ROSAENG-60028: Add optional Snyk security scan for terraform-provider-rhcs#81079

Merged: openshift-merge-bot[bot] merged 1 commit into openshift:main from amandahla:ROSAENG-60028-provider on Jun 29, 2026

Conversation

@amandahla (Contributor) commented Jun 25, 2026

Summary

Add optional Snyk security scanning (openshift-ci-security) to terraform-redhat/terraform-provider-rhcs on main so PRs get dependency and code scans without blocking merge.

Type of change

ci

Related

ROSAENG-60028

Changes

  • Add security test to ci-operator/config/terraform-redhat/terraform-provider-rhcs/terraform-redhat-terraform-provider-rhcs-main.yaml using the openshift-ci-security workflow.
  • Set optional: true so failures do not block Tide or merge.
  • Enable dependency scanning (SNYK_ENABLE_DEPS_SCAN: "true") and code scan severity threshold high (SNYK_CODE_ADDITIONAL_ARGS: --severity-threshold=high).
  • Reuse the same skip_if_only_changed pattern as pre-push-checks (skips docs/metadata-only PRs).
  • Regenerate ci-operator/jobs/terraform-redhat/terraform-provider-rhcs/terraform-redhat-terraform-provider-rhcs-main-presubmits.yaml (ci/prow/security presubmit).
  • No change to _prowconfig.yaml required checks (ci/prow/pre-push-checks remains the only required context).

Breaking changes

No.

Testing / validation

  • make update
  • make ci-operator-checkconfig
  • make jobs (prowgen + sanitize-prow-jobs)
  • make checkconfig — failed locally with stat /release/core-services/prow/02_config: invalid argument (container volume mount on this host); CI on the PR should run this check

Summary by CodeRabbit

This update extends CI for terraform-redhat/terraform-provider-rhcs on main by adding an optional security presubmit in ci-operator that runs the openshift-ci-security workflow (Snyk). The scan is configured to (1) enable dependency scanning and (2) enforce a high severity threshold for code findings, while using the existing skip_if_only_changed pattern to avoid running on docs/metadata-only PRs. The regenerated presubmit job config now includes pull-ci-terraform-redhat-terraform-provider-rhcs-main-security.

The component’s _prowconfig.yaml required context remains unchanged, so ci/prow/pre-push-checks is still the only required check for merging.

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jun 25, 2026
@openshift-ci-robot (Contributor) commented Jun 25, 2026

@amandahla: This pull request references ROSAENG-60028 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@coderabbitai (Bot) commented Jun 25, 2026

Walkthrough

Adds an optional security presubmit stage to the terraform-provider-rhcs CI config. It conditionally skips doc/pattern-only changes and runs openshift-ci-security with Snyk dependency scanning and a Go module pre-execution hook.

Changes

Security presubmit configuration

Layer: Optional security presubmit
File(s): ci-operator/config/terraform-redhat/terraform-provider-rhcs/terraform-redhat-terraform-provider-rhcs-main.yaml
Summary: Adds an optional security stage with skip_if_only_changed, openshift-ci-security, and Snyk dependency scanning plus a Go module pre-execution hook.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Possibly related PRs

  • openshift/release#80912: Also changes skip_if_only_changed behavior for optional terraform-provider-rhcs CI tests.

Suggested labels

rehearsals-ack

Suggested reviewers

  • olucasfreitas
  • BraeTroutman
Pre-merge checks: 15 passed

  • Description Check: Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: Passed. The title accurately describes the main change: adding an optional Snyk security scan for terraform-provider-rhcs.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.
  • Stable And Deterministic Test Names: Passed. PR only edits CI operator YAML; no Ginkgo test definitions or titles were added or changed, so no unstable test names are present.
  • Test Structure And Quality: Passed. PR only changes CI YAML; no Ginkgo test files or test blocks were modified, so this test-quality checklist is not applicable.
  • Microshift Test Compatibility: Passed. PR only edits ci-operator YAML/job config; no Ginkgo test sources or new It/Describe/Context/When blocks to assess for MicroShift APIs.
  • Single Node Openshift (Sno) Test Compatibility: Passed. Config-only change adds a ci/prow security scan job; no new Ginkgo e2e tests or multi-node assumptions were introduced.
  • Topology-Aware Scheduling Compatibility: Passed. CI-only change adds a prow security job; no deployment manifests, operators, or controllers were modified, so no topology-aware scheduling risk.
  • Ote Binary Stdout Contract: Passed. PR only changes ci-operator YAML/presubmit generation; no Go/OTE binary code or stdout writes in main/suite setup are touched.
  • Ipv6 And Disconnected Network Test Compatibility: Passed. Only ci-operator/job YAML changed; no Ginkgo e2e test code or network/IP logic was added, so this IPv6/disconnected check is not applicable.
  • No-Weak-Crypto: Passed. Changed files only add a Snyk CI test; no MD5/SHA1/DES/RC4/3DES/Blowfish, ECB mode, custom crypto, or secret-comparison code was introduced.
  • Container-Privileges: Passed. The added security job only sets a ci-operator workflow and env vars; no privileged/root/hostNetwork/allowPrivilegeEscalation/SYS_ADMIN settings appear in the changed manifests.
  • No-Sensitive-Data-In-Logs: Passed. The added security job only sets env vars and workflow; no logging statements or sensitive literals (passwords/tokens/PII) were introduced.

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 25, 2026
@amandahla (Contributor, Author):

/pj-rehearse security

@openshift-merge-bot (Contributor):

@amandahla: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@openshift-merge-bot (Contributor):

@amandahla: job(s): security either don't exist or were not found to be affected, and cannot be rehearsed

@amandahla (Contributor, Author):

/pj-rehearse list

@openshift-merge-bot (Contributor):

@amandahla: your /pj-rehearse request was not processed because the request waited in queue for longer than 5 minutes. Please retry in a few minutes.

@amandahla (Contributor, Author):

/pj-rehearse list

@openshift-merge-bot (Contributor):

@amandahla: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@amandahla (Contributor, Author) commented Jun 25, 2026

/pj-rehearse pull-ci-terraform-redhat-terraform-provider-rhcs-main-security

@openshift-merge-bot (Contributor):

@amandahla: your /pj-rehearse request was not processed because the request waited in queue for longer than 5 minutes. Please retry in a few minutes.

@amandahla force-pushed the ROSAENG-60028-provider branch from ac25028 to 98a5fc0 on June 25, 2026 17:14

@amandahla (Contributor, Author):

/pj-rehearse pull-ci-terraform-redhat-terraform-provider-rhcs-main-security

@openshift-merge-bot (Contributor):

@amandahla: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@amandahla force-pushed the ROSAENG-60028-provider branch from 98a5fc0 to b93c7d4 on June 25, 2026 20:01

@amandahla (Contributor, Author):

/pj-rehearse pull-ci-terraform-redhat-terraform-provider-rhcs-main-security

@openshift-merge-bot (Contributor):

@amandahla: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@amandahla (Contributor, Author):

Blocked:
Status: 404 Not Found (SNYK-OPENAPI-0004)
snyk dependencies scan failed

@amandahla force-pushed the ROSAENG-60028-provider branch from b93c7d4 to 62fdad4 on June 26, 2026 12:22

@amandahla (Contributor, Author):

/pj-rehearse pull-ci-terraform-redhat-terraform-provider-rhcs-main-security

@openshift-merge-bot (Contributor):

@amandahla: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@amandahla force-pushed the ROSAENG-60028-provider branch from 62fdad4 to d832498 on June 26, 2026 14:01

@amandahla (Contributor, Author):

/pj-rehearse pull-ci-terraform-redhat-terraform-provider-rhcs-main-security

@openshift-merge-bot (Contributor):

@amandahla: your /pj-rehearse request was not processed because the request waited in queue for longer than 5 minutes. Please retry in a few minutes.

@amandahla force-pushed the ROSAENG-60028-provider branch from d832498 to 6c9f5ea on June 26, 2026 18:30
@openshift-ci openshift-ci Bot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jun 26, 2026
@openshift-merge-bot (Contributor):

@amandahla, pj-rehearse: unable to determine affected jobs. This could be due to a branch that needs to be rebased. ERROR:

couldn't prepare candidate: couldn't rebase candidate onto cd8e6cf2c6c4c25d05fe15966cb5ee0baef451c0 due to conflicts
Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

@coderabbitai (Bot) left a review comment

Actionable comments posted: 2

Prompt for all review comments with AI agents: Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate.

Inline comments in ci-operator/config/terraform-redhat/terraform-provider-rhcs/terraform-redhat-terraform-provider-rhcs-main.yaml:

  • Line 29: The SNYK_PRE_EXECUTION_HOOK_CMD currently vendors dependencies before cleaning the module graph, which can leave the vendored tree stale for the scan. Update the command so go mod tidy runs before go mod vendor, keeping the vendored dependencies in sync; use the SNYK_PRE_EXECUTION_HOOK_CMD entry in the terraform-provider-rhcs config to make the change.
  • Line 24: The skip_if_only_changed regex in the terraform-provider-rhcs CI config is using the wrong golangci filename pattern. Update the pattern in the skip_if_only_changed entry to match the actual conventional file name used by terraform-redhat/terraform-provider-rhcs, referenced by the skip regex in this config, so changes to .golangci.yml are correctly covered by the skip condition.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: e16a7015-8294-4141-abba-02f26443c6e3

📥 Commits

Reviewing files that changed from the base of the PR and between b93c7d4 and 6c9f5ea.

⛔ Files ignored due to path filters (1)
  • ci-operator/jobs/terraform-redhat/terraform-provider-rhcs/terraform-redhat-terraform-provider-rhcs-main-presubmits.yaml is excluded by !ci-operator/jobs/**
📒 Files selected for processing (1)
  • ci-operator/config/terraform-redhat/terraform-provider-rhcs/terraform-redhat-terraform-provider-rhcs-main.yaml
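As an added example (not code from this PR or from the openshift/release repository), the following Python lints a constructed ci-operator test entry for the properties the PR description and the review above discuss: the scan stays optional, dependency scanning is on, the code scan threshold is high, the pre-execution hook runs go mod tidy before go mod vendor, and the skip_if_only_changed regex covers .golangci.yml without skipping Go changes. The entry, its skip regex and its hook command are assumptions constructed to reproduce both review findings.

```python
import copy
import re

# Constructed ci-operator test entry modelled on the PR description and the
# review comments (not the repository's actual file). The skip regex and the
# pre-execution hook command are assumptions that reproduce both review findings.
CONSTRUCTED_TEST_ENTRY = {
    "as": "security",
    "optional": True,
    "skip_if_only_changed": r"^docs/|\.md$|^(LICENSE|OWNERS|\.golangci\.yaml)$",
    "steps": {
        "workflow": "openshift-ci-security",
        "env": {
            "SNYK_ENABLE_DEPS_SCAN": "true",
            "SNYK_CODE_ADDITIONAL_ARGS": "--severity-threshold=high",
            "SNYK_PRE_EXECUTION_HOOK_CMD": "go mod vendor && go mod tidy",
        },
    },
}


def hook_tidies_before_vendoring(cmd: str) -> bool:
    """True when 'go mod tidy' precedes 'go mod vendor' in a chained hook command."""
    steps = [s.strip() for s in re.split(r"&&|;", cmd)]
    if "go mod tidy" not in steps or "go mod vendor" not in steps:
        return False
    return steps.index("go mod tidy") < steps.index("go mod vendor")


def skip_regex_covers(pattern: str, changed_files: list) -> bool:
    """Prow skips the job only when every changed file matches skip_if_only_changed."""
    rx = re.compile(pattern)
    return all(rx.search(path) for path in changed_files)


def lint_security_test(entry: dict) -> list:
    """Return findings for the properties the PR and its review discuss."""
    findings = []
    if entry.get("optional") is not True:
        findings.append("optional must be true so scan failures do not block merge")
    env = entry.get("steps", {}).get("env", {})
    if env.get("SNYK_ENABLE_DEPS_SCAN") != "true":
        findings.append("dependency scanning (SNYK_ENABLE_DEPS_SCAN) is not enabled")
    if "--severity-threshold=high" not in env.get("SNYK_CODE_ADDITIONAL_ARGS", ""):
        findings.append("code scan severity threshold is not set to high")
    hook = env.get("SNYK_PRE_EXECUTION_HOOK_CMD", "")
    if hook and not hook_tidies_before_vendoring(hook):
        findings.append("pre-execution hook vendors before tidying the module graph")
    skip = entry.get("skip_if_only_changed", "")
    if not skip_regex_covers(skip, [".golangci.yml"]):
        findings.append("skip_if_only_changed does not cover .golangci.yml")
    if skip_regex_covers(skip, ["main.go", "go.mod"]):
        findings.append("skip_if_only_changed would skip the scan for Go changes")
    return findings


def fixed_entry() -> dict:
    """The constructed entry with both review findings addressed."""
    fixed = copy.deepcopy(CONSTRUCTED_TEST_ENTRY)
    fixed["skip_if_only_changed"] = r"^docs/|\.md$|^(LICENSE|OWNERS|\.golangci\.ya?ml)$"
    fixed["steps"]["env"]["SNYK_PRE_EXECUTION_HOOK_CMD"] = "go mod tidy && go mod vendor"
    return fixed
```

Running lint_security_test on the constructed entry reports the two review findings; on fixed_entry() it reports none.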

@amandahla force-pushed the ROSAENG-60028-provider branch from 6c9f5ea to b9b8c03 on June 26, 2026 18:52
@openshift-ci openshift-ci Bot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jun 26, 2026
…-rhcs

Signed-off-by: Amanda Hager Lopes de Andrade Katz <amanda.katz@redhat.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
@amandahla force-pushed the ROSAENG-60028-provider branch from b9b8c03 to e93a352 on June 29, 2026 12:54

@openshift-merge-bot (Contributor):

[REHEARSALNOTIFIER]
@amandahla: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

  • Test name: pull-ci-terraform-redhat-terraform-provider-rhcs-main-security; Repo: terraform-redhat/terraform-provider-rhcs; Type: presubmit; Reason: Presubmit changed

@jerichokeyne (Contributor):

/pj-rehearse pull-ci-terraform-redhat-terraform-provider-rhcs-main-security

@openshift-merge-bot (Contributor):

@jerichokeyne: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@jerichokeyne (Contributor):

/lgtm
/approve

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Jun 29, 2026
@openshift-ci (Bot) commented Jun 29, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: amandahla, jerichokeyne

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@amandahla (Contributor, Author):

/pj-rehearse skip pull-ci-terraform-redhat-terraform-provider-rhcs-main-security

@openshift-merge-bot (Contributor):

@amandahla: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@openshift-merge-bot (Contributor):

@amandahla: job(s): skip either don't exist or were not found to be affected, and cannot be rehearsed

@olucasfreitas (Contributor):

@amandahla I don't exactly know the reason for the pipeline to be failing; maybe we need to onboard the terraform org into something?

@amandahla (Contributor, Author):

> @amandahla I don't exactly know the reason for the pipeline to be failing; maybe we need to onboard the terraform org into something?

It's expected: every time a security issue is found, the job fails. That's why for now it won't be required, so it won't block PRs.

@jerichokeyne (Contributor):

/pj-rehearse ack

@openshift-merge-bot (Contributor):

@jerichokeyne: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@openshift-merge-bot openshift-merge-bot Bot added the rehearsals-ack Signifies that rehearsal jobs have been acknowledged label Jun 29, 2026
@olucasfreitas (Contributor):

@amandahla do we maybe want to fix the security issues and make sure it picks up the fix and runs correctly? But if you are confident in getting this through this way, I'm fine with it too.

@openshift-ci (Bot) commented Jun 29, 2026

@amandahla: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

  • Test name: ci/rehearse/terraform-redhat/terraform-provider-rhcs/main/security; Commit: e93a352; Required: unknown; Rerun command: /pj-rehearse pull-ci-terraform-redhat-terraform-provider-rhcs-main-security

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@openshift-merge-bot openshift-merge-bot Bot merged commit 1c1540e into openshift:main Jun 29, 2026
16 of 17 checks passed
krisnababu pushed a commit to oharan2/release that referenced this pull request Jul 3, 2026
…-rhcs (openshift#81079)

Signed-off-by: Amanda Hager Lopes de Andrade Katz <amanda.katz@redhat.com>
Co-authored-by: Cursor <cursoragent@cursor.com>