feat(testing): add arm64 testing infra (#7998)

* add arm64 testing infra

* add arm64 testing infra

* bump images

* ci

* update e2e infra

* update e2e infra

* improve docker ubi 8 to support arm

* improve docker ubi 8 to support arm

* improve docker ubi 8 to support arm

* improve docker ubi 8 to support arm

* fix vulnerabilities

* fix vulnerabilities

* fix vulnerabilities

* fix vulnerabilities

* fix vulnerabilities

---------

Co-authored-by: cx-miguel-silva <100352574+cx-miguel-silva@users.noreply.github.com>
Co-authored-by: Artur Ribeiro <153724638+cx-artur-ribeiro@users.noreply.github.com>

Author: cx-miguel-dasilva

.github/workflows/go-ci.yml

@@ -40,7 +40,7 @@ jobs:
     strategy:
       matrix:
         go-version: [1.25.x]
-        os: [ubuntu-latest, windows-2022, macos-latest]
+        os: [ubuntu-latest, ubuntu-24.04-arm, windows-2022, macos-latest]
     runs-on: ${{ matrix.os }}
     steps:
       - name: Set up Go
@@ -88,7 +88,7 @@ jobs:
         if: always()
         uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
-          name: unit-test-${{ runner.os }}-${{ github.event.pull_request.head.sha }}.log
+          name: unit-test-${{ matrix.os }}-${{ github.event.pull_request.head.sha }}.log
           path: unit-test.log
   security-scan:
     name: security-scan

.github/workflows/go-e2e-debian.yaml

@@ -5,14 +5,22 @@ on:
     branches: [master]
 
 jobs:
-  e2e-debian-tests:
-    name: e2e-debian-tests
+  e2e-tests:
+    name: e2e-tests-${{ matrix.config.tag_suffix }}
     strategy:
       fail-fast: false
       matrix:
         go-version: [1.25.x]
-        os: [ubuntu-latest]
-    runs-on: ${{ matrix.os }}
+        config:
+          - os: ubuntu-latest
+            platform: linux/amd64
+            dockerfile: docker/Dockerfile.debian
+            tag_suffix: debian-amd64
+          - os: ubuntu-24.04-arm
+            platform: linux/arm64
+            dockerfile: docker/Dockerfile.debian
+            tag_suffix: debian-arm64
+    runs-on: ${{ matrix.config.os }}
     steps:
       - name: Cancel Previous Runs
         uses: styfle/cancel-workflow-action@85880fa0301c86cca9da44039ee3bb12d3bedbfa # 0.12.1
@@ -47,10 +55,11 @@ jobs:
         uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
         with:
           path: /tmp/.buildx-cache
-          key: ${{ runner.os }}-buildx-${{ github.ref }}
+          key: ${{ runner.os }}-buildx-${{ matrix.config.tag_suffix }}-${{ github.ref }}
           restore-keys: |
-            ${{ runner.os }}-buildx-${{ github.ref }}
+            ${{ runner.os }}-buildx-${{ matrix.config.tag_suffix }}-${{ github.ref }}
       - name: Append Entrypoint in dockerfile
+        if: matrix.config.dockerfile == 'docker/Dockerfile.debian'
         run: |
           echo "ENTRYPOINT [\"/app/bin/kics\"]" >> docker/Dockerfile.debian
       - name: Get short SHA
@@ -61,13 +70,15 @@ jobs:
         with:
           load: true
           context: ./
-          file: ./docker/Dockerfile.debian
+          file: ./${{ matrix.config.dockerfile }}
           builder: ${{ steps.buildx.outputs.name }}
           push: false
-          tags: kics:e2e-debian-tests-${{ github.sha }}
+          tags: kics:e2e-${{ matrix.config.tag_suffix }}-${{ github.sha }}
+          platforms: ${{ matrix.config.platform }}
           build-args: |
             VERSION=development
             COMMIT=${{ github.sha }}
+            BUILDPLATFORM=${{ matrix.config.platform }}
           cache-from: type=local,src=/tmp/.buildx-cache
           cache-to: type=local,dest=/tmp/.buildx-cache
       - name: Image digest
@@ -81,27 +92,23 @@ jobs:
           sudo chmod -R 777 ./e2e
       - name: Run E2E Tests
         env:
-          E2E_KICS_DOCKER: kics:e2e-debian-tests-${{ github.sha }}
+          E2E_KICS_DOCKER: kics:e2e-${{ matrix.config.tag_suffix }}-${{ github.sha }}
           E2E_KICS_QUERIES_PATH: ${{ steps.getbin.outputs.queries }}
         run: |
           go test -tags dev "github.com/Checkmarx/kics/v2/e2e" -timeout 1500s -json > results.json
       - name: Generate E2E Report
         if: always()
         env:
-          E2E_KICS_DOCKERFILE: docker/Dockerfile.debian
+          E2E_KICS_DOCKERFILE: ${{ matrix.config.dockerfile }}
         run: |
           CWD=$(pwd)
           cd .github/scripts/report
           go mod tidy
           go build
           ./e2e-report -test-path ${CWD} -test-name results.json -report-path ${CWD} -report-name e2e-report.html
-      - name: Get docker name
-        run: |
-          DOCKER_NAME=$(echo docker/Dockerfile.debian | sed 's/\//-/')
       - name: Archive test report
         if: always()
         uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
-          name: e2e-tests-report-dockerfile-$DOCKER_NAME
+          name: e2e-tests-report-${{ matrix.config.tag_suffix }}
           path: e2e-report.html
-          # dummy

