chore(deps): updated megalinter to latest to fix trivy

.config/dotnet-tools.json

@@ -4,15 +4,11 @@
   "tools": {
     "dotnet-outdated-tool": {
       "version": "4.5.3",
-      "commands": [
-        "dotnet-outdated"
-      ]
+      "commands": ["dotnet-outdated"]
     },
     "csharpier": {
       "version": "0.25.0",
-      "commands": [
-        "dotnet-csharpier"
-      ]
+      "commands": ["dotnet-csharpier"]
     }
   }
-}
+}

.github/workflows/ci.yaml

@@ -288,7 +288,7 @@ jobs:
       - name: Checkout
         uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
 
-      - uses: iter8-tools/iter8@bf13530586a447220caccf71fae506350b47fd75 # v0.18.4
+      - uses: iter8-tools/iter8@9b867240dcaa77858d2458f52a3845e47ea2c657 # v0.13.17
 
       - name: Create KinD cluster
         uses: helm/kind-action@dda0770415bac9fc20092cacbc54aa298604d140 # v1.8.0
@@ -419,7 +419,7 @@ jobs:
       - test-api-container
     permissions:
       actions: read # for detecting the Github Actions environment.
-      id-token: write # for creating OIDC tokens for signing.
+      id-token: write
       packages: write # for uploading attestations.
     uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
     with:

.github/workflows/mega-linter.yml

@@ -6,9 +6,8 @@ name: MegaLinter
 on:
   # Trigger mega-linter at every push. Action will also be visible from Pull Requests to master
   pull_request:
-    branches: [master, main]
+    branches: [master]
 
-# Declare default permissions as read only.
 permissions: read-all
 
 env: # Comment env block if you do not want to apply fixes
@@ -31,27 +30,28 @@ jobs:
     steps:
       # Git Checkout
       - name: Checkout Code
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
         with:
+          token: ${{ secrets.GITHUB_TOKEN }}
           fetch-depth: 0 # If you use VALIDATE_ALL_CODEBASE = true, you can remove this line to improve performances
 
       # MegaLinter
       - name: MegaLinter
         id: ml
         # You can override MegaLinter flavor used to have faster performances
         # More info at https://oxsecurity.github.io/megalinter/flavors/
-        uses: oxsecurity/megalinter@93700f8c21c59ea784a32abe23896e49e54463b8 # v6.22.2
+        uses: oxsecurity/megalinter@a87b2872713c6bdde46d2473c5d7ed23e5752dc2 # v7.4.0
         env:
           # All available variables are described in documentation
           # https://oxsecurity.github.io/megalinter/configuration/
-          VALIDATE_ALL_CODEBASE: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }}
+          VALIDATE_ALL_CODEBASE: "true"
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           # ADD YOUR CUSTOM ENV VARIABLES HERE TO OVERRIDE VALUES OF .mega-linter.yml AT THE ROOT OF YOUR REPOSITORY
 
       # Upload MegaLinter artifacts
       - name: Archive production artifacts
-        if: ${{ success() }} || ${{ failure() }}
-        uses: actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2 # tag=v2
+        if: ${{ always() }}
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
         with:
           name: MegaLinter reports
           path: |

.kics.yaml

@@ -0,0 +1,3 @@
+exclude-paths:
+  - "tests/"
+  - "src/Vfps/Protos/vfps/api/v1/*.proto"

.markdownlintignore

@@ -0,0 +1 @@
+CHANGELOG.md

.mega-linter.yml

@@ -10,10 +10,26 @@ DISABLE:
 
 DISABLE_LINTERS:
   - REPOSITORY_DEVSKIM
+  - SPELL_LYCHEE
 
 SHOW_ELAPSED_TIME: true
 FILEIO_REPORTER: false
 # DISABLE_ERRORS: true # Uncomment if you want MegaLinter to detect errors but not block CI to pass
 
 REPOSITORY_TRIVY_ARGUMENTS:
-  - "--severity='HIGH,CRITICAL'"
+  - "--severity=MEDIUM,HIGH,CRITICAL"
+
+REPOSITORY_CHECKOV_ARGUMENTS:
+  - "--skip-path=tests/"
+
+IGNORE_GITIGNORED_FILES: true
+
+REPOSITORY_KICS_ARGUMENTS:
+  - --fail-on=HIGH
+
+REPOSITORY_KICS_CONFIG_FILE: .kics.yaml
+
+MARKDOWN_MARKDOWN_TABLE_FORMATTER_ARGUMENTS:
+  - -p 0
+
+REPOSITORY_TRIVY_CONFIG_FILE: .trivy.yaml

