fix: add missing env var for gcp e2e and missing Semgrep stuff (#3960)
* fix: add missing env var for gcp e2e

Signed-off-by: Jorge Turrado <[email protected]>

* add missing gh-cli for checking out

Signed-off-by: Jorge Turrado <[email protected]>

* update security page with semgrep

Signed-off-by: Jorge Turrado <[email protected]>

Signed-off-by: Jorge Turrado <[email protected]>
JorTurFer authored Dec 6, 2022
1 parent ece1d19 commit 1be761c
Showing 3 changed files with 3 additions and 0 deletions.
1 change: 1 addition & 0 deletions .github/workflows/static-analysis.yml
Expand Up @@ -69,6 +69,7 @@ jobs:
id: checkout
if: ${{ github.event.number > 0 }}
run: |
apk add github-cli
gh pr checkout ${{ github.event.number }}
- run: semgrep ci --sarif --output=semgrep.sarif
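Review bot: `apk add github-cli` at the top of the `run` block installs whatever version the container's Alpine repository serves on that day, so the checkout step is neither pinned nor reproducible; pin it (`apk add github-cli=<version>`) or bake `gh` into the image the job runs in. Since `gh pr checkout ${{ github.event.number }}` needs an authenticated `gh`, also confirm the step exports `GH_TOKEN` (or `GITHUB_TOKEN`) in its `env`, which this hunk does not show.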
1 change: 1 addition & 0 deletions .github/workflows/template-main-e2e-test.yml
Expand Up @@ -27,6 +27,7 @@ jobs:
env:
AWS_RUN_IDENTITY_TESTS: true
AZURE_RUN_WORKLOAD_IDENTITY_TESTS: true
GCP_RUN_IDENTITY_TESTS: true
run: make e2e-test

- name: Delete all e2e related namespaces
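Review bot: `GCP_RUN_IDENTITY_TESTS: true` is only useful if the GCP workload-identity credentials those tests consume are also provided to this job; the hunk shows the flag added next to the AWS and Azure ones but nothing that wires the GCP identity in, so confirm that wiring exists elsewhere in `template-main-e2e-test.yml`, otherwise `make e2e-test` will start failing on the GCP identity cases rather than skipping them as before.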
1 change: 1 addition & 0 deletions SECURITY.md
Expand Up @@ -22,6 +22,7 @@ We have a few preventive measures in place to detect security vulnerabilities:
- Published images on GitHub Container Registry are monitored to detect new vulnerabilities so we can ship patches
- [Whitesource Bolt for GitHub](https://www.whitesourcesoftware.com/free-developer-tools/bolt/) helps us with identifying vulnerabilities in our dependencies to raise awareness.
- [Trivy](https://aquasecurity.github.io/trivy/latest/) helps us with identifying vulnerabilities in our dependencies and docker images to raise awareness as part of our CI.
- [Semgrep](https://semgrep.dev/) helps us with identifying vulnerabilities in our code and docker images to raise awareness as part of our CI.
- [GitHub's security features](https://github.com/features/security) are constantly monitoring our repo and dependencies:
- All pull requests (PRs) are using CodeQL to scan our source code for vulnerabilities
- Dependabot will automatically identify vulnerabilities based on GitHub Advisory Database and open PRs with patches
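Review bot: the new Semgrep bullet claims it identifies vulnerabilities "in our code and docker images", which reads as a copy of the Trivy bullet directly above it; `semgrep ci` in `static-analysis.yml` is static analysis over the source tree (Dockerfiles included as text), not a scan of built container images, and image scanning is already what the Trivy bullet covers. Suggest "helps us with identifying vulnerabilities in our source code as part of our CI" and, to match the workflow change in this same commit, note that it runs on every pull request.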
