@guyni guyni commented Sep 4, 2025

What this PR does / why we need it:

Which issue(s) this PR fixes (optional, use fixes #<issue_number>(, fixes #<issue_number>, ...) format, where issue_number might be a GitHub issue, or a Jira story:
Fixes #

Checklist

  • Subject and description added to both, commit and PR.
  • Relevant issues have been referenced.
  • This change includes docs.
  • This change includes unit tests.

guyni added 5 commits August 28, 2025 13:40
- Add MAAS platform types and API definitions
- Implement MAAS platform interface for hosted clusters
- Add MAAS machine template creation for NodePools
- Integrate MAAS support in control plane operator
- Add MAAS CLI commands (create/destroy)
- Update infrastructure reconciliation for MAAS
- Add MAAS ignition customization for storage wiping
- Update documentation with MAAS support instructions

MAAS is now supported as an 'out of the box' platform without requiring feature gates.
Add the generated MAAS.yaml CRD manifest file for NodePool platform support.
- Add spectrocloud/cluster-api-provider-maas dependency
- Add MAAS API types to vendor/github.com/openshift/hypershift
- Include all necessary MAAS CAPI provider files for build dependencies
- Add MAAS platform API types and CRDs
- Implement MAAS platform controller and CAPI provider integration
- Add MAAS CLI commands for cluster and nodepool creation/destruction
- Implement MAAS-specific machine template and ignition customization
- Add MAAS CAPI provider vendor dependencies
- Create MAAS architecture documentation with PNG diagrams
- Update generated files and dependencies
- Revert ImagePullPolicy to PullIfNotPresent for production use

This commit enables full MAAS (Metal as a Service) platform support
in HyperShift, allowing users to provision OpenShift clusters on
bare metal infrastructure managed by MAAS.
- Update generated CRD manifests and deepcopy files
- Update control plane operator configurations for MAAS compatibility
- Update hosted cluster config operator for MAAS platform
- Update vendor files and dependencies
- Update documentation and API references

This commit includes additional generated files and control plane
operator updates that were modified after the initial MAAS implementation.

@bulwark-spectrocloud bulwark-spectrocloud bot left a comment

⚠️ Syft license check scan found restrictive licenses:

  1. github.com/OpenPeeDeeP/depguard/v2
    Available Licenses:
    • GPL-3.0
    • GPL-3.0-or-later
  2. github.com/denis-tingaikin/go-header
    Available Licenses:
    • GPL-3.0
  3. github.com/firefart/nonamedreturns
    Available Licenses:
    • GPL-3.0
  4. github.com/golangci/plugin-module-register
    Available Licenses:
    • GPL-3.0
  5. github.com/leonklingele/grouper
    Available Licenses:
    • GPL-3.0
  6. github.com/xen0n/gosmopolitan
    Available Licenses:
    • GPL-3.0
    • GPL-3.0-or-later

Please review these findings and fix the issues before merging.

@bulwark-spectrocloud bulwark-spectrocloud bot left a comment

⚠️ GoVulnCheck scan found vulnerabilities:

  1. GO-2025-3595
    • Module: golang.org/x/net
    • Found in: v0.37.0
    • Fixed in: v0.38.0
    • Example Traces:
      1. cmd/infra/powervs/destroy.go:190:20: powervs.DestroyInfra calls powervs.deleteCOS, which eventually calls charset.fromHTML

Please review these findings and fix the issues before merging.

@bulwark-spectrocloud bulwark-spectrocloud bot left a comment

⚠️ GoSec scan found code issues:

