CORENET-7277: Security ci/prow/security fails for PR openshift/cluster-network-operator#3017 which is to bump k8s to 1.36.1

[miheer]

Security  ci/prow/security fails for PR  openshift/cluster-network-operator#3017 which is to bump k8s to 1.36.1

This commit adds Snyk ignores/policy for vendored paths.

Summary by CodeRabbit

This changes the cluster-network-operator CI configuration in openshift/release to avoid Snyk scanning vendored dependencies during the security test.

What changed:

• In ci-operator/config/openshift/cluster-network-operator/openshift-cluster-network-operator-master.yaml the security test now sets:
  • SNYK_CODE_ADDITIONAL_ARGS: --severity-threshold=high
  • SNYK_PRE_EXECUTION_HOOK_CMD: rm -rf vendor
    The pre-execution hook removes the vendor directory before Snyk runs (effectively excluding vendored code from the scan).

Why:

• A Kubernetes dependency bump to 1.36.1 caused Snyk security checks to fail due to issues reported in vendored dependencies. Removing/excluding vendor files from Snyk analysis lets the security check focus on the operator's own code.

Impact:

• Low-risk, configuration-only change to CI in openshift/release that prevents false-positive or upstream-vendor Snyk failures for the cluster-network-operator security job without modifying operator source code.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: miheer
Once this PR has been reviewed and has the lgtm label, please assign kyrtapz for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• ci-operator/config/openshift/cluster-network-operator/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Walkthrough

The security job in the cluster-network-operator master CI config now sets SNYK_CODE_ADDITIONAL_ARGS=--severity-threshold=high and SNYK_PRE_EXECUTION_HOOK_CMD='rm -rf vendor' to remove the vendor directory before Snyk runs.

Changes

Snyk code scanning configuration

Layer / File(s)	Summary
Snyk env vars and pre-exec hook ci-operator/config/openshift/cluster-network-operator/openshift-cluster-network-operator-master.yaml	Adds SNYK_CODE_ADDITIONAL_ARGS: --severity-threshold=high and SNYK_PRE_EXECUTION_HOOK_CMD: rm -rf vendor to the security job environment.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 15

✅ Passed checks (15 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title references a specific Jira ticket (CORENET-7277) and mentions the security check failure, which aligns with the PR's core objective of fixing a failing security workflow. However, the title is somewhat verbose and includes additional context about the k8s version bump that is tangential to the actual change being made (configuration adjustments for Snyk scanning).
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	PR change is limited to CI config YAML setting SNYK env vars; scanning the file shows no Ginkgo test title calls (e.g., regex \bIt\( found 0).
Test Structure And Quality	✅ Passed	PR #80462 changes only ci-operator/config/openshift/cluster-network-operator/openshift-cluster-network-operator-master.yaml (Snyk env vars); no Ginkgo test code was modified, so the test-quality...
Microshift Test Compatibility	✅ Passed	PR #80462 changes only ci-operator/config/openshift/cluster-network-operator/openshift-cluster-network-operator-master.yaml; no new Ginkgo e2e tests were added to flag for MicroShift compatibility.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	This PR modifies only CI/Prow configuration (Snyk environment variables) and does not add any Ginkgo e2e tests; SNO compatibility check is not applicable.
Topology-Aware Scheduling Compatibility	✅ Passed	PR only modifies CI/Prow configuration for Snyk security scanning, not deployment manifests or operator code with scheduling constraints.
Ote Binary Stdout Contract	✅ Passed	The PR only updates a CI/security YAML config (snyk env vars) and does not modify any OTE binary entrypoint/setup code that could write non-JSON to stdout.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	PR #80462 changes only ci-operator security (SNYK_CODE_ADDITIONAL_ARGS) in a YAML file; no new Ginkgo e2e tests are added, so IPv6/disconnected test compatibility is not applicable.
No-Weak-Crypto	✅ Passed	PR only updates Snyk env (SNYK_CODE_ADDITIONAL_ARGS: --exclude=vendor); the YAML file contains no MD5/SHA1/DES/RC4/3DES/Blowfish/ECB strings.
Container-Privileges	✅ Passed	In the modified ci-operator config YAML, changes only add Snyk env vars (severity-threshold + rm -rf vendor); no container/K8s privilege fields like privileged/hostPID/hostIPC/allowPrivilegeEscalat...
No-Sensitive-Data-In-Logs	✅ Passed	PR adds only SNYK_CODE_ADDITIONAL_ARGS: --exclude=vendor in the security job env; no changes add passwords/tokens/PII or log such data.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[miheer]

