feat: update pipeline

.github/workflows/build.yaml

@@ -22,9 +22,9 @@ on:
       - LICENSE
       - NOTICE
 env:
-  KIND_VERSION: v0.17.0
-  KIND_IMAGE: kindest/node:v1.21.1@sha256:69860bda5563ac81e3c0057d654b5253219618a22ec3a346306239bba8cfa1a6
-  GO_VERSION: '1.22'
+  KIND_VERSION: v0.24.0
+  KIND_IMAGE: kindest/node:v1.31.0@sha256:53df588e04085fd41ae12de0c3fe4c72f7013bba32a20e7325357a1ac94ba865
+  GO_VERSION: '1.23'
 permissions: {}
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -45,12 +45,10 @@ jobs:
         with:
           aqua_version: v1.25.0
       - name: Verify Go code
-        uses: golangci/golangci-lint-action@v6.1.0
+        uses: golangci/golangci-lint-action@v6.1.1
         with:
           args: --verbose
-          version: v1.57.2
-          skip-pkg-cache: true
-          skip-build-cache: true
+          version: v1.61.0
       - name: Verify YAML code
         uses: ibiqlik/action-yamllint@v3
       - name: Vendor Go modules
@@ -207,46 +205,46 @@ jobs:
           chmod 700 get_helm.sh
 
           ./get_helm.sh
-      - name: Image scan mode producing vulnerability,misconfig and exposedsecrets
+      - name: Image scan mode producing vulnerability, misconfig, and exposedsecrets
           reports tests
         run: >
           kubectl create namespace e2e-test
 
           ./bin/kuttl test --start-kind=false --namespace e2e-test --config tests/e2e/config/image-mode.yaml
 
           ./tests/resources-cleanup.sh > /dev/null 2>&1
-      - name: Files System scan mode producing vulnerability,misconfig and exposedsecrets reports tests
+      - name: Files System scan mode producing vulnerability, misconfig, and exposedsecrets reports tests
         run: |
           kubectl create namespace e2e-test
 
           ./bin/kuttl test --start-kind=false --namespace e2e-test --config tests/e2e/config/fs-mode.yaml
 
           ./tests/resources-cleanup.sh > /dev/null 2>&1
-      - name: Client/server mode producing vulnerability,misconfig and exposedsecrets
+      - name: Client/server mode producing vulnerability, misconfig, and exposedsecrets
           reports tests
         run: >
           kubectl create namespace e2e-test
 
           ./bin/kuttl test --start-kind=false --namespace e2e-test --config tests/e2e/config/client-server.yaml
 
           ./tests/resources-cleanup.sh > /dev/null 2>&1
-      - name: Standalon mode with Sbom scanning
+      - name: Standalone mode with SBOM scanning
           reports tests
         run: >
           kubectl create namespace e2e-test
 
           ./bin/kuttl test --start-kind=false --namespace e2e-test --config tests/e2e/config/sbom-standalone.yaml
 
           ./tests/resources-cleanup.sh > /dev/null 2>&1
-      - name: Client/Server with Sbom scanning
+      - name: Client/Server with SBOM scanning
           reports tests
         run: >
           kubectl create namespace e2e-test
 
           ./bin/kuttl test --start-kind=false --namespace e2e-test --config tests/e2e/config/client-server-sbom.yaml
 
           ./tests/resources-cleanup.sh > /dev/null 2>&1
-      - name: file system with Sbom scanning
+      - name: file system with SBOM scanning
           reports tests
         run: >
           kubectl create namespace e2e-test

.github/workflows/chart-testing.yaml

@@ -14,7 +14,7 @@ on:
 env:
   KIND_VERSION: v0.17.0
   KIND_IMAGE: kindest/node:v1.21.1@sha256:69860bda5563ac81e3c0057d654b5253219618a22ec3a346306239bba8cfa1a6
-  GO_VERSION: '1.22'
+  GO_VERSION: '1.23'
 permissions: {}
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}

.github/workflows/private-registries.yaml

@@ -24,7 +24,7 @@ on:
 env:
   KIND_VERSION: v0.17.0
   KIND_IMAGE: kindest/node:v1.21.1@sha256:69860bda5563ac81e3c0057d654b5253219618a22ec3a346306239bba8cfa1a6
-  GO_VERSION: '1.22'
+  GO_VERSION: '1.23'
 permissions: {}
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}

.github/workflows/publish-helm-chart.yaml

@@ -19,8 +19,8 @@ jobs:
     # this job will only run if the PR has been merged
     if: github.event.client_payload.action == 'chart-release' || github.event.client_payload.action == 'chart-and-app-release'
     permissions:
-      contents: write  # for peter-evans/repository-dispatch to create a repository dispatch event
-      packages: write  # to push OCI chart package to GitHub Registry
+      contents: write # for peter-evans/repository-dispatch to create a repository dispatch event
+      packages: write # to push OCI chart package to GitHub Registry
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -74,7 +74,6 @@ jobs:
           user_email: aqua-bot@users.noreply.github.com
           user_name: "aqua-bot"
 
