From d14d02b350018ee8f727558a18d92f9d686da3cb Mon Sep 17 00:00:00 2001
From: Johannes Scheerer
Date: Tue, 15 Oct 2024 16:53:49 +0200
Subject: [PATCH] Add SAST logs to OCM component descriptor
---
 .ci/pipeline_definitions | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
diff --git a/.ci/pipeline_definitions b/.ci/pipeline_definitions
index 53e8f6be..8050b757 100644
--- a/.ci/pipeline_definitions
+++ b/.ci/pipeline_definitions
@@ -1,5 +1,12 @@
 apiserver-proxy:
 base_definition:
+ repo:
+ source_labels:
+ - name: cloud.gardener.cnudie/dso/scanning-hints/source_analysis/v1
+ value:
+ policy: skip
+ comment: |
+ we use gosec for sast scanning. See attached log.
 steps:
 verify:
 image: 'golang:1.23.1'
@@ -48,6 +55,17 @@ apiserver-proxy:
 preprocess: 'finalize'
 release:
 nextversion: 'bump_minor'
+ assets:
+ - type: build-step-log
+ step_name: verify
+ purposes:
+ - lint
+ - sast
+ - gosec
+ comment: |
+ we use gosec (linter) for SAST scans
+ see: https://github.com/securego/gosec
+ enabled by https://github.com/gardener/apiserver-proxy/pull/143
 component_descriptor:
 ocm_repository: europe-docker.pkg.dev/gardener-project/releases
 slack:
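Review bot: The `policy: skip` value on the `source_analysis/v1` label switches off the platform-side source analysis for this component, but nothing in the hunk ties the substitute to an enforced check — the `verify` step's script, how gosec is invoked and whether findings fail the build all live outside the hunk (only `image: 'golang:1.23.1'` of that step is visible). The comment that justifies the skip should point the reader at those facts rather than only at the log, e.g. `we use gosec for SAST scanning, run in the verify step; findings fail the build. See attached log.`, adjusted to what the step actually does. If gosec runs with exclusions or a severity/confidence threshold, name that in the same comment, since after this change the attached log is the only SAST evidence recorded for the component. Minor: `sast` is an acronym and reads better as `SAST`, matching the wording used in the second hunk.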
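Review bot: The `build-step-log` asset only serves as SAST evidence if the `verify` step's log actually contains gosec's findings and the step fails when there are any; the hunk records the intent via `purposes`, while the step definition that guarantees it is outside the hunk. Consider stating that contract in the comment, e.g. `verify fails on gosec findings; its log is the SAST report`, if that is how the step behaves, and noting which gosec version is used so a reader of an old release can reproduce the log. Two style points: `gosec` under `purposes` is a tool name rather than a purpose (the tool is already named in `comment`), and `comment: |` keeps a trailing newline in the value — `|-` is the usual choice for a free-text field.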