add security-scan for CRT (#13627)

* add security-scan

* updating the alpine version

* clean up

* update the alpine version to be more prescriptive

.gitignore

@@ -51,6 +51,7 @@ Vagrantfile
 # Configs
 *.hcl
 !.release/ci.hcl
+!.release/security-scan.hcl
 !.release/linux/package/etc/vault.d/vault.hcl
 !command/agent/config/test-fixtures/*.hcl
 !command/server/test-fixtures/**/*.hcl

.release/ci.hcl

@@ -59,12 +59,27 @@ event "quality-tests" {
   }
 }
 
-event "security-scan" {
+event "security-scan-binaries" {
   depends = ["quality-tests"]
-  action "security-scan" {
+  action "security-scan-binaries" {
     organization = "hashicorp"
     repository = "crt-workflows-common"
-    workflow = "security-scan"
+    workflow = "security-scan-binaries"
+    config = "security-scan.hcl"
+  }
+
+  notification {
+    on = "fail"
+  }
+}
+
+event "security-scan-containers" {
+  depends = ["security-scan-binaries"]
+  action "security-scan-containers" {
+    organization = "hashicorp"
+    repository = "crt-workflows-common"
+    workflow = "security-scan-containers"
+    config = "security-scan.hcl"
   }
 
   notification {
@@ -73,7 +88,7 @@ event "security-scan" {
 }
 
 event "notarize-darwin-amd64" {
-  depends = ["security-scan"]
+  depends = ["security-scan-containers"]
   action "notarize-darwin-amd64" {
     organization = "hashicorp"
     repository = "crt-workflows-common"

.release/security-scan.hcl

@@ -0,0 +1,13 @@
+container {
+	dependencies = true
+	alpine_secdb = true
+	secrets      = true
+}
+
+binary {
+	secrets      = true
+	go_modules   = true
+	osv          = true
+	oss_index    = true
+	nvd          = true
+}

Dockerfile

@@ -1,4 +1,4 @@
-FROM alpine:3.14 as default
+FROM alpine:3.15 as default
 
 ARG BIN_NAME
 # NAME and VERSION are the name of the software in releases.hashicorp.com