villebro opened a new pull request, #121:
URL: https://github.com/apache/superset-kubernetes-operator/pull/121

   ## Summary
   
   Adds supply-chain and release tooling: Go dependency and container image 
vulnerability scanning, an OpenSSF Scorecard workflow, a Helm values JSON 
schema, Artifact Hub chart metadata, and full-length commit-SHA image tags.
   
   ## Details
   
   - **govulncheck:** new `make govulncheck` target (pinned `v1.3.0` via the 
existing `go-install-tool` pattern), run in the CI `lint` job — scans Go 
dependencies and the standard library for reachable CVEs.
   - **Trivy image scan:** the CI `docker` job scans the built image with 
`lhotari/sandboxed-trivy-action` (ASF-allowlisted), `HIGH,CRITICAL`, `vuln` 
scanner, and uploads SARIF to code scanning on pushes to `main`.
   - **OpenSSF Scorecard:** new `scorecard.yml` workflow (scheduled + 
`branch_protection_rule` + push to `main`) that publishes results and uploads 
SARIF; README badge added.
   - **Helm values schema:** `charts/superset-operator/values.schema.json` 
validates chart values at lint/install time (typed fields, `watch.scope` and 
`image.pullPolicy` enums, unknown keys rejected); excluded from Apache RAT.
   - **Artifact Hub metadata:** `Chart.yaml` gains an `icon` and 
`artifacthub.io/{license,operator,links}` annotations.
   - **Image tags:** release images are tagged with the full commit SHA 
(`sha-<40-char>`) on every build (main and release tags), replacing the short, 
main-only SHA tag.
   - **Docs:** the `security.md` supply-chain section documents the scanning 
and Scorecard.
   
   Tooling was chosen to avoid overlap: CodeQL (Go SAST), govulncheck (Go 
source CVEs), Trivy (image CVEs), BuildKit (SBOM/provenance), Renovate 
(updates), and Apache RAT (license headers) — no duplicate scanners were added.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

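The Helm values schema item above says chart values are typed, two fields are constrained to enums, and unknown keys are rejected. The block below is an added example, not the PR's `charts/superset-operator/values.schema.json`: it builds a schema of that shape (the `watch.scope` enum values `cluster`/`namespace` are an assumption, since the page does not list the real ones; `image.pullPolicy` uses the standard Kubernetes values) and runs a small validator over two constructed values documents to show what a schema of this kind catches, including the common silent failure of a mistyped key. Helm itself validates `values.yaml` against `values.schema.json` with a full JSON Schema implementation during `helm lint` and `helm install`; the checker here covers only the subset of keywords the example schema uses.

```python
"""Added example: a values.schema.json of the kind the PR describes, plus a
small checker for the keywords it uses (type, enum, required, properties,
additionalProperties, minimum, items). Not the project's own schema or code."""
import json

# Assumed schema shape; the real chart schema is not reproduced on the page.
VALUES_SCHEMA = {
    "$schema": "https://json-schema.org/draft-07/schema#",
    "type": "object",
    "additionalProperties": False,          # unknown top-level keys are rejected
    "required": ["image", "watch"],
    "properties": {
        "image": {
            "type": "object",
            "additionalProperties": False,
            "properties": {
                "repository": {"type": "string"},
                "tag": {"type": "string"},
                # Real Kubernetes pullPolicy values.
                "pullPolicy": {"type": "string",
                               "enum": ["Always", "IfNotPresent", "Never"]},
            },
        },
        "watch": {
            "type": "object",
            "additionalProperties": False,
            "properties": {
                # Hypothetical enum values; the chart's real ones are not shown.
                "scope": {"type": "string", "enum": ["cluster", "namespace"]},
                "namespaces": {"type": "array", "items": {"type": "string"}},
            },
        },
        "replicaCount": {"type": "integer", "minimum": 1},
    },
}

_TYPES = {"object": dict, "array": list, "string": str,
          "integer": int, "boolean": bool}


def validate(value, schema, path="$"):
    """Return a list of error strings; an empty list means the value conforms."""
    errors = []
    t = schema.get("type")
    if t is not None:
        # bool is a subclass of int in Python; do not accept true/false as integers
        ok = isinstance(value, _TYPES[t]) and not (t == "integer" and isinstance(value, bool))
        if not ok:
            return [f"{path}: expected {t}, got {type(value).__name__}"]
    if "enum" in schema and value not in schema["enum"]:
        errors.append(f"{path}: {value!r} not one of {schema['enum']}")
    if "minimum" in schema and value < schema["minimum"]:
        errors.append(f"{path}: {value} is below minimum {schema['minimum']}")
    if isinstance(value, dict):
        props = schema.get("properties", {})
        for key in schema.get("required", []):
            if key not in value:
                errors.append(f"{path}.{key}: required key missing")
        for key, sub in value.items():
            if key in props:
                errors.extend(validate(sub, props[key], f"{path}.{key}"))
            elif schema.get("additionalProperties", True) is False:
                errors.append(f"{path}.{key}: unknown key (not in schema)")
    if isinstance(value, list) and "items" in schema:
        for i, item in enumerate(value):
            errors.extend(validate(item, schema["items"], f"{path}[{i}]"))
    return errors


# Constructed sample values (what a values.yaml would deserialise to).
GOOD_VALUES = {
    "image": {"repository": "example/superset-operator",
              "tag": "sha-" + "0" * 40, "pullPolicy": "IfNotPresent"},
    "watch": {"scope": "namespace", "namespaces": ["superset"]},
    "replicaCount": 1,
}

# Four mistakes a schema-less chart would accept silently: wrong enum case,
# a mistyped key at the wrong level, an invalid scope, and a zero replica count.
BAD_VALUES = {
    "image": {"repository": "example/superset-operator", "pullPolicy": "ifnotpresent"},
    "imagePullPolicy": "Always",
    "watch": {"scope": "all"},
    "replicaCount": 0,
}


def check_values(values):
    """Validate one values document against VALUES_SCHEMA."""
    return validate(values, VALUES_SCHEMA)


if __name__ == "__main__":
    print(json.dumps(VALUES_SCHEMA, indent=2))   # what values.schema.json would contain
    print("good:", check_values(GOOD_VALUES) or "ok")
    for err in check_values(BAD_VALUES):
        print("bad:", err)
```

The `imagePullPolicy` case is the one worth noticing: without `additionalProperties: false`, a key typed at the wrong level is simply ignored and the operator ships with the default pull policy, which is exactly the kind of silent drift a values schema exists to stop.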