From 3ab68b34ea1365d54d0a3c5933b3bdffb2f10aba Mon Sep 17 00:00:00 2001
From: Zachary Sanders
Date: Fri, 30 Apr 2021 13:02:24 -0600
Subject: [PATCH 01/22] update readme
---
 README.md | 63 +++++++++++++++++++++++++++++++++++++++++++++++--------
 1 file changed, 54 insertions(+), 9 deletions(-)
diff --git a/README.md b/README.md
index 2e594fe..46866f2 100644
--- a/README.md
+++ b/README.md
@@ -22,13 +22,13 @@ The Ironbank pipeline requires all upstream resouces to be declared in the harde --- **Note** - There is a limitation for this usage. Your upstream resource must be stored in a location for which renovate has a datasoure (a full list of supported datasources can be found [here](https://docs.renovatebot.com/modules/datasource/) ). Unfortunatly, this is a limiting factor for some projects. + There is a limitation for this usage. Your upstream resource must be stored in a location for which renovate has a datasoure (a full list of supported datasources can be found [here](https://docs.renovatebot.com/modules/datasource/) ). Unfortunatly, this is a limiting factor for some projects. - -- + -- - It is important to remove any references to a specific application version in the filename of the hardening_manifest.yaml file when downloading artifacts that are not images. This way, if the artifact version is bumped, the COPY statement included in the Dockerfile will be able to handle this updated version, without failing because it attempts to copy an older version which is no longer being downloaded. + It is important to remove any references to a specific application version in the filename of the hardening_manifest.yaml file when downloading artifacts that are not images. This way, if the artifact version is bumped, the COPY statement included in the Dockerfile will be able to handle this updated version, without failing because it attempts to copy an older version which is no longer being downloaded. - For example, use the filename kubernetes.tar.gz instead of the filename kubernetes-1.18.3 because the Dockerfile COPY kubernetes-1.18.3.tar.gz statement will throw an error that a resource cannot be found if the Kubernetes artifact version is bumped to 1.18.4. COPY kubernetes.tar.gz will handle any version bumps that occur and result in successful copying of the hardening_manifest.yaml artifact for the build. 
+ For example, use the filename kubernetes.tar.gz instead of the filename kubernetes-1.18.3 because the Dockerfile COPY kubernetes-1.18.3.tar.gz statement will throw an error that a resource cannot be found if the Kubernetes artifact version is bumped to 1.18.4. COPY kubernetes.tar.gz will handle any version bumps that occur and result in successful copying of the hardening_manifest.yaml artifact for the build. --- @@ -59,15 +59,19 @@ resources: The `Ironbank Manager` is a custom **manager** that was developed for use in Repo1 to handle extracting dependencies from the `hardening_manifest.yaml` file resource section. -`docker`, `github-releases`, `github-tags`, `ruby-gems`, and `pypi`**datasources** are currently supported, but other native datasources can be added as well. The manager parses the `url` key to determine the type of dependency. +`docker`, `github-releases`, `github-tags`, `ruby-gems`, and `pypi`**datasources** are currently supported, but other native datasources can be added as well upon request. The manager parses the `url` key to determine the type of dependency. ```yaml - url: docker://{registry}/{repo}@{digest} -- url: https://github.com/${repo}/releases/download/${version}/${archive} +- url: https://github.com/${repo}/.../${version}/${archive} - url: https://rubygems.org/downloads/{import}-{version}.gem - url: https://files.pythonhosted.org/../.../{import}-{version}...whl ``` +Any other datasource in your hardening_manifest.yaml file will not be automatically renovated. + +!!! Do not add a renovate.json if the main resource in the hardening_manifest that dictates the tag and label does not have a supported datasource. This can lead to improperly labeled containers and we use other methods to track these cases. + --- **Note** 
@@ -82,7 +86,9 @@ Renovate includes a regex **manager** that can extract dependencies with a regul The example `renovate.json` below will update the **tags:** and **labels:** strings if there is an update to the argocd docker image found on docker.io. ```json - { +{ + "baseBranches": ["development"], + "regexManagers": [ "fileMatch": [ "^hardening_manifest.yaml$" ], @@ -102,10 +108,47 @@ The example `renovate.json` below will update the **tags:** and **labels:** stri "depNameTemplate": "argoproj/argocd", "datasourceTemplate": "docker" } + ] +} ``` Notice the `depNameTemplate` and `datasourceTemplate` that defines the dependency metadata. +--- +**Note** +Examples: + + Docker: + + if from docker hub the depNameTemplate will be the docker hub path up to the delimiter (@sha, :v...) + + - "depNameTemplate": "argoproj/argocd", + "datasourceTemplate": "docker" + any other docker registry the depNameTemplate will be the full path up to the delimeter + + - "depNameTemplate": "gcr.io/tekton-releases/github.com/tektoncd/triggers/cmd/controller", + "datasourceTemplate": "docker" + + Github + + if source is github and the url contains 'archive' or 'tags' you will use github-tags as datasource + + - "depNameTemplate": "postgres/postgres", + "datasourceTemplate": "github-tags" + + else it will be github-releases + + - "depNameTemplate": "gohugoio/hugo", + "datasourceTemplate": "github-releases" + + Pypi and Rubygems: + + These are just the name of the package + + - "depNameTemplate": "fluentd", + "datasourceTemplate": "rubygems" +--- + ### Major Versions Repositories that a pinned to a major version (i.e. `dsop/opensource/redis/redis6`) should disable major revision bumps. 
@@ -139,7 +182,9 @@ For more indepth documentation and configuration options you can visit the offic ## Renovate Workflow -In order to begin using Renovate in your project you must create a renovate.json file in the base of your project. Any project with a renovate.json file the renovate-bot will detect and run against it. +In order to begin using Renovate in your project you must have a renovate.json file in the base of your project. Any project with a renovate.json file the renovate-bot will detect and run against it. + +Only add a renovate.json file if your main resource in your hardening_manifest file has a supported datasource. You must also add your regex managers to update the tag and label to the correct version. If you have a supported datasource and both regex managers in the renovate.json file any updates will produce a completely updated hardening_manifest in the generated merge request in Gitlab. If an update is detected a merge request will be created with those changes. An Issue will be created and associated with that merge request. It is then required that the normal container hardening process if followed with that merge request. The pipeline must pass, merged into development, and any new CVEs must be justified before requesting it to be merged to master. 
@@ -147,7 +192,7 @@ If an update is detected a merge request will be created with those changes. An
 ### Renovate Datasources
-The base image in this repository does not support many of the native Renovate datasources. The image provides support for the minimum feature set required by Ironbank (docker, github-releases).
+The base image in this repository does not support many of the native Renovate datasources. The image provides support for the minimum feature set required by Ironbank (eg, docker, github-releases, github-tags, rubygems, pypi).
 Also metioned before your upstream resource must be stored in a location for which renovate has a datasoure. Renovate ships with several datasources such as docker, github-releases, rubygems, and pypi. A vendor's upstream resource may not publish to one of these supported platforms and as such could be a limiting factor for the use of Renovate. A custom datasource would have to be implemented to support fetching release information for these resources.
