running acs-deploy-check
Step: acs-deploy-check
Results: /workspace/source/source/results/acs-deploy-check
Custom root CA variable is not set. Make sure CA trust is established
Running acs-deploy-check:rox-deploy-check
Using rox central endpoint central-rhacs-operator.apps.rosa.rhtap-services.xmdt.p3.openshiftapps.com:443
Using gitops repository: https://github.com/rhtap-rhdh-qe/e2e-tests-go-wtnuioea-gitops
Cloning into 'gitops'...
List of files in gitops repository root:
total 40
drwxr-sr-x. 8 root 1000960000 4096 Apr 30 12:15 .
drwxrwsr-x. 10 root 1000960000 4096 Apr 30 12:15 ..
drwxr-sr-x. 8 root 1000960000 4096 Apr 30 12:15 .git
drwxr-sr-x. 2 root 1000960000 4096 Apr 30 12:15 .tekton
drwxr-sr-x. 2 root 1000960000 4096 Apr 30 12:15 app-of-apps
-rw-r--r--. 1 root 1000960000 656 Apr 30 12:15 application.yaml
-rw-r--r--. 1 root 1000960000 679 Apr 30 12:15 catalog-info.yaml
drwxr-sr-x. 3 root 1000960000 4096 Apr 30 12:15 components
drwxr-sr-x. 2 root 1000960000 4096 Apr 30 12:15 docs
drwxr-sr-x. 2 root 1000960000 4096 Apr 30 12:15 tssc
List of components in the gitops repository:
total 4
drwxr-sr-x.
5 root 1000960000 4096 Apr 30 12:15 e2e-tests-go-wtnuioea Download roxctl cli Performing scan for e2e-tests-go-wtnuioea component ROXCTL on components/e2e-tests-go-wtnuioea/base/deployment.yaml Running acs-deploy-check:report ACS_DEPLOY_EYECATCHER_BEGIN { "results": [ { "metadata": { "id": "9357fb69-8eb4-406d-b2c4-81313e1e8a90", "additionalInfo": { "name": "e2e-tests-go-wtnuioea", "namespace": "default", "type": "Deployment" } }, "summary": { "CRITICAL": 0, "HIGH": 1, "LOW": 2, "MEDIUM": 2, "TOTAL": 5 }, "violatedPolicies": [ { "name": "Fixable Severity at least Important", "severity": "HIGH", "description": "Alert on deployments with fixable vulnerabilities with a Severity Rating at least Important", "violation": [ "Fixable CVE-2024-21626 (CVSS 8.6) (severity Important) found in component 'github.com/opencontainers/runc' (version v1.1.10) in container 'container-image', resolved by version 1.1.12", "Fixable CVE-2024-23651 (CVSS 7.4) (severity Important) found in component 'github.com/moby/buildkit' (version v0.0.0-20181107081847-c3a857e3fca0) in container 'container-image', resolved by version 0.12.5", "Fixable CVE-2024-23651 (CVSS 8.7) (severity Important) found in component 'github.com/moby/buildkit' (version v0.0.0-20181107081847-c3a857e3fca0) in container 'container-image', resolved by version 0.12.5", "Fixable CVE-2024-23652 (CVSS 10) (severity Critical) found in component 'github.com/moby/buildkit' (version v0.0.0-20181107081847-c3a857e3fca0) in container 'container-image', resolved by version 0.12.5", "Fixable CVE-2024-23652 (CVSS 9.1) (severity Critical) found in component 'github.com/moby/buildkit' (version v0.0.0-20181107081847-c3a857e3fca0) in container 'container-image', resolved by version 0.12.5", "Fixable CVE-2024-23653 (CVSS 9.8) (severity Critical) found in component 'github.com/moby/buildkit' (version v0.0.0-20181107081847-c3a857e3fca0) in container 'container-image', resolved by version 0.12.5", "Fixable CVE-2024-24557 (CVSS 7.8) (severity 
Important) found in component 'github.com/docker/docker' (version v24.0.7+incompatible) in container 'container-image', resolved by version 24.0.9+incompatible", "Fixable CVE-2024-24786 (CVSS 7.5) (severity Important) found in component 'google.golang.org/protobuf' (version v1.31.0) in container 'container-image', resolved by version 1.33.0", "Fixable CVE-2024-24790 (CVSS 9.8) (severity Critical) found in component 'stdlib' (version 1.20.12) in container 'container-image', resolved by version 1.21.11", "Fixable CVE-2024-25621 (CVSS 7.3) (severity Important) found