Merge pull request #7 from ory/ci/security-scanning

ci: adding security scans

Author: Demonsthere

.deps/gitleaks.yaml

@@ -0,0 +1,10 @@
+# renovate: datasource=github-releases depName=gitleaks/gitleaks
+version: 8.21.2
+url: https://github.com/gitleaks/gitleaks/releases/download/v{{.Version}}/gitleaks_{{.Version}}_{{.Os}}_{{.Architecture}}.tar.gz
+mappings:
+  architecture:
+    amd64: x64
+    arm64: arm64
+  os:
+    darwin: darwin
+    linux: linux

.deps/go-licenses.yaml

@@ -0,0 +1,3 @@
+# renovate: datasource=github-releases depName=google/go-licenses extractVersion=^v(?<version>.*)$
+version: v1.6.0
+url: "{{.Version}}"

.deps/golangci-lint.yaml

@@ -0,0 +1,3 @@
+# renovate: datasource=github-releases depName=golangci/golangci-lint
+version: v2.8.0
+url: "{{.Version}}"

.deps/gosec.yaml

@@ -0,0 +1,10 @@
+# renovate: datasource=github-releases depName=securego/gosec
+version: 2.22.0
+url: https://github.com/securego/gosec/releases/download/v{{.Version}}/gosec_{{.Version}}_{{.Os}}_{{.Architecture}}.tar.gz
+mappings:
+  architecture:
+    amd64: amd64
+    arm64: arm64
+  os:
+    darwin: darwin
+    linux: linux

.deps/govulncheck.yaml

@@ -0,0 +1,3 @@
+# renovate: datasource=go depName=golang.org/x/vuln/cmd/govulncheck
+version: v1.1.4
+url: "{{.Version}}"

.deps/tfplugindocs.yaml

@@ -0,0 +1,10 @@
+# renovate: datasource=github-releases depName=hashicorp/terraform-plugin-docs
+version: 0.24.0
+url: https://github.com/hashicorp/terraform-plugin-docs/releases/download/v{{.Version}}/tfplugindocs_{{.Version}}_{{.Os}}_{{.Architecture}}.zip
+mappings:
+  architecture:
+    amd64: amd64
+    arm64: arm64
+  os:
+    darwin: darwin
+    linux: linux

.deps/trivy.yaml

@@ -0,0 +1,10 @@
+# renovate: datasource=github-releases depName=aquasecurity/trivy
+version: 0.58.0
+url: https://github.com/aquasecurity/trivy/releases/download/v{{.Version}}/trivy_{{.Version}}_{{.Os}}-{{.Architecture}}.tar.gz
+mappings:
+  architecture:
+    amd64: 64bit
+    arm64: ARM64
+  os:
+    darwin: macOS
+    linux: Linux

.github/workflows/security.yml

@@ -0,0 +1,100 @@
+name: Security
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  schedule:
+    - cron: '26 21 * * 3'
+
+permissions:
+  contents: read
+
+jobs:
+  # Static Application Security Testing (SAST) - gosec
+  gosec:
+    name: Go Security Check
+    runs-on: ubuntu-slim
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: 'go.mod'
+          cache: true
+
+      - name: Run gosec
+        run: make sec-gosec
+
+  # Software Composition Analysis (SCA) - Go vulnerability check
+  govulncheck:
+    name: Go Vulnerability Check
+    runs-on: ubuntu-slim
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: 'go.mod'
+          cache: true
+
+      - name: Run govulncheck
+        run: make sec-vuln
+
+  # Secret scanning - Gitleaks
+  gitleaks:
+    name: Secret Scanning
+    runs-on: ubuntu-slim
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: 'go.mod'
+          cache: true
+
+      - name: Run Gitleaks
+        run: make sec-gitleaks
+
+  # Binary artifact scanning - Trivy on built binary
+  trivy:
+    name: Binary Vulnerability Scan
+    runs-on: ubuntu-slim
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: 'go.mod'
+          cache: true
+
+      - name: Run Trivy
+        run: make sec-trivy
+
+  # Dependency license compliance
+  licenses:
+    name: License Check
+    runs-on: ubuntu-slim
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: 'go.mod'
+          cache: true
+
+      - name: Check licenses
+        run: make licenses

