LCORE-858: konflux - activate SAST Snyk Checks#867

Merged
tisnik merged 1 commit intolightspeed-core:mainfrom
raptorsun:sast-snyk
Dec 5, 2025
Conversation

@raptorsun raptorsun commented Dec 3, 2025

Description

Activate SAST Snyk Checks on Konflux and upload reports to Snyk.

Type of change

  • Refactor
  • New feature
  • Bug fix
  • CVE fix
  • Optimization
  • Documentation Update
  • Configuration Update
  • Bump-up service version
  • Bump-up dependent library
  • Bump-up library or tool used for development (does not change the final image)
  • CI configuration change
  • Konflux configuration change
  • Unit tests improvement
  • Integration tests improvement
  • End to end tests improvement

Tools used to create PR

Identify any AI code assistants used in this PR (for transparency and review context)

  • Assisted-by: (e.g., Claude, CodeRabbit, Ollama, etc., N/A if not used)
  • Generated by: (e.g., tool name and version; N/A if not used)

Related Tickets & Documents

  • Related Issue # LCORE-858
  • Closes #

Checklist before requesting a review

  • I have performed a self-review of my code.
  • PR has passed all pre-merge test jobs.
  • If it is a core feature, I have added thorough tests.

Testing

  • Please provide detailed steps to perform tests related to this code change.
  • How were the fix/results from this change verified? Please provide relevant screenshots or results.

Summary by CodeRabbit

  • Chores
    • Configured enhanced security scanning in pull request and deployment workflows with project-specific parameters for improved vulnerability detection and reporting.

Signed-off-by: Haoyu Sun <hasun@redhat.com>
coderabbitai bot commented Dec 3, 2025

Walkthrough

A new ARGS parameter is added to the sast-snyk-check-oci-ta task invocations in two Tekton pipeline files. The ARGS value provides Snyk CLI arguments: project name, report flag, and organization UUID. These changes augment task execution without altering control flow.

Changes

Cohort / File(s): Tekton Pipeline Configuration (.tekton/lightspeed-stack-pull-request.yaml, .tekton/lightspeed-stack-push.yaml)
Change Summary: Added ARGS parameter to sast-snyk-check-oci-ta task invocations with value: --project-name=lightspeed-stack --report --org=dca2ca89-7e51-4a3a-b7a5-6ad5633057b8

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

  • Straightforward parameter additions to configuration files with identical modifications across both Tekton pipelines
  • Changes are non-functional (configuration only) with no logic, control flow, or behavioral alterations

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
Description Check: Passed. Check skipped - CodeRabbit's high-level summary is enabled.
Title check: Passed. The title directly and accurately summarizes the main change: activating SAST Snyk Checks in Konflux, which aligns with adding ARGS parameters to sast-snyk-check-oci-ta tasks in both Tekton pipeline files.
Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

♻️ Duplicate comments (1)
.tekton/lightspeed-stack-pull-request.yaml (1)

407-408: Security: Hardcoded organization UUID should be externalized.

Same issue as in .tekton/lightspeed-stack-push.yaml (lines 404-405). The Snyk organization UUID is hardcoded and should be stored as a secret or injected parameter to avoid exposing sensitive organizational information in version control.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between e6ef1f4 and 7da7869.

📒 Files selected for processing (2)
  • .tekton/lightspeed-stack-pull-request.yaml (1 hunks)
  • .tekton/lightspeed-stack-push.yaml (1 hunks)
🔇 Additional comments (1)
.tekton/lightspeed-stack-push.yaml (1)

404-405: Verify that the sast-snyk-check-oci-ta task accepts the ARGS parameter.

The sast-snyk-check-oci-ta:0.4 task does not appear in public Tekton Hub documentation or public repositories. This task is likely internal to your organization. Verification of ARGS parameter support requires access to the task definition file to confirm the parameters it accepts.

Comment on lines +404 to +405
- name: ARGS
value: --project-name=lightspeed-stack --report --org=dca2ca89-7e51-4a3a-b7a5-6ad5633057b8
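Review bot: the `--report` flag in this ARGS value means the task uploads scan results to Snyk, which requires a Snyk API token at run time; these two lines show only the CLI arguments, so confirm the token reaches the task through a mounted secret and is never appended to `ARGS` as another literal, since this value lands in version control as plain text.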

⚠️ Potential issue | 🟠 Major

Hardcoded organization UUID should be externalized to a secret.

The Snyk organization UUID (dca2ca89-7e51-4a3a-b7a5-6ad5633057b8) is hardcoded in the pipeline file. This is sensitive organizational information that should be stored as a Tekton secret or pipeline parameter rather than exposed in version control.

Consider refactoring to use a parameter or secret reference:

- name: ARGS
  value: --project-name=lightspeed-stack --report --org=$(params.snyk-org-id)

Then define snyk-org-id as a parameter that references a secret or is injected from a secure store.

🤖 Prompt for AI Agents
In .tekton/lightspeed-stack-push.yaml around lines 404-405 the Snyk organization
UUID is hardcoded; replace the literal value with a parameter or secret
reference (for example use --org=$(params.snyk-org-id) or inject from a secret
via taskRun/pipelineResource) and update the task/pipeline definition to declare
the snyk-org-id parameter and/or mount a tekton secret reference that provides
the org ID; ensure the secret is created in the cluster and the
pipeline/task/pipelinerun binds that secret or parameter so the org UUID is no
longer stored in version control.
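A check in the spirit of the review comment above, added here as an example and not part of this PR or the project: it scans Tekton pipeline text for `--org=` values inside `ARGS` params, flags UUID literals, and accepts `$(params.…)` references. The pipeline fragment is constructed to mirror the shape of the changed files.

```python
import re
import sys

# Constructed sample in the shape of a Tekton PipelineRun task list (not the
# project's actual .tekton file): one ARGS value with a UUID literal, one that
# already uses a parameter reference.
SAMPLE_PIPELINE = """\
    - name: sast-snyk-check
      params:
        - name: image-digest
          value: $(tasks.build-image-index.results.IMAGE_DIGEST)
        - name: ARGS
          value: --project-name=lightspeed-stack --report --org=dca2ca89-7e51-4a3a-b7a5-6ad5633057b8
    - name: sast-snyk-check-externalized
      params:
        - name: ARGS
          value: --project-name=lightspeed-stack --report --org=$(params.snyk-org-id)
"""

NAME_RE = re.compile(r"^-\s*name:\s*(\S+)")
ORG_RE = re.compile(r"--org=(\S+)")
UUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)


def find_hardcoded_org_ids(text):
    """Return [(line_no, uuid)] for every --org= inside an ARGS param whose
    value is a UUID literal; $(params.*) references are accepted."""
    findings = []
    current_param = None
    for line_no, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        m = NAME_RE.match(stripped)
        if m:
            current_param = m.group(1)  # remember which param the next value belongs to
            continue
        if current_param != "ARGS" or not stripped.startswith("value:"):
            continue
        for org in ORG_RE.findall(stripped):
            if org.startswith("$("):
                continue  # resolved at run time from a pipeline param or secret
            if UUID_RE.fullmatch(org):
                findings.append((line_no, org))
    return findings


if __name__ == "__main__":
    paths = sys.argv[1:]
    texts = [open(p).read() for p in paths] if paths else [SAMPLE_PIPELINE]
    for label, text in zip(paths or ["<sample>"], texts):
        for line_no, org in find_hardcoded_org_ids(text):
            print(f"{label}:{line_no}: hardcoded Snyk org id {org}; use $(params.snyk-org-id)")
```

Run it with the .tekton YAML files as arguments in CI to fail the build when a literal org id reappears.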

are-ces commented Dec 5, 2025

PTAL at CodeRabbit's comments.

@tisnik tisnik left a comment

LGTM

@tisnik tisnik merged commit 1856ef6 into lightspeed-core:main Dec 5, 2025
21 of 23 checks passed
@raptorsun raptorsun deleted the sast-snyk branch December 5, 2025 09:34