feat: add Snyk jobs to TopoLVM (openshift#54312)

Signed-off-by: Suleyman Akbas <sakbas@redhat.com>

ci-operator/config/openshift/topolvm/openshift-topolvm-main.yaml

@@ -8,11 +8,36 @@ build_root:
   image_stream_tag:
     name: builder
     namespace: ocp
-    tag: rhel-9-golang-1.21-openshift-4.16
+    tag: rhel-9-golang-1.22-openshift-4.17
 images:
 - dockerfile_path: Dockerfile
   from: ubi_minimal
   to: topolvm
+- dockerfile_literal: |-
+    FROM ubi_minimal
+
+    COPY --from=root:current /usr/lib/golang /usr/local/go
+    ENV PATH=$PATH:/usr/local/go/bin
+
+    ENV GOPATH=/tmp/go
+    ENV GOTOOLCHAIN=auto
+    ENV GOTOOLDIR=/tmp/gotools
+
+    RUN mkdir /.cache ${GOPATH} && chmod 775 -R /.cache ${GOPATH}
+    RUN mkdir /.local && chmod 777 /.local
+    RUN mkdir /tmp/gotools && chmod 777 /tmp/gotools
+
+    ENV SNYK_DIR=/tmp/snyk
+    RUN mkdir -p ${SNYK_DIR}
+    RUN curl https://static.snyk.io/cli/latest/snyk-linux -o ${SNYK_DIR}/snyk
+    RUN chmod +x ${SNYK_DIR}/snyk
+    ENV PATH=$PATH:${SNYK_DIR}
+  from: ubi_minimal
+  inputs:
+    root:
+      as:
+      - root:current
+  to: topolvm-snyk
 promotion:
   to:
   - namespace: lvms
@@ -35,6 +60,26 @@ tests:
   steps:
     cluster_profile: aws
     workflow: lvms-topolvm-conformance
+- as: snyk-code
+  commands: |
+    SNYK_TOKEN=$(cat /tmp/secret/token) snyk code test --project-name=lvms --severity-threshold="medium" --org="81de31f3-6dff-46ff-af37-664e272a9fe3" --report
+  container:
+    clone: true
+    from: topolvm-snyk
+  optional: true
+  secret:
+    mount_path: /tmp/secret
+    name: lvms-snyk-token
+- as: snyk-deps
+  commands: |
+    SNYK_TOKEN=$(cat /tmp/secret/token) snyk test --project-name=lvms --severity-threshold="medium" --org="81de31f3-6dff-46ff-af37-664e272a9fe3" --report
+  container:
+    clone: true
+    from: topolvm-snyk
+  optional: true
+  secret:
+    mount_path: /tmp/secret
+    name: lvms-snyk-token
 zz_generated_metadata:
   branch: main
   org: openshift

ci-operator/jobs/openshift/topolvm/openshift-topolvm-main-presubmits.yaml

@@ -135,3 +135,129 @@ presubmits:
         secret:
           secretName: result-aggregator
     trigger: (?m)^/test( | .* )images,?($|\s.*)
+  - agent: kubernetes
+    always_run: true
+    branches:
+    - ^main$
+    - ^main-
+    cluster: build03
+    context: ci/prow/snyk-code
+    decorate: true
+    decoration_config:
+      skip_cloning: true
+    labels:
+      ci.openshift.io/generator: prowgen
+      pj-rehearse.openshift.io/can-be-rehearsed: "true"
+    name: pull-ci-openshift-topolvm-main-snyk-code
+    optional: true
+    rerun_command: /test snyk-code
+    spec:
+      containers:
+      - args:
+        - --gcs-upload-secret=/secrets/gcs/service-account.json
+        - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson
+        - --report-credentials-file=/etc/report/credentials
+        - --secret-dir=/secrets/lvms-snyk-token
+        - --target=snyk-code
+        command:
+        - ci-operator
+        image: ci-operator:latest
+        imagePullPolicy: Always
+        name: ""
+        resources:
+          requests:
+            cpu: 10m
+        volumeMounts:
+        - mountPath: /secrets/gcs
+          name: gcs-credentials
+          readOnly: true
+        - mountPath: /secrets/lvms-snyk-token
+          name: lvms-snyk-token
+          readOnly: true
+        - mountPath: /secrets/manifest-tool
+          name: manifest-tool-local-pusher
+          readOnly: true
+        - mountPath: /etc/pull-secret
+          name: pull-secret
+          readOnly: true
+        - mountPath: /etc/report
+          name: result-aggregator
+          readOnly: true
+      serviceAccountName: ci-operator
+      volumes:
+      - name: lvms-snyk-token
+        secret:
+          secretName: lvms-snyk-token
+      - name: manifest-tool-local-pusher
+        secret:
+          secretName: manifest-tool-local-pusher
+      - name: pull-secret
+        secret:
+          secretName: registry-pull-credentials
+      - name: result-aggregator
+        secret:
+          secretName: result-aggregator
+    trigger: (?m)^/test( | .* )snyk-code,?($|\s.*)
+  - agent: kubernetes
+    always_run: true
+    branches:
+    - ^main$
+    - ^main-
+    cluster: build03
+    context: ci/prow/snyk-deps
+    decorate: true
+    decoration_config:
+      skip_cloning: true
+    labels:
+      ci.openshift.io/generator: prowgen
+      pj-rehearse.openshift.io/can-be-rehearsed: "true"
+    name: pull-ci-openshift-topolvm-main-snyk-deps
+    optional: true
+    rerun_command: /test snyk-deps
+    spec:
+      containers:
+      - args:
+        - --gcs-upload-secret=/secrets/gcs/service-account.json
+        - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson
+        - --report-credentials-file=/etc/report/credentials
+        - --secret-dir=/secrets/lvms-snyk-token
+        - --target=snyk-deps
+        command:
+        - ci-operator
+        image: ci-operator:latest
+        imagePullPolicy: Always
+        name: ""
+        resources:
+          requests:
+            cpu: 10m
+        volumeMounts:
+        - mountPath: /secrets/gcs
+          name: gcs-credentials
+          readOnly: true
+        - mountPath: /secrets/lvms-snyk-token
+          name: lvms-snyk-token
+          readOnly: true
+        - mountPath: /secrets/manifest-tool
+          name: manifest-tool-local-pusher
+          readOnly: true
+        - mountPath: /etc/pull-secret
+          name: pull-secret
+          readOnly: true
+        - mountPath: /etc/report
+          name: result-aggregator
+          readOnly: true
+      serviceAccountName: ci-operator
+      volumes:
+      - name: lvms-snyk-token
+        secret:
+          secretName: lvms-snyk-token
+      - name: manifest-tool-local-pusher
+        secret:
+          secretName: manifest-tool-local-pusher
+      - name: pull-secret
+        secret:
+          secretName: registry-pull-credentials
+      - name: result-aggregator
+        secret:
+          secretName: result-aggregator
+    trigger: (?m)^/test( | .* )snyk-deps,?($|\s.*)