  1. G115: integer overflow conversion uint64 -> int64, Severity: HIGH
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/cmd/nodepool/core/create.go:271:22
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/support/supportedversion/version.go:61:21
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/test/e2e/util/options.go:302:33
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/test/e2e/util/options.go:300:33
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/hypershift-operator/controllers/nodepool/metrics/metrics.go:248:26
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/hypershift-operator/controllers/nodepool/aws.go:270:25
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/support/globalconfig/network.go:34:23
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/hypershift-operator/controllers/hostedclustersizing/hostedclustersizing_controller.go:422:22
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/hypershift-operator/controllers/hostedclustersizing/hostedclustersizing_controller.go:420:22
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/support/supportedversion/version.go:62:88
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/pkg/etcdcli/helpers.go:49:20
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/hypershift-operator/controllers/hostedclustersizing/hostedclustersizing_controller.go:404:22
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/test/e2e/util/util.go:2381:22
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/test/e2e/util/util.go:2273:50
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/test/e2e/util/util.go:2228:50
    • ... (truncated), run gosec locally to capture all failures for the rule G115
  2. G404: Use of weak random number generator (math/rand or math/rand/v2 instead of crypto/rand), Severity: HIGH
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/test/integration/framework/pki.go:59:50
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/test/integration/framework/pki.go:45:45
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/support/certs/rand.go:24:15
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/cmd/cluster/core/dump.go:174:15
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/cmd/cluster/core/dump.go:145:3
  3. G402: TLS MinVersion too low., Severity: HIGH
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/etcd-recovery/etcdrecovery.go:424-428:15
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/control-plane-operator/controllers/hostedcontrolplane/v2/oauth/idp_convert.go:690:21
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/control-plane-operator/controllers/hostedcontrolplane/oauth/idp_convert.go:690:21
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/support/util/util.go:247:25
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/hypershift-operator/controllers/hostedcluster/hostedcluster_controller.go:2054:24
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/availability-prober/availability_prober.go:117:53
  4. G109: Potential Integer overflow made by strconv.Atoi result conversion to int16/32, Severity: HIGH
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/hypershift-operator/controllers/scheduler/aws/autoscaler.go:872:17
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/hypershift-operator/controllers/scheduler/aws/autoscaler.go:871:19
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/hypershift-operator/controllers/scheduler/aws/autoscaler.go:869:17
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/hypershift-operator/controllers/scheduler/aws/autoscaler.go:868:19
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/hypershift-operator/controllers/nodepool/apiserver-haproxy/haproxy.go:217:9
  5. G401: Use of weak cryptographic primitive, Severity: MEDIUM
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/support/util/hash.go:9:27
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/support/certs/tls.go:505:27
  6. G501: Blocklisted import crypto/md5: weak cryptographic primitive, Severity: MEDIUM
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/support/util/hash.go:4:2
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/support/certs/tls.go:5:2

Please review these findings and fix the issues before merging.

This commit adds comprehensive MAAS (Metal as a Service) platform support
to HyperShift, enabling provisioning and management of OpenShift clusters
on MAAS infrastructure.

Key Features:
- MAAS HostedCluster platform configuration with NodePort service publishing
- MAAS NodePool support with custom image configuration
- CAPI provider integration for MAAS machine lifecycle management
- Infrastructure resource reconciliation for MAAS platform type
- CLI command for creating MAAS clusters with auto-detection

API Changes:
- Add MAASPlatform constant and MAAS platform types
- Add NodePortPublishingStrategy for MAAS service exposure
- Add MAAS-specific fields to HostedCluster and NodePool specs

Platform Integration:
- MAAS HostedCluster controller with credential management
- MAAS NodePool controller with machine template creation
- CAPI provider deployment with proper secret handling
- Infrastructure resource reconciliation setting platform type to 'None'

CLI Enhancements:
- Add --external-api-server-address flag for NodePort configuration
- Auto-detect API server address from node addresses
- Configure service publishing strategy for MAAS platforms

Critical Fixes:
- Fix secret name mismatch in MAAS credential reconciliation
- Add Infrastructure resource reconciliation for MAAS platforms
- Ensure proper platform type mapping (MAAS -> None)

Testing:
- Verified HostedCluster creation with MAAS platform
- Confirmed NodePool machine provisioning with custom images
- Validated CAPI provider deployment and credential handling
- Tested Infrastructure resource reconciliation

Documentation:
- Add comprehensive MAAS platform integration guide
- Include troubleshooting section with common issues
- Provide configuration examples and testing procedures
This commit includes all generated files that were updated as a result
of the MAAS platform integration changes:

- Generated deepcopy files for new MAAS types
- Generated CRD manifests for HostedCluster, HostedControlPlane, and NodePool
- Updated API documentation with MAAS platform references
- Updated vendor files with generated code

These files are automatically generated from the API type definitions
and are required for the MAAS platform support to function correctly.

- Add missing fields to MAASNodePoolPlatform API (minDiskSize, lxd, staticIP)
- Fix MAAS NodePool controller to properly map Zone to FailureDomain
- Add comprehensive CLI support for MAAS NodePool creation
- Update controller logic to map minCpu, minMemory, image, resourcePool, tags
- Add MAAS_SUPPORT_INSTRUCTIONS.md with implementation details and testing results

Fixes issues where MaasMachine CRs showed incorrect values:
- minCPU: 1 (hardcoded default) → now uses NodePool specification
- failureDomain: default → now properly maps from NodePool zone

Tested with NodePool requiring 20 CPU cores - successfully allocated
MAAS machine with correct resource requirements.

