chore(deps): Bump k8s.io/apiextensions-apiserver from 0.35.4 to 0.36.0 in /kagenti-operator #222

Workflow file for this run

.github/workflows/security-scans.yaml at 600602b

	# Security Scans - Comprehensive security checks
	#
	# Jobs:
	# - Dependency Review (always)
	# - Shellcheck (shell scripts)
	# - YAML Lint (workflows, charts)
	# - Helm Lint (charts/)
	# - Hadolint (Dockerfiles)
	# - Trivy (filesystem + IaC)
	# - CodeQL (Go)
	# - Action Pinning (informational)
	#
	name: Security Scans

	on:
	pull_request:
	branches: [main]

	permissions: {}

	jobs:
	# ============================================================================
	# Phase 0: Foundations
	# ============================================================================

	dependency-review:
	name: Dependency Review
	runs-on: ubuntu-latest
	# TODO: Remove continue-on-error after enabling Dependency Graph in
	# repo Settings > Code security and analysis
	continue-on-error: true
	permissions:
	contents: read
	steps:
	- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

	- name: Dependency Review
	uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4
	with:
	fail-on-severity: moderate
	deny-licenses: GPL-3.0, AGPL-3.0
	comment-summary-in-pr: never

	shellcheck:
	name: Shell Script Lint
	runs-on: ubuntu-latest
	permissions:
	contents: read
	steps:
	- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

	- name: Install shellcheck
	run: sudo apt-get install -y shellcheck

	- name: Run shellcheck
	run: \|
	SCRIPTS=$(find . -name "*.sh" -type f 2>/dev/null \| grep -v ".git/" \|\| true)
	if [ -z "$SCRIPTS" ]; then
	echo "No shell scripts found"
	exit 0
	fi
	echo "Found scripts:"
	echo "$SCRIPTS"
	echo ""
	FAILED=0
	for script in $SCRIPTS; do
	echo "Checking: $script"
	if ! shellcheck --severity=error "$script"; then
	FAILED=1
	fi
	done
	if [ $FAILED -eq 1 ]; then
	echo "ERROR: Some scripts have shellcheck errors."
	exit 1
	fi
	echo "All scripts passed shellcheck (error level)"

	# ============================================================================
	# Phase A: Linting
	# ============================================================================

	yamllint:
	name: YAML Lint
	runs-on: ubuntu-latest
	permissions:
	contents: read
	steps:
	- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

	- name: Install yamllint
	run: pip install yamllint==1.*

	- name: Create config
	run: \|
	cat > .yamllint.yaml << 'EOF'
	extends: relaxed
	ignore: \|
	charts/*/templates/
	rules:
	line-length:
	max: 150
	level: warning
	truthy:
	check-keys: false
	document-start: disable
	comments:
	min-spaces-from-content: 1
	indentation:
	spaces: 2
	indent-sequences: whatever
	EOF

	- name: Lint YAML files
	run: \|
	yamllint -c .yamllint.yaml \
	.github/workflows/ \
	charts/ \|\| true
	echo ""
	echo "=== Summary ==="
	yamllint -c .yamllint.yaml -f parsable \
	.github/workflows/ charts/ > /tmp/yamllint_output.txt 2>&1 \|\| true
	ERROR_COUNT=$(grep -c ":error:" /tmp/yamllint_output.txt 2>/dev/null \|\| echo "0")
	echo "Errors: $ERROR_COUNT"
	if [ "$ERROR_COUNT" -gt 0 ] 2>/dev/null; then
	echo "ERROR: YAML files have syntax errors."
	exit 1
	fi

	helm-lint:
	name: Helm Chart Lint
	runs-on: ubuntu-latest
	permissions:
	contents: read
	steps:
	- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

	- name: Set up Helm
	uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0
	with:
	version: 'v3.14.0'

