add security scan

[rccrdpccl]

Summary by CodeRabbit

• New Features

  • Introduced an automated security scan workflow that checks container images for vulnerabilities on code pushes and pull requests.
  • Added a configuration file for vulnerability scanning with specified settings.

• Chores

  • Standardized container image naming and environment settings across build, deployment, and configuration processes.
  • Updated image references for both bootstrap and control plane components to maintain consistent naming throughout the release process.
  • Updated environment variables for image names used in the build process.

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: rccrdpccl

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [rccrdpccl]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Walkthrough

The changes update image naming conventions across several configuration files. Environment variables, sed commands, and image references in GitHub workflows, the Makefile, and Kubernetes deployment manifests have been modified to use new image names. Additionally, a new GitHub Actions workflow for security scanning has been added. These modifications ensure consistency in image naming and incorporate vulnerability scanning before deployment.

Changes

File(s)	Change Summary
.github/workflows/release.yaml	Updated environment variables and sed commands to reference new image names for controlplane and bootstrap components.
.github/workflows/security-scan.yaml	Added new workflow for security scanning on push/PR events, including steps for checkout, Docker build, and Trivy scans for both controlplane and bootstrap images.
Makefile	Modified CONTAINER_REPOSITORY variable and updated docker build/push commands to use the new image naming convention.
bootstrap-components.yaml bootstrap/config/manager/kustomization.yaml	Updated container image names and corresponding image configuration for the bootstrap controller to the new naming scheme.
controlplane-components.yaml controlplane/config/manager/kustomization.yaml	Updated container image names and corresponding image configuration for the controlplane controller to the new naming scheme.
.trivy.yaml	Introduced new configuration file for vulnerability scanning settings.

Sequence Diagram(s)

sequenceDiagram
    participant Trigger as GitHub Event
    participant Runner as GitHub Actions Runner
    participant Checkout as Code Checkout
    participant DockerBuild as Docker Build (make docker-build-all)
    participant TrivyC as Trivy Scan (Controlplane Image)
    participant TrivyB as Trivy Scan (Bootstrap Image)
    
    Trigger->>Runner: Trigger workflow on push/PR
    Runner->>Checkout: Checkout repository code
    Checkout-->>Runner: Provide source code
    Runner->>DockerBuild: Execute Docker build command
    DockerBuild-->>Runner: Docker image built (SHA tag)
    Runner->>TrivyC: Run Trivy scan for controlplane image
    TrivyC-->>Runner: Return scan results
    Runner->>TrivyB: Run Trivy scan for bootstrap image
    TrivyB-->>Runner: Return scan results

Loading

Poem

I'm a rabbit with a hop so bright,
Watching new images take flight.
Updated names in YAML and Makefile too,
Security scans ensure our code is true.
With whiskers twitching in pure delight,
I celebrate these changes all day and night!
🥕🐇

---

📜 Recent review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 4f8b1f4 and dba16b3.

📒 Files selected for processing (8)

• .github/workflows/release.yaml (2 hunks)
• .github/workflows/security-scan.yaml (1 hunks)
• .trivy.yaml (1 hunks)
• Makefile (2 hunks)
• bootstrap-components.yaml (1 hunks)
• bootstrap/config/manager/kustomization.yaml (1 hunks)
• controlplane-components.yaml (1 hunks)
• controlplane/config/manager/kustomization.yaml (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (8)

• bootstrap/config/manager/kustomization.yaml
• bootstrap-components.yaml
• controlplane-components.yaml
• controlplane/config/manager/kustomization.yaml
• .trivy.yaml
• .github/workflows/release.yaml
• Makefile
• .github/workflows/security-scan.yaml

⏰ Context from checks skipped due to timeout of 90000ms (1)

• GitHub Check: Security scan

---

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai plan to trigger planning for file edits and PR creation.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

.github/workflows/security-scan.yaml (1)

14-15: Action Update: Checkout Action Version
The workflow uses actions/checkout@v3 (line 15), but static analysis suggests that this version may be outdated. Consider updating to a newer version (for example, v4) to benefit from the latest improvements and compatibility fixes.

🧰 Tools

🪛 actionlint (1.7.4)

15-15: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between af2a1e7 and 05acb60.

