Merge branch 'main' into release-please--branches--main

kayman-mk · web-flow · commit af37be85c7da · 2025-10-09T10:31:25.000+02:00
diff --git a/.cspell.json b/.cspell.json
@@ -93,6 +93,7 @@
     "cpu",
     "cpus",
     "cpuset",
+    "exfiltration",
     "gitter",
     "imds",
     "netsh",
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -59,7 +59,7 @@ jobs:
   kics:
     runs-on: ubuntu-latest
     container:
-      image: checkmarx/kics:v2.1.13-debian@sha256:5dcabefe00678cdb539f6ddbc60e47304d7f7c4ee35b21e183156ec69c0bbafc
+      image: checkmarx/kics:v2.1.14-debian@sha256:65bbc05cc9531e3cd6485c407c2f07f04516bb8fb7a6cfeb5f84bc6b78598e2f
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
       # ignore: "tags not used", "access analyzer not used", "shield advanced not used"
@@ -72,13 +72,13 @@ jobs:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
         name: Checkout source code
 
-      - uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4
+      - uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
         name: Cache plugin dir
         with:
           path: ~/.tflint.d/plugins
           key: tflint-${{ hashFiles('.tflint.hcl') }}
 
-      - uses: terraform-linters/setup-tflint@ae78205cfffec9e8d93fd2b3115c7e9d3166d4b6 # v5
+      - uses: terraform-linters/setup-tflint@acd1575d3c037258ce5b2dd01379dc49ce24c6b7 # v6
         name: Setup TFLint
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/feature_branch-megalinter.yml b/.github/workflows/feature_branch-megalinter.yml
@@ -30,7 +30,7 @@ jobs:
         id: ml
         # You can override MegaLinter flavor used to have faster performances
         # More info at https://megalinter.io/flavors/
-        uses: oxsecurity/megalinter@e08c2b05e3dbc40af4c23f41172ef1e068a7d651 # v8.8.0
+        uses: oxsecurity/megalinter@62c799d895af9bcbca5eacfebca29d527f125a57 # v9.1.0
         env:
           # All available variables are described in documentation
           # https://megalinter.io/configuration/
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
@@ -14,7 +14,7 @@ jobs:
       issues: write
       pull-requests: write
     steps:
-      - uses: actions/stale@3a9db7e6a41a89f618792c92c0e97cc736e1b13f # v10
+      - uses: actions/stale@5f858e3efba33a5ca4407a664cc011ad407f2008 # v10
         with:
           stale-issue-message: 'This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 15 days.'
           stale-pr-message: 'This PR is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 15 days.'
diff --git a/.github/workflows/tfsec.yml b/.github/workflows/tfsec.yml
@@ -34,7 +34,7 @@ jobs:
           sarif_file: tfsec.sarif
 
       - name: Upload SARIF file
-        uses: github/codeql-action/upload-sarif@192325c86100d080feab897ff886c34abd4c83a3 # v3.30.3
+        uses: github/codeql-action/upload-sarif@e296a935590eb16afc0c0108289f68c87e2a89a5 # v4.30.7
         with:
           # Path to SARIF file relative to the root of the repository
           sarif_file: tfsec.sarif
diff --git a/.terraform.lock.hcl b/.terraform.lock.hcl
diff --git a/.tflint.hcl b/.tflint.hcl
@@ -5,6 +5,6 @@ plugin "terraform" {
 
 plugin "aws" {
     enabled = true
-    version = "0.42.0"
+    version = "0.43.0"
     source  = "github.com/terraform-linters/tflint-ruleset-aws"
 }
diff --git a/main.tf b/main.tf
@@ -357,8 +357,11 @@ resource "aws_iam_instance_profile" "instance" {
   tags = local.tags
 }
 
+# "AWS EIP not attached to any instance": we attach it via user-data script
+# kics-scan ignore-block
 resource "aws_eip" "gitlab_runner" {
   # checkov:skip=CKV2_AWS_19:We can't use NAT gateway here as we are contacted from the outside.
+  # checkov:skip=CKV2_AWS_20:We can't use NAT gateway here as we are contacted from the outside.
   count = var.runner_instance.use_eip ? 1 : 0
 
   tags = local.tags
diff --git a/modules/cache/main.tf b/modules/cache/main.tf
@@ -132,6 +132,8 @@ data "aws_iam_policy_document" "docker_machine_cache_policy" {
     sid       = "allowGitLabRunnersAccessCache"
     effect    = "Allow"
     resources = ["${aws_s3_bucket.build_cache.arn}/*"] # tfsec:ignore:aws-iam-no-policy-wildcards # allows full access to the own bucket
+    # "IAM policy allows for data exfiltration": resources are specified below, so we can't access any other objects
+    # kics-scan ignore-line
     actions = [
       "s3:PutObject",
       "s3:PutObjectAcl",
diff --git a/modules/terminate-agent-hook/lambda/requirements.txt b/modules/terminate-agent-hook/lambda/requirements.txt
@@ -1,2 +1,2 @@
-boto3 == 1.40.30
-botocore == 1.40.30
+boto3 ==1.40.48
+botocore ==1.40.48
diff --git a/runner_policy.tf b/runner_policy.tf
@@ -111,6 +111,8 @@ resource "aws_iam_role_policy_attachment" "service_linked_role" {
 ################################################################################
 data "aws_iam_policy_document" "ssm" {
   statement {
+    # "IAM policy allows for data exfiltration": resources are specified below, so we can't access any other parameters
+    # kics-scan ignore-line
     actions = [
       "ssm:GetParameter",
       "ssm:GetParameters",

Original file line number	Diff line number	Diff line change
`@@ -5,6 +5,6 @@ plugin "terraform" {`
`5`	`5`
`6`	`6`	`plugin "aws" {`
`7`	`7`	`enabled = true`
`8`		`- version = "0.42.0"`
	`8`	`+ version = "0.43.0"`
`9`	`9`	`source = "github.com/terraform-linters/tflint-ruleset-aws"`
`10`	`10`	`}`