Merge pull request #6969 from Checkmarx/update-to-go-1.22.1-and-adopt…

…-chainguard-images update(go): updating go to 1.22.1 and updating to chainguard images
Checkmarx · Apr 12, 2024 · e387aa2 · e387aa2
2 parents f4d132d + f5d4299
commit e387aa2
Show file tree

Hide file tree

Showing 26 changed files with 6,713 additions and 57 deletions.
diff --git a/.github/scripts/queries-validator/requirements.txt b/.github/scripts/queries-validator/requirements.txt
diff --git a/.github/workflows/check-go-coverage.yaml b/.github/workflows/check-go-coverage.yaml
@@ -16,10 +16,10 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
-      - name: Set up Go 1.22.x
+      - name: Set up Go
         uses: actions/setup-go@v5
         with:
-          go-version: 1.22.x
+          go-version-file: go.mod
       - name: Run test metrics script
         id: testcov
         run: |

diff --git a/.github/workflows/go-ci-coverage.yaml b/.github/workflows/go-ci-coverage.yaml
@@ -17,10 +17,10 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
-      - name: Set up Go 1.22.x
+      - name: Set up Go
         uses: actions/setup-go@v5
         with:
-          go-version: 1.22.x
+          go-version-file: go.mod
       - name: Run test metrics script
         id: testcov
         run: |

diff --git a/.github/workflows/go-ci.yml b/.github/workflows/go-ci.yml
@@ -10,10 +10,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v3
-      - name: Set up Go 1.21.x
-        uses: actions/setup-go@v4
+      - name: Set up Go
+        uses: actions/setup-go@v5
         with:
-          go-version: 1.21.x
+          go-version-file: go.mod
           cache: false
       - name: golangci-lint
         uses: golangci/[email protected]
@@ -24,27 +24,27 @@ jobs:
     name: go-generate
     runs-on: ubuntu-latest
     steps:
-      - name: Set up Go 1.21.x
-        uses: actions/setup-go@v4
-        with:
-          go-version: 1.21.x
       - name: Check out code
         uses: actions/checkout@v3
         with:
           persist-credentials: false
           fetch-depth: 0
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
       - name: Generate mocks and marshall/unmarshall code
         run: make generate
   unit-tests:
     name: unit-tests
     strategy:
       matrix:
-        go-version: [1.21.x]
+        go-version: [1.22.x]
         os: [ubuntu-latest, windows-latest, macos-latest]
     runs-on: ${{ matrix.os }}
     steps:
-      - name: Set up Go 1.21.x
-        uses: actions/setup-go@v4
+      - name: Set up Go
+        uses: actions/setup-go@v5
         with:
           go-version: ${{ matrix.go-version }}
       - name: Check out code into the Go module directory

diff --git a/.github/workflows/go-e2e-debian.yaml b/.github/workflows/go-e2e-debian.yaml
@@ -10,7 +10,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        go-version: [1.21.x]
+        go-version: [1.22.x]
         os: [ubuntu-latest]
     runs-on: ${{ matrix.os }}
     steps:
@@ -22,8 +22,8 @@ jobs:
         uses: actions/checkout@v4
         with:
           persist-credentials: false
-      - name: Set up Go 1.21.x
-        uses: actions/setup-go@v4
+      - name: Set up Go
+        uses: actions/setup-go@v5
         with:
           go-version: ${{ matrix.go-version }}
       - name: Print go env

diff --git a/.github/workflows/go-e2e.yaml b/.github/workflows/go-e2e.yaml
@@ -10,7 +10,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        go-version: [1.21.x]
+        go-version: [1.22.x]
         os: [ubuntu-latest]
         kics-docker: ["Dockerfile", "docker/Dockerfile.ubi8"]
     runs-on: ${{ matrix.os }}
@@ -23,8 +23,8 @@ jobs:
         uses: actions/checkout@v4
         with:
           persist-credentials: false
-      - name: Set up Go 1.21.x
-        uses: actions/setup-go@v4
+      - name: Set up Go
+        uses: actions/setup-go@v5
         with:
           go-version: ${{ matrix.go-version }}
       - name: Print go env

