chore(deps): update dependency go to v1.23.0

.github/workflows/ci.yml

@@ -16,7 +16,7 @@ jobs:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:
-          go-version: "1.21"
+          go-version: "1.23"
       - run: make unit-tests
       - name: Upload unit-tests coverage to Codecov
         uses: codecov/codecov-action@e28ff129e5465c2c0dcc6f003fc735cb6ae0c673 # v4.5.0
@@ -35,8 +35,8 @@ jobs:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:
-          go-version: "1.21"
+          go-version: "1.23"
       - name: golangci-lint
         uses: golangci/golangci-lint-action@aaa42aa0628b4ae2578232a66b541047968fac86 # v6.1.0
         with:
-          version: v1.59.1
+          version: v1.60.1

.github/workflows/release.yml

@@ -26,7 +26,7 @@ jobs:
       - name: Install Golang
         uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:
-          go-version: "1.21"
+          go-version: "1.23"
 
       - name: Checkout code
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

.golangci.yml

@@ -11,7 +11,8 @@ run:
   # Timeout for analysis, e.g. 30s, 5m.
   # Default: 1m
   timeout: 3m
-
+  build-tags:
+    - testing
 
 # This file contains only configs which differ from defaults.
 # All possible options can be found here https://github.com/golangci/golangci-lint/blob/master/.golangci.reference.yml
@@ -166,7 +167,7 @@ linters-settings:
   nolintlint:
     # Exclude following linters from requiring an explanation.
     # Default: []
-    allow-no-explanation: [ funlen, gocognit, lll ]
+    allow-no-explanation: [funlen, gocognit, lll]
     # Enable to require an explanation of nonzero length after each nolint directive.
     # Default: false
     require-explanation: true
@@ -209,7 +210,6 @@ linters-settings:
     # Default: false
     all: true
 
-
 linters:
   disable-all: true
   enable:
@@ -234,7 +234,6 @@ linters:
     - errname # checks that sentinel errors are prefixed with the Err and error types are suffixed with the Error
     - errorlint # finds code that will cause problems with the error wrapping scheme introduced in Go 1.13
     - exhaustive # checks exhaustiveness of enum switch statements
-    - exportloopref # checks for pointers to enclosing loop variables
     - fatcontext # detects nested contexts in loops
     - forbidigo # forbids identifiers
     - funlen # tool for detection of long functions
@@ -323,26 +322,26 @@ linters:
     #- tagliatelle # checks the struct tags
     #- thelper # detects golang test helpers without t.Helper() call and checks the consistency of test helpers
     #- wsl # [too strict and mostly code is not more readable] whitespace linter forces you to use empty lines
-    
+
     ############################################################################
     # Kubewarden linter customization
     # The following linters are disabled because they does not make sense for
-    # the Kubewarden 
+    # the Kubewarden
     ############################################################################
 
     # We disable the testpackage linter because we have tests which is not
     # black boxed and that will not cause issues for us for now.
     # - testpackage # makes you use a separate _test package
-    
+
     # We disable the lll linter because we have long lines in many places and splitting them
     # will not make the code more readable.
-    # - lll 
+    # - lll
 
     # We use replace directives in go.mod to replace some dependencies. Dependabot updates it over time.
     # - gomoddirectives # manages the use of 'replace', 'retract', and 'excludes' directives in go.mod
-    
-    # Init functions are used in many places in the project. For instance, to registry types in the 
-    # scheme. This is a common usage in kubebuilder projects 
+
+    # Init functions are used in many places in the project. For instance, to registry types in the
+    # scheme. This is a common usage in kubebuilder projects
     # - gochecknoinits # checks that no init functions are present in Go code
 
 issues:
@@ -353,9 +352,11 @@ issues:
 
   exclude-rules:
     - source: "(noinspection|TODO)"
-      linters: [ godot ]
+      linters: [godot]
     - source: "//noinspection"
-      linters: [ gocritic ]
+      linters: [gocritic]
+    - text: 'shadow: declaration of "(err|ctx)" shadows declaration at'
+      linters: [govet]
     - path: "_test\\.go"
       linters:
         - bodyclose

Dockerfile

@@ -1,5 +1,5 @@
 # Build the audit-scanner binary
-FROM golang:1.22 as builder
+FROM golang:1.23 as builder
 
 WORKDIR /workspace
 # Copy the Go Modules manifests

Makefile

@@ -2,7 +2,7 @@ ROOT_DIR:=$(shell dirname $(realpath $(firstword $(MAKEFILE_LIST))))
 BIN_DIR := $(abspath $(ROOT_DIR)/bin)
 IMG ?= audit-scanner:latest
 
