OCM-00000 | ci: fix security-check#161
Signed-off-by: Amanda Hager Lopes de Andrade Katz <amanda.katz@redhat.com>
Walkthrough: The pull request enables pip3-based Python package management in the Docker build environment and refactors checkov installation to use a platform-dependent strategy: Linux systems install via pip3 into a local directory with a wrapper script, while non-Linux platforms restrict to macOS/Windows release binaries with pinned SHA256 verification.
Changes: Platform-aware checkov installation with pip3 support
@coderabbitai review |
✅ Action performedReview finished.
Actionable comments posted: 1
Inline comments:
In `@hack/install-release-tool.sh`:
- Around line 136-143: The Linux install path in hack/install-release-tool.sh
currently runs pip3 install --target "$lib_dir" "checkov==${version}" without
hash verification; change that to install from a repo-maintained, versioned
requirements-with-hashes file (e.g., hack/checkov-<version>-requirements.txt or
reuse hack/checksums/checkov-<version>.sha256sums converted to a requirements
file) and invoke pip3 install --no-cache-dir --target "$lib_dir"
--require-hashes -r "<path-to-requirements-with-hashes>" instead of the plain
package spec; update the script locations/variables referenced (lib_dir,
dest_bin, version) to point to the new requirements file and add a note in
AGENTS.md clarifying that the checksum/require-hashes contract applies to the
Linux pip flow as well (or explicitly state it only applies to the non-Linux zip
flow if that is intended).
Files selected for processing (2): Dockerfile, hack/install-release-tool.sh
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: amandahla, olucasfreitas. The full list of commands accepted by this bot can be found here. The pull request process is described here.
Details: Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
/override ci/prow/rosa-hcp-private
@amandahla: Overrode contexts on behalf of amandahla: ci/prow/rosa-hcp-private, ci/prow/rosa-hcp-public
Details: In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
Merged commit ebde8af into terraform-redhat:main
@amandahla: The following tests failed, say
Full PR test history. Your PR dashboard.
Details: Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
PR Summary
Fix `checkov` installation on UBI9/RHEL9 (glibc 2.34) by installing via `pip3` on Linux instead of using the PyInstaller release zip, which requires glibc ≥ 2.38.
Detailed Description of the Issue
The checkov GitHub release binaries are PyInstaller bundles that require GLIBC ≥ 2.38. The CI Dockerfile is based on UBI9/RHEL9 (glibc 2.34), so the zip-based install silently fails or errors at runtime. On Linux, `install-release-tool.sh` now installs checkov via `pip3 install --target` into a private lib dir and wraps it in a launcher script. The zip-based path is retained for macOS and Windows.
Related Issues and PRs
#
Type of Change
Previous Behavior
`install-release-tool.sh checkov` on Linux downloaded the PyInstaller zip from GitHub releases, which requires GLIBC ≥ 2.38 and fails on UBI9/RHEL9. `python3-pip` was not installed in the Dockerfile.
Behavior After This Change
On Linux, checkov is installed via `pip3` into a private directory (`$dest_dir/.checkov-lib`) and invoked through a wrapper script that sets `PYTHONPATH`. On non-Linux platforms the existing zip-based install path is preserved. The Dockerfile now installs `python3-pip` to satisfy the Linux pip3 prerequisite.
How to Test (Step-by-Step)
Preconditions
`RHCS_TOKEN` and AWS credentials for full CI runs (N/A for this isolated change).
Test Steps
1. `docker build -t rhcs-ci .`
2. `docker run --rm rhcs-ci bash -c "/path/to/hack/install-release-tool.sh checkov <version> /usr/local/bin && checkov --version"`
3. `checkov --version` outputs the expected version without a glibc error.
Expected Results
`checkov` installs successfully and reports its version on a UBI9/RHEL9 container.
Proof of the Fix
Breaking Changes
Breaking Change Details / Migration Plan
Developer Verification Checklist
- `rhcs` resources/variables), I linked official Red Hat or cited ROSA HCP documentation that supports reference alignment, or I explained why the change still belongs in-repo per "Module scope (AWS-only vs core HCP)" in `.cursor/rules/rosa-hcp-terraform.mdc`.
- `[JIRA-TICKET] | [TYPE]: <MESSAGE>`.
- `make pre-push-checks` passes (or each step: `verify`, `verify-gen`, `lint`, `unit-tests`, `license-check`, `docs-lint`).
- `make terraform-docs`).
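The following is an added example and not the repository's own `hack/install-release-tool.sh`. It sketches the Linux flow the PR body describes (`pip3 install --target` into a private lib dir, plus a launcher that sets `PYTHONPATH`) and folds in the review comment's ask: the Linux path installs only from a repo-maintained requirements file with `--hash` pins under `--require-hashes`, and refuses to run `pip3` if any requirement line lacks a pin. Assumed, not taken from the page: that `pip3 --target` places the console script at `<target>/bin/checkov`, the function names, and the `checkov==3.2.0` / `hack/checkov-3.2.0-requirements.txt` sample values, which are constructed.

```shell
#!/usr/bin/env bash
# Added example (not the project's script): hash-pinned pip3 install into a
# private lib dir plus a PYTHONPATH launcher, as described in the PR and the
# review comment. Function names and sample paths are assumptions.
set -euo pipefail

# Return 0 if every requirement line (after joining backslash continuations)
# carries a --hash=sha256: pin; otherwise report the offenders and return 1.
# Lines starting with '-' (pip options such as -r or --no-binary) are skipped,
# so an included requirements file is not checked transitively here.
require_hashes_present() {
  local req_file="$1" line buf='' lineno=0 rc=0
  while IFS= read -r line || [ -n "$line" ]; do
    lineno=$((lineno + 1))
    if [ "${line%\\}" != "$line" ]; then        # trailing backslash: continuation
      buf="$buf${line%\\}"
      continue
    fi
    line="$buf$line"
    buf=''
    line="${line#"${line%%[![:space:]]*}"}"      # strip leading whitespace
    case "$line" in
      ''|'#'*|'-'*) continue ;;                   # blank, comment, pip option
      *'--hash=sha256:'*) ;;                      # pinned: ok
      *) printf 'line %d lacks a --hash=sha256 pin: %s\n' "$lineno" "$line" >&2
         rc=1 ;;
    esac
  done < "$req_file"
  return "$rc"
}

# Write the launcher into "$dest_dir/checkov": it puts the private lib dir on
# PYTHONPATH and execs the console script that pip --target is assumed to have
# placed under "$lib_dir/bin".
write_checkov_wrapper() {
  local dest_dir="$1" lib_dir="$2"
  mkdir -p "$dest_dir"
  cat > "$dest_dir/checkov" <<EOF
#!/bin/sh
# Generated launcher for checkov installed with: pip3 install --target "$lib_dir"
export PYTHONPATH="$lib_dir\${PYTHONPATH:+:\$PYTHONPATH}"
exec "$lib_dir/bin/checkov" "\$@"
EOF
  chmod 0755 "$dest_dir/checkov"
}

# Linux path: refuse unpinned input, install under --require-hashes into the
# private lib dir, then write the launcher next to it.
install_checkov_linux() {
  local req_file="$1" dest_dir="$2"
  local lib_dir="$dest_dir/.checkov-lib"
  require_hashes_present "$req_file"
  pip3 install --no-cache-dir --target "$lib_dir" --require-hashes -r "$req_file"
  write_checkov_wrapper "$dest_dir" "$lib_dir"
}

# Usage (assumed file name, not run here):
#   install_checkov_linux hack/checkov-3.2.0-requirements.txt /usr/local/bin
```

With `--require-hashes`, pip also rejects any transitive dependency that is not listed with a hash, so the requirements file has to be a fully resolved lock (for example produced with `pip-compile --generate-hashes`), not just the single `checkov==<version>` line; the pre-check above only catches the obvious case of a line with no pin at all.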