📒 Files selected for processing (7)

• .github/workflows/release.yaml (2 hunks)
• .github/workflows/security-scan.yaml (1 hunks)
• Makefile (2 hunks)
• bootstrap-components.yaml (1 hunks)
• bootstrap/config/manager/kustomization.yaml (1 hunks)
• controlplane-components.yaml (1 hunks)
• controlplane/config/manager/kustomization.yaml (1 hunks)

🧰 Additional context used

🪛 actionlint (1.7.4)

.github/workflows/security-scan.yaml

15-15: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🔇 Additional comments (11)

controlplane/config/manager/kustomization.yaml (1)

7-7: Update: Controller Image Name Updated
The newName field is now set to
quay.io/edge-infrastructure/cluster-api-controlplane-provider-openshift-assisted
which aligns with the new naming convention. Verify that using the latest tag here is intentional.

bootstrap/config/manager/kustomization.yaml (1)

7-7: Update: Bootstrap Controller Image Name Updated
The image’s newName has been updated to
quay.io/edge-infrastructure/cluster-api-bootstrap-provider-openshift-assisted
to match the new naming standards. Please confirm that the associated tag remains appropriately set.

bootstrap-components.yaml (1)

1-36: Consistency Check: Bootstrap Components Configuration
Although no explicit diff markers (˜) are present, the deployment configuration for the bootstrap controller is expected to reference the new image name (quay.io/edge-infrastructure/cluster-api-bootstrap-provider-openshift-assisted:latest). Ensure that any usage of the old image name is fully replaced and that related workflows (e.g. in .github/workflows/release.yaml) refer to the updated image.

controlplane-components.yaml (1)

1069-1072: Update: Control Plane Container Image Updated
In the Deployment for capi-agent-controlplanecontroller-manager, the container image has been updated from the old naming scheme to
quay.io/edge-infrastructure/cluster-api-controlplane-provider-openshift-assisted:latest.
Please verify that all downstream systems (e.g. release pipelines and deployment scripts) have been updated accordingly.

.github/workflows/security-scan.yaml (2)

1-13: New Workflow: Security Scan Added
A new GitHub Actions workflow named build has been introduced. It sets the environment variable CONTAINER_TAG to the current GitHub SHA and runs two Trivy vulnerability scans (one for controlplane and one for bootstrap images). This implementation helps ensure that critical and high-severity vulnerabilities are caught before deployment.

---

16-35: Security Scan Steps Verification
The steps that run the Trivy vulnerability scanner (lines 18–26 for the controlplane image and lines 27–35 for the bootstrap image) are correctly configured with parameters such as format, exit-code, ignore-unfixed, vuln-type, and severity. Confirm that an exit code of 1 is appropriate to fail the workflow when critical or high vulnerabilities are detected.

.github/workflows/release.yaml (3)

13-14: Environment Variables Updated for New Image Naming Convention
The new environment variable values for controlplane_image_name and bootstrap_image_name correctly reflect the updated naming scheme. Ensure these variables are consistently used across all steps in the workflow.

---

29-30: Updated sed Commands to Use New Image Names
The sed commands have been modified to replace the old image identifiers with the new ones using the specified environment variables. This change should correctly update the image tags in your manifest files during release.

---

1-62: Review Note on Security Scan Integration
Although the PR title and objectives mention adding a security scan, this workflow file focuses on release steps and image tagging. Please ensure that the new GitHub Actions workflow for security scanning (or corresponding steps) is present and correctly integrated in another file.

Makefile (2)

4-4: Updated Container Repository Naming
The variable CONTAINER_REPOSITORY on line 4 now uses the new naming standard (cluster-api-$(PROVIDER)-provider-openshift-assisted). This update aligns with the new image naming convention applied in the release workflow.

---

105-109: Consistent Image Tagging in Docker Build/Push Targets
The targets for provider-docker-build (line 105) and provider-docker-push (line 109) have been updated to reference the new repository name format. This change is consistent with other parts of the build pipeline. Double-check that any downstream scripts or deployment configurations use the updated image names.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (2)

.github/workflows/security-scan.yaml (2)

1-7: Workflow Trigger Configuration:
The workflow’s trigger settings are correctly defined, with push events filtered to the master branch and pull requests included. If additional branches should be scanned, consider updating the branch filter accordingly.

---

16-19: Step Naming Clarification:
There are two sequential steps with the name "Build an image from Dockerfile." The first step (lines 16-17) correctly builds the Docker image via make docker-build-all, while the second step (lines 18-19) lists images using podman image ls. Renaming the second step (e.g., to "List built images") would improve clarity and avoid confusion.

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 05acb60 and 32e079c.

