Commit 422c845

Hacks4Snacks, afdesk, dependabot[bot], rgoltz and simar7 authored
Hacks4snacks/deconflictupstream (#12)
* test: improve integration tests (#2500) * test: improve integration tests * chore: improve env variables check * chore: prepare and load images for tests * chore(ci): add logining to docker registry * chore: remove docker auth * chore: emits more output including GinkgoWriter contents. * chore: use WP 6.1 instead of 5 * chore: use WP 6.7 * build(deps): bump github.com/containerd/containerd/v2 (#2499) * chore(deps): bump golang.org/x/oauth2 to 0.27.0 to resolve CVE-2025-22868 (#2480) * chore(deps): Bump `trivy-*` deps (#2507) * chore(deps): Bump trivy-* deps * fix signature * update checks * cleanup returns * docs: change docs about ttl for scanned reports (#2503) * docs: change docs about ttl for scanned reports Signed-off-by: Dmitry Ponomaryov <me@halje.ru> * fix operator.scannerReportTTL Signed-off-by: Dmitry Ponomaryov <me@halje.ru> --------- Signed-off-by: Dmitry Ponomaryov <me@halje.ru> * build(deps): bump the k8s group across 1 directory with 2 updates (#2512) Bumps the k8s group with 2 updates in the / directory: [k8s.io/apiextensions-apiserver](https://github.com/kubernetes/apiextensions-apiserver) and [sigs.k8s.io/controller-runtime](https://github.com/kubernetes-sigs/controller-runtime). 
Updates `k8s.io/apiextensions-apiserver` from 0.32.2 to 0.32.3 - [Release notes](https://github.com/kubernetes/apiextensions-apiserver/releases) - [Commits](kubernetes/apiextensions-apiserver@v0.32.2...v0.32.3) Updates `sigs.k8s.io/controller-runtime` from 0.20.2 to 0.20.4 - [Release notes](https://github.com/kubernetes-sigs/controller-runtime/releases) - [Changelog](https://github.com/kubernetes-sigs/controller-runtime/blob/main/RELEASE.md) - [Commits](kubernetes-sigs/controller-runtime@v0.20.2...v0.20.4) --- updated-dependencies: - dependency-name: k8s.io/apiextensions-apiserver dependency-version: 0.32.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: k8s - dependency-name: sigs.k8s.io/controller-runtime dependency-version: 0.20.4 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: k8s ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * build(deps): bump the common group across 1 directory with 6 updates (#2513) Bumps the common group with 4 updates in the / directory: [github.com/aquasecurity/trivy-kubernetes](https://github.com/aquasecurity/trivy-kubernetes), [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo), [github.com/prometheus/client_golang](https://github.com/prometheus/client_golang) and [golang.org/x/net](https://github.com/golang/net). 
Updates `github.com/aquasecurity/trivy-kubernetes` from 0.8.0 to 0.8.1 - [Release notes](https://github.com/aquasecurity/trivy-kubernetes/releases) - [Changelog](https://github.com/aquasecurity/trivy-kubernetes/blob/main/.goreleaser.yaml) - [Commits](aquasecurity/trivy-kubernetes@v0.8.0...v0.8.1) Updates `github.com/onsi/ginkgo/v2` from 2.22.2 to 2.23.4 - [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](onsi/ginkgo@v2.22.2...v2.23.4) Updates `github.com/onsi/gomega` from 1.36.2 to 1.36.3 - [Release notes](https://github.com/onsi/gomega/releases) - [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md) - [Commits](onsi/gomega@v1.36.2...v1.36.3) Updates `github.com/prometheus/client_golang` from 1.21.0 to 1.21.1 - [Release notes](https://github.com/prometheus/client_golang/releases) - [Changelog](https://github.com/prometheus/client_golang/blob/main/CHANGELOG.md) - [Commits](prometheus/client_golang@v1.21.0...v1.21.1) Updates `golang.org/x/net` from 0.37.0 to 0.39.0 - [Commits](golang/net@v0.37.0...v0.39.0) Updates `golang.org/x/text` from 0.23.0 to 0.24.0 - [Release notes](https://github.com/golang/text/releases) - [Commits](golang/text@v0.23.0...v0.24.0) --- updated-dependencies: - dependency-name: github.com/aquasecurity/trivy-kubernetes dependency-version: 0.8.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: common - dependency-name: github.com/onsi/ginkgo/v2 dependency-version: 2.23.4 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: common - dependency-name: github.com/onsi/gomega dependency-version: 1.36.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: common - dependency-name: github.com/prometheus/client_golang dependency-version: 1.21.1 dependency-type: direct:production update-type: version-update:semver-patch 
dependency-group: common - dependency-name: golang.org/x/net dependency-version: 0.39.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: common - dependency-name: golang.org/x/text dependency-version: 0.24.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: common ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * fix: skip excluded images in client server mode (#2516) trivy-operator does not check excluded images in client server mode. This change fixes this behavior. * fix(misconfig): ordering policies for hash (#2520) * fix(misconfig): ordering policies for hash * refactor: Move sorting inside of loader * use slices.Sort * fix lint * chore: skip the policy size check * chore: skip the test * remove an error return for empty policy slice --------- Co-authored-by: Simar <simar@linux.com> * chore: improve cache for policies (#2526) * chore: use cache for hash calculations * chore: update comments * test: add benchmarks for cache calculation * chore: fix linter error * chore: remove unneeded mutex * refactor: improve benchmarks for hash calculation * fix tests * fix: golangci-lint formatting --------- Co-authored-by: simar7 <1254783+simar7@users.noreply.github.com> Co-authored-by: Simar <simar@linux.com> * chore(deps): bump up Trivy versions to v0.62.0 (#2528) * chore: bump up Go version to 1.24.2 * chore: bump up Trivy version * chore(deps): bump up Trivy to the latest version * chore: bump up Trivy to v0.62.0 * release: prepare v0.26.0 (#2535) * release: prepare v0.26.0 * docs: update helm docs * chore: update Trivy version in the default config * docs: bump up Trivy version in the samples (#2538) --------- Co-authored-by: afdesk <work@afdesk.com> * chore(ci): Free up space to build (#2539) * chore(ci): Free up additional space (#2543) * chore(ci): Free up additional space * test: test 
using build step * chore(ci): Clear up space prior to build --------- Signed-off-by: Dmitry Ponomaryov <me@halje.ru> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: afdesk <work@afdesk.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Robert Goltz <robert@goltz.net> Co-authored-by: simar7 <1254783+simar7@users.noreply.github.com> Co-authored-by: Dmitry Ponomaryov <me@halje.ru> Co-authored-by: Pascal Hofmann <mail@pascalhofmann.de> Co-authored-by: Simar <simar@linux.com> Co-authored-by: Mark Dalton Gray <graymark@microsoft.com>
1 parent 8368cac commit 422c845

44 files changed: +717 -476 lines changed

.github/workflows/build.yaml

Lines changed: 11 additions & 0 deletions
@@ -60,6 +60,17 @@ jobs:
6060
name: Run tests
6161
runs-on: ubuntu-latest
6262
steps:
63+
- name: Maximize build space
64+
uses: AdityaGarg8/remove-unwanted-software@v5
65+
with:
66+
remove-android: 'true'
67+
remove-dotnet: 'true'
68+
remove-haskell: 'true'
69+
remove-codeql: 'true'
70+
remove-docker-images: 'true'
71+
remove-large-packages: 'true'
72+
remove-cached-tools: 'true'
73+
remove-swapfile: 'true'
6374
- name: Checkout code
6475
uses: actions/checkout@v4
6576
- name: Setup Go
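
Review bot: The new `Maximize build space` step at lines 63-73 references `AdityaGarg8/remove-unwanted-software@v5` by a mutable tag, so whatever that tag points to at run time executes on the runner before `Checkout code`. Pin third-party actions to a full commit SHA, with the tag kept in a trailing comment, so a re-tagged release cannot change what this job runs. Separately, `remove-swapfile: 'true'` trades swap for disk space; confirm the test job does not depend on it for memory headroom.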

.github/workflows/release.yaml

Lines changed: 23 additions & 0 deletions
@@ -17,6 +17,18 @@ jobs:
1717
name: Run tests
1818
runs-on: ubuntu-latest
1919
steps:
20+
- name: Maximize build space
21+
uses: AdityaGarg8/remove-unwanted-software@v5
22+
with:
23+
remove-android: 'true'
24+
remove-dotnet: 'true'
25+
remove-haskell: 'true'
26+
remove-codeql: 'true'
27+
remove-docker-images: 'true'
28+
remove-large-packages: 'true'
29+
remove-cached-tools: 'true'
30+
remove-swapfile: 'true'
31+
2032
- name: Checkout code
2133
uses: actions/checkout@v4
2234
with:
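
Review bot: This is the second of three identical `Maximize build space` blocks in the commit (one in build.yaml, two in this file), and this copy alone adds a trailing blank line at new line 31. Drop the blank line for consistency, and consider moving the step into a local composite action so the option list is maintained in one place.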
@@ -78,6 +90,17 @@ jobs:
7890
id-token: write
7991
packages: write
8092
steps:
93+
- name: Maximize build space
94+
uses: AdityaGarg8/remove-unwanted-software@v5
95+
with:
96+
remove-android: 'true'
97+
remove-dotnet: 'true'
98+
remove-haskell: 'true'
99+
remove-codeql: 'true'
100+
remove-docker-images: 'true'
101+
remove-large-packages: 'true'
102+
remove-cached-tools: 'true'
103+
remove-swapfile: 'true'
81104
- name: Set up QEMU
82105
uses: docker/setup-qemu-action@v3
83106
- name: Set up Docker Buildx
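
Review bot: The context lines of this hunk show `id-token: write` and `packages: write`, so the third-party `AdityaGarg8/remove-unwanted-software@v5` step at lines 93-103 becomes the first step of the job that holds the release publishing permissions. Pin it to a commit SHA here at minimum, or replace it with an inline `run:` step that deletes the same directories, so that no externally controlled code executes in the publishing job.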

CONTRIBUTING.md

Lines changed: 1 addition & 1 deletion
@@ -303,7 +303,7 @@ kubectl delete -k deploy/static
303303
OPERATOR_CONFIG_AUDIT_SCANNER_ENABLED=true \
304304
OPERATOR_RBAC_ASSESSMENT_SCANNER_ENABLED=true \
305305
OPERATOR_CONFIG_AUDIT_SCANNER_SCAN_ONLY_CURRENT_REVISIONS=false \
306-
OPERATOR_VULNERABILITY_SCANNER_REPORT_TTL="" \
306+
OPERATOR_SCANNER_REPORT_TTL="" \
307307
OPERATOR_BATCH_DELETE_LIMIT=3 \
308308
OPERATOR_BATCH_DELETE_DELAY="30s" \
309309
go run cmd/trivy-operator/main.go
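
Review bot: The rename from `OPERATOR_VULNERABILITY_SCANNER_REPORT_TTL` to `OPERATOR_SCANNER_REPORT_TTL` at line 306 changes only the documented name, and nothing in this hunk shows whether the old variable is still read. If it is not, call that out in the release notes or next to this example, since a contributor who keeps exporting the old name may silently run without the TTL they expect.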

README.md

Lines changed: 2 additions & 2 deletions
@@ -67,7 +67,7 @@ Install the Helm Chart:
6767
helm install trivy-operator aqua/trivy-operator \
6868
--namespace trivy-system \
6969
--create-namespace \
70-
--version 0.27.0
70+
--version 0.28.0
7171
```
7272

7373
#### Option 2: Install from OCI registry (supported in Helm v3.8.0+)
@@ -78,7 +78,7 @@ Install the Helm Chart:
7878
helm install trivy-operator oci://ghcr.io/aquasecurity/helm-charts/trivy-operator \
7979
--namespace trivy-system \
8080
--create-namespace \
81-
--version 0.27.0
81+
--version 0.28.0
8282
```
8383

8484
This will install the Trivy Helm Chart into the `trivy-system` namespace and start triggering the scans.

RELEASING.md

Lines changed: 5 additions & 5 deletions
@@ -46,17 +46,17 @@
4646
5. Create an annotated git tag and push it to the `upstream`. This will trigger the [`.github/workflows/release.yaml`] workflow
4747

4848
```sh
49-
git tag -v0.25.0 -m 'Release v0.25.0'
50-
git push upstream v0.25.0
49+
git tag -v0.26.0 -m 'Release v0.26.0'
50+
git push upstream v0.26.0
5151
```
5252

5353
6. Verify that the `release` workflow has built and published the following artifacts
5454
1. Trivy-operator container images published to DockerHub
55-
`docker.io/aquasec/trivy-operator:0.25.0`
55+
`docker.io/aquasec/trivy-operator:0.26.0`
5656
2. Trivy-operator container images published to Amazon ECR Public Gallery
57-
`public.ecr.aws/aquasecurity/trivy-operator:0.25.0`
57+
`public.ecr.aws/aquasecurity/trivy-operator:0.26.0`
5858
3. Trivy-operator container images published to GitHub Container Registry
59-
`ghcr.io/aquasecurity/trivy-operator:0.25.0`
59+
`ghcr.io/aquasecurity/trivy-operator:0.26.0`
6060

6161
7. Submit trivy-operator Operator to OperatorHub and ArtifactHUB by opening the PR to the <https://github.com/k8s-operatorhub/community-operators> repository.
6262
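
Review bot: The tag command carried over at new line 49, `git tag -v0.26.0 -m 'Release v0.26.0'`, is malformed: `-v` is the verify option of `git tag`, not part of the tag name, so it does not create the `v0.26.0` tag that line 50 pushes. Step 5 asks for an annotated tag, so the line should read `git tag -a v0.26.0 -m 'Release v0.26.0'`. The version is being edited in this change anyway, so fix the flag here.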

deploy/helm/Chart.yaml

Lines changed: 2 additions & 2 deletions
@@ -6,12 +6,12 @@ type: application
66
# This is the chart version. This version number should be incremented each time you make changes
77
# to the chart and its templates, including the app version.
88
# Versions are expected to follow Semantic Versioning (https://semver.org/)
9-
version: 0.27.0
9+
version: 0.28.0
1010

1111
# This is the version number of the application being deployed. This version number should be
1212
# incremented each time you make changes to the application. Versions are not expected to
1313
# follow Semantic Versioning. They should reflect the version the application is using.
14-
appVersion: 0.25.0
14+
appVersion: 0.26.0
1515

1616
# kubeVersion: A SemVer range of compatible Kubernetes versions (optional)
1717

deploy/helm/README.md

Lines changed: 2 additions & 2 deletions
@@ -1,6 +1,6 @@
11
# trivy-operator
22

3-
![Version: 0.27.0](https://img.shields.io/badge/Version-0.27.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.25.0](https://img.shields.io/badge/AppVersion-0.25.0-informational?style=flat-square)
3+
![Version: 0.28.0](https://img.shields.io/badge/Version-0.28.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.26.0](https://img.shields.io/badge/AppVersion-0.26.0-informational?style=flat-square)
44

55
Keeps security report resources updated
66

@@ -148,7 +148,7 @@ Keeps security report resources updated
148148
| trivy.image.pullPolicy | string | `"IfNotPresent"` | pullPolicy is the imge pull policy used for trivy image , valid values are (Always, Never, IfNotPresent) |
149149
| trivy.image.registry | string | `"mirror.gcr.io"` | registry of the Trivy image |
150150
| trivy.image.repository | string | `"aquasec/trivy"` | repository of the Trivy image |
151-
| trivy.image.tag | string | `"0.60.0"` | tag version of the Trivy image |
151+
| trivy.image.tag | string | `"0.62.0"` | tag version of the Trivy image |
152152
| trivy.imageScanCacheDir | string | `"/tmp/trivy/.cache"` | imageScanCacheDir the flag to set custom path for trivy image scan `cache-dir` parameter. Only applicable in image scan mode. |
153153
| trivy.includeDevDeps | bool | `false` | includeDevDeps include development dependencies in the report (supported: npm, yarn) (default: false) note: this flag is only applicable when trivy.command is set to filesystem |
154154
| trivy.insecureRegistries | object | `{}` | The registry to which insecure connections are allowed. There can be multiple registries with different keys. |
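
Review bot: The `trivy.image.tag` row at line 151 now documents `0.62.0`, but the neighbouring row at line 148 still reads "imge pull policy". If this table is generated (the commit message mentions updating the helm docs), correct the typo in the source comment rather than in this file so it does not reappear on the next regeneration.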

deploy/helm/templates/specs/eks-cis-1.4.yaml

Lines changed: 1 addition & 1 deletion
@@ -6,7 +6,7 @@ metadata:
66
labels:
77
app.kubernetes.io/name: trivy-operator
88
app.kubernetes.io/instance: trivy-operator
9-
app.kubernetes.io/version: 0.25.0
9+
app.kubernetes.io/version: 0.26.0
1010
app.kubernetes.io/managed-by: kubectl
1111
spec:
1212
cron: {{ .Values.compliance.cron | quote }}
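
Review bot: The label `app.kubernetes.io/version: 0.26.0` at line 9 is a hard-coded literal inside a Helm template, which is why this file, k8s-cis-1.23.yaml and k8s-nsa-1.0.yaml each need a manual edit in this release commit. Consider templating it from the chart's `appVersion` (Chart.yaml in this commit sets it to 0.26.0), for example `{{ .Chart.AppVersion | quote }}`, so the label cannot drift from the chart.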

deploy/helm/templates/specs/k8s-cis-1.23.yaml

Lines changed: 1 addition & 1 deletion
@@ -6,7 +6,7 @@ metadata:
66
labels:
77
app.kubernetes.io/name: trivy-operator
88
app.kubernetes.io/instance: trivy-operator
9-
app.kubernetes.io/version: 0.25.0
9+
app.kubernetes.io/version: 0.26.0
1010
app.kubernetes.io/managed-by: kubectl
1111
spec:
1212
cron: {{ .Values.compliance.cron | quote }}

deploy/helm/templates/specs/k8s-nsa-1.0.yaml

Lines changed: 1 addition & 1 deletion
@@ -7,7 +7,7 @@ metadata:
77
labels:
88
app.kubernetes.io/name: trivy-operator
99
app.kubernetes.io/instance: trivy-operator
10-
app.kubernetes.io/version: 0.25.0
10+
app.kubernetes.io/version: 0.26.0
1111
app.kubernetes.io/managed-by: kubectl
1212
spec:
1313
cron: {{ .Values.compliance.cron | quote}}
