Merge branch 'main' into linting

.github/dependabot.yml

@@ -4,4 +4,14 @@ updates:
     directory: "/"
     schedule:
       interval: daily
-    open-pull-requests-limit: 10
+    open-pull-requests-limit: 10
+
+  - package-ecosystem: gomod
+    directory: /
+    schedule:
+      interval: daily
+
+  - package-ecosystem: gomod
+    directory: /vaultserver
+    schedule:
+      interval: daily

.github/workflows/codeql-analysis.yml

@@ -55,11 +55,11 @@ jobs:
           uploads.github.com:443
 
     - name: 'Checkout repository'
-      uses: actions/checkout@3ba5ee6fac7e0e30e2ea884e236f282d3a775891
+      uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c
 
     # Initializes the CodeQL tools for scanning.
     - name: 'Initialize CodeQL'
-      uses: github/codeql-action/init@0a3f985290ed05d660eccad9acadea7a461a4aa8
+      uses: github/codeql-action/init@579411fb6c2fa885902ffeb0238873661aa2dc29
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -70,7 +70,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: 'Autobuild'
-      uses: github/codeql-action/autobuild@0a3f985290ed05d660eccad9acadea7a461a4aa8
+      uses: github/codeql-action/autobuild@579411fb6c2fa885902ffeb0238873661aa2dc29
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -84,4 +84,4 @@ jobs:
     #   make release
 
     - name: 'Perform CodeQL Analysis'
-      uses: github/codeql-action/analyze@0a3f985290ed05d660eccad9acadea7a461a4aa8
+      uses: github/codeql-action/analyze@579411fb6c2fa885902ffeb0238873661aa2dc29

.github/workflows/dependencies-review.yml

@@ -20,7 +20,7 @@ jobs:
             storage.googleapis.com:443
 
       - name: 'Checkout Repository'
-        uses: actions/checkout@3ba5ee6fac7e0e30e2ea884e236f282d3a775891
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c
 
       - name: 'Dependency Review'
-        uses: actions/dependency-review-action@0ff3da6f81b812d4ec3cf37a04e2308c7a723730
+        uses: actions/dependency-review-action@a482eabd84caa0df204661f958b46f524e88cacc

.github/workflows/go.yml

@@ -25,12 +25,12 @@ jobs:
           storage.googleapis.com:443
 
     - name: 'Checkout Repository'
-      uses: actions/checkout@3ba5ee6fac7e0e30e2ea884e236f282d3a775891
+      uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c
       with:
         fetch-depth: 0
 
     - name: 'Set up Go'
-      uses: actions/setup-go@bb5ff97ab9c85a2085c8968c49b14f9f0530e2a8
+      uses: actions/setup-go@fa319ab135f5f244f88130e2874b6782750e9ef8
       with:
         go-version-file: './go.mod'
 

.github/workflows/golangci-lint.yml

@@ -27,19 +27,19 @@ jobs:
             objects.githubusercontent.com:443
             raw.githubusercontent.com:443
 
-      - uses: actions/checkout@3ba5ee6fac7e0e30e2ea884e236f282d3a775891
+      - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c
         with:
           fetch-depth: 0
 
-      - uses: actions/setup-go@bb5ff97ab9c85a2085c8968c49b14f9f0530e2a8
+      - uses: actions/setup-go@fa319ab135f5f244f88130e2874b6782750e9ef8
         with:
           go-version-file: './go.mod'
 
       - name: 'Generate'
         run:  go generate vault4summon
 
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@v3
+        uses: golangci/golangci-lint-action@0ad9a0988b3973e851ab0a07adf248ec2e100376 # v3.3.1
         with:
           # Optional: version of golangci-lint to use in form of v1.2 or v1.2.3 or `latest` to use the latest version
           version: latest

.github/workflows/gosec.yml

@@ -34,7 +34,7 @@ jobs:
             artifactcache.actions.githubusercontent.com:443
 
       - name: 'Checkout Source'
-        uses: actions/checkout@3ba5ee6fac7e0e30e2ea884e236f282d3a775891
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c
 
       - name: 'Run Gosec Security Scanner'
         uses: securego/gosec@f9a8bf0152af9f9bda93de373ddb3762f0d12f14
@@ -43,7 +43,7 @@ jobs:
           args: '-no-fail -fmt sarif -out gosec.sarif ./...'
 