--
GitLab
From 24804b5f9e4db5a9bb9f81de396fb8d657e7cd73 Mon Sep 17 00:00:00 2001
From: Zachary Sanders
Date: Mon, 3 May 2021 11:05:34 -0600
Subject: [PATCH 02/22] update readme
---
 README.md | 41 ++++++++++++++++++++++++-----------------
 1 file changed, 24 insertions(+), 17 deletions(-)
diff --git a/README.md b/README.md
index 46866f2..8093a37 100644
--- a/README.md
+++ b/README.md
@@ -32,7 +32,7 @@ The Ironbank pipeline requires all upstream resouces to be declared in the harde
 ---
-### Hardening_manifest
+## Hardening_manifest
 Specifically, there are three pieces of data in the `hardening_manifest` that Renovate needs to watch and update.
@@ -55,11 +55,15 @@ resources: ``` -### Ironbank Manager +We use two Renovate managers to fully update the `hardening_manifest`: `Ironbank` and `Regex` -The `Ironbank Manager` is a custom **manager** that was developed for use in Repo1 to handle extracting dependencies from the `hardening_manifest.yaml` file resource section. +--- + +## IronbankManager + +The `Ironbank Manager` is a custom **manager** that was developed for use in Repo1 to handle extracting dependencies from the `hardening_manifest.yaml` file resource section. If you have a hardening_manifest.yaml file and a renovate.json file the `Ironbank Manager` will automatically parse the resource section and look for updates for each resource that comes from a supported datasource. -`docker`, `github-releases`, `github-tags`, `ruby-gems`, and `pypi`**datasources** are currently supported, but other native datasources can be added as well upon request. The manager parses the `url` key to determine the type of dependency. +`docker`, `github-releases`, `github-tags`, `ruby-gems`, and `pypi`**datasources** are currently the only supported datasource, but other native datasources can be added as well upon request. The manager parses the `url` key to determine the type of dependency. ```yaml - url: docker://{registry}/{repo}@{digest} @@ -70,8 +74,6 @@ The `Ironbank Manager` is a custom **manager** that was developed for use in Rep Any other datasource in your hardening_manifest.yaml file will not be automatically renovated. -!!! Do not add a renovate.json if the main resource in the hardening_manifest that dictates the tag and label does not have a supported datasource. This can lead to improperly labeled containers and we use other methods to track these cases. - --- **Note** 
@@ -79,7 +81,7 @@ Any other datasource in your hardening_manifest.yaml file will not be automatica --- -### Regex Manager +## RegexManager Renovate includes a regex **manager** that can extract dependencies with a regular expression. This is useful for file formats that do not have an associated manager. Within Ironbank, the regex manager is used to handle updating the `hardening_manifest` tags and labels section. 
@@ -112,26 +114,29 @@ The example `renovate.json` below will update the **tags:** and **labels:** stri } ``` -Notice the `depNameTemplate` and `datasourceTemplate` that defines the dependency metadata. +You only need to add the `Regex Manager` to your renovate.json file if your main resource (that is the resource that dictates the tag and label) comes from a supported datasource. There are cases where the main resource does not come from a supported datasource but other supporting resource in the hardening_manifest do have supporting datasources. In those cases you will still need a renovate.json file but you will only need to add `"baseBranches": ["development"],` in it. + +When using the `Regex Manager` you will need to provide the what datasource it is and the dependancy name. Notice the `depNameTemplate` and `datasourceTemplate` that defines this information in the above example. --- **Note** -Examples: +The following example can help you determine what you will put for the `depNameTemplate` and `datasourceTemplate` Docker: - if from docker hub the depNameTemplate will be the docker hub path up to the delimiter (@sha, :v...) + if from docker hub the depNameTemplate will be the docker hub path - "depNameTemplate": "argoproj/argocd", "datasourceTemplate": "docker" - any other docker registry the depNameTemplate will be the full path up to the delimeter + + any other docker registry the depNameTemplate will be the full path - "depNameTemplate": "gcr.io/tekton-releases/github.com/tektoncd/triggers/cmd/controller", "datasourceTemplate": "docker" Github - if source is github and the url contains 'archive' or 'tags' you will use github-tags as datasource + if source is github and the url contains 'archive' or 'tags' you will use github-tags as the datasourceTemplate and github path as the depNameTemplate - "depNameTemplate": "postgres/postgres", "datasourceTemplate": "github-tags" 
@@ -149,9 +154,9 @@ Examples: "datasourceTemplate": "rubygems" --- -### Major Versions +## Major Versions -Repositories that a pinned to a major version (i.e. `dsop/opensource/redis/redis6`) should disable major revision bumps. +Repositories that a pinned to a major version (i.e. `postgresql10`) should disable major revision bumps. ```json { @@ -161,15 +166,17 @@ Repositories that a pinned to a major version (i.e. `dsop/opensource/redis/redis } ``` -### Reviewers +## Reviewers -Add reviewers for each repository so `MAINTAINERS` will be notified of a new pull request. Renovate can also be configured to automerge pull requests. +Add reviewers for each repository so `MAINTAINERS` will be notified of a new pull request. Renovate can also be configured to automerge pull requests (currently under testing). ```json { "reviewers": [ "jeason" ] + "automerge": true, + "gitLabAutomerge": true, } ``` 
@@ -184,7 +191,7 @@ For more indepth documentation and configuration options you can visit the offic
 In order to begin using Renovate in your project you must have a renovate.json file in the base of your project. Any project with a renovate.json file the renovate-bot will detect and run against it.
-Only add a renovate.json file if your main resource in your hardening_manifest file has a supported datasource. You must also add your regex managers to update the tag and label to the correct version. If you have a supported datasource and both regex managers in the renovate.json file any updates will produce a completely updated hardening_manifest in the generated merge request in Gitlab.
+You only need to add a renovate.json file if there are resources in your `hardening_manifest` file that have supporting [datasource](##IronbankManager). You must also add your [regex managers](##RegexManager) to update the tag and label to the correct version if your main resource that dictates that data has a supported datasource. If your main resouce has a supported datasource and you have proper regex managers in the renovate.json file any updates to that resource will produce a completely updated hardening_manifest in the generated merge request in Gitlab.
 If an update is detected a merge request will be created with those changes. An Issue will be created and associated with that merge request. It is then required that the normal container hardening process if followed with that merge request. The pipeline must pass, merged into development, and any new CVEs must be justified before requesting it to be merged to master.
--
GitLab
From 7645c62a227e15b7af89177fbf490e9961c8b430 Mon Sep 17 00:00:00 2001
From: Zachary Sanders
Date: Mon, 3 May 2021 11:49:21 -0600
Subject: [PATCH 03/22] update readme
---
 README.md | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/README.md b/README.md
index 8093a37..46aae20 100644
--- a/README.md
+++ b/README.md
@@ -22,13 +22,13 @@ The Ironbank pipeline requires all upstream resouces to be declared in the harde --- **Note** - There is a limitation for this usage. Your upstream resource must be stored in a location for which renovate has a datasoure (a full list of supported datasources can be found [here](https://docs.renovatebot.com/modules/datasource/) ). Unfortunatly, this is a limiting factor for some projects. +There is a limitation for this usage. Your upstream resource must be stored in a location for which renovate has a datasoure (a full list of supported datasources can be found [here](https://docs.renovatebot.com/modules/datasource/) ). Unfortunatly, this is a limiting factor for some projects. - -- +-- - It is important to remove any references to a specific application version in the filename of the hardening_manifest.yaml file when downloading artifacts that are not images. This way, if the artifact version is bumped, the COPY statement included in the Dockerfile will be able to handle this updated version, without failing because it attempts to copy an older version which is no longer being downloaded. +It is important to remove any references to a specific application version in the filename of the hardening_manifest.yaml file when downloading artifacts that are not images. This way, if the artifact version is bumped, the COPY statement included in the Dockerfile will be able to handle this updated version, without failing because it attempts to copy an older version which is no longer being downloaded. - For example, use the filename kubernetes.tar.gz instead of the filename kubernetes-1.18.3 because the Dockerfile COPY kubernetes-1.18.3.tar.gz statement will throw an error that a resource cannot be found if the Kubernetes artifact version is bumped to 1.18.4. COPY kubernetes.tar.gz will handle any version bumps that occur and result in successful copying of the hardening_manifest.yaml artifact for the build. 
