Merge branch 'main' into john/prod-3699-add-renderer-pipeline-support…

2fdeb2d
Open

feat: add renderer pipeline support to manifest generation in #483

GitHub Advanced Security / Trivy failed Aug 27, 2025 in 5s

65 new alerts including 10 high severity security vulnerabilities

New alerts in code changed by this pull request

Security Alerts:

  • 10 high
  • 13 medium
  • 42 low

See annotations below for details.

Annotations

Check notice on line 7 in test/mixed/helm/yet-another-cloudwatch-exporter/templates/job.yaml

Code scanning / Trivy

Workloads in the default namespace Low test

Artifact: test/mixed/helm/yet-another-cloudwatch-exporter/templates/job.yaml
Type: kubernetes
Vulnerability KSV110
Severity: LOW
Message: job pi in default namespace should set metadata.namespace to a non-default namespace
Link: KSV110

Check failure on line 15 in test/mixed/helm/yet-another-cloudwatch-exporter/templates/job.yaml

Code scanning / Trivy

Default security context configured High test

Artifact: test/mixed/helm/yet-another-cloudwatch-exporter/templates/job.yaml
Type: kubernetes
Vulnerability KSV118
Severity: HIGH
Message: job pi in default namespace is using the default security context, which allows root privileges
Link: KSV118

Check warning on line 14 in test/mixed/helm/yet-another-cloudwatch-exporter/templates/job.yaml

Code scanning / Trivy

Can elevate its own privileges Medium test

Artifact: test/mixed/helm/yet-another-cloudwatch-exporter/templates/job.yaml
Type: kubernetes
Vulnerability KSV001
Severity: MEDIUM
Message: Container 'pi' of Job 'pi' should set 'securityContext.allowPrivilegeEscalation' to false
Link: KSV001

Check notice on line 14 in test/mixed/helm/yet-another-cloudwatch-exporter/templates/job.yaml

Code scanning / Trivy

Default capabilities: some containers do not drop all Low test

Artifact: test/mixed/helm/yet-another-cloudwatch-exporter/templates/job.yaml
Type: kubernetes
Vulnerability KSV003
Severity: LOW
Message: Container 'pi' of Job 'pi' should add 'ALL' to 'securityContext.capabilities.drop'
Link: KSV003

Check notice on line 14 in test/mixed/helm/yet-another-cloudwatch-exporter/templates/job.yaml

Code scanning / Trivy

Default capabilities: some containers do not drop any Low test

Artifact: test/mixed/helm/yet-another-cloudwatch-exporter/templates/job.yaml
Type: kubernetes
Vulnerability KSV004
Severity: LOW
Message: Container 'pi' of 'job' 'pi' in 'default' namespace should set securityContext.capabilities.drop
Link: KSV004

Check notice on line 14 in test/mixed/helm/yet-another-cloudwatch-exporter/templates/job.yaml

Code scanning / Trivy

CPU not limited Low test

Artifact: test/mixed/helm/yet-another-cloudwatch-exporter/templates/job.yaml
Type: kubernetes
Vulnerability KSV011
Severity: LOW
Message: Container 'pi' of Job 'pi' should set 'resources.limits.cpu'
Link: KSV011

Check warning on line 14 in test/mixed/helm/yet-another-cloudwatch-exporter/templates/job.yaml

Code scanning / Trivy

Runs as root user Medium test

Artifact: test/mixed/helm/yet-another-cloudwatch-exporter/templates/job.yaml
Type: kubernetes
Vulnerability KSV012
Severity: MEDIUM
Message: Container 'pi' of Job 'pi' should set 'securityContext.runAsNonRoot' to true
Link: KSV012

Check failure on line 14 in test/mixed/helm/yet-another-cloudwatch-exporter/templates/job.yaml

Code scanning / Trivy

Root file system is not read-only High test

Artifact: test/mixed/helm/yet-another-cloudwatch-exporter/templates/job.yaml
Type: kubernetes
Vulnerability KSV014
Severity: HIGH
Message: Container 'pi' of Job 'pi' should set 'securityContext.readOnlyRootFilesystem' to true
Link: KSV014

Check notice on line 14 in test/mixed/helm/yet-another-cloudwatch-exporter/templates/job.yaml

Code scanning / Trivy

CPU requests not specified Low test

Artifact: test/mixed/helm/yet-another-cloudwatch-exporter/templates/job.yaml
Type: kubernetes
Vulnerability KSV015
Severity: LOW
Message: Container 'pi' of Job 'pi' should set 'resources.requests.cpu'
Link: KSV015

Check notice on line 14 in test/mixed/helm/yet-another-cloudwatch-exporter/templates/job.yaml

Code scanning / Trivy

Memory requests not specified Low test

Artifact: test/mixed/helm/yet-another-cloudwatch-exporter/templates/job.yaml
Type: kubernetes
Vulnerability KSV016
Severity: LOW
Message: Container 'pi' of Job 'pi' should set 'resources.requests.memory'
Link: KSV016

Check notice on line 14 in test/mixed/helm/yet-another-cloudwatch-exporter/templates/job.yaml

Code scanning / Trivy

Memory not limited Low test

Artifact: test/mixed/helm/yet-another-cloudwatch-exporter/templates/job.yaml
Type: kubernetes
Vulnerability KSV018
Severity: LOW
Message: Container 'pi' of Job 'pi' should set 'resources.limits.memory'
Link: KSV018

Check notice on line 14 in test/mixed/helm/yet-another-cloudwatch-exporter/templates/job.yaml

