Sec-fixes

Dockerfile

@@ -1,7 +1,7 @@
 ARG BASE_IMAGE=docker.io/library/ubuntu:22.04
 
 ### Base
-FROM $BASE_IMAGE as base
+FROM $BASE_IMAGE AS base
 
 USER root
 
@@ -25,7 +25,7 @@ USER 999
 WORKDIR /home/autopilot
 
 ### Build
-FROM docker.io/library/golang:1.22 as build
+FROM docker.io/library/golang:1.23 AS build
 
 WORKDIR /go/src/github.com/argoproj-labs/argocd-autopilot
 

Makefile

@@ -163,4 +163,4 @@ $(GOBIN)/mockgen:
 $(GOBIN)/golangci-lint:
 	@mkdir dist || true
 	@echo installing: golangci-lint
-	@curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(GOBIN) v1.55.2
+	@curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(GOBIN) v1.61.0

build/ci.yml

@@ -19,7 +19,7 @@ steps:
   prepare_env_vars: &deps
     stage: Prepare
     title: prepare-env
-    image: quay.io/codefresh/golang-ci-helper:1.22
+    image: quay.io/codefresh/golang-ci-helper:1.23
     commands:
       - cf_export GO111MODULE=on
       - cf_export GOCACHE=/codefresh/volume/gocache # change gopath to codefresh shared volume
@@ -86,7 +86,7 @@ steps:
 
   codecov-report:
     stage: Test
-    type: codecov-reporter
+    type: codecov-reporter:2.1.0
     title: report code coverage
     arguments:
       codecov_integration: ${{CODECOV_INTEGRATION}}
@@ -119,18 +119,12 @@ steps:
       - SNYK_TOKEN=${{SNYK_TOKEN}}
       - LOCAL_IMAGE_REF=${{IMAGE_NAME}}:${{CF_BRANCH_TAG_NORMALIZED_LOWER_CASE}}
     commands:
-      - |
-        snyk test --severity-threshold=${{SNYK_SEVERITY_THRESHOLD}} || fail=1
-        snyk container test --severity-threshold=${{SNYK_SEVERITY_THRESHOLD}} --file=Dockerfile ${LOCAL_IMAGE_REF}
-        if [ "$fail" == "1" ]; then exit 1; fi
+      - snyk container test --severity-threshold=${{SNYK_SEVERITY_THRESHOLD}} --file=Dockerfile ${LOCAL_IMAGE_REF}
     when:
       steps:
         - name: build
           on:
             - success
-        - name: codegen
-          on:
-            - success
 
   push_dev:
     stage: Push Dev

build/release.yml

@@ -20,7 +20,7 @@ steps:
   check_version: &deps
     stage: Prepare
     title: check version
-    image: quay.io/codefresh/golang-ci-helper:1.22
+    image: quay.io/codefresh/golang-ci-helper:1.23
     commands:
     - cf_export GO111MODULE=on
     - cf_export GOCACHE=/codefresh/volume/gocache # change gopath to codefresh shared volume

build/sanity.yml

@@ -18,7 +18,7 @@ steps:
   prep: &deps
     stage: "prepare"
     title: "prepare env vars"
-    image: quay.io/codefresh/golang-ci-helper:1.22
+    image: quay.io/codefresh/golang-ci-helper:1.23
     commands:
     - cf_export GO111MODULE=on
     - cf_export NAMESPACE=${{KUBE_NAMESPACE}}-$(date "+%M-%S")

cmd/commands/app.go

@@ -476,7 +476,7 @@ func RunAppDelete(ctx context.Context, opts *AppDeleteOptions) error {
 	appDir := repofs.Join(store.Default.AppsDir, opts.AppName)
 	appExists := repofs.ExistsOrDie(appDir)
 	if !appExists {
-		return fmt.Errorf(util.Doc(fmt.Sprintf("application '%s' not found", opts.AppName)))
+		return errors.New(util.Doc(fmt.Sprintf("application '%s' not found", opts.AppName)))
 	}
 
 	var dirToRemove string
@@ -493,7 +493,7 @@ func RunAppDelete(ctx context.Context, opts *AppDeleteOptions) error {
 		appProjectDir := repofs.Join(appOverlaysDir, opts.ProjectName)
 		overlayExists := repofs.ExistsOrDie(appProjectDir)
 		if !overlayExists {
-			return fmt.Errorf(util.Doc(fmt.Sprintf("application '%s' not found in project '%s'", opts.AppName, opts.ProjectName)))
+			return errors.New(util.Doc(fmt.Sprintf("application '%s' not found in project '%s'", opts.AppName, opts.ProjectName)))
 		}
 