+For example, use the filename kubernetes.tar.gz instead of the filename kubernetes-1.18.3 because the Dockerfile COPY kubernetes-1.18.3.tar.gz statement will throw an error that a resource cannot be found if the Kubernetes artifact version is bumped to 1.18.4. COPY kubernetes.tar.gz will handle any version bumps that occur and result in successful copying of the hardening_manifest.yaml artifact for the build.
 ---
--
GitLab
From 50b04fdc2d3bbbceb676d3b82e8e3d16cc1c7336 Mon Sep 17 00:00:00 2001
From: Zachary Sanders
Date: Mon, 3 May 2021 12:00:56 -0600
Subject: [PATCH 04/22] update readme
---
 README.md | 17 +++++++----------
 1 file changed, 7 insertions(+), 10 deletions(-)
diff --git a/README.md b/README.md
index 46aae20..6ffc9fb 100644
--- a/README.md
+++ b/README.md
@@ -20,16 +20,15 @@ Renonvate has a capability set of updating dependancies from a wide range of sou The Ironbank pipeline requires all upstream resouces to be declared in the hardening_manifest. Due to this we use Renovate, more specifically a custom manager call `Ironbank` and the `Regex Manager`, to parse the hardening_manifest for declared versions and check for updates using the supported datasources in our `Ironbank Manager` or what is outlined in the renovate.json file for the `Regex Manager`. --- -**Note** +***Note*** There is a limitation for this usage. Your upstream resource must be stored in a location for which renovate has a datasoure (a full list of supported datasources can be found [here](https://docs.renovatebot.com/modules/datasource/) ). Unfortunatly, this is a limiting factor for some projects. --- - -It is important to remove any references to a specific application version in the filename of the hardening_manifest.yaml file when downloading artifacts that are not images. This way, if the artifact version is bumped, the COPY statement included in the Dockerfile will be able to handle this updated version, without failing because it attempts to copy an older version which is no longer being downloaded. +--- -For example, use the filename kubernetes.tar.gz instead of the filename kubernetes-1.18.3 because the Dockerfile COPY kubernetes-1.18.3.tar.gz statement will throw an error that a resource cannot be found if the Kubernetes artifact version is bumped to 1.18.4. COPY kubernetes.tar.gz will handle any version bumps that occur and result in successful copying of the hardening_manifest.yaml artifact for the build. +> **_Important:_** It is important to remove any references to a specific application version in the filename of the hardening_manifest.yaml file when downloading artifacts that are not images. 
This way, if the artifact version is bumped, the COPY statement included in the Dockerfile will be able to handle this updated version, without failing because it attempts to copy an older version which is no longer being downloaded. +> **example:** For example, use the filename kubernetes.tar.gz instead of the filename kubernetes-1.18.3 because the Dockerfile COPY kubernetes-1.18.3.tar.gz statement will throw an error that a resource cannot be found if the Kubernetes artifact version is bumped to 1.18.4. COPY kubernetes.tar.gz will handle any version bumps that occur and result in successful copying of the hardening_manifest.yaml artifact for the build. --- ## Hardening_manifest @@ -75,9 +74,7 @@ The `Ironbank Manager` is a custom **manager** that was developed for use in Rep Any other datasource in your hardening_manifest.yaml file will not be automatically renovated. --- -**Note** - - In order for you to take advantage of the custom Ironbank Manager you only need to have an empty renovate.json file in the base of your Gitlab project. The Ironbank Manager will parse the hardening_manifest (if it exists) and check for updates for supported sources by default without any additional configuration. +**_Important:_** In order for you to take advantage of the custom Ironbank Manager you only need to have an empty renovate.json file in the base of your Gitlab project. The Ironbank Manager will parse the hardening_manifest (if it exists) and check for updates for supported sources by default without any additional configuration. --- @@ -154,7 +151,7 @@ The following example can help you determine what you will put for the `depNameT "datasourceTemplate": "rubygems" --- -## Major Versions +### Major Versions Repositories that a pinned to a major version (i.e. `postgresql10`) should disable major revision bumps. 
@@ -166,7 +163,7 @@ Repositories that a pinned to a major version (i.e. `postgresql10`) should disab
 }
 ```
-## Reviewers
+### Reviewers
 Add reviewers for each repository so `MAINTAINERS` will be notified of a new pull request. Renovate can also be configured to automerge pull requests (currently under testing).
--
GitLab
From 7dfd7fbce07dcd4642ea151d9c8b793ce267430b Mon Sep 17 00:00:00 2001
From: Zachary Sanders
Date: Mon, 3 May 2021 12:04:11 -0600
Subject: [PATCH 05/22] update readme
---
 README.md | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 6ffc9fb..ce1008f 100644
--- a/README.md
+++ b/README.md
@@ -74,7 +74,9 @@ The `Ironbank Manager` is a custom **manager** that was developed for use in Rep
 Any other datasource in your hardening_manifest.yaml file will not be automatically renovated.
 ---
-**_Important:_** In order for you to take advantage of the custom Ironbank Manager you only need to have an empty renovate.json file in the base of your Gitlab project. The Ironbank Manager will parse the hardening_manifest (if it exists) and check for updates for supported sources by default without any additional configuration.
+
+**Note**
+In order for you to take advantage of the custom Ironbank Manager you only need to have an empty renovate.json file in the base of your Gitlab project. The Ironbank Manager will parse the hardening_manifest (if it exists) and check for updates for supported sources by default without any additional configuration.
 ---
--
GitLab
From 58818a4315c618b3ac435310e6020e72354dd7bd Mon Sep 17 00:00:00 2001
From: Zachary Sanders
Date: Mon, 3 May 2021 12:04:50 -0600
Subject: [PATCH 06/22] update readme
---
 README.md | 2 --
 1 file changed, 2 deletions(-)
diff --git a/README.md b/README.md
index ce1008f..81a664f 100644
--- a/README.md
+++ b/README.md
@@ -9,8 +9,6 @@ The pluggable constructs in Renovate include:
 Renovate handles opening Gitlab Merge Requests for out-of-date dependencies and can be customized for individual projects.
----
-
 ## How we use Renovate in Ironbank
 Renovate is an opensource project which we have implemented in Repo1's Gitlab. Our renovate-bot runs daily so any vendor that wants to create their own configuration of Renovate is free to do so. The follow subsequent sections outline how we utilize Renovate on opensource projects that are mangaged by the Container Hardening Team to watch for updates to upstream resouces in those projects. Ultimately, the vendor is responsible for the updating of their container in Ironbank, the use of Renovate is not required but is an option we provide for their use.
