secureCodeBox · J12934 · Sep 22, 2025 · Sep 9, 2025 · Sep 9, 2025 · Sep 9, 2025
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -272,10 +272,26 @@ jobs:
       - name: Checkout
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
-      - name: Setup Python Version
-        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+      - name: Go Setup
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v6.0.0
+        with:
+          go-version-file: "auto-discovery/kubernetes/go.mod"
+
+      - name: Lint Go Code
+        working-directory: ./auto-discovery/kubernetes
+        run: |
+          go fmt ./...
+          go vet ./...
+
+      - name: Download Task
+        uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
         with:
-          python-version: "${{ env.PYTHON_VERSION }}"
+          name: task
+          path: ./task
+
+      - name: Make Task globally available
+        run: |
+          chmod +x ./task/task && sudo mv ./task/task /usr/local/bin/task
 
       - name: Download Kind
         uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
@@ -309,15 +325,15 @@ jobs:
 
       - name: Unit Tests
         working-directory: ./auto-discovery/kubernetes/pull-secret-extractor
-        run: make unit-test
+        run: task unit-test
 
       - name: Build Container Image
         working-directory: ./auto-discovery/kubernetes/pull-secret-extractor
-        run: make docker-build
+        run: task docker-build
 
       - name: Export Container Image
         working-directory: ./auto-discovery/kubernetes/pull-secret-extractor
-        run: make docker-export
+        run: task docker-export
 
       - name: Upload Image As Artifact
         uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
@@ -339,7 +355,7 @@ jobs:
       - name: "Run integration tests"
         working-directory: ./auto-discovery/kubernetes/pull-secret-extractor
         run: |
-          make integration-test
+          task integration-test
 
   # ---- Build Stage | AutoDiscovery | Cloud | AWS ----
   auto-discovery-cloud-aws:

diff --git a/auto-discovery/kubernetes/controllers/container_scan_controller.go b/auto-discovery/kubernetes/controllers/container_scan_controller.go
@@ -335,8 +335,7 @@ func getSecretExtractionInitContainer(imageID string, scanConfig config.ScanConf
 	return corev1.Container{
 		Name:         "secret-extraction-to-env",
 		Image:        "docker.io/securecodebox/auto-discovery-pull-secret-extractor",
-		Command:      []string{"python"},
-		Args:         []string{"secret_extraction.py", imageID, temporarySecretName},
+		Args:         []string{"-imageID", imageID, "-secret", temporarySecretName},
 		VolumeMounts: volumeMounts,
 		Env: []corev1.EnvVar{
 			{
@@ -355,6 +354,14 @@ func getSecretExtractionInitContainer(imageID string, scanConfig config.ScanConf
 					},
 				},
 			},
+			{
+				Name: "POD_UID",
+				ValueFrom: &corev1.EnvVarSource{
+					FieldRef: &corev1.ObjectFieldSelector{
+						FieldPath: "metadata.uid",
+					},
+				},
+			},
 		},
 	}
 }

diff --git a/auto-discovery/kubernetes/pull-secret-extractor/.dockerignore b/auto-discovery/kubernetes/pull-secret-extractor/.dockerignore
@@ -2,5 +2,4 @@
 //
 // SPDX-License-Identifier: Apache-2.0
 
-integration-test/*
-venv/*
+venv/*
diff --git a/auto-discovery/kubernetes/pull-secret-extractor/Dockerfile b/auto-discovery/kubernetes/pull-secret-extractor/Dockerfile
@@ -2,12 +2,29 @@
 #
 # SPDX-License-Identifier: Apache-2.0
 
