From 2ab8e4fa7f852e88dafe1d16e4ed327ead660b55 Mon Sep 17 00:00:00 2001
From: Jiri Sztuka
Date: Mon, 8 Dec 2025 18:13:27 +0100
Subject: [PATCH 1/2] add-debug-task

---
 rox/auth-task.yaml | 2 +-
 rox/rox-sample-init.yaml | 347 ++++++++++++++++++++++++++++++++++++++
 rox/rox-sample-task.yaml | 352 +++++++++++++++++++++++++++++++++++++++
 3 files changed, 700 insertions(+), 1 deletion(-)
 create mode 100644 rox/rox-sample-init.yaml
 create mode 100644 rox/rox-sample-task.yaml

diff --git a/rox/auth-task.yaml b/rox/auth-task.yaml
index 896839bb..67474642 100644
--- a/rox/auth-task.yaml
+++ b/rox/auth-task.yaml
@@ -27,7 +27,7 @@ spec:
 - name: rox_central_endpoint
 description: The address:port tuple for RHACS Stackrox Central.
 type: string
- default: central.stackrox.svc:443
+ default: https://acs-d3t60hcejrms73e5dk6g.acs.rhcloud.com
 - name: insecure-skip-tls-verify
 description: |
 Do not verify TLS certificates.
diff --git a/rox/rox-sample-init.yaml b/rox/rox-sample-init.yaml
new file mode 100644
index 00000000..3691c1d8
--- /dev/null
+++ b/rox/rox-sample-init.yaml
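Review bot: The new default for `rox_central_endpoint` bakes one hosted tenant, `https://acs-d3t60hcejrms73e5dk6g.acs.rhcloud.com`, into a shared Task, so every pipeline that omits the param will now authenticate against that external Central instead of the in-cluster one — and since this task (the rest of its body is outside the hunk) presumably exchanges a projected service-account token the way the two new sample tasks do, that token is handed to whatever host the default names. The subject line says this is a debug change; keep the debug endpoint as a PipelineRun param override and restore `default: central.stackrox.svc:443`, or drop the default entirely so callers must state the endpoint. The description still reads "The address:port tuple for RHACS Stackrox Central." while the new value is a full URL with a scheme; if URLs are accepted, say so, e.g. `description: Central endpoint, as address:port or https://host[:port].`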
@@ -0,0 +1,347 @@ +--- +apiVersion: tekton.dev/v1 +kind: Task +metadata: + name: roxctl-scan + labels: + app.kubernetes.io/version: "0.1" +spec: + description: >- + Exchanges a kubernetes service account token against a Red Hat Advanced Cluster Security short-lived token. + params: + - name: image-digest + description: Image digest to scan. + default: "" + - name: rox_image + description: Image providing the roxctl tool. + default: 'registry.redhat.io/advanced-cluster-security/rhacs-roxctl-rhel8@sha256:d6d5e50d1deda1e7b232d4e3f60fda6f3d27266b6fc007c8ec48a324e1c6c15c' + - name: rox_central_endpoint + description: The address:port tuple for RHACS Stackrox Central. + type: string + default: https://acs-d3t60hcejrms73e5dk6g.acs.rhcloud.com + - name: image-url + type: string + description: | + Full name of image to scan. + + SHA 256 digest may be included to ensure scan of sequental runs with same tag. + Examples: 'gcr.io/rox/sample:5.0-rc1', '$(params.IMAGE)', '$(params.IMAGE)@$(tasks.buildah.results.IMAGE_DIGEST)' + default: "" + - name: insecure-skip-tls-verify + description: | + Do not verify TLS certificates. + + When set to "true", skip verifying the TLS certs of the Central endpoint. + type: string + default: "false" + - name: output_format + type: string + description: Results output format (json | csv | table) + default: json + - name: rox_token_file + description: | + Path to the API Token file (if authentication through API token). + Mutually exclusive with rox_config_dir. + The path must be prefixed with "/rox-api-token-auth". + Example "/rox-api-token-auth/rox_api_token" + type: string + default: "" + - name: rox_config_dir + type: string + description: | + Path to the roxtl config directory within the roxctl-config workspace. + The path must be prefixed with "/roxctl-config". + default: "" + results: + - name: TEST_OUTPUT + description: Tekton task test output. + - name: SCAN_OUTPUT + description: Clair scan result. 
+ - name: IMAGES_PROCESSED + description: Images processed in the task. + - name: REPORTS + description: Mapping of image digests to report digests + stepTemplate: + env: + - name: INSECURE + value: $(params.insecure-skip-tls-verify) + - name: ROX_ENDPOINT + value: $(params.rox_central_endpoint) + - name: ROX_CONFIG_DIR + value: /tekton/home + - name: ROX_EXECUTION_ENV + value: Tekton + steps: + - name: exchange-service-account-token + workingDir: /tekton/home + image: $(params.rox_image) + volumeMounts: + - name: token-vol + mountPath: /service-account-token + args: + - central + - m2m + - exchange + - --insecure-skip-tls-verify=$(INSECURE) + - --token-file=/service-account-token/token + - name: get-image-manifests + image: quay.io/konflux-ci/konflux-test:v1.4.43@sha256:0bcc59de96bdc6f989d5c06d142d674da5d495c450a760fdd7d6fd333433342e + # the clair-in-ci image neither has skopeo or jq installed. Hence, we create an extra step to get the image manifest digests + computeResources: + limits: + memory: 512Mi + requests: + memory: 256Mi + cpu: 100m + env: + - name: IMAGE_URL + value: $(params.image-url) + - name: IMAGE_DIGEST + value: $(params.image-digest) + securityContext: + capabilities: + add: + - SETFCAP + script: | + #!/usr/bin/env bash + set -euo pipefail + # shellcheck source=/dev/null + . /utils.sh + + imagewithouttag=$(echo -n $IMAGE_URL | sed "s/\(.*\):.*/\1/") + # strip new-line escape symbol from parameter and save it to variable + imageanddigest=$(echo $imagewithouttag@$IMAGE_DIGEST) + echo "Inspecting raw image manifest $imageanddigest." + + # Get the arch and image manifests by inspecting the image. 
This is mainly for identifying image indexes + image_manifests=$(get_image_manifests -i "${imageanddigest}") + if [ -n "$image_manifests" ]; then + echo "$image_manifests" | jq -r 'to_entries[] | "\(.key) \(.value)"' | while read -r arch arch_sha; do + echo "$arch_sha" > /tekton/home/image-manifest-$arch.sha + done + else + echo "Failed to get image manifests from image \"$imageanddigest\"" + note="Task $(context.task.name) failed: Failed to get image manifests from image \"$imageanddigest\". For details, check Tekton task log." + ERROR_OUTPUT=$(make_result_json -r "ERROR" -t "$note") + echo "${ERROR_OUTPUT}" | tee "$(results.TEST_OUTPUT.path)" + exit 0 + fi + - name: rox-image-scan + image: $(params.rox_image) + env: + - name: HOME + value: /tekton/home + - name: IMAGE + value: $(params.image-url) + - name: INSECURE + value: $(params.insecure-skip-tls-verify) + - name: OUTPUT + value: $(params.output_format) + - name: ROX_CONFIG_DIR + value: $(params.rox_config_dir) + - name: ROX_API_TOKEN_FILE + value: $(params.rox_token_file) + - name: ROX_ENDPOINT + value: $(params.rox_central_endpoint) + - name: ROX_EXECUTION_ENV + value: Tekton + script: | + #!/usr/bin/env bash + roxctl image scan --insecure-skip-tls-verify=$INSECURE --output=$OUTPUT --image=$IMAGE | tee /tekton/home/rox-output.json + if [ ! -s /tekton/home/rox-output.json ]; then + echo "Failed to scan image using Roxctl" + note="Task $(context.task.name) failed: Failed to scan image using Roxctl image: $IMAGE For details, check Tekton task log." 
+ ERROR_OUTPUT=$note + echo "${ERROR_OUTPUT}" | tee "$(results.TEST_OUTPUT.path)" + exit 0 + fi + + - name: proccess-output + image: quay.io/konflux-ci/konflux-test:v1.4.43@sha256:0bcc59de96bdc6f989d5c06d142d674da5d495c450a760fdd7d6fd333433342e + env: + - name: IMAGE_URL + value: $(params.image-url) + - name: IMAGE_DIGEST + value: $(params.image-digest) + workingDir: /tekton/home + script: | + #!/usr/bin/env bash + + set -o errexit + set -o nounset + set -o pipefail + # shellcheck source=/utils.sh + . /utils.sh + + imagewithouttag=$(echo -n $IMAGE_URL | sed "s/\(.*\):.*/\1/") + images_processed_template='{"image": {"pullspec": "'"$IMAGE_URL"'", "digests": [%s]}}' + digests_processed=() + + for sha_file in image-manifest-*.sha; do + if [ -e "$sha_file" ]; then + arch_sha=$(cat "$sha_file") + arch=$(basename "$sha_file" | sed 's/image-manifest-//;s/.sha//') + arch_specific_digest="$imagewithouttag@$arch_sha" + + digests_processed+=("\"$arch_sha\"") + fi + done + + # If the image is an Image Index, also add the Image Index digest to the list. + if [[ "${digests_processed[*]}" != *"$IMAGE_DIGEST"* ]]; then + digests_processed+=("\"$IMAGE_DIGEST\"") + fi + digests_processed_string=$(IFS=,; echo "${digests_processed[*]}") + + images_processed=$(echo "${images_processed_template/\[%s]/[$digests_processed_string]}") + echo "$images_processed" > images-processed.json + - name: oci-attach-report + image: quay.io/konflux-ci/oras:latest@sha256:4542f5a2a046ca36653749a8985e46744a5d2d36ee10ca14409be718ce15129e + workingDir: /tekton/home + env: + - name: IMAGE_URL + value: $(params.image-url) + script: | + #!/usr/bin/env bash + + set -o errexit + set -o nounset + set -o pipefail + + if ! compgen -G "rox-output*.json" > /dev/null; then + echo 'No Rox reports generated. Skipping upload.' 
+ exit 0 + fi + + echo "Selecting auth" + select-oci-auth "$IMAGE_URL" > "$HOME/auth.json" + + repository="${IMAGE_URL/:*/}" + + arch() { + report_file="$1" + arch="${report_file/*-}" + echo "${arch/.json/}" + } + + MEDIA_TYPE='application/vnd.redhat.rox-report+json' + + reports_json="" + for f in image-manifest-*.sha; do + digest=$(cat "image-manifest-$(arch "$f")") + image_ref="${repository}@${digest}" + echo "Attaching $f to ${image_ref}" + if ! report_digest="$(retry oras attach --no-tty --format go-template='{{.digest}}' --registry-config \ + "$HOME/auth.json" --artifact-type "${MEDIA_TYPE}" "${image_ref}" "$f:${MEDIA_TYPE}")" + then + echo "Failed to attach ${f} to ${image_ref}" + exit 1 + fi + # shellcheck disable=SC2016 + reports_json="$(yq --output-format json --indent=0 eval-all '. as $i ireduce ({}; . * $i)' <(echo "${reports_json}") <(echo "${digest}: ${report_digest}"))" + done + echo "${reports_json}" > reports.json + - name: conftest-vulnerabilities + image: quay.io/konflux-ci/konflux-test:v1.4.43@sha256:0bcc59de96bdc6f989d5c06d142d674da5d495c450a760fdd7d6fd333433342e + # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting + # the cluster will set imagePullPolicy to IfNotPresent + computeResources: + limits: + memory: 2Gi + requests: + memory: 256Mi + cpu: 100m + securityContext: + capabilities: + add: + - SETFCAP + script: | + #!/usr/bin/env bash + set -euo pipefail + . /utils.sh + trap 'handle_error $(results.TEST_OUTPUT.path)' EXIT + + rox_result_files=$(ls /tekton/home/rox-output*.json) + if [ -z "$rox_result_files" ]; then + echo "Previous step [get-vulnerabilities] failed: No rox-output files found in /tekton/home." + fi + + missing_vulnerabilities_files="" + for file in $rox_result_files; do + file_suffix=$(basename "$file" | sed 's/rox-result-//;s/.json//') + if [ ! -s "$file" ]; then + echo "Previous step [get-vulnerabilities] failed: $file is empty." 
+ else + /usr/bin/conftest test --no-fail $file \ + --policy /project/roxctl/vulnerabilities-check.rego --namespace required_checks \ + --output=json | tee /tekton/home/rox-vulnerabilities-$file_suffix.json || true + fi + + #check for missing "rox-vulnerabilities-/image-index" file and create a string + if [ ! -f "/tekton/home/rox-vulnerabilities-$file_suffix.json" ]; then + missing_vulnerabilities_files+="${missing_vulnerabilities_files:+, }/tekton/home/rox-vulnerabilities-$file_suffix.json" + fi + done + + if [ -n "$missing_vulnerabilities_files" ]; then + note="Task $(context.task.name) failed: $missing_vulnerabilities_files did not generate. For details, check Tekton task log." + TEST_OUTPUT=$(make_result_json -r "ERROR" -t "$note") + echo "$missing_vulnerabilities_files did not generate correctly. For details, check conftest command in Tekton task log." + echo "${TEST_OUTPUT}" | tee $(results.TEST_OUTPUT.path) + exit 0 + fi + + scan_result='{"vulnerabilities":{"critical":0, "high":0, "medium":0, "low":0}, "unpatched_vulnerabilities":{"critical":0, "high":0, "medium":0, "low":0}}' + for file in /tekton/home/rox-vulnerabilities-*.json; do + result=$(jq -rce \ + '{ + vulnerabilities:{ + critical: (.[] | .warnings? // [] | map(select(.metadata.details.name=="roxctl_critical_vulnerabilities").metadata."vulnerabilities_number" // 0)| add // 0), + high: (.[] | .warnings? // [] | map(select(.metadata.details.name=="roxctl_high_vulnerabilities").metadata."vulnerabilities_number" // 0)| add // 0), + medium: (.[] | .warnings? // [] | map(select(.metadata.details.name=="roxctl_medium_vulnerabilities").metadata."vulnerabilities_number" // 0)| add // 0), + low: (.[] | .warnings? // [] | map(select(.metadata.details.name=="roxctl_low_vulnerabilities").metadata."vulnerabilities_number" // 0)| add // 0), + }, + unpatched_vulnerabilities:{ + critical: (.[] | .warnings? 
// [] | map(select(.metadata.details.name=="roxctl_unpatched_critical_vulnerabilities").metadata."vulnerabilities_number" // 0)| add // 0), + high: (.[] | .warnings? // [] | map(select(.metadata.details.name=="roxctl_unpatched_high_vulnerabilities").metadata."vulnerabilities_number" // 0)| add // 0), + medium: (.[] | .warnings? // [] | map(select(.metadata.details.name=="roxctl_unpatched_medium_vulnerabilities").metadata."vulnerabilities_number" // 0)| add // 0), + low: (.[] | .warnings? // [] | map(select(.metadata.details.name=="roxctl_unpatched_low_vulnerabilities").metadata."vulnerabilities_number" // 0)| add // 0), + } + }' "$file") + + scan_result=$(jq -s -rce \ + '.[0].vulnerabilities.critical += .[1].vulnerabilities.critical | + .[0].vulnerabilities.high += .[1].vulnerabilities.high | + .[0].vulnerabilities.medium += .[1].vulnerabilities.medium | + .[0].vulnerabilities.low += .[1].vulnerabilities.low | + .[0].unpatched_vulnerabilities.critical += .[1].unpatched_vulnerabilities.critical | + .[0].unpatched_vulnerabilities.high += .[1].unpatched_vulnerabilities.high | + .[0].unpatched_vulnerabilities.medium += .[1].unpatched_vulnerabilities.medium | + .[0].unpatched_vulnerabilities.low += .[1].unpatched_vulnerabilities.low | + .[0]' <<<"$scan_result $result") + done + + echo "$scan_result" | tee "$(results.SCAN_OUTPUT.path)" + + cat /tekton/home/images-processed.json | tee $(results.IMAGES_PROCESSED.path) + # shellcheck disable=SC2154 + cat /tekton/home/reports.json > "$(results.REPORTS.path)" + + note="Task $(context.task.name) completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Rox." 
+ TEST_OUTPUT=$(make_result_json -r "SUCCESS" -t "$note") + echo "${TEST_OUTPUT}" | tee $(results.TEST_OUTPUT.path) + volumes: + - name: token-vol + projected: + sources: + - serviceAccountToken: + audience: rhacs + path: token + expirationSeconds: 3600 + - name: trusted-ca + configMap: + name: $(params.ca-trust-config-map-name) + items: + - key: $(params.ca-trust-config-map-key) + path: ca-bundle.crt + optional: true diff --git a/rox/rox-sample-task.yaml b/rox/rox-sample-task.yaml new file mode 100644 index 00000000..44a95258 --- /dev/null +++ b/rox/rox-sample-task.yaml 
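Review bot: The `trusted-ca` volume at the end of the task references `$(params.ca-trust-config-map-name)` and `$(params.ca-trust-config-map-key)`, but neither param is declared under `spec.params` (Tekton rejects references to undeclared params) and no step mounts the volume, so the CA bundle is unreachable and the only way to reach a Central with a private CA is `insecure-skip-tls-verify=true`. Declare both params and mount the bundle into the roxctl steps; roxctl is a Go binary, so pointing `SSL_CERT_FILE` at the mounted file should be honoured — confirm against the roxctl docs, which may offer a dedicated CA option instead. Separately, `oci-attach-report` iterates `image-manifest-*.sha` and passes `"$f:${MEDIA_TYPE}"` to `oras attach`, so it uploads the digest file, not `rox-output.json`, as the `application/vnd.redhat.rox-report+json` artifact, and `REPORTS` then maps to the wrong blob. The `rox-image-scan` script has no `set -o pipefail`, so a roxctl failure whose output still reaches `tee` passes the `-s` check and is reported as a successful scan; add `set -euo pipefail` and test the command's exit status rather than file size. The results entry `description: Clair scan result.` is a copy-over from the Clair task and should name Rox.
```yaml
  params:
    # … unchanged: existing params …
    - name: ca-trust-config-map-name
      type: string
      description: ConfigMap holding the CA bundle used to verify the Central endpoint.
      default: trusted-ca
    - name: ca-trust-config-map-key
      type: string
      description: Key in that ConfigMap whose value is the PEM bundle.
      default: ca-bundle.crt
  stepTemplate:
    env:
      # … unchanged: INSECURE, ROX_ENDPOINT, ROX_CONFIG_DIR, ROX_EXECUTION_ENV …
      - name: SSL_CERT_FILE
        value: /mnt/trusted-ca/ca-bundle.crt
    volumeMounts:
      - name: trusted-ca
        mountPath: /mnt/trusted-ca
        readOnly: true
```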
@@ -0,0 +1,352 @@ +--- +apiVersion: tekton.dev/v1 +kind: Task +metadata: + name: roxctl-scan + labels: + app.kubernetes.io/version: "0.1" +spec: + description: >- + Exchanges a kubernetes service account token against a Red Hat Advanced Cluster Security short-lived token. + params: + - name: image-digest + description: Image digest to scan. + default: sha256:18f99f1ede83f7e522a96180dae9a0f25924e5afacf3e1357ffcd8a6d635d510 + - name: rox_image + description: Image providing the roxctl tool. + default: 'registry.redhat.io/advanced-cluster-security/rhacs-roxctl-rhel8@sha256:d6d5e50d1deda1e7b232d4e3f60fda6f3d27266b6fc007c8ec48a324e1c6c15c' + - name: rox_central_endpoint + description: The address:port tuple for RHACS Stackrox Central. + type: string + default: https://acs-d3t60hcejrms73e5dk6g.acs.rhcloud.com + - name: image-url + type: string + description: | + Full name of image to scan. + + SHA 256 digest may be included to ensure scan of sequental runs with same tag. + Examples: 'gcr.io/rox/sample:5.0-rc1', '$(params.IMAGE)', '$(params.IMAGE)@$(tasks.buildah.results.IMAGE_DIGEST)' + default: quay.io/redhat-user-workloads-stage/kpavic-tenant/test-project-minimal:on-pr-92951c0ca7e0dccb9fe87c30d5033f3044c0c97d + - name: insecure-skip-tls-verify + description: | + Do not verify TLS certificates. + + When set to "true", skip verifying the TLS certs of the Central endpoint. + type: string + default: "false" + - name: output_format + type: string + description: Results output format (json | csv | table) + default: json + - name: rox_token_file + description: | + Path to the API Token file (if authentication through API token). + Mutually exclusive with rox_config_dir. + The path must be prefixed with "/rox-api-token-auth". + Example "/rox-api-token-auth/rox_api_token" + type: string + default: "" + - name: rox_config_dir + type: string + description: | + Path to the roxtl config directory within the roxctl-config workspace. + The path must be prefixed with "/roxctl-config". 
+ default: "" + results: + - name: TEST_OUTPUT + description: Tekton task test output. + - name: SCAN_OUTPUT + description: Clair scan result. + - name: IMAGES_PROCESSED + description: Images processed in the task. + - name: REPORTS + description: Mapping of image digests to report digests + stepTemplate: + env: + - name: INSECURE + value: $(params.insecure-skip-tls-verify) + - name: ROX_ENDPOINT + value: $(params.rox_central_endpoint) + - name: ROX_CONFIG_DIR + value: /tekton/home + - name: ROX_EXECUTION_ENV + value: Tekton + steps: + - name: exchange-service-account-token + workingDir: /tekton/home + image: $(params.rox_image) + volumeMounts: + - name: token-vol + mountPath: /service-account-token + args: + - central + - m2m + - exchange + - --insecure-skip-tls-verify=$(INSECURE) + - --token-file=/service-account-token/token + - name: get-image-manifests + image: quay.io/konflux-ci/konflux-test:v1.4.40@sha256:99eb8bcc7bcb35bdd5edea7b0ac333bbdb67586dea6b4dab92baf2b8fb32bf2c + # the clair-in-ci image neither has skopeo or jq installed. Hence, we create an extra step to get the image manifest digests + computeResources: + limits: + memory: 512Mi + requests: + memory: 256Mi + cpu: 100m + env: + - name: IMAGE_URL + value: $(params.image-url) + - name: IMAGE_DIGEST + value: $(params.image-digest) + securityContext: + capabilities: + add: + - SETFCAP + script: | + #!/usr/bin/env bash + set -euo pipefail + # shellcheck source=/dev/null + . /utils.sh + + imagewithouttag=$(echo -n $IMAGE_URL | sed "s/\(.*\):.*/\1/") + # strip new-line escape symbol from parameter and save it to variable + imageanddigest=$(echo $imagewithouttag@$IMAGE_DIGEST) + echo "Inspecting raw image manifest $imageanddigest." + + # Get the arch and image manifests by inspecting the image. 
This is mainly for identifying image indexes + image_manifests=$(get_image_manifests -i "${imageanddigest}") + if [ -n "$image_manifests" ]; then + echo "$image_manifests" | jq -r 'to_entries[] | "\(.key) \(.value)"' | while read -r arch arch_sha; do + echo "$arch_sha" > /tekton/home/image-manifest-$arch.sha + done + else + echo "Failed to get image manifests from image \"$imageanddigest\"" + note="Task $(context.task.name) failed: Failed to get image manifests from image \"$imageanddigest\". For details, check Tekton task log." + ERROR_OUTPUT=$(make_result_json -r "ERROR" -t "$note") + echo "${ERROR_OUTPUT}" | tee "$(results.TEST_OUTPUT.path)" + exit 0 + fi + - name: rox-image-scan + image: $(params.rox_image) + env: + - name: HOME + value: /tekton/home + - name: IMAGE + value: $(params.image-url) + - name: INSECURE + value: $(params.insecure-skip-tls-verify) + - name: OUTPUT + value: $(params.output_format) + - name: ROX_CONFIG_DIR + value: $(params.rox_config_dir) + - name: ROX_API_TOKEN_FILE + value: $(params.rox_token_file) + - name: ROX_ENDPOINT + value: $(params.rox_central_endpoint) + - name: ROX_EXECUTION_ENV + value: Tekton + script: | + #!/usr/bin/env bash + roxctl image scan --insecure-skip-tls-verify=$INSECURE --output=$OUTPUT --image=$IMAGE | tee /tekton/home/rox-output.json + if [ ! -s /tekton/home/rox-output.json ]; then + echo "Failed to scan image using Roxctl" + note="Task $(context.task.name) failed: Failed to scan image using Roxctl image: $IMAGE For details, check Tekton task log." 
+ ERROR_OUTPUT=$note + echo "${ERROR_OUTPUT}" | tee "$(results.TEST_OUTPUT.path)" + exit 0 + fi + + - name: proccess-output + image: quay.io/konflux-ci/konflux-test:v1.4.42@sha256:32112ba0f1b8a3944f4905be40308713c32beb6c059c42ef0bc2b5fe7947ff2f + env: + - name: IMAGE_URL + value: $(params.image-url) + - name: IMAGE_DIGEST + value: $(params.image-digest) + workingDir: /tekton/home + script: | + #!/usr/bin/env bash + + set -o errexit + set -o nounset + set -o pipefail + # shellcheck source=/utils.sh + . /utils.sh + + imagewithouttag=$(echo -n $IMAGE_URL | sed "s/\(.*\):.*/\1/") + images_processed_template='{"image": {"pullspec": "'"$IMAGE_URL"'", "digests": [%s]}}' + digests_processed=() + + for sha_file in image-manifest-*.sha; do + if [ -e "$sha_file" ]; then + arch_sha=$(cat "$sha_file") + arch=$(basename "$sha_file" | sed 's/image-manifest-//;s/.sha//') + arch_specific_digest="$imagewithouttag@$arch_sha" + + digests_processed+=("\"$arch_sha\"") + fi + done + + # If the image is an Image Index, also add the Image Index digest to the list. + if [[ "${digests_processed[*]}" != *"$IMAGE_DIGEST"* ]]; then + digests_processed+=("\"$IMAGE_DIGEST\"") + fi + digests_processed_string=$(IFS=,; echo "${digests_processed[*]}") + + images_processed=$(echo "${images_processed_template/\[%s]/[$digests_processed_string]}") + echo "$images_processed" > images-processed.json + - name: oci-attach-report + image: quay.io/konflux-ci/oras:latest@sha256:4542f5a2a046ca36653749a8985e46744a5d2d36ee10ca14409be718ce15129e + workingDir: /tekton/home + env: + - name: IMAGE_URL + value: $(params.image-url) + script: | + #!/usr/bin/env bash + + set -o errexit + set -o nounset + set -o pipefail + + if ! compgen -G "rox-output*.json" > /dev/null; then + echo 'No Rox reports generated. Skipping upload.' 
+ exit 0 + fi + + echo "Selecting auth" + select-oci-auth "$IMAGE_URL" > "$HOME/auth.json" + + repository="${IMAGE_URL/:*/}" + + arch() { + report_file="$1" + arch="${report_file/*-}" + echo "${arch/.json/}" + } + + MEDIA_TYPE='application/vnd.redhat.rox-report+json' + + reports_json="" + for f in image-manifest-*.sha; do + digest=$(cat "image-manifest-$(arch "$f")") + image_ref="${repository}@${digest}" + echo "Attaching $f to ${image_ref}" + if ! report_digest="$(retry oras attach --no-tty --format go-template='{{.digest}}' --registry-config \ + "$HOME/auth.json" --artifact-type "${MEDIA_TYPE}" "${image_ref}" "$f:${MEDIA_TYPE}")" + then + echo "Failed to attach ${f} to ${image_ref}" + exit 1 + fi + # shellcheck disable=SC2016 + reports_json="$(yq --output-format json --indent=0 eval-all '. as $i ireduce ({}; . * $i)' <(echo "${reports_json}") <(echo "${digest}: ${report_digest}"))" + done + echo "${reports_json}" > reports.json + - name: conftest-vulnerabilities + image: quay.io/redhat-user-workloads/rhtap-integration-tenant/konflux-test:05b0ad430a4a117eefe9483a8a56926ff7595b0f + # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting + # the cluster will set imagePullPolicy to IfNotPresent + # UPDATE THE IMAGE REFF ONCE THE konflux-test has a new release. + computeResources: + limits: + memory: 2Gi + requests: + memory: 256Mi + cpu: 100m + securityContext: + capabilities: + add: + - SETFCAP + script: | + #!/usr/bin/env bash + set -euo pipefail + . /utils.sh + trap 'handle_error $(results.TEST_OUTPUT.path)' EXIT + + rox_result_files=$(ls /tekton/home/rox-output*.json) + if [ -z "$rox_result_files" ]; then + echo "Previous step [get-vulnerabilities] failed: No rox-output files found in /tekton/home." + fi + + missing_vulnerabilities_files="" + for file in $rox_result_files; do + file_suffix=$(basename "$file" | sed 's/rox-result-//;s/.json//') + if [ ! 
-s "$file" ]; then + echo "Previous step [get-vulnerabilities] failed: $file is empty." + else + /usr/bin/conftest test --no-fail $file \ + --policy /project/roxctl/vulnerabilities-check.rego --namespace required_checks \ + --output=json | tee /tekton/home/rox-vulnerabilities-$file_suffix.json || true + fi + + #check for missing "rox-vulnerabilities-/image-index" file and create a string + if [ ! -f "/tekton/home/rox-vulnerabilities-$file_suffix.json" ]; then + missing_vulnerabilities_files+="${missing_vulnerabilities_files:+, }/tekton/home/rox-vulnerabilities-$file_suffix.json" + fi + done + + if [ -n "$missing_vulnerabilities_files" ]; then + note="Task $(context.task.name) failed: $missing_vulnerabilities_files did not generate. For details, check Tekton task log." + TEST_OUTPUT=$(make_result_json -r "ERROR" -t "$note") + echo "$missing_vulnerabilities_files did not generate correctly. For details, check conftest command in Tekton task log." + echo "${TEST_OUTPUT}" | tee $(results.TEST_OUTPUT.path) + exit 0 + fi + + scan_result='{"vulnerabilities":{"critical":0, "high":0, "medium":0, "low":0}, "unpatched_vulnerabilities":{"critical":0, "high":0, "medium":0, "low":0}}' + for file in /tekton/home/rox-vulnerabilities-*.json; do + result=$(jq -rce \ + '{ + vulnerabilities:{ + critical: (.[] | .warnings? // [] | map(select(.metadata.details.name=="roxctl_critical_vulnerabilities").metadata."vulnerabilities_number" // 0)| add // 0), + high: (.[] | .warnings? // [] | map(select(.metadata.details.name=="roxctl_high_vulnerabilities").metadata."vulnerabilities_number" // 0)| add // 0), + medium: (.[] | .warnings? // [] | map(select(.metadata.details.name=="roxctl_medium_vulnerabilities").metadata."vulnerabilities_number" // 0)| add // 0), + low: (.[] | .warnings? // [] | map(select(.metadata.details.name=="roxctl_low_vulnerabilities").metadata."vulnerabilities_number" // 0)| add // 0), + }, + unpatched_vulnerabilities:{ + critical: (.[] | .warnings? 
// [] | map(select(.metadata.details.name=="roxctl_unpatched_critical_vulnerabilities").metadata."vulnerabilities_number" // 0)| add // 0), + high: (.[] | .warnings? // [] | map(select(.metadata.details.name=="roxctl_unpatched_high_vulnerabilities").metadata."vulnerabilities_number" // 0)| add // 0), + medium: (.[] | .warnings? // [] | map(select(.metadata.details.name=="roxctl_unpatched_medium_vulnerabilities").metadata."vulnerabilities_number" // 0)| add // 0), + low: (.[] | .warnings? // [] | map(select(.metadata.details.name=="roxctl_unpatched_low_vulnerabilities").metadata."vulnerabilities_number" // 0)| add // 0), + } + }' "$file") + + scan_result=$(jq -s -rce \ + '.[0].vulnerabilities.critical += .[1].vulnerabilities.critical | + .[0].vulnerabilities.high += .[1].vulnerabilities.high | + .[0].vulnerabilities.medium += .[1].vulnerabilities.medium | + .[0].vulnerabilities.low += .[1].vulnerabilities.low | + .[0].unpatched_vulnerabilities.critical += .[1].unpatched_vulnerabilities.critical | + .[0].unpatched_vulnerabilities.high += .[1].unpatched_vulnerabilities.high | + .[0].unpatched_vulnerabilities.medium += .[1].unpatched_vulnerabilities.medium | + .[0].unpatched_vulnerabilities.low += .[1].unpatched_vulnerabilities.low | + .[0]' <<<"$scan_result $result") + done + + echo "$scan_result" | tee "$(results.SCAN_OUTPUT.path)" + + cat /tekton/home/images-processed.json | tee $(results.IMAGES_PROCESSED.path) + # shellcheck disable=SC2154 + cat /tekton/home/reports.json > "$(results.REPORTS.path)" + + note="Task $(context.task.name) completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Rox." 
+ TEST_OUTPUT=$(make_result_json -r "SUCCESS" -t "$note")
+ echo "${TEST_OUTPUT}" | tee $(results.TEST_OUTPUT.path)
+ volumes:
+ - name: token-vol
+ projected:
+ sources:
+ - serviceAccountToken:
+ audience: rhacs
+ path: token
+ expirationSeconds: 3600
+ - name: trusted-ca
+ configMap:
+ name: $(params.ca-trust-config-map-name)
+ items:
+ - key: $(params.ca-trust-config-map-key)
+ path: ca-bundle.crt
+ optional: true
+
+
+
+

From a5e9b0917c017e2a1584f5ebd64d07c6146c443f Mon Sep 17 00:00:00 2001
From: "konflux-staging[bot]" <124796549+konflux-staging[bot]@users.noreply.github.com>
Date: Sat, 13 Dec 2025 20:16:38 +0000
Subject: [PATCH 2/2] Update Konflux references

Signed-off-by: konflux-staging <124796549+konflux-staging[bot]@users.noreply.github.com>
---
 ...a-springboot-basic-be2e8-pull-request.yaml | 12 ++---
 ...mple-java-springboot-basic-be2e8-push.yaml | 12 ++---
 ...le-java-springboot-basic-pull-request.yaml | 48 ++++++++++++-------
 ...ile-sample-java-springboot-basic-push.yaml | 12 ++---
 .tekton/hermeto-more-pull-request.yaml | 14 +++---
 .tekton/hermeto-more-push.yaml | 14 +++---
 6 files changed, 64 insertions(+), 48 deletions(-)

diff --git a/.tekton/devfile-sample-java-springboot-basic-be2e8-pull-request.yaml b/.tekton/devfile-sample-java-springboot-basic-be2e8-pull-request.yaml
index 1746094a..63eba9a3 100644
--- a/.tekton/devfile-sample-java-springboot-basic-be2e8-pull-request.yaml
+++ b/.tekton/devfile-sample-java-springboot-basic-be2e8-pull-request.yaml
@@ -312,7 +312,7 @@ spec:
 - name: name
 value: deprecated-image-check
 - name: bundle
- value: quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.5@sha256:f59175d9a0a60411738228dfe568af4684af4aa5e7e05c832927cb917801d489
+ value: quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.5@sha256:462baed733dfc38aca5395499e92f19b6f13a74c2e88fe5d86c3cffa2f899b57
 - name: kind
 value: task
 resolver: bundles
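Review bot: The `conftest-vulnerabilities` step pulls `quay.io/redhat-user-workloads/rhtap-integration-tenant/konflux-test:05b0ad430a4a117eefe9483a8a56926ff7595b0f` by mutable tag while every other step in the task is pinned by `@sha256:` digest; this step runs with `SETFCAP` and writes `TEST_OUTPUT` and `SCAN_OUTPUT`, so a re-pushed tag silently changes what the pipeline reports — pin it (`image: quay.io/redhat-user-workloads/rhtap-integration-tenant/konflux-test@sha256:<digest>`) and resolve the `UPDATE THE IMAGE REFF` comment before merge. The task also ships debugging defaults — `image-url` pointing at a stage tenant repository, a fixed `image-digest`, and `rox_central_endpoint` set to a hosted tenant — so running it with no params scans a foreign image against an external Central using the projected service-account token; blank those defaults as `rox-sample-init.yaml` does. Both new files declare `metadata.name: roxctl-scan`, so applying them to one namespace keeps whichever is applied last; give this variant a distinct name or drop it. The steps mix three different `konflux-test` images (`v1.4.40`, `v1.4.42` and the tenant fork), so the `/utils.sh` helpers `get_image_manifests` and `make_result_json` are not guaranteed to behave the same across steps; use one pinned version. As in the init variant, the `trusted-ca` volume references `$(params.ca-trust-config-map-name)` and `$(params.ca-trust-config-map-key)`, which are not declared in `spec.params`, and is never mounted.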
@@ -380,7 +380,7 @@ spec:
 - name: name
 value: sast-snyk-check-oci-ta
 - name: bundle
- value: quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta:0.4@sha256:60f2dac41844d222086ff7f477e51f3563716b183d87db89f603d6f604c21760
+ value: quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta:0.4@sha256:8ad28b7783837a24acbc9a8494c935e796e591ce476085ad5899bebd7e53f077
 - name: kind
 value: task
 resolver: bundles
@@ -447,7 +447,7 @@ spec:
 - name: name
 value: sast-coverity-check-oci-ta
 - name: bundle
- value: quay.io/konflux-ci/tekton-catalog/task-sast-coverity-check-oci-ta:0.3@sha256:ae62d14c999fd93246fef4e57d28570fa5200c3266b9a3263a39965e5a5b02d7
+ value: quay.io/konflux-ci/tekton-catalog/task-sast-coverity-check-oci-ta:0.3@sha256:78f5244a8cfd28c890ed62db7e4ff1fc97ff39876d37fb19f1b0c2c286a4002c
 - name: kind
 value: task
 resolver: bundles
@@ -494,7 +494,7 @@ spec:
 - name: name
 value: sast-shell-check-oci-ta
 - name: bundle
- value: quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta:0.1@sha256:1f0fcba24ebc447d9f8a2ea2e8f262fa435d6c523ca6b0346cd67261551fc9ed
+ value: quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta:0.1@sha256:d44336d7bcbd1f7cedee639357a493bd1f661e2859e49e11a34644bdf6819c4e
 - name: kind
 value: task
 resolver: bundles
@@ -520,7 +520,7 @@ spec:
 - name: name
 value: sast-unicode-check-oci-ta
 - name: bundle
- value: quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta:0.3@sha256:1833c618170ab9deb8455667f220df8e88d16ccd630a2361366f594e2bdcb712
+ value: quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta:0.3@sha256:e5a8d3e8e7be7246a1460385b95c084ea6e8fe7520d40fe4389deb90f1bf5176
 - name: kind
 value: task
 resolver: bundles
@@ -542,7 +542,7 @@ spec:
 - name: name
 value: apply-tags
 - name: bundle
- value: quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.2@sha256:a61d8a6d0ba804869e8fe57a9289161817afad379ef2d7433d75ae40a148e2ec
+ value: quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.2@sha256:e4017ec351a0891ef95989f35bd20b8c3f091fa1a3da364c4d4e975e99f3063c
 - name: kind
 value: task
 resolver: bundles
diff --git a/.tekton/devfile-sample-java-springboot-basic-be2e8-push.yaml b/.tekton/devfile-sample-java-springboot-basic-be2e8-push.yaml
index fbc49feb..62a7c210 100644
--- a/.tekton/devfile-sample-java-springboot-basic-be2e8-push.yaml
+++ b/.tekton/devfile-sample-java-springboot-basic-be2e8-push.yaml
@@ -308,7 +308,7 @@ spec:
 - name: name
 value: deprecated-image-check
 - name: bundle
- value: quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.5@sha256:f59175d9a0a60411738228dfe568af4684af4aa5e7e05c832927cb917801d489
+ value: quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.5@sha256:462baed733dfc38aca5395499e92f19b6f13a74c2e88fe5d86c3cffa2f899b57
 - name: kind
 value: task
 resolver: bundles
@@ -376,7 +376,7 @@ spec:
 - name: name
 value: sast-snyk-check-oci-ta
 - name: bundle
- value: quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta:0.4@sha256:60f2dac41844d222086ff7f477e51f3563716b183d87db89f603d6f604c21760
+ value: quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta:0.4@sha256:8ad28b7783837a24acbc9a8494c935e796e591ce476085ad5899bebd7e53f077
 - name: kind
 value: task
 resolver: bundles
@@ -443,7 +443,7 @@ spec:
 - name: name
 value: sast-coverity-check-oci-ta
 - name: bundle
- value: quay.io/konflux-ci/tekton-catalog/task-sast-coverity-check-oci-ta:0.3@sha256:ae62d14c999fd93246fef4e57d28570fa5200c3266b9a3263a39965e5a5b02d7
+ value: quay.io/konflux-ci/tekton-catalog/task-sast-coverity-check-oci-ta:0.3@sha256:78f5244a8cfd28c890ed62db7e4ff1fc97ff39876d37fb19f1b0c2c286a4002c
 - name: kind
 value: task
 resolver: bundles
@@ -490,7 +490,7 @@ spec:
 - name: name
 value: sast-shell-check-oci-ta
 - name: bundle
- value: quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta:0.1@sha256:1f0fcba24ebc447d9f8a2ea2e8f262fa435d6c523ca6b0346cd67261551fc9ed
+ value: quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta:0.1@sha256:d44336d7bcbd1f7cedee639357a493bd1f661e2859e49e11a34644bdf6819c4e
 - name: kind
 value: task
 resolver: bundles
@@ -516,7 +516,7 @@ spec:
 - name: name
 value: sast-unicode-check-oci-ta
 - name: bundle
- value: quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta:0.3@sha256:1833c618170ab9deb8455667f220df8e88d16ccd630a2361366f594e2bdcb712
+ value: quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta:0.3@sha256:e5a8d3e8e7be7246a1460385b95c084ea6e8fe7520d40fe4389deb90f1bf5176
 - name: kind
 value: task
 resolver: bundles
@@ -538,7 +538,7 @@ spec:
 - name: name
 value: apply-tags
 - name: bundle
- value: quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.2@sha256:a61d8a6d0ba804869e8fe57a9289161817afad379ef2d7433d75ae40a148e2ec
+ value: quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.2@sha256:e4017ec351a0891ef95989f35bd20b8c3f091fa1a3da364c4d4e975e99f3063c
 - name: kind
 value: task
 resolver: bundles
diff --git a/.tekton/devfile-sample-java-springboot-basic-pull-request.yaml b/.tekton/devfile-sample-java-springboot-basic-pull-request.yaml
index 59dbb29b..a9bc501d 100644
--- a/.tekton/devfile-sample-java-springboot-basic-pull-request.yaml
+++ b/.tekton/devfile-sample-java-springboot-basic-pull-request.yaml
@@ -8,9 +8,8 @@ metadata:
 build.appstudio.redhat.com/target_branch: '{{target_branch}}'
 pipelinesascode.tekton.dev/cancel-in-progress: "true"
 pipelinesascode.tekton.dev/max-keep-runs: "3"
- pipelinesascode.tekton.dev/on-cel-expression: event == "pull_request" && target_branch
- == "main"
- creationTimestamp: null
+ pipelinesascode.tekton.dev/on-cel-expression: event == "pull_request" && target_branch == "main"
+ creationTimestamp:
 labels:
 appstudio.openshift.io/application: test-1050-with-power
 appstudio.openshift.io/component: devfile-sample-java-springboot-basic
@@ -45,7 +44,7 @@ spec:
 - name: name
 value: show-sbom
 - name: bundle
- value: quay.io/konflux-ci/tekton-catalog/task-show-sbom:0.1@sha256:04f15cbce548e1db7770eee3f155ccb2cc0140a6c371dc67e9a34d83673ea0c0
+ value: quay.io/konflux-ci/tekton-catalog/task-show-sbom:0.1@sha256:beb0616db051952b4b861dd8c3e00fa1c0eccbd926feddf71194d3bb3ace9ce7
 - name: kind
 value: task
 resolver: bundles
@@ -61,13 +60,11 @@ spec:
 name: output-image
 type: string
 - default: .
- description: Path to the source code of an application's component from where
- to build image.
+ description: Path to the source code of an application's component from where to build image.
 name: path-context
 type: string
 - default: Dockerfile
- description: Path to the Dockerfile inside the context specified by parameter
- path-context
+ description: Path to the Dockerfile inside the context specified by parameter path-context
 name: dockerfile
 type: string
 - default: "false"
@@ -87,8 +84,7 @@ spec:
 name: prefetch-input
 type: string
 - default: ""
- description: Image tag expiration time, time values could be something like
- 1h, 2d, 3w for hours, days, and weeks, respectively.
+ description: Image tag expiration time, time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.
 name: image-expires-after
 - default: "false"
 description: Build a source image.
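Review bot: In the @@ -8,9 +8,8 hunk the new `creationTimestamp:` line has a bare empty value where the removed line had an explicit `null`. YAML parsers read an empty value as null, so the resulting object is unchanged, but yamllint's empty-values rule flags it and a reader cannot tell whether null or an empty string was intended. Either restore `creationTimestamp: null` or drop the key entirely, since it is metadata the cluster fills in rather than something the pipeline definition needs to carry. The on-cel-expression join and the description reflows in the other hunks on this line are wording-only.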
@@ -106,6 +102,14 @@ spec:
 description: Path to a file with build arguments for buildah, see https://www.mankier.com/1/buildah-build#--build-arg-file
 name: build-args-file
 type: string
+ - name: buildah-format
+ default: docker
+ type: string
+ description: The format for the resulting image's mediaType. Valid values are oci or docker.
+ - name: enable-cache-proxy
+ default: 'false'
+ description: Enable cache proxy configuration
+ type: string
 results:
 - description: ""
 name: IMAGE_URL
@@ -128,12 +132,14 @@ spec:
 value: $(params.rebuild)
 - name: skip-checks
 value: $(params.skip-checks)
+ - name: enable-cache-proxy
+ value: $(params.enable-cache-proxy)
 taskRef:
 params:
 - name: name
 value: init
 - name: bundle
- value: quay.io/konflux-ci/tekton-catalog/task-init:0.2@sha256:63eb4a4c0cfb491276bff86fdad1c96bf238506388848e79001058450a8e843a
+ value: quay.io/konflux-ci/tekton-catalog/task-init:0.2@sha256:75b88ee5e134a22ee35eb974808dfe6a63693115fa445208a9060a7175b448cf
 - name: kind
 value: task
 resolver: bundles
@@ -154,7 +160,7 @@ spec:
 - name: name
 value: git-clone-oci-ta
 - name: bundle
- value: quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.1@sha256:944e7698434862d7d295b69718accf01b0e0cbeccd44b6d68d65e67f14b97d82
+ value: quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.1@sha256:0a89e1a6304076525e9766f63a4cd006763d21d5aca6863281fc427537a23c6f
 - name: kind
 value: task
 resolver: bundles
@@ -217,6 +223,12 @@ spec:
 value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
 - name: CACHI2_ARTIFACT
 value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
+ - name: BUILDAH_FORMAT
+ value: $(params.buildah-format)
+ - name: HTTP_PROXY
+ value: $(tasks.init.results.http-proxy)
+ - name: NO_PROXY
+ value: $(tasks.init.results.no-proxy)
 runAfter:
 - prefetch-dependencies
 taskRef:
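Review bot: The new `enable-cache-proxy` parameter in the @@ -106,6 +102,14 hunk is described only as `Enable cache proxy configuration`, which does not tell a pipeline user what it changes; the @@ -217,6 +223,12 hunk shows the effect, so the description should say it, for example `description: When "true", the init task emits http-proxy/no-proxy results that are passed to build-container as HTTP_PROXY and NO_PROXY.` Its default is written `'false'` while every other boolean-looking default in this file is double-quoted (`"false"`, `"true"`), so `default: "false"` would match the file's style. Because the proxy values come from `tasks.init.results.http-proxy`/`no-proxy` rather than from a pipeline parameter, those results only exist with the `task-init:0.2` digest bumped in the @@ -128 hunk, so the param wiring and the bump must land together. The push pipeline for the same component later in this diff appears to receive only the init and buildah-oci-ta bumps and not these params, which may be intentional but is worth confirming.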
@@ -224,7 +236,7 @@ spec:
 - name: name
 value: buildah-oci-ta
 - name: bundle
- value: quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta:0.4@sha256:8cdd218d094e586ece807eb0c61b42cd6baa32c7397fe4ce9d33f6239b78c3cd
+ value: quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta:0.7@sha256:2de614f405527e779534a5d1a1293a528c482aa6abebc8ea158ad47e4be5dea4
 - name: kind
 value: task
 resolver: bundles
@@ -246,6 +258,8 @@ spec:
 - name: IMAGES
 value:
 - $(tasks.build-container.results.IMAGE_URL)@$(tasks.build-container.results.IMAGE_DIGEST)
+ - name: BUILDAH_FORMAT
+ value: $(params.buildah-format)
 runAfter:
 - build-container
 taskRef:
@@ -345,7 +359,7 @@ spec:
 - name: name
 value: ecosystem-cert-preflight-checks
 - name: bundle
- value: quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.1@sha256:df8a25a3431a70544172ed4844f9d0c6229d39130633960729f825a031a7dea9
+ value: quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:04f75593558f79a27da2336400bc63d460bf0c5669e3c13f40ee2fb650b1ad1e
 - name: kind
 value: task
 resolver: bundles
@@ -518,8 +532,10 @@ spec:
 - "false"
 - name: apply-tags
 params:
- - name: IMAGE
+ - name: IMAGE_URL
 value: $(tasks.build-image-index.results.IMAGE_URL)
+ - name: IMAGE_DIGEST
+ value: $(tasks.build-image-index.results.IMAGE_DIGEST)
 runAfter:
 - build-image-index
 taskRef:
@@ -527,7 +543,7 @@ spec:
 - name: name
 value: apply-tags
 - name: bundle
- value: quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.1@sha256:5e5f290359fd34ae4cc77cbbba6ef8c9907d752572d6dc2a00f5a4c504eb48bb
+ value: quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.2@sha256:e4017ec351a0891ef95989f35bd20b8c3f091fa1a3da364c4d4e975e99f3063c
 - name: kind
 value: task
 resolver: bundles
diff --git a/.tekton/devfile-sample-java-springboot-basic-push.yaml b/.tekton/devfile-sample-java-springboot-basic-push.yaml
index d4c18467..f475ffc7 100644
--- a/.tekton/devfile-sample-java-springboot-basic-push.yaml
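Review bot: The `IMAGE` to `IMAGE_URL` rename plus the new `IMAGE_DIGEST` value in the @@ -518,8 +532,10 hunk are the interface of task-apply-tags 0.2, which the @@ -527 hunk bumps to in the same file, so the two hunks are only correct together. The be2e8-push and push pipelines earlier and later in this diff also move apply-tags to 0.2 but show no matching `IMAGE_URL`/`IMAGE_DIGEST` param change in the visible hunks; if those files still pass `IMAGE`, the task will not receive the image to tag, so their apply-tags params should be checked. Passing the digest alongside the URL is the right direction since it pins the tagged image to the exact artifact built.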
+++ b/.tekton/devfile-sample-java-springboot-basic-push.yaml
@@ -42,7 +42,7 @@ spec:
 - name: name
 value: show-sbom
 - name: bundle
- value: quay.io/konflux-ci/tekton-catalog/task-show-sbom:0.1@sha256:04f15cbce548e1db7770eee3f155ccb2cc0140a6c371dc67e9a34d83673ea0c0
+ value: quay.io/konflux-ci/tekton-catalog/task-show-sbom:0.1@sha256:beb0616db051952b4b861dd8c3e00fa1c0eccbd926feddf71194d3bb3ace9ce7
 - name: kind
 value: task
 resolver: bundles
@@ -130,7 +130,7 @@ spec:
 - name: name
 value: init
 - name: bundle
- value: quay.io/konflux-ci/tekton-catalog/task-init:0.2@sha256:63eb4a4c0cfb491276bff86fdad1c96bf238506388848e79001058450a8e843a
+ value: quay.io/konflux-ci/tekton-catalog/task-init:0.2@sha256:75b88ee5e134a22ee35eb974808dfe6a63693115fa445208a9060a7175b448cf
 - name: kind
 value: task
 resolver: bundles
@@ -151,7 +151,7 @@ spec:
 - name: name
 value: git-clone-oci-ta
 - name: bundle
- value: quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.1@sha256:944e7698434862d7d295b69718accf01b0e0cbeccd44b6d68d65e67f14b97d82
+ value: quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.1@sha256:0a89e1a6304076525e9766f63a4cd006763d21d5aca6863281fc427537a23c6f
 - name: kind
 value: task
 resolver: bundles
@@ -221,7 +221,7 @@ spec:
 - name: name
 value: buildah-oci-ta
 - name: bundle
- value: quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta:0.4@sha256:8cdd218d094e586ece807eb0c61b42cd6baa32c7397fe4ce9d33f6239b78c3cd
+ value: quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta:0.7@sha256:2de614f405527e779534a5d1a1293a528c482aa6abebc8ea158ad47e4be5dea4
 - name: kind
 value: task
 resolver: bundles
@@ -342,7 +342,7 @@ spec:
 - name: name
 value: ecosystem-cert-preflight-checks
 - name: bundle
- value: quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.1@sha256:df8a25a3431a70544172ed4844f9d0c6229d39130633960729f825a031a7dea9
+ value: quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:04f75593558f79a27da2336400bc63d460bf0c5669e3c13f40ee2fb650b1ad1e
 - name: kind
 value: task
 resolver: bundles
@@ -524,7 +524,7 @@ spec:
 - name: name
 value: apply-tags
 - name: bundle
- value: quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.1@sha256:5e5f290359fd34ae4cc77cbbba6ef8c9907d752572d6dc2a00f5a4c504eb48bb
+ value: quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.2@sha256:e4017ec351a0891ef95989f35bd20b8c3f091fa1a3da364c4d4e975e99f3063c
 - name: kind
 value: task
 resolver: bundles
diff --git a/.tekton/hermeto-more-pull-request.yaml b/.tekton/hermeto-more-pull-request.yaml
index 0e436735..db37e8c1 100644
--- a/.tekton/hermeto-more-pull-request.yaml
+++ b/.tekton/hermeto-more-pull-request.yaml
@@ -219,7 +219,7 @@ spec:
 - name: name
 value: buildah-oci-ta
 - name: bundle
- value: quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta:0.4@sha256:db496b9f7072fb9d1c4b749db6bab8c19c0b647a8a4d2589833dcec979876657
+ value: quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta:0.7@sha256:2de614f405527e779534a5d1a1293a528c482aa6abebc8ea158ad47e4be5dea4
 - name: kind
 value: task
 resolver: bundles
@@ -274,7 +274,7 @@ spec:
 - name: name
 value: source-build-oci-ta
 - name: bundle
- value: quay.io/konflux-ci/tekton-catalog/task-source-build-oci-ta:0.3@sha256:7a36cc284c5932c18e117fe5995f3246b5dcc11ec742b66a2f9ae710034b064f
+ value: quay.io/konflux-ci/tekton-catalog/task-source-build-oci-ta:0.3@sha256:4abb2dbc9dcfad52d56b490a2f25f99989a2cb2bbd9881223025272db60fd75e
 - name: kind
 value: task
 resolver: bundles
@@ -300,7 +300,7 @@ spec:
 - name: name
 value: deprecated-image-check
 - name: bundle
- value: quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.5@sha256:1d07d16810c26713f3d875083924d93697900147364360587ccb5a63f2c31012
+ value: quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.5@sha256:462baed733dfc38aca5395499e92f19b6f13a74c2e88fe5d86c3cffa2f899b57
 - name: kind
 value: task
 resolver: bundles
@@ -322,7 +322,7 @@ spec:
 - name: name
 value: clair-scan
 - name: bundle
- value: quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.2@sha256:893ffa3ce26b061e21bb4d8db9ef7ed4ddd4044fe7aa5451ef391034da3ff759
+ value: quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.3@sha256:ee558db6af779ab162163ec88f288a5c1b2d5f70c3361f3690a474866e3bdc74
 - name: kind
 value: task
 resolver: bundles
@@ -342,7 +342,7 @@ spec:
 - name: name
 value: ecosystem-cert-preflight-checks
 - name: bundle
- value: quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:e106b6182e72c8f34ceae3f56b0b1aa2b4dc60f573877d9e51c3791029a7acb6
+ value: quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:04f75593558f79a27da2336400bc63d460bf0c5669e3c13f40ee2fb650b1ad1e
 - name: kind
 value: task
 resolver: bundles
@@ -368,7 +368,7 @@ spec:
 - name: name
 value: sast-snyk-check-oci-ta
 - name: bundle
- value: quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta:0.4@sha256:322c86ad5ee252c04440184d9f5046d276415148cb6bfaf571be1b102101786b
+ value: quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta:0.4@sha256:8ad28b7783837a24acbc9a8494c935e796e591ce476085ad5899bebd7e53f077
 - name: kind
 value: task
 resolver: bundles
@@ -553,7 +553,7 @@ spec:
 - name: name
 value: push-dockerfile-oci-ta
 - name: bundle
- value: quay.io/konflux-ci/tekton-catalog/task-push-dockerfile-oci-ta:0.1@sha256:235ef6e835de8171c07b8a7f8947d0b40bfcff999e1ff3cb6ddd9acc65c48430
+ value: quay.io/konflux-ci/tekton-catalog/task-push-dockerfile-oci-ta:0.1@sha256:08bba4a659ecd48f871bef00b80af58954e5a09fcbb28a1783ddd640c4f6535e
 - name: kind
 value: task
 resolver: bundles
diff --git a/.tekton/hermeto-more-push.yaml b/.tekton/hermeto-more-push.yaml
index 751fee74..31ec91a3 100644
--- a/.tekton/hermeto-more-push.yaml
+++ b/.tekton/hermeto-more-push.yaml
@@ -215,7 +215,7 @@ spec:
 - name: name
 value: buildah-oci-ta
 - name: bundle
- value: quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta:0.4@sha256:db496b9f7072fb9d1c4b749db6bab8c19c0b647a8a4d2589833dcec979876657
+ value: quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta:0.7@sha256:2de614f405527e779534a5d1a1293a528c482aa6abebc8ea158ad47e4be5dea4
 - name: kind
 value: task
 resolver: bundles
@@ -270,7 +270,7 @@ spec:
 - name: name
 value: source-build-oci-ta
 - name: bundle
- value: quay.io/konflux-ci/tekton-catalog/task-source-build-oci-ta:0.3@sha256:7a36cc284c5932c18e117fe5995f3246b5dcc11ec742b66a2f9ae710034b064f
+ value: quay.io/konflux-ci/tekton-catalog/task-source-build-oci-ta:0.3@sha256:4abb2dbc9dcfad52d56b490a2f25f99989a2cb2bbd9881223025272db60fd75e
 - name: kind
 value: task
 resolver: bundles
@@ -296,7 +296,7 @@ spec:
 - name: name
 value: deprecated-image-check
 - name: bundle
- value: quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.5@sha256:1d07d16810c26713f3d875083924d93697900147364360587ccb5a63f2c31012
+ value: quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.5@sha256:462baed733dfc38aca5395499e92f19b6f13a74c2e88fe5d86c3cffa2f899b57
 - name: kind
 value: task
 resolver: bundles
@@ -318,7 +318,7 @@ spec:
 - name: name
 value: clair-scan
 - name: bundle
- value: quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.2@sha256:893ffa3ce26b061e21bb4d8db9ef7ed4ddd4044fe7aa5451ef391034da3ff759
+ value: quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.3@sha256:ee558db6af779ab162163ec88f288a5c1b2d5f70c3361f3690a474866e3bdc74
 - name: kind
 value: task
 resolver: bundles
@@ -338,7 +338,7 @@ spec:
 - name: name
 value: ecosystem-cert-preflight-checks
 - name: bundle
- value: quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:e106b6182e72c8f34ceae3f56b0b1aa2b4dc60f573877d9e51c3791029a7acb6
+ value: quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:04f75593558f79a27da2336400bc63d460bf0c5669e3c13f40ee2fb650b1ad1e
 - name: kind
 value: task
 resolver: bundles
@@ -364,7 +364,7 @@ spec:
 - name: name
 value: sast-snyk-check-oci-ta
 - name: bundle
- value: quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta:0.4@sha256:322c86ad5ee252c04440184d9f5046d276415148cb6bfaf571be1b102101786b
+ value: quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta:0.4@sha256:8ad28b7783837a24acbc9a8494c935e796e591ce476085ad5899bebd7e53f077
 - name: kind
 value: task
 resolver: bundles
@@ -549,7 +549,7 @@ spec:
 - name: name
 value: push-dockerfile-oci-ta
 - name: bundle
- value: quay.io/konflux-ci/tekton-catalog/task-push-dockerfile-oci-ta:0.1@sha256:235ef6e835de8171c07b8a7f8947d0b40bfcff999e1ff3cb6ddd9acc65c48430
+ value: quay.io/konflux-ci/tekton-catalog/task-push-dockerfile-oci-ta:0.1@sha256:08bba4a659ecd48f871bef00b80af58954e5a09fcbb28a1783ddd640c4f6535e
 - name: kind
 value: task
 resolver: bundles