Use trunk check to manage static analysis / security / secret scans in svix

.trunk/.gitignore

@@ -0,0 +1,8 @@
+*out
+*logs
+*actions
+*notifications
+*tools
+plugins
+user_trunk.yaml
+user.yaml

.trunk/configs/.hadolint.yaml

@@ -0,0 +1,4 @@
+# Following source doesn't work in most setups
+ignored:
+  - SC1090
+  - SC1091

.trunk/configs/.isort.cfg

@@ -0,0 +1,2 @@
+[settings]
+profile=black

.trunk/configs/.markdownlint.yaml

@@ -0,0 +1,10 @@
+# Autoformatter friendly markdownlint config (all formatting rules disabled)
+default: true
+blank_lines: false
+bullet: false
+html: false
+indentation: false
+line_length: false
+spaces: false
+url: false
+whitespace: false

.trunk/configs/.rustfmt.toml

@@ -0,0 +1 @@
+edition = "2021"

.trunk/configs/.shellcheckrc

@@ -0,0 +1,7 @@
+enable=all
+source-path=SCRIPTDIR
+disable=SC2154
+
+# If you're having issues with shellcheck following source, disable the errors via:
+# disable=SC1090
+# disable=SC1091

.trunk/configs/.yamllint.yaml

@@ -0,0 +1,10 @@
+rules:
+  quoted-strings:
+    required: only-when-needed
+    extra-allowed: ["{|}"]
+  empty-values:
+    forbid-in-block-mappings: true
+    forbid-in-flow-mappings: true
+  key-duplicates: {}
+  octal-values:
+    forbid-implicit-octal: true

.trunk/configs/analyzers.yml

@@ -0,0 +1,91 @@
+#  Copyright 2021 Praetorian Security, Inc.
+
+#  Licensed under the Apache License, Version 2.0 (the License);
+#  you may not use this file except in compliance with the License.
+#  You may obtain a copy of the License at
+
+#       http://www.apache.org/licenses/LICENSE-2.0
+
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an AS IS BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+
+# GoKart analyzers configuration
+
+# Uncomment analyzers section below to create a new vulnerability type
+
+# analyzers:
+#   # Each entry specifies a vulnerability type.
+
+#   # Name of the vulnerability:
+#   Test Sink:
+#     # Description of this vulnerability
+#     doc: Writing data to Printf()
+#     # Message displayed when this vulnerability is found
+#     message: Test Sink reachable by user input
+#     # List of vulnerable functions used to identify this vulnerability
+#     vuln_calls:
+#       # Package name
+#       log:
+#         # Function name
+#         - Printf
+
+# Each entry specifies a source that should be considered untrusted
+# If the package already exists in the sources section, add the variable/function/type underneath
+# Each package can contain multiple vulnerable sources.
+sources:
+  # Sources that are defined in Go documentation as a variable go here (note: these variables will have an SSA type of Global).
+  variables:
+    os:
+      - Args
+  # Sources that are defined in Go documentation as a function go here.
+  functions:
+    flag:
+      - Arg
+      - Args
+    os:
+      - Environ
+      - File
+    crypto/tls:
+      - LoadX509KeyPair
+      - X509KeyPair
+    os/user:
+      - Lookup
+      - LookupId
+      - Current
+    crypto/x509:
+      - Subjects
+    io:
+      - ReadAtLeast
+      - ReadFull
+    database/sql:
+      - Query
+      - QueryRow
+    bytes:
+      - String
+      - ReadBytes
+      - ReadByte
+    bufio:
+      - Text
+      - Bytes
+      - ReadString
+      - ReadSlice
+      - ReadRune
+      - ReadLine
+      - ReadBytes
+      - ReadByte
+    archive/tar:
+      - Next
+      - FileInfo
+      - Header
+    net/url:
+      - ParseQuery
+      - ParseUriRequest
+      - Parse
+      - Query
+  # Sources that are defined in Go documentation as a type go here (note: adding types will consider all functions that use that type to be tainted).
+  types:
+    net/http:
+      - Request

.trunk/configs/ruff.toml

@@ -0,0 +1,5 @@
+# Generic, formatter-friendly config.
+select = ["B", "D3", "D4", "E", "F"]
+
+# Never enforce `E501` (line length violations). This should be handled by formatters.
+ignore = ["E501"]

.trunk/trunk.yaml

@@ -0,0 +1,59 @@
+# This file controls the behavior of Trunk: https://docs.trunk.io/cli
+# To learn more about the format of this file, see https://docs.trunk.io/reference/trunk-yaml
+version: 0.1
+cli:
+  version: 1.16.0
+plugins:
+  sources:
+    - id: trunk
+      ref: v1.2.3
+      uri: https://github.com/trunk-io/plugins
+runtimes:
+  enabled:
+    - go@1.21.0
+    - java@13.0.11
+    - node@18.12.1
+    - python@3.10.8
+    - rust@1.72.0
+lint:
+  enabled:
+    - actionlint@1.6.25
+    - bandit@1.7.5
+    - black@23.9.1
+    - checkov@2.4.9
+    - clippy@1.72.0
+    - dotenv-linter@3.3.0
+    - git-diff-check
+    - gofmt@1.20.4
+    - gokart@0.5.1
+    - golangci-lint@1.54.2
+    - hadolint@2.12.0
+    - isort@5.12.0
+    - ktlint@1.0.0
+    - markdownlint@0.37.0
+    - osv-scanner@1.4.0
+    - oxipng@8.0.0
+    - prettier@3.0.3
+    - ruff@0.0.290
+    - rustfmt@1.72.0
+    - shellcheck@0.9.0
+    - shfmt@3.6.0
+    - taplo@0.8.1
+    - terrascan@1.18.3
+    - trivy@0.45.1
+    - trufflehog@3.56.1
+    - yamllint@1.32.0
+  ignore:
+    - linters: [clippy, rustfmt]
+      paths:
+        # do not reun
+        - rust/src/lib.rs
+    - linters: [ALL]
+      paths:
+        - go/internal/openapi/**
+actions:
+  enabled:
+    - trunk-announce
+    - trunk-check-pre-push
+    - trunk-fmt-pre-commit
+    - trunk-upgrade-available