Add comprehensive security scanning workflows #216

Open
pdettori wants to merge 1 commit into main from orchestrate/ci

@pdettori
Summary

Add the security scanning workflows that were missing from kagenti-operator CI, bringing it to parity with kagenti-extensions.

New workflows

| Workflow | Jobs | Purpose |
|---|---|---|
| security-scans.yaml | 8 jobs | PR security gates |
| scorecard.yaml | 1 job | Repo security posture |

Security scans breakdown

| Phase | Job | Tool | Enforcement |
|---|---|---|---|
| 0 | Dependency Review | actions/dependency-review-action v4 | Fails on moderate+ severity; denies GPL-3.0/AGPL-3.0 (continue-on-error until Dependency Graph enabled) |
| 0 | Shellcheck | shellcheck | Blocks on error-severity issues |
| A | YAML Lint | yamllint | Blocks on syntax errors only |
| A | Helm Lint | helm lint | Informational |
| B | Hadolint | hadolint-action v3.3.0 | Blocks on error threshold |
| B | Trivy (filesystem + IaC) | aquasecurity/trivy-action v0.35.0 | Informational (exit-code 0) |
| C | CodeQL (Go) | github/codeql-action v4 | SARIF upload to Security tab |
| C | Action Pinning | Custom grep | Informational |

Dependabot updates

Added missing ecosystems to .github/dependabot.yaml:

  • gomod/kagenti-operator directory
  • docker/kagenti-operator and /kagenti-operator/cmd/agentcard-signer

(Previously only github-actions was covered.)

OpenSSF Scorecard

Weekly Scorecard run with SARIF upload to GitHub Security tab.

Design decisions

  • Go-only CodeQL — no Python in this repo, unlike kagenti-extensions which needs Go + Python
  • No Bandit — Python-specific scanner, not relevant here
  • All actions SHA-pinned — consistent with kagenti-extensions conventions
  • Informational Trivy (exit-code: 0) to avoid blocking PRs while establishing baseline visibility; tighten after initial findings are triaged
  • Trivy skip-dirs — excludes kagenti-operator/demos (demo manifests, not production)

TODO after merge

  • Enable Dependency Graph in repo Settings > Code security and analysis (removes continue-on-error need on dependency-review)
  • Review initial Trivy findings and consider switching to exit-code: 1 for blocking
  • Pin existing CI actions (ci.yaml, goreleaser.yml) to SHA commits (currently using @v6/@v7 tags)

Test plan

  • Verify security-scans.yaml triggers on this PR
  • Confirm CodeQL initializes and analyzes Go code successfully
  • Confirm Trivy scans filesystem and IaC configs
  • Confirm Hadolint finds and lints the 2 Dockerfiles
  • Confirm Shellcheck finds and checks the 10 shell scripts

…lint)

Add comprehensive security scanning that was missing from CI:

- security-scans.yaml: dependency review, shellcheck, YAML lint, Helm lint,
  Hadolint (Dockerfiles), Trivy (filesystem + IaC), CodeQL (Go SAST),
  and action pinning verification
- scorecard.yaml: OpenSSF Scorecard for repo security posture assessment
- dependabot.yaml: add gomod and docker ecosystems (was github-actions only)

All actions are SHA-pinned consistent with kagenti-extensions conventions.
Scanning jobs start as informational (continue-on-error or exit-code 0)
to avoid breaking existing PRs while establishing baseline visibility.

Assisted-By: Claude (Anthropic AI) <noreply@anthropic.com>
Signed-off-by: Paolo Dettori <dettori@us.ibm.com>
@pdettori pdettori requested a review from a team as a code owner March 11, 2026 23:08
@github-advanced-security

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@mrsabath mrsabath left a comment

Review Summary

Well-crafted security scanning addition bringing kagenti-operator CI to parity with kagenti-extensions. All 14 CI checks pass — including the new security scans themselves, which validates the workflows on this very PR.

Highlights:

  • All actions SHA-pinned with version comments
  • Top-level permissions: {} with minimal per-job grants
  • Phased enforcement: informational scans first (Trivy exit-code: 0, Helm lint || true), with clear TODOs to tighten
  • persist-credentials: false on Scorecard checkout
  • Dependabot expanded to cover gomod and docker ecosystems
  • Excellent PR body — tables, design decisions, and post-merge TODO checklist

Areas reviewed: CI/GitHub Actions, Security, YAML
Commits: 1 commit, signed-off ✓, Assisted-By ✓
CI status: all 14 checks passing ✓

Minor suggestions (non-blocking):

  1. pip install yamllint==1.* — wildcard minor version. Consider exact pin for reproducibility.
  2. Action-pinning grep matches 40-char SHA-1 hashes. GitHub is moving to SHA-256 (64 chars) — consider @[0-9a-f]{40,64} for future-proofing.

LGTM — great addition to the operator's CI pipeline.
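
An added example, not the PR's workflow code or the reviewer's: one way to write the action-pinning check from the scans table so that it accepts a full commit hash of exactly 40 or 64 hex characters, a stricter variant of the range suggested in the review. The action names, hashes and sample workflow are constructed for illustration.

```shell
#!/bin/sh
# Added example (not the PR's workflow code): list `uses:` references in
# workflow files that are not pinned to a full-length commit hash.

# Pinned = "@" + exactly 40 (SHA-1) or 64 (SHA-256) hex chars, optionally
# followed by a trailing "# v1.2.3" style comment. Quoted refs are not
# recognised and are reported, which errs on the strict side.
PINNED_RE='@([0-9a-f]{40}|[0-9a-f]{64})[[:space:]]*(#.*)?$'

# Print "file:line:text" for each unpinned third-party action reference.
# Local ("./") and "docker://" references carry no Git ref and are skipped.
unpinned_uses() {
  find "$1" -type f \( -name '*.yml' -o -name '*.yaml' \) \
      -exec grep -HnE '^[[:space:]]*(-[[:space:]]+)?uses:[[:space:]]' {} + \
    | grep -vE 'uses:[[:space:]]+(\./|docker://)' \
    | grep -vE "$PINNED_RE" || true
}

# Number of unpinned references; a blocking gate would fail when this is > 0.
count_unpinned() {
  unpinned_uses "$1" | grep -c . || true
}

# Constructed sample workflow (hypothetical action names, made-up hashes).
make_sample() {
  sample_dir="$(mktemp -d)"
  s1=0123456789abcdef0123456789abcdef01234567
  s2="${s1}0123456789abcdef01234567"
  cat > "$sample_dir/ci.yaml" <<EOF
jobs:
  scan:
    steps:
      - uses: example-org/checkout@${s1} # v1.2.3
      - uses: example-org/setup@${s2}
      - uses: example-org/lint@v6
      - uses: example-org/scan@0123456789abcdef
      - uses: ./.github/actions/local
      - uses: docker://alpine:3.20
EOF
  echo "$sample_dir"
}
```

On the constructed sample, the tag reference and the abbreviated hash are reported, while both full-length hashes, the local action and the docker reference are not.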
