run SAST scans during pipeline run

align with g/g and merge check and test steps into a verify step

.ci/pipeline_definitions

@@ -24,10 +24,10 @@ terminal-controller-manager:
                 integrity_requirement: 'high'
                 availability_requirement: 'low'
     steps:
-      check:
-        image: 'golang:1.23.2'
-      test:
+      verify:
         image: 'golang:1.23.2'
+        vars:
+          TEST_COV: '"yes"'
   jobs:
     head-update:
       traits:
@@ -46,6 +46,17 @@ terminal-controller-manager:
           ocm_repository: europe-docker.pkg.dev/gardener-project/releases
         release:
           nextversion: 'bump_minor'
+          assets:
+            - type: build-step-log
+              step_name: verify
+              purposes:
+                - lint
+                - sast
+                - gosec
+              comment: |
+                we use gosec (linter) for SAST scans
+                see: https://github.com/securego/gosec
+                enabled by https://github.com/gardener/terminal-controller-manager/pull/328
         slack:
           default_channel: 'internal_scp_workspace'
           channel_cfgs:

.ci/check → .ci/verify

@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 
-# SPDX-FileCopyrightText: 2021 SAP SE or an SAP affiliate company and Gardener contributors
+# SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Gardener contributors
 #
 # SPDX-License-Identifier: Apache-2.0
 
@@ -16,5 +16,12 @@ fi
 export SOURCE_PATH="$(readlink -f "$SOURCE_PATH")"
 
 export GOLANGCI_LINT_ADDITIONAL_FLAGS="--verbose --timeout 2m"
+export GO_TEST_ADDITIONAL_FLAGS="-race"
 
-"${SOURCE_PATH}"/hack/golangci-lint.sh
+if [ "${TEST_COV+yes}" = yes ] ; then
+  # supposed to be run in release jobs
+  make verify-extended
+else
+  # run test instead of test-cov to speed-up jobs, as coverage slows down tests significantly
+  make check-generate verify
+fi

Makefile

@@ -70,32 +70,50 @@ help: ## Display this help.
 
 ##@ Development
 
+.PHONY: tidy
+tidy: ## Clean up go.mod and go.sum by removing unused dependencies.
+	go mod tidy
+
+.PHONY: clean
+clean: ## Remove generated files and clean up directories.
+	@hack/clean.sh ./api/... ./charts/... ./controllers/... ./internal/... ./test/... ./webhooks/...
+
 .PHONY: manifests
-manifests: $(CONTROLLER_GEN) ## Generate ClusterRole object.
-	$(CONTROLLER_GEN) crd paths="./controllers/..." paths="./api/..." output:crd:dir=charts/terminal/charts/application/crd-gen
+manifests: $(CONTROLLER_GEN) ## Generate CustomResourceDefinition object.
+	$(CONTROLLER_GEN) crd paths="./api/..." output:crd:dir=charts/terminal/charts/application/crd-gen
 
 .PHONY: generate
-generate: $(CONTROLLER_GEN) ## Generate code containing DeepCopy, DeepCopyInto, and DeepCopyObject method implementations.
+generate: manifests $(CONTROLLER_GEN) fmt ## Generate code containing DeepCopy, DeepCopyInto, and DeepCopyObject method implementations.
 	$(CONTROLLER_GEN) object:headerFile="hack/boilerplate.go.txt" paths="./controllers/..." paths="./api/..."
 
 .PHONY: fmt
 fmt: ## Run go fmt against code.
 	go fmt ./...
 
+.PHONY: check-generate
+check-generate: ## Verify if code generation is up-to-date by running generate and checking for changes.
+	@hack/check-generate.sh $(REPO_ROOT)
+
 .PHONY: lint
 lint: ## Run golangci-lint against code.
 	@./hack/golangci-lint.sh
 
 .PHONY: sast
-sast: $(GOSEC)
+sast: $(GOSEC) ## Run gosec against code
 	@./hack/sast.sh
 
 .PHONY: sast-report
-sast-report: $(GOSEC)
+sast-report: $(GOSEC) ## Run gosec against code and export report to SARIF.
 	@./hack/sast.sh --gosec-report true
 
 .PHONY: test
-test: manifests generate fmt lint go-test sast ## Run tests.
+test: generate lint go-test sast ## Run tests.
+
+.PHONY: verify ## Run basic verification including linting, tests, and static analysis.
+verify: lint go-test sast
+
+.PHONY: verify-extended ## Run extended verification including code generation check, linting, tests, and detailed static analysis report.
+verify-extended: check-generate lint go-test sast-report
 
 .PHONY: go-test
 go-test: ## Run go tests.
@@ -111,11 +129,11 @@ bootstrap-dev: ## Install example resources into a dev cluster
 ##@ Build
 
 .PHONY: build
-build: generate fmt lint ## Build manager binary.
+build: generate lint ## Build manager binary.
 	go build -o bin/manager main.go
 
 .PHONY: run
-run: manifests generate fmt lint ## Run a controller from your host.
+run: generate lint ## Run a controller from your host.
 	go run ./main.go
 