.github/workflows/go-e2e.yaml

@@ -6,14 +6,37 @@ on:
 
 jobs:
   e2e-tests:
-    name: e2e-tests
+    name: e2e-tests-${{ matrix.config.tag_suffix }}
     strategy:
       fail-fast: false
       matrix:
         go-version: [1.25.x]
-        os: [ubuntu-latest]
-        kics-docker: ["Dockerfile", "docker/Dockerfile.ubi8", "docker/Dockerfile.alpine"]
-    runs-on: ${{ matrix.os }}
+        config:
+          - os: ubuntu-latest
+            platform: linux/amd64
+            dockerfile: Dockerfile
+            tag_suffix: default-amd64
+          - os: ubuntu-latest
+            platform: linux/amd64
+            dockerfile: docker/Dockerfile.ubi8
+            tag_suffix: ubi8-amd64
+          - os: ubuntu-latest
+            platform: linux/amd64
+            dockerfile: docker/Dockerfile.alpine
+            tag_suffix: alpine-amd64
+          - os: ubuntu-24.04-arm
+            platform: linux/arm64
+            dockerfile: Dockerfile
+            tag_suffix: default-arm64
+          - os: ubuntu-24.04-arm
+            platform: linux/arm64
+            dockerfile: docker/Dockerfile.ubi8
+            tag_suffix: ubi8-arm64
+          - os: ubuntu-24.04-arm
+            platform: linux/arm64
+            dockerfile: docker/Dockerfile.alpine
+            tag_suffix: alpine-arm64
+    runs-on: ${{ matrix.config.os }}
     steps:
       - name: Cancel Previous Runs
         uses: styfle/cancel-workflow-action@85880fa0301c86cca9da44039ee3bb12d3bedbfa # 0.12.1
@@ -48,9 +71,9 @@ jobs:
         uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
         with:
           path: /tmp/.buildx-cache
-          key: ${{ runner.os }}-buildx-${{ github.ref }}
+          key: ${{ runner.os }}-buildx-${{ matrix.config.tag_suffix }}-${{ github.ref }}
           restore-keys: |
-            ${{ runner.os }}-buildx-${{ github.ref }}
+            ${{ runner.os }}-buildx-${{ matrix.config.tag_suffix }}-${{ github.ref }}
       - name: Get short SHA
         run: echo "GITHUB_SHA_SHORT=$(echo $GITHUB_SHA | cut -c 1-8)" >> $GITHUB_ENV
       - name: Build
@@ -59,10 +82,11 @@ jobs:
         with:
           load: true
           context: ./
-          file: ./${{ matrix.kics-docker }}
+          file: ./${{ matrix.config.dockerfile }}
           builder: ${{ steps.buildx.outputs.name }}
           push: false
-          tags: kics:e2e-tests-${{ github.sha }}
+          tags: kics:e2e-${{ matrix.config.tag_suffix }}-${{ github.sha }}
+          platforms: ${{ matrix.config.platform }}
           build-args: |
             VERSION=development
             COMMIT=${{ github.sha }}
@@ -79,28 +103,23 @@ jobs:
           sudo chmod -R 777 ./e2e
       - name: Run E2E Tests
         env:
-          E2E_KICS_DOCKER: kics:e2e-tests-${{ github.sha }}
+          E2E_KICS_DOCKER: kics:e2e-${{ matrix.config.tag_suffix }}-${{ github.sha }}
           E2E_KICS_QUERIES_PATH: ${{ steps.getbin.outputs.queries }}
         run: |
           go test -tags dev "github.com/Checkmarx/kics/v2/e2e" -timeout 1500s -json > results.json
       - name: Generate E2E Report
         if: always()
         env:
-          E2E_KICS_DOCKERFILE: ${{ matrix.kics-docker }}
+          E2E_KICS_DOCKERFILE: ${{ matrix.config.dockerfile }}
         run: |
           CWD=$(pwd)
           cd .github/scripts/report
           go mod tidy
           go build
           ./e2e-report -test-path ${CWD} -test-name results.json -report-path ${CWD} -report-name e2e-report.html
-      - name: Get docker name
-        if: always()
-        run: |
-          DOCKER_NAME=$(echo ${{ matrix.kics-docker }} | sed 's/\//-/')
-          echo "DOCKER_NAME=$DOCKER_NAME" >> $GITHUB_ENV
       - name: Archive test report
         if: always()
         uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
-          name: e2e-tests-report-${{ env.DOCKER_NAME }}
+          name: e2e-tests-report-${{ matrix.config.tag_suffix }}
           path: e2e-report.html