 		allOverlays, err := repofs.ReadDir(appOverlaysDir)

cmd/commands/common.go

@@ -3,6 +3,7 @@ package commands
 import (
 	"context"
 	_ "embed"
+	"errors"
 	"fmt"
 	"os"
 	"time"
@@ -16,8 +17,8 @@ import (
 	"github.com/argoproj-labs/argocd-autopilot/pkg/util"
 
 	argocdv1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
-	"github.com/ghodss/yaml"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"sigs.k8s.io/yaml"
 )
 
 // used for mocking
@@ -63,7 +64,7 @@ var (
 		if projectName != "" {
 			projExists := repofs.ExistsOrDie(repofs.Join(store.Default.ProjectsDir, projectName+".yaml"))
 			if !projExists {
-				return nil, nil, fmt.Errorf(util.Doc(fmt.Sprintf("project '%[1]s' not found, please execute `<BIN> project create %[1]s`", projectName)))
+				return nil, nil, errors.New(util.Doc(fmt.Sprintf("project '%[1]s' not found, please execute `<BIN> project create %[1]s`", projectName)))
 			}
 		}
 

cmd/commands/project.go

@@ -20,11 +20,11 @@ import (
 	"github.com/argoproj-labs/argocd-autopilot/pkg/util"
 
 	argocdv1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
-	"github.com/ghodss/yaml"
 	"github.com/go-git/go-billy/v5/memfs"
 	billyUtils "github.com/go-git/go-billy/v5/util"
 	"github.com/spf13/cobra"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"sigs.k8s.io/yaml"
 )
 
 type (
@@ -130,7 +130,7 @@ func NewProjectCreateCommand() *cobra.Command {
 	}
 
 	cmd.Flags().StringVar(&kubeServer, "dest-server", "", "The default destination kubernetes server for applications in this project")
-	cmd.Flags().StringVar(&kubeContext, "dest-kube-context", "", "The default destination kubernetes context for applications in this project (will be ignored if --dest-kube-server is supplied)")
+	cmd.Flags().StringVar(&kubeContext, "dest-kube-context", "", "The default destination kubernetes context for applications in this project (will be ignored if --dest-server is supplied)")
 	cmd.Flags().BoolVar(&dryRun, "dry-run", false, "If true, print manifests instead of applying them to the cluster (nothing will be commited to git)")
 	cmd.Flags().StringToStringVar(&labels, "labels", nil, "Optional labels that will be set on the Application resource. (e.g. \"app.kubernetes.io/managed-by={{ placeholder }}\"")
 	cmd.Flags().StringToStringVar(&annotations, "annotations", nil, "Optional annotations that will be set on the Application resource. (e.g. \"argocd.argoproj.io/sync-wave={{ placeholder }}\"")

cmd/commands/project_test.go

@@ -20,13 +20,12 @@ import (
 	"github.com/argoproj-labs/argocd-autopilot/pkg/util"
 
 	argocdv1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
-	"github.com/ghodss/yaml"
-	"github.com/golang/mock/gomock"
-
 	"github.com/go-git/go-billy/v5/memfs"
 	billyUtils "github.com/go-git/go-billy/v5/util"
+	"github.com/golang/mock/gomock"
 	"github.com/stretchr/testify/assert"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"sigs.k8s.io/yaml"
 )
 
 func TestRunProjectCreate(t *testing.T) {
@@ -195,7 +194,7 @@ func Test_generateProjectManifests(t *testing.T) {
 				store.Default.LabelKeyAppName:      "{{ appName }}",
 			},
 			wantAnnotations: map[string]string{
-				"some-key":                         "some-value",
+				"some-key": "some-value",
 			},
 		},
 	}
@@ -277,7 +276,7 @@ func Test_getInstallationNamespace(t *testing.T) {
 				_ = billyUtils.WriteFile(repofs, filepath.Join(store.Default.BootsrtrapDir, store.Default.ArgoCDName+".yaml"), []byte("some string"), 0666)
 				return repofs
 			},
-			wantErr: "failed to unmarshal namespace: error unmarshaling JSON: json: cannot unmarshal string into Go value of type v1alpha1.Application",
+			wantErr: "failed to unmarshal namespace: error unmarshaling JSON: while decoding JSON: json: cannot unmarshal string into Go value of type v1alpha1.Application",
 		},
 	}
 	for ttName, tt := range tests {

