update(deps): vulnerabilities cleanup (#7315)

* vulnerabilities cleanup

* exclude test files from trivy and grype

* typo

* fix

* upgrade go.mod packages

* add binary dep to artifacts

* fix action

* fix unit test

* upgrade images

.github/workflows/go-ci-coverage.yaml

@@ -33,11 +33,11 @@ jobs:
           curl -L \
             https://img.shields.io/badge/Go%20Coverage-${{ steps.testcov.outputs.coverage }}%25-${{ steps.testcov.outputs.color }}.svg > coverage.svg
           cat coverage.svg
-      - uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4
+      - uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
           name: ${{ runner.os }}-badge-latest
           path: coverage.svg
-      - uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4
+      - uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
           name: ${{ runner.os }}-coverage-latest
           path: coverage.html

.github/workflows/go-ci-integration.yml

@@ -22,7 +22,7 @@ jobs:
         id: buildx
         uses: docker/setup-buildx-action@4fd812986e6c8c2a69e18311145f9371337f27d4 # v3.4.0
       - name: Cache Docker layers
-        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
         with:
           path: /tmp/.buildx-cache
           key: ${{ runner.os }}-buildx-${{ github.ref }}
@@ -59,7 +59,7 @@ jobs:
             -p "/path" \
             -o "/path/"
       - name: Archive test logs
-        uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         if: always()
         with:
           name: integration-logs-${{ github.event.pull_request.head.sha }}
@@ -68,7 +68,7 @@ jobs:
         run: |
           cat  ${PWD}/assets/queries/results.json
       - name: Archive test results
-        uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
           name: integration-results-${{ github.event.pull_request.head.sha }}
           path: assets/queries/results.json

.github/workflows/go-ci-metrics.yaml

@@ -26,7 +26,7 @@ jobs:
           curl -L \
             https://img.shields.io/badge/Queries-${{ steps.metrics.outputs.total_queries }}-blue.svg > queries.svg
           cat queries.svg
-      - uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4
+      - uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
           name: ${{ runner.os }}-queries-badge-latest
           path: queries.svg

.github/workflows/go-ci.yml

@@ -56,7 +56,7 @@ jobs:
         shell: bash
         run: echo "GO_BUILD=$(go env GOCACHE)" >>$GITHUB_OUTPUT
       - name: Cache dependencies
-        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
         with:
           path: ${{ steps.go-cache-paths.outputs.GO_BUILD }}
           key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
@@ -86,7 +86,7 @@ jobs:
           go test -mod=vendor -tags dev -v -timeout 2100s $(go list -tags dev ./... | grep -v e2e) -count=1 -coverprofile=cover.out | tee unit-test.log
       - name: Archive test logs
         if: always()
-        uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
           name: unit-test-${{ runner.os }}-${{ github.event.pull_request.head.sha }}.log
           path: unit-test.log

.github/workflows/go-e2e-debian.yaml

@@ -44,7 +44,7 @@ jobs:
         id: buildx
         uses: docker/setup-buildx-action@4fd812986e6c8c2a69e18311145f9371337f27d4 # v3.4.0
       - name: Cache Docker layers
-        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
         with:
           path: /tmp/.buildx-cache
           key: ${{ runner.os }}-buildx-${{ github.ref }}
@@ -100,7 +100,7 @@ jobs:
           DOCKER_NAME=$(echo docker/Dockerfile.debian | sed 's/\//-/')
       - name: Archive test report
         if: always()
-        uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
           name: e2e-tests-report-dockerfile-$DOCKER_NAME
           path: e2e-report.html

.github/workflows/go-e2e.yaml

@@ -45,7 +45,7 @@ jobs:
         id: buildx
         uses: docker/setup-buildx-action@4fd812986e6c8c2a69e18311145f9371337f27d4 # v3.4.0
       - name: Cache Docker layers
-        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
         with:
           path: /tmp/.buildx-cache
           key: ${{ runner.os }}-buildx-${{ github.ref }}
@@ -99,7 +99,7 @@ jobs:
           echo "DOCKER_NAME=$DOCKER_NAME" >> $GITHUB_ENV
       - name: Archive test report
         if: always()
-        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
           name: e2e-tests-report-${{ env.DOCKER_NAME }}
           path: e2e-report.html

