Merge pull request #1 from raft-tech/feature/initial-application

Initial application framework

.dockerignore

@@ -0,0 +1,6 @@
+*.iml
+
+/.github
+/.idea
+/bin
+/inspect

.github/ISSUE_TEMPLATE/BUG_REPORT.yml

@@ -0,0 +1,51 @@
+name: Report a Bug
+description: File a bug report
+title: "[Bug]: "
+labels: ["bug", "triage"]
+assignees:
+  - dagan
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thank you for helping us make Konfirm better! Your contributions make the community stronger. 💪
+  - type: textarea
+    id: description
+    attributes:
+      label: What went wrong?
+      description: What happened (or didn't happen)? What did you expect?
+    validations:
+      required: true
+  - type: input
+    id: inspections-version
+    attributes:
+      label: What version of Konfirm Inspections are you using?
+  - type: textarea
+    id: associated-systems
+    attributes:
+      label: Tell us about your environment.
+      description: Are you using Istio? What CSI and CNI are you using? etc.
+  - type: dropdown
+    id: kubernetes-version
+    attributes:
+      label: What version of Kubernetes are you using?
+      multiple: true
+      options:
+        - v1.31
+        - v1.30
+        - v1.29
+        - v1.28
+        - Other
+  - type: textarea
+    id: kubernetes-details
+    attributes:
+      label: Which Kubernetes distribution are you using?
+      description: Are you using EKS, AKS, GKE, RKE2, something else? If not a supported version, what version are you using?
+  - type: checkboxes
+    id: terms
+    attributes:
+      label: Code of Conduct
+      description: By submitting this issue, you agree to follow our [Code of Conduct](https://github.com/raft-tech/konfirm/blob/develop/CODE_OF_CONDUCT.md)
+      options:
+        - label: I agree to follow the Konfirm Code of Conduct
+          required: true

.github/ISSUE_TEMPLATE/FEATURE_REQUEST.yml

@@ -0,0 +1,26 @@
+name: Enhancement
+description: Request an enhancement or new feature
+title: "[Enhancement]: "
+labels: ["enhancement", "triage"]
+assignees:
+  - dagan
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thank you for helping us make Konfirm better! Your contributions make the community stronger. 💪
+  - type: textarea
+    id: description
+    attributes:
+      label: Describe the ask
+      description: What enhancement or new feature would you like to see?
+    validations:
+      required: true
+  - type: checkboxes
+    id: terms
+    attributes:
+      label: Code of Conduct
+      description: By submitting this issue, you agree to follow our [Code of Conduct](https://github.com/raft-tech/konfirm/blob/develop/CODE_OF_CONDUCT.md)
+      options:
+        - label: I agree to follow the Konfirm Code of Conduct
+          required: true

.github/dependabot.yml

@@ -0,0 +1,20 @@
+version: 2
+updates:
+  - package-ecosystem: "gomod"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    groups:
+      ginkgo:
+        patterns:
+          - github.com/onsi/ginkgo/v2
+          - github.com/onsi/gomega
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+  - package-ecosystem: "docker"
+    directories:
+      - "/"
+    schedule:
+      interval: "weekly"

