fixup! test(e2e): Use trivy-operator for CIS benchmark

Author: jimmidyson

.github/workflows/e2e.yml

@@ -105,10 +105,15 @@ jobs:
           RUN_CIS_BENCHMARK: ${{ inputs.run-cis-benchmark }}
 
       - name: Add job summary for CIS benchmark
-        if: inputs.run-cis-benchmark
+        if: failure() && inputs.run-cis-benchmark
         run: |
-          echo "## CIS Benchmark" >>"${GITHUB_STEP_SUMMARY}"
-          cat test/e2e/cis-benchmark-report.txt >>"${GITHUB_STEP_SUMMARY}"
+          {
+            echo '## CIS Benchmark';
+            echo;
+            echo '```plain';
+            cat test/e2e/cis-benchmark-report.txt;
+            echo '```';
+          } >>"${GITHUB_STEP_SUMMARY}"
 
       - if: success() || failure() # always run even if the previous step fails
         name: Publish e2e test report

.gitignore

@@ -50,3 +50,4 @@ test/e2e/config/caren-envsubst.yaml
 hack/tools/fetch-images/fetch-images
 caren-images.txt
 hack/examples/release/*-cluster-class.yaml
+test/e2e/cis-benchmark-report.txt

devbox.json

@@ -31,13 +31,13 @@
     "rsync@latest",
     "setup-envtest@latest",
     "shfmt@latest",
-    "trivy@latest",
     "yamale@latest",
     "yamllint@latest",
     "yq-go@latest",
     "path:./hack/flakes#clusterctl-aws",
     "path:./hack/flakes#goprintconst",
     "path:./hack/flakes#helm-with-plugins",
+    "path:./hack/flakes#kubescape",
     "path:./hack/flakes#release-please"
   ],
   "shell": {

devbox.lock

@@ -1720,54 +1720,6 @@
         }
       }
     },
-    "trivy@latest": {
-      "last_modified": "2025-04-28T01:45:31Z",
-      "resolved": "github:NixOS/nixpkgs/29335f23bea5e34228349ea739f31ee79e267b88#trivy",
-      "source": "devbox-search",
-      "version": "0.61.1",
-      "systems": {
-        "aarch64-darwin": {
-          "outputs": [
-            {
-              "name": "out",
-              "path": "/nix/store/4s34i0ml8hxficr4v7csyigg4dy2pxhp-trivy-0.61.1",
-              "default": true
-            }
-          ],
-          "store_path": "/nix/store/4s34i0ml8hxficr4v7csyigg4dy2pxhp-trivy-0.61.1"
-        },
-        "aarch64-linux": {
-          "outputs": [
-            {
-              "name": "out",
-              "path": "/nix/store/7ggs35rbylfxapxswngs0pvpisqj3cjz-trivy-0.61.1",
-              "default": true
-            }
-          ],
-          "store_path": "/nix/store/7ggs35rbylfxapxswngs0pvpisqj3cjz-trivy-0.61.1"
-        },
-        "x86_64-darwin": {
-          "outputs": [
-            {
-              "name": "out",
-              "path": "/nix/store/fs9lzjqj925m9kqvlgvvrs4q4lq6f0ps-trivy-0.61.1",
-              "default": true
-            }
-          ],
-          "store_path": "/nix/store/fs9lzjqj925m9kqvlgvvrs4q4lq6f0ps-trivy-0.61.1"
-        },
-        "x86_64-linux": {
-          "outputs": [
-            {
-              "name": "out",
-              "path": "/nix/store/vcqkzvwxzxij69i2jaxmfkx4zl0ywlv6-trivy-0.61.1",
-              "default": true
-            }
-          ],
-          "store_path": "/nix/store/vcqkzvwxzxij69i2jaxmfkx4zl0ywlv6-trivy-0.61.1"
-        }
-      }
-    },
     "yamale@latest": {
       "last_modified": "2025-03-11T17:52:14Z",
       "resolved": "github:NixOS/nixpkgs/0d534853a55b5d02a4ababa1d71921ce8f0aee4c#yamale",

hack/flakes/flake.nix

@@ -106,6 +106,23 @@
               helm-schema
             ];
           };
+
+          kubescape = buildGo124Module rec {
+            name = "kubescape";
+            version = "3.0.34";
+            src = fetchFromGitHub {
+              owner = "kubescape";
+              repo = "kubescape";
+              tag = "v${version}";
+              hash = "sha256-dZPSnq2kLbgD/QxdDpYnAiIvXOXAgO2dXWWG6ijRUsQ=";
+              fetchSubmodules = true;
+            };
+            doCheck = false;
+            subPackages = [ "." ];
+            proxyVendor = true;
+            vendorHash = "sha256-+HMT8MnBc5N/19+hYtY8A4mw3IaXyvjx2a2+GnksV/4=";
+            ldflags = [ "-s" "-w" "-X=github.com/kubescape/kubescape/v3/core/cautils.BuildNumber=v${version}" ];
+          };
         };
 
         formatter = alejandra;

test/e2e/quick_start_test.go

@@ -9,7 +9,6 @@ import (
 	"fmt"
 	"os"
 	"os/exec"
-	"path/filepath"
 	"slices"
 	"strconv"
 	"strings"
@@ -313,29 +312,43 @@ var _ = Describe("Quick start", func() {
 												if os.Getenv("RUN_CIS_BENCHMARK") == "true" {
 													By("Running CIS benchmark against workload cluster")
 
-													trivyCmd := exec.Command( //nolint:gosec // Only used for testing so safe here.
-														"trivy",
-														"k8s",
-														"--compliance=k8s-cis-1.23",
-														"--disable-node-collector",
-														"--report=summary",
-														fmt.Sprintf(
-															"--output=%s",
-															filepath.Join(
-																os.Getenv("GIT_REPO_ROOT"),
-																"cis-benchmark-report.txt",
-															),
-														),
+													kubescapeInstallCmd := exec.Command( //nolint:gosec // Only used for testing so safe here.
+														"helm",
+														"upgrade",
+														"--install",
+														"kubescape",
+														"--repo=https://kubescape.github.io/helm-charts/",
+														"kubescape-operator",
+														"--namespace=kubescape",
+														"--create-namespace",
+														"--wait",
+														"--wait-for-jobs",
 														fmt.Sprintf(
 															"--kubeconfig=%s",
 															workloadProxy.GetKubeconfigPath(),
 														),
 													)
+													kubescapeInstallCmd.Stdout = GinkgoWriter
+													kubescapeInstallCmd.Stderr = GinkgoWriter
+													Expect(
+														kubescapeInstallCmd.Run(),
+													).To(Succeed(), "kubescape operator installation failed")
 
-													trivyCmd.Stdout = GinkgoWriter
-													trivyCmd.Stderr = GinkgoWriter
+													kubescapeScanCmd := exec.Command( //nolint:gosec // Only used for testing so safe here.
+														"kubescape",
+														"scan",
+														"framework",
+														"cis-v1.10.0",
+														"--output=test/e2e/cis-benchmark-results.txt",
+														"--kubeconfig",
+														workloadProxy.GetKubeconfigPath(),
+													)
+													kubescapeScanCmd.Stdout = GinkgoWriter
+													kubescapeScanCmd.Stderr = GinkgoWriter
 
-													Expect(trivyCmd.Run()).To(Succeed(), "CIS benchmark failed")
+													Expect(
+														kubescapeScanCmd.Run(),
+													).To(Succeed(), "CIS benchmark scan failed")
 												}
 											},
 										}