📒 Files selected for processing (7)

• .github/workflows/release.yaml (2 hunks)
• .github/workflows/security-scan.yaml (1 hunks)
• Makefile (2 hunks)
• bootstrap-components.yaml (1 hunks)
• bootstrap/config/manager/kustomization.yaml (1 hunks)
• controlplane-components.yaml (1 hunks)
• controlplane/config/manager/kustomization.yaml (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (6)

• controlplane/config/manager/kustomization.yaml
• bootstrap/config/manager/kustomization.yaml
• bootstrap-components.yaml
• .github/workflows/release.yaml
• controlplane-components.yaml
• Makefile

🔇 Additional comments (4)

.github/workflows/security-scan.yaml (4)

8-12: Job Setup and Environment Variable:
The build job is properly configured to run on Ubuntu 24.04, and the environment variable CONTAINER_TAG is correctly set using ${{ github.sha }}.

---

13-15: Checkout Step Verification:
The step for checking out the code using actions/checkout@v4 is set up appropriately.

---

20-28: Controlplane Trivy Scan:
The configuration for running the Trivy vulnerability scanner on the controlplane image is well defined. The image-ref correctly incorporates the GitHub SHA, and parameters for output format, exit-code behavior, vulnerability types, and severity are appropriately set. Just ensure that the built image is tagged as expected.

---

29-37: Bootstrap Trivy Scan:
The bootstrap image scan is configured similarly to the controlplane scan and appears correct. As with the previous scanner, verify that the image reference aligns with the actual built image.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (3)

.github/workflows/security-scan.yaml (3)

8-12: Job Definition and Environment Variable Setup
The job is defined with the name "Security scan" and runs on ubuntu-24.04, with the environment variable CONTAINER_TAG correctly set to ${{ github.sha }}. For enhanced clarity, consider renaming the job’s identifier from build to something more descriptive, such as security_scan.

---

18-19: Step Naming Clarification for Image Listing
The step is currently named "Build an image from Dockerfile" but executes podman image ls, which actually lists the built images rather than building them. To avoid confusion, consider renaming this step to "List built images".

Suggested change:

-      - name: Build an image from Dockerfile
+      - name: List built images

---

33-41: Trivy Scanner for Bootstrap with Version Discrepancy
This step scans the bootstrap image using aquasecurity/trivy-action@0.28.0, and it outputs results in table format with an exit code of 1 if vulnerabilities are detected. The use of a different version (0.28.0) and output format compared to the controlplane scanner (which uses 0.30.0 and SARIF) raises a question: Is this discrepancy intentional? If not, consider aligning the version and possibly the output format between the two scans for consistency.

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 74546c1 and 0ebef3f.

📒 Files selected for processing (8)

• .github/workflows/release.yaml (2 hunks)
• .github/workflows/security-scan.yaml (1 hunks)
• .trivy.yaml (1 hunks)
• Makefile (2 hunks)
• bootstrap-components.yaml (1 hunks)
• bootstrap/config/manager/kustomization.yaml (1 hunks)
• controlplane-components.yaml (1 hunks)
• controlplane/config/manager/kustomization.yaml (1 hunks)

✅ Files skipped from review due to trivial changes (1)

• .trivy.yaml

🚧 Files skipped from review as they are similar to previous changes (6)

• bootstrap-components.yaml
• controlplane/config/manager/kustomization.yaml
• bootstrap/config/manager/kustomization.yaml
• controlplane-components.yaml
• .github/workflows/release.yaml
• Makefile

⏰ Context from checks skipped due to timeout of 90000ms (1)

• GitHub Check: Security scan

🔇 Additional comments (6)

.github/workflows/security-scan.yaml (6)

1-1: Workflow Naming is Clear
The workflow name "security-scan" clearly represents its purpose.

---

2-7: Trigger Configuration Review
The workflow is triggered on pushes to the master branch and on pull requests. Please verify that master is indeed your repository’s default branch—if you've transitioned to a branch like main, this configuration should be updated accordingly.

---

14-15: Checkout Step is Standard
The step using actions/checkout@v4 correctly checks out the repository code.

---

16-17: Image Build Step Using Makefile
The step "Build an image from Dockerfile" calls make docker-build-all, which should build the images as per the updated image naming conventions. Please ensure that the Makefile has been updated in line with the new image names.