- Add ClusterAPIProviderMAASImage annotation constant for MAAS provider image override
- Add MAASCAPIProviderEnvVar environment variable support
- Update platform logic to check annotation override first, then fall back to hardcoded image
- Update MAAS platform controller to support environment variable override

This allows users to customize the MAAS CAPI provider image via:
1. HostedCluster annotation: hypershift.openshift.io/capi-provider-maas-image
2. Environment variable: IMAGE_MAAS_CAPI_PROVIDER

Resolves issue where control-plane-operator was reverting CAPI provider deployment image changes.

- Fixed control-plane-operator cache configuration to handle cluster-scoped Infrastructure CRD
  * Added ByObject exclusion for config.openshift.io/v1/Infrastructure
  * Prevents namespace field selector errors on cluster-scoped resources

- Improved MAAS cluster creation with --render flag
  * Removed --create-secret flag (redundant with --render-sensitive)
  * GenerateResources() now conditionally includes MAAS credentials secret
  * Secrets properly included in --render-sensitive output

- Fixed NodePool defaults handling
  * Removed hardcoded UpgradeType defaults from CLI
  * Let mutating webhook and CRD defaults fill in management fields
  * Prevents validation errors when values are explicitly set to empty

- Added documentation for running HyperShift on Kubernetes
  * Created KUBERNETES_MANAGEMENT_CLUSTER_SETUP.md with setup instructions
  * Documents required OpenShift CRDs for non-OpenShift management clusters
  * Includes RBAC setup and troubleshooting guide

These changes enable HyperShift to run on standard Kubernetes clusters
and improve the MAAS platform integration workflow.
Copy link

@bulwark-spectrocloud bulwark-spectrocloud bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Syft license check scan found restrictive licenses:

  1. github.com/OpenPeeDeeP/depguard/v2
    Available Licenses:
    • GPL-3.0
    • GPL-3.0-or-later
  2. github.com/denis-tingaikin/go-header
    Available Licenses:
    • GPL-3.0
  3. github.com/firefart/nonamedreturns
    Available Licenses:
    • GPL-3.0
  4. github.com/golangci/plugin-module-register
    Available Licenses:
    • GPL-3.0
  5. github.com/leonklingele/grouper
    Available Licenses:
    • GPL-3.0
  6. github.com/xen0n/gosmopolitan
    Available Licenses:
    • GPL-3.0
    • GPL-3.0-or-later

Please review these findings and fix the issues before merging.

@bulwark-spectrocloud bulwark-spectrocloud bot left a comment

⚠️ GoVulnCheck scan found vulnerabilities:

  1. GO-2025-3595
    • Module: golang.org/x/net
    • Found in: v0.37.0
    • Fixed in: v0.38.0
    • Example Traces:
      1. cmd/infra/powervs/destroy.go:190:20: powervs.DestroyInfra calls powervs.deleteCOS, which eventually calls charset.fromHTML

Please review these findings and fix the issues before merging.

@bulwark-spectrocloud bulwark-spectrocloud bot left a comment

⚠️ GoSec scan found code issues:

  1. G115: integer overflow conversion uint64 -> int64, Severity: HIGH
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/cmd/nodepool/core/create.go:271:22
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/support/supportedversion/version.go:61:21
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/test/e2e/util/options.go:302:33
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/test/e2e/util/options.go:300:33
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/hypershift-operator/controllers/nodepool/metrics/metrics.go:248:26
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/hypershift-operator/controllers/nodepool/aws.go:270:25
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/support/globalconfig/network.go:34:23
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/hypershift-operator/controllers/hostedclustersizing/hostedclustersizing_controller.go:422:22
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/hypershift-operator/controllers/hostedclustersizing/hostedclustersizing_controller.go:420:22
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/support/supportedversion/version.go:62:88
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/pkg/etcdcli/helpers.go:49:20
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/hypershift-operator/controllers/hostedclustersizing/hostedclustersizing_controller.go:404:22
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/test/e2e/util/util.go:2381:22
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/test/e2e/util/util.go:2273:50
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/test/e2e/util/util.go:2228:50
    • ... (truncated), run gosec locally to capture all failure for the rule G115
  2. G404: Use of weak random number generator (math/rand or math/rand/v2 instead of crypto/rand), Severity: HIGH
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/test/integration/framework/pki.go:59:50
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/test/integration/framework/pki.go:45:45
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/support/certs/rand.go:24:15
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/cmd/cluster/core/dump.go:174:15
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/cmd/cluster/core/dump.go:145:3
  3. G402: TLS MinVersion too low., Severity: HIGH
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/etcd-recovery/etcdrecovery.go:424-428:15
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/control-plane-operator/controllers/hostedcontrolplane/v2/oauth/idp_convert.go:690:21
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/control-plane-operator/controllers/hostedcontrolplane/oauth/idp_convert.go:690:21
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/support/util/util.go:247:25
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/hypershift-operator/controllers/hostedcluster/hostedcluster_controller.go:2054:24
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/availability-prober/availability_prober.go:117:53
  4. G109: Potential Integer overflow made by strconv.Atoi result conversion to int16/32, Severity: HIGH
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/hypershift-operator/controllers/scheduler/aws/autoscaler.go:872:17
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/hypershift-operator/controllers/scheduler/aws/autoscaler.go:871:19
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/hypershift-operator/controllers/scheduler/aws/autoscaler.go:869:17
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/hypershift-operator/controllers/scheduler/aws/autoscaler.go:868:19
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/hypershift-operator/controllers/nodepool/apiserver-haproxy/haproxy.go:217:9
  5. G401: Use of weak cryptographic primitive, Severity: MEDIUM
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/support/util/hash.go:9:27
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/support/certs/tls.go:505:27
  6. G501: Blocklisted import crypto/md5: weak cryptographic primitive, Severity: MEDIUM
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/support/util/hash.go:4:2
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/support/certs/tls.go:5:2

Please review these findings and fix the issues before merging.

- Increase MachineDeployment ProgressDeadlineSeconds from 10min to 1hour
- Add configurable timeout via NodePool annotation
- Remove Infrastructure object creation for MAAS to prevent management cluster overwrite
- Increase CAPI provider resource limits for better performance
- Update MAAS support documentation

Fixes:
- Machine deployment timeouts causing premature rollbacks
- Infrastructure object conflicts between management and hosted clusters
- CAPI provider resource constraints

Changes:
- hypershift-operator/controllers/nodepool/capi.go: Default timeout 600s->3600s, add annotation support
- control-plane-operator: Remove Infrastructure creation for MAAS platforms
- api/hypershift/v1beta1: Add MachineDeploymentProgressDeadlineSecondsAnnotation
- hypershift-operator/controllers/hostedcluster/internal/platform/maas/maas.go: Increase resource limits
- MAAS_SUPPORT_INSTRUCTIONS.md: Document timeout and Infrastructure fixes

@bulwark-spectrocloud bulwark-spectrocloud bot left a comment

⚠️ Syft license check scan found restrictive licenses:

  1. github.com/OpenPeeDeeP/depguard/v2
    Available Licenses:
    • GPL-3.0
    • GPL-3.0-or-later
  2. github.com/denis-tingaikin/go-header
    Available Licenses:
    • GPL-3.0
  3. github.com/firefart/nonamedreturns
    Available Licenses:
    • GPL-3.0
  4. github.com/golangci/plugin-module-register
    Available Licenses:
    • GPL-3.0
  5. github.com/leonklingele/grouper
    Available Licenses:
    • GPL-3.0
  6. github.com/xen0n/gosmopolitan
    Available Licenses:
    • GPL-3.0
    • GPL-3.0-or-later

Please review these findings and fix the issues before merging.

@bulwark-spectrocloud bulwark-spectrocloud bot left a comment

⚠️ GoVulnCheck scan found vulnerabilities:

  1. GO-2025-3595
    • Module: golang.org/x/net
    • Found in: v0.37.0
    • Fixed in: v0.38.0
    • Example Traces:
      1. cmd/infra/powervs/destroy.go:190:20: powervs.DestroyInfra calls powervs.deleteCOS, which eventually calls charset.fromHTML

Please review these findings and fix the issues before merging.

