aminueza
diff --git a/‎.github/golangci.yml‎
Lines changed: 12 additions & 0 deletions b/‎.github/golangci.yml‎
Lines changed: 12 additions & 0 deletions
diff --git a/‎.github/workflows/close-stale-issues-and-pull-requests.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/close-stale-issues-and-pull-requests.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/create-release-tag.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/create-release-tag.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/docs.yml‎
Lines changed: 5 additions & 5 deletions b/‎.github/workflows/docs.yml‎
Lines changed: 5 additions & 5 deletions
diff --git a/‎.github/workflows/go.yml‎
Lines changed: 23 additions & 7 deletions b/‎.github/workflows/go.yml‎
Lines changed: 23 additions & 7 deletions
diff --git a/‎.github/workflows/release.yml‎
Lines changed: 6 additions & 6 deletions b/‎.github/workflows/release.yml‎
Lines changed: 6 additions & 6 deletions
diff --git a/‎.github/workflows/security.yml‎
Lines changed: 47 additions & 16 deletions b/‎.github/workflows/security.yml‎
Lines changed: 47 additions & 16 deletions
@@ -27,6 +27,18 @@ linters:
       - path: import_.*\.go
         linters:
           - errcheck
+      # TODO: migrate aws-sdk-go v1 to v2
+      - text: "SA1019:.*aws-sdk-go.*is deprecated"
+        linters:
+          - staticcheck
+      # TODO: migrate SetPolicy to AttachPolicy/DetachPolicy
+      - text: "SA1019:.*SetPolicy is deprecated"
+        linters:
+          - staticcheck
+      # TODO: migrate InfoCannedPolicy to InfoCannedPolicyV2
+      - text: "SA1019:.*InfoCannedPolicy is deprecated"
+        linters:
+          - staticcheck
 
   settings:
     errcheck:
 
@@ -11,7 +11,7 @@ jobs:
   stale:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/stale@v10
+      - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10
         with:
           days-before-issue-stale: 30
           stale-issue-message: "This issue has been automatically marked as stale due to inactivity. It will be closed in 7 days if no further activity occurs. Please comment or remove the stale label to keep it open."
 
@@ -29,7 +29,7 @@ jobs:
       tag: ${{ steps.version.outputs.new }}
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98 # v6.0.2
         with:
           fetch-depth: 0
 
 
@@ -19,7 +19,7 @@ jobs:
     if: github.event_name == 'pull_request'
     steps:
       - name: Check out code
-        uses: actions/checkout@v6
+        uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98 # v6.0.2
 
       - name: Verify all resources and data sources have doc templates
         run: |
@@ -65,13 +65,13 @@ jobs:
       GOOS: linux
     steps:
       - name: Check out code
-        uses: actions/checkout@v6
+        uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98 # v6.0.2
         with:
           ref: ${{ github.head_ref || github.ref }}
           fetch-depth: 1
 
       - name: Set up Go
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
         with:
           go-version-file: "go.mod"
           cache: true
@@ -99,11 +99,11 @@ jobs:
       GOOS: linux
     steps:
       - name: Check out code
-        uses: actions/checkout@v6
+        uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98 # v6.0.2
         with:
           fetch-depth: 1
 
       - name: Markdown Link Validation
-        uses: tcort/github-action-markdown-link-check@v1
+        uses: tcort/github-action-markdown-link-check@e7c7a18363c842693fadde5d41a3bd3573a7a225 # v1
         with:
           config-file: "./.github/github-action-markdown-link-check-config.json"
@@ -23,7 +23,7 @@ jobs:
       security-events: write
     steps:
       - name: Check out the repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98 # v6.0.2
 
       - name: Set up Go
         uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
@@ -38,16 +38,32 @@ jobs:
           args: --config .github/golangci.yml
 
