ci: updated megalinter to latest to stop trivy issue (#148)

.config/dotnet-tools.json

@@ -0,0 +1,10 @@
+{
+  "version": 1,
+  "isRoot": true,
+  "tools": {
+    "csharpier": {
+      "version": "0.25.0",
+      "commands": ["dotnet-csharpier"]
+    }
+  }
+}

.github/workflows/build.yaml

@@ -126,7 +126,8 @@ jobs:
       - build
     permissions:
       actions: read
-      id-token: write # for creating OIDC tokens for signing.
+      # for creating OIDC tokens for signing.
+      id-token: write
       packages: write # for uploading attestations.
     if: ${{ startsWith(github.ref, 'refs/tags/') }}
     uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]

.github/workflows/ci.yaml

@@ -19,7 +19,8 @@ jobs:
     permissions:
       actions: read
       contents: read
-      id-token: write # for creating OIDC tokens for signing.
+      # for creating OIDC tokens for signing.
+      id-token: write
       packages: write # for uploading container images, signatures, and attestations.
     strategy:
       matrix:
@@ -84,7 +85,8 @@ jobs:
     permissions:
       actions: read
       contents: write # for release notes
-      id-token: write # for creating OIDC tokens for signing.
+      # for creating OIDC tokens for signing.
+      id-token: write
       packages: write # for uploading container images, signatures, and attestations.
     needs:
       - k8s-test

.github/workflows/mega-linter.yml

@@ -4,9 +4,11 @@
 name: MegaLinter
 
 on:
+  # Trigger mega-linter at every push. Action will also be visible from Pull Requests to master
   pull_request:
-    branches:
-      - master
+    branches: [master]
+
+permissions: read-all
 
 env: # Comment env block if you do not want to apply fixes
   # Apply linter fixes configuration
@@ -18,28 +20,27 @@ concurrency:
   group: ${{ github.ref }}-${{ github.workflow }}
   cancel-in-progress: true
 
-permissions: read-all
-
 jobs:
   build:
     name: MegaLinter
     runs-on: ubuntu-22.04
     permissions:
+      contents: read
       pull-requests: write
     steps:
       # Git Checkout
       - name: Checkout Code
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
-          fetch-depth: 0
+          fetch-depth: 0 # If you use VALIDATE_ALL_CODEBASE = true, you can remove this line to improve performances
 
       # MegaLinter
       - name: MegaLinter
         id: ml
         # You can override MegaLinter flavor used to have faster performances
         # More info at https://oxsecurity.github.io/megalinter/flavors/
-        uses: oxsecurity/megalinter@93700f8c21c59ea784a32abe23896e49e54463b8 # v6.22.2
+        uses: oxsecurity/megalinter@a87b2872713c6bdde46d2473c5d7ed23e5752dc2 # v7.4.0
         env:
           # All available variables are described in documentation
           # https://oxsecurity.github.io/megalinter/configuration/
@@ -49,8 +50,8 @@ jobs:
 
       # Upload MegaLinter artifacts
       - name: Archive production artifacts
-        if: ${{ success() }} || ${{ failure() }}
-        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3
+        if: ${{ always() }}
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
         with:
           name: MegaLinter reports
           path: |

.github/workflows/release.yaml

@@ -170,7 +170,8 @@ jobs:
       - prepare-artifacts
     permissions:
       actions: read # To read the workflow path.
-      id-token: write # To sign the provenance.
+      # To sign the provenance.
+      id-token: write
       contents: write # To add assets to a release.
     # can't be referenced by digest. See <https://github.com/slsa-framework/slsa-github-generator#verification-of-provenance>
     uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]

.github/workflows/test-compose-installation.yaml

@@ -34,6 +34,13 @@ jobs:
           docker load --input /tmp/notify-build-artifacts/notify-image.tar
           docker image ls -a
 
+      - name: Delete downloaded artifacts
+        run: |
+          df -h
+          rm -rf /tmp/*-build-artifacts
+          rm -rf /tmp/*-attestations
+          df -h
+
       - name: Deploy using Docker Compose in staging mode
         run: |
           docker compose \

.github/workflows/test-k8s-installation.yaml

@@ -16,6 +16,15 @@ jobs:
     steps:
       - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
 
+      - name: downgrade helm
+        shell: bash
+        run: |
+          rm /usr/local/bin/helm
+          curl -fsSL https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 > /tmp/helm.sh
+          chmod +x /tmp/helm.sh
+          /tmp/helm.sh --version v3.12.3
+          helm version
+
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@4b4e9c3e2d4531116a6f8ba8e71fc6e2cb6e6c8c # v2.5.0
 