/pj-rehearse pull-ci-openshift-cluster-network-operator-master-security

[openshift-merge-bot]

@miheer: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[openshift-ci-robot]

@miheer: This pull request references CORENET-7277 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Security  ci/prow/security fails for PR  openshift/cluster-network-operator#3017 which is to bump k8s to 1.36.1

This commit adds Snyk ignores/policy for vendored paths.

Summary by CodeRabbit

This PR fixes a failing Snyk security check in the cluster-network-operator's CI/CD pipeline by configuring the security scan to exclude the vendor directory.

What changed: The security test configuration for cluster-network-operator now includes SNYK_CODE_ADDITIONAL_ARGS: --exclude=vendor, which prevents Snyk code scanning from analyzing vendored dependencies during CI validation.

Why: A recent Kubernetes 1.36.1 dependency upgrade introduced security check failures. By excluding the vendor directory from Snyk analysis, the security scanning can focus on the project's own code rather than flagging issues in upstream vendored dependencies.

Impact: This is a low-risk configuration-only change that allows the cluster-network-operator's security check step to pass in the CI pipeline without requiring modifications to the operator's codebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-merge-bot]

[REHEARSALNOTIFIER]
@miheer: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

Test name	Repo	Type	Reason
pull-ci-openshift-cluster-network-operator-master-security	openshift/cluster-network-operator	presubmit	Ci-operator config changed

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

[miheer]

/pj-rehearse pull-ci-openshift-cluster-network-operator-master-security

[openshift-merge-bot]

@miheer: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@ci-operator/config/openshift/cluster-network-operator/openshift-cluster-network-operator-master.yaml`:
- Around line 456-457: The current CI config sets SNYK_PRE_EXECUTION_HOOK_CMD to
remove vendor and also injects SNYK_CODE_ADDITIONAL_ARGS:
--severity-threshold=high which suppresses medium/low findings globally; instead
remove the severity-threshold arg and wire a Snyk policy to ignore vendored
paths (create or update a .snyk policy and pass it into the Snyk invocation via
--policy-path=.snyk or use snyk ignore entries), leaving
SNYK_PRE_EXECUTION_HOOK_CMD either removing vendor or better yet keep vendor and
rely on the .snyk policy; update/replace SNYK_CODE_ADDITIONAL_ARGS accordingly
to avoid masking non-vendored findings.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 0f181cfe-fd4b-4dbc-81f9-398e2c2158b6

📥 Commits

Reviewing files that changed from the base of the PR and between 21c6952 and 2c8cd71.

📒 Files selected for processing (1)

• ci-operator/config/openshift/cluster-network-operator/openshift-cluster-network-operator-master.yaml

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

Does Snyk code test command support --exclude flag for excluding directories?

💡 Result:

The snyk code test command does not support the --exclude flag for excluding directories [1][2][3]. While the --exclude flag is available for other commands like snyk test (used for Open Source scanning) to ignore directories and files [4][5], it is not a recognized option for Snyk Code (SAST) scanning [1][2]. To exclude directories or files from a Snyk Code scan, you must use one of the following methods: 1. Use the snyk ignore --file-path=<directory_or_file> command: Running this command will automatically create or update a.snyk file in your repository to exclude the specified path from future snyk code test scans [6][3]. 2. Manually configure a.snyk file: You can manually create or edit a.snyk file in your repository to include the directories or files you wish to exclude from the scanning process [2][3].