.github/workflows/go-test-race.yml

@@ -27,7 +27,7 @@ jobs:
           echo "::set-output name=go-build::$(go env GOCACHE)"
           echo "::set-output name=go-mod::$(go env GOMODCACHE)"
       - name: Cache dependencies
-        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
         with:
           path: ${{ steps.go-cache-paths.outputs.go-build }}
           key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
@@ -45,7 +45,7 @@ jobs:
           exit $result_code
       - name: Archive test logs
         if: always()
-        uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
           name: unit-test-${{ runner.os }}-${{ github.event.pull_request.head.sha }}.log
           path: unit-test.log

.github/workflows/kics-gh-action.yaml

@@ -20,7 +20,7 @@ jobs:
           output_path: ./results
           output_formats: json,html
           type: dockerfile
-      - uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4
+      - uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
           name: results
           path: ./results

.github/workflows/sec-checks.yaml

@@ -19,14 +19,15 @@ jobs:
           format: 'table'
           output: './results.txt'
           severity: 'CRITICAL,HIGH,MEDIUM,LOW'
+          skip-dirs: '.github'
           exit-code: '1'
         # trivy-config: trivy.yaml
       - name: Inspect action report
         if: always()
         run: cat ./results.txt
       - name: Upload artifact
         if: always()
-        uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
           name: trivy-fs-scan-results
           path: ./results.txt
@@ -74,7 +75,7 @@ jobs:
         run: cat ./results.txt
       - name: Upload artifact
         if: always()
-        uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
           name: trivy-docker-image-scan-results
           path: ./results.txt
@@ -151,7 +152,7 @@ jobs:
         run: cat ./results.txt
       - name: Upload artifact
         if: always()
-        uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
           name: govulncheck-fs-scan-results
           path: ./results.txt
@@ -177,7 +178,18 @@ jobs:
         run: cat ./results.txt
       - name: Upload artifact
         if: always()
-        uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
           name: govulncheck-binary-scan-results
           path: ./results.txt
+      - name: Inspect final dependencies from binary
+        if: github.event_name == 'pull_request'
+        run: |
+          strings ./bin/kics | grep -P "dep\t" | sort -u > binary_dependencies.txt
+          cat binary_dependencies.txt
+      - name: Upload artifact
+        if: always()
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        with:
+          name: binary-dependencies
+          path: ./binary_dependencies.txt

.grype.yaml

@@ -8,4 +8,4 @@ ignore:
   - package:
       location: "/usr/local/bin/terraform"
 exclude:
-  - './.github/scripts/report/**' # test files
+  - './.github/scripts/**' # test files

Dockerfile

@@ -1,4 +1,4 @@
-FROM checkmarx/go:1.23.1-r0@sha256:61d8f083c9781614cad318dc8a0b35fb2b9c7f88226829f4a5bdc00117c47cc2 AS build_env
+FROM checkmarx/go:1.23.4-r0@sha256:07aa6232e1255b14e2cbde76323059af733b5017890d64670b57d51b33744220 AS build_env
 
 # Copy the source from the current directory to the Working Directory inside the container
 WORKDIR /app
@@ -29,7 +29,7 @@ RUN GOOS=${TARGETOS} GOARCH=${TARGETARCH} go build \
 # Runtime image
 # Ignore no User Cmd since KICS container is stopped afer scan
 # kics-scan ignore-line
-FROM checkmarx/git@sha256:a4253a0291cec1dab3c4e85ccfd0c49d8c6d4a52e34c9159a59cb6a5fc7b4432
+FROM checkmarx/git:2.47.0-r0@sha256:2f3ce1eb50ac04e3a9930a5f71526e3e3e22cd09964a9a2aab9d4c3787f25b21
 
 ENV TERM xterm-256color