updated to add .deps

Author: KT-Doan

.deps/gitleaks.yaml

@@ -0,0 +1,9 @@
+version: 8.21.2
+url: https://github.com/gitleaks/gitleaks/releases/download/v{{.Version}}/gitleaks_{{.Version}}_{{.Os}}_{{.Architecture}}.tar.gz
+mappings:
+  architecture:
+    amd64: x64
+    arm64: arm64
+  os:
+    darwin: darwin
+    linux: linux

.deps/gosec.yaml

@@ -0,0 +1,9 @@
+version: 2.22.0
+url: https://github.com/securego/gosec/releases/download/v{{.Version}}/gosec_{{.Version}}_{{.Os}}_{{.Architecture}}.tar.gz
+mappings:
+  architecture:
+    amd64: amd64
+    arm64: arm64
+  os:
+    darwin: darwin
+    linux: linux

.deps/govulncheck.yaml

@@ -0,0 +1,3 @@
+version: v1.1.4
+# govulncheck is installed via go install
+url: "{{.Version}}"

.deps/trivy.yaml

@@ -0,0 +1,9 @@
+version: 0.58.0
+url: https://github.com/aquasecurity/trivy/releases/download/v{{.Version}}/trivy_{{.Version}}_{{.Os}}-{{.Architecture}}.tar.gz
+mappings:
+  architecture:
+    amd64: 64bit
+    arm64: ARM64
+  os:
+    darwin: macOS
+    linux: Linux

.github/workflows/security.yml

@@ -26,11 +26,8 @@ jobs:
           go-version-file: 'go.mod'
           cache: true
 
-      - name: Install gosec
-        run: go install github.com/securego/gosec/v2/cmd/gosec@latest
-
       - name: Run gosec
-        run: gosec ./...
+        run: make sec-gosec
 
   # Software Composition Analysis (SCA) - Go vulnerability check
   govulncheck:
@@ -46,11 +43,8 @@ jobs:
           go-version-file: 'go.mod'
           cache: true
 
-      - name: Install govulncheck
-        run: go install golang.org/x/vuln/cmd/govulncheck@latest
-
       - name: Run govulncheck
-        run: govulncheck ./...
+        run: make sec-vuln
 
   # Secret scanning - Gitleaks
   gitleaks:
@@ -62,14 +56,8 @@ jobs:
         with:
           fetch-depth: 0
 
-      - name: Install gitleaks
-        run: |
-          GITLEAKS_VERSION=$(curl -s https://api.github.com/repos/gitleaks/gitleaks/releases/latest | grep tag_name | cut -d '"' -f 4 | sed 's/v//')
-          curl -sSfL "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz" | tar -xz
-          sudo mv gitleaks /usr/local/bin/
-
       - name: Run Gitleaks
-        run: gitleaks detect --source . --verbose
+        run: make sec-gitleaks
 
   # Binary artifact scanning - Trivy on built binary
   trivy:
@@ -85,22 +73,8 @@ jobs:
           go-version-file: 'go.mod'
           cache: true
 
-      - name: Build binary
-        run: go build -o terraform-provider-orynetwork .
-
-      - name: Run Trivy filesystem scan
-        uses: aquasecurity/trivy-action@master
-        with:
-          scan-type: 'fs'
-          scan-ref: '.'
-          format: 'table'
-          exit-code: '1'
-          severity: 'CRITICAL,HIGH'
-          scanners: 'vuln,secret,misconfig'
-          ignore-unfixed: true
-        env:
-          TRIVY_SKIP_JAVA_DB_UPDATE: 'true'
-          TRIVY_DISABLE_VEX_NOTICE: 'true'
+      - name: Run Trivy
+        run: make sec-trivy
 
   # Dependency license compliance
   licenses:

.gitignore

@@ -5,6 +5,9 @@ terraform-provider-orynetwork
 *.so
 *.dylib
 
+# Local tool binaries (managed by Makefile)
+.bin/
+
 # Test binary
 *.test
 

Makefile

@@ -14,6 +14,16 @@
 BINARY_NAME := terraform-provider-orynetwork
 INSTALL_DIR := ~/.terraform.d/plugins/registry.terraform.io/ory/orynetwork/0.0.1/$(shell go env GOOS)_$(shell go env GOARCH)
 
+# Platform detection for tool downloads
+OS := $(shell uname -s | tr '[:upper:]' '[:lower:]')
+ARCH := $(shell uname -m)
+ifeq ($(ARCH),x86_64)
+	ARCH := amd64
+endif
+ifeq ($(ARCH),aarch64)
+	ARCH := arm64
+endif
+
 .PHONY: help
 help: ## Show this help
 	@grep -E '^[a-zA-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) | sort | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-20s\033[0m %s\n", $$1, $$2}'
@@ -34,6 +44,12 @@ deps-ci: ## Install dependencies for CI environment
 	@echo "Installing jq..."
 	@if command -v apt-get >/dev/null 2>&1; then sudo apt-get update && sudo apt-get install -y jq; fi
 
