
Update deps#293

Closed

santoshkal wants to merge 52 commits into main from update-deps

Conversation

@santoshkal
Collaborator

Updates all the dependencies in go.mod

santoshkal and others added 30 commits October 1, 2024 16:28
Bumps [aquasecurity/trivy-action](https://github.com/aquasecurity/trivy-action) from 0.24.0 to 0.28.0.
- [Release notes](https://github.com/aquasecurity/trivy-action/releases)
- [Commits](aquasecurity/trivy-action@6e7b7d1...915b19b)

---
updated-dependencies:
- dependency-name: aquasecurity/trivy-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.6.0 to 3.7.0.
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](sigstore/cosign-installer@4959ce0...dc72c7d)

---
updated-dependencies:
- dependency-name: sigstore/cosign-installer
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [actions/setup-go](https://github.com/actions/setup-go) from 5.0.2 to 5.1.0.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](actions/setup-go@0a12ed9...41dfa10)

---
updated-dependencies:
- dependency-name: actions/setup-go
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* Update dependabot.yaml and dependencies (#165)

* Initial regex command files

* Initial regex command files with table output

* Move regex files to validate package

* Fix lint errors

* Fix lint errors
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.26.7 to 3.27.0.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@8214744...6624720)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [actions/checkout](https://github.com/actions/checkout) from 4.1.7 to 4.2.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@692973e...11bd719)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [sigs.k8s.io/release-utils](https://github.com/kubernetes-sigs/release-utils) from 0.8.4 to 0.8.5.
- [Release notes](https://github.com/kubernetes-sigs/release-utils/releases)
- [Commits](kubernetes-sigs/release-utils@v0.8.4...v0.8.5)

---
updated-dependencies:
- dependency-name: sigs.k8s.io/release-utils
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.28.0 to 0.30.0.
- [Commits](golang/net@v0.28.0...v0.30.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [github.com/jedib0t/go-pretty/v6](https://github.com/jedib0t/go-pretty) from 6.5.9 to 6.6.1.
- [Release notes](https://github.com/jedib0t/go-pretty/releases)
- [Commits](jedib0t/go-pretty@v6.5.9...v6.6.1)

---
updated-dependencies:
- dependency-name: github.com/jedib0t/go-pretty/v6
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) from 6.1.0 to 6.1.1.
- [Release notes](https://github.com/golangci/golangci-lint-action/releases)
- [Commits](golangci/golangci-lint-action@aaa42aa...971e284)

---
updated-dependencies:
- dependency-name: golangci/golangci-lint-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [anchore/sbom-action](https://github.com/anchore/sbom-action) from 0.17.2 to 0.17.5.
- [Release notes](https://github.com/anchore/sbom-action/releases)
- [Changelog](https://github.com/anchore/sbom-action/blob/main/RELEASE.md)
- [Commits](anchore/sbom-action@61119d4...1ca97d9)

---
updated-dependencies:
- dependency-name: anchore/sbom-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [github.com/fatih/color](https://github.com/fatih/color) from 1.17.0 to 1.18.0.
- [Release notes](https://github.com/fatih/color/releases)
- [Commits](fatih/color@v1.17.0...v1.18.0)

---
updated-dependencies:
- dependency-name: github.com/fatih/color
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…206)

Bumps [github.com/open-policy-agent/opa](https://github.com/open-policy-agent/opa) from 0.67.1 to 0.70.0.
- [Release notes](https://github.com/open-policy-agent/opa/releases)
- [Changelog](https://github.com/open-policy-agent/opa/blob/main/CHANGELOG.md)
- [Commits](open-policy-agent/opa@v0.67.1...v0.70.0)

---
updated-dependencies:
- dependency-name: github.com/open-policy-agent/opa
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* Fix lint errors in pre-main

* Fix tests

* Fix GoVet errors

* Fix static check errors

* Fix TOMANYREQUESTS err for Trivy step
…213)

* Initial regex command files

* Initial regex command files with table output

* First cut of Llama3 integration with Ollama APIs

Signed-off-by: Santosh <ksantosh@intelops.dev>

* Initialize the config in llm

* Make NewOllamaClient a method on Config

* More updates to llm pkg

Merged OllamaClient in the config struct and removed a redundant
ollamaClient struct.