-GOLANGCI_LINT_VER := v1.59.1
+GOLANGCI_LINT_VER := v1.60.1
 GOLANGCI_LINT_BIN := golangci-lint
 GOLANGCI_LINT := $(BIN_DIR)/$(GOLANGCI_LINT_BIN)
 

cmd/root.go

@@ -27,109 +27,120 @@
 	defaultPageSize            = 100
 )
 
-// log level
-var level logconfig.Level
-
-// print result of scan as JSON to stdout
-var outputScan bool
-
-// list of namespaces to be skipped from scan
-var skippedNs []string
-
-// skip SSL cert validation when connecting to PolicyServers endpoints
-var insecureSSL bool
-
-// disable storing the results in the k8s cluster
-var disableStore bool
-
-// rootCmd represents the base command when called without any subcommands
-var rootCmd = &cobra.Command{
-	Use:   "audit-scanner",
-	Short: "Reports evaluation of existing Kubernetes resources with your already deployed Kubewarden policies",
-	Long: `Scans resources in your kubernetes cluster with your already deployed Kubewarden policies.
+//nolint:gocognit
+func NewRootCommand() *cobra.Command {
+	var (
+		level        logconfig.Level // log level.
+		outputScan   bool            // print result of scan as JSON to stdout.
+		skippedNs    []string        // list of namespaces to be skipped from scan.
+		insecureSSL  bool            // skip SSL cert validation when connecting to PolicyServers endpoints.
+		disableStore bool            // disable storing the results in the k8s cluster.
+	)
+
+	// rootCmd represents the base command when called without any subcommands.
+	rootCmd := &cobra.Command{
+		Use:   "audit-scanner",
+		Short: "Reports evaluation of existing Kubernetes resources with your already deployed Kubewarden policies",
+		Long: `Scans resources in your kubernetes cluster with your already deployed Kubewarden policies.
 Each namespace will have a PolicyReport with the outcome of the scan for resources within this namespace.
 There will be a ClusterPolicyReport with results for cluster-wide resources.`,
 
-	RunE: func(cmd *cobra.Command, _ []string) error {
-		level.SetZeroLogLevel()
-		namespace, err := cmd.Flags().GetString("namespace")
-		if err != nil {
-			return err
-		}
-		kubewardenNamespace, err := cmd.Flags().GetString("kubewarden-namespace")
-		if err != nil {
-			return err
-		}
-		clusterWide, err := cmd.Flags().GetBool("cluster")
-		if err != nil {
-			return err
-		}
-		policyServerURL, err := cmd.Flags().GetString("policy-server-url")
-		if err != nil {
-			return err
-		}
-		caCertFile, err := cmd.Flags().GetString("extra-ca")
-		if err != nil {
-			return err
-		}
-		parallelNamespacesAudits, err := cmd.Flags().GetInt("parallel-namespaces")
-		if err != nil {
-			return err
-		}
-		parallelResourcesAudits, err := cmd.Flags().GetInt("parallel-resources")
-		if err != nil {
-			return err
-		}
-		parallelPoliciesAudit, err := cmd.Flags().GetInt("parallel-policies")
-		if err != nil {
-			return err
-		}
-		pageSize, err := cmd.Flags().GetInt("page-size")
-		if err != nil {
-			return err
-		}
-
-		config := ctrl.GetConfigOrDie()
-		dynamicClient := dynamic.NewForConfigOrDie(config)
-		clientset := kubernetes.NewForConfigOrDie(config)
+		RunE: func(cmd *cobra.Command, _ []string) error {
+			level.SetZeroLogLevel()
+			namespace, err := cmd.Flags().GetString("namespace")
+			if err != nil {
+				return err
+			}
+			kubewardenNamespace, err := cmd.Flags().GetString("kubewarden-namespace")
+			if err != nil {
+				return err
+			}
+			clusterWide, err := cmd.Flags().GetBool("cluster")
+			if err != nil {
+				return err
+			}
+			policyServerURL, err := cmd.Flags().GetString("policy-server-url")
+			if err != nil {
+				return err
+			}
+			caCertFile, err := cmd.Flags().GetString("extra-ca")
+			if err != nil {
+				return err
+			}
+			parallelNamespacesAudits, err := cmd.Flags().GetInt("parallel-namespaces")
+			if err != nil {
+				return err
+			}
+			parallelResourcesAudits, err := cmd.Flags().GetInt("parallel-resources")
+			if err != nil {
+				return err
+			}
+			parallelPoliciesAudit, err := cmd.Flags().GetInt("parallel-policies")
+			if err != nil {
+				return err
+			}
+			pageSize, err := cmd.Flags().GetInt("page-size")
+			if err != nil {
+				return err
+			}
+
+			config := ctrl.GetConfigOrDie()
+			dynamicClient := dynamic.NewForConfigOrDie(config)
+			clientset := kubernetes.NewForConfigOrDie(config)
+
+			auditScheme, err := scheme.NewScheme()
+			if err != nil {
+				return err
+			}
+			client, err := client.New(config, client.Options{Scheme: auditScheme})
+			if err != nil {
+				return err
+			}
+			policiesClient, err := policies.NewClient(client, kubewardenNamespace, policyServerURL)
+			if err != nil {
+				return err
+			}
+			k8sClient, err := k8s.NewClient(dynamicClient, clientset, kubewardenNamespace, skippedNs, int64(pageSize))
+			if err != nil {
+				return err
+			}
+			policyReportStore := report.NewPolicyReportStore(client)
+			scanner, err := scanner.NewScanner(policiesClient, k8sClient, policyReportStore, outputScan, disableStore, insecureSSL, caCertFile,
+				parallelNamespacesAudits,
+				parallelResourcesAudits,
+				parallelPoliciesAudit)
+			if err != nil {
+				return err
+			}
+			return startScanner(namespace, clusterWide, scanner)
+		},
+	}
 
