name: Security Scan

on:
  push:
    branches: [main]
  pull_request:
    branches:
      - 'main'
    paths-ignore:
      - 'website/**'
      
jobs:
  scan:
    runs-on: ${{ fromJSON(vars.RUNNER_LARGE) }}
    if: ${{ github.actor != 'dependabot[bot]' || github.actor != 'hc-github-team-secure-boundary' }}
    steps:
    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

    - name: Determine Go version
      id: get-go-version
      # We use .go-version as our source of truth for current Go
      # version, because "goenv" can react to it automatically.
      run: |
        echo "Building with Go $(cat .go-version)"
        echo "go-version=$(cat .go-version)" >> "$GITHUB_OUTPUT"

    - name: Set up Go
      uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
      with:
        go-version: "${{ steps.get-go-version.outputs.go-version }}"
        cache: false

    - name: Set up Python
      uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1
      with:
        python-version: 3.x

    - name: Clone Security Scanner repo
      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      with:
        repository: hashicorp/security-scanner
        token: ${{ secrets.HASHIBOT_PRODSEC_GITHUB_TOKEN }}
        path: security-scanner
        ref: main

    - name: Install dependencies
      shell: bash
      env:
        GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      run: |
        mkdir "$HOME/.bin"
        cd "$GITHUB_WORKSPACE/security-scanner/pkg/sdk/examples/scan-plugin-semgrep"
        go build -o scan-plugin-semgrep .
        mv scan-plugin-semgrep "$HOME/.bin"

        cd "$GITHUB_WORKSPACE/security-scanner/pkg/sdk/examples/scan-plugin-codeql"
        go build -o scan-plugin-codeql .
        mv scan-plugin-codeql "$HOME/.bin"

        # Semgrep
        python3 -m pip install semgrep==1.45.0

        # CodeQL
        LATEST=$(gh release list --repo https://github.com/github/codeql-action | cut -f 3 | sort --version-sort | tail -n1)
        gh release download --repo https://github.com/github/codeql-action --pattern codeql-bundle-linux64.tar.gz "$LATEST"
        tar xf codeql-bundle-linux64.tar.gz -C "$HOME/.bin"

        # Add to PATH
        echo "$HOME/.bin" >> "$GITHUB_PATH"
        echo "$HOME/.bin/codeql" >> "$GITHUB_PATH"

    - name: Scan
      id: scan
      uses: ./security-scanner
      with:
        repository: "$PWD"

    - name: Upload SARIF file
      uses: github/codeql-action/upload-sarif@4b6aa0b07da05d6e43d0e5f9c8596a6532ce1c85 # codeql-bundle-v2.15.3
      with:
        sarif_file: results.sarif