[HCMSEC-3392] May 2026 scan updates #436

Merged
openshift-merge-bot[bot] merged 7 commits into openshift:master from dem4gus:scan-may-2026 on May 28, 2026

Conversation

@dem4gus (Contributor) commented May 28, 2026

The Go and Boilerplate versions are updated to address scan findings in this repository. Also updates references to the newest SFI and SAE images to deploy their updates to production.

Supersedes #430

Summary by CodeRabbit

  • Chores
    • Updated Go toolchain to version 1.25.9
    • Updated base container images to latest versions for improved security and stability
    • Added pre-commit workflow with security scanning, code linting, and format validation
    • Updated code coverage targets (project: 35%, patch: 50%)
    • Updated team member access configuration

@openshift-ci openshift-ci Bot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label May 28, 2026
@coderabbitai (Contributor, bot) commented May 28, 2026

Warning

Review limit reached

@dem4gus, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 44 minutes and 35 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 4bd7dda0-4ddf-4495-b3e1-fda595bf7a45

📥 Commits

Reviewing files that changed from the base of the PR and between 47e6dea and b1d3f8d.

⛔ Files ignored due to path filters (5)
  • boilerplate/_data/last-boilerplate-commit is excluded by !boilerplate/**
  • boilerplate/openshift/golang-osd-operator/docs/pre-commit.md is excluded by !boilerplate/**
  • boilerplate/openshift/golang-osd-operator/olm_pko_migration.py is excluded by !boilerplate/**
  • boilerplate/openshift/golang-osd-operator/pre-commit-config.yaml is excluded by !boilerplate/**
  • boilerplate/openshift/golang-osd-operator/standard.mk is excluded by !boilerplate/**
📒 Files selected for processing (7)
  • .pre-commit-config.yaml
  • build/Dockerfile
  • build/Dockerfile.olm-registry
  • deploy_pko/.test-fixtures/default/CustomResourceDefinition-splunkforwarders.splunkforwarder.managed.openshift.io.yaml
  • deploy_pko/CustomResourceDefinition-splunkforwarders.splunkforwarder.managed.openshift.io.yaml
  • go.mod
  • hack/pko/clusterpackage.yaml

Walkthrough

This PR coordinates a multi-faceted infrastructure and deployment update. It bumps base image tags and Go toolchain versions, introduces a pre-commit workflow for developer quality gates, updates team ownership metadata, reformats CRD schema descriptions, and pins new image digests for SplunkForwarder and audit-exporter across all deployment environments.

Changes

Infrastructure, workflow, and deployment coordination

Build infrastructure and toolchain upgrade
Files: .ci-operator.yaml, build/Dockerfile, build/Dockerfile.olm-registry, go.mod
Summary: CI operator root image tag and Docker base images (builder and runtime) updated from v8.3.4 to v8.3.6 and v9.7 to v9.8 respectively. Go toolchain version bumped from 1.24.4 to 1.25.9.

Developer workflow and quality gates
Files: .pre-commit-config.yaml, .codecov.yml
Summary: New pre-commit configuration defines tiered workflow with merge-conflict checks, secrets detection via gitleaks, Go static analysis, and local compile/tidy/RBAC validation hooks. Coverage status rules enable 35% project and 50% patch targets with 1% threshold.

Team and ownership updates
Files: OWNERS_ALIASES
Summary: Team membership updated: BATMAN-JD and geowa4 added to srep-functional-team-aurora; abyrne55 and luis-falcon removed from same team and srep-functional-leads; jharrington22 removed from srep-architects.

CRD schema description formatting
Files: deploy_pko/.test-fixtures/default/CustomResourceDefinition-...yaml, deploy_pko/CustomResourceDefinition-...yaml
Summary: OpenAPI v3 schema descriptions reformatted from quoted multiline strings to YAML block scalars in both fixture and production CRD files; schema structure and validation rules unchanged.

Deployment image digest updates across all environments
Files: hack/pko/clusterpackage.yaml
Summary: SplunkForwarder image digest pinned to new SHA256 across eight SelectorSyncSet targets: production, staging, HyperShift management staging/production, and FedRAMP variants (HyperShift/non-HyperShift, staging/production). Audit-exporter image updated to new quay.io/redhat-services-prod registry with new digest pin.

🎯 2 (Simple) | ⏱️ ~12 minutes


Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error, 1 warning, 1 inconclusive)

Ote Binary Stdout Contract: ❌ Error
Explanation: fips.go contains fmt.Println() in init() function (line 15), which writes non-JSON text to stdout, corrupting the OTE binary stdout contract required by openshift-tests.
Resolution: Change fmt.Println in fips.go init() to log.Info() or redirect to stderr using log output configuration. Alternatively, remove the startup message or use structured logging only.

Test Structure And Quality: ⚠️ Warning
Explanation: Test code has 7 assertions without meaningful failure messages (e.g., Expect(err).NotTo(HaveOccurred()) lacking descriptive context), violating the assertion message quality requirement.
Resolution: Add descriptive failure messages to all 7 assertions: 4 in "admin should be able to create/delete" test, 1 in "handles CR updates" test, 1 in "validates HEC" test, 1 in "validates missing secrets" test.

Title check: ❓ Inconclusive
Explanation: The title 'HCMSEC-3392 May 2026 scan updates' is vague and generic, using 'scan updates' without specifying what actual changes are being made to the codebase.
Resolution: Make the title more specific by describing the main changes, such as 'Update Go version, base images, and SFI/SAE image references for May 2026 scan' to better convey the primary changes.

✅ Passed checks (12 passed)

Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names: ✅ Passed. PR does not modify any test files. Existing Ginkgo test names are stable and deterministic with no dynamic content, following all best practices.
Microshift Test Compatibility: ✅ Passed. No new Ginkgo e2e tests are added in this PR; it only updates configuration files, Docker images, YAML manifests, and Go version. The check is not applicable.
Single Node Openshift (Sno) Test Compatibility: ✅ Passed. No Ginkgo e2e tests are added in this PR. All changes are to configuration files, Dockerfiles, manifests, and build dependencies. The SNO compatibility check is not applicable.
Topology-Aware Scheduling Compatibility: ✅ Passed. PR only updates container base images, Go toolchain, and CI configuration files. No new scheduling constraints are introduced in any deployment manifests or controller code.
Ipv6 And Disconnected Network Test Compatibility: ✅ Passed. No Ginkgo e2e tests were added or modified in this PR. All changes are configuration, Docker, YAML manifests, and Go module updates. The custom check is inapplicable.
No-Weak-Crypto: ✅ Passed. PR contains no weak cryptography (MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB), custom crypto implementations, or insecure secret comparisons. Changes are configuration and dependency updates only.
Container-Privileges: ✅ Passed. audit-exporter uses privileged: true and runAsUser: 0 with legitimate justification: system security audit logging component requires root access and hostPath mounts.
No-Sensitive-Data-In-Logs: ✅ Passed. No new logging code was added in this PR. Changes are limited to configuration, Dockerfiles, manifests, and Go module version updates; no logging statements introduce sensitive data.

@openshift-ci openshift-ci Bot requested review from nephomaniac and npecka May 28, 2026 16:35
@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 28, 2026
@openshift-ci openshift-ci Bot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label May 28, 2026
@codecov-commenter commented May 28, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 72.44%. Comparing base (5726253) to head (b1d3f8d).

Additional details and impacted files

Impacted file tree graph

@@           Coverage Diff           @@
##           master     #436   +/-   ##
=======================================
  Coverage   72.44%   72.44%           
=======================================
  Files          11       11           
  Lines         704      704           
=======================================
  Hits          510      510           
  Misses        173      173           
  Partials       21       21           

@dem4gus force-pushed the scan-may-2026 branch 2 times, most recently from 57cc41a to 6a380db on May 28, 2026 17:32
@coderabbitai (Contributor, bot) left a review

Actionable comments posted: 4

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
build/Dockerfile (1)

6-14: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Run the runtime image as a non-root user.

The final stage still runs as root, which weakens container isolation.

Suggested patch
 FROM registry.access.redhat.com/ubi9/ubi-minimal:9.8-1779809423
 ENV OPERATOR_PATH=/go/src/github.com/openshift/splunk-forwarder-operator \
     OPERATOR_BIN=splunk-forwarder-operator

-WORKDIR /root/
+WORKDIR /tmp
 COPY --from=builder /go/src/github.com/openshift/splunk-forwarder-operator/build/_output/bin/${OPERATOR_BIN} /usr/local/bin/${OPERATOR_BIN}
+USER 1001
 LABEL io.openshift.managed.name="splunk-forwarder-operator" \
       io.openshift.managed.description="This operator will be responsible for deploying the splunk forwarder."
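Review bot: `USER 1001` as a bare numeric UID is the right shape for this image (no useradd step, and it matches the arbitrary-UID model OpenShift applies under the restricted SCC), but replacing `WORKDIR /root/` with `WORKDIR /tmp` swaps a root-only directory for a world-writable shared one; an operator binary that never writes to its working directory is better off with `WORKDIR /` or an empty directory created for the purpose. The binary copied to `/usr/local/bin/${OPERATOR_BIN}` stays root-owned after COPY, which is fine as long as its mode remains world-executable, so the chown of /root/ that the AI-agent prompt asks for becomes unnecessary once WORKDIR leaves that directory.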

As per coding guidelines, **/{Dockerfile,Containerfile}*: USER non-root; never run as root.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@build/Dockerfile` around lines 6 - 14, The final image is left running as
root; create and switch to a non-root user in the Dockerfile to comply with the
guideline. Add steps in the final stage to create a non-root user/group (e.g.,
"splunk" or "nonroot"), chown the runtime WORKDIR (/root/) and the copied binary
(/usr/local/bin/${OPERATOR_BIN}) to that user, and set USER to that non-root
account so the container does not run as root; update any file ownerships
referencing OPERATOR_BIN and WORKDIR accordingly and ensure ENTRYPOINT/CMD still
work under the new user.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.pre-commit-config.yaml:
- Around line 67-68: Update the manifest hook file-matching regex so it also
matches deploy_pko manifests: replace occurrences of the pattern "files:
^deploy/.*\.ya?ml$" (there are two occurrences) with a regex that includes the
deploy_pko directory, e.g. "files: ^deploy(_pko)?/.*\.ya?ml$" or "files:
^(deploy|deploy_pko)/.*\.ya?ml$" so changed deployment manifests in deploy_pko/
are checked locally.

In `@build/Dockerfile`:
- Line 1: Update the Dockerfile to follow the repository tag/digest policy: for
the builder stage replace the tagged quay image reference
"quay.io/redhat-services-prod/openshift/boilerplate:image-v8.3.6" with a
digest-pinned reference (sha256@...) to lock the exact image, and for the
runtime stage replace the specific UBI tag
"registry.access.redhat.com/ubi9/ubi-minimal:9.8-1779809423" with the floating
Red Hat UBI tag (e.g., "registry.access.redhat.com/ubi9/ubi-minimal:9") so
runtime images use floating tags; apply the same changes wherever the same image
refs appear later in the file.

In `@build/Dockerfile.olm-registry`:
- Line 7: The base image in the Dockerfile is pinned to a build-specific Red Hat
tag ("registry.access.redhat.com/ubi9/ubi-minimal:9.8-1779809423") which
violates the floating-tag policy; update the FROM line in
build/Dockerfile.olm-registry to use the floating Red Hat tag (e.g. change the
image reference to "registry.access.redhat.com/ubi9/ubi-minimal:latest") so the
runtime base image matches other Dockerfiles and adheres to Red Hat floating-tag
guidance.

In `@hack/pko/clusterpackage.yaml`:
- Line 829: The OLM template hack/olm-registry/olm-artifacts-template.yaml still
references the old image
quay.io/app-sre/splunk-audit-exporter@sha256:798113f5c79248bc24418ff0d149058c04e5eaa35ea7b4ff42a1e6983a37d24a,
causing an inconsistency with hack/pko/clusterpackage.yaml which uses
quay.io/redhat-services-prod/splunk-audit-exporter-tenant/splunk-audit-exporter/splunk-audit-exporter@sha256:8d45f6580bfebb742a669cb1930578a0aaf28091f54ff4755460811054b2480a;
update the image reference in hack/olm-registry/olm-artifacts-template.yaml to
the exact same quay.io/redhat-services-prod...sha256:8d45f6580b...2480a value
(or, if the divergence is intentional, add an explicit comment documenting why
the OLM template should point to quay.io/app-sre/...@sha256:7981...24a instead).


ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: db2983b4-4401-4883-beef-3100ba0e533c

📥 Commits

Reviewing files that changed from the base of the PR and between 5726253 and 47e6dea.

⛔ Files ignored due to path filters (10)
  • boilerplate/_data/backing-image-tag is excluded by !boilerplate/**
  • boilerplate/_data/last-boilerplate-commit is excluded by !boilerplate/**
  • boilerplate/openshift/golang-osd-operator/.codecov.yml is excluded by !boilerplate/**
  • boilerplate/openshift/golang-osd-operator/OWNERS_ALIASES is excluded by !boilerplate/**
  • boilerplate/openshift/golang-osd-operator/docs/pre-commit.md is excluded by !boilerplate/**
  • boilerplate/openshift/golang-osd-operator/golangci.yml is excluded by !boilerplate/**
  • boilerplate/openshift/golang-osd-operator/olm_pko_migration.py is excluded by !boilerplate/**
  • boilerplate/openshift/golang-osd-operator/pre-commit-config.yaml is excluded by !boilerplate/**
  • boilerplate/openshift/golang-osd-operator/standard.mk is excluded by !boilerplate/**
  • boilerplate/openshift/golang-osd-operator/update is excluded by !boilerplate/**
📒 Files selected for processing (10)
  • .ci-operator.yaml
  • .codecov.yml
  • .pre-commit-config.yaml
  • OWNERS_ALIASES
  • build/Dockerfile
  • build/Dockerfile.olm-registry
  • deploy_pko/.test-fixtures/default/CustomResourceDefinition-splunkforwarders.splunkforwarder.managed.openshift.io.yaml
  • deploy_pko/CustomResourceDefinition-splunkforwarders.splunkforwarder.managed.openshift.io.yaml
  • go.mod
  • hack/pko/clusterpackage.yaml
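The drift the review flags between hack/pko/clusterpackage.yaml and hack/olm-registry/olm-artifacts-template.yaml (the same audit-exporter image pinned to two different repositories and digests) is a check worth running mechanically on every image bump rather than by eye. The Go program below is an added example and not code from the splunk-forwarder-operator repository or from CodeRabbit: it scans manifest text for digest-pinned image references, groups them by image name (the last path element, so a move between quay.io/app-sre and quay.io/redhat-services-prod still lines up), and reports any image pinned to more than one repo@digest together with the file each pin came from. SampleManifests is a constructed stand-in for the two files, with made-up digests and shortened repository paths.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// digestRef captures repository and digest from every "repo[:tag]@sha256:<64 hex>"
// reference in free text; a tag sitting between repository and digest is skipped.
var digestRef = regexp.MustCompile(`([a-z0-9.\-]+(?::\d+)?/[a-zA-Z0-9._\-/]+)(?::[\w.\-]+)?@(sha256:[0-9a-f]{64})`)

// Pin is one digest-pinned image reference and the file it was found in.
type Pin struct{ File, Repo, Digest string }

// DivergentDigests scans manifests (file name -> contents) and returns, keyed by
// image name (last path element), every distinct (file, repo, digest) pin for
// images that are pinned to more than one repo@digest across the inputs.
// Slices are sorted by repo, digest, then file so the output is stable.
func DivergentDigests(files map[string]string) map[string][]Pin {
	seen := map[string]map[Pin]bool{}
	for file, body := range files {
		for _, m := range digestRef.FindAllStringSubmatch(body, -1) {
			repo, digest := m[1], m[2]
			name := repo[strings.LastIndex(repo, "/")+1:]
			if seen[name] == nil {
				seen[name] = map[Pin]bool{}
			}
			seen[name][Pin{file, repo, digest}] = true
		}
	}
	key := func(p Pin) string { return p.Repo + "@" + p.Digest + " " + p.File }
	out := map[string][]Pin{}
	for name, pins := range seen {
		distinct := map[string]bool{}
		var list []Pin
		for p := range pins {
			distinct[p.Repo+"@"+p.Digest] = true
			list = append(list, p)
		}
		if len(distinct) > 1 { // one repo@digest everywhere is the pass condition
			sort.Slice(list, func(i, j int) bool { return key(list[i]) < key(list[j]) })
			out[name] = list
		}
	}
	return out
}

// SampleManifests are constructed stand-ins for the two files named in the
// review; the repositories are shortened and the digests are made up.
var SampleManifests = map[string]string{
	"hack/pko/clusterpackage.yaml": "  image: quay.io/redhat-services-prod/sae-tenant/sae/splunk-audit-exporter@sha256:" + strings.Repeat("a", 64) +
		"\n  image: quay.io/app-sre/splunk-forwarder@sha256:" + strings.Repeat("c", 64) +
		"\n  image: quay.io/redhat-services-prod/sae-tenant/sae/splunk-audit-exporter@sha256:" + strings.Repeat("a", 64) + "\n",
	"hack/olm-registry/olm-artifacts-template.yaml": "  image: quay.io/app-sre/splunk-audit-exporter@sha256:" + strings.Repeat("b", 64) +
		"\n  image: quay.io/app-sre/splunk-forwarder@sha256:" + strings.Repeat("c", 64) + "\n",
}

func main() {
	for name, pins := range DivergentDigests(SampleManifests) {
		fmt.Printf("%s is pinned to more than one digest:\n", name)
		for _, p := range pins {
			fmt.Printf("  %s@%s  (%s)\n", p.Repo, p.Digest, p.File)
		}
	}
}
```

To use it on a checkout, feed DivergentDigests the contents of every YAML under hack/, deploy/ and deploy_pko/ instead of SampleManifests; an empty result is the pass condition, and a non-empty one names the file that still carries the stale digest, which is exactly what the review had to work out by hand.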

Comment thread .pre-commit-config.yaml
Comment on lines +67 to +68
files: ^deploy/.*\.ya?ml$
args: [--allow-multiple-documents]

🛠️ Refactor suggestion | 🟠 Major | ⚡ Quick win

Expand manifest hook scope to include deploy_pko/.

Both manifest-oriented hooks currently skip deploy_pko/, so changed deployment manifests there won’t be checked locally.

Suggested patch
       - id: check-yaml
         name: YAML syntax (deploy/)
-        files: ^deploy/.*\.ya?ml$
+        files: ^(deploy|deploy_pko)/.*\.ya?ml$
         args: [--allow-multiple-documents]
@@
       - id: rbac-wildcard-check
         name: RBAC wildcard permissions
         language: system
         entry: bash -c 'make rbac-wildcard-check'
-        files: ^deploy/.*\.ya?ml$
+        files: ^(deploy|deploy_pko)/.*\.ya?ml$
         pass_filenames: false
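Review bot: the second hunk widens `files:` for `rbac-wildcard-check`, but with `pass_filenames: false` that pattern only decides whether the hook fires; `make rbac-wildcard-check` receives no paths, so manifests under deploy_pko/ are covered only if the make target itself already scans that directory, which is worth confirming before relying on the hook for deploy_pko/. The hook name in the first hunk still reads `YAML syntax (deploy/)`, so rename it to mention deploy_pko/ in the same change.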

Also applies to: 140-140

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.pre-commit-config.yaml around lines 67 - 68, Update the manifest hook
file-matching regex so it also matches deploy_pko manifests: replace occurrences
of the pattern "files: ^deploy/.*\.ya?ml$" (there are two occurrences) with a
regex that includes the deploy_pko directory, e.g. "files:
^deploy(_pko)?/.*\.ya?ml$" or "files: ^(deploy|deploy_pko)/.*\.ya?ml$" so
changed deployment manifests in deploy_pko/ are checked locally.

Comment thread build/Dockerfile
@@ -1,9 +1,9 @@
FROM quay.io/redhat-services-prod/openshift/boilerplate:image-v8.3.4 AS builder
FROM quay.io/redhat-services-prod/openshift/boilerplate:image-v8.3.6 AS builder
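Review bot: `image-v8.3.6` is still a mutable tag, so this bump does not by itself make the scanned build reproducible; pin the builder by digest (`@sha256:...`) as the comment below asks. The tag appears to be rendered from boilerplate (boilerplate/_data/backing-image-tag is among the files this review ignored), so a hand-edited digest in build/Dockerfile would be overwritten by the next boilerplate update unless the pin is made where that tag is generated.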

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# List relevant container build files
echo "== Files =="
fd -t f -e Dockerfile -e Containerfile . || true
fd . '**/Dockerfile' . || true
fd . '**/Containerfile*' . || true

# Show all Dockerfile/Containerfile paths found by filename patterns
echo "== Matching paths (Dockerfile/Containerfile*) =="
paths=$(fd -t f --full-path --hidden --exclude .git '**/Dockerfile*' '**/Containerfile*' . || true)
echo "$paths"

# For build/Dockerfile specifically, show first ~200 lines with numbers
if [ -f build/Dockerfile ]; then
  echo "== build/Dockerfile (first 200 lines) =="
  nl -ba build/Dockerfile | head -n 200
fi

# Extract all FROM lines from matching Dockerfile/Containerfile* files
echo "== All FROM lines in matching files =="
for f in $(fd -t f --hidden --exclude .git '**/Dockerfile*' '**/Containerfile*' . || true); do
  echo "--- $f ---"
  rg -n --no-heading '^FROM ' "$f" || true
done

Repository: openshift/splunk-forwarder-operator

Length of output: 12530


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== Dockerfile/Containerfile files =="

# Use find (more reliable than fd patterns here)
mapfile -t files < <(find . -type f \( -name 'Dockerfile*' -o -name 'Containerfile*' \) -not -path './.git/*' | sort)

printf '%s\n' "${files[@]}"

echo
echo "== All FROM lines (first ~20 matches per file) =="

for f in "${files[@]}"; do
  echo "--- $f ---"
  # Print up to 20 FROM lines to keep output bounded
  rg -n --no-heading '^FROM[[:space:]]+' "$f" | head -n 20 || true
done

echo
echo "== build/Dockerfile (first 200 lines w/ numbers) =="
if [ -f build/Dockerfile ]; then
  awk '{printf "%6d\t%s\n", NR, $0}' build/Dockerfile | head -n 200
else
  echo "build/Dockerfile not found"
fi

Repository: openshift/splunk-forwarder-operator

Length of output: 191


🏁 Script executed:

#!/bin/bash
set -euo pipefail

tmp="/tmp/dockerfiles.txt"
rm -f "$tmp"

find . -type f \( -name 'Dockerfile*' -o -name 'Containerfile*' \) -not -path './.git/*' | sort > "$tmp"

echo "== Dockerfile/Containerfile files =="
cat "$tmp"

echo
echo "== All FROM lines (up to 30 per file) =="
while IFS= read -r f; do
  [ -n "$f" ] || continue
  echo "--- $f ---"
  # Use grep to avoid rg issues if ripgrep missing in sandbox
  if command -v rg >/dev/null 2>&1; then
    rg -n --no-heading '^FROM[[:space:]]+' "$f" | head -n 30 || true
  else
    grep -n '^FROM[[:space:]]\+' "$f" | head -n 30 || true
  fi
done < "$tmp"

echo
echo "== build/Dockerfile (first 120 lines with line numbers) =="
if [ -f build/Dockerfile ]; then
  # Avoid nl (not available); use awk for numbering
  awk '{print NR "\t" $0}' build/Dockerfile | head -n 120
else
  echo "build/Dockerfile not found"
fi

Repository: openshift/splunk-forwarder-operator

Length of output: 1947


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== Search for image-v8.3.6 occurrences =="

rg -n --no-heading "image-v8\.3\.6" . || true

echo
echo "== Inspect hack/populate-image-digests.sh if present =="

if [ -f hack/populate-image-digests.sh ]; then
  sed -n '1,200p' hack/populate-image-digests.sh
fi

echo
echo "== Search for 'backing-image-tag' usage =="

rg -n --no-heading "backing-image-tag" . || true

echo
echo "== Search for 'registry.access.redhat.com/ubi9/ubi-minimal' usage =="

rg -n --no-heading "registry\.access\.redhat\.com/ubi9/ubi-minimal" . || true

echo
echo "== Show build/Dockerfile.olm-registry and build/Dockerfile.pko FROM lines context (first 40 lines) =="

for f in build/Dockerfile build/Dockerfile.olm-registry build/Dockerfile.pko; do
  echo "--- $f ---"
  sed -n '1,80p' "$f"
done

Repository: openshift/splunk-forwarder-operator

Length of output: 3872


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== Search for image-v8.3.6 occurrences =="
rg -n --no-heading "image-v8\.3\.6" . || true

echo
echo "== Inspect hack/populate-image-digests.sh (if present) =="
if [ -f hack/populate-image-digests.sh ]; then
  sed -n '1,200p' hack/populate-image-digests.sh
else
  echo "hack/populate-image-digests.sh not found"
fi

echo
echo "== Search for backing-image-tag usage =="
rg -n --no-heading "backing-image-tag" . || true

echo
echo "== Search for ubi9/ubi-minimal usage =="
rg -n --no-heading "registry\.access\.redhat\.com/ubi9/ubi-minimal" . || true

echo
echo "== Show relevant Dockerfile headers (first 80 lines) =="
for f in build/Dockerfile build/Dockerfile.olm-registry build/Dockerfile.pko; do
  if [ -f "$f" ]; then
    echo "--- $f ---"
    sed -n '1,80p' "$f"
  fi
done

Repository: openshift/splunk-forwarder-operator

Length of output: 3797


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== Search for 'ose-operator-registry-rhel9' usage =="
rg -n --no-heading "ose-operator-registry-rhel9" . || true

echo
echo "== Search for 'registry.redhat.io/openshift4/ose-operator-registry-rhel9' =="
rg -n --no-heading "registry\.redhat\.io/openshift4/ose-operator-registry-rhel9" . || true

echo
echo "== Show any Dockerfile FROM lines for ose-operator-registry-rhel9 (all matches) =="
rg -n --no-heading "^FROM .*ose-operator-registry-rhel9" . || true

Repository: openshift/splunk-forwarder-operator

Length of output: 1086


Align base image references with the repository tag/digest policy

  • build/Dockerfile builder stage uses a non-Red Hat registry tag (quay.io/redhat-services-prod/openshift/boilerplate:image-v8.3.6) but should be digest-pinned.
  • build/Dockerfile runtime stage uses a Red Hat UBI image pinned to a specific version tag (registry.access.redhat.com/ubi9/ubi-minimal:9.8-1779809423), but Red Hat images should use floating tags.

Also applies to line 6.

🧰 Tools
🪛 Trivy (0.69.3)

[error] 1-1: Image user should not be 'root'

Specify at least 1 USER command in Dockerfile with non-root user as argument

Rule: DS-0002 (IaC/Dockerfile)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@build/Dockerfile` at line 1, Update the Dockerfile to follow the repository
tag/digest policy: for the builder stage replace the tagged quay image reference
"quay.io/redhat-services-prod/openshift/boilerplate:image-v8.3.6" with a
digest-pinned reference (sha256@...) to lock the exact image, and for the
runtime stage replace the specific UBI tag
"registry.access.redhat.com/ubi9/ubi-minimal:9.8-1779809423" with the floating
Red Hat UBI tag (e.g., "registry.access.redhat.com/ubi9/ubi-minimal:9") so
runtime images use floating tags; apply the same changes wherever the same image
refs appear later in the file.


# ubi-micro does not work for clusters with fips enabled unless we make OpenSSL available
FROM registry.access.redhat.com/ubi9/ubi-minimal:9.7-1778562320
FROM registry.access.redhat.com/ubi9/ubi-minimal:9.8-1779809423
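Review bot: `ubi-minimal:9.8-1779809423` is a build-specific tag, not a digest: it neither floats to pick up Red Hat errata nor guarantees the bytes that were scanned, so it gives the weakest of both properties. Decide which one this image wants: `ubi-minimal:9.8` (or `:9`) if the runtime should track Red Hat updates, or `ubi-minimal@sha256:...` with an automated bump if the scan result must be reproducible. The `:latest` proposed for Dockerfile.olm-registry below is the least reproducible option of all, so the two Dockerfiles should converge on one of the other two. The comment about ubi-micro and OpenSSL under FIPS still applies and should stay attached to this FROM line.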

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

ls -la
# Show the Dockerfile with line numbers around the base image
if [ -f build/Dockerfile.olm-registry ]; then
  echo "---- build/Dockerfile.olm-registry (head) ----"
  sed -n '1,120p' build/Dockerfile.olm-registry | nl -ba | sed -n '1,80p'
else
  echo "Missing build/Dockerfile.olm-registry"
  exit 1
fi

echo "---- Search for other Red Hat base images/tags ----"
# Find other Dockerfile/Containerfile references to registry.access.redhat.com/ubi
rg -n --hidden --no-ignore-vcs 'registry\.access\.redhat\.com/.+ubi' --glob '**/Dockerfile*' --glob '**/Containerfile*' || true

echo "---- Search for floating tag usage for ubi-minimal ----"
rg -n --hidden --no-ignore-vcs 'ubi-minimal:9(\b|\.|\-)' --glob '**/Dockerfile*' --glob '**/Containerfile*' || true

echo "---- Search for Red Hat policy mentions in repo ----"
rg -n --hidden --no-ignore-vcs 'floating tag|Red Hat.*floating|ubi-minimal:' . || true

Repository: openshift/splunk-forwarder-operator

Length of output: 2371


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "---- build/Dockerfile.olm-registry (with line numbers) ----"
if [ -f build/Dockerfile.olm-registry ]; then
  sed -n '1,120p' build/Dockerfile.olm-registry | awk '{printf "%4d\t%s\n", NR, $0}'
else
  echo "Missing build/Dockerfile.olm-registry"
  exit 1
fi

echo "---- Search for other Red Hat base images/tags (registry.access.redhat.com/...ubi) ----"
rg -n --hidden --no-ignore-vcs 'registry\.access\.redhat\.com/.+ubi' --glob '**/Dockerfile*' --glob '**/Containerfile*' || true

echo "---- Search for ubi-minimal tags patterns ----"
rg -n --hidden --no-ignore-vcs 'ubi-minimal:[0-9]+(\.|-|\b)' --glob '**/Dockerfile*' --glob '**/Containerfile*' || true

echo "---- Search for floating tag policy mentions in repo ----"
rg -n --hidden --no-ignore-vcs 'floating tag|Red Hat.*floating|ubi-minimal:' . || true

Repository: openshift/splunk-forwarder-operator

Length of output: 2361


Use a floating Red Hat tag for the runtime base image.

build/Dockerfile.olm-registry pins the Red Hat runtime image to a build-specific tag (registry.access.redhat.com/ubi9/ubi-minimal:9.8-1779809423), which conflicts with the Red Hat “floating tag” policy; other Dockerfiles in this repo use ubi-minimal:latest instead.

As per coding guidelines, **/{Dockerfile,Containerfile}*: Red Hat images should use floating tags (Red Hat manages updates).

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@build/Dockerfile.olm-registry` at line 7, The base image in the Dockerfile is
pinned to a build-specific Red Hat tag
("registry.access.redhat.com/ubi9/ubi-minimal:9.8-1779809423") which violates
the floating-tag policy; update the FROM line in build/Dockerfile.olm-registry
to use the floating Red Hat tag (e.g. change the image reference to
"registry.access.redhat.com/ubi9/ubi-minimal:latest") so the runtime base image
matches other Dockerfiles and adheres to Red Hat floating-tag guidance.
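The three Dockerfile findings on this page (builder stage on a tag instead of a digest, runtime stage on a build-specific tag instead of a floating one, and Trivy DS-0002 for a final stage that never drops root) all reduce to inspecting FROM and USER lines, so they are cheap to enforce locally before the scan runs. The Go program below is an added example, not code from the splunk-forwarder-operator repository, from CodeRabbit or from Trivy: it parses image references, classifies each as digest-pinned, floating, build-specific or latest, and applies the policy the review argues for to a multi-stage Dockerfile. SampleDockerfile is a constructed stand-in with the shape of build/Dockerfile on this PR, and the rule choices (digest for build stages, digest or floating vendor tag for the final stage) are this example's reading of the review, not a published policy.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// ImageRef is a container image reference split into repository, tag and digest.
type ImageRef struct{ Repo, Tag, Digest string }

// ParseImageRef splits "repo[:tag][@sha256:hex]"; a ':' counts as a tag only
// after the last '/', so a registry port (host:5000/img) is not mistaken for one.
func ParseImageRef(ref string) ImageRef {
	var r ImageRef
	if i := strings.Index(ref, "@"); i >= 0 {
		r.Digest, ref = ref[i+1:], ref[:i]
	}
	if c := strings.LastIndex(ref, ":"); c > strings.LastIndex(ref, "/") {
		r.Tag, ref = ref[c+1:], ref[:c]
	}
	r.Repo = ref
	return r
}

var floatingTag = regexp.MustCompile(`^\d+(\.\d+)?$`)

// Classify reports how a reference is pinned: "digest" (immutable), "floating"
// (a vendor stream tag such as 9 or 9.8), "latest" (no tag or :latest), or "build"
// (a build-specific tag such as 9.8-1779809423 or image-v8.3.6: it looks pinned
// but is still a mutable tag that the registry can repoint).
func Classify(r ImageRef) string {
	switch {
	case strings.HasPrefix(r.Digest, "sha256:"):
		return "digest"
	case r.Tag == "" || r.Tag == "latest":
		return "latest"
	case floatingTag.MatchString(r.Tag):
		return "floating"
	}
	return "build"
}

// Finding is one policy violation with the 1-based Dockerfile line it applies to.
type Finding struct{ Line int; Msg string }

// LintDockerfile applies the rules argued in the review: non-final stages must be
// digest-pinned, the final stage must be digest-pinned or on a floating vendor
// tag, and the final stage must switch to a non-root USER (Trivy DS-0002).
func LintDockerfile(src string) []Finding {
	type stage struct{ line int; ref ImageRef; user string }
	var stages []stage
	aliases := map[string]ImageRef{} // "AS name" -> that stage's base image
	sc := bufio.NewScanner(strings.NewReader(src))
	for n := 1; sc.Scan(); n++ {
		switch f := strings.Fields(sc.Text()); {
		case len(f) < 2:
		case strings.EqualFold(f[0], "FROM"):
			ref, ok := aliases[f[1]] // "FROM builder" inherits the builder's base
			if !ok {
				ref = ParseImageRef(f[1])
			}
			if len(f) >= 4 && strings.EqualFold(f[len(f)-2], "AS") {
				aliases[f[len(f)-1]] = ref
			}
			stages = append(stages, stage{line: n, ref: ref})
		case strings.EqualFold(f[0], "USER") && len(stages) > 0:
			stages[len(stages)-1].user = f[1]
		}
	}
	var out []Finding
	for i, s := range stages {
		final, class := i == len(stages)-1, Classify(s.ref)
		if !final && class != "digest" {
			out = append(out, Finding{s.line, fmt.Sprintf("build stage %s: %s tag, pin by digest", s.ref.Repo, class)})
		}
		if final && class != "digest" && class != "floating" {
			out = append(out, Finding{s.line, fmt.Sprintf("final stage %s: %s tag, use a digest or a floating vendor tag", s.ref.Repo, class)})
		}
		if uid := strings.SplitN(s.user, ":", 2)[0]; final && (uid == "" || uid == "root" || uid == "0") {
			out = append(out, Finding{s.line, "final stage runs as root, add USER <non-root uid>"})
		}
	}
	return out
}

// SampleDockerfile is a constructed stand-in with the shape of build/Dockerfile on this PR.
const SampleDockerfile = `FROM quay.io/redhat-services-prod/openshift/boilerplate:image-v8.3.6 AS builder
FROM registry.access.redhat.com/ubi9/ubi-minimal:9.8-1779809423
WORKDIR /root/
COPY --from=builder /go/src/app/bin/op /usr/local/bin/op
`

func main() {
	for _, f := range LintDockerfile(SampleDockerfile) {
		fmt.Printf("Dockerfile:%d: %s\n", f.Line, f.Msg)
	}
}
```

Running it prints one finding per violated rule with the Dockerfile line it applies to; a FROM line that names an earlier stage alias inherits that stage's classification, so `FROM builder` style layouts lint correctly rather than being reported as an untagged image.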

Comment thread hack/pko/clusterpackage.yaml
@openshift-ci (Contributor, bot) commented May 28, 2026

@dem4gus: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@npecka (Contributor) commented May 28, 2026

/lgtm

@geowa4 commented May 28, 2026

/lgtm

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label May 28, 2026
@openshift-ci (Contributor, bot) commented May 28, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dem4gus, geowa4, npecka

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-merge-bot openshift-merge-bot Bot merged commit cd8af61 into openshift:master May 28, 2026
15 checks passed

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged.

5 participants