.trivy.yaml

@@ -0,0 +1,3 @@
+scan:
+  skip-dirs:
+    - tests/

.trivyignore

@@ -1,3 +1,8 @@
 # iter8 requires access to secrets
+
 AVD-KSV-0041
 KSV041
+
+# OK, already covered by hadolint
+
+AVD-DS-0002

Dockerfile

@@ -1,4 +1,6 @@
 # syntax=docker/dockerfile:1.4
+# kics false positive "Missing User Instruction": <https://docs.kics.io/latest/queries/dockerfile-queries/fd54f200-402c-4333-a5a4-36ef6709af2f/>
+# kics-scan ignore-line
 FROM mcr.microsoft.com/dotnet/nightly/aspnet:7.0.11-jammy-chiseled@sha256:8b2a9b9a8d3c424a368aa347f333d4653e9ed6eb78c9af70e450b5cc514bf3b8 AS runtime
 WORKDIR /opt/vfps
 EXPOSE 8080/tcp 8081/tcp 8082/tcp
@@ -74,6 +76,7 @@ COPY tests/chaos/chaos.yaml /tmp/
 COPY --from=build-stress-test /build/publish .
 # currently running into <https://github.com/dotnet/runtime/issues/80619>
 # when running as non-root.
+
 # hadolint ignore=DL3002
 USER 0:0
 ENTRYPOINT ["dotnet"]

README.md

@@ -58,21 +58,21 @@ See <https://github.com/miracum/charts/tree/master/charts/vfps> for a production
 
 Available configuration options which can be set as environment variables:
 
-| Variable                                           | Type         | Default             | Description                                                                                                                                                     |
-| -------------------------------------------------- | ------------ | ------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `ConnectionStrings__PostgreSQL`                    | `string`     | `""`                | Connection string to the PostgreSQL database. See <https://www.npgsql.org/doc/connection-string-parameters.html> for options.                                   |
-| `ForceRunDatabaseMigrations`                       | `bool`       | `false`             | Run database migrations as part of the startup. Only recommended when a single replica of the application is used.                                              |
-| `Tracing__IsEnabled`                               | `bool`       | `false`             | Enable distributed tracing support.                                                                                                                             |
-| `Tracing__Exporter`                                | `string`     | `"jaeger"`          | The tracing export format. One of `jaeger`, `otlp`.                                                                                                             |
-| `Tracing__ServiceName`                             | `string`     | `"vfps"`            | Tracing service name.                                                                                                                                           |
-| `Tracing__RootSampler`                             | `string`     | `"AlwaysOnSampler"` | Tracing parent root sampler. One of `AlwaysOnSampler`, `AlwaysOffSampler`, `TraceIdRatioBasedSampler`                                                           |
-| `Tracing__SamplingProbability`                     | `double`     | `0.1`               | Sampling probability to use if `Tracing__RootSampler` is set to `TraceIdRatioBasedSampler`.                                                                     |
-| `Tracing__Jaeger`                                  | `object`     | `{}`                | Jaeger exporter options. See <https://github.com/open-telemetry/opentelemetry-dotnet/blob/main/src/OpenTelemetry.Exporter.Jaeger/README.md#options-properties>. |
-| `Tracing__Otlp__Endpoint`                          | `string`     | `""`                | The OTLP gRPC Endpoint URL.                                                                                                                                     |
-| `Pseudonymization__Caching__Namespaces__IsEnabled` | `bool`       | `false`             | Set to `true` to enable namespace caching.                                                                                                                      |
-| `Pseudonymization__Caching__Pseudonyms__IsEnabled` | `bool`       | `false`             | Set to `true` to enable pseudonym caching.                                                                                                                      |
-| `Pseudonymization__Caching__SizeLimit`             | `int`        | `65534`             | Maximum number of entries in the cache. The cache is shared between the pseudonyms and namespaces.                                                              |
-| `Pseudonymization__Caching__AbsoluteExpiration`    | `D.HH:mm:nn` | `0.01:00:00`        | Time after which a cache entry expires.                                                                                                                         |
+| Variable                                           | Type         | Default             | Description                                                                                                                   |
+| -------------------------------------------------- | ------------ | ------------------- | ----------------------------------------------------------------------------------------------------------------------------- |
+| `ConnectionStrings__PostgreSQL`                    | `string`     | `""`                | Connection string to the PostgreSQL database. See <https://www.npgsql.org/doc/connection-string-parameters.html> for options. |
+| `ForceRunDatabaseMigrations`                       | `bool`       | `false`             | Run database migrations as part of the startup. Only recommended when a single replica of the application is used.            |
+| `Tracing__IsEnabled`                               | `bool`       | `false`             | Enable distributed tracing support.                                                                                           |
+| `Tracing__Exporter`                                | `string`     | `"jaeger"`          | The tracing export format. One of `jaeger`, `otlp`.                                                                           |
+| `Tracing__ServiceName`                             | `string`     | `"vfps"`            | Tracing service name.                                                                                                         |
+| `Tracing__RootSampler`                             | `string`     | `"AlwaysOnSampler"` | Tracing parent root sampler. One of `AlwaysOnSampler`, `AlwaysOffSampler`, `TraceIdRatioBasedSampler`                         |
+| `Tracing__SamplingProbability`                     | `double`     | `0.1`               | Sampling probability to use if `Tracing__RootSampler` is set to `TraceIdRatioBasedSampler`.                                   |
+| `Tracing__Jaeger`                                  | `object`     | `{}`                | Jaeger exporter options.                                                                                                      |
+| `Tracing__Otlp__Endpoint`                          | `string`     | `""`                | The OTLP gRPC Endpoint URL.                                                                                                   |
+| `Pseudonymization__Caching__Namespaces__IsEnabled` | `bool`       | `false`             | Set to `true` to enable namespace caching.                                                                                    |
+| `Pseudonymization__Caching__Pseudonyms__IsEnabled` | `bool`       | `false`             | Set to `true` to enable pseudonym caching.                                                                                    |
+| `Pseudonymization__Caching__SizeLimit`             | `int`        | `65534`             | Maximum number of entries in the cache. The cache is shared between the pseudonyms and namespaces.                            |
+| `Pseudonymization__Caching__AbsoluteExpiration`    | `D.HH:mm:nn` | `0.01:00:00`        | Time after which a cache entry expires.                                                                                       |
 