--
GitLab
From 0fb0ea084ffad8b72881fd01e82bc170cc1bad8e Mon Sep 17 00:00:00 2001
From: Zachary Sanders
Date: Mon, 3 May 2021 12:05:51 -0600
Subject: [PATCH 07/22] update readme
---
 README.md | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/README.md b/README.md
index 81a664f..01eec8d 100644
--- a/README.md
+++ b/README.md
@@ -54,8 +54,6 @@ resources:
 We use two Renovate managers to fully update the `hardening_manifest`: `Ironbank` and `Regex`
----
-
 ## IronbankManager
 The `Ironbank Manager` is a custom **manager** that was developed for use in Repo1 to handle extracting dependencies from the `hardening_manifest.yaml` file resource section. If you have a hardening_manifest.yaml file and a renovate.json file the `Ironbank Manager` will automatically parse the resource section and look for updates for each resource that comes from a supported datasource.
@@ -76,8 +74,6 @@ Any other datasource in your hardening_manifest.yaml file will not be automatica
 **Note**
 In order for you to take advantage of the custom Ironbank Manager you only need to have an empty renovate.json file in the base of your Gitlab project. The Ironbank Manager will parse the hardening_manifest (if it exists) and check for updates for supported sources by default without any additional configuration.
----
-
 ## RegexManager
 Renovate includes a regex **manager** that can extract dependencies with a regular expression. This is useful for file formats that do not have an associated manager. Within Ironbank, the regex manager is used to handle updating the `hardening_manifest` tags and labels section.
--
GitLab
From b75b2981a65e0d22c8a88d65e668fbb638015ab9 Mon Sep 17 00:00:00 2001
From: Zachary Sanders
Date: Mon, 3 May 2021 12:09:48 -0600
Subject: [PATCH 08/22] update readme
---
 README.md | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index 01eec8d..b57d20b 100644
--- a/README.md
+++ b/README.md
@@ -113,7 +113,7 @@ When using the `Regex Manager` you will need to provide the what datasource it i
 ---
 **Note**
-The following example can help you determine what you will put for the `depNameTemplate` and `datasourceTemplate`
+The following examples can help you determine what you will put for the `depNameTemplate` and `datasourceTemplate`
 Docker:
@@ -127,9 +127,10 @@ The following example can help you determine what you will put for the `depNameT - "depNameTemplate": "gcr.io/tekton-releases/github.com/tektoncd/triggers/cmd/controller", "datasourceTemplate": "docker" - Github + Github: - if source is github and the url contains 'archive' or 'tags' you will use github-tags as the datasourceTemplate and github path as the depNameTemplate + if the source is github and the url contains 'archive' or 'tags' you will use github-tags + as the datasourceTemplate and github path as the depNameTemplate - "depNameTemplate": "postgres/postgres", "datasourceTemplate": "github-tags" -- GitLab From 41e4d424aaa8910766177de4827f1f4eb59021c4 Mon Sep 17 00:00:00 2001 From: Zachary Sanders Date: Mon, 3 May 2021 12:12:06 -0600 Subject: [PATCH 09/22] update readme --- README.md | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index b57d20b..07a9e61 100644 --- a/README.md +++ b/README.md @@ -142,11 +142,11 @@ The following examples can help you determine what you will put for the `depName Pypi and Rubygems: - These are just the name of the package + These will just the name of the package depNameTemplate + with the corrisponding datasourceTemplate - "depNameTemplate": "fluentd", "datasourceTemplate": "rubygems" ---- ### Major Versions @@ -162,13 +162,22 @@ Repositories that a pinned to a major version (i.e. `postgresql10`) should disab ### Reviewers -Add reviewers for each repository so `MAINTAINERS` will be notified of a new pull request. Renovate can also be configured to automerge pull requests (currently under testing). +Add reviewers for each repository so `MAINTAINERS` will be notified of a new pull request. ```json { "reviewers": [ "jeason" ] +} +``` + +### Automerge + +Renovate can also be configured to automerge pull requests (currently under testing). + +```json +{ "automerge": true, "gitLabAutomerge": true, } 
@@ -179,8 +188,6 @@ Add reviewers for each repository so `MAINTAINERS` will be notified of a new pul
 **Note**
 For more indepth documentation and configuration options you can visit the official documentation [here](https://docs.renovatebot.com/configuration-options/).
----
-
 ## Renovate Workflow
 In order to begin using Renovate in your project you must have a renovate.json file in the base of your project. Any project with a renovate.json file the renovate-bot will detect and run against it.
--
GitLab
From d071b9d20b0468322efd025ae7a3672b0358b22e Mon Sep 17 00:00:00 2001
From: Zachary Sanders
Date: Mon, 3 May 2021 12:17:13 -0600
Subject: [PATCH 10/22] update readme
---
 README.md | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 07a9e61..a63bcf4 100644
--- a/README.md
+++ b/README.md
@@ -107,7 +107,11 @@ The example `renovate.json` below will update the **tags:** and **labels:** stri } ``` -You only need to add the `Regex Manager` to your renovate.json file if your main resource (that is the resource that dictates the tag and label) comes from a supported datasource. There are cases where the main resource does not come from a supported datasource but other supporting resource in the hardening_manifest do have supporting datasources. In those cases you will still need a renovate.json file but you will only need to add `"baseBranches": ["development"],` in it. +> **_Important:_** You only need to add the `Regex Manager` to your renovate.json file if your main resource (that is the resource that dictates the tag and label) comes from a supported datasource. + +There are cases where the main resource does not come from a supported datasource but other supporting resource in the hardening_manifest do have supporting datasources. In those cases you will still need a renovate.json file but you will only need to add `"baseBranches": ["development"],` in it. + +> **_Important:_** all renovate.json files must have at least `"baseBranches": ["development"],` added to it. When using the `Regex Manager` you will need to provide the what datasource it is and the dependancy name. Notice the `depNameTemplate` and `datasourceTemplate` that defines this information in the above example. 
@@ -192,7 +196,7 @@ For more indepth documentation and configuration options you can visit the offic In order to begin using Renovate in your project you must have a renovate.json file in the base of your project. Any project with a renovate.json file the renovate-bot will detect and run against it. -You only need to add a renovate.json file if there are resources in your `hardening_manifest` file that have supporting [datasource](##IronbankManager). You must also add your [regex managers](##RegexManager) to update the tag and label to the correct version if your main resource that dictates that data has a supported datasource. If your main resouce has a supported datasource and you have proper regex managers in the renovate.json file any updates to that resource will produce a completely updated hardening_manifest in the generated merge request in Gitlab. +You only need to add a renovate.json file if there are resources in your `hardening_manifest` file that have supporting [datasources](##IronbankManager). You must also add your [regex managers](##RegexManager) to update the tag and label to the correct version if your main resource has a supported datasource. If your main resouce has a supported datasource and you have proper regex managers in the renovate.json file any updates to that resource will produce a completely updated hardening_manifest in the generated merge request in Gitlab. If an update is detected a merge request will be created with those changes. An Issue will be created and associated with that merge request. It is then required that the normal container hardening process if followed with that merge request. The pipeline must pass, merged into development, and any new CVEs must be justified before requesting it to be merged to master. -- GitLab From ceadf9a67f92febed4e39009f20db91a0cb52e2b Mon Sep 17 00:00:00 2001 
From: Zachary Sanders Date: Tue, 4 May 2021 10:32:15 -0600 Subject: [PATCH 11/22] update readme --- README.md | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index a63bcf4..ec921e5 100644 --- a/README.md +++ b/README.md @@ -18,11 +18,10 @@ Renonvate has a capability set of updating dependancies from a wide range of sou The Ironbank pipeline requires all upstream resouces to be declared in the hardening_manifest. Due to this we use Renovate, more specifically a custom manager call `Ironbank` and the `Regex Manager`, to parse the hardening_manifest for declared versions and check for updates using the supported datasources in our `Ironbank Manager` or what is outlined in the renovate.json file for the `Regex Manager`. --- -***Note*** -There is a limitation for this usage. Your upstream resource must be stored in a location for which renovate has a datasoure (a full list of supported datasources can be found [here](https://docs.renovatebot.com/modules/datasource/) ). Unfortunatly, this is a limiting factor for some projects. +**Note** ---- +There is a limitation for this usage. Your upstream resource must be stored in a location for which renovate has a datasoure (a full list of supported datasources can be found [here](https://docs.renovatebot.com/modules/datasource/) ). Unfortunatly, this is a limiting factor for some projects. For these cases we use an alternative approach, while not as elegant as Renovate it works. > **_Important:_** It is important to remove any references to a specific application version in the filename of the hardening_manifest.yaml file when downloading artifacts that are not images. This way, if the artifact version is bumped, the COPY statement included in the Dockerfile will be able to handle this updated version, without failing because it attempts to copy an older version which is no longer being downloaded. 
