From 90ba526cbe34dd5ccad5ab2a58f999aa02434efa Mon Sep 17 00:00:00 2001
From: Thomas Piccirello
Date: Mon, 16 Oct 2023 10:27:45 -0700
Subject: [PATCH 1/4] chore: scan latest container image for vulnz on schedule
---
 .github/workflows/binary-scanner.yaml | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)
 create mode 100644 .github/workflows/binary-scanner.yaml
diff --git a/.github/workflows/binary-scanner.yaml b/.github/workflows/binary-scanner.yaml
new file mode 100644
index 00000000..03585add
--- /dev/null
+++ b/.github/workflows/binary-scanner.yaml
@@ -0,0 +1,23 @@
+name: Binary Scanner
+
+on:
+ schedule:
+ - cron: '28 1 * * *'
+
+jobs:
+ scan:
+ name: Scan
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v3
+ - name: Pull image
+ run: |
+ docker pull dopplerhq/cli:latest
+ - name: Run Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@master
+ with:
+ image-ref: 'docker.io/dopplerhq/cli:latest'
+ exit-code: '1'
+ ignore-unfixed: true
+ scanners: vuln
From ca3473021441db12dc06ac370c544ee021ecb7d1 Mon Sep 17 00:00:00 2001
From: Thomas Piccirello
Date: Mon, 16 Oct 2023 12:57:22 -0700
Subject: [PATCH 2/4] chore: run vuln check on schedule
---
 .github/workflows/vulncheck.yml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/vulncheck.yml b/.github/workflows/vulncheck.yml
index eeca4180..23feb8e5 100644
--- a/.github/workflows/vulncheck.yml
+++ b/.github/workflows/vulncheck.yml
@@ -1,6 +1,10 @@
 name: Vulncheck
 
-on: [pull_request, push]
+on:
+ pull_request:
+ push:
+ schedule:
+ - cron: '28 1 * * *'
 
 permissions:
 contents: read # to fetch code (actions/checkout)
From 9e7b85a9604710b72694a4b294553e4e0599a26d Mon Sep 17 00:00:00 2001
From: Thomas Piccirello
Date: Mon, 16 Oct 2023 12:57:36 -0700
Subject: [PATCH 3/4] chore: lock to Go minor version
---
 .github/workflows/vulncheck.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
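Review bot: `uses: aquasecurity/trivy-action@master` in the new binary-scanner.yaml pins the scanner to a moving branch, so whatever lands on that branch runs inside this job with its GITHUB_TOKEN; the other action in the same file is tag-pinned (`actions/checkout@v3`), so pin this one the same way, preferably to a commit SHA: `uses: aquasecurity/trivy-action@<pinned release tag or commit SHA>`. The workflow also declares no `permissions:` block while vulncheck.yml in this same series carries `permissions:` / `contents: read`, so the repository's default token scope applies here; add those two lines at the top level for least privilege. The checkout step does not appear to be needed by a scan keyed on `image-ref`, and the explicit `docker pull` step looks redundant with it, though I cannot confirm from this hunk how trivy-action treats a pre-pulled image.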
diff --git a/.github/workflows/vulncheck.yml b/.github/workflows/vulncheck.yml
index 23feb8e5..9562f081 100644
--- a/.github/workflows/vulncheck.yml
+++ b/.github/workflows/vulncheck.yml
@@ -19,7 +19,7 @@ jobs:
 - name: Set up Go
 uses: actions/setup-go@v3
 with:
- go-version: 1.21.0
+ go-version: '1.21'
 check-latest: true
 - name: Get official govulncheck
 run: go install golang.org/x/vuln/cmd/govulncheck@latest
From 9a85c533b75b2656f574d3659b62785b31b0d99a Mon Sep 17 00:00:00 2001
From: Thomas Piccirello
Date: Mon, 16 Oct 2023 12:59:20 -0700
Subject: [PATCH 4/4] chore: fix semgrep error
We verify that `response` isn't nil before using it.
---
 pkg/http/http.go | 1 +
 1 file changed, 1 insertion(+)
diff --git a/pkg/http/http.go b/pkg/http/http.go
index 85a6a6d5..5337dcb9 100644
--- a/pkg/http/http.go
+++ b/pkg/http/http.go
@@ -272,6 +272,7 @@ func request(req *http.Request, verifyTLS bool, allowTimeout bool) (*http.Respon
 }
 
 func performSSERequest(req *http.Request, verifyTLS bool, handler func([]byte)) (int, http.Header, error) {
+ // nosemgrep: trailofbits.go.invalid-usage-of-modified-variable.invalid-usage-of-modified-variable
 response, requestErr := request(req, verifyTLS, false)
 if requestErr != nil {
 statusCode := 0
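Review bot: The added `// nosemgrep:` line in performSSERequest suppresses a finding from a security linter but records no reason in the code; the justification lives only in the message of commit 9a85c533b75b2656f574d3659b62785b31b0d99a. Put it beside the suppression on its own line, e.g. `// response is nil-checked before any use, so the modified-variable rule is a false positive here (see commit 9a85c533)`, and leave the rule-id comment itself unchanged so semgrep still parses it. The nil check the message refers to is not in this hunk, since performSSERequest's body continues past it; it is worth confirming that the guard covers every use of response in the error branch, because a suppression placed on the assignment line will likely also hide any later unguarded use that a future edit introduces.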