Citations:

• 1: https://docs.snyk.io/developer-tools/snyk-cli/snyk-cli/commands/code-test
• 2: https://docs.snyk.io/developer-tools/snyk-cli/snyk-cli/scan-and-maintain-projects-using-the-cli/snyk-cli-for-snyk-code/scan-source-code-with-snyk-code-using-the-cli
• 3: https://docs.snyk.io/developer-tools/snyk-cli/snyk-cli/scan-and-maintain-projects-using-the-cli/snyk-cli-for-snyk-code/exclude-directories-and-files-from-snyk-code-cli-tests
• 4: https://docs.snyk.io/developer-tools/snyk-cli/snyk-cli/commands/test
• 5: https://github.com/snyk/user-docs/blob/main/docs/developer-tools/snyk-cli/commands/test.md
• 6: https://docs.snyk.io/developer-tools/snyk-cli/snyk-cli/commands/ignore

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE="ci-operator/config/openshift/cluster-network-operator/openshift-cluster-network-operator-master.yaml"

echo "=== YAML context around target lines ==="
# Print a safe window around 456-457 (approx); clamp by grep to show exact env keys too
nl -ba "$FILE" | sed -n '430,490p' | sed -n '/SNYK_CODE_ADDITIONAL_ARGS|SNYK_PRE_EXECUTION_HOOK_CMD/ p' -e '1,200p' || true
# Better: show full window
nl -ba "$FILE" | sed -n '440,475p'

echo "=== Full lines containing env vars (with some surrounding context) ==="
rg -n "SNYK_CODE_ADDITIONAL_ARGS|SNYK_PRE_EXECUTION_HOOK_CMD" "$FILE" -n
# Print 20 lines before/after each match
rg -n "SNYK_CODE_ADDITIONAL_ARGS" "$FILE" -n -C 15
rg -n "SNYK_PRE_EXECUTION_HOOK_CMD" "$FILE" -n -C 15

echo "=== Search where these env vars are consumed in the repo ==="
rg -n "SNYK_CODE_ADDITIONAL_ARGS" .
rg -n "SNYK_PRE_EXECUTION_HOOK_CMD" .
rg -n "severity-threshold=high" .

Repository: openshift/release

Length of output: 306

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE="ci-operator/config/openshift/cluster-network-operator/openshift-cluster-network-operator-master.yaml"

echo "=== YAML context around target lines (440-475) ==="
cat -n "$FILE" | sed -n '440,475p'

echo "=== Matching lines only ==="
rg -n "SNYK_CODE_ADDITIONAL_ARGS|SNYK_PRE_EXECUTION_HOOK_CMD" "$FILE"

echo "=== Where these env vars are consumed in the repo (limited to yaml/sh) ==="
rg -n --glob '*.{yaml,yml,sh}' "SNYK_CODE_ADDITIONAL_ARGS" .
rg -n --glob '*.{yaml,yml,sh}' "SNYK_PRE_EXECUTION_HOOK_CMD" .

echo "=== Any explicit snyk code test invocation with severity threshold ==="
rg -n --glob '*.{yaml,yml,sh}' "snyk( |-)code|snyk code|severity-threshold" .

Repository: openshift/release

Length of output: 50374

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Find where SNYK_PRE_EXECUTION_HOOK_CMD is consumed
echo "=== Where SNYK_PRE_EXECUTION_HOOK_CMD is consumed ==="
rg -n --glob '*.{yaml,yml,sh}' "SNYK_PRE_EXECUTION_HOOK_CMD" .