* Make endpoint dynamic

created a function to create a default endpoint and use it in case
--endpoint == "", else use e.Host, e.Port

Update envconfig to use env variables for LLM parameters

* Fix Scheme

* More Endpoint fixes

* Add PoC for OpenAI integration

Signed-off-by: Santosh <ksantosh@intelops.dev>

* WIP - Enhancing system prompts with examples

* WIP: integrating charmbracelet/bubbletea

* WIP: working bubbletea integration for --assistant and --prompt

* first working code for textarea for user-prompt with cursor movements

* Add Regx policy generation to AI

* Initial set of files for new setup

* Initial AI files

* Initial working code for genai init command

* Extract supported tools out of code to init directory

remove backend and API configs collection from init command

First working code for
- genai init command that downloads all the required systemPrompts and list of supported tools to user's local directory
- genai command that pulls the markdown file from local and checks if the user has provided a supported tool in genai args
- Maps supported tool with the available systemPrompt stored in user's local and pulls for generating the Chat completion

* Initial set of updated genai command with config yaml support

* Initial set of updated genai command with config yaml support-1

* Initial set of updated genai command with config yaml support-2
TODO: Add validation to check if valid parameters are supplied by the user

* First working implementation of genai with config YAML integration

* Implementation that accepts config yaml and CLI flags to interact with LLM

* Update genai command with config flag to accept YAML configuration

* Add new sample config files

* Add initial config

* Incomplete code

* Initial code (working)

* initial working set TODO: move Model to Common

* Issue with No LLMParams read

* Added updated config file structure

* Updated structs aligning YAML structure

* Built with no errors (Needs fixes and refactor)

* First iteration of working LLM implementation with updated config file.
- TODO: Refactor redundant code
- TODO: Test with multiple models from same vendor
- TODO: Test Ollama backend

* Add TODOs

* Add spinner and wait message to users, Add SelectActiveAssistant()

* Prioritize assistant defined in LLMSpec over Common

* Fix conflicts

* Fix lint errors

* Fix lint errors

---------

Signed-off-by: Santosh <ksantosh@intelops.dev>
Bumps [github.com/hashicorp/hcl/v2](https://github.com/hashicorp/hcl) from 2.21.0 to 2.23.0.
- [Release notes](https://github.com/hashicorp/hcl/releases)
- [Changelog](https://github.com/hashicorp/hcl/blob/main/CHANGELOG.md)
- [Commits](hashicorp/hcl@v2.21.0...v2.23.0)

---
updated-dependencies:
- dependency-name: github.com/hashicorp/hcl/v2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.27.0 to 3.27.4.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@6624720...ea9e4e3)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [golang.org/x/oauth2](https://github.com/golang/oauth2) from 0.22.0 to 0.24.0.
- [Commits](golang/oauth2@v0.22.0...v0.24.0)

---
updated-dependencies:
- dependency-name: golang.org/x/oauth2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [anchore/sbom-action](https://github.com/anchore/sbom-action) from 0.17.5 to 0.17.7.
- [Release notes](https://github.com/anchore/sbom-action/releases)
- [Changelog](https://github.com/anchore/sbom-action/blob/main/RELEASE.md)
- [Commits](anchore/sbom-action@1ca97d9...fc46e51)

---
updated-dependencies:
- dependency-name: anchore/sbom-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action) from 6.0.0 to 6.1.0.
- [Release notes](https://github.com/goreleaser/goreleaser-action/releases)
- [Commits](goreleaser/goreleaser-action@286f3b1...9ed2f89)

---
updated-dependencies:
- dependency-name: goreleaser/goreleaser-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [github.com/sigstore/cosign/v2](https://github.com/sigstore/cosign) from 2.4.0 to 2.4.1.
- [Release notes](https://github.com/sigstore/cosign/releases)
- [Changelog](https://github.com/sigstore/cosign/blob/main/CHANGELOG.md)
- [Commits](sigstore/cosign@v2.4.0...v2.4.1)

---
updated-dependencies:
- dependency-name: github.com/sigstore/cosign/v2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps cuelang.org/go from 0.10.0 to 0.10.1.

---
updated-dependencies:
- dependency-name: cuelang.org/go
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Santosh Kaluskar <141515226+santoshkal@users.noreply.github.com>
- Extracted passed and failed result counts from ValidateWithRego()
- Added a new bool flag --takeaction, if set to true will skip printing results and pass the results to cfg.GenerateOpenAIResponse()
- Extracted []Results from ValidateWithRego() for passing it to cfg.GenerateOpenAIResponse() as userPrompt combining it with reqinput
- Need to integrate the LLM Config with other Genval Commands when interacting with AI
… by genval Rego workflow.

- As there is no config passed by the user currently, the config for AI is included in the cmd func.
- Need to only extract Dockerfile from the LLM response, so that it be passed back to Validator for final validation with Rego
… by genval Rego workflow.

