
feat: support for kyverno policies #333

Draft: wants to merge 2 commits into main

Conversation

@MeNsaaH (Collaborator) commented Dec 18, 2024

No description provided.


Temporary image available at ghcr.io/zapier/kubechecks:0.0.0-pr333.

Signed-off-by: Mmadu Manasseh <[email protected]>
@zapier-sre-bot (Collaborator)

Mergecat's Review

<details><summary>Click to read mergecat's review!</summary>

😼 Mergecat review of .tool-versions

-earthly 0.8.15
-golang 1.22.7
+golang 1.23.4
 golangci-lint 1.62.2
 helm 3.16.3
 helm-cr 1.6.1
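
Review bot: the hunk also drops the `earthly 0.8.15` pin entirely, which neither the PR description nor the feedback above mentions. If an earthly-based build is still used anywhere in the repository, removing the tool from .tool-versions silently changes which version contributors run; confirm the removal is intended as part of this change, or move it to its own commit so it can be reviewed on its own.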

Feedback & Suggestions:

  • ⚠️ Compatibility Check: Ensure that the new version of Go (1.23.4) is compatible with your existing codebase and dependencies. Sometimes, new versions introduce breaking changes or deprecate certain features.

  • 🔍 Test Thoroughly: After updating the Go version, run your test suite to verify that everything works as expected. This helps catch any issues early.

  • 📄 Update Documentation: If you have any documentation that specifies the Go version, make sure to update it to reflect this change.


😼 Mergecat review of Tiltfile

@@ -236,7 +236,7 @@ k8s_resource(
   port_forwards=['2345:2345', '8080:8080'],
   resource_deps=[
     # 'go-build',
-    'go-test',
+    # 'go-test',
     'k8s:namespace',
     'argocd',
     'argocd-crds',

Feedback & Suggestions:

  1. Commenting Out go-test Dependency: By commenting out 'go-test' from the resource_deps, you are removing the dependency on the Go tests for the kubechecks resource. Ensure that this change is intentional and that the tests are not required for the deployment or operation of the kubechecks resource. If the tests are still necessary, consider keeping them as a dependency to ensure the resource's integrity.

  2. Documentation: If this change is intentional, it would be helpful to add a comment explaining why the go-test dependency is being removed. This will aid future developers in understanding the rationale behind this decision.

  3. Testing: After making this change, ensure that you thoroughly test the deployment to confirm that the removal of the go-test dependency does not introduce any issues or regressions.


😼 Mergecat review of localdev/terraform/modules/vcs_files/mr5_files/apps/httpdump/overlays/a/kustomization.yaml

@@ -2,7 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 
 resources:
-  - ../../base
+- ../../base
 
-patchesStrategicMerge:
-  - replica-patch.yaml
\ No newline at end of file
+patches:
+- path: replica-patch.yaml
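
Review bot: two corrections to the feedback above. `patches:` entries with a `path:` key accept strategic-merge patches as well as JSON 6902 patches (kustomize inspects the file to decide which it is), so moving `replica-patch.yaml` from the deprecated `patchesStrategicMerge` list is the right migration and does not change patching behaviour. And the `\ No newline at end of file` marker follows the removed `-  - replica-patch.yaml` line, so it describes the old file; the new `+- path: replica-patch.yaml` line carries no such marker and already ends with a newline.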

Feedback & Suggestions:

  1. Patch Format Change: The change from patchesStrategicMerge to patches with a path key is a significant alteration. Ensure that this change aligns with the intended behavior and the version of Kustomize being used. The patches field is used for JSON 6902 patches, which might not be the same as strategic merge patches. Double-check that this change will not affect the desired patching behavior. 🛠️

  2. Newline at End of File: The diff indicates there is no newline at the end of the file. It's a good practice to include a newline at the end of files to avoid potential issues with some tools and version control systems. Consider adding a newline. 📄


😼 Mergecat review of pkg/config/config.go

@@ -68,6 +68,10 @@ type ServerConfig struct {
 	// -- preupgrade
 	EnablePreupgrade     bool            `mapstructure:"enable-preupgrade"`
 	WorstPreupgradeState pkg.CommitState `mapstructure:"worst-preupgrade-state"`
+	// -- kyverno
+	EnableKyvernoChecks     bool     `mapstructure:"enable-kyverno-checks"`
+	KyvernoPoliciesLocation []string `mapstructure:"kyverno-policies-location"`
+	KyvernoPoliciesPaths    []string `mapstructure:"kyverno-policies-paths"`
 
 	// misc
 	FallbackK8sVersion       string        `mapstructure:"fallback-k8s-version"`
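
Review bot: `EnableKyvernoChecks` has no companion worst-state field. The preupgrade block directly above pairs `EnablePreupgrade` with `WorstPreupgradeState pkg.CommitState`, and the cmd/processors.go hunk in this PR falls back to `WorstPreupgradeState` for the Kyverno check. Add `WorstKyvernoState pkg.CommitState \`mapstructure:"worst-kyverno-state"\`` here so operators can choose warn versus fail for Kyverno independently of the preupgrade check.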

Feedback & Suggestions:

  1. Security Consideration: Ensure that the KyvernoPoliciesLocation and KyvernoPoliciesPaths are validated to prevent potential path traversal vulnerabilities. Consider sanitizing these inputs to ensure they do not contain any malicious paths.

  2. Consistency: The naming of the new fields is consistent with the existing naming conventions, which is great! Make sure that the usage of these fields throughout the codebase follows the same pattern for consistency.

  3. Documentation: It would be beneficial to add comments or documentation explaining the purpose and usage of the new Kyverno-related fields. This will help other developers understand the context and usage of these configurations.

  4. Testing: Ensure that there are adequate tests covering the new Kyverno configuration options. This includes testing the parsing and handling of these fields to ensure they work as expected.

  5. Performance: If the KyvernoPoliciesPaths can potentially contain a large number of entries, consider the performance implications and whether any optimizations or limits should be applied.


😼 Mergecat review of cmd/root.go

@@ -118,6 +118,11 @@ func init() {
 	stringFlag(flags, "replan-comment-msg", "comment message which re-triggers kubechecks on PR.",
 		newStringOpts().
 			withDefault("kubechecks again"))
+	boolFlag(flags, "enable-kyverno-checks", "Enable kyverno policy checks.")
+	stringFlag(flags, "kyverno-policies-location", "Sets kyverno policy locations to be used for every check request. This is a git url in either git or http(s) format.")
+	stringSliceFlag(flags, "kyverno-policies-paths", "Sets the paths inside the kyverno-policies-location that contains the policies. Default to root of the repository.",
+		newStringSliceOpts().
+			withDefault([]string{"."}))
 
 	panicIfError(viper.BindPFlags(flags))
 	setupLogOutput()
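
Review bot: `kyverno-policies-location` is registered with `stringFlag` and described as "a git url" (singular), but the config field it binds to, `KyvernoPoliciesLocation`, is `[]string`, and the cmd/controller.go hunk logs it with `Strs`. Viper's default decode hooks turn a comma-separated string into a slice, so this may work by accident, but the two declarations should agree: either register it with `stringSliceFlag` like `kyverno-policies-paths`, or make the field a `string`. The flag also has no default, so the field is empty unless set (see the controller note). Minor: the help text "Default to root of the repository" should read "Defaults to the root of the repository".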

Feedback & Suggestions:

  1. Security Consideration: Ensure that the kyverno-policies-location and kyverno-policies-paths are validated and sanitized to prevent potential security vulnerabilities such as path traversal or injection attacks. Consider implementing checks to validate the URLs and paths provided.

  2. Documentation: It would be beneficial to provide more detailed documentation or comments on how the kyverno-policies-location and kyverno-policies-paths are expected to be formatted and used. This will help users understand the expected input and avoid misconfigurations.

  3. Error Handling: Consider adding error handling for scenarios where the kyverno-policies-location or kyverno-policies-paths are invalid or inaccessible. This will improve the robustness of the application and provide clearer feedback to the user.

  4. Default Values: While setting default values is good practice, ensure that the default path ["."] for kyverno-policies-paths is appropriate for all use cases. If not, consider providing guidance on how to override this default effectively.

  5. Consistency: Ensure that the naming conventions for flags are consistent with existing flags. For example, consider using underscores instead of hyphens if that is the convention used elsewhere in the codebase.


😼 Mergecat review of cmd/processors.go

@@ -7,6 +7,7 @@ import (
 	"github.com/zapier/kubechecks/pkg/checks/diff"
 	"github.com/zapier/kubechecks/pkg/checks/hooks"
 	"github.com/zapier/kubechecks/pkg/checks/kubeconform"
+	"github.com/zapier/kubechecks/pkg/checks/kyverno"
 	"github.com/zapier/kubechecks/pkg/checks/preupgrade"
 	"github.com/zapier/kubechecks/pkg/checks/rego"
 	"github.com/zapier/kubechecks/pkg/container"
@@ -57,5 +58,13 @@ func getProcessors(ctr container.Container) ([]checks.ProcessorEntry, error) {
 		})
 	}
 
+	if ctr.Config.EnableKyvernoChecks {
+		procs = append(procs, checks.ProcessorEntry{
+			Name:       "running kyverno check",
+			Processor:  kyverno.Check,
+			WorstState: ctr.Config.WorstPreupgradeState,
+		})
+	}
+
 	return procs, nil
 }

Feedback & Suggestions:

  1. Configuration Consistency: The WorstState for the Kyverno check is set to ctr.Config.WorstPreupgradeState. This seems like a copy-paste error. Ensure that there is a specific configuration for Kyverno, such as ctr.Config.WorstKyvernoState, to maintain consistency and clarity in configuration management. 🛠️

  2. Error Handling: Consider adding error handling for the Kyverno check similar to the Rego checker. If kyverno.Check can potentially return an error, it would be beneficial to handle it gracefully to prevent unexpected failures. 🐛

  3. Documentation: Update any relevant documentation to reflect the addition of the Kyverno check. This will help maintainers and users understand the new functionality and configuration options. 📚


😼 Mergecat review of charts/kubechecks/templates/clusterrole.yaml

@@ -7,5 +7,5 @@ rules:
     resources: ['applications', 'appprojects', 'applicationsets', 'services']
     verbs: ['get', 'list', 'watch']
   - apiGroups: [''] # The core API group, which is indicated by an empty string
-    resources: ['secrets']
+    resources: ['secrets', 'configmaps']
     verbs: ['get', 'list', 'watch']
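
Review bot: this rule lives in a ClusterRole, so it grants get/list/watch on ConfigMaps in every namespace, and the PR does not say which ConfigMaps the Kyverno check needs to read. If the need is a known set in one namespace (for example, policy context data), a namespaced Role plus RoleBinding keeps the grant narrow; if cluster-wide read really is required, add a comment next to the rule naming the consumer so the grant can be re-evaluated later.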

Feedback & Suggestions:

  1. Security Consideration: Adding configmaps to the resources list increases the scope of access. Ensure that this change is necessary and that the access to configmaps is limited to only what is required. ConfigMaps can contain sensitive configuration data, and broad access might lead to unintended exposure. 🔒

  2. Documentation Update: If this change is part of a broader update, ensure that any relevant documentation or user guides are updated to reflect the new permissions. This helps maintain clarity for users and developers interacting with the system. 📚

  3. Review Access Needs: Double-check if the verbs for configmaps should be the same as for secrets. Sometimes, different resources might require different levels of access. Ensure that get, list, and watch are indeed necessary for configmaps. 🔍


😼 Mergecat review of cmd/controller.go

@@ -79,6 +79,11 @@ var ControllerCmd = &cobra.Command{
 			log.Fatal().Err(err).Msg("failed to process schema locations")
 		}
 
+		log.Info().Strs("locations", cfg.KyvernoPoliciesLocation).Msg("processing kyverno policies locations")
+		if err = processLocations(ctx, ctr, cfg.KyvernoPoliciesLocation); err != nil {
+			log.Fatal().Err(err).Msg("failed to process kyverno policies locations")
+		}
+
 		processors, err := getProcessors(ctr)
 		if err != nil {
 			log.Fatal().Err(err).Msg("failed to create processors")
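
Review bot: `processLocations` runs unconditionally here, but `kyverno-policies-location` has no default in cmd/root.go, so when Kyverno checks are disabled this call runs with an empty slice and emits a misleading "processing kyverno policies locations" line. Guard it with `if cfg.EnableKyvernoChecks { ... }` and, inside the guard, fail early with a clear message when the slice is empty, since the check cannot run without policies. The `log.Fatal` on error matches the schema-locations block above it and is appropriate at startup.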

Feedback & Suggestions:

  1. Error Handling Consistency: The new code block for processing KyvernoPoliciesLocation follows the same error handling pattern as the existing code, which is good for consistency. However, consider if log.Fatal is the best choice for handling errors in this context. Using log.Fatal will terminate the program immediately, which might not always be desirable. If there's a way to recover or continue operation, consider using log.Error or another logging level.

  2. Performance Consideration: If processLocations is a potentially long-running operation, and if cfg.KyvernoPoliciesLocation can be processed independently of other locations, consider running it in a separate goroutine to improve performance. This would allow other parts of the program to continue executing while the locations are being processed.

  3. Configuration Validation: Ensure that cfg.KyvernoPoliciesLocation is validated before being used. If this configuration can be empty or invalid, it might be worth adding a check before attempting to process it to avoid unnecessary errors.

  4. Logging Clarity: The log message "processing kyverno policies locations" is clear, but consider adding more context if available, such as the number of locations being processed, to aid in debugging and monitoring.


😼 Mergecat review of localdev/kubechecks/values.yaml

@@ -21,14 +21,20 @@ configMap:
     # KUBECHECKS_SCHEMAS_LOCATION: https://github.com/zapier/kubecheck-schemas.git
     KUBECHECKS_TIDY_OUTDATED_COMMENTS_MODE: "delete"
     KUBECHECKS_ENABLE_CONFTEST: "false"
+    KUBECHECKS_ENABLE_KYVERNO_CHECKS: "true"
+    KUBECHECKS_KYVERNO_POLICIES_LOCATION: "https://gitlab.com/zapier/team-sre/service-kyverno.git"
+    KUBECHECKS_KYVERNO_POLICIES_PATHS: "argocd/production/templates/checks"
+    KUBECHECKS_ARGOCD_SEND_FULL_REPOSITORY: "true"
+    KUBECHECKS_ARGOCD_REPOSITORY_ENDPOINT: argocd-repo-server.kubechecks:8081
+    GRPC_ENFORCE_ALPN_ENABLED: false
 
 
 deployment:
   annotations:
     reloader.stakater.com/auto: "true" 
   
   image:
-    pullPolicy: Never
+    pullPolicy: IfNotPresent
     name: "kubechecks"
     tag: ""
 

Feedback & Suggestions:

  1. Security Concern: The KUBECHECKS_ARGOCD_REPOSITORY_ENDPOINT is set to a specific server and port. Ensure that this endpoint is secure and that proper authentication and authorization mechanisms are in place to prevent unauthorized access. 🔒

  2. Boolean Value Consistency: The GRPC_ENFORCE_ALPN_ENABLED is set to false without quotes, while other boolean-like values are in quotes. For consistency and to avoid potential parsing issues, consider using quotes for all boolean values, e.g., "false". 🧩

  3. Image Pull Policy: Changing the pullPolicy from Never to IfNotPresent is a good move for environments where the image might not always be available locally. However, ensure that this change aligns with your deployment strategy and that it won't inadvertently pull an outdated image from a remote registry. 🚀

  4. Documentation: Consider adding comments or documentation for the new configuration options like KUBECHECKS_ENABLE_KYVERNO_CHECKS and KUBECHECKS_KYVERNO_POLICIES_LOCATION to help future developers understand their purpose and usage. 📚


😼 Mergecat review of go.mod

@@ -1,29 +1,30 @@
 module github.com/zapier/kubechecks
 
-go 1.22.0
+go 1.22.8
 
-toolchain go1.22.7
+toolchain go1.23.4
 
 require (
 	github.com/argoproj/argo-cd/v2 v2.13.1
 	github.com/argoproj/gitops-engine v0.7.1-0.20240905010810-bd7681ae3f8b
 	github.com/aws/aws-sdk-go-v2 v1.32.6
-	github.com/aws/aws-sdk-go-v2/config v1.27.24
+	github.com/aws/aws-sdk-go-v2/config v1.27.33
 	github.com/aws/aws-sdk-go-v2/service/eks v1.46.0
 	github.com/aws/aws-sdk-go-v2/service/sts v1.33.2
 	github.com/aws/smithy-go v1.22.1
 	github.com/bradleyfalzon/ghinstallation/v2 v2.11.0
 	github.com/cenkalti/backoff/v4 v4.3.0
 	github.com/chainguard-dev/git-urls v1.0.2
 	github.com/creasty/defaults v1.7.0
-	github.com/ghodss/yaml v1.0.0
+	github.com/ghodss/yaml v1.0.1-0.20190212211648-25d852aebe32
 	github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399
 	github.com/go-logr/zerologr v1.2.3
 	github.com/google/go-github/v62 v62.0.0
 	github.com/google/uuid v1.6.0
 	github.com/heptiolabs/healthcheck v0.0.0-20211123025425-613501dd5deb
 	github.com/imdario/mergo v0.3.16
 	github.com/jeremywohl/flatten v1.0.1
+	github.com/kyverno/kyverno v1.13.1
 	github.com/labstack/echo-contrib v0.17.1
 	github.com/labstack/echo/v4 v4.12.0
 	github.com/masterminds/semver v1.5.0
@@ -32,7 +33,7 @@ require (
 	github.com/open-policy-agent/conftest v0.49.1
 	github.com/pkg/errors v0.9.1
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2
-	github.com/prometheus/client_golang v1.20.3
+	github.com/prometheus/client_golang v1.20.4
 	github.com/rikatz/kubepug v1.4.0
 	github.com/rs/zerolog v1.33.0
 	github.com/sashabaranov/go-openai v1.36.0
@@ -52,7 +53,7 @@ require (
 	go.opentelemetry.io/otel/sdk v1.33.0
 	go.opentelemetry.io/otel/sdk/metric v1.33.0
 	go.opentelemetry.io/otel/trace v1.33.0
-	golang.org/x/exp v0.0.0-20240112132812-db7319d0e0e3
+	golang.org/x/exp v0.0.0-20240823005443-9b4947da3948
 	golang.org/x/net v0.30.0
 	golang.org/x/oauth2 v0.24.0
 	google.golang.org/grpc v1.67.1
@@ -67,138 +68,251 @@ require (
 )
 
 require (
-	cloud.google.com/go v0.112.1 // indirect
+	cloud.google.com/go v0.115.1 // indirect
+	cloud.google.com/go/auth v0.9.1 // indirect
+	cloud.google.com/go/auth/oauth2adapt v0.2.4 // indirect
 	cloud.google.com/go/compute/metadata v0.5.0 // indirect
-	cloud.google.com/go/iam v1.1.6 // indirect
-	cloud.google.com/go/storage v1.38.0 // indirect
-	cuelang.org/go v0.7.0 // indirect
+	cloud.google.com/go/iam v1.2.0 // indirect
+	cloud.google.com/go/kms v1.19.0 // indirect
+	cloud.google.com/go/longrunning v0.6.0 // indirect
+	cloud.google.com/go/storage v1.43.0 // indirect
+	cuelabs.dev/go/oci/ociregistry v0.0.0-20240807094312-a32ad29eed79 // indirect
+	cuelang.org/go v0.10.0 // indirect
 	dario.cat/mergo v1.0.1 // indirect
+	filippo.io/edwards25519 v1.1.0 // indirect
+	github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/alibabacloudsdkgo/helper v0.2.0 // indirect
+	github.com/Azure/azure-sdk-for-go v68.0.0+incompatible // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.14.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.7.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.1.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.0.1 // indirect
 	github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 // indirect
+	github.com/Azure/go-autorest v14.2.0+incompatible // indirect
+	github.com/Azure/go-autorest/autorest v0.11.29 // indirect
+	github.com/Azure/go-autorest/autorest/adal v0.9.24 // indirect
+	github.com/Azure/go-autorest/autorest/azure/auth v0.5.13 // indirect
+	github.com/Azure/go-autorest/autorest/azure/cli v0.4.6 // indirect
+	github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect
+	github.com/Azure/go-autorest/logger v0.2.1 // indirect
+	github.com/Azure/go-autorest/tracing v0.6.0 // indirect
+	github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect
+	github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2 // indirect
 	github.com/BurntSushi/toml v1.3.2 // indirect
 	github.com/CycloneDX/cyclonedx-go v0.8.0 // indirect
+	github.com/IGLOU-EU/go-wildcard v1.0.3 // indirect
 	github.com/KeisukeYamashita/go-vcl v0.4.0 // indirect
 	github.com/MakeNowJust/heredoc v1.0.0 // indirect
 	github.com/Masterminds/goutils v1.1.1 // indirect
-	github.com/Masterminds/semver v1.5.0 // indirect
 	github.com/Masterminds/semver/v3 v3.3.0 // indirect
 	github.com/Masterminds/sprig/v3 v3.3.0 // indirect
 	github.com/Microsoft/go-winio v0.6.2 // indirect
+	github.com/NYTimes/gziphandler v1.1.1 // indirect
 	github.com/OneOfOne/xxhash v1.2.8 // indirect
 	github.com/ProtonMail/go-crypto v1.0.0 // indirect
+	github.com/ThalesIgnite/crypto11 v1.2.5 // indirect
 	github.com/agext/levenshtein v1.2.3 // indirect
 	github.com/agnivade/levenshtein v1.1.1 // indirect
+	github.com/alibabacloud-go/alibabacloud-gateway-spi v0.0.5 // indirect
+	github.com/alibabacloud-go/cr-20160607 v1.0.1 // indirect
+	github.com/alibabacloud-go/cr-20181201 v1.0.10 // indirect
+	github.com/alibabacloud-go/darabonba-openapi v0.2.1 // indirect
+	github.com/alibabacloud-go/debug v1.0.1 // indirect
+	github.com/alibabacloud-go/endpoint-util v1.1.1 // indirect
+	github.com/alibabacloud-go/openapi-util v0.1.1 // indirect
+	github.com/alibabacloud-go/tea v1.2.2 // indirect
+	github.com/alibabacloud-go/tea-utils v1.4.5 // indirect
+	github.com/alibabacloud-go/tea-utils/v2 v2.0.6 // indirect
+	github.com/alibabacloud-go/tea-xml v1.1.3 // indirect
+	github.com/aliyun/credentials-go v1.3.8 // indirect
 	github.com/anchore/go-struct-converter v0.0.0-20221118182256-c68fdcfa2092 // indirect
+	github.com/antlr4-go/antlr/v4 v4.13.0 // indirect
 	github.com/apparentlymart/go-textseg/v13 v13.0.0 // indirect
+	github.com/aptible/supercronic v0.2.30 // indirect
+	github.com/aquilax/truncate v1.0.0 // indirect
 	github.com/argoproj/pkg v0.13.7-0.20230627120311-a4dd357b057e // indirect
+	github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
 	github.com/aws/aws-sdk-go v1.55.5 // indirect
-	github.com/aws/aws-sdk-go-v2/credentials v1.17.24 // indirect
-	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.9 // indirect
+	github.com/aws/aws-sdk-go-v2/credentials v1.17.32 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.13 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.25 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.25 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ecr v1.33.0 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.25.6 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.1 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.6 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sso v1.22.1 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.2 // indirect
+	github.com/aws/aws-sdk-go-v2/service/kms v1.35.5 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.22.7 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.7 // indirect
+	github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20240909191326-0ee4ec5d16bf // indirect
 	github.com/basgys/goxml2json v1.1.0 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d // indirect
+	github.com/blang/semver v3.5.1+incompatible // indirect
 	github.com/blang/semver/v4 v4.0.0 // indirect
 	github.com/bmatcuk/doublestar/v4 v4.6.1 // indirect
 	github.com/bombsimon/logrusr/v2 v2.0.1 // indirect
-	github.com/bufbuild/protocompile v0.6.0 // indirect
+	github.com/bufbuild/protocompile v0.10.0 // indirect
+	github.com/buildkite/agent/v3 v3.78.0 // indirect
+	github.com/buildkite/go-pipeline v0.11.0 // indirect
+	github.com/buildkite/interpolate v0.1.3 // indirect
+	github.com/buildkite/roko v1.2.0 // indirect
+	github.com/cenkalti/backoff/v3 v3.2.2 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/chai2010/gettext-go v1.0.2 // indirect
-	github.com/cloudflare/circl v1.3.7 // indirect
+	github.com/chrismellard/docker-credential-acr-env v0.0.0-20230304212654-82a0ddb27589 // indirect
+	github.com/clbanning/mxj/v2 v2.7.0 // indirect
+	github.com/cloudflare/circl v1.4.0 // indirect
 	github.com/cockroachdb/apd/v3 v3.2.1 // indirect
+	github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be // indirect
+	github.com/containerd/stargz-snapshotter/estargz v0.15.1 // indirect
 	github.com/containerd/typeurl/v2 v2.1.1 // indirect
 	github.com/coreos/go-oidc/v3 v3.11.0 // indirect
+	github.com/coreos/go-semver v0.3.1 // indirect
+	github.com/coreos/go-systemd/v22 v22.5.0 // indirect
 	github.com/cpuguy83/dockercfg v0.3.1 // indirect
+	github.com/cyberphone/json-canonicalization v0.0.0-20231217050601-ba74d44ecf5f // indirect
 	github.com/cyphar/filepath-securejoin v0.3.2 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
+	github.com/dgraph-io/ristretto v0.1.1 // indirect
 	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
-	github.com/distribution/reference v0.5.0 // indirect
+	github.com/digitorus/pkcs7 v0.0.0-20230818184609-3a137a874352 // indirect
+	github.com/digitorus/timestamp v0.0.0-20231217203849-220c5c2851b7 // indirect
+	github.com/dimchansky/utfbom v1.1.1 // indirect
+	github.com/distribution/reference v0.6.0 // indirect
+	github.com/djherbis/times v1.6.0 // indirect
 	github.com/dlclark/regexp2 v1.11.4 // indirect
+	github.com/docker/cli v27.2.0+incompatible // indirect
+	github.com/docker/distribution v2.8.3+incompatible // indirect
 	github.com/docker/docker v27.2.1+incompatible // indirect
-	github.com/docker/go-connections v0.4.0 // indirect
+	github.com/docker/docker-credential-helpers v0.8.2 // indirect
+	github.com/docker/go-connections v0.5.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
-	github.com/emicklei/go-restful/v3 v3.11.0 // indirect
+	github.com/dustin/go-humanize v1.0.1 // indirect
+	github.com/emicklei/go-restful/v3 v3.12.1 // indirect
+	github.com/emicklei/proto v1.13.2 // indirect
 	github.com/emirpasic/gods v1.18.1 // indirect
 	github.com/evanphx/json-patch v5.9.0+incompatible // indirect
 	github.com/evanphx/json-patch/v5 v5.9.0 // indirect
 	github.com/exponent-io/jsonpath v0.0.0-20151013193312-d6023ce2651d // indirect
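
Review bot: the new direct requirement `github.com/kyverno/kyverno v1.13.1` in the first hunk is what pulls in the long list of new indirect modules here: Azure, Alibaba Cloud and AWS KMS/ECR SDKs, the buildkite agent, the docker CLI, PKCS#11 (`crypto11`), PKCS#7 and RFC 3161 timestamp libraries, and more. Kyverno is published as an application module, so importing even one package from it brings its whole closure into go.sum and into kubechecks' dependency-review and vulnerability-scanning surface. Since the check already writes the manifests to a temporary file and inspects command output (see the inline comments below), consider invoking the `kyverno` CLI as a subprocess pinned by version in the image instead of linking it; at minimum, run `go mod why -m` on the heaviest new modules and record the justification in the PR description.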

</details>

---

## Dependency Review
<details><summary>Click to read mergecat's review!</summary>

No suggestions found
</details>

Comment on lines +35 to +40
	for _, manifest := range appManifests {
		if _, err := tempFile.WriteString(manifest + "\n"); err != nil {
			log.Error().Err(err).Msg("Failed to write manifest to temporary file")
			return msg.Result{}, err
		}
	}
Collaborator

do you need --- to separate the manifests from each other here?

Collaborator Author

Yeah, that's right! Nice catch.
FYI, this is still in progress. So, it's not fully ready
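
The separator problem raised in this thread, as an added example (not code from the PR): a helper that joins rendered manifests into a multi-document stream with `---` lines, and a structural document counter that shows the difference against the newline-only join. The PR's `appManifests` and `tempFile` are replaced by an in-memory builder, and the manifests are constructed sample input.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// JoinManifests concatenates rendered manifests into one multi-document YAML
// stream. Without a "---" line between them, a YAML reader (kyverno apply,
// kubectl, a yaml decoder) sees a single document with repeated top-level
// keys: a strict parser rejects it and a lenient one collapses it, so the
// manifests are never evaluated individually. Edge cases handled: empty
// manifests are skipped, a missing trailing newline is added, and a manifest
// that already begins with its own "---" line is not double-separated.
func JoinManifests(manifests []string) string {
	var b strings.Builder
	first := true
	for _, m := range manifests {
		m = strings.TrimRight(m, "\n")
		if strings.TrimSpace(m) == "" {
			continue
		}
		ownSeparator := m == "---" || strings.HasPrefix(m, "---\n")
		if !first && !ownSeparator {
			b.WriteString("---\n")
		}
		b.WriteString(m)
		b.WriteString("\n")
		first = false
	}
	return b.String()
}

// CountDocuments returns the number of non-empty YAML documents in a stream,
// splitting on lines that consist solely of "---". It is a structural check
// only (no YAML parsing), enough to verify that the stream handed to the
// policy engine carries every manifest as its own document.
func CountDocuments(stream string) int {
	n := 0
	var cur strings.Builder
	flush := func() {
		if strings.TrimSpace(cur.String()) != "" {
			n++
		}
		cur.Reset()
	}
	sc := bufio.NewScanner(strings.NewReader(stream))
	for sc.Scan() {
		if strings.TrimSpace(sc.Text()) == "---" {
			flush()
			continue
		}
		cur.WriteString(sc.Text())
		cur.WriteString("\n")
	}
	flush()
	return n
}

func main() {
	// Constructed sample manifests standing in for appManifests in the PR.
	manifests := []string{
		"apiVersion: v1\nkind: Namespace\nmetadata:\n  name: demo\n",
		"apiVersion: v1\nkind: ConfigMap\nmetadata:\n  name: demo-cm\n  namespace: demo",
	}
	naive := strings.Join(manifests, "\n") // what the PR's loop produces
	fmt.Printf("newline-joined: %d document(s)\n", CountDocuments(naive))
	fmt.Printf("with ---:       %d document(s)\n", CountDocuments(JoinManifests(manifests)))
}
```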

Comment on lines +61 to +66
	var cr msg.Result
	if output.Len() == 0 {
		cr.State = pkg.StateWarning
	} else {
		cr.State = pkg.StateSuccess
	}
Collaborator

If there's no output, then it failed? This seems ... strange, no?

Collaborator Author

This is more like a dummy script to just see what happens.

We'll need to parse the output to know if it failed or not.

Comment on lines +71 to +74
	// -- kyverno
	EnableKyvernoChecks     bool     `mapstructure:"enable-kyverno-checks"`
	KyvernoPoliciesLocation []string `mapstructure:"kyverno-policies-location"`
	KyvernoPoliciesPaths    []string `mapstructure:"kyverno-policies-paths"`
Collaborator

We should also add a WorstKyvernoState pkg.CommitState field, which would allow people to either warn or fail depending on configuration.

Collaborator Author

Yeah! That'll be added