.gitignore

@@ -5,7 +5,7 @@ terraform-provider-orynetwork
 *.so
 *.dylib
 
-# Tool binaries (installed by Makefile)
+# Local tool binaries (managed by Makefile)
 .bin/
 
 # Test binary

Makefile

@@ -11,9 +11,20 @@
 #   ORY_CONSOLE_API_URL   - Console API URL (default: https://api.console.ory.sh)
 #   ORY_PROJECT_API_URL   - Project API URL template (default: https://%s.projects.oryapis.com)
 
+SHELL := /bin/bash -o pipefail
 BINARY_NAME := terraform-provider-orynetwork
 INSTALL_DIR := ~/.terraform.d/plugins/registry.terraform.io/ory/orynetwork/0.0.1/$(shell go env GOOS)_$(shell go env GOARCH)
 
+# Platform detection for tool downloads
+OS := $(shell uname -s | tr '[:upper:]' '[:lower:]')
+ARCH := $(shell uname -m)
+ifeq ($(ARCH),x86_64)
+	ARCH := amd64
+endif
+ifeq ($(ARCH),aarch64)
+	ARCH := arm64
+endif
+
 .PHONY: help
 help: ## Show this help
 	@grep -E '^[a-zA-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) | sort | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-20s\033[0m %s\n", $$1, $$2}'
@@ -34,6 +45,12 @@ deps-ci: ## Install dependencies for CI environment
 	@echo "Installing jq..."
 	@if command -v apt-get >/dev/null 2>&1; then sudo apt-get update && sudo apt-get install -y jq; fi
 
+# Ory CLI for dependency management
+.bin/ory:
+	@mkdir -p .bin
+	@curl --retry 7 --retry-connrefused -sSfL https://raw.githubusercontent.com/ory/meta/master/install.sh | bash -s -- -d -b .bin ory v0.3.4
+	@touch -a -m .bin/ory
+
 # ==============================================================================
 # BUILD
 # ==============================================================================
@@ -55,20 +72,51 @@ clean: ## Remove build artifacts
 # CODE QUALITY
 # ==============================================================================
 
+# Code quality tool binaries
+.bin/golangci-lint: .deps/golangci-lint.yaml .bin/ory
+	@VERSION=$$(.bin/ory dev ci deps url -o $(OS) -a $(ARCH) -c .deps/golangci-lint.yaml); \
+	echo "Installing golangci-lint $${VERSION}..."; \
+	curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b .bin $${VERSION}
+
+.bin/tfplugindocs: .deps/tfplugindocs.yaml .bin/ory
+	@mkdir -p .bin
+	@URL=$$(.bin/ory dev ci deps url -o $(OS) -a $(ARCH) -c .deps/tfplugindocs.yaml); \
+	echo "Downloading tfplugindocs from $${URL}..."; \
+	curl -sSfL "$${URL}" -o /tmp/tfplugindocs.zip; \
+	unzip -q -o /tmp/tfplugindocs.zip -d .bin tfplugindocs; \
+	rm /tmp/tfplugindocs.zip; \
+	chmod +x .bin/tfplugindocs
+
+.bin/go-licenses: .deps/go-licenses.yaml .bin/ory
+	@VERSION=$$(.bin/ory dev ci deps url -o $(OS) -a $(ARCH) -c .deps/go-licenses.yaml); \
+	echo "Installing go-licenses $${VERSION}..."; \
+	GOBIN=$(PWD)/.bin go install github.com/google/go-licenses@$${VERSION}
+
 .PHONY: format
-format: ## Format all code (Go, Terraform, modules, docs, lint fixes)
+format: .bin/tfplugindocs .bin/golangci-lint ## Format all code (Go, Terraform, modules, docs, lint fixes)
 	go fmt ./...
 	gofmt -s -w .
 	terraform fmt -recursive examples/
 	go mod tidy
-	@command -v tfplugindocs >/dev/null 2>&1 || { echo "Installing tfplugindocs..."; go install github.com/hashicorp/terraform-plugin-docs/cmd/tfplugindocs@latest; }
-	tfplugindocs generate --provider-name ory
-	@command -v golangci-lint >/dev/null 2>&1 || { echo "Installing golangci-lint v2..."; go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@latest; }
-	golangci-lint run --fix ./...
+	.bin/tfplugindocs generate --provider-name ory
+	.bin/golangci-lint run --fix ./...
 
