Checkmarx · cx-miguel-dasilva · Mar 16, 2026 · Mar 16, 2026 · Mar 16, 2026 · Mar 17, 2026
@@ -40,7 +40,7 @@ jobs:
     strategy:
       matrix:
         go-version: [1.25.x]
-        os: [ubuntu-latest, windows-2022, macos-latest]
+        os: [ubuntu-latest, ubuntu-24.04-arm, windows-2022, macos-latest]
     runs-on: ${{ matrix.os }}
     steps:
       - name: Set up Go
@@ -88,7 +88,7 @@ jobs:
         if: always()
         uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
-          name: unit-test-${{ runner.os }}-${{ github.event.pull_request.head.sha }}.log
+          name: unit-test-${{ matrix.os }}-${{ github.event.pull_request.head.sha }}.log
           path: unit-test.log
   security-scan:
     name: security-scan

@@ -5,14 +5,22 @@ on:
     branches: [master]
 
 jobs:
-  e2e-debian-tests:
-    name: e2e-debian-tests
+  e2e-tests:
+    name: e2e-tests-${{ matrix.config.tag_suffix }}
     strategy:
       fail-fast: false
       matrix:
         go-version: [1.25.x]
-        os: [ubuntu-latest]
-    runs-on: ${{ matrix.os }}
+        config:
+          - os: ubuntu-latest
+            platform: linux/amd64
+            dockerfile: docker/Dockerfile.debian
+            tag_suffix: debian-amd64
+          - os: ubuntu-24.04-arm
+            platform: linux/arm64
+            dockerfile: docker/Dockerfile.debian
+            tag_suffix: debian-arm64
+    runs-on: ${{ matrix.config.os }}
     steps:
       - name: Cancel Previous Runs
         uses: styfle/cancel-workflow-action@85880fa0301c86cca9da44039ee3bb12d3bedbfa # 0.12.1
@@ -47,10 +55,11 @@ jobs:
         uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
         with:
           path: /tmp/.buildx-cache
-          key: ${{ runner.os }}-buildx-${{ github.ref }}
+          key: ${{ runner.os }}-buildx-${{ matrix.config.tag_suffix }}-${{ github.ref }}
           restore-keys: |
-            ${{ runner.os }}-buildx-${{ github.ref }}
+            ${{ runner.os }}-buildx-${{ matrix.config.tag_suffix }}-${{ github.ref }}
       - name: Append Entrypoint in dockerfile
+        if: matrix.config.dockerfile == 'docker/Dockerfile.debian'
         run: |
           echo "ENTRYPOINT [\"/app/bin/kics\"]" >> docker/Dockerfile.debian
       - name: Get short SHA
@@ -61,13 +70,15 @@ jobs:
         with:
           load: true
           context: ./
-          file: ./docker/Dockerfile.debian
+          file: ./${{ matrix.config.dockerfile }}
           builder: ${{ steps.buildx.outputs.name }}
           push: false
-          tags: kics:e2e-debian-tests-${{ github.sha }}
+          tags: kics:e2e-${{ matrix.config.tag_suffix }}-${{ github.sha }}
+          platforms: ${{ matrix.config.platform }}
           build-args: |
             VERSION=development
             COMMIT=${{ github.sha }}
+            BUILDPLATFORM=${{ matrix.config.platform }}
           cache-from: type=local,src=/tmp/.buildx-cache
           cache-to: type=local,dest=/tmp/.buildx-cache
       - name: Image digest
@@ -81,27 +92,23 @@ jobs:
           sudo chmod -R 777 ./e2e
       - name: Run E2E Tests
         env:
-          E2E_KICS_DOCKER: kics:e2e-debian-tests-${{ github.sha }}
+          E2E_KICS_DOCKER: kics:e2e-${{ matrix.config.tag_suffix }}-${{ github.sha }}
           E2E_KICS_QUERIES_PATH: ${{ steps.getbin.outputs.queries }}
         run: |
           go test -tags dev "github.com/Checkmarx/kics/v2/e2e" -timeout 1500s -json > results.json
       - name: Generate E2E Report
         if: always()
         env:
-          E2E_KICS_DOCKERFILE: docker/Dockerfile.debian
+          E2E_KICS_DOCKERFILE: ${{ matrix.config.dockerfile }}
         run: |
           CWD=$(pwd)
           cd .github/scripts/report
           go mod tidy
           go build
           ./e2e-report -test-path ${CWD} -test-name results.json -report-path ${CWD} -report-name e2e-report.html
-      - name: Get docker name
-        run: |
-          DOCKER_NAME=$(echo docker/Dockerfile.debian | sed 's/\//-/')
       - name: Archive test report
         if: always()
         uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
-          name: e2e-tests-report-dockerfile-$DOCKER_NAME
+          name: e2e-tests-report-${{ matrix.config.tag_suffix }}
           path: e2e-report.html
-          # dummy
@@ -6,14 +6,37 @@ on:
 