diff --git a/.github/workflows/go-test-race.yml b/.github/workflows/go-test-race.yml
@@ -13,10 +13,10 @@ jobs:
         uses: actions/checkout@v3
         with:
           fetch-depth: 0
-      - name: Set up Go 1.20.x
-        uses: actions/setup-go@v4
+      - name: Set up Go
+        uses: actions/setup-go@v5
         with:
-          go-version: 1.20.x
+          go-version-file: go.mod
       - name: Check out code into the Go module directory
         uses: actions/checkout@v3
         with:

diff --git a/.github/workflows/release-apispec.yml b/.github/workflows/release-apispec.yml
@@ -32,7 +32,7 @@ jobs:
             - name: View HEAD Commit
               value: https://github.com/Checkmarx/kics/commit/${{ github.sha }}
       - name: Set up Go
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@v5
         with:
           go-version: 1.20.x
       - name: Run GoReleaser

diff --git a/.github/workflows/release-commits.yaml b/.github/workflows/release-commits.yaml
@@ -12,10 +12,10 @@ jobs:
     steps:
       - name: Checkout Source
         uses: actions/checkout@v4
-      - name: Set up Go 1.21.x
-        uses: actions/setup-go@v4
+      - name: Set up Go
+        uses: actions/setup-go@v5
         with:
-          go-version: 1.21.x
+          go-version-file: go.mod
       - uses: actions/setup-python@v4
         with:
           python-version: "3.x"

diff --git a/.github/workflows/release-nightly.yml b/.github/workflows/release-nightly.yml
@@ -49,7 +49,7 @@ jobs:
             - name: View HEAD Commit
               value: https://github.com/Checkmarx/kics/commit/${{ github.sha }}
       - name: Set up Go
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@v5
         with:
           go-version: 1.20.x
       - name: Run GoReleaser

diff --git a/.github/workflows/sec-checks.yaml b/.github/workflows/sec-checks.yaml
@@ -21,6 +21,7 @@ jobs:
           output: './trivy-results.json'
           severity: 'CRITICAL,HIGH,MEDIUM'
           exit-code: '1'
+        # trivy-config: trivy.yaml
 
       - name: Inspect action report
         if: always()
@@ -64,6 +65,7 @@ jobs:
           output: './trivy-image-results.json'
           severity: 'CRITICAL,HIGH,MEDIUM'
           ignore-policy: './trivy-ignore.rego'
+        # trivy-config: trivy.image.yaml
       - name: Inspect action report
         if: always()
         shell: bash

diff --git a/.github/workflows/statistics.yaml b/.github/workflows/statistics.yaml
@@ -11,10 +11,10 @@ jobs:
     steps:
       - name: Checkout Source
         uses: actions/checkout@v4
-      - name: Set up Go 1.21.x
-        uses: actions/setup-go@v4
+      - name: Set up Go
+        uses: actions/setup-go@v5
         with:
-          go-version: 1.21.x
+          go-version-file: go.mod
       - name: Run test metrics script
         id: testcoverage
         run: |

diff --git a/Dockerfile b/Dockerfile
@@ -1,4 +1,4 @@
-FROM golang:1.21.6-alpine as build_env
+FROM cgr.dev/chainguard/go@sha256:bc4b9e98ca6c4304c93b537c0c8f40715d0b11de2600691700b562fa47f0571c as build_env
 
 # Copy the source from the current directory to the Working Directory inside the container
 WORKDIR /app
@@ -25,23 +25,17 @@ RUN CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} go build \
     -ldflags "-s -w -X github.com/Checkmarx/kics/internal/constants.Version=${VERSION} -X github.com/Checkmarx/kics/internal/constants.SCMCommit=${COMMIT} -X github.com/Checkmarx/kics/internal/constants.SentryDSN=${SENTRY_DSN} -X github.com/Checkmarx/kics/internal/constants.BaseURL=${DESCRIPTIONS_URL}" \
     -a -installsuffix cgo \
     -o bin/kics cmd/console/main.go
-USER Checkmarx
 