@@ -67,7 +66,7 @@ The `Ironbank Manager` is a custom **manager** that was developed for use in Rep - url: https://files.pythonhosted.org/../.../{import}-{version}...whl ``` -Any other datasource in your hardening_manifest.yaml file will not be automatically renovated. +Any other datasource in your hardening_manifest.yaml file will not be automatically renovated. When selecting where you are pulling your resources from please take this into consideration, all things being equal we prefer you pull from a source for which renovate has a supported datasource. --- @@ -111,8 +110,6 @@ The example `renovate.json` below will update the **tags:** and **labels:** stri There are cases where the main resource does not come from a supported datasource but other supporting resource in the hardening_manifest do have supporting datasources. In those cases you will still need a renovate.json file but you will only need to add `"baseBranches": ["development"],` in it. -> **_Important:_** all renovate.json files must have at least `"baseBranches": ["development"],` added to it. - When using the `Regex Manager` you will need to provide the what datasource it is and the dependancy name. Notice the `depNameTemplate` and `datasourceTemplate` that defines this information in the above example. --- 
@@ -194,7 +191,9 @@ For more indepth documentation and configuration options you can visit the offic ## Renovate Workflow -In order to begin using Renovate in your project you must have a renovate.json file in the base of your project. Any project with a renovate.json file the renovate-bot will detect and run against it. +In order to begin using Renovate in your project you must have a renovate.json file in the base of your project. Any project with a renovate.json file the renovate-bot will detect and run against it. + +> **_Important:_** all renovate.json files must have at least `"baseBranches": ["development"],` added to it. You only need to add a renovate.json file if there are resources in your `hardening_manifest` file that have supporting [datasources](##IronbankManager). You must also add your [regex managers](##RegexManager) to update the tag and label to the correct version if your main resource has a supported datasource. If your main resouce has a supported datasource and you have proper regex managers in the renovate.json file any updates to that resource will produce a completely updated hardening_manifest in the generated merge request in Gitlab. -- GitLab From fab80d22a884e9cb09648139c233292c8a99291a Mon Sep 17 00:00:00 2001 From: Zachary Sanders Date: Tue, 4 May 2021 11:41:48 -0600 Subject: [PATCH 12/22] update readme --- README.md | 30 +++++++++++++++++++++--------- 1 file changed, 21 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index ec921e5..7890de1 100644 --- a/README.md +++ b/README.md 
@@ -57,7 +57,7 @@ We use two Renovate managers to fully update the `hardening_manifest`: `Ironbank The `Ironbank Manager` is a custom **manager** that was developed for use in Repo1 to handle extracting dependencies from the `hardening_manifest.yaml` file resource section. If you have a hardening_manifest.yaml file and a renovate.json file the `Ironbank Manager` will automatically parse the resource section and look for updates for each resource that comes from a supported datasource. -`docker`, `github-releases`, `github-tags`, `ruby-gems`, and `pypi`**datasources** are currently the only supported datasource, but other native datasources can be added as well upon request. The manager parses the `url` key to determine the type of dependency. +`docker`, `github-releases`, `github-tags`, `ruby-gems`, and `pypi` **datasources** are currently the only supported datasource, but other native datasources can be added as well upon request. The manager parses the `url` key to determine the type of dependency. ```yaml - url: docker://{registry}/{repo}@{digest} 
@@ -66,16 +66,16 @@ The `Ironbank Manager` is a custom **manager** that was developed for use in Rep - url: https://files.pythonhosted.org/../.../{import}-{version}...whl ``` -Any other datasource in your hardening_manifest.yaml file will not be automatically renovated. When selecting where you are pulling your resources from please take this into consideration, all things being equal we prefer you pull from a source for which renovate has a supported datasource. +Any other datasource in your hardening_manifest.yaml file will not be automatically renovated. When selecting where you are pulling your resources from please take this into consideration, all things being equal we prefer you pull from one of the supported datasources. --- **Note** -In order for you to take advantage of the custom Ironbank Manager you only need to have an empty renovate.json file in the base of your Gitlab project. The Ironbank Manager will parse the hardening_manifest (if it exists) and check for updates for supported sources by default without any additional configuration. +In order for you to take advantage of the custom Ironbank Manager you only need to have an empty renovate.json file in the base of your Gitlab project. The existance of the renovate.json file is what we use to identify projects to run the Renovate-bot against. The Ironbank Manager will parse the hardening_manifest (if it exists) and check for updates for supported sources by default without any additional configuration. ## RegexManager -Renovate includes a regex **manager** that can extract dependencies with a regular expression. This is useful for file formats that do not have an associated manager. Within Ironbank, the regex manager is used to handle updating the `hardening_manifest` tags and labels section. +Renovate includes a **regex manager** that can extract dependencies with a regular expression. This is useful for file formats that do not have an associated manager. 
Within Ironbank, the regex manager is used to handle updating the `hardening_manifest` **tags** and **labels** section. The example `renovate.json` below will update the **tags:** and **labels:** strings if there is an update to the argocd docker image found on docker.io. @@ -108,7 +108,7 @@ The example `renovate.json` below will update the **tags:** and **labels:** stri > **_Important:_** You only need to add the `Regex Manager` to your renovate.json file if your main resource (that is the resource that dictates the tag and label) comes from a supported datasource. -There are cases where the main resource does not come from a supported datasource but other supporting resource in the hardening_manifest do have supporting datasources. In those cases you will still need a renovate.json file but you will only need to add `"baseBranches": ["development"],` in it. +There are cases where the main resource does not come from a supported datasource but other supporting resource in the hardening_manifest do have supporting datasources. In those cases you will still need a renovate.json file but you won't use a `Regex Manager`. See [Workflow](##RenovateWorkflow) on minimum renovate.json requirements When using the `Regex Manager` you will need to provide the what datasource it is and the dependancy name. Notice the `depNameTemplate` and `datasourceTemplate` that defines this information in the above example. 
