quay-dast: migrate to in-cluster RapiDAST for Quay 3.17 #79693

Open
LiZhang19817 wants to merge 2 commits into openshift:main from LiZhang19817:quay317-rapidast-testing


Conversation

@LiZhang19817 (Contributor)

Summary

  • Migrate Quay DAST testing from legacy ZAP-based approach to the new quay-rapidast in-cluster RapiDAST framework for Quay 3.17
  • Remove obsolete stage.quay.io and quay.io DAST scan jobs, consolidate into a single quay-dast-test-quay317 periodic job
  • Update step-registry quay-tests-test-quay-dast to use the in-cluster scanning scripts (generate-quay-config, run-quay-scan) instead of running ZAP directly
  • Add QBO and CSO test steps (quay-tests-qbo-qe-test, quay-tests-cso-qe-test) to the DAST pipeline
  • Upgrade base images and OCP version references from 4.17 to 4.21
  • Switch cluster profile from aws-qe to aws-quay-qe

Test plan

  • Verify generated Prow jobs via make update (done locally, no errors)
  • Rehearse the periodic job to confirm the new in-cluster RapiDAST workflow runs successfully
  • Validate that QBO and CSO test steps execute correctly in the pipeline

🤖 Generated with Claude Code

LiZhang19817 and others added 2 commits May 26, 2026 15:48
…Quay 3.17

Replace the legacy ZAP-based DAST step with the quay-rapidast scripts that
deploy RapiDAST as Kubernetes Jobs. Update the test config for Quay 3.17 on
OCP 4.21 with AWS S3 storage and FBC operator catalog.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@coderabbitai (Contributor)

coderabbitai Bot commented May 26, 2026

Walkthrough

This PR upgrades the Quay DAST testing infrastructure from OpenShift 4.17 to 4.21, consolidates multiple scheduled test jobs into a single quay-dast-test-quay317 job, and rewrites the test script to use RapiDAST via Kubernetes with updated credential handling and artifact collection.

Changes

Quay DAST Test Infrastructure Update

Layer: OpenShift version upgrade to 4.21
File(s): ci-operator/config/quay/quay-tests/quay-quay-tests-master__quay-dast.yaml
Summary: Base image CLI tag, build root image stream tag, and release candidate version all updated from OpenShift 4.17 to 4.21.

Layer: DAST test job consolidation and configuration
File(s): ci-operator/config/quay/quay-tests/quay-quay-tests-master__quay-dast.yaml
Summary: Replaced multiple prior DAST test job definitions with a single scheduled test quay-dast-test-quay317 using the aws-quay-qe cluster profile, a cron schedule, refreshed environment variables for CSO/Quay channels, and a pinned multistage image digest.

Layer: Test step configuration and execution script
File(s): ci-operator/step-registry/quay-tests/test-quay-dast/quay-tests-test-quay-dast-ref.yaml, ci-operator/step-registry/quay-tests/test-quay-dast/quay-tests-test-quay-dast-commands.sh
Summary: Step configuration updated with new environment variables (QUAY_ENV, QUAY_VERSION) and credential mounts (quay-qe-quay-secret, quay-qe-dast-gcs-secret); test script completely rewritten to set KUBECTL=oc, copy kubeconfig and GCS credentials, generate quay-credentials.yaml from mounted secrets, invoke the RapiDAST scan via helper scripts, and collect logs from RapiDAST job pods.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested labels

ok-to-test, rehearsals-ack

Suggested reviewers

  • smg247
  • psalajova
  • droslean
Pre-merge checks: 12 passed

  • Description Check: Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: Passed. The title 'quay-dast: migrate to in-cluster RapiDAST for Quay 3.17' accurately reflects the main change: migrating DAST testing from legacy ZAP to the in-cluster RapiDAST framework, which is the primary objective across all three modified files.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.
  • Stable And Deterministic Test Names: Passed. PR modifies CI/CD config and shell scripts only; no Ginkgo tests present. Check is not applicable to this non-test codebase.
  • Test Structure And Quality: Passed. PR contains no Ginkgo test code. Files modified are YAML configs and a bash script for CI/operator infrastructure, not Ginkgo tests requiring the specified quality reviews.
  • Microshift Test Compatibility: Passed. This PR does not add any Ginkgo e2e tests. It only modifies CI operator configurations (YAML) and helper scripts (Bash), which are not in scope for this MicroShift compatibility check.
  • Single Node Openshift (Sno) Test Compatibility: Passed. PR contains only CI/CD configuration and shell scripts (YAML and .sh files), not Ginkgo e2e tests. Check is not applicable as no new tests with It(), Describe(), Context(), etc. patterns are added.
  • Topology-Aware Scheduling Compatibility: Passed. PR contains CI/CD configuration files only; no Kubernetes deployment manifests, operators, or scheduling constraints introduced.
  • Ote Binary Stdout Contract: Passed. PR modifies only YAML CI config and shell scripts; no OTE binary code is present or modified, making the check not applicable.
  • Ipv6 And Disconnected Network Test Compatibility: Passed. This PR does not add new Ginkgo e2e tests. The modified files are CI/CD configuration (YAML) and shell scripts only, so the IPv6/disconnected network test compatibility check does not apply.


@openshift-ci openshift-ci Bot requested review from sosiouxme and xueqzhan May 26, 2026 07:49
@openshift-ci (Contributor)

openshift-ci Bot commented May 26, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: LiZhang19817

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 26, 2026
@openshift-merge-bot (Contributor)

[REHEARSALNOTIFIER]
@LiZhang19817: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

  • pull-ci-quay-quay-tests-master-quay-dast-images (repo: quay/quay-tests, type: presubmit): ci-operator config changed
  • periodic-ci-quay-quay-tests-master-quay-dast-quay-dast-test-quay317 (repo: N/A, type: periodic): periodic changed

Prior to this PR being merged, you will need to either run and acknowledge or opt to skip these rehearsals.

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@ci-operator/step-registry/quay-tests/test-quay-dast/quay-tests-test-quay-dast-commands.sh`:
- Line 28: The cp invocation using the glob "*-scan.yaml" can expand to a name
starting with a dash and be parsed as an option; update the cp command that
writes to ARTIFACT_DIR so it protects against option-like filenames by adding
the POSIX option terminator and prefixing the glob with ./ (i.e., use cp with --
and ./*-scan.yaml to ensure filenames like "-scan.yaml" are treated as paths
rather than flags), keeping the original 2>/dev/null || true best-effort
behavior; locate the cp line referencing "*-scan.yaml" and ARTIFACT_DIR to make
this change.


📥 Commits

Reviewing files that changed from the base of the PR and between 3e488d3 and 5ad55b6.

⛔ Files ignored due to path filters (3)
  • ci-operator/jobs/quay/quay-tests/quay-quay-tests-master-periodics.yaml is excluded by !ci-operator/jobs/**
  • ci-operator/jobs/quay/quay-tests/quay-quay-tests-master-postsubmits.yaml is excluded by !ci-operator/jobs/**
  • ci-operator/jobs/quay/quay-tests/quay-quay-tests-master-presubmits.yaml is excluded by !ci-operator/jobs/**
📒 Files selected for processing (3)
  • ci-operator/config/quay/quay-tests/quay-quay-tests-master__quay-dast.yaml
  • ci-operator/step-registry/quay-tests/test-quay-dast/quay-tests-test-quay-dast-commands.sh
  • ci-operator/step-registry/quay-tests/test-quay-dast/quay-tests-test-quay-dast-ref.yaml

fi
bash generate-quay-config ./quay-credentials.yaml

cp *-scan.yaml "${ARTIFACT_DIR}/" 2>/dev/null || true

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Prefix the glob before copying scan artifacts.

*-scan.yaml can expand to an option-like filename such as -scan.yaml, which cp will parse as a flag. Because this command is best-effort, that failure gets hidden by || true and silently drops the artifact.

Proposed fix
-cp *-scan.yaml "${ARTIFACT_DIR}/" 2>/dev/null || true
+cp -- ./*-scan.yaml "${ARTIFACT_DIR}/" 2>/dev/null || true
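Review bot: the `--` and `./` prefix fix the option-parsing hazard, but the `2>/dev/null || true` on the same line still hides every other failure of this copy, including the case where no `*-scan.yaml` was produced at all (bash then passes the literal pattern to cp, which fails on a missing file) and the case where `${ARTIFACT_DIR}` is not writable, so a scan that produced no report looks identical to a successful archive. Consider enabling `nullglob` or testing for at least one match and logging when none is found, so a missing scan report fails the step visibly rather than silently.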
Tools: Shellcheck (0.11.0)

[info] 28-28: Use ./glob or -- glob so names with dashes won't become options.

(SC2035)

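As an added example, not code from the PR or from the quay-tests repository, the bash script below reproduces the SC2035 failure mode discussed in the review comment above in a throwaway directory: a constructed report named -scan.yaml makes the bare-glob cp fail and lose both reports, while the `cp -- ./*-scan.yaml` form copies both. The directory layout and file names are constructed for the demo; `artifacts/` stands in for `${ARTIFACT_DIR}`.

```shell
#!/usr/bin/env bash
# Added example, not code from the PR: reproduces the SC2035 finding on the
# `cp *-scan.yaml "${ARTIFACT_DIR}/"` line in a throwaway directory.

# Build a scratch workdir with two constructed reports: a normal one and one
# whose name begins with a dash, exactly the shape the review warns about.
setup_workdir() {
  local dir
  dir="$(mktemp -d)"
  : > "${dir}/quay-scan.yaml"   # constructed report name
  : > "${dir}/-scan.yaml"       # constructed option-like report name
  mkdir -p "${dir}/artifacts"   # stands in for ${ARTIFACT_DIR}
  printf '%s\n' "${dir}"
}

# Counts the files that reached the artifacts directory.
count_artifacts() {
  find "$1/artifacts" -type f | wc -l | tr -d ' '
}

# The line as written in the PR: the bare glob expands to "-scan.yaml", which
# cp parses as a bundle of single-letter options. GNU cp aborts on the first
# unknown letter, and "|| true" then hides the non-zero exit status.
copy_unsafe() {
  local dir="$1"
  ( cd "${dir}" && cp *-scan.yaml "${dir}/artifacts/" 2>/dev/null ) || true
  count_artifacts "${dir}"
}

# The reviewed fix: "--" ends option parsing, and "./" guarantees every
# expanded name starts with "./" rather than "-", so both reports are copied.
copy_safe() {
  local dir="$1"
  ( cd "${dir}" && cp -- ./*-scan.yaml "${dir}/artifacts/" 2>/dev/null ) || true
  count_artifacts "${dir}"
}

# Demo: each variant gets its own fresh workdir so the counts are independent.
d1="$(setup_workdir)"; d2="$(setup_workdir)"
echo "unsafe cp delivered $(copy_unsafe "${d1}") of 2 reports"   # never both
echo "safe cp delivered $(copy_safe "${d2}") of 2 reports"       # 2
rm -rf "${d1}" "${d2}"
```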

@LiZhang19817 (Contributor, Author)

/pj-rehearse periodic-ci-quay-quay-tests-master-quay-dast-quay-dast-test-quay317

@openshift-merge-bot (Contributor)

@LiZhang19817: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@openshift-ci (Contributor)

openshift-ci Bot commented May 26, 2026

@LiZhang19817: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

  • ci/rehearse/periodic-ci-quay-quay-tests-master-quay-dast-quay-dast-test-quay317 (commit 5ad55b6, required: unknown): rerun with /pj-rehearse periodic-ci-quay-quay-tests-master-quay-dast-quay-dast-test-quay317

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
