feat(Conftest): Upgrade Conftest from v0.23.0 to v0.25.0 and use --no…

…-fail flag

Resolves: #512

Signed-off-by: Daniel Pacak <pacak.daniel@gmail.com>

deploy/helm/values.yaml

@@ -271,7 +271,7 @@ polaris:
 
 conftest:
   # imageRef the image reference
-  imageRef: docker.io/openpolicyagent/conftest:v0.23.0
+  imageRef: docker.io/openpolicyagent/conftest:v0.25.0
 
 rbac:
   create: true

deploy/static/05-starboard-operator.config.yaml

@@ -12,7 +12,7 @@ data:
   trivy.mode: Standalone
   trivy.serverURL: http://trivy-server.trivy-server:4954
   polaris.imageRef: quay.io/fairwinds/polaris:3.2
-  conftest.imageRef: openpolicyagent/conftest:v0.23.0
+  conftest.imageRef: openpolicyagent/conftest:v0.25.0
   kube-bench.imageRef: docker.io/aquasec/kube-bench:0.5.0
 ---
 apiVersion: v1

docs/settings.md

@@ -75,7 +75,7 @@ The following tables list available configuration settings with their default va
 | `kube-hunter.quick`            | `"false"`                                              | Whether to use kube-hunter's "quick" scanning mode (subnet 24). Set to `"true"` to enable. |
 | `polaris.imageRef`             | `quay.io/fairwinds/polaris:3.2`                        | Polaris image reference |
 | `polaris.config.yaml`          | [Check the default value here][default-polaris-config] | Polaris configuration file |
-| `conftest.imageRef`            | `docker.io/openpolicyagent/conftest:v0.23.0`           | Conftest image reference |
+| `conftest.imageRef`            | `docker.io/openpolicyagent/conftest:v0.25.0`           | Conftest image reference |
 
 | SECRET KEY                  | DESCRIPTION |
 | --------------------------- | ----------- |

itest/matcher/matcher.go

@@ -29,7 +29,7 @@ var (
 	conftestScanner = v1alpha1.Scanner{
 		Name:    "Conftest",
 		Vendor:  "Open Policy Agent",
-		Version: "v0.23.0",
+		Version: "v0.25.0",
 	}
 )
 

itest/starboard-operator/configauditreport/conftest/suite_test.go

@@ -94,7 +94,7 @@ var _ = BeforeSuite(func() {
 		},
 		Data: map[string]string{
 			"configAuditReports.scanner": "Conftest",
-			"conftest.imageRef":          "docker.io/openpolicyagent/conftest:v0.23.0",
+			"conftest.imageRef":          "docker.io/openpolicyagent/conftest:v0.25.0",
 		},
 	}
 	err = kubeClient.Create(context.Background(), starboardCM)

pkg/plugin/conftest/plugin.go

@@ -152,7 +152,7 @@ func (p *plugin) GetScanJobSpec(ctx starboard.PluginContext, obj client.Object)
 					// TODO Follow up with Conftest maintainers to allow returning 0 exit code in case of failures
 					Args: []string{
 						"-c",
-						"conftest test --output json --all-namespaces --policy /project/policy /project/workload.yaml || true",
+						"conftest test --no-fail --output json --all-namespaces --policy /project/policy /project/workload.yaml",
 					},
 					SecurityContext: &corev1.SecurityContext{
 						Privileged:               pointer.BoolPtr(false),

pkg/plugin/conftest/plugin_test.go

@@ -134,7 +134,7 @@ func TestPlugin_GetScanJobSpec(t *testing.T) {
 				}),
 				"Args": Equal([]string{
 					"-c",
-					"conftest test --output json --all-namespaces --policy /project/policy /project/workload.yaml || true",
+					"conftest test --no-fail --output json --all-namespaces --policy /project/policy /project/workload.yaml",
 				}),
 				"SecurityContext": Equal(&corev1.SecurityContext{
 					Privileged:               pointer.BoolPtr(false),

pkg/starboard/config.go

@@ -279,7 +279,7 @@ func GetDefaultConfig() ConfigData {
 
 		"polaris.imageRef": "quay.io/fairwinds/polaris:3.2",
 
-		"conftest.imageRef": "openpolicyagent/conftest:v0.23.0",
+		"conftest.imageRef": "openpolicyagent/conftest:v0.25.0",
 	}
 }