@@ -187,13 +187,25 @@ Renovate can also be configured to automerge pull requests (currently under test --- **Note** -For more indepth documentation and configuration options you can visit the official documentation [here](https://docs.renovatebot.com/configuration-options/). +Renovate is very configurable and provides many configration options that can be put in the renovate.json file. For more indepth documentation and configuration options you can visit the official documentation [here](https://docs.renovatebot.com/configuration-options/). -## Renovate Workflow +## RenovateWorkflow -In order to begin using Renovate in your project you must have a renovate.json file in the base of your project. Any project with a renovate.json file the renovate-bot will detect and run against it. +In order to begin using Renovate in your project you must have a renovate.json file in the base of your project. Any project with a renovate.json file the renovate-bot will detect and run against it. -> **_Important:_** all renovate.json files must have at least `"baseBranches": ["development"],` added to it. +--- + +**Note** This is an example of the most basic renovate.json you can have: + +```json +{ + "baseBranches": ["development"] +} +``` + +This will ensure the `Ironbank Manager` will run against your resources list in your `hardening_manifest` without updating either the tag or labels. + +--- You only need to add a renovate.json file if there are resources in your `hardening_manifest` file that have supporting [datasources](##IronbankManager). You must also add your [regex managers](##RegexManager) to update the tag and label to the correct version if your main resource has a supported datasource. If your main resouce has a supported datasource and you have proper regex managers in the renovate.json file any updates to that resource will produce a completely updated hardening_manifest in the generated merge request in Gitlab. -- GitLab 
From a93bb3f98bde49787b2cfee92f22a411c651f44d Mon Sep 17 00:00:00 2001
From: renovate
Date: Thu, 6 May 2021 04:11:43 +0000
Subject: [PATCH 13/22] Update renovate/renovate Docker tag to v25

---
 Dockerfile              | 2 +-
 hardening_manifest.yaml | 8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index ee6e476..ca923a3 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -2,7 +2,7 @@ ARG BASE_REGISTRY=registry1.dso.mil
 ARG BASE_IMAGE=ironbank/opensource/nodejs/nodejs14
 ARG BASE_TAG=14.15.5
 
-FROM renovate/renovate:24.119.5-slim as builder
+FROM renovate/renovate:25.13.0-slim as builder
 
 FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}
 
diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml
index 6c8165d..b49b698 100644
--- a/hardening_manifest.yaml
+++ b/hardening_manifest.yaml
@@ -8,7 +8,7 @@ name: "container-hardening-tools/renovate/renovate"
 # The most specific version should be the first tag and will be shown
 # on ironbank.dsop.io
 tags:
-- "24.119.5"
+- "25.13.0"
 - "latest"
 
 # Build args passed to Dockerfile ARGs
@@ -27,7 +27,7 @@ labels:
   org.opencontainers.image.url: "https://github.com/renovatebot/renovate"
   ## Name of the distributing entity, organization or individual
   org.opencontainers.image.vendor: "WhiteSource"
-  org.opencontainers.image.version: "24.119.5"
+  org.opencontainers.image.version: "25.13.0"
   ## Keywords to help with search (ex. "cicd,gitops,golang")
   mil.dso.ironbank.image.keywords: "automation,dependency,updates"
   ## This value can be "opensource" or "commercial"
@@ -37,8 +37,8 @@ labels:
 
 # List of resources to make available to the offline build context
 resources:
-- tag: renovate/renovate:24.119.5-slim
-  url: docker://docker.io/renovate/renovate@sha256:18e6630668bbc6cdf7f953a30b7ecbe101b07cb012347d7afc0bbec12eceeeb0
+- tag: renovate/renovate:25.13.0-slim
+  url: docker://docker.io/renovate/renovate@sha256:107db3e1e2a99c87d6722251370063f76c3ff6fa030ae14b542586e3c228a5ae
 - filename: helm-docs.tar.gz
   url: https://github.com/norwoodj/helm-docs/releases/download/v1.5.0/helm-docs_1.5.0_Linux_x86_64.tar.gz
   validation:
-- 
GitLab

From 7c208b843935386144145bfbe5cff0eb39ccd42f Mon Sep 17 00:00:00 2001
From: renovate
Date: Fri, 7 May 2021 01:11:58 +0000
Subject: [PATCH 14/22] Update renovate/renovate Docker tag to v25.16.1

---
 Dockerfile              | 2 +-
 hardening_manifest.yaml | 8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index ca923a3..89bb587 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -2,7 +2,7 @@ ARG BASE_REGISTRY=registry1.dso.mil
 ARG BASE_IMAGE=ironbank/opensource/nodejs/nodejs14
 ARG BASE_TAG=14.15.5
 
-FROM renovate/renovate:25.13.0-slim as builder
+FROM renovate/renovate:25.16.1-slim as builder
 
 FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}
 
diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml
index b49b698..c342ac6 100644
--- a/hardening_manifest.yaml
+++ b/hardening_manifest.yaml
@@ -8,7 +8,7 @@ name: "container-hardening-tools/renovate/renovate"
 # The most specific version should be the first tag and will be shown
 # on ironbank.dsop.io
 tags:
-- "25.13.0"
+- "25.16.1"
 - "latest"
 
 # Build args passed to Dockerfile ARGs
@@ -27,7 +27,7 @@ labels:
   org.opencontainers.image.url: "https://github.com/renovatebot/renovate"
   ## Name of the distributing entity, organization or individual
   org.opencontainers.image.vendor: "WhiteSource"
-  org.opencontainers.image.version: "25.13.0"
+  org.opencontainers.image.version: "25.16.1"
   ## Keywords to help with search (ex. "cicd,gitops,golang")
   mil.dso.ironbank.image.keywords: "automation,dependency,updates"
   ## This value can be "opensource" or "commercial"
@@ -37,8 +37,8 @@ labels:
 
 # List of resources to make available to the offline build context
 resources:
-- tag: renovate/renovate:25.13.0-slim
-  url: docker://docker.io/renovate/renovate@sha256:107db3e1e2a99c87d6722251370063f76c3ff6fa030ae14b542586e3c228a5ae
+- tag: renovate/renovate:25.16.1-slim
+  url: docker://docker.io/renovate/renovate@sha256:dd47b7ba5ed53a379ccafb28daa4d44ea7e374349ee94827106e0b369b2908fc
 - filename: helm-docs.tar.gz
   url: https://github.com/norwoodj/helm-docs/releases/download/v1.5.0/helm-docs_1.5.0_Linux_x86_64.tar.gz
   validation:
-- 
GitLab

From 18b15f44356db16bd1cfd021cf23c943daa77668 Mon Sep 17 00:00:00 2001
From: renovate
Date: Sat, 8 May 2021 01:13:17 +0000
Subject: [PATCH 15/22] Update renovate/renovate:25.16.1-slim Docker digest to c88acc1

