Merge branch 'master' into lbsfvt

Author: lucasarag

.github/workflows/build-cli.yml

@@ -210,6 +210,9 @@ jobs:
       # -------------------------------------------------------------------------------------------
       - name: Build the container image
         id: docker-build
+        env:
+          ARTIFACTORY_GENERIC_RELEASE_URL: ${{ secrets.ARTIFACTORY_GENERIC_RELEASE_URL }}
+          ARTIFACTORY_TOKEN: ${{ secrets.ARTIFACTORY_TOKEN }}
         run: |
           echo "GITHUB_REF=$GITHUB_REF"
           echo "GITHUB_EVENT_NAME=$GITHUB_EVENT_NAME"
@@ -287,6 +290,9 @@ jobs:
       # -------------------------------------------------------------------------------------------
       - name: Build the container image
         id: docker-build
+        env:
+          ARTIFACTORY_GENERIC_RELEASE_URL: ${{ secrets.ARTIFACTORY_GENERIC_RELEASE_URL }}
+          ARTIFACTORY_TOKEN: ${{ secrets.ARTIFACTORY_TOKEN }}
         run: |
           echo "GITHUB_REF=$GITHUB_REF"
           echo "GITHUB_EVENT_NAME=$GITHUB_EVENT_NAME"
@@ -295,7 +301,7 @@ jobs:
           docker login --username "${{ secrets.QUAYIO_USERNAME }}" --password "${{ secrets.QUAYIO_PASSWORD }}" quay.io
 
           # Build the images
-          $GITHUB_WORKSPACE/build/bin/docker-build.sh -r quay.io/ibmmas/cli --target-platform amd64 -b image/cli
+          $GITHUB_WORKSPACE/build/bin/docker-build.sh -r quay.io/ibmmas/cli --target-platform amd64 -b image/cli --scap-data-stream ssg-rhel9-ds
 
           # List available images
           docker images
@@ -363,6 +369,9 @@ jobs:
       # -------------------------------------------------------------------------------------------
       - name: Build the container image
         id: docker-build
+        env:
+          ARTIFACTORY_GENERIC_RELEASE_URL: ${{ secrets.ARTIFACTORY_GENERIC_RELEASE_URL }}
+          ARTIFACTORY_TOKEN: ${{ secrets.ARTIFACTORY_TOKEN }}
         run: |
           echo "GITHUB_REF=$GITHUB_REF"
           echo "GITHUB_EVENT_NAME=$GITHUB_EVENT_NAME"
@@ -439,6 +448,9 @@ jobs:
       # -------------------------------------------------------------------------------------------
       - name: Build the container image
         id: docker-build
+        env:
+          ARTIFACTORY_GENERIC_RELEASE_URL: ${{ secrets.ARTIFACTORY_GENERIC_RELEASE_URL }}
+          ARTIFACTORY_TOKEN: ${{ secrets.ARTIFACTORY_TOKEN }}
         run: |
           echo "GITHUB_REF=$GITHUB_REF"
           echo "GITHUB_EVENT_NAME=$GITHUB_EVENT_NAME"

.gitignore

@@ -57,3 +57,4 @@ python/README.rst
 /.venv
 /site
 report/
+/python/.venv

.pre-commit-config.yaml

@@ -14,3 +14,4 @@ repos:
     hooks:
       - id: detect-secrets
         args: [--baseline, .secrets.baseline, --use-all-plugins, --fail-on-unaudited]
+        additional_dependencies: [boxsdk<4]