cmd/commands/repo.go

@@ -24,14 +24,14 @@ import (
 	argocdcommon "github.com/argoproj/argo-cd/v2/common"
 	argocdv1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
 	argocdsettings "github.com/argoproj/argo-cd/v2/util/settings"
-	"github.com/ghodss/yaml"
 	"github.com/go-git/go-billy/v5/memfs"
 	billyUtils "github.com/go-git/go-billy/v5/util"
 	"github.com/spf13/cobra"
 	v1 "k8s.io/api/core/v1"
 	kerrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	kusttypes "sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/yaml"
 )
 
 const (
@@ -757,13 +757,12 @@ func createBootstrapKustomization(namespace, appSpecifier string, cloneOpts *git
 		})
 	}
 
-	k.FixKustomizationPostUnmarshalling()
 	errs := k.EnforceFields()
 	if len(errs) > 0 {
 		return nil, fmt.Errorf("kustomization errors: %s", strings.Join(errs, "\n"))
 	}
 
-	return k, k.FixKustomizationPreMarshalling()
+	return k, nil
 }
 
 func createCreds(repoUrl string) ([]byte, error) {

cmd/commands/repo_test.go

@@ -17,16 +17,15 @@ import (
 
 	argocdcommon "github.com/argoproj/argo-cd/v2/common"
 	argocdv1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
-	"github.com/ghodss/yaml"
+	"github.com/go-git/go-billy/v5/memfs"
+	billyUtils "github.com/go-git/go-billy/v5/util"
 	"github.com/golang/mock/gomock"
+	"github.com/stretchr/testify/assert"
 	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/kubernetes/fake"
 	kusttypes "sigs.k8s.io/kustomize/api/types"
-
-	"github.com/go-git/go-billy/v5/memfs"
-	billyUtils "github.com/go-git/go-billy/v5/util"
-	"github.com/stretchr/testify/assert"
+	"sigs.k8s.io/yaml"
 )
 
 func Test_setBootstrapOptsDefaults(t *testing.T) {

docs/commands/argocd-autopilot_project_create.md

@@ -31,8 +31,10 @@ argocd-autopilot project create [PROJECT] [flags]
 ```
       --annotation stringArray             Set metadata annotations (e.g. --annotation key=value)
       --annotations stringToString         Optional annotations that will be set on the Application resource. (e.g. "argocd.argoproj.io/sync-wave={{ placeholder }}" (default [])
+      --argocd-context string              The name of the Argo-CD server context to use
       --auth-token string                  Authentication token
       --aws-cluster-name string            AWS Cluster name if set then aws cli eks token command will be used to access cluster
+      --aws-profile string                 Optional AWS profile. If set then AWS IAM Authenticator uses this profile to perform cluster operations instead of the default AWS credential provider chain.
       --aws-role-arn string                Optional AWS role arn. If set then AWS IAM Authenticator assumes a role to perform cluster operations instead of the default AWS credential provider chain.
       --client-crt string                  Client certificate file
       --client-crt-key string              Client certificate key file
@@ -41,7 +43,7 @@ argocd-autopilot project create [PROJECT] [flags]
       --config string                      Path to Argo CD config (default "/home/user/.config/argocd/config")
       --controller-name string             Name of the Argo CD Application controller; set this or the ARGOCD_APPLICATION_CONTROLLER_NAME environment variable when the controller's name label differs from the default, for example when installing via the Helm chart (default "argocd-application-controller")
       --core                               If set to true then CLI talks directly to Kubernetes instead of talking to Argo CD API server
-      --dest-kube-context string           The default destination kubernetes context for applications in this project (will be ignored if --dest-kube-server is supplied)
+      --dest-kube-context string           The default destination kubernetes context for applications in this project (will be ignored if --dest-server is supplied)
       --dest-server string                 The default destination kubernetes server for applications in this project
       --dry-run                            If true, print manifests instead of applying them to the cluster (nothing will be commited to git)
       --exec-command string                Command to run to provide client credentials to the cluster. You may need to build a custom ArgoCD image to ensure the command is available at runtime.

docs/requirements.txt

@@ -1,3 +1,6 @@
 mkdocs-material
 markdown_include
-pygments==2.15.0
+pygments==2.15.0
+
+urllib3>=2.2.2 # not directly required, pinned by Snyk to avoid a vulnerability
+requests>=2.32.0 # not directly required, pinned by Snyk to avoid a vulnerability