.github/workflows/release-dkr-image.yml

@@ -118,7 +118,7 @@ jobs:
           file: ./docker/Dockerfile.ubi8
           push: true
           tags: checkmarx/kics:ubi8,checkmarx/kics:${{ steps.get-version.outputs.version }}-ubi8
-          platforms: linux/amd64
+          platforms: linux/amd64,linux/arm64
           build-args: |
             VERSION=${{ steps.get-version.outputs.version }}
             COMMIT=${{ github.sha }}

Dockerfile

@@ -1,4 +1,4 @@
-FROM checkmarx/go:1.26.1-r1@sha256:3984b97600a32d5a9ff14cc4b8029572a762082d98fb9788bbc4050d4f45d9d2 AS build_env
+FROM checkmarx/go:1.26.1@sha256:1d40555ccad7e4e931c5e36d9ca743e3d37d895923e061b94615ae0e69f57b8b AS build_env
 
 # Copy the source from the current directory to the Working Directory inside the container
 WORKDIR /app
@@ -29,7 +29,7 @@ RUN CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} go build \
 # Runtime image
 # Ignore no User Cmd since KICS container is stopped afer scan
 # kics-scan ignore-line
-FROM checkmarx/git:2.53.0-r0@sha256:6f398e9772fc0271cbdd77b065a09c9244004fbda17c1c58ba01b412a4292bde
+FROM checkmarx/git:2.53.0@sha256:9b16c12c6247d4f5a50f11844bf8e89b6bf1c14ddeed18291cbc857e84d8c4e6
 
 ENV TERM xterm-256color
 

docker/Dockerfile.ubi8

@@ -1,23 +1,26 @@
-FROM --platform=${BUILDPLATFORM:-linux/amd64} registry.access.redhat.com/ubi8:latest AS build_env
+FROM registry.access.redhat.com/ubi8:latest AS build_env
+
+ARG TARGETOS
+ARG TARGETARCH
 
 WORKDIR /build
 
 ENV PATH=$PATH:/usr/local/go/bin
 
-ADD https://golang.org/dl/go1.25.7.linux-amd64.tar.gz .
-RUN yum install git gcc -y \
-  && rm -rf /usr/local/go && tar -C /usr/local -xzf go1.25.7.linux-amd64.tar.gz \
-  && rm -f go1.25.7.linux-amd64.tar.gz
+RUN echo "Installing Go 1.25.7 for ${TARGETARCH:-amd64} architecture"
+
+RUN yum install git gcc wget -y \
+  && rm -rf /usr/local/go \
+  && wget -q https://golang.org/dl/go1.25.7.linux-${TARGETARCH:-amd64}.tar.gz \
+  && tar -C /usr/local -xzf go1.25.7.linux-${TARGETARCH:-amd64}.tar.gz \
+  && rm -f go1.25.7.linux-${TARGETARCH:-amd64}.tar.gz
 
 ENV GOPRIVATE=github.com/Checkmarx/*
 ARG VERSION="development"
 ARG COMMIT="NOCOMMIT"
 ARG SENTRY_DSN=""
 ARG DESCRIPTIONS_URL=""
 
-ARG TARGETOS
-ARG TARGETARCH
-
 # Copy go mod and sum files
 COPY go.mod .
 COPY go.sum .
@@ -36,6 +39,9 @@ RUN CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} go build \
 