.secrets.baseline

@@ -1,6 +1,6 @@
 {
   "exclude": {
-    "files": "^.secrets.baseline$",
+    "files": "build/bin/config/oscap/ssg-rhel9-ds.xml|^.secrets.baseline$",
     "lines": null
   },
   "generated_at": "2025-11-03T13:30:26Z",
@@ -212,7 +212,7 @@
         "hashed_secret": "b2817467154949a61f8e9ad31d1eeaf03221cbfa",
         "is_secret": true,
         "is_verified": false,
-        "line_number": 313,
+        "line_number": 312,
         "type": "Secret Keyword",
         "verified_result": null
       }
@@ -222,7 +222,7 @@
         "hashed_secret": "b2817467154949a61f8e9ad31d1eeaf03221cbfa",
         "is_secret": true,
         "is_verified": false,
-        "line_number": 338,
+        "line_number": 337,
         "type": "Secret Keyword",
         "verified_result": null
       }
@@ -242,7 +242,7 @@
         "hashed_secret": "b2817467154949a61f8e9ad31d1eeaf03221cbfa",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 455,
+        "line_number": 494,
         "type": "Secret Keyword",
         "verified_result": null
       }
@@ -252,7 +252,7 @@
         "hashed_secret": "2582aea6f911bd00fc04cb25e0ec16d5ead62068",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 154,
+        "line_number": 153,
         "type": "Secret Keyword",
         "verified_result": null
       }
@@ -262,7 +262,7 @@
         "hashed_secret": "1459943ba5fd876f7ef6e48f566a40b448a2bf08",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 481,
+        "line_number": 487,
         "type": "Secret Keyword",
         "verified_result": null
       }
@@ -292,7 +292,7 @@
         "hashed_secret": "2582aea6f911bd00fc04cb25e0ec16d5ead62068",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 178,
+        "line_number": 177,
         "type": "Secret Keyword",
         "verified_result": null
       }
@@ -312,7 +312,7 @@
         "hashed_secret": "2582aea6f911bd00fc04cb25e0ec16d5ead62068",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 233,
+        "line_number": 232,
         "type": "Secret Keyword",
         "verified_result": null
       }
@@ -362,15 +362,15 @@
         "hashed_secret": "effb7852555adce89885fb075fb43a77a1e0e77e",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 276,
+        "line_number": 275,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "2582aea6f911bd00fc04cb25e0ec16d5ead62068",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 283,
+        "line_number": 282,
         "type": "Secret Keyword",
         "verified_result": null
       }
@@ -390,23 +390,23 @@
         "hashed_secret": "b2817467154949a61f8e9ad31d1eeaf03221cbfa",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 636,
+        "line_number": 643,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "effb7852555adce89885fb075fb43a77a1e0e77e",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 805,
+        "line_number": 823,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "2582aea6f911bd00fc04cb25e0ec16d5ead62068",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 807,
+        "line_number": 825,
         "type": "Secret Keyword",
         "verified_result": null
       }
@@ -444,7 +444,7 @@
         "hashed_secret": "b2817467154949a61f8e9ad31d1eeaf03221cbfa",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 540,
+        "line_number": 545,
         "type": "Secret Keyword",
         "verified_result": null
       }
@@ -474,15 +474,15 @@
         "hashed_secret": "b2817467154949a61f8e9ad31d1eeaf03221cbfa",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 238,
+        "line_number": 243,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "fb3c6e4de85bd9eae26fdc63e75f10a7f39e850e",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 348,
+        "line_number": 356,
         "type": "Secret Keyword",
         "verified_result": null
       }
@@ -492,7 +492,7 @@
         "hashed_secret": "effb7852555adce89885fb075fb43a77a1e0e77e",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 725,
+        "line_number": 728,
         "type": "Secret Keyword",
         "verified_result": null
       }
@@ -502,7 +502,7 @@
         "hashed_secret": "2582aea6f911bd00fc04cb25e0ec16d5ead62068",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 336,
+        "line_number": 346,
         "type": "Secret Keyword",
         "verified_result": null
       }
@@ -512,7 +512,7 @@
         "hashed_secret": "e62334bcf07206e5aacba407fb29c1b85540d61f",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 215,
+        "line_number": 219,
         "type": "Secret Keyword",
         "verified_result": null
       }
@@ -567,6 +567,16 @@
         "verified_result": null
       }
     ],
+    "image/cli/mascli/templates/gitops/appset-configs/cluster/image-mirroring.yaml.j2": [
+      {
+        "hashed_secret": "fee2d55ad9a49a95fc89abe8f414dad66704ebfd",
+        "is_secret": false,
+        "is_verified": false,
+        "line_number": 7,
+        "type": "Secret Keyword",
+        "verified_result": null
+      }
+    ],
     "image/cli/mascli/templates/gitops/appset-configs/cluster/instance/configs/ibm-mas-jdbc-config.yaml.j2": [
       {
         "hashed_secret": "146abac680841f15b3e7b5259e1dfcdd9de49fdd",
@@ -760,7 +770,7 @@
         "hashed_secret": "d2e2ab0f407e4ee3cf2ab87d61c31b25a74085e5",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 27,
+        "line_number": 32,
         "type": "Secret Keyword",
         "verified_result": null
       }

build/bin/.env.sh

@@ -6,6 +6,11 @@
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 export PATH=$PATH:$DIR:$DIR/ptc
 
+CONFIG_DIR=$DIR/config
+# Use OSCAP tools to produce image hardening report for built images
+export OSCAP_ENABLED=${OSCAP_ENABLED:-true}
+export OSCAP_DIR=$GITHUB_WORKSPACE/.oscap
+
 # Version file (semver)
 export VERSION_FILE=${GITHUB_WORKSPACE}/.version
 if [ -f "$VERSION_FILE" ]; then

build/bin/.functions.sh

@@ -93,3 +93,8 @@ function artifactory_upload() {
   echo "Uploading $1 to $2"
   curl -H "Authorization:Bearer $ARTIFACTORY_TOKEN"  -H "X-Checksum-Md5: $md5Value" -H "X-Checksum-Sha1: $sha1Value" -T $1 $2 || exit 1
 }
+
+# install oscap tools
+function install_oscap() {
+  sudo apt-get install -y openscap-scanner
+}