# Inspect the ci-tools logic around SNYK_CODE_ADDITIONAL_ARGS parsing
TOOLS_FILE="ci-operator/config/openshift/ci-tools/openshift-ci-tools-main.yaml"
echo "=== Inspect SNYK_CODE_ADDITIONAL_ARGS parsing in $TOOLS_FILE ==="
rg -n "SNYK_CODE_ADDITIONAL_ARGS" "$TOOLS_FILE"

echo "=== Show surrounding logic (around first match) ==="
# show a small window around the first match for readability
FIRST_LINE=$(rg -n "SNYK_CODE_ADDITIONAL_ARGS" "$TOOLS_FILE" | head -n1 | cut -d: -f1)
START=$((FIRST_LINE-80))
END=$((FIRST_LINE+120))
sed -n "${START},${END}p" "$TOOLS_FILE" | nl -ba | head -n 240

echo "=== Also search inside ci-tools for severity-threshold usage ==="
rg -n "severity-threshold" "$TOOLS_FILE"

Repository: openshift/release

Length of output: 2580

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# 1) Inspect the step-registry snyk scan script
STEP_SCRIPT="ci-operator/step-registry/openshift/ci-security/snyk/scan/openshift-ci-security-snyk-scan-commands.sh"
echo "=== Inspect $STEP_SCRIPT (snyk invocation + env var usage) ==="
rg -n "snyk( |-)code test|SNYK_CODE_ADDITIONAL_ARGS|severity-threshold|SNYK_PRE_EXECUTION_HOOK_CMD|eval \"\\$SNYK_PRE_EXECUTION_HOOK_CMD\"|cd " "$STEP_SCRIPT"
echo "=== Show around eval of pre-exec hook ==="
rg -n "eval \"\\$SNYK_PRE_EXECUTION_HOOK_CMD\"|SNYK_PRE_EXECUTION_HOOK_CMD" "$STEP_SCRIPT" -n -C 8
echo "=== Show around SNYK_CODE_ADDITIONAL_ARGS usage ==="
rg -n "SNYK_CODE_ADDITIONAL_ARGS" "$STEP_SCRIPT" -n -C 12

# 2) Inspect how ci-tools main uses SNYK_CODE_ADDITIONAL_ARGS and constructs params
TOOLS_FILE="ci-operator/config/openshift/ci-tools/openshift-ci-tools-main.yaml"
echo "=== Inspect $TOOLS_FILE around parsing SNYK_CODE_ADDITIONAL_ARGS ==="
rg -n "SNYK_CODE_ADDITIONAL_ARGS" "$TOOLS_FILE" -n | head -n 20
FIRST_LINE=$(rg -n "if \\[ \"\\$SNYK_CODE_ADDITIONAL_ARGS\" \\]; then" "$TOOLS_FILE" -n | head -n1 | cut -d: -f1 || true)
if [ -n "${FIRST_LINE}" ]; then
  START=$((FIRST_LINE-60))
  END=$((FIRST_LINE+160))
  sed -n "${START},${END}p" "$TOOLS_FILE"
fi

echo "=== Inspect snyk code test command construction in ci-tools ==="
rg -n "snyk( |-)code test" "$TOOLS_FILE" -n -C 5
rg -n "severity-threshold" "$TOOLS_FILE" -n -C 5

Repository: openshift/release

Length of output: 296

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

STEP_SCRIPT="ci-operator/step-registry/openshift/ci-security/snyk/scan/openshift-ci-security-snyk-scan-commands.sh"
TOOLS_FILE="ci-operator/config/openshift/ci-tools/openshift-ci-tools-main.yaml"

echo "=== STEP SCRIPT: $STEP_SCRIPT (line count) ==="
wc -l "$STEP_SCRIPT"

echo "=== STEP SCRIPT: matches ==="
rg -n "SNYK_PRE_EXECUTION_HOOK_CMD|SNYK_CODE_ADDITIONAL_ARGS|snyk( |-)code test|severity-threshold" "$STEP_SCRIPT" || true

