stackrox
diff --git a/‎.github/workflows/style.yml‎
Lines changed: 30 additions & 0 deletions b/‎.github/workflows/style.yml‎
Lines changed: 30 additions & 0 deletions
diff --git a/‎Dockerfile‎
Lines changed: 5 additions & 3 deletions b/‎Dockerfile‎
Lines changed: 5 additions & 3 deletions
diff --git a/‎charts/stackrox-mcp/.helmignore‎
Lines changed: 7 additions & 0 deletions b/‎charts/stackrox-mcp/.helmignore‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎charts/stackrox-mcp/Chart.yaml‎
Lines changed: 14 additions & 0 deletions b/‎charts/stackrox-mcp/Chart.yaml‎
Lines changed: 14 additions & 0 deletions
@@ -36,3 +36,33 @@ jobs:
         uses: hadolint/hadolint-action@v3.3.0
         with:
           dockerfile: Dockerfile
+
+      - name: Create ../results directory for SARIF report files
+        shell: bash
+        run: mkdir -p ../results
+
+      - name: Scan Helm with kube-linter
+        uses: stackrox/kube-linter-action@v1.0.7
+        id: kube-linter-helm-scan
+        with:
+          directory: charts/stackrox-mcp
+          format: sarif
+          output-file: ../results/kube-linter.sarif
+        # This allows the following upload-sarif action to still upload the results to your GitHub repo.
+        continue-on-error: true
+
+      - name: Upload SARIF report files to GitHub
+        uses: github/codeql-action/upload-sarif@v4
+
+      # Ensure the workflow eventually fails if files did not pass kube-linter checks.
+      - name: Verify kube-linter-action succeeded
+        shell: bash
+        run: |
+          echo "If this step fails, kube-linter found issues. Check the output of the scan step above."
+          [[ "${{ steps.kube-linter-helm-scan.outcome }}" == "success" ]]
+
+      - name: Set up chart-testing
+        uses: helm/chart-testing-action@v2.8.0
+
+      - name: Run chart-testing (lint)
+        run: ct lint charts/stackrox-mcp --validate-maintainers=false --all
@@ -50,10 +50,12 @@ WORKDIR /app
 # Copy binary from builder
 COPY --from=builder /tmp/stackrox-mcp /app/stackrox-mcp
 
-# Set ownership to non-root user
-RUN chown -R 4000:4000 /app
+# Set ownership for OpenShift arbitrary UID support
+# Files owned by 4000, group 0 (root), with group permissions matching user
+RUN chown -R 4000:0 /app && \
+    chmod -R g=u /app
 
-# Switch to non-root user
+# Switch to non-root user (can be overridden by OpenShift SCC)
 USER 4000
 
 # Expose port for MCP server
 
@@ -0,0 +1,7 @@
+# Patterns to ignore when packaging
+.git/
+.gitignore
+*.swp
+*.bak
+*.tmp
+.DS_Store
@@ -0,0 +1,14 @@
+apiVersion: v2
+name: stackrox-mcp
+description: A Helm chart for StackRox Model Context Protocol (MCP) Server
+type: application
+version: 0.1.0
+appVersion: "dev"
+home: https://github.com/stackrox/stackrox-mcp
+sources:
+  - https://github.com/stackrox/stackrox-mcp
+keywords:
+  - stackrox
+  - mcp
+  - security
+  - vulnerability