---
 hardening_manifest.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml
index c342ac6..c892a1e 100644
--- a/hardening_manifest.yaml
+++ b/hardening_manifest.yaml
@@ -38,7 +38,7 @@ labels:
 # List of resources to make available to the offline build context
 resources:
 - tag: renovate/renovate:25.16.1-slim
-  url: docker://docker.io/renovate/renovate@sha256:dd47b7ba5ed53a379ccafb28daa4d44ea7e374349ee94827106e0b369b2908fc
+  url: docker://docker.io/renovate/renovate@sha256:c88acc12f14d8e5729140da5758d9d19396c0c46a93009051f31120aa762512e
 - filename: helm-docs.tar.gz
   url: https://github.com/norwoodj/helm-docs/releases/download/v1.5.0/helm-docs_1.5.0_Linux_x86_64.tar.gz
   validation:
-- 
GitLab

From 5e2e2586839f3d1c050f70e7124274edc82d4304 Mon Sep 17 00:00:00 2001
From: renovate
Date: Tue, 11 May 2021 04:11:40 +0000
Subject: [PATCH 16/22] Update renovate/renovate Docker tag to v25.18.4

---
 Dockerfile              | 2 +-
 hardening_manifest.yaml | 8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 89bb587..33026c4 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -2,7 +2,7 @@ ARG BASE_REGISTRY=registry1.dso.mil
 ARG BASE_IMAGE=ironbank/opensource/nodejs/nodejs14
 ARG BASE_TAG=14.15.5
 
-FROM renovate/renovate:25.16.1-slim as builder
+FROM renovate/renovate:25.18.4-slim as builder
 
 FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}
 
diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml
index c342ac6..9553984 100644
--- a/hardening_manifest.yaml
+++ b/hardening_manifest.yaml
@@ -8,7 +8,7 @@ name: "container-hardening-tools/renovate/renovate"
 # The most specific version should be the first tag and will be shown
 # on ironbank.dsop.io
 tags:
-- "25.16.1"
+- "25.18.4"
 - "latest"
 
 # Build args passed to Dockerfile ARGs
@@ -27,7 +27,7 @@ labels:
   org.opencontainers.image.url: "https://github.com/renovatebot/renovate"
   ## Name of the distributing entity, organization or individual
   org.opencontainers.image.vendor: "WhiteSource"
-  org.opencontainers.image.version: "25.16.1"
+  org.opencontainers.image.version: "25.18.4"
   ## Keywords to help with search (ex. "cicd,gitops,golang")
   mil.dso.ironbank.image.keywords: "automation,dependency,updates"
   ## This value can be "opensource" or "commercial"
@@ -37,8 +37,8 @@ labels:
 
 # List of resources to make available to the offline build context
 resources:
-- tag: renovate/renovate:25.16.1-slim
-  url: docker://docker.io/renovate/renovate@sha256:dd47b7ba5ed53a379ccafb28daa4d44ea7e374349ee94827106e0b369b2908fc
+- tag: renovate/renovate:25.18.4-slim
+  url: docker://docker.io/renovate/renovate@sha256:638e4b715ed428e4cd9212ad7bae570c935c2d8c33dd8dcedd23e1a7e7e5560e
 - filename: helm-docs.tar.gz
   url: https://github.com/norwoodj/helm-docs/releases/download/v1.5.0/helm-docs_1.5.0_Linux_x86_64.tar.gz
   validation:
-- 
GitLab

From f480ed92aec0902606d6637d747962d5204dbf70 Mon Sep 17 00:00:00 2001
From: renovate
Date: Wed, 12 May 2021 01:17:44 +0000
Subject: [PATCH 17/22] Update renovate/renovate Docker tag to v25.18.6

---
 Dockerfile              | 2 +-
 hardening_manifest.yaml | 8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 33026c4..ae486d3 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -2,7 +2,7 @@ ARG BASE_REGISTRY=registry1.dso.mil
 ARG BASE_IMAGE=ironbank/opensource/nodejs/nodejs14
 ARG BASE_TAG=14.15.5
 
-FROM renovate/renovate:25.18.4-slim as builder
+FROM renovate/renovate:25.18.6-slim as builder
 
 FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}
 
diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml
index 9553984..06e6d35 100644
--- a/hardening_manifest.yaml
+++ b/hardening_manifest.yaml
@@ -8,7 +8,7 @@ name: "container-hardening-tools/renovate/renovate"
 # The most specific version should be the first tag and will be shown
 # on ironbank.dsop.io
 tags:
-- "25.18.4"
+- "25.18.6"
 - "latest"
 
 # Build args passed to Dockerfile ARGs
@@ -27,7 +27,7 @@ labels:
   org.opencontainers.image.url: "https://github.com/renovatebot/renovate"
   ## Name of the distributing entity, organization or individual
   org.opencontainers.image.vendor: "WhiteSource"
-  org.opencontainers.image.version: "25.18.4"
+  org.opencontainers.image.version: "25.18.6"
   ## Keywords to help with search (ex. "cicd,gitops,golang")
   mil.dso.ironbank.image.keywords: "automation,dependency,updates"
   ## This value can be "opensource" or "commercial"
@@ -37,8 +37,8 @@ labels:
 
 # List of resources to make available to the offline build context
 resources:
-- tag: renovate/renovate:25.18.4-slim
-  url: docker://docker.io/renovate/renovate@sha256:638e4b715ed428e4cd9212ad7bae570c935c2d8c33dd8dcedd23e1a7e7e5560e
+- tag: renovate/renovate:25.18.6-slim
+  url: docker://docker.io/renovate/renovate@sha256:ef39ee8ff8191a9754ff26515d11d2849414878adb950d61b6d7d9005c53b86e
 - filename: helm-docs.tar.gz
   url: https://github.com/norwoodj/helm-docs/releases/download/v1.5.0/helm-docs_1.5.0_Linux_x86_64.tar.gz
   validation:
-- 
GitLab

From d9f464ce8fee8804f80f9df08e0145d49a5faeab Mon Sep 17 00:00:00 2001
From: renovate
Date: Thu, 13 May 2021 04:16:21 +0000
Subject: [PATCH 18/22] Update renovate/renovate Docker tag to v25.19.1

---
 Dockerfile              | 2 +-
 hardening_manifest.yaml | 8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index ae486d3..922258c 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -2,7 +2,7 @@ ARG BASE_REGISTRY=registry1.dso.mil
 ARG BASE_IMAGE=ironbank/opensource/nodejs/nodejs14
 ARG BASE_TAG=14.15.5
 
-FROM renovate/renovate:25.18.6-slim as builder
+FROM renovate/renovate:25.19.1-slim as builder
 
 FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}
 
diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml
index 06e6d35..3d94c32 100644
--- a/hardening_manifest.yaml
+++ b/hardening_manifest.yaml
@@ -8,7 +8,7 @@ name: "container-hardening-tools/renovate/renovate"
 # The most specific version should be the first tag and will be shown
 # on ironbank.dsop.io
 tags:
-- "25.18.6"
+- "25.19.1"
 - "latest"
 
 # Build args passed to Dockerfile ARGs
@@ -27,7 +27,7 @@ labels:
   org.opencontainers.image.url: "https://github.com/renovatebot/renovate"
   ## Name of the distributing entity, organization or individual
   org.opencontainers.image.vendor: "WhiteSource"
-  org.opencontainers.image.version: "25.18.6"
+  org.opencontainers.image.version: "25.19.1"
   ## Keywords to help with search (ex. "cicd,gitops,golang")
   mil.dso.ironbank.image.keywords: "automation,dependency,updates"