 FROM registry.access.redhat.com/ubi8:latest
 
+ARG RELEASE
+ARG VERSION
+
 ENV RELEASE=$RELEASE \
   VERSION=$VERSION
 
@@ -55,7 +61,7 @@ ARG UID=1000
 ARG GID=1000
 
 RUN yum install git wget unzip -y \
-  && groupadd -g ${UID} ${KGROUP} \
+  && groupadd -g ${GID} ${KGROUP} \
   && adduser \
   --home-dir /app/bin \
   --no-create-home \

go.mod

@@ -30,7 +30,7 @@ require (
 	github.com/relex/aini v1.6.0
 	github.com/rs/zerolog v1.34.0
 	github.com/sosedoff/ansible-vault-go v0.2.0
-	github.com/spf13/cobra v1.10.1
+	github.com/spf13/cobra v1.10.2
 	github.com/spf13/pflag v1.0.10
 	github.com/spf13/viper v1.21.0
 	github.com/stretchr/testify v1.11.1
@@ -57,7 +57,7 @@ require (
 	cloud.google.com/go/compute/metadata v0.9.0 // indirect
 	cloud.google.com/go/iam v1.2.2 // indirect
 	cloud.google.com/go/monitoring v1.21.2 // indirect
-	cloud.google.com/go/storage v1.49.0 // indirect
+	cloud.google.com/go/storage v1.50.0 // indirect
 	dario.cat/mergo v1.0.1 // indirect
 	github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.30.0 // indirect
 	github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.48.1 // indirect
@@ -88,13 +88,14 @@ require (
 	github.com/containerd/platforms v1.0.0-rc.2 // indirect
 	github.com/containerd/typeurl/v2 v2.2.3 // indirect
 	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0 // indirect
+	github.com/distribution/distribution/v3 v3.1.0 // indirect
 	github.com/envoyproxy/go-control-plane/envoy v1.36.0 // indirect
 	github.com/envoyproxy/protoc-gen-validate v1.3.0 // indirect
 	github.com/evanphx/json-patch/v5 v5.9.11 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/fxamacker/cbor/v2 v2.9.0 // indirect
 	github.com/go-ini/ini v1.67.0 // indirect
-	github.com/go-jose/go-jose/v4 v4.1.3 // indirect
+	github.com/go-jose/go-jose/v4 v4.1.4 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-openapi/swag/cmdutils v0.25.4 // indirect
 	github.com/go-openapi/swag/conv v0.25.4 // indirect
@@ -143,20 +144,21 @@ require (
 	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
 	go.opentelemetry.io/contrib/detectors/gcp v1.39.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.63.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.63.0 // indirect
-	go.opentelemetry.io/otel v1.40.0 // indirect
-	go.opentelemetry.io/otel/metric v1.40.0 // indirect
-	go.opentelemetry.io/otel/sdk v1.40.0 // indirect
-	go.opentelemetry.io/otel/sdk/metric v1.40.0 // indirect
-	go.opentelemetry.io/otel/trace v1.40.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.67.0 // indirect
+	go.opentelemetry.io/otel v1.42.0 // indirect
+	go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.42.0 // indirect
+	go.opentelemetry.io/otel/metric v1.42.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.42.0 // indirect
+	go.opentelemetry.io/otel/sdk/metric v1.42.0 // indirect
+	go.opentelemetry.io/otel/trace v1.42.0 // indirect
 	go.yaml.in/yaml/v2 v2.4.3 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
 	golang.org/x/mod v0.33.0 // indirect
 	golang.org/x/tools v0.41.0 // indirect
 	google.golang.org/api v0.215.0 // indirect
 	google.golang.org/genproto v0.0.0-20241118233622-e639e219e697 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20251202230838-ff82c1b0f217 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20251222181119-0a764e51fe1b // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20260226221140-a57be14db171 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20260226221140-a57be14db171 // indirect
 	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
 	oras.land/oras-go/v2 v2.6.0 // indirect
 	sigs.k8s.io/randfill v1.0.0 // indirect
@@ -232,8 +234,8 @@ require (
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/prometheus/client_golang v1.23.2 // indirect
 	github.com/prometheus/client_model v0.6.2 // indirect
-	github.com/prometheus/common v0.66.1 // indirect
-	github.com/prometheus/procfs v0.17.0 // indirect
+	github.com/prometheus/common v0.67.5 // indirect
+	github.com/prometheus/procfs v0.20.1 // indirect
 	github.com/rcrowley/go-metrics v0.0.0-20250401214520-65e299d6c5c9 // indirect
 	github.com/rivo/uniseg v0.4.7 // indirect
 	github.com/rubenv/sql-migrate v1.8.0 // indirect
@@ -254,7 +256,7 @@ require (
 	github.com/xo/terminfo v0.0.0-20210125001918-ca9a967f8778 // indirect
 	github.com/yashtewari/glob-intersection v0.2.0 // indirect
 	golang.org/x/crypto v0.48.0 // indirect
-	golang.org/x/oauth2 v0.34.0 // indirect
+	golang.org/x/oauth2 v0.35.0 // indirect
 	golang.org/x/sync v0.19.0 // indirect
 	golang.org/x/sys v0.41.0 // indirect
 	golang.org/x/term v0.40.0 // indirect