-FROM python:3.13-alpine
-
-RUN addgroup -g 1001 nikto \
-  && adduser -G nikto -s /bin/sh -D -u 1001 nikto
-COPY requirements.txt .
-RUN pip install -r requirements.txt
-COPY --chown=root:root --chmod=755 docker_image.py secret_extraction.py ./
-USER 1001
-CMD ["python", "secret_extraction.py"]
+# Build the pull-secret-extractor binary
+FROM --platform=$BUILDPLATFORM golang:1.25.0 AS builder
+
+WORKDIR /workspace
+# Copy the Go Modules manifests
+COPY go.mod go.mod
+COPY go.sum go.sum
+# cache deps before building and copying source so that we don't need to re-download as much
+# and so that source changes don't invalidate our downloaded layer
+RUN go mod download
+
+# Copy the go source
+COPY main.go main.go
+COPY internal/ internal/
+
+# Build
+ARG TARGETOS TARGETARCH
+RUN GOOS="$TARGETOS" GOARCH="$TARGETARCH" CGO_ENABLED=0 go build -a -o secret_extraction main.go
+
+# Use distroless as minimal base image to package the manager binary
+# Refer to https://github.com/GoogleContainerTools/distroless for more details
+FROM gcr.io/distroless/static:nonroot
+WORKDIR /
+COPY --from=builder /workspace/secret_extraction .
+
+ENTRYPOINT ["/secret_extraction"]
diff --git a/auto-discovery/kubernetes/pull-secret-extractor/Makefile b/auto-discovery/kubernetes/pull-secret-extractor/Makefile
diff --git a/auto-discovery/kubernetes/pull-secret-extractor/Taskfile.yaml b/auto-discovery/kubernetes/pull-secret-extractor/Taskfile.yaml
@@ -0,0 +1,78 @@
+# SPDX-FileCopyrightText: the secureCodeBox authors
+#
+# SPDX-License-Identifier: Apache-2.0
+
+version: "3.44.0"
+
+vars:
+  IMG_NS: '{{default "securecodebox" .IMG_NS}}'
+  IMG: '{{default "auto-discovery-secret-extractor" .IMG}}'
+  IMG_TAG:
+    sh: echo "${IMG_TAG:-sha-$(git rev-parse --short HEAD)}"
+  FULL_IMAGE: "{{.IMG_NS}}/{{.IMG}}/{{.IMG_TAG}}"
+
+tasks:
+  unit-test:
+    desc: Run unit tests
+    cmds:
+      - go test ./...
+
+  integration-test:
+    desc: Run integration tests in kind cluster
+    deps:
+      - kind-import
+    cmds:
+      - defer: task clean
+      - 'echo "🩺 Starting integration test in kind namespace integration-tests."'
+      - cmd: kubectl delete namespace integration-test --wait
+        ignore_error: true
+      - kubectl create namespace integration-test
+      - ./test/integration/test-pod.sh {{.IMG_NS}}/{{.IMG}}:{{.IMG_TAG}}
+      - kubectl wait --for=condition=ready --timeout=60s -n integration-test pod/init-container-test
+      - kubectl get secret --namespace integration-test test-secret
+
+  test:
+    desc: Run all tests (unit and integration)
+    deps:
+      - unit-test
+      - integration-test
+
+  docker-build:
+    desc: Build docker image with the manager
+    cmds:
+      - 'echo "⚙️ Build Container Images"'
+      - docker build -t {{.IMG_NS}}/{{.IMG}}:{{.IMG_TAG}} .
+
+  docker-export:
+    desc: Export container image to tar archive
+    deps:
+      - docker-build
+    cmds:
+      - 'echo "💾 Export Container Images"'
+      - docker save {{.IMG_NS}}/{{.IMG}}:{{.IMG_TAG}} > {{.IMG}}.tar
+
+  kind-import:
+    desc: Import container image to local kind cluster
+    deps:
+      - docker-export
+    preconditions:
+      - sh: test -f {{.IMG}}.tar
+        msg: "Image archive {{.IMG}}.tar not found. Run 'task docker-export' first."
+    cmds:
+      - 'echo "💾 Importing the image archive to local kind cluster."'
+      - kind load image-archive ./{{.IMG}}.tar
+
+  clean:
+    desc: Clean up generated files
+    cmds:
+      - rm -f {{.IMG}}.tar
+
+  vars:
+    desc: Display current variable values (useful for debugging)
+    cmds:
+      - |
+        echo "Current variable values:"
+        echo "  IMG_NS:     {{.IMG_NS}}"
+        echo "  IMG:        {{.IMG}}"
+        echo "  IMG_TAG:    {{.IMG_TAG}}"
+        echo "  FULL_IMAGE: {{.IMG_NS}}/{{.IMG}}:{{.IMG_TAG}}"
diff --git a/auto-discovery/kubernetes/pull-secret-extractor/docker_image.py b/auto-discovery/kubernetes/pull-secret-extractor/docker_image.py
diff --git a/auto-discovery/kubernetes/pull-secret-extractor/go.mod b/auto-discovery/kubernetes/pull-secret-extractor/go.mod
@@ -0,0 +1,56 @@
+// SPDX-FileCopyrightText: the secureCodeBox authors
+//
+// SPDX-License-Identifier: Apache-2.0
+
+module github.com/secureCodeBox/auto-discovery/kubernetes/pull-secret-extractor
+
+go 1.24.5
+
+require (
+	k8s.io/api v0.34.0
+	k8s.io/apimachinery v0.34.0
+	sigs.k8s.io/controller-runtime v0.22.1
+)
+
+require (
+	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/emicklei/go-restful/v3 v3.12.2 // indirect
+	github.com/evanphx/json-patch/v5 v5.9.11 // indirect
+	github.com/fxamacker/cbor/v2 v2.9.0 // indirect
+	github.com/go-logr/logr v1.4.2 // indirect
+	github.com/go-openapi/jsonpointer v0.21.0 // indirect
+	github.com/go-openapi/jsonreference v0.20.2 // indirect
+	github.com/go-openapi/swag v0.23.0 // indirect
+	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/google/gnostic-models v0.7.0 // indirect
+	github.com/google/uuid v1.6.0 // indirect
+	github.com/josharian/intern v1.0.0 // indirect
+	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/mailru/easyjson v0.7.7 // indirect
+	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+	github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect
+	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
+	github.com/pkg/errors v0.9.1 // indirect
+	github.com/spf13/pflag v1.0.6 // indirect
+	github.com/x448/float16 v0.8.4 // indirect
+	go.yaml.in/yaml/v2 v2.4.2 // indirect
+	go.yaml.in/yaml/v3 v3.0.4 // indirect
+	golang.org/x/net v0.38.0 // indirect
+	golang.org/x/oauth2 v0.27.0 // indirect
+	golang.org/x/sys v0.31.0 // indirect
+	golang.org/x/term v0.30.0 // indirect
+	golang.org/x/text v0.23.0 // indirect
+	golang.org/x/time v0.9.0 // indirect
+	google.golang.org/protobuf v1.36.5 // indirect
+	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
+	gopkg.in/inf.v0 v0.9.1 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
+	k8s.io/client-go v0.34.0 // indirect
+	k8s.io/klog/v2 v2.130.1 // indirect
+	k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b // indirect
+	k8s.io/utils v0.0.0-20250604170112-4c0f3b243397 // indirect
+	sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect
+	sigs.k8s.io/randfill v1.0.0 // indirect
+	sigs.k8s.io/structured-merge-diff/v6 v6.3.0 // indirect
+	sigs.k8s.io/yaml v1.6.0 // indirect
+)
-Original file line number
+Diff line change
@@ Expand Up / @@ -2,5 +2,4 @@ @@
     //
     // SPDX-License-Identifier: Apache-2.0
-    integration-test/*
-    venv/*
+    venv/*