       - name: Run Gosec Security Scanner
-        uses: securego/gosec@424fc4cd9c82ea0fd6bee9cd49c2db2c3cc0c93f # v2.22.11
+        id: gosec
+        uses: securego/gosec@bb17e422fc34bf4c0a2e5cab9d07dc45a68c040c # v2.24.7
+        continue-on-error: true
         with:
-          args: -fmt sarif -out gosec.sarif ./
+          args: -fmt sarif -out gosec.sarif -exclude-dir=vendor -tests=false -exclude=G101 ./
 
       - name: Upload security scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
-        if: always()
+        uses: github/codeql-action/upload-sarif@c793b717bc78562f491db7b0e93a3a178b099162 # v4.32.5
+        if: always() && hashFiles('gosec.sarif') != ''
         with:
           sarif_file: gosec.sarif
 
+      - name: Fail on Gosec findings
+        if: always() && steps.gosec.outcome == 'failure'
+        run: |
+          echo "## Gosec Security Scanner Found Issues" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          if [ -f gosec.sarif ]; then
+            echo "| Rule | File | Line | Description |" >> $GITHUB_STEP_SUMMARY
+            echo "|------|------|------|-------------|" >> $GITHUB_STEP_SUMMARY
+            jq -r '.runs[0].results[] | "| \(.ruleId) | \(.locations[0].physicalLocation.artifactLocation.uri) | \(.locations[0].physicalLocation.region.startLine) | \(.message.text) |"' gosec.sarif >> $GITHUB_STEP_SUMMARY
+          fi
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "See the **Security** tab for full details." >> $GITHUB_STEP_SUMMARY
+          exit 1
+
   test:
     name: Test
     runs-on: ubuntu-latest
@@ -58,7 +74,7 @@ jobs:
       GOOS: linux
     steps:
       - name: Check out the repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98 # v6.0.2
 
       - name: Set up Go
         uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
@@ -70,7 +86,7 @@ jobs:
         uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
 
       - name: Cache Docker layers
-        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
+        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
         with:
           path: /tmp/.buildx-cache
           key: ${{ runner.os }}-buildx-${{ github.sha }}
 
@@ -31,26 +31,26 @@ jobs:
       RELEASE_TAG: ${{ inputs.tag || github.ref_name }}
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98 # v6.0.2
         with:
           fetch-depth: 0
           ref: ${{ env.RELEASE_TAG }}
 
       - name: Set up Go
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
         with:
           go-version-file: "go.mod"
           cache: true
 
       - name: Import GPG key
         id: import_gpg
-        uses: crazy-max/ghaction-import-gpg@v6.3.0
+        uses: crazy-max/ghaction-import-gpg@2dc316deee8e90f13e1a351ab510b4d5bc0c82cd # v7.0.0
         with:
           gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
           passphrase: ${{ secrets.PASSPHRASE }}
 
       - name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@v6
+        uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7
         with:
           version: "~> v2"
           args: release --clean --config .github/goreleaser.yml
@@ -60,14 +60,14 @@ jobs:
           GORELEASER_TAG: ${{ env.RELEASE_TAG }}
 
       - name: Generate SBOM
-        uses: anchore/sbom-action@v0
+        uses: anchore/sbom-action@17ae1740179002c89186b61233e0f892c3118b11 # v0
         with:
           path: ./dist
           format: spdx-json
           output-file: sbom.spdx.json
 
       - name: Upload SBOM to release
-        uses: softprops/action-gh-release@v2
+        uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2
         with:
           files: sbom.spdx.json
           tag_name: ${{ env.RELEASE_TAG }}
@@ -24,7 +24,7 @@ jobs:
 
     steps:
       - name: Check out the repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98 # v6.0.2
         with:
           fetch-depth: 0
 
@@ -35,42 +35,73 @@ jobs:
           cache: true
 
       - name: Run Gosec Security Scanner
-        uses: securego/gosec@424fc4cd9c82ea0fd6bee9cd49c2db2c3cc0c93f # v2.22.11
+        id: gosec
+        uses: securego/gosec@bb17e422fc34bf4c0a2e5cab9d07dc45a68c040c # v2.24.7
+        continue-on-error: true
         with:
-          args: "-fmt sarif -out gosec.sarif ./..."
-          config: .github/codeql/codeql-config.yml
+          args: "-fmt sarif -out gosec.sarif -exclude-dir=vendor -tests=false -exclude=G101 ./..."
 