	- name: Lint Helm charts
	run: \|
	for chart in charts/*/; do
	if [ -f "$chart/Chart.yaml" ]; then
	echo "Linting: $chart"
	# Informational only — don't fail on pre-existing chart issues
	helm lint "$chart" 2>&1 \|\| true
	echo ""
	fi
	done

	# ============================================================================
	# Phase B: Container/IaC Security
	# ============================================================================

	hadolint:
	name: Dockerfile Lint (Hadolint)
	runs-on: ubuntu-latest
	permissions:
	contents: read
	steps:
	- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

	- name: Find Dockerfiles
	id: find-dockerfiles
	run: \|
	DOCKERFILES=$(find . -name "Dockerfile*" -type f 2>/dev/null \| grep -v ".git/" \|\| true)
	if [ -z "$DOCKERFILES" ]; then
	echo "has_dockerfiles=false" >> "$GITHUB_OUTPUT"
	else
	echo "Found Dockerfiles:"
	echo "$DOCKERFILES"
	echo "has_dockerfiles=true" >> "$GITHUB_OUTPUT"
	fi

	- name: Run Hadolint
	if: steps.find-dockerfiles.outputs.has_dockerfiles == 'true'
	uses: hadolint/hadolint-action@2332a7b74a6de0dda2e2221d575162eba76ba5e5 # v3.3.0
	with:
	dockerfile: "*/Dockerfile"
	recursive: true
	failure-threshold: error
	# DL3007: Using latest tag, DL3008: Unpinned apt packages
	# DL3015: No --no-install-recommends, DL3059: Multiple consecutive RUN
	ignore: DL3007,DL3008,DL3015,DL3059

	trivy-fs:
	name: Trivy Filesystem Scan
	runs-on: ubuntu-latest
	permissions:
	contents: read
	steps:
	- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

	- name: Dependency vulnerability scan (informational)
	uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
	with:
	scan-type: 'fs'
	scan-ref: '.'
	severity: 'CRITICAL,HIGH'
	exit-code: '0'
	ignore-unfixed: true
	format: 'table'

	- name: IaC config scan (informational)
	# Informational until pre-existing K8s security issues are addressed
	uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
	with:
	scan-type: 'config'
	scan-ref: '.'
	severity: 'CRITICAL,HIGH,MEDIUM'
	skip-dirs: 'kagenti-operator/demos'
	exit-code: '0'
	format: 'table'

	# ============================================================================
	# Phase C: Advanced Security
	# ============================================================================

	codeql:
	name: CodeQL Analysis (Go)
	runs-on: ubuntu-latest
	permissions:
	security-events: write
	contents: read
	steps:
	- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

	- name: Initialize CodeQL
	uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
	with:
	languages: go
	queries: security-extended

	- name: Autobuild
	uses: github/codeql-action/autobuild@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4

	- name: Perform CodeQL Analysis
	uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
	with:
	category: "/language:go"

	action-pinning:
	name: Verify Action Pinning
	runs-on: ubuntu-latest
	permissions:
	contents: read
	steps:
	- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

	- name: Check for unpinned GitHub Actions
	run: \|
	echo "=== Checking for unpinned GitHub Actions ==="
	UNPINNED=$(grep -rh 'uses:' .github/workflows/ \| grep -E 'uses:.*@' \| grep -vE '@[0-9a-f]{40}' \| sort -u \|\| true)
	if [ -n "$UNPINNED" ]; then
	echo "::warning::Found actions not pinned to SHA commits:"
	echo "$UNPINNED"
	COUNT=$(echo "$UNPINNED" \| wc -l \| tr -d ' ')
	echo "Total unpinned actions: $COUNT"
	echo "NOTE: This check is informational."
	else
	echo "All actions are pinned to SHA commits!"
	fi
	exit 0

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): Bump k8s.io/apiextensions-apiserver from 0.35.4 to 0.36.0 in /kagenti-operator #222

Workflow file

chore(deps): Bump k8s.io/apiextensions-apiserver from 0.35.4 to 0.36.0 in /kagenti-operator #222

Uh oh!

Workflow file for this run