in component 'github.com/containerd/containerd' (version v1.7.0) in container 'container-image', resolved by version 1.7.29", "Fixable CVE-2024-25621 (CVSS 7.3) (severity Important) found in component 'github.com/containerd/containerd' (version v1.7.27) in container 'container-image', resolved by version 1.7.29", "Fixable CVE-2024-25621 (CVSS 7.8) (severity Important) found in component 'github.com/containerd/containerd' (version v1.7.0) in container 'container-image', resolved by version 1.7.29", "Fixable CVE-2024-25621 (CVSS 7.8) (severity Important) found in component 'github.com/containerd/containerd' (version v1.7.27) in container 'container-image', resolved by version 1.7.29", "Fixable CVE-2024-29903 (CVSS 7.5) (severity Important) found in component 'github.com/sigstore/cosign/v2' (version v2.0.0-20260203083305-11481f04a524+dirty) in container 'container-image', resolved by version 2.2.4", "Fixable CVE-2024-3727 (CVSS 8.3) (severity Important) found in component 'github.com/containers/image/v5' (version v5.29.0) in container 'container-image', resolved by version 5.29.3", "Fixable CVE-2024-40635 (CVSS 7.8) (severity Important) found in component 'github.com/containerd/containerd' (version v1.7.0) in container 'container-image', resolved by version 1.7.27", "Fixable CVE-2024-41110 (CVSS 9.9) (severity Critical) found in component 'github.com/docker/docker' (version v24.0.7+incompatible) in container 
'container-image', resolved by version 25.0.6", "Fixable CVE-2024-45337 (CVSS 9.1) (severity Critical) found in component 'golang.org/x/crypto' (version v0.18.0) in container 'container-image', resolved by version 0.31.0", "Fixable CVE-2025-15558 (CVSS 8) (severity Important) found in component 'github.com/docker/cli' (version v28.2.2+incompatible) in container 'container-image', resolved by version 29.2.0", "Fixable CVE-2025-15558 (CVSS 8) (severity Important) found in component 'github.com/docker/cli' (version v28.2.2+incompatible) in container 'container-image', resolved by version 29.2.0+incompatible", "Fixable CVE-2025-15558 (CVSS 8) (severity Important) found in component 'github.com/docker/cli' (version v28.3.0+incompatible) in container 'container-image', resolved by version 29.2.0", "Fixable CVE-2025-15558 (CVSS 8) (severity Important) found in component 'github.com/docker/cli' (version v28.3.0+incompatible) in container 'container-image', resolved by version 29.2.0+incompatible", "Fixable CVE-2025-15558 (CVSS 8) (severity Important) found in component 'github.com/docker/cli' (version v29.0.3+incompatible) in container 'container-image', resolved by version 29.2.0", "Fixable CVE-2025-15558 (CVSS 8) (severity Important) found in component 'github.com/docker/cli' (version v29.0.3+incompatible) in container 'container-image', resolved by version 29.2.0+incompatible", "Fixable CVE-2025-21613 (CVSS 9.8) (severity Critical) found in component 'github.com/go-git/go-git/v5' (version v5.11.0) in container 'container-image', resolved by version 5.13.0", "Fixable CVE-2025-21614 (CVSS 7.5) (severity Important) found in component 'github.com/go-git/go-git/v5' (version v5.11.0) in container 'container-image', resolved by version 5.13.0", "Fixable CVE-2025-22868 (CVSS 7.5) (severity Important) found in component 'golang.org/x/oauth2' (version v0.16.0) in container 'container-image', resolved by version 0.27.0", "Fixable CVE-2025-22869 (CVSS 7.5) (severity Important) 