-		auditScheme, err := scheme.NewScheme()
-		if err != nil {
-			return err
-		}
-		client, err := client.New(config, client.Options{Scheme: auditScheme})
-		if err != nil {
-			return err
-		}
-		policiesClient, err := policies.NewClient(client, kubewardenNamespace, policyServerURL)
-		if err != nil {
-			return err
-		}
-		k8sClient, err := k8s.NewClient(dynamicClient, clientset, kubewardenNamespace, skippedNs, int64(pageSize))
-		if err != nil {
-			return err
-		}
-		policyReportStore := report.NewPolicyReportStore(client)
+	// make sure we always get json formatted errors, even for flag errors
+	rootCmd.SilenceErrors = true
+	rootCmd.SilenceUsage = true
 
-		scanner, err := scanner.NewScanner(policiesClient, k8sClient, policyReportStore, outputScan, disableStore, insecureSSL, caCertFile,
-			parallelNamespacesAudits,
-			parallelResourcesAudits,
-			parallelPoliciesAudit)
-		if err != nil {
-			return err
-		}
+	rootCmd.Flags().StringP("namespace", "n", "", "namespace to be evaluated")
+	rootCmd.Flags().BoolP("cluster", "c", false, "scan cluster wide resources")
+	rootCmd.Flags().StringP("kubewarden-namespace", "k", defaultKubewardenNamespace, "namespace where the Kubewarden components (e.g. PolicyServer) are installed (required)")
+	rootCmd.Flags().StringP("policy-server-url", "u", "", "URI to the PolicyServers the Audit Scanner will query. Example: https://localhost:3000. Useful for out-of-cluster debugging")
+	rootCmd.Flags().VarP(&level, "loglevel", "l", fmt.Sprintf("level of the logs. Supported values are: %v", logconfig.GetSupportedValues()))
+	rootCmd.Flags().BoolVarP(&outputScan, "output-scan", "o", false, "print result of scan in JSON to stdout")
+	rootCmd.Flags().StringSliceVarP(&skippedNs, "ignore-namespaces", "i", nil, "comma separated list of namespace names to be skipped from scan. This flag can be repeated")
+	rootCmd.Flags().BoolVar(&insecureSSL, "insecure-ssl", false, "skip SSL cert validation when connecting to PolicyServers endpoints. Useful for development")
+	rootCmd.Flags().StringP("extra-ca", "f", "", "File path to CA cert in PEM format of PolicyServer endpoints")
+	rootCmd.Flags().BoolVar(&disableStore, "disable-store", false, "disable storing the results in the k8s cluster")
+	rootCmd.Flags().IntP("parallel-namespaces", "", defaultParallelNamespaces, "number of Namespaces to scan in parallel")
+	rootCmd.Flags().IntP("parallel-resources", "", defaultParallelResources, "number of resources to scan in parallel")
+	rootCmd.Flags().IntP("parallel-policies", "", defaultParallelPolicies, "number of policies to evaluate for a given resource in parallel")
+	rootCmd.Flags().IntP("page-size", "", defaultPageSize, "number of resources to fetch from the Kubernetes API server when paginating")
 
