name: Security Scan

on:
  push:
    branches: [main]
  pull_request:
    branches:
      - 'main'
    paths-ignore:
      - 'website/**'
      
jobs:
  scan:
    runs-on: ${{ fromJSON(vars.RUNNER_LARGE) }}
    if: ${{ github.actor != 'dependabot[bot]' || github.actor != 'hc-github-team-secure-boundary' }}
    steps:
    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

    - name: Determine Go version
      id: get-go-version
      # We use .go-version as our source of truth for current Go
      # version, because "goenv" can react to it automatically.
      run: |
        echo "Building with Go $(cat .go-version)"
        echo "go-version=$(cat .go-version)" >> "$GITHUB_OUTPUT"

    - name: Set up Go
      uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
      with:
        go-version: "${{ steps.get-go-version.outputs.go-version }}"
        cache: false

    - name: Set up Python
      uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1
      with:
        python-version: 3.x

    - name: Clone Security Scanner repo
      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
      with:
        repository: hashicorp/security-scanner
        token: ${{ secrets.HASHIBOT_PRODSEC_GITHUB_TOKEN }}
        path: security-scanner
        ref: main

    - name: Install dependencies
      shell: bash
      env:
        GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      run: |
        mkdir "$HOME/.bin"
        cd "$GITHUB_WORKSPACE/security-scanner/pkg/sdk/examples/scan-plugin-semgrep"
        go build -o scan-plugin-semgrep .
        mv scan-plugin-semgrep "$HOME/.bin"

        cd "$GITHUB_WORKSPACE/security-scanner/pkg/sdk/examples/scan-plugin-codeql"
        go build -o scan-plugin-codeql .
        mv scan-plugin-codeql "$HOME/.bin"

        # Semgrep
        python3 -m pip install semgrep==1.45.0

        # CodeQL
        LATEST=$(gh release list --repo https://github.com/github/codeql-action | cut -f 3 | sort --version-sort | tail -n1)
        gh release download --repo https://github.com/github/codeql-action --pattern codeql-bundle-linux64.tar.gz "$LATEST"
        tar xf codeql-bundle-linux64.tar.gz -C "$HOME/.bin"

        # Add to PATH
        echo "$HOME/.bin" >> "$GITHUB_PATH"
        echo "$HOME/.bin/codeql" >> "$GITHUB_PATH"

    - name: Scan
      id: scan
      uses: ./security-scanner
      with:
        repository: "$PWD"

    - name: Upload SARIF file
      uses: github/codeql-action/upload-sarif@0e346f2c4a1b999b44f1ef93fe08bdb83dae63ab # codeql-bundle-v2.18.1
      with:
        sarif_file: results.sarif