ROX-24283: enable strictfipsruntime in the Konflux build (#1709)

Co-authored-by: Misha Sugakov <[email protected]>
stackrox · Jan 13, 2025 · 2124e53 · 2124e53
1 parent 92de534
commit 2124e53
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 1 deletion.
diff --git a/Makefile b/Makefile
@@ -71,7 +71,7 @@ GOPATH_WD_OVERRIDES := -w /src -e GOPATH=/go
 IMAGE_BUILD_FLAGS   := -e CGO_ENABLED=$(CGO_ENABLED) -e GOOS=linux -e GOARCH=$(GOARCH)
 IMAGE_BUILD_ARGS     = --build-arg LABEL_VERSION=$(TAG) --build-arg LABEL_RELEASE=$(TAG) --build-arg QUAY_TAG_EXPIRATION=$(QUAY_TAG_EXPIRATION)
 BUILD_FLAGS         := CGO_ENABLED=$(CGO_ENABLED) GOOS=linux GOARCH=$(GOARCH)
-BUILD_CMD           := go build -trimpath -ldflags="-X github.com/stackrox/scanner/pkg/version.Version=$(TAG)" -o image/scanner/bin/scanner ./cmd/clair
+BUILD_CMD           := go build -trimpath -ldflags="-X github.com/stackrox/scanner/pkg/version.Version=$(TAG)" -tags="$(GOTAGS)" -o image/scanner/bin/scanner ./cmd/clair
 NODESCAN_BUILD_CMD  := go build -trimpath -o tools/bin/local-nodescanner ./tools/local-nodescanner
 
 #####################################################################

diff --git a/image/scanner/rhel/konflux.Dockerfile b/image/scanner/rhel/konflux.Dockerfile
@@ -10,6 +10,9 @@ ARG SCANNER_TAG
 RUN if [[ "$SCANNER_TAG" == "" ]]; then >&2 echo "error: required SCANNER_TAG arg is unset"; exit 6; fi
 ENV RELEASE_TAG="${SCANNER_TAG}"
 
+# TODO(ROX-27054): Remove the redundant strictfipsruntime option if one is found to be so
+ENV GOEXPERIMENT=strictfipsruntime
+ENV GOTAGS=strictfipsruntime
 ENV GOFLAGS=""
 ENV CI=1