 jobs:
   e2e-tests:
-    name: e2e-tests
+    name: e2e-tests-${{ matrix.config.tag_suffix }}
     strategy:
       fail-fast: false
       matrix:
         go-version: [1.25.x]
-        os: [ubuntu-latest]
-        kics-docker: ["Dockerfile", "docker/Dockerfile.ubi8", "docker/Dockerfile.alpine"]
-    runs-on: ${{ matrix.os }}
+        config:
+          - os: ubuntu-latest
+            platform: linux/amd64
+            dockerfile: Dockerfile
+            tag_suffix: default-amd64
+          - os: ubuntu-latest
+            platform: linux/amd64
+            dockerfile: docker/Dockerfile.ubi8
+            tag_suffix: ubi8-amd64
+          - os: ubuntu-latest
+            platform: linux/amd64
+            dockerfile: docker/Dockerfile.alpine
+            tag_suffix: alpine-amd64
+          - os: ubuntu-24.04-arm
+            platform: linux/arm64
+            dockerfile: Dockerfile
+            tag_suffix: default-arm64
+          - os: ubuntu-24.04-arm
+            platform: linux/arm64
+            dockerfile: docker/Dockerfile.ubi8
+            tag_suffix: ubi8-arm64
+          - os: ubuntu-24.04-arm
+            platform: linux/arm64
+            dockerfile: docker/Dockerfile.alpine
+            tag_suffix: alpine-arm64
+    runs-on: ${{ matrix.config.os }}
     steps:
       - name: Cancel Previous Runs
         uses: styfle/cancel-workflow-action@85880fa0301c86cca9da44039ee3bb12d3bedbfa # 0.12.1
@@ -48,9 +71,9 @@ jobs:
         uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
         with:
           path: /tmp/.buildx-cache
-          key: ${{ runner.os }}-buildx-${{ github.ref }}
+          key: ${{ runner.os }}-buildx-${{ matrix.config.tag_suffix }}-${{ github.ref }}
           restore-keys: |
-            ${{ runner.os }}-buildx-${{ github.ref }}
+            ${{ runner.os }}-buildx-${{ matrix.config.tag_suffix }}-${{ github.ref }}
       - name: Get short SHA
         run: echo "GITHUB_SHA_SHORT=$(echo $GITHUB_SHA | cut -c 1-8)" >> $GITHUB_ENV
       - name: Build
@@ -59,10 +82,11 @@ jobs:
         with:
           load: true
           context: ./
-          file: ./${{ matrix.kics-docker }}
+          file: ./${{ matrix.config.dockerfile }}
           builder: ${{ steps.buildx.outputs.name }}
           push: false
-          tags: kics:e2e-tests-${{ github.sha }}
+          tags: kics:e2e-${{ matrix.config.tag_suffix }}-${{ github.sha }}
+          platforms: ${{ matrix.config.platform }}
           build-args: |
             VERSION=development
             COMMIT=${{ github.sha }}
@@ -79,28 +103,23 @@ jobs:
           sudo chmod -R 777 ./e2e
       - name: Run E2E Tests
         env:
-          E2E_KICS_DOCKER: kics:e2e-tests-${{ github.sha }}
+          E2E_KICS_DOCKER: kics:e2e-${{ matrix.config.tag_suffix }}-${{ github.sha }}
           E2E_KICS_QUERIES_PATH: ${{ steps.getbin.outputs.queries }}
         run: |
           go test -tags dev "github.com/Checkmarx/kics/v2/e2e" -timeout 1500s -json > results.json
       - name: Generate E2E Report
         if: always()
         env:
-          E2E_KICS_DOCKERFILE: ${{ matrix.kics-docker }}
+          E2E_KICS_DOCKERFILE: ${{ matrix.config.dockerfile }}
         run: |
           CWD=$(pwd)
           cd .github/scripts/report
           go mod tidy
           go build
           ./e2e-report -test-path ${CWD} -test-name results.json -report-path ${CWD} -report-name e2e-report.html
-      - name: Get docker name
-        if: always()
-        run: |
-          DOCKER_NAME=$(echo ${{ matrix.kics-docker }} | sed 's/\//-/')
-          echo "DOCKER_NAME=$DOCKER_NAME" >> $GITHUB_ENV
       - name: Archive test report
         if: always()
         uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
-          name: e2e-tests-report-${{ env.DOCKER_NAME }}
+          name: e2e-tests-report-${{ matrix.config.tag_suffix }}
           path: e2e-report.html
@@ -118,7 +118,7 @@ jobs:
           file: ./docker/Dockerfile.ubi8
           push: true
           tags: checkmarx/kics:ubi8,checkmarx/kics:${{ steps.get-version.outputs.version }}-ubi8
-          platforms: linux/amd64
+          platforms: linux/amd64,linux/arm64
           build-args: |
             VERSION=${{ steps.get-version.outputs.version }}
             COMMIT=${{ github.sha }}

@@ -1,4 +1,4 @@
-FROM checkmarx/go:1.26.1-r1@sha256:3984b97600a32d5a9ff14cc4b8029572a762082d98fb9788bbc4050d4f45d9d2 AS build_env
+FROM checkmarx/go:1.26.1-r1@sha256:7eaab909cc0aca91eaa4dde0171ef12d03bcad437eea651ceebb70b0f63c5dee AS build_env
 
 # Copy the source from the current directory to the Working Directory inside the container
 WORKDIR /app
@@ -29,9 +29,9 @@
 # Runtime image
 # Ignore no User Cmd since KICS container is stopped afer scan
 # kics-scan ignore-line
-FROM checkmarx/git:2.53.0-r0@sha256:6f398e9772fc0271cbdd77b065a09c9244004fbda17c1c58ba01b412a4292bde
+FROM checkmarx/git:2.53.0-r0@sha256:36de24faffc5abca400a8f3bdb178bedca1f359ca98262b0400af6c77c5858af
 
 ENV TERM xterm-256color
 
 # Copy built binary to the runtime container
 # Vulnerability fixed in latest version of KICS remove when gh actions version is updated
@@ -47,7 +47,7 @@
 USER root

 # Healthcheck the container
 ENV PATH $PATH:/app/bin

 # Command to run the executable
 ENTRYPOINT ["/app/bin/kics"]
@@ -1,23 +1,26 @@
-FROM --platform=${BUILDPLATFORM:-linux/amd64} registry.access.redhat.com/ubi8:latest AS build_env
+FROM registry.access.redhat.com/ubi8:latest AS build_env
+
+ARG TARGETOS
+ARG TARGETARCH
 
 WORKDIR /build
 
 ENV PATH=$PATH:/usr/local/go/bin
 
-ADD https://golang.org/dl/go1.25.7.linux-amd64.tar.gz .
-RUN yum install git gcc -y \
-  && rm -rf /usr/local/go && tar -C /usr/local -xzf go1.25.7.linux-amd64.tar.gz \
-  && rm -f go1.25.7.linux-amd64.tar.gz
+RUN echo "Installing Go 1.25.7 for ${TARGETARCH:-amd64} architecture"
+
+RUN yum install git gcc wget -y \
+  && rm -rf /usr/local/go \
+  && wget -q https://golang.org/dl/go1.25.7.linux-${TARGETARCH:-amd64}.tar.gz \
+  && tar -C /usr/local -xzf go1.25.7.linux-${TARGETARCH:-amd64}.tar.gz \
+  && rm -f go1.25.7.linux-${TARGETARCH:-amd64}.tar.gz
 
 ENV GOPRIVATE=github.com/Checkmarx/*
 ARG VERSION="development"
 ARG COMMIT="NOCOMMIT"
 ARG SENTRY_DSN=""
 ARG DESCRIPTIONS_URL=""
 
-ARG TARGETOS
-ARG TARGETARCH
-
 # Copy go mod and sum files
 COPY go.mod .
 COPY go.sum .
@@ -36,6 +39,9 @@
 
 FROM registry.access.redhat.com/ubi8:latest
 
+ARG RELEASE
+ARG VERSION
+
 ENV RELEASE=$RELEASE \
   VERSION=$VERSION
 
@@ -55,7 +61,7 @@
 ARG GID=1000
 
 RUN yum install git wget unzip -y \
-  && groupadd -g ${UID} ${KGROUP} \
+  && groupadd -g ${GID} ${KGROUP} \
   && adduser \
   --home-dir /app/bin \
   --no-create-home \
@@ -75,7 +81,7 @@
 COPY --chown=${KUSER}:${KGROUP} --from=build_env /build/bin/kics /app/bin/kics
 COPY --chown=${KUSER}:${KGROUP} --from=build_env /build/assets/ /app/bin/assets/