 ## Observability
 

docker-compose.yaml

@@ -1,6 +1,6 @@
 services:
   postgresql:
-    image: docker.io/library/postgres:15.4@sha256:33c234a3fa0147070cd8697cddac925e543a218e5a2fc92758f6d5296eef3d22
+    image: docker.io/library/postgres:16.0@sha256:f1aaf6f8be5552bef66c5580efbd2942c37d7277cd0416ef4939fa34bf0baf31
     restart: unless-stopped
     deploy:
       resources:
@@ -13,6 +13,7 @@ services:
       - "no-new-privileges:true"
     privileged: false
     environment:
+      # kics-scan ignore-line
       POSTGRES_PASSWORD: postgres
       POSTGRES_DB: vfps
     ports:
@@ -64,6 +65,7 @@ services:
       ForceRunDatabaseMigrations: "true"
       ConnectionStrings__PostgreSQL: "Host=postgresql:5432;Database=vfps;Timeout=60;Max Auto Prepare=5;Application Name=vfps;Maximum Pool Size=50;"
       PGUSER: postgres
+      # kics-scan ignore-line
       PGPASSWORD: postgres
     ports:
       # Http1, Http2, Http3

grpc-utils.Dockerfile

@@ -1,9 +1,9 @@
 # syntax=docker/dockerfile:1.4
-FROM docker.io/library/ubuntu:22.10@sha256:e322f4808315c387868a9135beeb11435b5b83130a8599fd7d0014452c34f489
+FROM docker.io/library/ubuntu:22.04@sha256:9b8dec3bf938bc80fbe758d856e96fdfab5f56c39d44b0cff351e847bb1b01ea
 SHELL ["/bin/bash", "-eo", "pipefail", "-c"]
 
-ENV GRPCURL_URL=https://github.com/fullstorydev/grpcurl/releases/download/v1.8.7/grpcurl_1.8.7_linux_x86_64.tar.gz \
-    GHZ_URL=https://github.com/bojand/ghz/releases/download/v0.110.0/ghz-linux-x86_64.tar.gz
+ENV GRPCURL_URL=https://github.com/fullstorydev/grpcurl/releases/download/v1.8.8/grpcurl_1.8.8_linux_x86_64.tar.gz \
+    GHZ_URL=https://github.com/bojand/ghz/releases/download/v0.117.0/ghz-linux-x86_64.tar.gz
 
 # hadolint ignore=DL3008
 RUN <<EOF