.kics.yaml

@@ -0,0 +1,6 @@
+exclude-paths:
+  - "tests/"
+  - "docs/"
+  - "src/hack"
+  - "charts/recruit/docs"
+  - "charts/recruit/values.yaml"

.mega-linter.yml

@@ -23,6 +23,7 @@ DISABLE_LINTERS:
   - YAML_V8R
   # seems to ignore yamllint config file entirely
   - YAML_YAMLLINT
+  - SPELL_LYCHEE
 
 SHOW_ELAPSED_TIME: true
 FILEIO_REPORTER: false
@@ -44,3 +45,11 @@ JAVA_CHECKSTYLE_CONFIG_FILE: src/config/checkstyle/checkstyle.xml
 REPOSITORY_TRIVY_ARGUMENTS:
   - "--severity=HIGH,CRITICAL"
   - "--ignore-unfixed"
+
+REPOSITORY_CHECKOV_ARGUMENTS:
+  - "--skip-path=tests/"
+
+REPOSITORY_KICS_ARGUMENTS:
+  - --fail-on=HIGH
+
+REPOSITORY_KICS_CONFIG_FILE: .kics.yaml

.polaris.yaml

@@ -18,6 +18,7 @@ checks:
   memoryLimitsMissing: ignore
 
   # security
+  # kics-scan ignore-line
   automountServiceAccountToken: ignore
   hostIPCSet: danger
   hostPIDSet: danger

charts/recruit/ci/kitchen-sink-values.yaml

@@ -73,6 +73,7 @@ query:
 postgresql:
   enabled: true
   auth:
+    # kics-scan ignore-line
     postgresPassword: recruit-notify-ha
   primary:
     service:
@@ -86,6 +87,7 @@ ohdsi:
       - host: recruit-ohdsi.127.0.0.1.nip.io
   postgresql:
     auth:
+      # kics-scan ignore-line
       postgresPassword: ohdsi
     primary:
       service:
@@ -132,6 +134,7 @@ fhirserver:
         paths: ["/"]
   postgresql:
     auth:
+      # kics-scan ignore-line
       postgresPassword: fhir
     primary:
       service:

charts/recruit/values-integrationtest.yaml

@@ -1,6 +1,7 @@
 fhirserver:
   postgresql:
     auth:
+      # kics-scan ignore-line
       postgresPassword: fhir
 
 query:
@@ -13,6 +14,7 @@ query:
     port: 5432
     database: postgres
     username: postgres
+    # kics-scan ignore-line
     password: mypass
     resultsSchema: demo_cdm_results
     cdmSchema: demo_cdm
@@ -47,6 +49,7 @@ notify:
 postgresql:
   enabled: true
   auth:
+    # kics-scan ignore-line
     postgresPassword: recruit-notify-ha
 
 ohdsi:
@@ -58,6 +61,7 @@ ohdsi:
       port: 5432
       database: "postgres"
       username: "postgres"
+      # kics-scan ignore-line
       password: "mypass"
       schema: "webapi"
     extraEnv:

charts/recruit/values-test.yaml

@@ -1,6 +1,7 @@
 ohdsi:
   postgresql:
     auth:
+      # kics-scan ignore-line
       postgresPassword: ohdsi
     primary:
       service:
@@ -17,6 +18,7 @@ ohdsi:
 fhirserver:
   postgresql:
     auth:
+      # kics-scan ignore-line
       postgresPassword: fhir
     primary:
       service:
@@ -73,6 +75,7 @@ notify:
 postgresql:
   enabled: true
   auth:
+    # kics-scan ignore-line
     postgresPassword: recruit-notify-ha
   primary:
     service:

docker-compose/docker-compose.staging.yaml

@@ -15,6 +15,7 @@ services:
     ports:
       - "127.0.0.1:80:80"
     volumes:
+      # kics-scan ignore-line
       - "/var/run/docker.sock:/var/run/docker.sock:ro"
     deploy:
       resources:
@@ -54,6 +55,7 @@ services:
       DATASOURCE_DRIVERCLASSNAME: org.postgresql.Driver
       DATASOURCE_URL: jdbc:postgresql://omopdb:5432/ohdsi
       DATASOURCE_USERNAME: postgres
+      # kics-scan ignore-line
       DATASOURCE_PASSWORD: postgres
       DATASOURCE_OHDSI_SCHEMA: ohdsi
       SPRING_JPA_PROPERTIES_HIBERNATE_DIALECT: org.hibernate.dialect.PostgreSQLDialect
@@ -62,6 +64,7 @@ services:
       FLYWAY_DATASOURCE_DRIVERCLASSNAME: org.postgresql.Driver
       FLYWAY_DATASOURCE_URL: jdbc:postgresql://omopdb:5432/ohdsi
       FLYWAY_DATASOURCE_USERNAME: postgres
+      # kics-scan ignore-line
       FLYWAY_DATASOURCE_PASSWORD: postgres
       FLYWAY_LOCATIONS: classpath:db/migration/postgresql
       FLYWAY_PLACEHOLDERS_OHDSISCHEMA: ohdsi
@@ -118,6 +121,7 @@ services:
     environment:
       SPRING_DATASOURCE_URL: "jdbc:postgresql://fhir-db:5432/fhir?currentSchema=public"
       SPRING_DATASOURCE_USERNAME: postgres
+      # kics-scan ignore-line
       SPRING_DATASOURCE_PASSWORD: postgres
       SPRING_DATASOURCE_DRIVERCLASSNAME: org.postgresql.Driver
       spring.jpa.properties.hibernate.dialect: ca.uhn.fhir.jpa.model.dialect.HapiFhirPostgres94Dialect
@@ -147,6 +151,7 @@ services:
       - "no-new-privileges:true"
     privileged: false
     environment:
+      # kics-scan ignore-line
       POSTGRES_PASSWORD: postgres
       POSTGRES_DB: fhir
 
@@ -191,6 +196,7 @@ services:
     privileged: false
     environment:
       KEYCLOAK_USER: admin
+      # kics-scan ignore-line
       KEYCLOAK_PASSWORD: admin
       KEYCLOAK_STATISTICS: "all"
     volumes:

docker-compose/docker-compose.yaml

@@ -45,6 +45,7 @@ services:
       FHIR_URL: ${FHIR_URL:?}
       OMOP_JDBCURL: ${OMOP_JDBCURL:?}
       OMOP_USERNAME: ${OMOP_USERNAME:?}
+      # kics-scan ignore-line
       OMOP_PASSWORD: ${OMOP_PASSWORD:?}
       OMOP_RESULTSSCHEMA: ${OMOP_RESULTSSCHEMA:?}
       OMOP_CDMSCHEMA: ${OMOP_CDMSCHEMA:?}
@@ -86,6 +87,7 @@ services:
       SPRING_MAIL_HOST: ${NOTIFY_MAIL_HOST:?}
       SPRING_MAIL_PORT: ${NOTIFY_MAIL_SMTP_PORT:?}
       SPRING_MAIL_USERNAME: ${NOTIFY_MAIL_USERNAME}
+      # kics-scan ignore-line
       SPRING_MAIL_PASSWORD: ${NOTIFY_MAIL_PASSWORD}
     volumes:
       - type: tmpfs

src/hack/docker-compose.yaml

@@ -15,6 +15,7 @@ services:
     ports:
       - "127.0.0.1:80:80"
     volumes:
+      # kics-scan ignore-line
       - "/var/run/docker.sock:/var/run/docker.sock:ro"
     deploy:
       resources:

src/list/frontend/deploy/docker-compose.dev.yml

@@ -43,6 +43,7 @@ services:
       - -Dkeycloak.migration.file=/tmp/realm.json
     environment:
       KEYCLOAK_USER: admin
+      # kics-scan ignore-line
       KEYCLOAK_PASSWORD: admin
     volumes:
       - ./data/aio-export.json:/tmp/realm.json

src/list/frontend/tests/e2e/docker-compose.yaml

@@ -64,6 +64,7 @@ services:
       - -Dkeycloak.migration.file=/tmp/realm.json
     environment:
       KEYCLOAK_USER: admin
+      # kics-scan ignore-line
       KEYCLOAK_PASSWORD: admin
     volumes:
       - ${PWD}/frontend/deploy/data/aio-export.json:/tmp/realm.json:ro

src/notify/src/main/resources/application-dev.yml

@@ -40,11 +40,13 @@ spring:
   datasource:
     url: "jdbc:postgresql://localhost:6432/recruit_notify_jobs?ApplicationName=recruit-notify"
     username: "postgres"
+    # kics-scan ignore-line
     password: "postgres" # pragma: allowlist secret
   mail:
     host: localhost
     port: 3025
     username: [email protected]
+    # kics-scan ignore-line
     password: ""
     properties:
       mail: