stackrox
diff --git a/‎.github/workflows/build.yml‎
Lines changed: 12 additions & 10 deletions b/‎.github/workflows/build.yml‎
Lines changed: 12 additions & 10 deletions
diff --git a/‎.github/workflows/e2e.yml‎
Lines changed: 19 additions & 13 deletions b/‎.github/workflows/e2e.yml‎
Lines changed: 19 additions & 13 deletions
diff --git a/‎.github/workflows/style.yml‎
Lines changed: 6 additions & 0 deletions b/‎.github/workflows/style.yml‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎.github/workflows/test.yml‎
Lines changed: 2 additions & 2 deletions b/‎.github/workflows/test.yml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎.shellcheckrc‎
Lines changed: 9 additions & 0 deletions b/‎.shellcheckrc‎
Lines changed: 9 additions & 0 deletions
diff --git a/‎Makefile‎
Lines changed: 11 additions & 0 deletions b/‎Makefile‎
Lines changed: 11 additions & 0 deletions
diff --git a/‎README.md‎
Lines changed: 20 additions & 0 deletions b/‎README.md‎
Lines changed: 20 additions & 0 deletions
diff --git a/‎e2e-tests/scripts/build-mcpchecker.sh‎
Lines changed: 2 additions & 2 deletions b/‎e2e-tests/scripts/build-mcpchecker.sh‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎e2e-tests/scripts/run-tests.sh‎
Lines changed: 20 additions & 20 deletions b/‎e2e-tests/scripts/run-tests.sh‎
Lines changed: 20 additions & 20 deletions
diff --git a/‎e2e-tests/scripts/smoke-test-mock.sh‎
Lines changed: 10 additions & 10 deletions b/‎e2e-tests/scripts/smoke-test-mock.sh‎
Lines changed: 10 additions & 10 deletions
@@ -67,13 +67,15 @@ jobs:
 
       - name: Generate build summary
         run: |
-          echo "## Build Summary" >> $GITHUB_STEP_SUMMARY
-          echo "" >> $GITHUB_STEP_SUMMARY
-          echo "**Registry**: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}" >> $GITHUB_STEP_SUMMARY
-          echo "" >> $GITHUB_STEP_SUMMARY
-          echo "**Tags**:" >> $GITHUB_STEP_SUMMARY
-          echo '```' >> $GITHUB_STEP_SUMMARY
-          echo "${{ steps.meta.outputs.tags }}" >> $GITHUB_STEP_SUMMARY
-          echo '```' >> $GITHUB_STEP_SUMMARY
-          echo "" >> $GITHUB_STEP_SUMMARY
-          echo "**Platforms**: linux/amd64, linux/arm64, linux/ppc64le, linux/s390x" >> $GITHUB_STEP_SUMMARY
+          {
+            echo "## Build Summary"
+            echo ""
+            echo "**Registry**: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}"
+            echo ""
+            echo "**Tags**:"
+            echo '```'
+            echo "${{ steps.meta.outputs.tags }}"
+            echo '```'
+            echo ""
+            echo "**Platforms**: linux/amd64, linux/arm64, linux/ppc64le, linux/s390x"
+          } >> "$GITHUB_STEP_SUMMARY"
@@ -53,25 +53,31 @@ jobs:
             cd e2e-tests/mcpchecker
 
             # Get stats in GitHub Actions format
-            ../../e2e-tests/bin/mcpchecker summary mcpchecker-stackrox-mcp-e2e-out.json --github-output >> $GITHUB_OUTPUT
+            ../../e2e-tests/bin/mcpchecker summary mcpchecker-stackrox-mcp-e2e-out.json --github-output >> "$GITHUB_OUTPUT"
 
             # Get human-readable summary for PR comment
             SUMMARY=$(../../e2e-tests/bin/mcpchecker summary mcpchecker-stackrox-mcp-e2e-out.json)
-            echo "summary<<EOF" >> $GITHUB_OUTPUT
-            echo "$SUMMARY" >> $GITHUB_OUTPUT
-            echo "EOF" >> $GITHUB_OUTPUT
+            {
+              echo "summary<<EOF"
+              echo "$SUMMARY"
+              echo "EOF"
+            } >> "$GITHUB_OUTPUT"
 
             # Add to GitHub Actions step summary
-            echo "## E2E Test Results" >> $GITHUB_STEP_SUMMARY
-            echo "" >> $GITHUB_STEP_SUMMARY
-            echo '```' >> $GITHUB_STEP_SUMMARY
-            echo "$SUMMARY" >> $GITHUB_STEP_SUMMARY
-            echo '```' >> $GITHUB_STEP_SUMMARY
+            {
+              echo "## E2E Test Results"
+              echo ""
+              echo '```'
+              echo "$SUMMARY"
+              echo '```'
+            } >> "$GITHUB_STEP_SUMMARY"
           else
-            echo "total=0" >> $GITHUB_OUTPUT
-            echo "passed=0" >> $GITHUB_OUTPUT
-            echo "failed=0" >> $GITHUB_OUTPUT
-            echo "summary=No results file found" >> $GITHUB_OUTPUT
+            {
+              echo "total=0"
+              echo "passed=0"
+              echo "failed=0"
+              echo "summary=No results file found"
+            } >> "$GITHUB_OUTPUT"
           fi
 
       - name: Find existing comment
 
@@ -66,3 +66,9 @@ jobs:
 
       - name: Run chart-testing (lint)
         run: ct lint charts/stackrox-mcp --validate-maintainers=false --all
+
+      - name: Run shellcheck
+        run: make shell-lint
+
+      - name: Run actionlint
+        run: make actionlint
@@ -33,7 +33,7 @@ jobs:
           if [ -n "$(git status --porcelain)" ]; then
             echo "Error: go.mod or go.sum files are not up to date"
             echo "Modified files:"
-            git status --porcelain
+            git diff
             echo ""
             echo "Please run 'go mod tidy' in all directories containing go.mod and commit the changes"
             exit 1
@@ -53,6 +53,6 @@ jobs:
       - name: Upload coverage to Codecov
         uses: codecov/codecov-action@v5
         with:
-          file: ./coverage.out
+          files: ./coverage.out
           token: ${{ secrets.CODECOV_TOKEN }}
           fail_ci_if_error: false
@@ -0,0 +1,9 @@
+# Follow external sources (equivalent to -x flag)
+external-sources=true
+
+# Enable all optional checks
+enable=all
+
+# Exclude checks that are too noisy
+# SC2312: Consider invoking this command separately to avoid masking its return value
+exclude=SC2312
@@ -91,6 +91,17 @@ lint: ## Run golangci-lint
 	go install -v "github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.6"
 	golangci-lint run
 
+.PHONY: shell-lint
+shell-lint: ## Run shellcheck on shell scripts
+	@echo "Running shellcheck..."
+	@shellcheck scripts/*.sh e2e-tests/scripts/*.sh
+
+.PHONY: actionlint
+actionlint: ## Run actionlint on GitHub Actions workflows
+	@echo "Running actionlint..."
+	@cd e2e-tests/tools && go build -o ../../bin/actionlint github.com/rhysd/actionlint/cmd/actionlint
+	@./bin/actionlint -color
+
 ##############
 ## Protobuf ##
 ##############
 
@@ -409,3 +409,23 @@ Common commands:
 - `make test` - Run tests
 - `make fmt` - Format code
 - `make lint` - Run linter
+
+### Code Style Checks
+
+The project enforces several code style checks:
+
+- **Go formatting**: `make fmt-check` (or `make fmt` to auto-fix)
+- **Go linting**: `make lint`
+- **Shell scripts**: `make shell-lint`
+- **GitHub Actions workflows**: `make actionlint`
+- **Dockerfile**: `make dockerfile-lint`
+- **Helm charts**: `make helm-lint`
+
+All checks run automatically in CI on pull requests.
+
+#### Shell Script Guidelines
+
+- All scripts must pass `shellcheck` with no errors
+- Use `set -e` for error handling
+- Use `SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"` for directory detection
+- Include cleanup traps for temporary resources (see existing scripts for examples)
@@ -4,9 +4,9 @@ set -e
 E2E_DIR="$(cd "$(dirname "$0")/.." && pwd)"
 
 echo "Building mcpchecker from tool dependencies..."
-cd "$E2E_DIR/tools"
+cd "${E2E_DIR}/tools"
 go build -o ../bin/mcpchecker github.com/mcpchecker/mcpchecker/cmd/mcpchecker
 
 echo "mcpchecker built successfully"
-cd "$E2E_DIR"
+cd "${E2E_DIR}"
 ./bin/mcpchecker help
@@ -2,15 +2,15 @@
 set -e
 
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
-E2E_DIR="$(dirname "$SCRIPT_DIR")"
-ROOT_DIR="$(dirname "$E2E_DIR")"
+E2E_DIR="$(dirname "${SCRIPT_DIR}")"
+ROOT_DIR="$(dirname "${E2E_DIR}")"
 
 # Cleanup function
 WIREMOCK_WAS_STARTED=false
 cleanup() {
-    if [ "$WIREMOCK_WAS_STARTED" = true ]; then
+    if [[ "${WIREMOCK_WAS_STARTED}" = true ]]; then
         echo "Stopping WireMock..."
-        cd "$ROOT_DIR"
+        cd "${ROOT_DIR}"
         make mock-stop > /dev/null 2>&1 || true
     fi
 }
@@ -23,16 +23,16 @@ echo "════════════════════════
 echo ""
 
 # Load environment variables
-if [ -f "$E2E_DIR/.env" ]; then
+if [[ -f "${E2E_DIR}/.env" ]]; then
     echo "Loading environment variables from .env..."
     # shellcheck source=/dev/null
-    set -a && source "$E2E_DIR/.env" && set +a
+    set -a && source "${E2E_DIR}/.env" && set +a
 fi
 
 # Check if WireMock is already running
 if ! curl -skf https://localhost:8081/__admin/mappings > /dev/null 2>&1; then
     echo "Starting WireMock mock service..."
-    cd "$ROOT_DIR"
+    cd "${ROOT_DIR}"
     make mock-start
     WIREMOCK_WAS_STARTED=true
 else
@@ -45,55 +45,55 @@ export STACKROX_MCP__CENTRAL__API_TOKEN="test-token-admin"
 export STACKROX_MCP__CENTRAL__INSECURE_SKIP_TLS_VERIFY="true"
 
 # Check OpenAI API key for judge
-if [ -z "$OPENAI_API_KEY" ]; then
+if [[ -z "${OPENAI_API_KEY}" ]]; then
     echo "Warning: OPENAI_API_KEY is not set (needed for LLM judge)"
     echo "Note: mcpchecker only supports OpenAI-compatible APIs for the judge"
 fi
 
 # Build mcpchecker if not present
-if [ ! -f "$E2E_DIR/bin/mcpchecker" ]; then
+if [[ ! -f "${E2E_DIR}/bin/mcpchecker" ]]; then
     echo "mcpchecker binary not found. Building..."
-    "$SCRIPT_DIR/build-mcpchecker.sh"
+    "${SCRIPT_DIR}/build-mcpchecker.sh"
     echo ""
 fi
 
 
 # Set agent environment variables (use OpenAI)
 export MODEL_BASE_URL="${MODEL_BASE_URL:-https://api.openai.com/v1}"
-export MODEL_KEY="${MODEL_KEY:-$OPENAI_API_KEY}"
+export MODEL_KEY="${MODEL_KEY:-${OPENAI_API_KEY}}"
 export MODEL_NAME="${MODEL_NAME:-gpt-5-nano}"
 
 # Set judge environment variables (use OpenAI)
 export JUDGE_BASE_URL="${JUDGE_BASE_URL:-https://api.openai.com/v1}"
-export JUDGE_API_KEY="${JUDGE_API_KEY:-$OPENAI_API_KEY}"
+export JUDGE_API_KEY="${JUDGE_API_KEY:-${OPENAI_API_KEY}}"
 export JUDGE_MODEL_NAME="${JUDGE_MODEL_NAME:-gpt-5-nano}"
 
 echo "Configuration:"
-echo "  Central URL: $STACKROX_MCP__CENTRAL__URL (WireMock)"
-echo "  Agent: $MODEL_NAME (OpenAI)"
-echo "  Judge: $JUDGE_MODEL_NAME (OpenAI)"
+echo "  Central URL: ${STACKROX_MCP__CENTRAL__URL} (WireMock)"
+echo "  Agent: ${MODEL_NAME} (OpenAI)"
+echo "  Judge: ${JUDGE_MODEL_NAME} (OpenAI)"
 echo "  MCP Server: stackrox-mcp (via go run)"
 echo ""
 
 # Run mcpchecker
-cd "$E2E_DIR/mcpchecker"
+cd "${E2E_DIR}/mcpchecker"
 echo "Running mcpchecker tests..."
 echo ""
 
 EVAL_FILE="eval.yaml"
-echo "Using eval file: $EVAL_FILE"
-"$E2E_DIR/bin/mcpchecker" check "$EVAL_FILE"
+echo "Using eval file: ${EVAL_FILE}"
+"${E2E_DIR}/bin/mcpchecker" check "${EVAL_FILE}"
 
 EXIT_CODE=$?
 
 echo ""
-if [ $EXIT_CODE -eq 0 ]; then
+if [[ "${EXIT_CODE}" -eq 0 ]]; then
     echo "══════════════════════════════════════════════════════════"
     echo "  Tests Completed Successfully!"
     echo "══════════════════════════════════════════════════════════"
 else
     echo "══════════════════════════════════════════════════════════"
     echo "  Tests Failed"
     echo "══════════════════════════════════════════════════════════"
-    exit $EXIT_CODE
+    exit "${EXIT_CODE}"
 fi
@@ -2,8 +2,8 @@
 set -e
 
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
-E2E_DIR="$(dirname "$SCRIPT_DIR")"
-ROOT_DIR="$(dirname "$E2E_DIR")"
+E2E_DIR="$(dirname "${SCRIPT_DIR}")"
+ROOT_DIR="$(dirname "${E2E_DIR}")"
 
 echo "══════════════════════════════════════════════════════════"
 echo "  WireMock Integration Smoke Test"
@@ -12,14 +12,14 @@ echo ""
 
 # Start WireMock
 echo "1. Starting WireMock..."
-cd "$ROOT_DIR"
+cd "${ROOT_DIR}"
 make mock-stop > /dev/null 2>&1 || true
 make mock-start
 
 # Wait for WireMock to be ready
 echo ""
 echo "2. Waiting for WireMock to be ready..."
-for i in {1..10}; do
+for _ in {1..10}; do
     if nc -z localhost 8081 2>/dev/null; then
         echo "✓ WireMock is ready"
         break
@@ -30,7 +30,7 @@ done
 # Test MCP server can connect
 echo ""
 echo "3. Testing MCP server connection..."
-cd "$ROOT_DIR"
+cd "${ROOT_DIR}"
 
 # Run MCP server and test a simple tool call
 timeout 10 bash -c '
@@ -50,29 +50,29 @@ echo "4. Testing WireMock responses..."
 AUTH_RESULT=$(grpcurl -insecure -H "Authorization: Bearer test-token-admin" \
   -d '{}' localhost:8081 v1.ClustersService/GetClusters 2>&1 || true)
 
-if echo "$AUTH_RESULT" | grep -q "clusters"; then
+if echo "${AUTH_RESULT}" | grep -q "clusters"; then
     echo "✓ Authentication works"
 else
     echo "✗ Authentication failed"
-    echo "$AUTH_RESULT"
+    echo "${AUTH_RESULT}"
 fi
 
 # Test CVE query
 CVE_RESULT=$(grpcurl -insecure -H "Authorization: Bearer test-token-admin" \
   -d '{"query": "CVE:\"CVE-2021-44228\""}' \
   localhost:8081 v1.DeploymentService/ListDeployments 2>&1 || true)
 
-if echo "$CVE_RESULT" | grep -q "deployments"; then
+if echo "${CVE_RESULT}" | grep -q "deployments"; then
     echo "✓ CVE query returns data"
 else
     echo "✗ CVE query failed"
-    echo "$CVE_RESULT"
+    echo "${CVE_RESULT}"
 fi
 
 # Cleanup
 echo ""
 echo "5. Cleaning up..."
-cd "$ROOT_DIR"
+cd "${ROOT_DIR}"
 make mock-stop
 
 echo ""