echo "=== STEP SCRIPT: show windows around SNYK_PRE_EXECUTION_HOOK_CMD ==="
for line in $(rg -n "SNYK_PRE_EXECUTION_HOOK_CMD" "$STEP_SCRIPT" | head -n 5 | cut -d: -f1); do
  start=$((line-40)); [ $start -lt 1 ] && start=1
  end=$((line+60))
  echo "--- $STEP_SCRIPT:$line ---"
  sed -n "${start},${end}p" "$STEP_SCRIPT"
done

echo "=== STEP SCRIPT: show windows around SNYK_CODE_ADDITIONAL_ARGS ==="
for line in $(rg -n "SNYK_CODE_ADDITIONAL_ARGS" "$STEP_SCRIPT" | head -n 5 | cut -d: -f1); do
  start=$((line-40)); [ $start -lt 1 ] && start=1
  end=$((line+80))
  echo "--- $STEP_SCRIPT:$line ---"
  sed -n "${start},${end}p" "$STEP_SCRIPT"
done

echo "=== STEP SCRIPT: show windows around snyk code test ==="
for line in $(rg -n "snyk( |-)code test" "$STEP_SCRIPT" | head -n 5 | cut -d: -f1); do
  start=$((line-40)); [ $start -lt 1 ] && start=1
  end=$((line+80))
  echo "--- $STEP_SCRIPT:$line ---"
  sed -n "${start},${end}p" "$STEP_SCRIPT"
done

echo "=== TOOLS FILE: $TOOLS_FILE (line count) ==="
wc -l "$TOOLS_FILE"

echo "=== TOOLS FILE: matches for snyk code test/severity threshold/SNYK_CODE_ADDITIONAL_ARGS ==="
rg -n "SNYK_CODE_ADDITIONAL_ARGS|snyk( |-)code test|severity-threshold" "$TOOLS_FILE" || true

echo "=== TOOLS FILE: show around SNYK_CODE_ADDITIONAL_ARGS parsing ==="
for line in $(rg -n "SNYK_CODE_ADDITIONAL_ARGS" "$TOOLS_FILE" | head -n 10 | cut -d: -f1); do
  start=$((line-40)); [ $start -lt 1 ] && start=1
  end=$((line+120))
  echo "--- $TOOLS_FILE:$line ---"
  sed -n "${start},${end}p" "$TOOLS_FILE" | head -n 260
done

Repository: openshift/release

Length of output: 27192

---

Snyk severity-threshold change suppresses non-vendored findings (vendor removal doesn’t limit it)

• SNYK_PRE_EXECUTION_HOOK_CMD: rm -rf vendor runs before the code scan, but SNYK_CODE_ADDITIONAL_ARGS: --severity-threshold=high is injected into the same snyk code test invocation, so medium/low findings in the remaining (non-vendor) code are also suppressed.
• snyk code test doesn’t support --exclude; if the goal is to ignore vendored paths, use snyk ignore / a .snyk policy (and wire it in, e.g. via --policy-path=.snyk) instead of raising the global severity threshold.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/config/openshift/cluster-network-operator/openshift-cluster-network-operator-master.yaml`
around lines 456 - 457, The current CI config sets SNYK_PRE_EXECUTION_HOOK_CMD
to remove vendor and also injects SNYK_CODE_ADDITIONAL_ARGS:
--severity-threshold=high which suppresses medium/low findings globally; instead
remove the severity-threshold arg and wire a Snyk policy to ignore vendored
paths (create or update a .snyk policy and pass it into the Snyk invocation via
--policy-path=.snyk or use snyk ignore entries), leaving
SNYK_PRE_EXECUTION_HOOK_CMD either removing vendor or better yet keep vendor and
rely on the .snyk policy; update/replace SNYK_CODE_ADDITIONAL_ARGS accordingly
to avoid masking non-vendored findings.

[openshift-ci]

@miheer: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.