      
jobs:
  scan:
    runs-on: ${{ fromJSON(vars.RUNNER_LARGE) }}
    if: |
      ! github.event.pull_request.head.repo.fork &&
      github.actor != 'dependabot[bot]' &&
      github.actor != 'hc-github-team-secure-boundary'
    steps:
    - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

    - name: Determine Go version
      id: get-go-version
      # We use .go-version as our source of truth for current Go
      # version, because "goenv" can react to it automatically.
      run: |
        echo "Building with Go $(cat .go-version)"
        echo "go-version=$(cat .go-version)" >> "$GITHUB_OUTPUT"

    - name: Set up Go
      uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
      with:
        go-version: "${{ steps.get-go-version.outputs.go-version }}"
        cache: false

    - name: Set up Python
      uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
      with:
        python-version: 3.x

    - name: Clone Security Scanner repo
      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      with:
        repository: hashicorp/security-scanner
        token: ${{ secrets.PRODSEC_SCANNER_READ_ONLY }}
        path: security-scanner
        ref: main

    - name: Install dependencies
      shell: bash
      env:
        GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      run: |
        mkdir "$HOME/.bin"
        cd "$GITHUB_WORKSPACE/security-scanner/pkg/sdk/examples/scan-plugin-semgrep"
        go build -o scan-plugin-semgrep .
        mv scan-plugin-semgrep "$HOME/.bin"

        cd "$GITHUB_WORKSPACE/security-scanner/pkg/sdk/examples/scan-plugin-codeql"
        go build -o scan-plugin-codeql .
        mv scan-plugin-codeql "$HOME/.bin"

        # Semgrep
        python3 -m pip install semgrep==1.45.0

        # CodeQL
        LATEST=$(gh release list --repo https://github.com/github/codeql-action | cut -f 3 | grep codeql-bundle- | sort --version-sort | tail -n1)
        gh release download --repo https://github.com/github/codeql-action --pattern codeql-bundle-linux64.tar.gz "$LATEST"
        tar xf codeql-bundle-linux64.tar.gz -C "$HOME/.bin"

        # Add to PATH
        echo "$HOME/.bin" >> "$GITHUB_PATH"
        echo "$HOME/.bin/codeql" >> "$GITHUB_PATH"

    - name: Scan
      id: scan
      uses: ./security-scanner
      with:
        repository: "$PWD"

    - name: Upload SARIF file
      uses: github/codeql-action/upload-sarif@70df9def86d22bf0ea4e7f8b956e7b92e7c1ea22 # codeql-bundle-v2.20.7
      with:
        sarif_file: results.sarif