
OCM-00000 | ci: fix security-check#161

Merged: openshift-merge-bot[bot] merged 1 commit into terraform-redhat:main from amandahla:fix-security-check on Jun 11, 2026

Conversation

@amandahla amandahla commented Jun 11, 2026

Member

PR Summary

Fix checkov installation on UBI9/RHEL9 (glibc 2.34) by installing via pip3 on Linux instead of using the PyInstaller release zip, which requires glibc ≥ 2.38.

Detailed Description of the Issue

The checkov GitHub release binaries are PyInstaller bundles that require GLIBC ≥ 2.38. The CI Dockerfile is based on UBI9/RHEL9 (glibc 2.34), so the zip-based install silently fails or errors at runtime. On Linux, install-release-tool.sh now installs checkov via pip3 install --target into a private lib dir and wraps it in a launcher script. The zip-based path is retained for macOS and Windows.

Related Issues and PRs

  • Jira: OCM-00000
  • Fixes: #
  • Related PR(s):
  • Related design/docs:

Type of Change

  • feat - adds a new module capability or new user-facing behavior.
  • fix - resolves incorrect module behavior or bug.
  • docs - updates documentation only.
  • style - formatting/naming changes with no logic impact.
  • refactor - module code restructuring with no behavior change.
  • test - adds or updates tests only.
  • chore - maintenance work (tooling, housekeeping, non-product code).
  • build - changes build system, packaging, or dependencies for build output.
  • ci - changes CI pipelines, jobs, or automation workflows.
  • perf - improves performance without changing intended behavior.

Previous Behavior

install-release-tool.sh checkov on Linux downloaded the PyInstaller zip from GitHub releases, which requires GLIBC ≥ 2.38 and fails on UBI9/RHEL9. python3-pip was not installed in the Dockerfile.

Behavior After This Change

On Linux, checkov is installed via pip3 into a private directory ($dest_dir/.checkov-lib) and invoked through a wrapper script that sets PYTHONPATH. On non-Linux platforms the existing zip-based install path is preserved. The Dockerfile now installs python3-pip to satisfy the Linux pip3 prerequisite.

How to Test (Step-by-Step)

Preconditions

  • Docker with UBI9/RHEL9-based image build capability.
  • RHCS_TOKEN and AWS credentials for full CI runs (N/A for this isolated change).

Test Steps

  1. Build the CI Docker image: docker build -t rhcs-ci .
  2. Run inside the container: docker run --rm rhcs-ci bash -c "/path/to/hack/install-release-tool.sh checkov <version> /usr/local/bin && checkov --version"
  3. Verify checkov --version outputs the expected version without a glibc error.

Expected Results

checkov installs successfully and reports its version on a UBI9/RHEL9 container.

Proof of the Fix

  • Screenshots:
  • Videos:
  • Logs/CLI output:
  • Other artifacts:

Breaking Changes

  • No breaking changes
  • Yes, this PR introduces a breaking change (describe impact and migration plan below)

Breaking Change Details / Migration Plan

Developer Verification Checklist

  • AWS-only changes: If this PR is mainly AWS-only (no rhcs resources/variables), I linked official Red Hat or cited ROSA HCP documentation that supports reference alignment, or I explained why the change still belongs in-repo per Module scope (AWS-only vs core HCP) in .cursor/rules/rosa-hcp-terraform.mdc.
  • I checked if this affects terraform-rhcs-rosa-classic and submitted (or already submitted) a companion PR when needed.
  • Commit subject/title follows [JIRA-TICKET] | [TYPE]: <MESSAGE>.
  • PR description clearly explains both what changed and why.
  • Relevant Jira/GitHub issues and related PRs are linked.
  • Tests were added/updated where appropriate.
  • I manually tested the change.
  • make pre-push-checks passes (or each step: verify, verify-gen, lint, unit-tests, license-check, docs-lint).
  • Documentation was added/updated where appropriate (see make terraform-docs).
  • Any risk, limitation, or follow-up work is documented.

Signed-off-by: Amanda Hager Lopes de Andrade Katz <amanda.katz@redhat.com>
coderabbitai Bot commented Jun 11, 2026


Walkthrough

The pull request enables pip3-based Python package management in the Docker build environment and refactors checkov installation to use a platform-dependent strategy: Linux systems install via pip3 into a local directory with a wrapper script, while non-Linux platforms restrict to macOS/Windows release binaries with pinned SHA256 verification.

Changes

Platform-aware checkov installation with pip3 support

Layer: Python3-pip in Docker base image
File(s): Dockerfile
Summary: Docker yum install command now includes python3-pip alongside existing build utilities, enabling Python package installation in the container.

Layer: Platform-aware checkov installation
File(s): hack/install-release-tool.sh
Summary: Checkov installation is now platform-dependent: Linux installs via pip3 into a local .checkov-lib directory with a PYTHONPATH wrapper executable; non-Linux platforms restrict to macOS/Windows release archives and enforce SHA256 checksum verification against pinned files.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 6
✅ Passed checks (6 passed)
Check name | Status | Explanation
Title check | Passed | The title 'OCM-00000 | ci: fix security-check' directly matches the primary changes: adding python3-pip to Dockerfile and refactoring checkov installation in hack/install-release-tool.sh to fix security concerns.
Docstring Coverage | Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check | Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | Passed | Check skipped because no linked issues were found for this pull request.
Pr Checklist Claims Vs Evidence (Generic) | Passed | No checklist items are marked as checked ([x]) in the PR description; all items remain unchecked ([ ]), so no claims require verification.
Description check | Passed | PR description follows template structure with clear problem statement, detailed solution explanation, type of change selection, testing steps, and verification checklist items completed.


@amandahla

Member Author

@coderabbitai review

coderabbitai Bot commented Jun 11, 2026

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@hack/install-release-tool.sh`:
- Around line 136-143: The Linux install path in hack/install-release-tool.sh
currently runs pip3 install --target "$lib_dir" "checkov==${version}" without
hash verification; change that to install from a repo-maintained, versioned
requirements-with-hashes file (e.g., hack/checkov-<version>-requirements.txt or
reuse hack/checksums/checkov-<version>.sha256sums converted to a requirements
file) and invoke pip3 install --no-cache-dir --target "$lib_dir"
--require-hashes -r "<path-to-requirements-with-hashes>" instead of the plain
package spec; update the script locations/variables referenced (lib_dir,
dest_bin, version) to point to the new requirements file and add a note in
AGENTS.md clarifying that the checksum/require-hashes contract applies to the
Linux pip flow as well (or explicitly state it only applies to the non-Linux zip
flow if that is intended).

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 8ffa166d-c3af-4238-8bf2-75e0f78f393f

📥 Commits

Reviewing files that changed from the base of the PR and between 8f49326 and 187643d.

📒 Files selected for processing (2)
  • Dockerfile
  • hack/install-release-tool.sh

Comment thread hack/install-release-tool.sh
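The two install flows discussed in this thread (the PR's pip3 --target install into a private lib dir with a PYTHONPATH wrapper on Linux, and the review bot's point that the pip path should be hash-pinned like the sha256-verified zip path) as an added shell example. This is not the project's hack/install-release-tool.sh; function names, the glibc 2.38 threshold check, the sha256sums file layout and the requirements-with-hashes file path are assumptions, and the pip and unzip calls are not exercised offline.

```shell
#!/usr/bin/env bash
# Added example (not the project's install-release-tool.sh): platform-aware
# checkov install helper. Linux hosts with glibc older than 2.38 use a
# hash-pinned pip3 --target install plus a PYTHONPATH wrapper; other hosts
# verify the release archive against a pinned sha256sums file. Names, paths
# and the requirements-file layout below are assumptions.
set -eu

# Choose "pip" for Linux hosts whose glibc is below 2.38 (the version the
# PyInstaller release bundles need; UBI9/RHEL9 ships 2.34), else "zip".
# Arguments: OS name as printed by `uname -s`, glibc version "MAJOR.MINOR".
choose_install_strategy() {
  local os="$1" glibc="$2" major minor
  if [ "$os" = "Linux" ]; then
    major="${glibc%%.*}"
    minor="${glibc#*.}"; minor="${minor%%.*}"
    if [ "$major" -lt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -lt 38 ]; }; then
      echo pip
      return 0
    fi
  fi
  echo zip
}

# Read the host glibc version from `ldd --version` ("ldd (GNU libc) 2.34").
# Falls back to 0.0 (which selects the pip path) when the format is unknown.
detect_glibc_version() {
  ldd --version 2>/dev/null | head -n1 | grep -oE '[0-9]+\.[0-9]+$' || echo "0.0"
}

# Verify a downloaded archive against a pinned sha256sums file written in
# `sha256sum` format ("<hex>  <filename>"). Fails closed when the file has
# no pinned digest or the digest does not match.
verify_sha256() {
  local file="$1" sums="$2" expected actual
  expected=$(awk -v f="$(basename "$file")" '$2 == f { print $1 }' "$sums")
  if [ -z "$expected" ]; then
    echo "no pinned digest for $(basename "$file") in $sums" >&2
    return 1
  fi
  actual=$(sha256sum "$file" | awk '{ print $1 }')
  [ "$expected" = "$actual" ]
}

# Write the launcher a pip --target install needs: pip places the console
# script under "$lib_dir/bin" and the packages under "$lib_dir", so the
# wrapper exports PYTHONPATH and execs the real entry point.
write_wrapper() {
  local dest_bin="$1" lib_dir="$2"
  cat > "$dest_bin" <<EOF
#!/usr/bin/env bash
export PYTHONPATH="$lib_dir\${PYTHONPATH:+:\$PYTHONPATH}"
exec "$lib_dir/bin/checkov" "\$@"
EOF
  chmod 0755 "$dest_bin"
}

# Linux path: hash-pinned pip install. The requirements file (assumed
# location, e.g. hack/checkov-<version>-requirements.txt) must list checkov
# and every transitive dependency with --hash entries, one per line, e.g.
#   checkov==<version> --hash=sha256:<digest>
# (produced with `pip hash` or `pip-compile --generate-hashes`). With
# --require-hashes pip rejects any distribution that is unlisted or whose
# digest differs, giving the pip flow the same pinning the zip flow has.
install_checkov_pip() {
  local lib_dir="$1" dest_bin="$2" requirements="$3"
  rm -rf "$lib_dir"
  mkdir -p "$lib_dir"
  pip3 install --no-cache-dir --target "$lib_dir" --require-hashes -r "$requirements"
  write_wrapper "$dest_bin" "$lib_dir"
}

# Non-Linux path: verify the pinned digest before unpacking the archive.
install_checkov_zip() {
  local archive="$1" sums="$2" dest_dir="$3"
  verify_sha256 "$archive" "$sums"
  unzip -o -q "$archive" -d "$dest_dir"
}

# Usage sketch (not executed here; paths are placeholders):
#   case "$(choose_install_strategy "$(uname -s)" "$(detect_glibc_version)")" in
#     pip) install_checkov_pip "$dest_dir/.checkov-lib" "$dest_dir/checkov" "$requirements" ;;
#     zip) install_checkov_zip "$archive" "$sums" "$dest_dir" ;;
#   esac
```

The wrapper keeps the private lib dir out of the system site-packages, so a checkov dependency cannot shadow a module used by other tooling in the image; the `--require-hashes` call is the part that closes the gap the review comment points at, since a plain `pip3 install checkov==<version>` pins only the name and version of the top-level package, not the bytes of it or of its dependencies.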
@olucasfreitas

Contributor

/lgtm
/approve

@openshift-ci

openshift-ci Bot commented Jun 11, 2026


[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: amandahla, olucasfreitas

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details: Needs approval from an approver in each of these files:
  • OWNERS [amandahla,olucasfreitas]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@amandahla

Member Author

/override ci/prow/rosa-hcp-private
/override ci/prow/rosa-hcp-public

@openshift-ci

openshift-ci Bot commented Jun 11, 2026


@amandahla: Overrode contexts on behalf of amandahla: ci/prow/rosa-hcp-private, ci/prow/rosa-hcp-public

Details

In response to this:

/override ci/prow/rosa-hcp-private
/override ci/prow/rosa-hcp-public

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-merge-bot openshift-merge-bot Bot merged commit ebde8af into terraform-redhat:main Jun 11, 2026
11 checks passed
@openshift-ci

openshift-ci Bot commented Jun 11, 2026


@amandahla: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name | Commit | Details | Required | Rerun command
ci/prow/pre-push-checks | 187643d | link | unknown | /test pre-push-checks
ci/prow/rosa-hcp-public | 187643d | link | unknown | /test rosa-hcp-public
ci/prow/rosa-hcp-private | 187643d | link | unknown | /test rosa-hcp-private


Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