 .PHONY: docker-build

hack/check-generate.sh

@@ -0,0 +1,130 @@
+#!/usr/bin/env bash
+#
+# SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Gardener contributors
+#
+# SPDX-License-Identifier: Apache-2.0
+
+set -e
+
+echo "> Generate"
+
+makefile="$1/Makefile"
+check_branch="__check"
+initialized_git=false
+stashed=false
+checked_out=false
+generated=false
+
+function delete-check-branch {
+  git rev-parse --verify "$check_branch" &>/dev/null && git branch -q -D "$check_branch" || :
+}
+
+function cleanup {
+  if [[ "$generated" == true ]]; then
+    if ! clean_err="$(make -f "$makefile" clean && git reset --hard -q && git clean -qdf)"; then
+      echo "Could not clean: $clean_err"
+    fi
+  fi
+
+  if [[ "$checked_out" == true ]]; then
+    if ! checkout_err="$(git checkout -q -)"; then
+      echo "Could not checkout to previous branch: $checkout_err"
+    fi
+  fi
+
+  if [[ "$stashed" == true ]]; then
+    if ! stash_err="$(git stash pop -q)"; then
+      echo "Could not pop stash: $stash_err"
+    fi
+  fi
+
+  if [[ "$initialized_git" == true ]]; then
+    if ! rm_err="$(rm -rf .git)"; then
+      echo "Could not delete git directory: $rm_err"
+    fi
+  fi
+
+  delete-check-branch
+}
+
+trap cleanup EXIT SIGINT SIGTERM
+
+if which git &>/dev/null; then
+  if ! git rev-parse --git-dir &>/dev/null; then
+    initialized_git=true
+    git init -q
+    git add --all
+    git config --global user.name 'Gardener'
+    git config --global user.email 'gardener@cloud'
+    git commit -q --allow-empty -m 'initial commit'
+  fi
+
+  if [[ "$(git rev-parse --abbrev-ref HEAD)" == "$check_branch" ]]; then
+    echo "Already on check branch, aborting"
+    exit 1
+  fi
+  delete-check-branch
+
+  if [[ "$(git status -s)" != "" ]]; then
+    stashed=true
+    git stash --include-untracked -q
+    git stash apply -q &>/dev/null
+  fi
+
+  checked_out=true
+  git checkout -q -b "$check_branch"
+  git add --all
+  git commit -q --allow-empty -m 'checkpoint'
+
+  old_status="$(git status -s)"
+  if ! out=$(make -f "$makefile" clean 2>&1); then
+    echo "Error during calling make clean: $out"
+    exit 1
+  fi
+
+  echo ">> make generate"
+  generated=true
+  if ! out=$(make -f "$makefile" generate 2>&1); then
+    echo "Error during calling make generate: $out"
+    exit 1
+  fi
+  new_status="$(git status -s)"
+
+  if [[ "$old_status" != "$new_status" ]]; then
+    echo "make generate needs to be run:"
+    echo "$new_status"
+    exit 1
+  fi
+
+  repo_root="$(git rev-parse --show-toplevel)"
+  if [[ -d "$repo_root/vendor" ]]; then
+    echo ">> make revendor"
+    if ! out=$(make -f "$makefile" revendor 2>&1); then
+      echo "Error during calling make revendor: $out"
+      exit 1
+    fi
+    new_status="$(git status -s)"
+
+    if [[ "$old_status" != "$new_status" ]]; then
+      echo "make revendor needs to be run:"
+      echo "$new_status"
+      exit 1
+    fi
+  else
+    echo ">> make tidy"
+    if ! out=$(make -f "$makefile" tidy 2>&1); then
+      echo "Error during calling make tidy: $out"
+      exit 1
+    fi
+    new_status="$(git status -s)"
+
+    if [[ "$old_status" != "$new_status" ]]; then
+      echo "make tidy needs to be run:"
+      echo "$new_status"
+      exit 1
+    fi
+  fi
+else
+  echo "No git detected, cannot run make check-generate"
+fi
+exit 0

hack/clean.sh

@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+#
+# SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Gardener contributors
+#
+# SPDX-License-Identifier: Apache-2.0
+
+set -e
+
+echo "> Clean"
+
+for source_tree in $@; do
+  find "$(dirname "$source_tree")" -type f -name "zz_*.go" -exec rm '{}' \;
+  find "$(dirname "$source_tree")" -type f -name "generated.proto" -exec rm '{}' \;
+  find "$(dirname "$source_tree")" -type f -name "generated.pb.go" -exec rm '{}' \;
+  find "$(dirname "$source_tree")" -type f -name "openapi_generated.go" -exec rm '{}' \;
+  grep -lr '// Code generated by MockGen. DO NOT EDIT' "$(dirname "$source_tree")" | xargs rm -f
+  grep -lr '// Code generated by client-gen. DO NOT EDIT' "$(dirname "$source_tree")" | xargs rm -f
+  grep -lr '// Code generated by informer-gen. DO NOT EDIT' "$(dirname "$source_tree")" | xargs rm -f
+  grep -lr '// Code generated by lister-gen. DO NOT EDIT' "$(dirname "$source_tree")" | xargs rm -f
+done
+
+if [ -d "$PWD/docs/api-reference" ]; then
+  find ./docs/api-reference/ -type f -name "*.md" ! -name "README.md" -exec rm '{}' \;
+fi