-        # OCI registry as helm repository (helm 3.8+)
       - name: Login to GHCR
         uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
         with:

.github/workflows/release-snapshot.yaml

@@ -8,7 +8,7 @@ on:
     - cron: "0 0 * * *"
 
 env:
-  GO_VERSION: '1.22'
+  GO_VERSION: '1.23'
 
 # Disable permissions granted to the GITHUB_TOKEN for all the available scopes.
 permissions: {}
@@ -36,7 +36,7 @@ jobs:
         with:
           go-version: ${{ env.GO_VERSION }}
       - name: Install cosign
-        uses: sigstore/cosign-installer@v3.6.0
+        uses: sigstore/cosign-installer@v3.7.0
       - name: Release snapshot
         uses: goreleaser/goreleaser-action@v6
         with:

.github/workflows/release.yaml

@@ -12,7 +12,7 @@ on:
 env:
   KIND_VERSION: v0.17.0
   KIND_IMAGE: kindest/node:v1.21.1@sha256:69860bda5563ac81e3c0057d654b5253219618a22ec3a346306239bba8cfa1a6
-  GO_VERSION: '1.22'
+  GO_VERSION: '1.23'
 jobs:
   tests:
     name: Run tests
@@ -95,7 +95,7 @@ jobs:
         with:
           go-version: ${{ env.GO_VERSION }}
       - name: Install cosign
-        uses: sigstore/cosign-installer@v3.6.0
+        uses: sigstore/cosign-installer@v3.7.0
       - name: Login to docker.io registry
         uses: docker/login-action@v3.3.0
         with:

.golangci.yml

@@ -1,14 +1,16 @@
 linters:
-  disable:
-    - structcheck # FIXME: Currently doesn't work on Go 1.18: https://github.com/golangci/golangci-lint/issues/2649
   enable:
     - errorlint
     - gocritic
     - gosec
-    # - unparam FIXME: Currently doesn't work on Go 1.18: https://github.com/golangci/golangci-lint/issues/2649
+    - misspell
 linters-settings:
   gocritic:
     enabled-checks:
       - importShadow
+  misspell:
+    locale: US
+    ignore-words:
+      - "importas" # linter name
 run:
   timeout: 5m

deploy/helm/README.md

@@ -124,7 +124,7 @@ Keeps security report resources updated
 | targetNamespaces | string | `""` | targetNamespace defines where you want trivy-operator to operate. By default, it's a blank string to select all namespaces, but you can specify another namespace, or a comma separated list of namespaces. |
 | targetWorkloads | string | `"pod,replicaset,replicationcontroller,statefulset,daemonset,cronjob,job"` | targetWorkloads is a comma seperated list of Kubernetes workload resources to be included in the vulnerability and config-audit scans if left blank, all workload resources will be scanned |
 | tolerations | list | `[]` | tolerations set the operator tolerations |
-| trivy.additionalVulnerabilityReportFields | string | `""` | additionalVulnerabilityReportFields is a comma separated list of additional fields which can be added to the VulnerabilityReport. Supported parameters: Description, Links, CVSS, Target, Class, PackagePath and PackageType |
+| trivy.additionalVulnerabilityReportFields | string | `""` | additionalVulnerabilityReportFields is a comma separated list of additional fields which can be added to the VulnerabilityReport. Supported parameters: Description, Links, CVSS, Target, Class, PackagePath, PackageType, SeveritySource, and DataSource |
 | trivy.clientServerSkipUpdate | bool | `false` | clientServerSkipUpdate is the flag to enable skip databases update for Trivy client. Only applicable in ClientServer mode. |
 | trivy.command | string | `"image"` | command. One of `image`, `filesystem` or `rootfs` scanning, depending on the target type required for the scan. For 'filesystem' and `rootfs` scanning, ensure that the `trivyOperator.scanJobPodTemplateContainerSecurityContext` is configured to run as the root user (runAsUser = 0). |
 | trivy.createConfig | bool | `true` | createConfig indicates whether to create config objects |
@@ -159,7 +159,7 @@ Keeps security report resources updated
 | trivy.podLabels | object | `{}` | podLabels is the extra pod labels to be used for trivy server |
 | trivy.priorityClassName | string | `""` | priorityClassName is the name of the priority class used for trivy server |
 | trivy.registry | object | `{"mirror":{}}` | Mirrored registries. There can be multiple registries with different keys. Make sure to quote registries containing dots |
-| trivy.resources | object | `{"limits":{"cpu":"500m","memory":"500M"},"requests":{"cpu":"100m","memory":"100M"}}` | resources resource requests and limits for scan job containers |
+| trivy.resources | object | `{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"100m","memory":"100Mi"}}` | resources resource requests and limits for scan job containers |
 | trivy.sbomSources | string | `""` | sbomSources trivy will try to retrieve SBOM from the specified sources (oci,rekor) |
 | trivy.server.podSecurityContext | object | `{"fsGroup":65534,"runAsNonRoot":true,"runAsUser":65534}` | podSecurityContext set trivy-server podSecurityContext |
 | trivy.server.replicas | int | `1` | the number of replicas of the trivy-server |