 ENV PATH $PATH:/app/bin

 # Command to run the executable
 ENTRYPOINT ["/app/bin/kics"]
@@ -40,8 +40,8 @@ require (
 	github.com/yargevad/filepathx v1.0.0
 	github.com/zclconf/go-cty v1.16.2
 	golang.org/x/exp v0.0.0-20250911091902-df9299821621
-	golang.org/x/net v0.47.0
-	golang.org/x/text v0.31.0
+	golang.org/x/net v0.48.0
+	golang.org/x/text v0.32.0
 	golang.org/x/tools/godoc v0.1.0-deprecated
 	gopkg.in/yaml.v3 v3.0.1
 	helm.sh/helm/v3 v3.19.4
@@ -50,7 +50,7 @@ require (
 )
 
 require (
-	cel.dev/expr v0.24.0 // indirect
+	cel.dev/expr v0.25.1 // indirect
 	cloud.google.com/go v0.116.0 // indirect
 	cloud.google.com/go/auth v0.13.0 // indirect
 	cloud.google.com/go/auth/oauth2adapt v0.2.6 // indirect
@@ -81,14 +81,14 @@ require (
 	github.com/aws/aws-sdk-go-v2/service/sts v1.38.0 // indirect
 	github.com/aws/smithy-go v1.22.5 // indirect
 	github.com/blang/semver/v4 v4.0.0 // indirect
-	github.com/cncf/xds/go v0.0.0-20251022180443-0feb69152e9f // indirect
+	github.com/cncf/xds/go v0.0.0-20251210132809-ee656c7534f5 // indirect
 	github.com/containerd/errdefs v1.0.0 // indirect
 	github.com/containerd/log v0.1.0 // indirect
 	github.com/containerd/platforms v1.0.0-rc.2 // indirect
 	github.com/containerd/typeurl/v2 v2.2.3 // indirect
 	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0 // indirect
-	github.com/envoyproxy/go-control-plane/envoy v1.35.0 // indirect
-	github.com/envoyproxy/protoc-gen-validate v1.2.1 // indirect
+	github.com/envoyproxy/go-control-plane/envoy v1.36.0 // indirect
+	github.com/envoyproxy/protoc-gen-validate v1.3.0 // indirect
 	github.com/evanphx/json-patch/v5 v5.9.11 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/fxamacker/cbor/v2 v2.9.0 // indirect
@@ -130,7 +130,7 @@ require (
 	github.com/x448/float16 v0.8.4 // indirect
 	go.opencensus.io v0.24.0 // indirect
 	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
-	go.opentelemetry.io/contrib/detectors/gcp v1.38.0 // indirect
+	go.opentelemetry.io/contrib/detectors/gcp v1.39.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.61.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.63.0 // indirect
 	go.opentelemetry.io/otel v1.40.0 // indirect
@@ -140,12 +140,12 @@ require (
 	go.opentelemetry.io/otel/trace v1.40.0 // indirect
 	go.yaml.in/yaml/v2 v2.4.2 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
-	golang.org/x/mod v0.29.0 // indirect
-	golang.org/x/tools v0.38.0 // indirect
+	golang.org/x/mod v0.30.0 // indirect
+	golang.org/x/tools v0.39.0 // indirect
 	google.golang.org/api v0.215.0 // indirect
 	google.golang.org/genproto v0.0.0-20241118233622-e639e219e697 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20251022142026-3a174f9686a8 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20251022142026-3a174f9686a8 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20251202230838-ff82c1b0f217 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20251202230838-ff82c1b0f217 // indirect
 	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
 	oras.land/oras-go/v2 v2.6.0 // indirect
 	sigs.k8s.io/randfill v1.0.0 // indirect
@@ -243,13 +243,13 @@ require (
 	github.com/xlab/treeprint v1.2.0 // indirect
 	github.com/xo/terminfo v0.0.0-20210125001918-ca9a967f8778 // indirect
 	github.com/yashtewari/glob-intersection v0.2.0 // indirect
-	golang.org/x/crypto v0.45.0 // indirect
-	golang.org/x/oauth2 v0.32.0 // indirect
-	golang.org/x/sync v0.18.0 // indirect
+	golang.org/x/crypto v0.46.0 // indirect
+	golang.org/x/oauth2 v0.34.0 // indirect
+	golang.org/x/sync v0.19.0 // indirect
 	golang.org/x/sys v0.40.0 // indirect
-	golang.org/x/term v0.37.0 // indirect
+	golang.org/x/term v0.38.0 // indirect
 	golang.org/x/time v0.14.0 // indirect
-	google.golang.org/grpc v1.77.0 // indirect
+	google.golang.org/grpc v1.79.3 // indirect
 	google.golang.org/protobuf v1.36.10 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	k8s.io/api v0.34.2