Code scanning / Trivy

Runs with UID <= 10000 Low test

Artifact: test/mixed/helm/yet-another-cloudwatch-exporter/templates/job.yaml
Type: kubernetes
Vulnerability KSV020
Severity: LOW
Message: Container 'pi' of Job 'pi' should set 'securityContext.runAsUser' > 10000
Link: KSV020

Check notice on line 14 in test/mixed/helm/yet-another-cloudwatch-exporter/templates/job.yaml

Code scanning / Trivy

Runs with GID <= 10000 Low test

Artifact: test/mixed/helm/yet-another-cloudwatch-exporter/templates/job.yaml
Type: kubernetes
Vulnerability KSV021
Severity: LOW
Message: Container 'pi' of Job 'pi' should set 'securityContext.runAsGroup' > 10000
Link: KSV021

Check notice on line 14 in test/mixed/helm/yet-another-cloudwatch-exporter/templates/job.yaml

Code scanning / Trivy

Runtime/Default Seccomp profile not set Low test

Artifact: test/mixed/helm/yet-another-cloudwatch-exporter/templates/job.yaml
Type: kubernetes
Vulnerability KSV030
Severity: LOW
Message: Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'
Link: KSV030

Check warning on line 14 in test/mixed/helm/yet-another-cloudwatch-exporter/templates/job.yaml

Code scanning / Trivy

Seccomp policies disabled Medium test

Artifact: test/mixed/helm/yet-another-cloudwatch-exporter/templates/job.yaml
Type: kubernetes
Vulnerability KSV104
Severity: MEDIUM
Message: container "pi" of job "pi" in "default" namespace should specify a seccomp profile
Link: KSV104

Check notice on line 14 in test/mixed/helm/yet-another-cloudwatch-exporter/templates/job.yaml

Code scanning / Trivy

Container capabilities must only include NET_BIND_SERVICE Low test

Artifact: test/mixed/helm/yet-another-cloudwatch-exporter/templates/job.yaml
Type: kubernetes
Vulnerability KSV106
Severity: LOW
Message: container should drop all
Link: KSV106

Check failure on line 14 in test/mixed/helm/yet-another-cloudwatch-exporter/templates/job.yaml

Code scanning / Trivy

Default security context configured High test

Artifact: test/mixed/helm/yet-another-cloudwatch-exporter/templates/job.yaml
Type: kubernetes
Vulnerability KSV118
Severity: HIGH
Message: container pi in default namespace is using the default security context
Link: KSV118

Check notice on line 4 in test/mixed/kustomize/base/deployment.yaml

Code scanning / Trivy

Workloads in the default namespace Low test

Artifact: test/mixed/kustomize/base/deployment.yaml
Type: kubernetes
Vulnerability KSV110
Severity: LOW
Message: deployment my-app in default namespace should set metadata.namespace to a non-default namespace
Link: KSV110

Check failure on line 26 in test/mixed/kustomize/base/deployment.yaml

Code scanning / Trivy

Default security context configured High test

Artifact: test/mixed/kustomize/base/deployment.yaml
Type: kubernetes
Vulnerability KSV118
Severity: HIGH
Message: deployment my-app in default namespace is using the default security context, which allows root privileges
Link: KSV118

Check warning on line 26 in test/mixed/kustomize/base/deployment.yaml

Code scanning / Trivy

Can elevate its own privileges Medium test

Artifact: test/mixed/kustomize/base/deployment.yaml
Type: kubernetes
Vulnerability KSV001
Severity: MEDIUM
Message: Container 'my-app' of Deployment 'my-app' should set 'securityContext.allowPrivilegeEscalation' to false
Link: KSV001

Check notice on line 26 in test/mixed/kustomize/base/deployment.yaml

Code scanning / Trivy

Default capabilities: some containers do not drop all Low test

Artifact: test/mixed/kustomize/base/deployment.yaml
Type: kubernetes
Vulnerability KSV003
Severity: LOW
Message: Container 'my-app' of Deployment 'my-app' should add 'ALL' to 'securityContext.capabilities.drop'
Link: KSV003

Check notice on line 26 in test/mixed/kustomize/base/deployment.yaml

Code scanning / Trivy

Default capabilities: some containers do not drop any Low test

Artifact: test/mixed/kustomize/base/deployment.yaml
Type: kubernetes
Vulnerability KSV004
Severity: LOW
Message: Container 'my-app' of 'deployment' 'my-app' in 'default' namespace should set securityContext.capabilities.drop
Link: KSV004

Check warning on line 26 in test/mixed/kustomize/base/deployment.yaml

Code scanning / Trivy

Runs as root user Medium test

Artifact: test/mixed/kustomize/base/deployment.yaml
Type: kubernetes
Vulnerability KSV012
Severity: MEDIUM
Message: Container 'my-app' of Deployment 'my-app' should set 'securityContext.runAsNonRoot' to true
Link: KSV012

Check failure on line 26 in test/mixed/kustomize/base/deployment.yaml

Code scanning / Trivy

Root file system is not read-only High test

Artifact: test/mixed/kustomize/base/deployment.yaml
Type: kubernetes
Vulnerability KSV014
Severity: HIGH
Message: Container 'my-app' of Deployment 'my-app' should set 'securityContext.readOnlyRootFilesystem' to true
Link: KSV014

Check notice on line 26 in test/mixed/kustomize/base/deployment.yaml

Code scanning / Trivy

CPU requests not specified Low test

Artifact: test/mixed/kustomize/base/deployment.yaml
Type: kubernetes
Vulnerability KSV015
Severity: LOW
Message: Container 'my-app' of Deployment 'my-app' should set 'resources.requests.cpu'
Link: KSV015