Refactor release security scan config (#30597) (#30742)

ryancragun · Kent Gruber · web-flow · commit 82bd7f4d4afb · 2025-05-23T17:54:43.000Z
Co-authored-by: Kent Gruber &lt;kent@hashicorp.com&gt;
diff --git a/.release/security-scan.hcl b/.release/security-scan.hcl
@@ -2,22 +2,32 @@
 # SPDX-License-Identifier: BUSL-1.1
 
 binary {
-  secrets    = false
-  go_modules = false
-  osv        = true
-  oss_index  = true
-  nvd        = false
+  go_stdlib  = true // Scan the Go standard library used to build the binary.
+  go_modules = true // Scan the Go modules included in the binary.
+  osv        = true // Use the OSV vulnerability database.
+  oss_index  = true // And use OSS Index vulnerability database.
+
+  triage {
+    suppress {
+      vulnerabilities = [
+        "GO-2022-0635", // github.com/aws/aws-sdk-go@v1.x
+      ]
+    }
+  }
 }
 
 container {
-  dependencies    = true
-  alpine_security = true
-  secrets         = true
+  dependencies = true // Scan any installed packages for vulnerabilities.
+  osv          = true // Use the OSV vulnerability database.
+
+  secrets {
+    all = true
+  }
 
   triage {
     suppress {
       vulnerabilities = [
-        // We can't do anything about these two CVE's until a new Alpine container with busybox 1.38 is available.
+        // We can't do anything about these two CVEs until a new Alpine container with busybox 1.38 is available.
         "CVE-2025-46394",
         "CVE-2024-58251",
         "GO-2022-0635", // github.com/aws/aws-sdk-go@v1.x
