feat: add security quality gates

.circleci/config.yml

@@ -3,7 +3,7 @@ version: 2.1
 orbs:
   snyk: snyk/[email protected]
   node: circleci/[email protected]
-  prodsec: snyk/prodsec-orb@1.0.2
+  prodsec: snyk/prodsec-orb@1
 
 defaults: &defaults
   working_directory: ~/snyk-iac-rules
@@ -90,28 +90,17 @@ jobs:
       - run:
           name: Run Golang tests
           command: go test ./...
-  security-oss:
+  security-scans:
     <<: *docker_go_image
+    resource_class: small
     steps:
       - checkout
-      - snyk/scan:
-          severity-threshold: medium 
-          monitor-on-build: false
-          project: ${CIRCLE_PROJECT_REPONAME}
-          organization: cloud-cloud
-  security-code:
-    <<: *docker_go_image
-    steps:
-      - checkout
-      - snyk/scan:
-          command: code test
-          severity-threshold: medium 
-          monitor-on-build: false
-          project: ${CIRCLE_PROJECT_REPONAME}
-          organization: cloud-cloud
+      - prodsec/security_scans:
+          mode: auto
+          iac-scan: disabled
   lint_commit_message:
     docker:
-      - image: cimg/node:14.19
+      - image: cimg/node:18.19.1
     steps:
       - checkout
       - attach_workspace:
@@ -161,7 +150,7 @@ jobs:
           command: echo $DOCKER_PASSWORD  | docker login -u $DOCKER_USERNAME --password-stdin
       - node/install:
           install-yarn: false
-          node-version: '12'
+          node-version: '18'
       - run:
           name: Release binaries to GitHub
           command: ./scripts/release-github.sh
@@ -186,6 +175,10 @@ workflows:
           context:
             - snyk-bot-slack
           channel: group-infrastructure-as-code-alerts
+      - security-scans:
+          name: Security Scans
+          context:
+            - analysis-iac
       - lint_commit_message:
           name: Lint commit message
           <<: *only_feature_branch
@@ -194,20 +187,6 @@ workflows:
           requires:
             -  Lint commit message
           <<: *only_feature_branch
-      - security-oss:
-          name: Snyk oss
-          context:
-            - snyk-cloud-dev-ex
-          requires:
-            - Lint & formatting
-          <<: *only_feature_branch
-      - security-code:
-          name: Snyk code
-          context:
-            - snyk-cloud-dev-ex
-          requires:
-            - Lint & formatting
-          <<: *only_feature_branch
       - regression-test:
           name: Regression Test
           requires:

.github/actions/setup_shellspec/action.yml

@@ -5,7 +5,7 @@ runs:
   steps:
     - uses: actions/setup-node@v1
       with:
-        node-version: 15
+        node-version: 18
 
     - name: Install Snyk with npm
       shell: bash
@@ -17,7 +17,7 @@ runs:
 
     - uses: actions/setup-go@v2
       with:
-        go-version: '1.19'
+        go-version: '1.22'
 
     - name: Build custom rules SDK
       shell: bash

.github/workflows/contract.yml

@@ -19,7 +19,7 @@ jobs:
 
       - uses: actions/setup-node@v1
         with:
-          node-version: 15
+          node-version: 18
 
       - name: Install Snyk with npm
         run: |
@@ -30,7 +30,7 @@ jobs:
 
       - uses: actions/setup-go@v2
         with:
-          go-version: '1.19'
+          go-version: '1.22'
 
       - name: Build Golang CLI
         run: go build -o snyk-iac-rules .

.github/workflows/main.yml

@@ -19,7 +19,7 @@ jobs:
 
       - uses: actions/setup-go@v2
         with:
-          go-version: '1.19'
+          go-version: '1.22'
 
       - name: Build Golang CLI
         run: go build -o snyk-iac-rules .
@@ -95,7 +95,7 @@ jobs:
 
       - uses: actions/setup-go@v2
         with:
-          go-version: '1.19'
+          go-version: '1.22'
 
       - name: Install NPM package - non-Windows
         if: ${{ matrix.os != 'windows' }}
@@ -141,7 +141,7 @@ jobs:
       - name: Build binaries
         uses: goreleaser/goreleaser-action@v2
         with:
-          args: --snapshot --rm-dist
+          args: --snapshot --clean
 