   ## This value can be "opensource" or "commercial"
@@ -37,8 +37,8 @@ labels:
 
 # List of resources to make available to the offline build context
 resources:
-- tag: renovate/renovate:25.18.6-slim
-  url: docker://docker.io/renovate/renovate@sha256:ef39ee8ff8191a9754ff26515d11d2849414878adb950d61b6d7d9005c53b86e
+- tag: renovate/renovate:25.19.1-slim
+  url: docker://docker.io/renovate/renovate@sha256:ea507f776dfa910073a60dbda5122cc57108df850a61f0fbaae8e415a0a0b28d
 - filename: helm-docs.tar.gz
   url: https://github.com/norwoodj/helm-docs/releases/download/v1.5.0/helm-docs_1.5.0_Linux_x86_64.tar.gz
   validation:
-- 
GitLab

From cce41793bec4f7bf9bd4bf991030e7f329b3bdc9 Mon Sep 17 00:00:00 2001
From: renovate
Date: Fri, 14 May 2021 01:16:38 +0000
Subject: [PATCH 19/22] Update renovate/renovate Docker tag to v25.20.1

---
 Dockerfile              | 2 +-
 hardening_manifest.yaml | 8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 922258c..58d4ea0 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -2,7 +2,7 @@ ARG BASE_REGISTRY=registry1.dso.mil
 ARG BASE_IMAGE=ironbank/opensource/nodejs/nodejs14
 ARG BASE_TAG=14.15.5
 
-FROM renovate/renovate:25.19.1-slim as builder
+FROM renovate/renovate:25.20.1-slim as builder
 
 FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}
 
diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml
index 3d94c32..4363fbb 100644
--- a/hardening_manifest.yaml
+++ b/hardening_manifest.yaml
@@ -8,7 +8,7 @@ name: "container-hardening-tools/renovate/renovate"
 # The most specific version should be the first tag and will be shown
 # on ironbank.dsop.io
 tags:
-- "25.19.1"
+- "25.20.1"
 - "latest"
 
 # Build args passed to Dockerfile ARGs
@@ -27,7 +27,7 @@ labels:
   org.opencontainers.image.url: "https://github.com/renovatebot/renovate"
   ## Name of the distributing entity, organization or individual
   org.opencontainers.image.vendor: "WhiteSource"
-  org.opencontainers.image.version: "25.19.1"
+  org.opencontainers.image.version: "25.20.1"
   ## Keywords to help with search (ex. "cicd,gitops,golang")
   mil.dso.ironbank.image.keywords: "automation,dependency,updates"
   ## This value can be "opensource" or "commercial"
@@ -37,8 +37,8 @@ labels:
 
 # List of resources to make available to the offline build context
 resources:
-- tag: renovate/renovate:25.19.1-slim
-  url: docker://docker.io/renovate/renovate@sha256:ea507f776dfa910073a60dbda5122cc57108df850a61f0fbaae8e415a0a0b28d
+- tag: renovate/renovate:25.20.1-slim
+  url: docker://docker.io/renovate/renovate@sha256:ae9ec970fea4c3e45851ed2c3e9f6d7f06f7d37f8be81da7b6e3d171702542c0
 - filename: helm-docs.tar.gz
   url: https://github.com/norwoodj/helm-docs/releases/download/v1.5.0/helm-docs_1.5.0_Linux_x86_64.tar.gz
   validation:
-- 
GitLab

From 5474ec5d6a5aba7cdba2260ee80768fc0d92d51d Mon Sep 17 00:00:00 2001
From: renovate
Date: Sat, 15 May 2021 01:17:36 +0000
Subject: [PATCH 20/22] Update renovate/renovate:25.20.1-slim Docker digest to c4741bb

---
 hardening_manifest.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml
index 4363fbb..8aa4346 100644
--- a/hardening_manifest.yaml
+++ b/hardening_manifest.yaml
@@ -38,7 +38,7 @@ labels:
 # List of resources to make available to the offline build context
 resources:
 - tag: renovate/renovate:25.20.1-slim
-  url: docker://docker.io/renovate/renovate@sha256:ae9ec970fea4c3e45851ed2c3e9f6d7f06f7d37f8be81da7b6e3d171702542c0
+  url: docker://docker.io/renovate/renovate@sha256:c4741bbbda9080873f3d1ac477f4517553314b69331a2c73ee4d95e28522abdb
 - filename: helm-docs.tar.gz
   url: https://github.com/norwoodj/helm-docs/releases/download/v1.5.0/helm-docs_1.5.0_Linux_x86_64.tar.gz
   validation:
-- 
GitLab

From fac4ae0ad1e8620ec4183c59788724904ee11fdb Mon Sep 17 00:00:00 2001
From: renovate
Date: Mon, 17 May 2021 01:15:28 +0000
Subject: [PATCH 21/22] Update renovate/renovate Docker tag to v25.21.11

---
 Dockerfile              | 2 +-
 hardening_manifest.yaml | 8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 58d4ea0..91cad7a 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -2,7 +2,7 @@ ARG BASE_REGISTRY=registry1.dso.mil
 ARG BASE_IMAGE=ironbank/opensource/nodejs/nodejs14
 ARG BASE_TAG=14.15.5
 
-FROM renovate/renovate:25.20.1-slim as builder
+FROM renovate/renovate:25.21.11-slim as builder
 
 FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}
 
diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml
index 4363fbb..15f7f9b 100644
--- a/hardening_manifest.yaml
+++ b/hardening_manifest.yaml
@@ -8,7 +8,7 @@ name: "container-hardening-tools/renovate/renovate"
 # The most specific version should be the first tag and will be shown
 # on ironbank.dsop.io
 tags:
-- "25.20.1"
+- "25.21.11"
 - "latest"
 
 # Build args passed to Dockerfile ARGs
@@ -27,7 +27,7 @@ labels:
   org.opencontainers.image.url: "https://github.com/renovatebot/renovate"
   ## Name of the distributing entity, organization or individual
   org.opencontainers.image.vendor: "WhiteSource"
-  org.opencontainers.image.version: "25.20.1"
+  org.opencontainers.image.version: "25.21.11"
   ## Keywords to help with search (ex. "cicd,gitops,golang")
   mil.dso.ironbank.image.keywords: "automation,dependency,updates"
   ## This value can be "opensource" or "commercial"
@@ -37,8 +37,8 @@ labels:
 
 # List of resources to make available to the offline build context
 resources:
-- tag: renovate/renovate:25.20.1-slim
-  url: docker://docker.io/renovate/renovate@sha256:ae9ec970fea4c3e45851ed2c3e9f6d7f06f7d37f8be81da7b6e3d171702542c0
+- tag: renovate/renovate:25.21.11-slim
+  url: docker://docker.io/renovate/renovate@sha256:64a443248fb82639515f2475d0d6d2d9bc350089a86929a31dbe371c1648198d
 - filename: helm-docs.tar.gz
   url: https://github.com/norwoodj/helm-docs/releases/download/v1.5.0/helm-docs_1.5.0_Linux_x86_64.tar.gz
   validation:
-- 
GitLab

From 46600695ae0a1cb9d4c36bf378a13f408982b332 Mon Sep 17 00:00:00 2001
From: Andy Maksymowicz
Date: Mon, 17 May 2021 18:56:34 +0000
Subject: [PATCH 22/22] Update hardening_manifest.yaml

---
 hardening_manifest.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml
index 15f7f9b..b2918f5 100644
--- a/hardening_manifest.yaml
+++ b/hardening_manifest.yaml
@@ -14,7 +14,7 @@ tags:
 # Build args passed to Dockerfile ARGs
 args:
   BASE_IMAGE: "opensource/nodejs/nodejs14"
-  BASE_TAG: "14.16.1"
+  BASE_TAG: "14.17.0"
 
 # Docker image labels
 labels:
-- 
GitLab