+# Ory CLI for dependency management
+.bin/ory:
+	@mkdir -p .bin
+	@bash <(curl --retry 7 --retry-connrefused https://raw.githubusercontent.com/ory/meta/master/install.sh) -d -b .bin ory v0.3.4
+	@touch -a -m .bin/ory
+
 # ==============================================================================
 # BUILD
 # ==============================================================================
@@ -113,25 +129,48 @@ test-acc-all: env-check ## Run all acceptance tests including optional ones
 .PHONY: sec
 sec: sec-vuln sec-gosec sec-gitleaks ## Run all security scans
 
+# Security tool binaries
+.bin/govulncheck: .deps/govulncheck.yaml .bin/ory
+	@VERSION=$$(.bin/ory dev ci deps url -o $(OS) -a $(ARCH) -c .deps/govulncheck.yaml); \
+	echo "Installing govulncheck $${VERSION}..."; \
+	GOBIN=$(PWD)/.bin go install golang.org/x/vuln/cmd/govulncheck@$${VERSION}
+
+.bin/gosec: .deps/gosec.yaml .bin/ory
+	@mkdir -p .bin
+	@URL=$$(.bin/ory dev ci deps url -o $(OS) -a $(ARCH) -c .deps/gosec.yaml); \
+	echo "Downloading gosec from $${URL}..."; \
+	curl -sSfL "$${URL}" | tar -xz -C .bin gosec; \
+	chmod +x .bin/gosec
+
+.bin/gitleaks: .deps/gitleaks.yaml .bin/ory
+	@mkdir -p .bin
+	@URL=$$(.bin/ory dev ci deps url -o $(OS) -a $(ARCH) -c .deps/gitleaks.yaml); \
+	echo "Downloading gitleaks from $${URL}..."; \
+	curl -sSfL "$${URL}" | tar -xz -C .bin gitleaks; \
+	chmod +x .bin/gitleaks
+
+.bin/trivy: .deps/trivy.yaml .bin/ory
+	@mkdir -p .bin
+	@URL=$$(.bin/ory dev ci deps url -o $(OS) -a $(ARCH) -c .deps/trivy.yaml); \
+	echo "Downloading trivy from $${URL}..."; \
+	curl -sSfL "$${URL}" | tar -xz -C .bin trivy; \
+	chmod +x .bin/trivy
+
 .PHONY: sec-vuln
-sec-vuln: ## Run govulncheck for Go vulnerability scanning
-	@command -v govulncheck >/dev/null 2>&1 || { echo "Installing govulncheck..."; go install golang.org/x/vuln/cmd/govulncheck@latest; }
-	govulncheck ./...
+sec-vuln: .bin/govulncheck ## Run govulncheck for Go vulnerability scanning
+	.bin/govulncheck ./...
 
 .PHONY: sec-gosec
-sec-gosec: ## Run gosec for Go security analysis
-	@command -v gosec >/dev/null 2>&1 || { echo "Installing gosec..."; go install github.com/securego/gosec/v2/cmd/gosec@latest; }
-	gosec ./...
+sec-gosec: .bin/gosec ## Run gosec for Go security analysis
+	.bin/gosec ./...
 
 .PHONY: sec-gitleaks
-sec-gitleaks: ## Run gitleaks for secret detection
-	@command -v gitleaks >/dev/null 2>&1 || { echo "gitleaks not found. Install: brew install gitleaks (macOS) or download from https://github.com/gitleaks/gitleaks/releases"; exit 1; }
-	gitleaks detect --source . --verbose
+sec-gitleaks: .bin/gitleaks ## Run gitleaks for secret detection
+	.bin/gitleaks detect --source . --verbose
 
 .PHONY: sec-trivy
-sec-trivy: build ## Run trivy vulnerability scan on built binary
-	@command -v trivy >/dev/null 2>&1 || { echo "trivy not found. Install: brew install trivy (macOS) or see https://aquasecurity.github.io/trivy/"; exit 1; }
-	trivy fs --scanners vuln,secret,misconfig --severity CRITICAL,HIGH .
+sec-trivy: .bin/trivy build ## Run trivy vulnerability scan on built binary
+	.bin/trivy fs --scanners vuln,secret,misconfig --severity CRITICAL,HIGH .
 
 # ==============================================================================
 # ENVIRONMENT HELPERS