@bulwark-spectrocloud bulwark-spectrocloud bot left a comment

⚠️ GoSec scan found code issues:

  1. G115: integer overflow conversion uint64 -> int64, Severity: HIGH
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/cmd/nodepool/core/create.go:271:22
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/support/supportedversion/version.go:61:21
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/test/e2e/util/options.go:302:33
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/test/e2e/util/options.go:300:33
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/hypershift-operator/controllers/nodepool/metrics/metrics.go:248:26
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/hypershift-operator/controllers/nodepool/aws.go:270:25
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/support/globalconfig/network.go:34:23
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/hypershift-operator/controllers/hostedclustersizing/hostedclustersizing_controller.go:422:22
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/hypershift-operator/controllers/hostedclustersizing/hostedclustersizing_controller.go:420:22
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/support/supportedversion/version.go:62:88
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/pkg/etcdcli/helpers.go:49:20
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/hypershift-operator/controllers/hostedclustersizing/hostedclustersizing_controller.go:404:22
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/test/e2e/util/util.go:2381:22
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/test/e2e/util/util.go:2273:50
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/test/e2e/util/util.go:2228:50
    • ... (truncated), run gosec locally to capture all failure for the rule G115
  2. G404: Use of weak random number generator (math/rand or math/rand/v2 instead of crypto/rand), Severity: HIGH
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/test/integration/framework/pki.go:59:50
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/test/integration/framework/pki.go:45:45
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/support/certs/rand.go:24:15
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/cmd/cluster/core/dump.go:174:15
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/cmd/cluster/core/dump.go:145:3
  3. G402: TLS MinVersion too low., Severity: HIGH
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/etcd-recovery/etcdrecovery.go:424-428:15
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/control-plane-operator/controllers/hostedcontrolplane/v2/oauth/idp_convert.go:690:21
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/control-plane-operator/controllers/hostedcontrolplane/oauth/idp_convert.go:690:21
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/support/util/util.go:247:25
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/hypershift-operator/controllers/hostedcluster/hostedcluster_controller.go:2054:24
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/availability-prober/availability_prober.go:117:53
  4. G109: Potential Integer overflow made by strconv.Atoi result conversion to int16/32, Severity: HIGH
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/hypershift-operator/controllers/scheduler/aws/autoscaler.go:872:17
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/hypershift-operator/controllers/scheduler/aws/autoscaler.go:871:19
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/hypershift-operator/controllers/scheduler/aws/autoscaler.go:869:17
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/hypershift-operator/controllers/scheduler/aws/autoscaler.go:868:19
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/hypershift-operator/controllers/nodepool/capi.go:396:30
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/hypershift-operator/controllers/nodepool/apiserver-haproxy/haproxy.go:217:9
  5. G401: Use of weak cryptographic primitive, Severity: MEDIUM
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/support/util/hash.go:9:27
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/support/certs/tls.go:505:27
  6. G501: Blocklisted import crypto/md5: weak cryptographic primitive, Severity: MEDIUM
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/support/util/hash.go:4:2
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/support/certs/tls.go:5:2

Please review these findings and fix the issues before merging.

…cessary cache config

- Restore Infrastructure resource creation in HCCO reconcileConfig function
  This creates Infrastructure resources in the hosted cluster where they belong
- Remove Infrastructure resource cache configuration from control-plane-operator main.go
  This was unnecessary and not the root cause of the crash

The real issue was that Infrastructure resources were missing from the hosted cluster
because the creation code was removed from HCCO. The control-plane-operator was
crashing when trying to access Infrastructure resources that didn't exist.

Architecture is now correct:
- HCCO creates Infrastructure resources in hosted cluster
- Control-plane-operator only uses Infrastructure for in-memory configuration
- Infrastructure resources exist where they should (hosted cluster)

@bulwark-spectrocloud bulwark-spectrocloud bot left a comment

⚠️ Syft license check scan found restrictive licenses:

  1. github.com/OpenPeeDeeP/depguard/v2
    Available Licenses:
    • GPL-3.0
    • GPL-3.0-or-later
  2. github.com/denis-tingaikin/go-header
    Available Licenses:
    • GPL-3.0
  3. github.com/firefart/nonamedreturns
    Available Licenses:
    • GPL-3.0
  4. github.com/golangci/plugin-module-register
    Available Licenses:
    • GPL-3.0
  5. github.com/leonklingele/grouper
    Available Licenses:
    • GPL-3.0
  6. github.com/xen0n/gosmopolitan
    Available Licenses:
    • GPL-3.0
    • GPL-3.0-or-later

Please review these findings and fix the issues before merging.

Move Infrastructure resource creation before DNS config creation to match
the upstream HyperShift order. This ensures consistency with the upstream
codebase and follows the correct reconciliation sequence.