deploy/helm/crds/aquasecurity.github.io_clustervulnerabilityreports.yaml

@@ -212,6 +212,18 @@ spec:
                       type: object
                     cvsssource:
                       type: string
+                    dataSource:
+                      description: DataSource represents the source of vulnerability
+                        data.
+                      properties:
+                        id:
+                          description: SourceID represents data source such as NVD.
+                          type: string
+                        name:
+                          type: string
+                        url:
+                          type: string
+                      type: object
                     description:
                       type: string
                     fixedVersion:
@@ -255,6 +267,9 @@ spec:
                       - LOW
                       - UNKNOWN
                       type: string
+                    severitySource:
+                      description: SourceID represents data source such as NVD.
+                      type: string
                     target:
                       type: string
                     title:

deploy/helm/crds/aquasecurity.github.io_vulnerabilityreports.yaml

@@ -213,6 +213,18 @@ spec:
                       type: object
                     cvsssource:
                       type: string
+                    dataSource:
+                      description: DataSource represents the source of vulnerability
+                        data.
+                      properties:
+                        id:
+                          description: SourceID represents data source such as NVD.
+                          type: string
+                        name:
+                          type: string
+                        url:
+                          type: string
+                      type: object
                     description:
                       type: string
                     fixedVersion:
@@ -256,6 +268,9 @@ spec:
                       - LOW
                       - UNKNOWN
                       type: string
+                    severitySource:
+                      description: SourceID represents data source such as NVD.
+                      type: string
                     target:
                       type: string
                     title:

deploy/helm/values.yaml

@@ -378,7 +378,7 @@ trivy:
   priorityClassName: ""
 
   # -- additionalVulnerabilityReportFields is a comma separated list of additional fields which
-  # can be added to the VulnerabilityReport. Supported parameters: Description, Links, CVSS, Target, Class, PackagePath and PackageType
+  # can be added to the VulnerabilityReport. Supported parameters: Description, Links, CVSS, Target, Class, PackagePath, PackageType, SeveritySource, and DataSource
   additionalVulnerabilityReportFields: ""
 
   # -- httpProxy is the HTTP proxy used by Trivy to download the vulnerabilities database from GitHub.
@@ -472,11 +472,11 @@ trivy:
   resources:
     requests:
       cpu: 100m
-      memory: 100M
+      memory: 100Mi
       # ephemeralStorage: "2Gi"
     limits:
       cpu: 500m
-      memory: 500M
+      memory: 500Mi
       # ephemeralStorage: "2Gi"
 
   # -- githubToken is the GitHub access token used by Trivy to download the vulnerabilities

deploy/static/trivy-operator.yaml

@@ -1419,6 +1419,18 @@ spec:
                       type: object
                     cvsssource:
                       type: string
+                    dataSource:
+                      description: DataSource represents the source of vulnerability
+                        data.
+                      properties:
+                        id:
+                          description: SourceID represents data source such as NVD.
+                          type: string
+                        name:
+                          type: string
+                        url:
+                          type: string
+                      type: object
                     description:
                       type: string
                     fixedVersion:
@@ -1462,6 +1474,9 @@ spec:
                       - LOW
                       - UNKNOWN
                       type: string
+                    severitySource:
+                      description: SourceID represents data source such as NVD.
+                      type: string
                     target:
                       type: string
                     title:
@@ -2853,6 +2868,18 @@ spec:
                       type: object
                     cvsssource:
                       type: string
+                    dataSource:
+                      description: DataSource represents the source of vulnerability
+                        data.
+                      properties:
+                        id:
+                          description: SourceID represents data source such as NVD.
+                          type: string
+                        name:
+                          type: string
+                        url:
+                          type: string
+                      type: object
                     description:
                       type: string
                     fixedVersion:
@@ -2896,6 +2923,9 @@ spec:
                       - LOW
                       - UNKNOWN
                       type: string
+                    severitySource:
+                      description: SourceID represents data source such as NVD.
+                      type: string
                     target:
                       type: string
                     title:
@@ -3053,9 +3083,9 @@ data:
   trivy.timeout: "5m0s"
   trivy.mode: "Standalone"
   trivy.resources.requests.cpu: "100m"
-  trivy.resources.requests.memory: "100M"
+  trivy.resources.requests.memory: "100Mi"
   trivy.resources.limits.cpu: "500m"
-  trivy.resources.limits.memory: "500M"
+  trivy.resources.limits.memory: "500Mi"
 ---
 # Source: trivy-operator/templates/secrets/operator.yaml
 apiVersion: v1