-      - name: Upload SARIF file
-        uses: github/codeql-action/upload-sarif@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
-        if: always()
+      - name: Upload Gosec SARIF file
+        uses: github/codeql-action/upload-sarif@c793b717bc78562f491db7b0e93a3a178b099162 # v4.32.5
+        if: always() && hashFiles('gosec.sarif') != ''
         with:
           sarif_file: gosec.sarif
-          config-file: .github/codeql/codeql-config.yml
+
+      - name: Fail on Gosec findings
+        if: always() && steps.gosec.outcome == 'failure'
+        run: |
+          echo "## Gosec Security Scanner Found Issues" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          if [ -f gosec.sarif ]; then
+            echo "| Rule | File | Line | Description |" >> $GITHUB_STEP_SUMMARY
+            echo "|------|------|------|-------------|" >> $GITHUB_STEP_SUMMARY
+            jq -r '.runs[0].results[] | "| \(.ruleId) | \(.locations[0].physicalLocation.artifactLocation.uri) | \(.locations[0].physicalLocation.region.startLine) | \(.message.text) |"' gosec.sarif >> $GITHUB_STEP_SUMMARY
+          fi
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "See the **Security** tab for full details." >> $GITHUB_STEP_SUMMARY
+          exit 1
 
       - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@062f2592684a31eb3aa050cc61e7ca1451cecd3d # 0.18.0
+        id: trivy
+        uses: aquasecurity/trivy-action@e368e328979b113139d6f9068e03accaed98a518 # 0.34.1
+        continue-on-error: true
         with:
           scan-type: "fs"
           scan-ref: "."
+          version: "v0.69.2"
           format: "sarif"
           output: "trivy-results.sarif"
           ignore-unfixed: true
           severity: "CRITICAL,HIGH"
 
-      - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
-        if: always()
+      - name: Upload Trivy SARIF file
+        uses: github/codeql-action/upload-sarif@c793b717bc78562f491db7b0e93a3a178b099162 # v4.32.5
+        if: always() && hashFiles('trivy-results.sarif') != ''
         with:
           sarif_file: "trivy-results.sarif"
 
+      - name: Fail on Trivy findings
+        if: always() && steps.trivy.outcome == 'failure'
+        run: |
+          echo "## Trivy Vulnerability Scanner Found Issues" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          if [ -f trivy-results.sarif ]; then
+            echo "| Rule | File | Severity | Description |" >> $GITHUB_STEP_SUMMARY
+            echo "|------|------|----------|-------------|" >> $GITHUB_STEP_SUMMARY
+            jq -r '.runs[0].results[]? | "| \(.ruleId) | \(.locations[0].physicalLocation.artifactLocation.uri) | \(.level) | \(.message.text[:100]) |"' trivy-results.sarif >> $GITHUB_STEP_SUMMARY
+          fi
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "See the **Security** tab for full details." >> $GITHUB_STEP_SUMMARY
+          exit 1
+
   dependency-check:
     name: Dependency Security Check
     runs-on: ubuntu-latest
     timeout-minutes: 15
 
     steps:
       - name: Check out the repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98 # v6.0.2
 
       - name: Set up Go
         uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
@@ -99,7 +130,7 @@ jobs:
 
     steps:
       - name: Check out the repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98 # v6.0.2
         with:
           fetch-depth: 0
 
@@ -130,7 +161,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98 # v6.0.2
         with:
           persist-credentials: false
 
@@ -142,7 +173,7 @@ jobs:
           publish_results: true
 
       - name: Upload SARIF results to GitHub
-        uses: github/codeql-action/upload-sarif@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
+        uses: github/codeql-action/upload-sarif@c793b717bc78562f491db7b0e93a3a178b099162 # v4.32.5
         with:
           sarif_file: results.sarif