---

20-27: Trivy Scanner for Controlplane
This step uses aquasecurity/trivy-action@0.30.0 to scan the controlplane image and outputs results in SARIF format, which is appropriate for integration with GitHub’s security features. The parameters (ignoring unfixed vulnerabilities, specifying vulnerability types, and filtering by severity) are well configured for scanning critical and high-severity issues.

---

28-32: SARIF Upload Step for Security Results
The step that uploads the scan results using github/codeql-action/upload-sarif@v3 is correctly configured, including the use of if: always() to ensure that results are uploaded regardless of the scan outcome.

[github-advanced-security]

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (2)

.github/workflows/security-scan.yaml (2)

1-6: Verify Branch Trigger Configuration

The workflow triggers on pushes to the branch master and on pull requests. Ensure that using master is intentional (and not main or another branch) based on your repository’s branch naming conventions.

---

29-33: Bootstrap Vulnerability Scan: Version Consistency Consideration

The bootstrap scanner uses aquasecurity/trivy-action@0.28.0 which differs from the controlplane scan version (0.30.0). If this version difference is intentional, please disregard; otherwise, consider aligning the versions to ensure consistency in vulnerability assessment.

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a4aaf3f and f262bc7.

📒 Files selected for processing (8)

• .github/workflows/release.yaml (2 hunks)
• .github/workflows/security-scan.yaml (1 hunks)
• .trivy.yaml (1 hunks)
• Makefile (2 hunks)
• bootstrap-components.yaml (1 hunks)
• bootstrap/config/manager/kustomization.yaml (1 hunks)
• controlplane-components.yaml (1 hunks)
• controlplane/config/manager/kustomization.yaml (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (7)

• controlplane/config/manager/kustomization.yaml
• .trivy.yaml
• bootstrap/config/manager/kustomization.yaml
• .github/workflows/release.yaml
• bootstrap-components.yaml
• controlplane-components.yaml
• Makefile

⏰ Context from checks skipped due to timeout of 90000ms (1)

• GitHub Check: Security scan

🔇 Additional comments (4)

.github/workflows/security-scan.yaml (4)

7-13: Job and Environment Configuration Looks Solid

The job definition under jobs: build: is clear with the environment variables and the use of ubuntu-24.04. The setting of CONTAINER_TAG based on ${{ github.sha }} and CONTAINER_TOOL as docker is appropriate.

---

15-18: Checkout and Docker Build Steps are Appropriate

The steps to checkout the code using actions/checkout@v4 and building images via make docker-build-all are well defined. Just ensure that the make docker-build-all target correctly interprets any changes from the updated image naming conventions.

---

19-23: Controlplane Vulnerability Scan is Configured Correctly

The Trivy action for scanning the controlplane image (using aquasecurity/trivy-action@0.30.0) is set up with the correct image reference and configuration file. This integration should help in detecting container vulnerabilities effectively.

---

24-28: Uploading SARIF Results for Controlplane Scan

The step for uploading the Trivy scan results using github/codeql-action/upload-sarif@v3 is properly configured with if: always() and the specified SARIF file.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

.github/workflows/security-scan.yaml (1)

28-33: Trivy Scanner for Bootstrap Version Consistency

This step is similar to the controlplane scanner but uses aquasecurity/trivy-action@0.28.0. For consistency in scanning behavior and output formatting between components, consider aligning the Trivy action version across both steps.

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between fe8434c and 6abab06.

📒 Files selected for processing (8)

• .github/workflows/release.yaml (2 hunks)
• .github/workflows/security-scan.yaml (1 hunks)
• .trivy.yaml (1 hunks)
• Makefile (2 hunks)
• bootstrap-components.yaml (1 hunks)
• bootstrap/config/manager/kustomization.yaml (1 hunks)
• controlplane-components.yaml (1 hunks)
• controlplane/config/manager/kustomization.yaml (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (7)

• .trivy.yaml
• bootstrap/config/manager/kustomization.yaml
• controlplane/config/manager/kustomization.yaml
• .github/workflows/release.yaml
• controlplane-components.yaml
• bootstrap-components.yaml
• Makefile

🔇 Additional comments (6)

.github/workflows/security-scan.yaml (6)

1-7: Workflow Trigger Configuration

The on: event configuration correctly triggers on pushes to the master branch and pull requests. Consider verifying if additional branches (e.g., main) should be included, depending on your repository’s branching strategy.

---

8-14: Job Definition and Environment Variables

The job "Security scan" is well-defined for an Ubuntu 24.04 runner. The environment variables (CONTAINER_TAG and CONTAINER_TOOL) are appropriately set to be used in subsequent steps.