 .PHONY: lint
-lint: ## Run Go linter (without fixes)
-	golangci-lint run ./...
+lint: .bin/golangci-lint ## Run Go linter (without fixes)
+	.bin/golangci-lint run ./...
+
+.PHONY: licenses
+licenses: .bin/go-licenses ## Check dependency licenses
+	@# go-licenses has known issues with Go 1.25+ stdlib packages (github.com/google/go-licenses/issues/128)
+	@# Suppress stderr noise about stdlib, but fail if disallowed licenses are found (exit code 3)
+	@.bin/go-licenses check ./... --disallowed_types=forbidden,restricted 2>/dev/null; \
+	EXIT_CODE=$$?; \
+	if [ $$EXIT_CODE -eq 3 ]; then \
+		echo "ERROR: Disallowed licenses found!"; \
+		.bin/go-licenses check ./... --disallowed_types=forbidden,restricted; \
+		exit 1; \
+	fi; \
+	echo "License check passed"
 
 # ==============================================================================
 # TESTING
@@ -106,6 +154,56 @@ test-acc-all: env-check ## Run all acceptance tests including optional ones
 		ORY_SCHEMA_TESTS_ENABLED=true \
 		./scripts/run-acceptance-tests.sh -p 1 -v -timeout 30m ./...
 
+# ==============================================================================
+# SECURITY SCANNING
+# ==============================================================================
+
+.PHONY: sec
+sec: sec-vuln sec-gosec sec-gitleaks ## Run all security scans
+
+# Security tool binaries
+.bin/govulncheck: .deps/govulncheck.yaml .bin/ory
+	@VERSION=$$(.bin/ory dev ci deps url -o $(OS) -a $(ARCH) -c .deps/govulncheck.yaml); \
+	echo "Installing govulncheck $${VERSION}..."; \
+	GOBIN=$(PWD)/.bin go install golang.org/x/vuln/cmd/govulncheck@$${VERSION}
+
+.bin/gosec: .deps/gosec.yaml .bin/ory
+	@mkdir -p .bin
+	@URL=$$(.bin/ory dev ci deps url -o $(OS) -a $(ARCH) -c .deps/gosec.yaml); \
+	echo "Downloading gosec from $${URL}..."; \
+	curl -sSfL "$${URL}" | tar -xz -C .bin gosec; \
+	chmod +x .bin/gosec
+
+.bin/gitleaks: .deps/gitleaks.yaml .bin/ory
+	@mkdir -p .bin
+	@URL=$$(.bin/ory dev ci deps url -o $(OS) -a $(ARCH) -c .deps/gitleaks.yaml); \
+	echo "Downloading gitleaks from $${URL}..."; \
+	curl -sSfL "$${URL}" | tar -xz -C .bin gitleaks; \
+	chmod +x .bin/gitleaks
+
+.bin/trivy: .deps/trivy.yaml .bin/ory
+	@mkdir -p .bin
+	@URL=$$(.bin/ory dev ci deps url -o $(OS) -a $(ARCH) -c .deps/trivy.yaml); \
+	echo "Downloading trivy from $${URL}..."; \
+	curl -sSfL "$${URL}" | tar -xz -C .bin trivy; \
+	chmod +x .bin/trivy
+
+.PHONY: sec-vuln
+sec-vuln: .bin/govulncheck ## Run govulncheck for Go vulnerability scanning
+	.bin/govulncheck ./...
+
+.PHONY: sec-gosec
+sec-gosec: .bin/gosec ## Run gosec for Go security analysis
+	.bin/gosec ./...
+
+.PHONY: sec-gitleaks
+sec-gitleaks: .bin/gitleaks ## Run gitleaks for secret detection
+	.bin/gitleaks detect --source . --verbose
+
+.PHONY: sec-trivy
+sec-trivy: .bin/trivy build ## Run trivy vulnerability scan on built binary
+	.bin/trivy fs --scanners vuln,secret,misconfig --severity CRITICAL,HIGH .
+
 # ==============================================================================
 # ENVIRONMENT HELPERS
 # ==============================================================================