.github/workflows/build.yml

@@ -0,0 +1,71 @@
+name: Build
+
+permissions: { }
+
+on:
+  push:
+    branches: ['develop']
+  pull_request:
+    branches: ['develop']
+    types:
+      - opened
+      - ready_for_review
+      - reopened
+      - synchronize
+    paths-ignore:
+      - '.github/**'
+      - 'charts/**'
+      - 'LICENSE'
+      - 'README.md'
+
+jobs:
+
+  Test:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - name: Set up Go
+        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+        with:
+          go-version: stable
+      - name: Install Dependencies
+        run: go mod download
+      - name: Test
+        run: make test
+
+  Build:
+    needs: ['Test']
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - name: Set up Go
+        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+        with:
+          go-version: stable
+      - name: Install Dependencies
+        run: go mod download
+      - name: Build
+        run: make image
+      - name: Scan with Trivy
+        uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # v0.24.0
+        with:
+          scan-type: 'image'
+          scanners: 'vuln'
+          image-ref: 'ghcr.io/raft-tech/konfirm/inspections:latest'
+          ignore-unfixed: 'true'
+          limit-severities-for-sarif: true
+          output: 'trivy-results.sarif'
+          format: 'sarif'
+          severity: 'MEDIUM,HIGH,CRITICAL'
+          vuln-type: 'os,library'
+      - name: Upload scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@4dd16135b69a43b6c8efb853346f8437d92d3c93 # v3.26.6
+        with:
+          sarif_file: 'trivy-results.sarif'

.github/workflows/docker-build.yml

@@ -0,0 +1,57 @@
+name: Docker Build
+
+permissions: {}
+
+on:
+  push:
+    branches: ['develop']
+  release:
+    types: ['published']
+
+env:
+  IMAGE_REGISTRY: ghcr.io/raft-tech/konfirm
+  IMAGE_NAME: inspections
+
+jobs:
+
+  Publish:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      attestations: write
+    outputs:
+      IMAGE_ID: ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.docker.outputs.digest }}
+    steps:
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf #v3.2.0
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db #v3.6.1
+      - name: Login to the Container Registry
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 #v3.3.0
+        with:
+          registry: ${{ env.IMAGE_REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Checkout
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - name: Extract metadata (tags, labels) for Docker
+        id: metadata
+        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 #v5.5.1
+        with:
+          images: ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=semver,pattern={{major}}
+            type=edge,branch=develop
+      - name: Build and push
+        id: docker
+        uses: docker/build-push-action/@5cd11c3a4ced054e52742c5fd54dca954e0edd85 #v6.7.0
+        with:
+          context: .
+          platforms: linux/amd64,linux/arm64
+          push: true
+          annotations: ${{ steps.metadata.outputs.annotations }}
+          labels: ${{ steps.metadata.outputs.labels }}
+          tags: ${{ steps.metadata.outputs.tags }}

.github/workflows/scorecard.yml

@@ -0,0 +1,45 @@
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
+name: Scorecard supply-chain security
+on:
+  workflow_dispatch:
+  # For Branch-Protection check. Only the default branch is supported. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+  # branch_protection_rule:
+  # To guarantee Maintained check is occasionally updated. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+  schedule:
+    - cron: '27 12 * * 1'
+  push:
+    branches: ["develop"]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      id-token: write
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          publish_results: true
+
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@4dd16135b69a43b6c8efb853346f8437d92d3c93 # v3.26.6
+        with:
+          sarif_file: results.sarif

.gitignore

@@ -0,0 +1,6 @@
+*.iml
+
+/.idea
+/bin
+/cover.out
+/inspect

Dockerfile

@@ -0,0 +1,16 @@
+FROM --platform=$BUILDPLATFORM golang:1.23.0@sha256:613a108a4a4b1dfb6923305db791a19d088f77632317cfc3446825c54fb862cd AS build
+ARG TARGETOS
+ARG TARGETARCH
+WORKDIR /go/src
+COPY go.mod go.sum ./
+RUN go mod download
+COPY . ./
+ARG GOOS=${TARGETOS}
+ARG GOARCH=${TARGETARCH}
+RUN make build
+
+FROM --platform=$BUILDPLATFORM registry.access.redhat.com/ubi9/ubi-micro:9.4-13@sha256:9dbba858e5c8821fbe1a36c376ba23b83ba00f100126f2073baa32df2c8e183a
+COPY --from=build --chown=0:0 /go/src/bin/ /usr/local/bin/
+COPY --from=build --chown=0:0 /go/src/inspect /usr/local/bin/
+USER 1001
+ENTRYPOINT ["/usr/local/bin/inspect"]