Add pulse OSS and STIG scan to internal gitlab CI#116

Merged
maze88 merged 3 commits into Mellanox:master from maze88:add-pulse-oss-and-stig-scan-to-gitlab-ci
Jan 5, 2026

Conversation

maze88 (Collaborator) commented Jan 2, 2026

maze88 added 2 commits January 1, 2026 11:53
includes:
- update_component_version_in_network_operator stage.
- up to date and maintained STIG base image (from artifactory).
- STIG-FIPS scripts for hardening.

Signed-off-by: Michael Zeevi <mzeevi@nvidia.com>
…via gitlab CI

Signed-off-by: Michael Zeevi <mzeevi@nvidia.com>
github-actions bot commented Jan 2, 2026

Thanks for your PR.
To run the vendors' CIs, maintainers can use one of:

  • /test-all: To run all tests for all vendors.
  • /test-e2e-all: To run all E2E tests for all vendors.
  • /test-e2e-nvidia-all: To run all E2E tests for the NVIDIA vendor.

To skip the vendors' CIs, maintainers can use one of:

  • /skip-all: To skip all tests for all vendors.
  • /skip-e2e-all: To skip all E2E tests for all vendors.
  • /skip-e2e-nvidia-all: To skip all E2E tests for the NVIDIA vendor.

Best regards.

github-actions bot added the ci label on Jan 2, 2026
maze88 force-pushed the add-pulse-oss-and-stig-scan-to-gitlab-ci branch from 313590b to b071729 on January 2, 2026 15:24
greptile-apps bot commented Jan 2, 2026

Greptile Summary

This PR adds Pulse OSS and STIG security scanning to the internal GitLab CI pipeline. The changes include:

  • Added Apache 2.0 license header to .gitlab-ci.yml
  • Included Pulse scanning templates from pstooling/gitlab-templates
  • Added two new pipeline stages: pulse-scan-oss and pulse-scan-stig
  • Added variables for NSPECT and SSA credentials
  • Modified build job to fetch gov-ready policy document and export release version artifacts
  • Fixed JSON syntax bug in .github/workflows/fork-ci.yaml (missing closing bracket)
  • Appended -stig-fips suffix to Docker tags for release builds

Issues Found:

  • Security: The variable validation loop now prints all secret values (tokens, passwords) to CI logs in plain text. This should be masked or removed.

Confidence Score: 2/5

  • PR has a security issue that exposes secrets in CI logs and should be fixed before merging.
  • The PR introduces a security vulnerability where sensitive credentials are printed to CI logs. While the feature additions are valid, this security issue lowers confidence significantly.
  • .gitlab-ci.yml, lines 72-73: contain the security issue with secret exposure.

Important Files Changed

.github/workflows/fork-ci.yaml: Fixed the missing closing bracket ] in the JSON components array; a simple formatting fix.
.gitlab-ci.yml: Added Pulse OSS and STIG scanning jobs to the CI pipeline. Contains a security issue: secrets are printed to logs in variable validation.

Sequence Diagram

sequenceDiagram
    participant Git as Git Tag Push
    participant Build as build-image
    participant OSS as pulse-scan-oss
    participant STIG as pulse-scan-stig
    participant Deploy as deploy stage

    Git->>Build: Trigger on tag/branch push
    Build->>Build: Validate variables
    Build->>Build: Docker login to registries
    Build->>Build: Fetch STIG scripts
    Build->>Build: Fetch gov-ready policy
    Build->>Build: Build & push image
    Build->>OSS: Pass artifacts (build.env, policy)
    OSS->>OSS: Run OSS scan
    OSS->>STIG: Pass artifacts
    STIG->>STIG: Run STIG scan
    Note over OSS,STIG: Both scans allow_failure: true

greptile-apps bot left a comment

Additional Comments (2)

  1. .gitlab-ci.yml, line 56

    logic: This line logs all validated variables including sensitive secrets (GITHUB_TOKEN, GITLAB_TOKEN, ARTIFACTORY_TOKEN, NVCR_TOKEN, SSA_CLIENT_SECRET_PULSE_OSS, SSA_CLIENT_SECRET_PULSE_STIG) to the CI pipeline logs in plaintext, creating a critical security vulnerability.

  2. .gitlab-ci.yml, line 93

    logic: When running on branches (not tags), $CI_COMMIT_TAG is empty, so this command will fail with an invalid regex pattern. The variable should be quoted or checked before use.

2 files reviewed, 2 comments

maze88 force-pushed the add-pulse-oss-and-stig-scan-to-gitlab-ci branch from b071729 to add1b87 on January 2, 2026 16:10

greptile-apps bot left a comment

Additional Comments (1)

  1. .gitlab-ci.yml, line 56

    logic: echoing secret values to CI logs exposes sensitive credentials like SSA_CLIENT_SECRET_PULSE_OSS and SSA_CLIENT_SECRET_PULSE_STIG

2 files reviewed, 1 comment

maze88 (Collaborator, Author) commented Jan 2, 2026

    Additional Comments (2)

      1. .gitlab-ci.yml, line 56
        logic: This line logs all validated variables including sensitive secrets (GITHUB_TOKEN, GITLAB_TOKEN, ARTIFACTORY_TOKEN, NVCR_TOKEN, SSA_CLIENT_SECRET_PULSE_OSS, SSA_CLIENT_SECRET_PULSE_STIG) to the CI pipeline logs in plaintext, creating a critical security vulnerability.
      2. .gitlab-ci.yml, line 93
        logic: When running on branches (not tags), $CI_COMMIT_TAG is empty, so this command will fail with an invalid regex pattern. The variable should be quoted or checked before use.

    2 files reviewed, 2 comments

  1. They are "printed" safely as [MASKED].
  2. Fixed, and updated PR.

maze88 force-pushed the add-pulse-oss-and-stig-scan-to-gitlab-ci branch from add1b87 to 40d018b on January 2, 2026 16:41

greptile-apps bot left a comment

Additional Comments (2)

  1. .gitlab-ci.yml, lines 71-72

    logic: logging sensitive credentials (tokens, passwords, client secrets) to pipeline logs creates a security vulnerability

  2. .gitlab-ci.yml, line 211

    logic: NSPECT_ID is used but not validated in the build-image job's before_script section; add it to the validation loop (lines 52-77) to catch configuration issues early

2 files reviewed, 2 comments

maze88 force-pushed the add-pulse-oss-and-stig-scan-to-gitlab-ci branch from 40d018b to 94ffc29 on January 2, 2026 18:44

greptile-apps bot left a comment

Additional Comments (2)

  1. .gitlab-ci.yml, lines 72-73

    logic: this validation prints the actual secret values to logs, which is a security issue

  2. .gitlab-ci.yml, line 213

    logic: PROGRAM_VERSION will be undefined when running on branches (not tags), since NSPECT_RELEASE_VERSION is only set for tags. Is this intentional, since pulse scans only run on tags?

2 files reviewed, 2 comments

maze88 force-pushed the add-pulse-oss-and-stig-scan-to-gitlab-ci branch from 94ffc29 to 3984f43 on January 4, 2026 11:51

greptile-apps bot left a comment

Additional Comments (1)

  1. .gitlab-ci.yml, lines 72-73

    logic: Security: Secrets logged to CI output. This prints sensitive credentials (ARTIFACTORY_TOKEN, NVCR_TOKEN, GITLAB_TOKEN, GITHUB_TOKEN, SSA_CLIENT_SECRET_*) to CI logs, exposing them to anyone with log access.

2 files reviewed, 1 comment

Signed-off-by: Michael Zeevi <mzeevi@nvidia.com>
maze88 force-pushed the add-pulse-oss-and-stig-scan-to-gitlab-ci branch from 3984f43 to c9bd87b on January 5, 2026 12:41

greptile-apps bot left a comment

Additional Comments (1)

  1. .gitlab-ci.yml, lines 72-73

    logic: Security Issue: This prints sensitive secrets (tokens, passwords) to CI logs in plain text. Variables like ARTIFACTORY_TOKEN, NVCR_TOKEN, GITLAB_TOKEN, GITHUB_TOKEN, and SSA_CLIENT_SECRET_* will be exposed.

    Remove the echo statement or mask the output:

2 files reviewed, 1 comment
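As an added example (not code from the PR, the project, or the reviewer), a POSIX shell fragment showing the two fixes the review asks for: a required-variable check that logs only variable names, never values, and a release-version helper that quotes CI_COMMIT_TAG so an empty tag on a branch pipeline cannot turn into an empty regex pattern. The variable list is assumed from the names mentioned in the review, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the PR: presence-only validation of CI
# variables plus a guarded release-version helper.
set -u

# Assumed list, built from the names the review comments mention.
REQUIRED_VARS="GITHUB_TOKEN GITLAB_TOKEN ARTIFACTORY_TOKEN NVCR_TOKEN \
SSA_CLIENT_SECRET_PULSE_OSS SSA_CLIENT_SECRET_PULSE_STIG NSPECT_ID"

# Returns 0 when every variable in REQUIRED_VARS is set and non-empty,
# 1 otherwise. Only variable names reach the job log; values are never
# echoed, so a secret cannot leak through this check even when the
# CI platform's masking does not catch it.
check_required_vars() {
  missing=0
  for name in $REQUIRED_VARS; do
    # Indirect lookup; the value stays in $val and is never printed.
    eval "val=\${$name:-}"
    if [ -z "$val" ]; then
      echo "missing required variable: $name" >&2
      missing=1
    else
      echo "ok: $name is set (value not shown)"
    fi
  done
  return "$missing"
}

# Prints the release version (tag without its leading 'v') when
# CI_COMMIT_TAG is set and looks like vX.Y.Z; returns 1 on branch
# pipelines, where the tag is empty, and on non-release tags. Quoting
# the expansion is what keeps an empty tag from becoming an empty
# pattern, which is the failure mode the review pointed out.
release_version() {
  tag="${CI_COMMIT_TAG:-}"
  case "$tag" in
    "")                    return 1 ;;
    v[0-9]*.[0-9]*.[0-9]*) printf '%s\n' "${tag#v}" ;;
    *) echo "not a release tag: $tag" >&2; return 1 ;;
  esac
}

# Typical use in before_script:
#   check_required_vars || exit 1
#   if ver=$(release_version); then export PROGRAM_VERSION="$ver"; fi
```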

maze88 merged commit 01f3144 into Mellanox:master on Jan 5, 2026
5 of 6 checks passed