From 20acd806a21ce93f8b7ad79a86705c1d81b3d38d Mon Sep 17 00:00:00 2001
From: thiyyakat
Date: Fri, 17 Jan 2025 14:26:56 +0530
Subject: [PATCH] Adapt pipeline_definitions to include SAST linting logs in OCM descriptor (#959)
* Add newline at the end of files
* Adapt pipeline_definitions to include SAST linting logs in OCM descriptor
---
 .ci/pipeline_definitions | 17 +++++++++++++++++
 hack/add_license_headers.sh | 2 +-
 hack/sast.sh | 2 +-
 hack/tools.mk | 2 +-
 hack/tools/install-gosec.sh | 2 +-
 5 files changed, 21 insertions(+), 4 deletions(-)
diff --git a/.ci/pipeline_definitions b/.ci/pipeline_definitions
index 340d15de1..ab6310aa7 100644
--- a/.ci/pipeline_definitions
+++ b/.ci/pipeline_definitions
@@ -1,5 +1,12 @@
 machine-controller-manager:
 base_definition:
+ repo:
+ source_labels:
+ - name: cloud.gardener.cnudie/dso/scanning-hints/source_analysis/v1
+ value:
+ policy: skip
+ comment: |
+ we use gosec for sast scanning. See attached log.
 traits:
 version:
 preprocess:
@@ -55,6 +62,16 @@ machine-controller-manager:
 ocm_repository: europe-docker.pkg.dev/gardener-project/releases
 release:
 nextversion: 'bump_minor'
+ assets:
+ - type: build-step-log
+ step_name: check
+ purposes:
+ - lint
+ - sast
+ - gosec
+ comment: |
+ we use gosec (linter) for SAST scans
+ see: https://github.com/securego/gosec
 publish:
 dockerimages:
 machine-controller-manager:
diff --git a/hack/add_license_headers.sh b/hack/add_license_headers.sh
index 6f827e35b..cf2b378cd 100755
--- a/hack/add_license_headers.sh
+++ b/hack/add_license_headers.sh
@@ -23,4 +23,4 @@ addlicense \
 -ignore "**/*.md" \
 -ignore "**/*.yaml" \
 -ignore "**/Dockerfile" \
- .
\ No newline at end of file
+ .
diff --git a/hack/sast.sh b/hack/sast.sh
index 997658eaa..cabb2d358 100755
--- a/hack/sast.sh
+++ b/hack/sast.sh
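Review bot: The `policy: skip` hint added under `repo.source_labels` tells the component-descriptor consumer that gosec stands in for source analysis, but the `hack/sast.sh` hunk further down in this same patch shows the scan runs with `-exclude-generated -exclude-dir=hack`, so the label's comment overstates what is covered. The comment is the only place a reader of the OCM descriptor will see this, so it should name the exclusions, e.g. `we use gosec for sast scanning (hack/sast.sh; generated code and ./hack are excluded). See attached log.`. The `base_definition` block continues outside the hunk.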
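Review bot: The `build-step-log` asset added under `release.assets` is only SAST evidence if gosec's findings actually end up in the `check` step's log; `hack/sast.sh` passes `$gosec_report_parse_flags` to gosec, and if those flags redirect the report to a file the attached log will carry little more than the exit status. The `check` step definition and the value of that variable are outside this diff, so this is inferred rather than confirmed; once verified, a line such as `gosec findings are printed to this step's log (see hack/sast.sh)` in the asset `comment` would let a descriptor reader judge the evidence. Separately, `gosec (linter)` undersells the tool — gosec is a security checker, so `we use gosec for SAST scans` reads more accurately. The `release` trait and the enclosing `machine-controller-manager` definition continue outside the hunk.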
@@ -41,4 +41,4 @@ fi
 # Thus, generated code is excluded from gosec scan.
 # Nested go modules are not supported by gosec (see https://github.com/securego/gosec/issues/501), so the ./hack folder
 # is excluded too. It does not contain productive code anyway.
-gosec -exclude-generated -exclude-dir=hack $gosec_report_parse_flags ./...
\ No newline at end of file
+gosec -exclude-generated -exclude-dir=hack $gosec_report_parse_flags ./...
diff --git a/hack/tools.mk b/hack/tools.mk
index a6208e414..a301a34e7 100644
--- a/hack/tools.mk
+++ b/hack/tools.mk
@@ -81,4 +81,4 @@ $(GOLANGCI_LINT): $(TOOLS_BIN_DIR)
 GOBIN=$(abspath $(TOOLS_BIN_DIR)) go install github.com/golangci/golangci-lint/cmd/golangci-lint@$(GOLANGCI_LINT_VERSION)
 
 $(GOSEC):
- GOSEC_VERSION=$(GOSEC_VERSION) bash $(TOOLS_PKG_PATH)/install-gosec.sh
\ No newline at end of file
+ GOSEC_VERSION=$(GOSEC_VERSION) bash $(TOOLS_PKG_PATH)/install-gosec.sh
diff --git a/hack/tools/install-gosec.sh b/hack/tools/install-gosec.sh
index cefdb5755..9026eeac7 100755
--- a/hack/tools/install-gosec.sh
+++ b/hack/tools/install-gosec.sh
@@ -37,4 +37,4 @@ curl -L -o ${temp_dir}/${file_name} "https://github.com/securego/gosec/releases/
 tar -xzm -C "${temp_dir}" -f "${temp_dir}/${file_name}"
 mv "${temp_dir}/gosec" $TOOLS_BIN_DIR
-chmod +x $TOOLS_BIN_DIR/gosec
\ No newline at end of file
+chmod +x $TOOLS_BIN_DIR/gosec