found in component 'golang.org/x/crypto' (version v0.18.0) in container 'container-image', resolved by version 0.35.0", "Fixable CVE-2025-31133 (CVSS 7.8) (severity Important) found in component 'github.com/opencontainers/runc' (version v1.1.10) in container 'container-image', resolved by version 1.2.8", "Fixable CVE-2025-46569 (CVSS 0) (severity Important) found in component 'github.com/open-policy-agent/opa' (version v1.1.0) in container 'container-image', resolved by version 1.4.0", "Fixable CVE-2025-52565 (CVSS 7.5) (severity Important) found in component 'github.com/opencontainers/runc' (version v1.1.10) in container 'container-image', resolved by version 1.2.8", "Fixable CVE-2025-52881 (CVSS 7.5) (severity Important) found in component 'github.com/opencontainers/runc' (version v1.1.10) in container 'container-image', resolved by version 1.2.8", "Fixable CVE-2025-52881 (CVSS 7.5) (severity Important) found in component 'github.com/opencontainers/selinux' (version v1.11.0) in container 'container-image', resolved by version 1.13.0", "Fixable CVE-2025-66506 (CVSS 7.5) (severity Important) found in component 'github.com/sigstore/fulcio' (version v1.4.3) in container 'container-image', resolved by version 1.8.3", "Fixable CVE-2025-66506 (CVSS 7.5) (severity Important) found in component 'github.com/sigstore/fulcio' (version v1.6.3) in container 'container-image', resolved by version 1.8.3", "Fixable CVE-2025-66564 (CVSS 7.5) (severity Important) found in component 'github.com/sigstore/timestamp-authority' (version v1.2.2) in container 'container-image', resolved by version 2.0.3", "Fixable CVE-2025-66564 (CVSS 7.5) (severity Important) found in component 'github.com/sigstore/timestamp-authority' (version v1.2.7) in container 'container-image', resolved by version 2.0.3", "Fixable CVE-2025-68121 (CVSS 10) (severity Critical) found in component 'stdlib' (version 1.20.12) in container 'container-image', resolved by version 1.24.13", "Fixable CVE-2025-68121 (CVSS 10) 
(severity Critical) found in component 'stdlib' (version 1.24.4) in container 'container-image', resolved by version 1.24.13", "Fixable CVE-2025-68121 (CVSS 10) (severity Critical) found in component 'stdlib' (version 1.24.6) in container 'container-image', resolved by version 1.24.13", "Fixable CVE-2025-68121 (CVSS 10) (severity Critical) found in component 'stdlib' (version 1.25.5) in container 'container-image', resolved by version 1.25.7", "Fixable CVE-2025-8959 (CVSS 7.5) (severity Important) found in component 'github.com/hashicorp/go-getter' (version v1.7.8) in container 'container-image', resolved by version 1.7.9", "Fixable CVE-2026-1229 (CVSS 9.8) (severity Critical) found in component 'github.com/cloudflare/circl' (version v1.3.7) in container 'container-image', resolved by version 1.6.3", "Fixable CVE-2026-1229 (CVSS 9.8) (severity Critical) found in component 'github.com/cloudflare/circl' (version v1.6.1) in container 'container-image', resolved by version 1.6.3", "Fixable CVE-2026-23991 (CVSS 7.5) (severity Important) found in component 'github.com/theupdateframework/go-tuf/v2' (version v2.0.2) in container 'container-image', resolved by version 2.3.1", "Fixable CVE-2026-23992 (CVSS 7.5) (severity Important) found in component 'github.com/theupdateframework/go-tuf/v2' (version v2.0.2) in container 'container-image', resolved by version 2.3.1", "Fixable CVE-2026-24051 (CVSS 7) (severity Important) found in component 'go.opentelemetry.io/otel/sdk' (version v1.37.0) in container 'container-image', resolved by version 1.40.0", "Fixable CVE-2026-24051 (CVSS 7) (severity Important) found in component 'go.opentelemetry.io/otel/sdk' (version v1.38.0) in container 'container-image', resolved by version 1.40.0", "Fixable CVE-2026-33186 (CVSS 9.1) (severity Critical) found in component 'google.golang.org/grpc' (version v1.67.3) in container 'container-image', resolved by version 1.79.3", "Fixable CVE-2026-33186 (CVSS 9.1) (severity Critical) found in component 