-# Healthcheck the container
-HEALTHCHECK CMD wget -q --method=HEAD localhost/system-status.txt
+USER nonroot
 
 # Runtime image
 # Ignore no User Cmd since KICS container is stopped afer scan
 # kics-scan ignore-line
-FROM alpine:3.19
+FROM cgr.dev/chainguard/git@sha256:1b0095b607c13391ea987bbcdac81745a363090cb3660bf7768de4582cfe29de
 
 ENV TERM xterm-256color
 
-# Install additional components from Alpine
-RUN apk update --no-cache \
-    && apk add --no-cache \
-    gcompat~=1.1.0 \
-    git~=2.43
+USER root
 
 # Copy built binary to the runtime container
 # Vulnerability fixed in latest version of KICS remove when gh actions version is updated
@@ -54,7 +48,6 @@ COPY --from=build_env /app/assets/libraries/* /app/bin/assets/libraries/
 WORKDIR /app/bin
 
 # Healthcheck the container
-HEALTHCHECK CMD wget -q --method=HEAD localhost/system-status.txt
 ENV PATH $PATH:/app/bin
 
 # Command to run the executable

diff --git a/assets/queries/cicd/github/run_block_injection/test/negative.yaml b/assets/queries/cicd/github/run_block_injection/test/negative.yaml
@@ -13,10 +13,10 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
-      - name: Set up Go 1.21.x
-        uses: actions/setup-go@v4
+      - name: Set up Go 1.22.x
+        uses: actions/setup-go@v5
         with:
-          go-version: 1.21.x
+          go-version: 1.22.x
       - name: Run test metrics script
         id: testcov
         run: |

diff --git a/docker/Dockerfile.debian b/docker/Dockerfile.debian
@@ -3,7 +3,7 @@
 # it does not define an ENTRYPOINT as this is a requirement described here:
 # https://docs.microsoft.com/en-us/azure/devops/pipelines/process/container-phases?view=azure-devops#linux-based-containers
 #
-FROM --platform=${BUILDPLATFORM:-linux/amd64} golang:1.20.5-buster as build_env
+FROM --platform=${BUILDPLATFORM:-linux/amd64} golang:1.22.1-bookworm as build_env
 # Create a group and user
 RUN groupadd checkmarx && useradd -g checkmarx -M -s /bin/bash checkmarx
 USER checkmarx

diff --git a/docker/Dockerfile.ubi8 b/docker/Dockerfile.ubi8
@@ -4,10 +4,10 @@ WORKDIR /build
 
 ENV PATH=$PATH:/usr/local/go/bin
 
-ADD https://golang.org/dl/go1.20.2.linux-amd64.tar.gz .
+ADD https://golang.org/dl/go1.22.1.linux-amd64.tar.gz .
 RUN yum install git gcc -y \
-  && rm -rf /usr/local/go && tar -C /usr/local -xzf go1.20.2.linux-amd64.tar.gz \
-  && rm -f go1.20.2.linux-amd64.tar.gz
+  && rm -rf /usr/local/go && tar -C /usr/local -xzf go1.22.1.linux-amd64.tar.gz \
+  && rm -f go1.22.1.linux-amd64.tar.gz
 
 ENV GOPRIVATE=github.com/Checkmarx/*
 ARG VERSION="development"

diff --git a/docs/queries/cicd-queries/20f14e1a-a899-4e79-9f09-b6a84cd4649b.md b/docs/queries/cicd-queries/20f14e1a-a899-4e79-9f09-b6a84cd4649b.md
@@ -204,10 +204,10 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
-      - name: Set up Go 1.21.x
-        uses: actions/setup-go@v4
+      - name: Set up Go 1.22.x
+        uses: actions/setup-go@v5
         with:
-          go-version: 1.21.x
+          go-version: 1.22.x
       - name: Run test metrics script
         id: testcov
         run: |

diff --git a/go.mod b/go.mod
@@ -1,6 +1,6 @@
 module github.com/Checkmarx/kics
 
-go 1.21
+go 1.22.1
 
 replace (
 	github.com/containerd/containerd => github.com/containerd/containerd v1.6.26