This repository was archived by the owner on Sep 30, 2024. It is now read-only.

feat(ci): Trigger security scanner from release pipeline#63280

Merged
Chickensoupwithrice merged 3 commits into main from al/rel-100-security-automation, Jun 19, 2024

Conversation

@Chickensoupwithrice (Contributor) commented Jun 14, 2024

Resolves REL-100 by calling the security scanner as part of the release pipeline, during the internal image creation time.

@willdollman kindly dropped me some notes on how to use this, notably in this PR I've removed dryRun=true given how this will only be run from the release process. I'm also using a tag with no images listed.

I've added the token Will sent me to 1Password under image-scanner-webhook and added a check to ensure it exists when being called.

Will's Notes:

curl --location 'https://incoming.sgdev.org/new-image-scan?images=sourcegraph%2Fgitserver%2Csourcegraph%2Ffrontend&tag=5.3.0&scanType=release&dev=true&dryRun=true' \
--header 'X-Special-Header: <key-shared-in-1password>'

it’s not quite set up for releases yet, but you can play around - results are sent to elastic which you don’t have access to, and there’s no api to get the results

to scan everything at a specific tag, remove the images parameter and set tag to the image tag

dryRun=true will ensure it doesn’t actually run a scan, but will still return a json response - best to leave that enabled while you’re working on it otherwise you’ll trigger lots of scans 😛

Test plan

Ran sg release create --version=auto --pretend to ensure the script still works

Changelog

  • Added security scanner to the release pipeline
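An added example, not the PR's own release script, of what the "check that the token exists" step and the webhook call from Will's notes can look like as a shell step in the release pipeline. The endpoint, query parameters (images, tag, scanType, dryRun) and the X-Special-Header header come from the notes above; the environment variable name IMAGE_SCANNER_WEBHOOK_TOKEN is an assumption, and the dev=true flag from the notes is left out.

```bash
#!/usr/bin/env bash
# Added example (not the PR's own code): release-pipeline step that triggers
# the image scanner webhook described in Will's notes.
# Assumption: the shared secret is exposed to the job as
# IMAGE_SCANNER_WEBHOOK_TOKEN (hypothetical variable name).
set -eu

SCANNER_URL="https://incoming.sgdev.org/new-image-scan"

# Percent-encode the two characters that appear in image lists ('/' and ',').
urlencode_images() {
  printf '%s' "$1" | sed -e 's#/#%2F#g' -e 's#,#%2C#g'
}

# Build the request URL.
#   $1 = image tag, $2 = dryRun (true/false, default true),
#   $3 = optional comma-separated image list; omitting it scans every image
#        at that tag, as the notes describe.
build_scan_url() {
  tag="$1"
  dry_run="${2:-true}"
  images="${3:-}"
  if [ -n "$images" ]; then
    printf '%s?images=%s&tag=%s&scanType=release&dryRun=%s' \
      "$SCANNER_URL" "$(urlencode_images "$images")" "$tag" "$dry_run"
  else
    printf '%s?tag=%s&scanType=release&dryRun=%s' \
      "$SCANNER_URL" "$tag" "$dry_run"
  fi
}

# Refuse to run without the shared secret, so a misconfigured job fails
# loudly instead of sending an unauthenticated request that is rejected
# later (or silently skipped).
require_token() {
  if [ -z "${IMAGE_SCANNER_WEBHOOK_TOKEN:-}" ]; then
    echo "IMAGE_SCANNER_WEBHOOK_TOKEN is not set; refusing to trigger scan" >&2
    return 1
  fi
}

# Trigger the scan. --fail makes a non-2xx response fail the pipeline step.
trigger_scan() {
  require_token
  curl --fail --silent --show-error --location "$(build_scan_url "$@")" \
    --header "X-Special-Header: ${IMAGE_SCANNER_WEBHOOK_TOKEN}"
}

# Usage from the release pipeline (dryRun=false, every image at the tag):
#   trigger_scan "$RELEASE_TAG" false
# While developing, keep dryRun=true so no real scans are queued:
#   trigger_scan 5.3.0 true sourcegraph/gitserver,sourcegraph/frontend
```

Keeping the URL construction separate from the curl call lets the step be unit-tested without network access, and failing when the token is absent is the behaviour the PR describes adding.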

@cla-bot cla-bot Bot added the cla-signed label Jun 14, 2024
@Chickensoupwithrice Chickensoupwithrice requested review from a team, jdpleiness and willdollman and removed request for a team June 14, 2024 23:32

@craigfurman (Contributor) left a comment

🚀 Sweet!

Is --pretend enough to truly test this? It doesn't trigger the pipeline that will run this step, if I understand correctly?

Could we create an internal release to kick the tires on this before the next real release, or is that too heavyweight?

@jdpleiness (Contributor)

> 🚀 Sweet!
>
> Is --pretend enough to truly test this? It doesn't trigger the pipeline that will run this step, if I understand correctly?
>
> Could we create an internal release to kick the tires on this before the next real release, or is that too heavyweight?

Kicking off an internal release to test this seems like a good idea to me 🚢

@Chickensoupwithrice (Contributor, Author)

I'll kick off an internal release too, y'all are right!

I also just remembered this step runs on Buildkite, so I'm gonna need to put the secret into secrets manager and import it in https://github.com/sourcegraph/infrastructure

@Chickensoupwithrice (Contributor, Author)

Okay, infrastructure PR created

@willdollman (Contributor) left a comment

👌

@Chickensoupwithrice (Contributor, Author)

Triggered a development build with security scanning enabled: https://buildkite.com/sourcegraph/sourcegraph/builds/279073
The security step passed which satisfies my appetite to ensure this won't break the process tomorrow :)

@Chickensoupwithrice Chickensoupwithrice enabled auto-merge (squash) June 19, 2024 19:11
@Chickensoupwithrice Chickensoupwithrice merged commit c82fd5c into main Jun 19, 2024
@Chickensoupwithrice Chickensoupwithrice deleted the al/rel-100-security-automation branch June 19, 2024 19:16