Skip to content
pr

ci: rework compliance step #460

Sign in to view logs

ci: rework compliance step

ci: rework compliance step #460

Triggered via pull request November 23, 2024 08:42
@phbelitzphbelitz
opened #1836
ci/compliance/rework
Status Success
Total duration 8m 20s
Artifacts 4

pr.yml

on: pull_request
ci  /  conditionals
0s
ci / conditionals
ci  /  ...  /  context
11s
ci / build / context
ci  /  ...  /  dependency review
5s
ci / compliance / dependency review
ci  /  ...  /  check-commit-message
3s
ci / compliance / check-commit-message
ci  /  ...  /  unit tests
1m 14s
ci / unit-test / unit tests
ci  /  ...  /  checkov
29s
ci / sast / checkov
ci  /  ...  /  codeql
3m 36s
ci / sast / codeql
ci  /  ...  /  golangci-lint
1m 46s
ci / sast / golangci-lint
ci  /  ...  /  gosec
27s
ci / sast / gosec
ci  /  ...  /  hadolint
23s
ci / sast / hadolint
ci  /  ...  /  kubelinter
15s
ci / sast / kubelinter
ci  /  ...  /  semgrep
34s
ci / sast / semgrep
ci  /  ...  /  trivy config
38s
ci / sast / trivy config
ci  /  ...  /  deploy
19s
ci / docs / deploy
ci  /  ...  /  build
2m 49s
ci / build / build
ci  /  ...  /  trivy image
30s
ci / sca / trivy image
ci  /  ...  /  grype
45s
ci / sca / grype
ci  /  ...  /  dependency review
19s
ci / sca / syft / dependency review
Matrix: ci / integration-test / functional
Matrix: ci / integration-test / k8s versions
Matrix: ci / integration-test / optional
Matrix: ci / integration-test / optional k8s versions
Matrix: ci / integration-test / self-hosted-notary
Fit to window
Zoom out
Zoom in

Annotations

10 errors and 5 warnings
ci / sast / checkov: deployment/deployment.yaml#L286
CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
ci / sast / checkov: deployment/deployment.yaml#L286
CKV_K8S_35: "Prefer using secrets as files over secrets as environment variables"
ci / sast / checkov: deployment/deployment.yaml#L286
CKV_K8S_43: "Image should use digest"
ci / sast / checkov: deployment/deployment.yaml#L286
CKV_K8S_15: "Image Pull Policy should be Always"
ci / sast / checkov: deployment/deployment.yaml#L410
CKV_K8S_35: "Prefer using secrets as files over secrets as environment variables"
ci / sast / checkov: deployment/deployment.yaml#L410
CKV_K8S_43: "Image should use digest"
ci / sast / checkov: deployment/deployment.yaml#L410
CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
ci / sast / checkov: deployment/deployment.yaml#L286
CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
ci / sast / checkov: deployment/deployment.yaml#L410
CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
ci / sast / checkov: deployment/deployment.yaml#L219
CKV2_K8S_5: "No ServiceAccount/Node should be able to read all secrets"
ci / sast / trivy config
Uploading multiple SARIF runs with the same category is deprecated and will be removed on June 4, 2025. Please update your workflow to upload a single run per category. For more information, see https://github.blog/changelog/2024-05-06-code-scanning-will-stop-combining-runs-from-a-single-upload
ci / unit-test / unit tests
The following actions use a deprecated Node.js version and will be forced to run on node20: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d. For more info: https://github.blog/changelog/2024-03-07-github-actions-all-actions-will-run-on-node20-instead-of-node16-by-default/
ci / unit-test / unit tests
Failed to restore: "/usr/bin/tar" failed with error: The process '/usr/bin/tar' failed with exit code 2
ci / sast / codeql
1 issue was detected with this workflow: Please specify an on.push hook to analyze and see code scanning alerts from the default branch on the Security tab.
ci / sast / codeql
Unable to validate code scanning workflow: MissingPushHook

Artifacts

Produced during runtime
Name Size
cosign.pub
287 Bytes
sbom.cdx
32 KB
sse-secure-systems-connaisseur-test_sha-3fd2041.cyclonedx.json
32.1 KB
sse-secure-systems~connaisseur~NVVE5W.dockerbuild
46.4 KB