Refactor release security scan config (#30597)

2026-02-19 02:49:18 -05:00 · 2025-05-23 13:22:19 -04:00 · 2025-05-23 13:22:19 -04:00 · 0e4dfe8ba7
commit 0e4dfe8ba7
parent 83d05cefb6
1 changed files with 22 additions and 12 deletions
--- a/.release/security-scan.hcl
+++ b/.release/security-scan.hcl
@ -2,22 +2,32 @@
 # SPDX-License-Identifier: BUSL-1.1

 binary {
-  secrets    = false
-  go_modules = false
-  osv        = true
-  oss_index  = true
-  nvd        = false
-}
-
-container {
-  dependencies    = true
-  alpine_security = true
-  secrets         = true
+  go_stdlib  = true // Scan the Go standard library used to build the binary.
+  go_modules = true // Scan the Go modules included in the binary.
+  osv        = true // Use the OSV vulnerability database.
+  oss_index  = true // And use OSS Index vulnerability database.

  triage {
    suppress {
      vulnerabilities = [
-        // We can't do anything about these two CVE's until a new Alpine container with busybox 1.38 is available.
+        "GO-2022-0635", // github.com/aws/aws-sdk-go@v1.x
+      ]
+    }
+  }
+}
+
+container {
+  dependencies = true // Scan any installed packages for vulnerabilities.
+  osv          = true // Use the OSV vulnerability database.
+
+  secrets {
+    all = true
+  }
+
+  triage {
+    suppress {
+      vulnerabilities = [
+        // We can't do anything about these two CVEs until a new Alpine container with busybox 1.38 is available.
        "CVE-2025-46394",
        "CVE-2024-58251",
        "GO-2022-0635", // github.com/aws/aws-sdk-go@v1.x