---

15-16: Checkout Code Step

The checkout action using actions/checkout@v4 is correctly set up to pull the repository code.

---

17-18: Docker Image Build Step

The step running make docker-build-all correctly kicks off the image build process. Ensure that the corresponding Makefile targets have been updated to reflect the new image naming conventions.

---

19-21: Create Scans Folder Step

The use of mkdir -p scans/ to create the scans folder is a standard and effective approach.

---

22-27: Trivy Scanner for Controlplane

The Trivy action is used with version 0.30.0 and is properly configured with the image reference, configuration file (.trivy.yaml), and output path (scans/trivy-results-controlplane.sarif). Verify that the .trivy.yaml file exists and contains the intended scan settings.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

.github/workflows/security-scan.yaml (1)

19-21: Create Scans Folder

The step creates a scans/ directory to store scan results. Consider verifying that this directory is added to your .gitignore if it shouldn’t be tracked by Git.

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 6abab06 and 4f8b1f4.

📒 Files selected for processing (8)

• .github/workflows/release.yaml (2 hunks)
• .github/workflows/security-scan.yaml (1 hunks)
• .trivy.yaml (1 hunks)
• Makefile (2 hunks)
• bootstrap-components.yaml (1 hunks)
• bootstrap/config/manager/kustomization.yaml (1 hunks)
• controlplane-components.yaml (1 hunks)
• controlplane/config/manager/kustomization.yaml (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (7)

• .trivy.yaml
• bootstrap/config/manager/kustomization.yaml
• controlplane/config/manager/kustomization.yaml
• bootstrap-components.yaml
• controlplane-components.yaml
• .github/workflows/release.yaml
• Makefile

⏰ Context from checks skipped due to timeout of 90000ms (1)

• GitHub Check: Security scan

🔇 Additional comments (8)

.github/workflows/security-scan.yaml (8)

1-1: Define Workflow Name

The workflow is clearly named security-scan, which aligns well with the PR objective of adding a security scan.

---

2-6: Trigger Configuration

The workflow triggers on push events for the master branch and on pull requests. This configuration follows standard CI/CD practices.

---

7-13: Job Environment Setup

The job named "Security scan" is correctly configured to run on ubuntu-24.04 and sets appropriate environment variables (CONTAINER_TAG and CONTAINER_TOOL).

---

14-16: Checkout Step

The checkout step uses actions/checkout@v4, which is the latest stable version. No issues here.

---

17-18: Docker Image Build Step

The step that builds the Docker images via make docker-build-all is succinct and assumes that the associated Makefile is correctly configured.

---

22-27: Trivy Scan for Controlplane

The configuration for the controlplane scan is well defined using aquasecurity/trivy-action@0.30.0. The output is directed to scans/trivy-results-controlplane.sarif, which is consistent with the folder structure.

---

28-33: Trivy Scan for Bootstrap

Similarly, the bootstrap scan is configured correctly and outputs its results to scans/trivy-results-bootstrap.sarif.

---

39-43: Upload SARIF Results

The upload step uses github/codeql-action/upload-sarif@v3 with the glob pattern scans/*.sarif, which should correctly pick up the scan results when the output paths are consistent across all scan steps. Once the output from the repo mode scan is adjusted, this step will function as intended.

[coderabbitai]

🛠️ Refactor suggestion

⚠️ Potential issue

Review Output Location for Repo Mode Scan

The "Run Trivy vulnerability scanner in repo mode" step outputs its results to trivy-results-repo.sarif (line 38), which is outside the scans/ folder. Since the subsequent upload step uses the pattern scans/*.sarif, this file may be omitted from the upload. It is recommended to change the output path to scans/trivy-results-repo.sarif for consistency and to ensure all scan results are captured.

Proposed Diff:

-          output: 'trivy-results-repo.sarif'
+          output: 'scans/trivy-results-repo.sarif'

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	- name: Run Trivy vulnerability scanner in repo mode
	uses: aquasecurity/trivy-action@0.30.0
	with:
	scan-type: 'fs'
	output: 'trivy-results-repo.sarif'
	- name: Run Trivy vulnerability scanner in repo mode
	uses: aquasecurity/trivy-action@0.30.0
	with:
	scan-type: 'fs'
	output: 'scans/trivy-results-repo.sarif'

[rccrdpccl]

Lint timed out

/retest