       - name: 'Upload SARIF file'
-        uses: github/codeql-action/upload-sarif@0a3f985290ed05d660eccad9acadea7a461a4aa8
+        uses: github/codeql-action/upload-sarif@579411fb6c2fa885902ffeb0238873661aa2dc29
         with:
           # Path to SARIF file relative to the root of the repository
           sarif_file: gosec.sarif

.github/workflows/govulncheck.yml

@@ -0,0 +1,40 @@
+name: govulncheck scan
+on: [push, pull_request]
+
+permissions:  # added using https://github.com/step-security/secure-workflows
+  contents: read
+
+jobs:
+  build:
+    permissions:
+      contents: read  # for actions/checkout to fetch code
+      security-events: write  # for github/codeql-action/upload-sarif to upload SARIF results
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5 # v2.0.0
+        with:
+          disable-sudo: true
+          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+          allowed-endpoints: >      
+              auth.docker.io:443
+              github.com:443
+              production.cloudflare.docker.com:443
+              proxy.golang.org:443
+              registry-1.docker.io:443
+              storage.googleapis.com:443
+              sum.golang.org:443
+              vuln.go.dev:443
+
+      - name: 'Checkout Repository'
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.2.0
+        with:
+          fetch-depth: 0
+
+      - name: "create version.txt needed for compilation"
+        run: echo "vuln-version">version.txt
+
+      - name: Scan for Vulnerabilities in Code
+        uses: Templum/govulncheck-action@f115ae331f94d0a83a9552234fc00f3d4516e6dc # v0.0.8
+        with:
+          skip-upload: false

.github/workflows/release.yml

@@ -22,20 +22,23 @@ jobs:
             github.com:443
 
       - name: 'Checkout'
-        uses: actions/checkout@3ba5ee6fac7e0e30e2ea884e236f282d3a775891
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c
         with:
           fetch-depth: 0
 
       - name: 'Set up Go'
-        uses: actions/setup-go@bb5ff97ab9c85a2085c8968c49b14f9f0530e2a8
+        uses: actions/setup-go@fa319ab135f5f244f88130e2874b6782750e9ef8
         with:
           go-version-file: './go.mod'
 
+      - name: 'Go Version'
+        run:  go version
+
       - name: 'Generate'
         run:  go generate vault4summon
 
       - name: 'Run GoReleaser'
-        uses: goreleaser/goreleaser-action@13f1e21a502d76668f53fc8631dfef02a96ecac6
+        uses: goreleaser/goreleaser-action@a7c543ca7a866f4d914fa7a767ded0c3868d0821
         with:
           distribution: goreleaser
           version: latest

.github/workflows/scorecards-analysis.yml

@@ -44,12 +44,12 @@ jobs:
             storage.googleapis.com:443
 
       - name: "Checkout code"
-        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.2.0
         with:
           persist-credentials: false
 
       - name: "Run analysis"
-        uses: ossf/scorecard-action@937ffa90d79c7d720498178154ad4c7ba1e4ad8c # v2.1.0
+        uses: ossf/scorecard-action@e38b1902ae4f44df626f11ba0734b14fb91f8f86 # v2.1.2
         with:
           results_file: scorecards.sarif
           results_format: sarif
@@ -76,6 +76,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@0a3f985290ed05d660eccad9acadea7a461a4aa8
+        uses: github/codeql-action/upload-sarif@579411fb6c2fa885902ffeb0238873661aa2dc29
         with:
           sarif_file: scorecards.sarif

.gitignore

@@ -17,3 +17,6 @@ initialization.json
 /vaultserver/volumes/DEV/logs/
 /version.txt
 !/vault4summon
+/vault4summon
+/gosec.sarif
+/gitlabGp.md