ROSAENG-60028: Add optional Snyk security scan for terraform-provider-rhcs#81079
Conversation
@amandahla: This pull request references ROSAENG-60028 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.
Details: In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.
Walkthrough: Adds an optional security presubmit stage to the terraform-provider-rhcs CI config. It conditionally skips doc/pattern-only changes and runs
Changes: Security presubmit configuration
/pj-rehearse security

@amandahla: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@amandahla: job(s): security either don't exist or were not found to be affected, and cannot be rehearsed

/pj-rehearse list

@amandahla: your

/pj-rehearse list

@amandahla: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

/pj-rehearse pull-ci-terraform-redhat-terraform-provider-rhcs-main-security

@amandahla: your
Force-push: ac25028 to 98a5fc0
/pj-rehearse pull-ci-terraform-redhat-terraform-provider-rhcs-main-security

@amandahla: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.
Force-push: 98a5fc0 to b93c7d4
/pj-rehearse pull-ci-terraform-redhat-terraform-provider-rhcs-main-security

@amandahla: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

Blocked:
Force-push: b93c7d4 to 62fdad4
/pj-rehearse pull-ci-terraform-redhat-terraform-provider-rhcs-main-security

@amandahla: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.
Force-push: 62fdad4 to d832498
/pj-rehearse pull-ci-terraform-redhat-terraform-provider-rhcs-main-security

@amandahla: your
Force-push: d832498 to 6c9f5ea
@amandahla, Interacting with pj-rehearse. Comment: Once you are satisfied with the results of the rehearsals, comment:
Actionable comments posted: 2
Inline comments:
In `ci-operator/config/terraform-redhat/terraform-provider-rhcs/terraform-redhat-terraform-provider-rhcs-main.yaml`:
- Line 29: The SNYK_PRE_EXECUTION_HOOK_CMD currently vendors dependencies before cleaning the module graph, which can leave the vendored tree stale for the scan. Update the command so go mod tidy runs before go mod vendor, keeping the vendored dependencies in sync; use the SNYK_PRE_EXECUTION_HOOK_CMD entry in the terraform-provider-rhcs config to make the change.
- Line 24: The skip_if_only_changed regex in the terraform-provider-rhcs CI config is using the wrong golangci filename pattern. Update the pattern in the skip_if_only_changed entry to match the actual conventional file name used by terraform-redhat/terraform-provider-rhcs, referenced by the skip regex in this config, so changes to .golangci.yml are correctly covered by the skip condition.
Files ignored due to path filters (1): `ci-operator/jobs/terraform-redhat/terraform-provider-rhcs/terraform-redhat-terraform-provider-rhcs-main-presubmits.yaml` is excluded by `!ci-operator/jobs/**`
Files selected for processing (1): `ci-operator/config/terraform-redhat/terraform-provider-rhcs/terraform-redhat-terraform-provider-rhcs-main.yaml`
Force-push: 6c9f5ea to b9b8c03
…-rhcs Signed-off-by: Amanda Hager Lopes de Andrade Katz <amanda.katz@redhat.com> Co-authored-by: Cursor <cursoragent@cursor.com>
Force-push: b9b8c03 to e93a352
[REHEARSALNOTIFIER]
Interacting with pj-rehearse. Comment: Once you are satisfied with the results of the rehearsals, comment:
/pj-rehearse pull-ci-terraform-redhat-terraform-provider-rhcs-main-security

@jerichokeyne: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

/lgtm
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: amandahla, jerichokeyne. The full list of commands accepted by this bot can be found here. The pull request process is described here.
Details: Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
/pj-rehearse skip pull-ci-terraform-redhat-terraform-provider-rhcs-main-security

@amandahla: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@amandahla: job(s): skip either don't exist or were not found to be affected, and cannot be rehearsed
@amandahla I don't exactly know the reason for the pipeline to be failing, maybe we need to onboard the terraform org into something?

It's expected, every time that a security issue is found, the job fails. That's why for now it won't be required, so it won't block PRs.
/pj-rehearse ack |
|
@jerichokeyne: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel. |
|
@amandahla do we maybe want to fix the security issues and make sure it picks up the fix and runs correctly ? but if you are confident in getting this through this way, I'm fine with it too |
|
@amandahla: The following test failed, say
Full PR test history. Your PR dashboard.
Details: Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
1c1540e into openshift:main
…-rhcs (openshift#81079) Signed-off-by: Amanda Hager Lopes de Andrade Katz <amanda.katz@redhat.com> Co-authored-by: Cursor <cursoragent@cursor.com>
Summary
Add optional Snyk security scanning (`openshift-ci-security`) to `terraform-redhat/terraform-provider-rhcs` on `main` so PRs get dependency and code scans without blocking merge.
Type of change: ci
Related: ROSAENG-60028
Changes
- `security` test in `ci-operator/config/terraform-redhat/terraform-provider-rhcs/terraform-redhat-terraform-provider-rhcs-main.yaml` using the `openshift-ci-security` workflow.
- `optional: true` so failures do not block Tide or merge.
- Dependency scan enabled (`SNYK_ENABLE_DEPS_SCAN: "true"`) and code scan severity threshold `high` (`SNYK_CODE_ADDITIONAL_ARGS: --severity-threshold=high`).
- Same `skip_if_only_changed` pattern as `pre-push-checks` (skips docs/metadata-only PRs).
- Regenerated `ci-operator/jobs/terraform-redhat/terraform-provider-rhcs/terraform-redhat-terraform-provider-rhcs-main-presubmits.yaml` (`ci/prow/security` presubmit).
- No change to `_prowconfig.yaml` required checks (`ci/prow/pre-push-checks` remains the only required context).
Breaking changes
No.
Testing / validation
- `make update`
- `make ci-operator-checkconfig`
- `make jobs` (prowgen + sanitize-prow-jobs)
- `make checkconfig`: failed locally with `stat /release/core-services/prow/02_config: invalid argument` (container volume mount on this host); CI on the PR should run this check
Summary by CodeRabbit
This update extends CI for `terraform-redhat/terraform-provider-rhcs` on `main` by adding an optional `security` presubmit in `ci-operator` that runs the `openshift-ci-security` workflow (Snyk). The scan is configured to (1) enable dependency scanning and (2) enforce a `high` severity threshold for code findings, while using the existing `skip_if_only_changed` pattern to avoid running on docs/metadata-only PRs. The regenerated presubmit job config now includes `pull-ci-terraform-redhat-terraform-provider-rhcs-main-security`. The component's `_prowconfig.yaml` required context remains unchanged, so `ci/prow/pre-push-checks` is still the only required check for merging.
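For readers who want to see the shape of such a test entry, the following is an added example written for this page; it is not the PR's own diff. The key names (`as`, `optional`, `skip_if_only_changed`, `steps.workflow`, `steps.env`) and the three `SNYK_*` variable names are taken from the PR description and the CodeRabbit review above; the skip regex and the body of the pre-execution hook are assumptions, since the page does not show them. The hook is ordered `go mod tidy` then `go mod vendor`, which is what the review asked for, and the golangci file name in the regex is flagged as something to verify against the repository rather than copy.

```yaml
# Added example (not the PR's diff): a ci-operator `tests` entry shaped like
# the one the PR description and review comments describe. Key names and the
# SNYK_* variables come from the page; the regex and hook body are assumed.
tests:
- as: security                      # surfaces on GitHub as ci/prow/security
  optional: true                    # failures do not block Tide or merge
  # Skip the job when only docs/metadata files changed. The alternation below
  # is an assumed approximation of the pre-push-checks pattern. The golangci
  # file name must match what the repository actually ships; the review
  # flagged a mismatch in the PR's version of this regex, so check it.
  skip_if_only_changed: ^docs/|\.md$|^OWNERS$|^\.golangci\.ya?ml$
  steps:
    env:
      # Dependency (SCA) scan in addition to the Snyk Code scan
      SNYK_ENABLE_DEPS_SCAN: "true"
      # Fail the code scan only on high (or higher) severity findings
      SNYK_CODE_ADDITIONAL_ARGS: --severity-threshold=high
      # Prepare the module tree before Snyk runs. `tidy` runs before `vendor`
      # so the vendored copies match the cleaned go.mod/go.sum; the reverse
      # order (what the review flagged) can leave vendor/ stale for the scan.
      SNYK_PRE_EXECUTION_HOOK_CMD: go mod tidy && go mod vendor
    workflow: openshift-ci-security
```

Because the job is `optional: true`, a Snyk finding turns the `ci/prow/security` context red without blocking merge, which matches the behaviour discussed in the thread; the only way to make findings actually gate a PR is to drop `optional` and add the context to the required checks in `_prowconfig.yaml`.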