- As there is no config passed by the user currently, the config for AI is included in the cmd func.
- Now, the Final Dockerfile is written to the pre-defined path provided in
- TODO: provide the updated Dockerfile and only the failed results as userPrompt at each iteration.
- Print Final Dockerfile on the terminal in addition to writing that to the output path provided
- Print the diff of original and the Final Dockerfile
santoshkal and others added 22 commits December 27, 2024 14:39
TODO: Remove all the debug print lines of traces in rego.Eval()
TODO: Refactor the flag parsing with viper.BindFlg wrapper funcs
TODO: Merge the YAML config from CEL and Regex policy to the existing for consistency
TODO: Make PrintResults func consistent across all techs validation
TODO: Implement validation remediation for regex and CEL
TODO: Add remediation to Infrafile and Terraform
…n of Cue validation and generation Update examples in Cmds
Bumps [anchore/sbom-action](https://github.com/anchore/sbom-action) from 0.17.7 to 0.18.0.
- [Release notes](https://github.com/anchore/sbom-action/releases)
- [Changelog](https://github.com/anchore/sbom-action/blob/main/RELEASE.md)
- [Commits](anchore/sbom-action@fc46e51...f325610)

---
updated-dependencies:
- dependency-name: anchore/sbom-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.27.4 to 3.28.5.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@ea9e4e3...f6091c0)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [actions/setup-go](https://github.com/actions/setup-go) from 5.1.0 to 5.3.0.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](actions/setup-go@41dfa10...f111f33)

---
updated-dependencies:
- dependency-name: actions/setup-go
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [github.com/google/cel-go](https://github.com/google/cel-go) from 0.21.0 to 0.23.0.
- [Release notes](https://github.com/google/cel-go/releases)
- [Commits](google/cel-go@v0.21.0...v0.23.0)

---
updated-dependencies:
- dependency-name: github.com/google/cel-go
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps cuelang.org/go from 0.11.1 to 0.11.2.

---
updated-dependencies:
- dependency-name: cuelang.org/go
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [github.com/zclconf/go-cty](https://github.com/zclconf/go-cty) from 1.15.0 to 1.16.2.
- [Release notes](https://github.com/zclconf/go-cty/releases)
- [Changelog](https://github.com/zclconf/go-cty/blob/main/CHANGELOG.md)
- [Commits](zclconf/go-cty@v1.15.0...v1.16.2)

---
updated-dependencies:
- dependency-name: github.com/zclconf/go-cty
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [github.com/briandowns/spinner](https://github.com/briandowns/spinner) from 1.23.1 to 1.23.2.
- [Release notes](https://github.com/briandowns/spinner/releases)
- [Commits](briandowns/spinner@v1.23.1...v1.23.2)

---
updated-dependencies:
- dependency-name: github.com/briandowns/spinner
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* WIP: Migrate from sashasarabanov/openai-go to langchaingo

* Refactor LLM client and update remediation logic with Langchaingo

* Fix Stylecheck lint errors

* Fix Stylecheck lint errors

* Fix Stylecheck lint errors

* Fix: Print infrafile output in YAML format

* Fix method name style check

* Fix method name style check
@santoshkal santoshkal closed this Mar 25, 2025
@dryrunsecurity

DryRun Security Summary

The security review reveals multiple vulnerabilities across the repository, including potential credential exposure, file permission risks, input validation concerns, AI remediation security risks, and deployment configuration weaknesses.

Here's the security review based on the provided changes:

PR Summary: Multiple updates across the repository, including dependency updates, new CLI commands, configuration enhancements, and workflow modifications for the GenAI validation tool.

Security Findings:

1. Critical Security Issue in demos/notes.md:
   - Shell command retrieving an OpenAI API key and copying it to clipboard
   - Potential credential exposure and clipboard security risk
2. Potential Sensitive Information Exposure:
   - Multiple files (cmd/celval_dockerfileval.go, cmd/regoval_terraform.go, etc.) reference hardcoded or configuration-based API keys
   - Risk of credential leakage if configuration files are not properly secured
3. File Permission Vulnerabilities:
   - Multiple files write output with 0o644 permissions
   - Potential information disclosure through readable files
   - Examples in cmd/celval_dockerfileval.go, cmd/regoval_terraform.go
4. Input Validation Concerns:
   - Limited input validation for file paths and URLs in several commands
   - Potential path traversal or injection attack risks
   - Found in files like cmd/regx.go, cmd/celval_infrafile.go
5. AI Remediation Security Risks:
   - Several commands introduce AI-powered remediation features
   - Potential security concerns with sending sensitive content to external AI services
   - Found in cmd/regoval_dockerfileval.go, cmd/celval_terraform.go
6. Error Handling Information Disclosure:
   - Some commands use log.Fatalf() which might expose sensitive error details
   - Potential for unintended information leakage
   - Observed in cmd/regx.go
7. Deployment Configuration Weaknesses:
   - Kubernetes deployment manifests lack security context and resource constraints
   - No network policies or pod security policies defined
   - Found in deploy.json, finalDeployment.json, finalDeployment.yaml
8. Dependency Update Considerations:
   - New dependencies like github.com/ollama/ollama and github.com/tmc/langchaingo introduce potential new attack surfaces

These findings highlight the need for careful security review and implementation of best practices across the project.

@santoshkal santoshkal deleted the update-deps branch March 25, 2025 07:25