@bulwark-spectrocloud bulwark-spectrocloud bot left a comment

⚠️ Syft license check scan found restrictive licenses:

  1. github.com/OpenPeeDeeP/depguard/v2
    Available Licenses:
    • GPL-3.0
    • GPL-3.0-or-later
  2. github.com/denis-tingaikin/go-header
    Available Licenses:
    • GPL-3.0
  3. github.com/firefart/nonamedreturns
    Available Licenses:
    • GPL-3.0
  4. github.com/golangci/plugin-module-register
    Available Licenses:
    • GPL-3.0
  5. github.com/leonklingele/grouper
    Available Licenses:
    • GPL-3.0
  6. github.com/xen0n/gosmopolitan
    Available Licenses:
    • GPL-3.0
    • GPL-3.0-or-later

Please review these findings and fix the issues before merging.

@bulwark-spectrocloud bulwark-spectrocloud bot left a comment

⚠️ GoVulnCheck scan found vulnerabilities:

  1. GO-2025-3595
    • Module: golang.org/x/net
    • Found in: v0.37.0
    • Fixed in: v0.38.0
    • Example Traces:
      1. cmd/infra/powervs/destroy.go:190:20: powervs.DestroyInfra calls powervs.deleteCOS, which eventually calls charset.fromHTML

Please review these findings and fix the issues before merging.

@bulwark-spectrocloud bulwark-spectrocloud bot left a comment

⚠️ GoSec scan found code issues:

  1. G115: integer overflow conversion uint64 -> int64, Severity: HIGH
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/cmd/nodepool/core/create.go:271:22
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/support/supportedversion/version.go:61:21
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/test/e2e/util/options.go:302:33
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/test/e2e/util/options.go:300:33
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/hypershift-operator/controllers/nodepool/metrics/metrics.go:248:26
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/hypershift-operator/controllers/nodepool/aws.go:270:25
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/support/globalconfig/network.go:34:23
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/hypershift-operator/controllers/hostedclustersizing/hostedclustersizing_controller.go:422:22
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/hypershift-operator/controllers/hostedclustersizing/hostedclustersizing_controller.go:420:22
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/support/supportedversion/version.go:62:88
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/pkg/etcdcli/helpers.go:49:20
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/hypershift-operator/controllers/hostedclustersizing/hostedclustersizing_controller.go:404:22
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/test/e2e/util/util.go:2381:22
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/test/e2e/util/util.go:2273:50
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/test/e2e/util/util.go:2228:50
    • ... (truncated), run gosec locally to capture all failure for the rule G115
  2. G404: Use of weak random number generator (math/rand or math/rand/v2 instead of crypto/rand), Severity: HIGH
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/test/integration/framework/pki.go:59:50
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/test/integration/framework/pki.go:45:45
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/support/certs/rand.go:24:15
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/cmd/cluster/core/dump.go:174:15
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/cmd/cluster/core/dump.go:145:3
  3. G402: TLS MinVersion too low., Severity: HIGH
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/etcd-recovery/etcdrecovery.go:424-428:15
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/control-plane-operator/controllers/hostedcontrolplane/v2/oauth/idp_convert.go:690:21
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/control-plane-operator/controllers/hostedcontrolplane/oauth/idp_convert.go:690:21
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/support/util/util.go:247:25
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/hypershift-operator/controllers/hostedcluster/hostedcluster_controller.go:2054:24
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/availability-prober/availability_prober.go:117:53
  4. G109: Potential Integer overflow made by strconv.Atoi result conversion to int16/32, Severity: HIGH
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/hypershift-operator/controllers/scheduler/aws/autoscaler.go:872:17
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/hypershift-operator/controllers/scheduler/aws/autoscaler.go:871:19
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/hypershift-operator/controllers/scheduler/aws/autoscaler.go:869:17
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/hypershift-operator/controllers/scheduler/aws/autoscaler.go:868:19
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/hypershift-operator/controllers/nodepool/capi.go:396:30
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/hypershift-operator/controllers/nodepool/apiserver-haproxy/haproxy.go:217:9
  5. G401: Use of weak cryptographic primitive, Severity: MEDIUM
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/support/util/hash.go:9:27
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/support/certs/tls.go:505:27
  6. G501: Blocklisted import crypto/md5: weak cryptographic primitive, Severity: MEDIUM
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/support/util/hash.go:4:2
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/support/certs/tls.go:5:2

Please review these findings and fix the issues before merging.

Remove unnecessary debug logging from ReconcileInfrastructure function
to make it consistent with other platforms. The MAAS platform type
conversion to 'None' is still correct and necessary since OpenShift
doesn't natively support MAAS platform types.

