feat(sast): configure sast-snyk-check task #632

Open
mpapadopoullos wants to merge 2 commits into openshift:main from mpapadopoullos:feat/configure-sast-snyk-check
Conversation

@mpapadopoullos mpapadopoullos commented May 20, 2026

  • simplify konflux task
  • org: layered-services

Pre-check

Before submitting a Pull Request, please ensure you've done the following:

Summary

Related Issues

Added/updated tests?

We strongly encourage you to add a test for your changes.

  • Yes
  • No, and this is why: please replace this line with details on why tests
    have not been included
  • I need help with writing tests

Checklist

  • 📎 All clippy lints have been fixed:
cd bpfman/
cargo +nightly clippy --all -- --deny warnings
  • 🦀 Rust code has been formatted and linted:
cargo +nightly fmt --all -- --check
prettier -l "*.yaml"
  • 🐚 Bash scripts have been linted using shellcheck:
cargo xtask lint
cargo xtask unit-test
cargo xtask integration-test

(Optional) What emojis best describe this PR or how it makes you feel?

Summary by CodeRabbit

  • Chores
    • Updated build pipeline security scanning configuration to include fixed Snyk scan parameters for consistent project naming, reporting, and organization-scoped vulnerability reporting.

coderabbitai Bot commented May 20, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: af0e8f98-6c8a-4d06-8f43-5c9f26a0384e

📥 Commits

Reviewing files that changed from the base of the PR and between 3b5adfa and cc450dc.

📒 Files selected for processing (1)
  • .tekton/multi-arch-build-pipeline.yaml

Walkthrough

The Tekton multi-arch build pipeline is updated with a new ARGS parameter in the sast-snyk-check task. The parameter provides fixed Snyk CLI options to specify the project name as bpfman, include a report flag, and set the organization UUID.

Changes

Snyk Task Configuration

Layer / File(s) | Summary
Snyk check task ARGS parameter (.tekton/multi-arch-build-pipeline.yaml) | ARGS parameter added to sast-snyk-check task with Snyk CLI flags: project name (bpfman), report generation, and organization context (b6dda4fc-c9ea-48da-ac45-67f75f258e5a).

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 12
✅ Passed checks (12 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title directly reflects the main change: configuring the sast-snyk-check task in the Tekton build pipeline with new ARGS parameters.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed PR modifies only Tekton pipeline YAML configuration (.tekton/multi-arch-build-pipeline.yaml). No Ginkgo tests present; custom check for Ginkgo test name stability is not applicable.
Test Structure And Quality ✅ Passed Custom check for Ginkgo test quality is not applicable. This PR modifies Tekton pipeline YAML configuration files, not test code. The repository uses Rust for integration tests, not Go/Ginkgo.
Microshift Test Compatibility ✅ Passed This PR only modifies Tekton pipeline configuration. No Ginkgo e2e tests are added or changed, so the MicroShift test compatibility check does not apply.
Single Node Openshift (Sno) Test Compatibility ✅ Passed PR modifies only Tekton pipeline YAML configuration (.tekton/multi-arch-build-pipeline.yaml) to add Snyk CLI options. No Ginkgo e2e tests are added, so SNO compatibility check does not apply.
Topology-Aware Scheduling Compatibility ✅ Passed PR modifies only a Tekton CI/CD pipeline file, not deployment manifests, operator code, or controllers. No scheduling constraints are introduced.
Ote Binary Stdout Contract ✅ Passed PR modifies only Tekton pipeline YAML configuration (adds Snyk CLI args). OTE Stdout Contract check applies only to Go code in process-level functions. Not applicable.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed PR modifies Tekton pipeline config, not Ginkgo e2e tests. The custom check for IPv4/disconnected network compatibility applies only to new e2e tests, which are not present here.


@openshift-ci openshift-ci Bot requested review from Billy99 and alebedev87 May 20, 2026 13:04
@openshift-ci openshift-ci Bot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label May 20, 2026
openshift-ci Bot commented May 20, 2026

Hi @mpapadopoullos. Thanks for your PR.

I'm waiting for an openshift member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@frobware

/ok-to-test

@openshift-ci openshift-ci Bot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels May 20, 2026
@frobware

Needs #633.

@frobware

/retest

- simplify konflux task
- org: layered-services
@mpapadopoullos mpapadopoullos force-pushed the feat/configure-sast-snyk-check branch from 17f6ada to 3b5adfa May 20, 2026 17:09
@frobware

#633

This needs rebasing now that 633 has merged.

@frobware

/ok-to-test
/lgtm
/approve

@openshift-ci openshift-ci Bot added lgtm Indicates that a PR is ready to be merged. approved Indicates a PR has been approved by an approver from all required OWNERS files. labels May 20, 2026
@frobware

/retest

@frobware

/retest

@red-hat-konflux

All PipelineRuns for this commit have already succeeded. Use /retest <pipeline-name> to re-run a specific pipeline or /test to re-run all pipelines.

@frobware

Ditto for operator: openshift/bpfman-operator#1903

- add cachi2/ to ignorePaths
@openshift-ci openshift-ci Bot removed the lgtm Indicates that a PR is ready to be merged. label May 20, 2026
@frobware

/lgtm
/approve

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label May 21, 2026
openshift-ci Bot commented May 21, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: frobware, mpapadopoullos

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@frobware

/ok-to-test