-		return startScanner(namespace, clusterWide, scanner)
-	},
+	return rootCmd
 }
 
 // Execute adds all child commands to the root command and sets flags appropriately.
 // This is called by main.main(). It only needs to happen once to the rootCmd.
-func Execute() {
-	// make sure we always get json formatted errors, even for flag errors
-	rootCmd.SilenceErrors = true
-	rootCmd.SilenceUsage = true
-
+func Execute(rootCmd *cobra.Command) {
 	if err := rootCmd.Execute(); err != nil {
 		log.Fatal().Err(err).Msg("Error on cmd.Execute()")
 	}
@@ -158,20 +169,3 @@
 	}
 	return scanner.ScanAllNamespaces(ctx, runUID)
 }
-
-func init() {
-	rootCmd.Flags().StringP("namespace", "n", "", "namespace to be evaluated")
-	rootCmd.Flags().BoolP("cluster", "c", false, "scan cluster wide resources")
-	rootCmd.Flags().StringP("kubewarden-namespace", "k", defaultKubewardenNamespace, "namespace where the Kubewarden components (e.g. PolicyServer) are installed (required)")
-	rootCmd.Flags().StringP("policy-server-url", "u", "", "URI to the PolicyServers the Audit Scanner will query. Example: https://localhost:3000. Useful for out-of-cluster debugging")
-	rootCmd.Flags().VarP(&level, "loglevel", "l", fmt.Sprintf("level of the logs. Supported values are: %v", logconfig.SupportedValues))
-	rootCmd.Flags().BoolVarP(&outputScan, "output-scan", "o", false, "print result of scan in JSON to stdout")
-	rootCmd.Flags().StringSliceVarP(&skippedNs, "ignore-namespaces", "i", nil, "comma separated list of namespace names to be skipped from scan. This flag can be repeated")
-	rootCmd.Flags().BoolVar(&insecureSSL, "insecure-ssl", false, "skip SSL cert validation when connecting to PolicyServers endpoints. Useful for development")
-	rootCmd.Flags().StringP("extra-ca", "f", "", "File path to CA cert in PEM format of PolicyServer endpoints")
-	rootCmd.Flags().BoolVar(&disableStore, "disable-store", false, "disable storing the results in the k8s cluster")
-	rootCmd.Flags().IntP("parallel-namespaces", "", defaultParallelNamespaces, "number of Namespaces to scan in parallel")
-	rootCmd.Flags().IntP("parallel-resources", "", defaultParallelResources, "number of resources to scan in parallel")
-	rootCmd.Flags().IntP("parallel-policies", "", defaultParallelPolicies, "number of policies to evaluate for a given resource in parallel")
-	rootCmd.Flags().IntP("page-size", "", defaultPageSize, "number of resources to fetch from the Kubernetes API server when paginating")
-}

go.mod

@@ -1,8 +1,6 @@
 module github.com/kubewarden/audit-scanner
 
-go 1.22.0
-
-toolchain go1.22.6
+go 1.23.0
 
 require (
 	github.com/google/uuid v1.6.0

go.sum

@@ -791,8 +791,6 @@ rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.7/go.mod h1:PHgbrJT7lCHcxMU+mDHEm+nx46H4zuuHZkDP6icnhu0=
 sigs.k8s.io/controller-runtime v0.6.3/go.mod h1:WlZNXcM0++oyaQt4B7C2lEE5JYRs8vJUzRP4N4JpdAY=
-sigs.k8s.io/controller-runtime v0.18.4 h1:87+guW1zhvuPLh1PHybKdYFLU0YJp4FhJRmiHvm5BZw=
-sigs.k8s.io/controller-runtime v0.18.4/go.mod h1:TVoGrfdpbA9VRFaRnKgk9P5/atA0pMwq+f+msb9M8Sg=
 sigs.k8s.io/controller-runtime v0.18.5 h1:nTHio/W+Q4aBlQMgbnC5hZb4IjIidyrizMai9P6n4Rk=
 sigs.k8s.io/controller-runtime v0.18.5/go.mod h1:TVoGrfdpbA9VRFaRnKgk9P5/atA0pMwq+f+msb9M8Sg=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo=

internal/constants/constants.go

@@ -11,5 +11,5 @@ const (
 	AuditScannerRunUIDLabel              = "kubewarden.io/audit-scanner-run-uid"
 )
 
-// ErrResourceNotFound is an error used to tell that the required resource is not found
+// ErrResourceNotFound is an error used to tell that the required resource is not found.
 var ErrResourceNotFound = errors.New("resource not found")