@bulwark-spectrocloud bulwark-spectrocloud bot left a comment

⚠️ Syft license check scan found restrictive licenses:

  1. github.com/OpenPeeDeeP/depguard/v2
    Available Licenses:
    • GPL-3.0
    • GPL-3.0-or-later
  2. github.com/denis-tingaikin/go-header
    Available Licenses:
    • GPL-3.0
  3. github.com/firefart/nonamedreturns
    Available Licenses:
    • GPL-3.0
  4. github.com/golangci/plugin-module-register
    Available Licenses:
    • GPL-3.0
  5. github.com/leonklingele/grouper
    Available Licenses:
    • GPL-3.0
  6. github.com/xen0n/gosmopolitan
    Available Licenses:
    • GPL-3.0
    • GPL-3.0-or-later

Please review these findings and fix the issues before merging.

@bulwark-spectrocloud bulwark-spectrocloud bot left a comment

⚠️ GoVulnCheck scan found vulnerabilities:

  1. GO-2025-3595
    • Module: golang.org/x/net
    • Found in: v0.37.0
    • Fixed in: v0.38.0
    • Example Traces:
      1. cmd/infra/powervs/destroy.go:190:20: powervs.DestroyInfra calls powervs.deleteCOS, which eventually calls charset.fromHTML

Please review these findings and fix the issues before merging.

@bulwark-spectrocloud bulwark-spectrocloud bot left a comment

⚠️ GoSec scan found code issues:

  1. G115: integer overflow conversion uint64 -> int64, Severity: HIGH
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/cmd/nodepool/core/create.go:271:22
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/support/supportedversion/version.go:61:21
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/test/e2e/util/options.go:302:33
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/test/e2e/util/options.go:300:33
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/hypershift-operator/controllers/nodepool/metrics/metrics.go:248:26
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/hypershift-operator/controllers/nodepool/aws.go:270:25
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/support/globalconfig/network.go:34:23
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/hypershift-operator/controllers/hostedclustersizing/hostedclustersizing_controller.go:422:22
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/hypershift-operator/controllers/hostedclustersizing/hostedclustersizing_controller.go:420:22
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/support/supportedversion/version.go:62:88
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/pkg/etcdcli/helpers.go:49:20
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/hypershift-operator/controllers/hostedclustersizing/hostedclustersizing_controller.go:404:22
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/test/e2e/util/util.go:2381:22
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/test/e2e/util/util.go:2273:50
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/test/e2e/util/util.go:2228:50
    • ... (truncated), run gosec locally to capture all failure for the rule G115
  2. G404: Use of weak random number generator (math/rand or math/rand/v2 instead of crypto/rand), Severity: HIGH
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/test/integration/framework/pki.go:59:50
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/test/integration/framework/pki.go:45:45
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/support/certs/rand.go:24:15
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/cmd/cluster/core/dump.go:174:15
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/cmd/cluster/core/dump.go:145:3
  3. G402: TLS MinVersion too low., Severity: HIGH
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/etcd-recovery/etcdrecovery.go:424-428:15
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/control-plane-operator/controllers/hostedcontrolplane/v2/oauth/idp_convert.go:690:21
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/control-plane-operator/controllers/hostedcontrolplane/oauth/idp_convert.go:690:21
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/support/util/util.go:247:25
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/hypershift-operator/controllers/hostedcluster/hostedcluster_controller.go:2054:24
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/availability-prober/availability_prober.go:117:53
  4. G109: Potential Integer overflow made by strconv.Atoi result conversion to int16/32, Severity: HIGH
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/hypershift-operator/controllers/scheduler/aws/autoscaler.go:872:17
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/hypershift-operator/controllers/scheduler/aws/autoscaler.go:871:19
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/hypershift-operator/controllers/scheduler/aws/autoscaler.go:869:17
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/hypershift-operator/controllers/scheduler/aws/autoscaler.go:868:19
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/hypershift-operator/controllers/nodepool/capi.go:396:30
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/hypershift-operator/controllers/nodepool/apiserver-haproxy/haproxy.go:217:9
  5. G401: Use of weak cryptographic primitive, Severity: MEDIUM
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/support/util/hash.go:9:27
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/support/certs/tls.go:505:27
  6. G501: Blocklisted import crypto/md5: weak cryptographic primitive, Severity: MEDIUM
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/support/util/hash.go:4:2
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/support/certs/tls.go:5:2

Please review these findings and fix the issues before merging.

