Start fixing the gh action warnings

Author: mbaldessari

.github/linters/trivy.yaml

@@ -0,0 +1,13 @@
+scan:
+  scanners:
+    - vuln
+    - secret
+    - config
+  severities:
+    - MEDIUM
+    - CRITICAL
+    - HIGH
+ignore:
+  # List of check IDs or vulnerability IDs to skip
+  # deployment in default namespace should set metadata.namespace to a non-default namespace. This is silly in argo
+  - AVD-KSV-0110 

charts/all/config-demo/templates/config-demo-deployment.yaml

@@ -18,6 +18,12 @@ spec:
         deploymentconfig: config-demo
       name: config-demo
     spec:
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 10001
+        runAsGroup: 10001
+        seccompProfile:
+          type: RuntimeDefault
       containers:
       - name: apache
         image: registry.access.redhat.com/ubi8/httpd-24:1-226
@@ -32,7 +38,32 @@ spec:
         - mountPath: /var/www/html/secret
           readOnly: true
           name: config-demo-secret
-        resources: {}
+        - mountPath: /tmp
+          name: tmp-volume
+        - mountPath: /var/cache/httpd
+          name: cache-volume
+        - mountPath: /var/run/httpd
+          name: run-volume
+        resources:
+          requests:
+            cpu: 100m
+            memory: 128Mi
+          limits:
+            cpu: 500m
+            memory: 256Mi
+        securityContext:
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          runAsUser: 10001
+          runAsGroup: 10001
+          capabilities:
+            drop:
+            - ALL
+            add:
+            - NET_BIND_SERVICE
+          seccompProfile:
+            type: RuntimeDefault
         terminationMessagePath: /dev/termination-log
         terminationMessagePolicy: File
         livenessProbe:
@@ -63,3 +94,9 @@ spec:
       - name: config-demo-secret
         secret:
           secretName: config-demo-secret
+      - name: tmp-volume
+        emptyDir: {}
+      - name: cache-volume
+        emptyDir: {}
+      - name: run-volume
+        emptyDir: {}

charts/all/hello-world/templates/hello-world-deployment.yaml

@@ -17,6 +17,12 @@ spec:
         deploymentconfig: hello-world
       name: hello-world
     spec:
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 10001
+        runAsGroup: 10001
+        seccompProfile:
+          type: RuntimeDefault
       containers:
       - name: apache
         image: registry.access.redhat.com/ubi8/httpd-24:1-226
@@ -28,7 +34,32 @@ spec:
         volumeMounts:
         - mountPath: /var/www/html
           name: hello-world-configmap
-        resources: {}
+        - mountPath: /tmp
+          name: tmp-volume
+        - mountPath: /var/cache/httpd
+          name: cache-volume
+        - mountPath: /var/run/httpd
+          name: run-volume
+        resources:
+          requests:
+            cpu: 100m
+            memory: 128Mi
+          limits:
+            cpu: 500m
+            memory: 256Mi
+        securityContext:
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          runAsUser: 10001
+          runAsGroup: 10001
+          capabilities:
+            drop:
+            - ALL
+            add:
+            - NET_BIND_SERVICE
+          seccompProfile:
+            type: RuntimeDefault
         terminationMessagePath: /dev/termination-log
         terminationMessagePolicy: File
         livenessProbe:
@@ -56,3 +87,9 @@ spec:
         configMap:
           defaultMode: 438
           name: hello-world-configmap
+      - name: tmp-volume
+        emptyDir: {}
+      - name: cache-volume
+        emptyDir: {}
+      - name: run-volume
+        emptyDir: {}