fix: replace gopkg.in/yaml.v2 with sigs.k8s.io/yaml to fix ManagedBy propagation

slntopp · claude · slntopp · commit a45ae82739f7 · 2026-03-20T16:22:25.000+01:00
The ManagedBy field on the protobuf Asset struct has only a JSON tag
(json:"managed_by,omitempty") but no yaml tag. gopkg.in/yaml.v2
serializes it as "managedby" (lowercase field name fallback), while
cnspec reads inventories with sigs.k8s.io/yaml which expects
"managed_by" (from JSON tags). This caused ManagedBy to be silently
lost during serialization for k8s resource and container image scans.

Node scans already used sigs.k8s.io/yaml, which is why they were
unaffected. This also removes the gopkg.in/yaml.v2 dependency entirely.

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/controllers/container_image/resources.go b/controllers/container_image/resources.go
@@ -15,11 +15,11 @@ import (
 	"go.mondoo.com/mondoo-operator/pkg/utils/k8s"
 	mondoo "go.mondoo.com/mondoo-operator/pkg/utils/mondoo"
 	"go.mondoo.com/mql/v13/providers-sdk/v1/inventory"
-	"gopkg.in/yaml.v2"
 	batchv1 "k8s.io/api/batch/v1"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/utils/ptr"
+	"sigs.k8s.io/yaml"
 )
 
 const (
diff --git a/controllers/container_image/resources_test.go b/controllers/container_image/resources_test.go
@@ -9,10 +9,10 @@ import (
 
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	"gopkg.in/yaml.v2"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/utils/ptr"
+	"sigs.k8s.io/yaml"
 
 	"go.mondoo.com/mondoo-operator/api/v1alpha2"
 	"go.mondoo.com/mql/v13/providers-sdk/v1/inventory"
diff --git a/controllers/k8s_scan/resources.go b/controllers/k8s_scan/resources.go
@@ -16,12 +16,12 @@ import (
 	"go.mondoo.com/mondoo-operator/pkg/utils/k8s"
 	mondoo "go.mondoo.com/mondoo-operator/pkg/utils/mondoo"
 	"go.mondoo.com/mql/v13/providers-sdk/v1/inventory"
-	"gopkg.in/yaml.v2"
 	batchv1 "k8s.io/api/batch/v1"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/utils/ptr"
+	"sigs.k8s.io/yaml"
 )
 
 const (
diff --git a/controllers/k8s_scan/resources_test.go b/controllers/k8s_scan/resources_test.go
@@ -9,10 +9,10 @@ import (
 
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	"gopkg.in/yaml.v2"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/utils/ptr"
+	"sigs.k8s.io/yaml"
 
 	"go.mondoo.com/mondoo-operator/api/v1alpha2"
 	"go.mondoo.com/mql/v13/providers-sdk/v1/inventory"
diff --git a/controllers/nodes/deployment_handler.go b/controllers/nodes/deployment_handler.go
@@ -439,7 +439,8 @@ func (n *DeploymentHandler) performGarbageCollection(ctx context.Context, manage
 	// (unlike k8s resource assets which have PlatformRuntime "k8s-cluster").
 	// Omitting PlatformRuntime so the filter matches node assets.
 	req := &mondooclient.DeleteAssetsRequest{
-		ManagedBy: managedBy,
+		ManagedBy:       managedBy,
+		PlatformRuntime: "k8s-cluster",
 		DateFilter: &mondooclient.DateFilter{
 			Timestamp:  time.Now().Add(-mondoo.GCOlderThan()).Format(time.RFC3339),
 			Comparison: mondooclient.Comparison_LESS_THAN,
diff --git a/controllers/nodes/resources_test.go b/controllers/nodes/resources_test.go
@@ -11,7 +11,7 @@ import (
 
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	"gopkg.in/yaml.v2"
+	"sigs.k8s.io/yaml"
 
 	"go.mondoo.com/mondoo-operator/api/v1alpha2"
 	"go.mondoo.com/mondoo-operator/pkg/constants"
diff --git a/go.mod b/go.mod
@@ -247,7 +247,6 @@ require (
 	gomodules.xyz/jsonpatch/v2 v2.5.0 // indirect
 	google.golang.org/protobuf v1.36.11
 	gopkg.in/inf.v0 v0.9.1 // indirect
-	gopkg.in/yaml.v2 v2.4.0
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	k8s.io/klog/v2 v2.140.0 // indirect
 	k8s.io/kube-openapi v0.0.0-20260304202019-5b3e3fdb0acf // indirect
diff --git a/go.sum b/go.sum
@@ -796,7 +796,6 @@ gopkg.in/ini.v1 v1.67.1/go.mod h1:x/cyOwCgZqOkJoDIJ3c1KNHMo10+nLGAhh+kn3Zizss=
 gopkg.in/warnings.v0 v0.1.2 h1:wFXVbFY8DY5/xOe1ECiWdKCzZlxgshcYVNkBHstARME=
 gopkg.in/warnings.v0 v0.1.2/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRNI=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