'google.golang.org/grpc' (version v1.70.0) in container 'container-image', resolved by version 1.79.3", "Fixable CVE-2026-33186 (CVSS 9.1) (severity Critical) found in component 'google.golang.org/grpc' (version v1.76.0) in container 'container-image', resolved by version 1.79.3", "Fixable CVE-2026-33186 (CVSS 9.1) (severity Critical) found in component 'google.golang.org/grpc' (version v1.78.0) in container 'container-image', resolved by version 1.79.3", "Fixable CVE-2026-33747 (CVSS 8.4) (severity Important) found in component 'github.com/moby/buildkit' (version v0.0.0-20181107081847-c3a857e3fca0) in container 'container-image', resolved by version 0.28.1", "Fixable CVE-2026-33747 (CVSS 8.4) (severity Important) found in component 'github.com/moby/buildkit' (version v0.23.2) in container 'container-image', resolved by version 0.28.1", "Fixable CVE-2026-33748 (CVSS 0) (severity Important) found in component 'github.com/moby/buildkit' (version v0.0.0-20181107081847-c3a857e3fca0) in container 'container-image', resolved by version 0.28.1", "Fixable CVE-2026-33748 (CVSS 0) (severity Important) found in component 'github.com/moby/buildkit' (version v0.23.2) in container 'container-image', resolved by version 0.28.1", "Fixable CVE-2026-4111 (CVSS 7.5) (severity Important) found in component 'libarchive' (version 3.5.3-6.el9_6) in container 'container-image', resolved by version 0:3.5.3-7.el9_7" ], "remediation": "Use your package manager to update to a fixed version in future builds or speak with your security team to mitigate the vulnerabilities.", "failingCheck": false }, { "name": "30-Day Scan Age", "severity": "MEDIUM", "description": "Alert on deployments with images that haven't been scanned in 30 days", "violation": [ "Container 'container-image' has image last scanned at 2026-03-31 04:12:53 (UTC)" ], "remediation": "Integrate a scanner with the StackRox Kubernetes Security Platform to trigger scans automatically.", "failingCheck": false }, { "name": "Pod 
Service Account Token Automatically Mounted", "severity": "MEDIUM", "description": "Protect pod default service account tokens from compromise by minimizing the mounting of the default service account token to only those pods whose application requires interaction with the Kubernetes API.", "violation": [ "Deployment mounts the service account tokens.", "Namespace has name 'default'", "Service Account is set to 'default'" ], "remediation": "Add `automountServiceAccountToken: false` or a value distinct from 'default' for the `serviceAccountName` key to the deployment's Pod configuration.", "failingCheck": false }, { "name": "Docker CIS 4.1: Ensure That a User for the Container Has Been Created", "severity": "LOW", "description": "Containers should run as a non-root user", "violation": [ "Container 'container-image' has image with user 'root'" ], "remediation": "Ensure that the Dockerfile for each container switches from the root user", "failingCheck": false }, { "name": "Red Hat Package Manager in Image", "severity": "LOW", "description": "Alert on deployments with components of the Red Hat/Fedora/CentOS package management system.", "violation": [ "Container 'container-image' includes component 'microdnf' (version 3.9.1-3.el9)", "Container 'container-image' includes component 'rpm' (version 4.16.1.3-39.el9)" ], "remediation": "Run `rpm -e --nodeps $(rpm -qa '*rpm*' '*dnf*' '*libsolv*' '*hawkey*' 'yum*')` in the image build for production containers.", "failingCheck": false } ] } ], "summary": { "CRITICAL": 0, "HIGH": 1, "LOW": 2, "MEDIUM": 2, "TOTAL": 5 } } ACS_DEPLOY_EYECATCHER_END