       - name: Test Dockerfile
         run: |

.goreleaser.yml

@@ -1,3 +1,7 @@
+# yaml-language-server: $schema=https://goreleaser.com/static/schema.json
+# vim: set ts=2 sw=2 tw=0 fo=jcroql
+version: 2
+
 project_name: snyk-iac-rules
 
 before:
@@ -27,13 +31,16 @@ archives:
   - id: default
     files:
       - none*
-    name_template: "{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}"
-    replacements:
-      darwin: Darwin
-      linux: Linux
-      windows: Windows
-      386: i386
-      amd64: x86_64
+    name_template: >-
+      {{- .ProjectName }}_
+      {{- .Version }}_
+      {{- if eq .Os "darwin" }}Darwin_
+      {{- else if eq .Os "linux" }}Linux_
+      {{- else if eq .Os "windows" }}Windows_
+      {{- else }}{{ .Os }}_{{ end }}
+      {{- if eq .Arch "386" }}i386
+      {{- else if eq .Arch "amd64" }}x86_64
+      {{- else }}{{ .Arch }}{{ end }}
     format: tar.gz
     format_overrides:
     - goos: windows
@@ -83,37 +90,38 @@ brews:
     # Default is false.
     skip_upload: false
     # GitHub repository to push the formula to
-    tap:
+    repository:
       owner: snyk
       name: homebrew-tap
       token: "{{ .Env.SNYK_ACCESS_TOKEN }}"
 
-    folder: Formula
+    directory: Formula
     commit_author:
       name: snyk
       email: [email protected]
     homepage: "https://snyk.io/"
     license: Apache-2.0
     description: "Write, debug, test, and bundle custom rules for Snyk Infrastructure as Code."
 
-scoop:
-  # If set to auto, the release will not be uploaded to the scoop bucket
-  # in case there is an indicator for prerelease in the tag e.g. v1.0.0-rc1
-  # Default is false.
-  skip_upload: false
-
-  # Repository to push the app manifest to.
-  bucket:
-    owner: snyk
-    name: scoop-snyk
-    token: "{{ .Env.SNYK_ACCESS_TOKEN }}"
-
-  commit_author:
-    name: snyk
-    email: [email protected]
-  homepage: "https://snyk.io/"
-  license: Apache-2.0
-  description: "Write, debug, test, and bundle custom rules for Snyk Infrastructure as Code."
+scoops:
+  -
+    # If set to auto, the release will not be uploaded to the scoop bucket
+    # in case there is an indicator for prerelease in the tag e.g. v1.0.0-rc1
+    # Default is false.
+    skip_upload: false
+
+    # Repository to push the app manifest to.
+    repository:
+      owner: snyk
+      name: scoop-snyk
+      token: "{{ .Env.SNYK_ACCESS_TOKEN }}"
+
+    commit_author:
+      name: snyk
+      email: [email protected]
+    homepage: "https://snyk.io/"
+    license: Apache-2.0
+    description: "Write, debug, test, and bundle custom rules for Snyk Infrastructure as Code."
 
 # Publishes the deb and rpm files to the GitHub releases page.
 nfpms:

packaging/npm/passthrough.js

@@ -18,6 +18,7 @@ switch (process.platform) {
 var arch = ''
 switch (process.arch) {
   case 'arm' :
+  case 'arm64':
     arch = 'arm64';
     break;
   case 'x64':

scripts/release-github.sh

@@ -3,14 +3,14 @@
 set -eo pipefail
 
 if ! which goreleaser >/dev/null ; then
-    go install github.com/goreleaser/goreleaser@v1.9.2
+    go install github.com/goreleaser/goreleaser/v2@latest
 fi
 
 # Check configuration
 goreleaser check
 
 FLAGS=""
-FLAGS+="--rm-dist "
+FLAGS+="--clean "
 
 # Only CI system should publish artifacts
 if [ "$CI" != true ]; then

scripts/release-npm.sh

@@ -20,7 +20,7 @@ for i in "$@"; do
 done
 
 if ! which goreleaser >/dev/null ; then
-    go install github.com/goreleaser/goreleaser@v1.9.2
+    go install github.com/goreleaser/goreleaser/v2@latest
 fi
 
 # Check configuration
@@ -29,7 +29,7 @@ goreleaser check
 # Override tag for GoReleaser so it uses the one provided in the flag
 export GORELEASER_CURRENT_TAG="${TAG}"
 
-CMD="goreleaser build --snapshot --rm-dist"
+CMD="goreleaser build --snapshot --clean"
 
 echo "+ Using goreleaser"
 echo "+ CMD=${CMD}"