@bulwark-spectrocloud bulwark-spectrocloud bot left a comment

⚠️ Syft license check scan found restrictive licenses:

  1. github.com/OpenPeeDeeP/depguard/v2
    Available Licenses:
    • GPL-3.0
    • GPL-3.0-or-later
  2. github.com/denis-tingaikin/go-header
    Available Licenses:
    • GPL-3.0
  3. github.com/firefart/nonamedreturns
    Available Licenses:
    • GPL-3.0
  4. github.com/golangci/plugin-module-register
    Available Licenses:
    • GPL-3.0
  5. github.com/leonklingele/grouper
    Available Licenses:
    • GPL-3.0
  6. github.com/xen0n/gosmopolitan
    Available Licenses:
    • GPL-3.0
    • GPL-3.0-or-later

Please review these findings and fix the issues before merging.

@bulwark-spectrocloud bulwark-spectrocloud bot left a comment

⚠️ GoVulnCheck scan found vulnerabilities:

  1. GO-2025-3595
    • Module: golang.org/x/net
    • Found in: v0.37.0
    • Fixed in: v0.38.0
    • Example Traces:
      1. cmd/infra/powervs/destroy.go:190:20: powervs.DestroyInfra calls powervs.deleteCOS, which eventually calls charset.fromHTML

Please review these findings and fix the issues before merging.

@bulwark-spectrocloud bulwark-spectrocloud bot left a comment

⚠️ GoSec scan found code issues:

  1. G115: integer overflow conversion uint64 -> int64, Severity: HIGH
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/cmd/nodepool/core/create.go:271:22
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/support/supportedversion/version.go:61:21
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/test/e2e/util/options.go:302:33
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/test/e2e/util/options.go:300:33
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/hypershift-operator/controllers/nodepool/metrics/metrics.go:248:26
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/hypershift-operator/controllers/nodepool/aws.go:270:25
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/support/globalconfig/network.go:34:23
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/hypershift-operator/controllers/hostedclustersizing/hostedclustersizing_controller.go:422:22
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/hypershift-operator/controllers/hostedclustersizing/hostedclustersizing_controller.go:420:22
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/support/supportedversion/version.go:62:88
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/pkg/etcdcli/helpers.go:49:20
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/hypershift-operator/controllers/hostedclustersizing/hostedclustersizing_controller.go:404:22
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/test/e2e/util/util.go:2381:22
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/test/e2e/util/util.go:2273:50
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/test/e2e/util/util.go:2228:50
    • ... (truncated), run gosec locally to capture all failure for the rule G115
  2. G404: Use of weak random number generator (math/rand or math/rand/v2 instead of crypto/rand), Severity: HIGH
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/test/integration/framework/pki.go:59:50
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/test/integration/framework/pki.go:45:45
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/support/certs/rand.go:24:15
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/cmd/cluster/core/dump.go:174:15
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/cmd/cluster/core/dump.go:145:3
  3. G402: TLS MinVersion too low., Severity: HIGH
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/etcd-recovery/etcdrecovery.go:424-428:15
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/control-plane-operator/controllers/hostedcontrolplane/v2/oauth/idp_convert.go:690:21
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/control-plane-operator/controllers/hostedcontrolplane/oauth/idp_convert.go:690:21
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/support/util/util.go:247:25
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/hypershift-operator/controllers/hostedcluster/hostedcluster_controller.go:2054:24
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/availability-prober/availability_prober.go:117:53
  4. G109: Potential Integer overflow made by strconv.Atoi result conversion to int16/32, Severity: HIGH
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/hypershift-operator/controllers/scheduler/aws/autoscaler.go:872:17
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/hypershift-operator/controllers/scheduler/aws/autoscaler.go:871:19
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/hypershift-operator/controllers/scheduler/aws/autoscaler.go:869:17
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/hypershift-operator/controllers/scheduler/aws/autoscaler.go:868:19
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/hypershift-operator/controllers/nodepool/capi.go:396:30
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/hypershift-operator/controllers/nodepool/apiserver-haproxy/haproxy.go:217:9
  5. G401: Use of weak cryptographic primitive, Severity: MEDIUM
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/support/util/hash.go:9:27
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/support/certs/tls.go:505:27
  6. G501: Blocklisted import crypto/md5: weak cryptographic primitive, Severity: MEDIUM
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/support/util/hash.go:4:2
      1. File: /home/runner/_work/bulwark/bulwark/target-repo/support/certs/tls.go:5:2

Please review these findings and fix the issues before merging.
