diff --git a/.tekton/devfile-sample-java-springboot-basic-be2e8-pull-request.yaml b/.tekton/devfile-sample-java-springboot-basic-be2e8-pull-request.yaml
index db6447a7..bc979d48 100644
--- a/.tekton/devfile-sample-java-springboot-basic-be2e8-pull-request.yaml
+++ b/.tekton/devfile-sample-java-springboot-basic-be2e8-pull-request.yaml
@@ -10,7 +10,7 @@ metadata:
 pipelinesascode.tekton.dev/max-keep-runs: "3"
 pipelinesascode.tekton.dev/on-cel-expression: event == "pull_request" && target_branch == "main"
- pipelinesascode.tekton.dev/task: "[rox/auth-task.yaml]"
+ pipelinesascode.tekton.dev/task: "[rox/auth-task.yaml, rox/image-scan.yaml]"
 creationTimestamp: null
 labels:
 appstudio.openshift.io/application: rox
@@ -164,6 +164,51 @@ spec:
 workspaces:
 - name: basic-auth
 workspace: git-auth
+ - name: rhacs-authenticate
+ taskRef:
+ name: rhacs-m2m-authenticate
+ kind: Task
+ params:
+ - name: insecure-skip-tls-verify
+ value: "true"
+ - name: rox_config_dir
+ value: /roxctl-config
+ workspaces:
+ - name: roxctl-config
+ workspace: shared-workspace
+ - name: scan-image
+ taskRef:
+ name: rhacs-image-scan
+ kind: Task
+ runAfter:
+ - rhacs-authenticate
+ workspaces:
+ - name: roxctl-config
+ workspace: shared-workspace
+ params:
+ - name: image
+ value: "quay.io/jsztuka/simple-fbc:8b74591"
+ - name: insecure-skip-tls-verify
+ value: "true" # stackrox to OCP image registry x509 fail...
+ - name: rox_config_dir
+ value: /roxctl-config
+ - name: rox_image
+ value: quay.io/stackrox-io/roxctl:4.4.2
+ - name: show-output
+ runAfter:
+ - scan-image
+ taskSpec:
+ steps:
+ - name: ahoj
+ image: quay.io/konflux-ci/konflux-test:v1.4.28@sha256:4a5423e125fc28db800421422d9933290dc4b62a22401d74cd3348c03107a5d9
+ script: |
+ #!/usr/bin/env bash
+ echo "Lets see what is there"
+ cd workspace
+ ls roxctl-config
+ workspaces:
+ - name: roxctl-config
+ workspace: shared-workspace
 - name: prefetch-dependencies
 params:
 - name: input
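Review bot: The `scan-image` task scans a fixed image, `quay.io/jsztuka/simple-fbc:8b74591`, rather than the image this pull-request pipeline builds, so the scan never covers the change under review; the task's own `image` parameter documentation shows the intended form, `'$(params.IMAGE)@$(tasks.buildah.results.IMAGE_DIGEST)'`, using the name of this pipeline's build task (outside this hunk) together with a matching `runAfter` on that task. Both new tasks set `insecure-skip-tls-verify` to `"true"`, which turns off certificate checking for the machine-to-machine token exchange with Central as well as for the scan; the inline comment points at a registry certificate problem, so the fix is to trust that CA rather than to disable verification everywhere. `rox_image` is pinned to the mutable tag `quay.io/stackrox-io/roxctl:4.4.2` while the konflux-test image in the same hunk is pinned by digest; pin roxctl the same way. The `show-output` task is a debugging step — `cd workspace` relative to an unstated working directory, then `ls` of the directory that holds the short-lived roxctl credentials — and should be dropped before merge, or at least address the mount as `$(workspaces.roxctl-config.path)`.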
@@ -595,10 +640,20 @@ spec:
 optional: true
 - name: netrc
 optional: true
+ - name: shared-workspace
+ optional: false
 taskRunTemplate:
 serviceAccountName: build-pipeline-devfile-sample-java-springboot-basic-be2e8
 workspaces:
 - name: git-auth
 secret:
 secretName: '{{ git_auth_secret }}'
+ - name: shared-workspace
+ volumeClaimTemplate:
+ spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 500Mi
 status: {}
diff --git a/rox/acs-plr.yaml b/rox/acs-plr.yaml
index 09223c5e..332b9f5f 100644
--- a/rox/acs-plr.yaml
+++ b/rox/acs-plr.yaml
@@ -4,6 +4,20 @@ kind: PipelineRun
 metadata:
 generateName: rox-pipelinerun-test-
 spec:
+ workspaces:
+ - name: shared-workspace
+ emptyDir: {}
 pipelineSpec:
 tasks:
- - name:
+ - name: rhacs-authenticate
+ taskRef:
+ name: rhacs-m2m-authenticate
+ kind: Task
+ params:
+ - name: insecure-skip-tls-verify
+ value: "true"
+ - name: rox_config_dir
+ value: $(params.rox_config_dir)
+ workspaces:
+ - name: roxctl-config
+ workspace: shared-workspace
diff --git a/rox/auth-task.yaml b/rox/auth-task.yaml
index 896839bb..67474642 100644
--- a/rox/auth-task.yaml
+++ b/rox/auth-task.yaml
@@ -27,7 +27,7 @@ spec:
 - name: rox_central_endpoint
 description: The address:port tuple for RHACS Stackrox Central.
 type: string
- default: central.stackrox.svc:443
+ default: https://acs-d3t60hcejrms73e5dk6g.acs.rhcloud.com
 - name: insecure-skip-tls-verify
 description: |
 Do not verify TLS certificates.
diff --git a/rox/image-scan.yaml b/rox/image-scan.yaml
new file mode 100644
index 00000000..11deaaf0
--- /dev/null
+++ b/rox/image-scan.yaml
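Review bot: The `shared-workspace` PipelineRun workspace persists the roxctl credential directory on a 500Mi `ReadWriteOnce` PVC, whereas `rox/acs-plr.yaml` in the same commit binds the same workspace with `emptyDir: {}`; the directory holds only the short-lived token written by `rhacs-m2m-authenticate`, so an emptyDir that disappears with the pod is the lighter and safer binding unless another task in this pipeline needs the data to persist (the remaining pipeline tasks are outside this hunk). If the PVC is intentional, a one-line comment above `volumeClaimTemplate:` stating why, and noting the `ReadWriteOnce` scheduling constraint, would save the next reader the question.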
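Review bot: `value: $(params.rox_config_dir)` in the new `rhacs-authenticate` task refers to a pipeline parameter that this hunk does not declare under `pipelineSpec.params`; if it is not declared elsewhere in the file, the PipelineRun is rejected at validation for an unknown variable reference. The `.tekton/devfile-sample-java-springboot-basic-be2e8-pull-request.yaml` pipeline in the same commit passes the literal `/roxctl-config`, which is also the `mountPath` the `rhacs-image-scan` task expects, so either declare the parameter with that default or use the literal here too. `insecure-skip-tls-verify` is again hard-coded to `"true"` for the token exchange with Central; exposing it as a parameter defaulting to `"false"` keeps this test PipelineRun explicit about when verification is off.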
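Review bot: The new default for `rox_central_endpoint`, `https://acs-d3t60hcejrms73e5dk6g.acs.rhcloud.com`, bakes one tenant's Central instance into a reusable Task, and the parameter's description still says `The address:port tuple` while the value now carries a scheme and no port; `rox/image-scan.yaml` in this commit ships the same default. Keep an environment-neutral default (the previous `central.stackrox.svc:443`, or a clearly labelled placeholder) and pass the real endpoint from the pipeline; if the URL form is what roxctl is expected to accept here, update the description to say so. A hosted endpoint of this kind presumably presents a publicly trusted certificate, in which case the `insecure-skip-tls-verify: "true"` settings in the callers become unnecessary — worth confirming.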
@@ -0,0 +1,120 @@
+---
+apiVersion: tekton.dev/v1
+kind: Task
+metadata:
+ name: rhacs-image-scan
+ labels:
+ app.kubernetes.io/version: "4.0"
+ annotations:
+ tekton.dev/tags: security
+ tekton.dev/categories: Security
+ tekton.dev/displayName: "Scan an image for vulnerabilities with Red Hat Advanced Cluster Security"
+ tekton.dev/platforms: "linux/amd64,linux/arm64,linux/ppc64le,linux/s390x,darwin/amd64,darwin/arm64,windows/amd64"
+ tekton.dev/pipelines.minVersion: "0.50.0"
+spec:
+ description: >-
+ Scan an image with Red Hat Advanced Cluster Security.
+
+ This task allows you to return full vulnerability scan results for an image
+ in CSV, Table, or JSON formats.
+ The companion rhacs-image-check task checks an image against build-time policies.
+ params:
+ - name: rox_central_endpoint
+ type: string
+ description: The address:port tuple for RHACS Stackrox Central.
+ default: https://acs-d3t60hcejrms73e5dk6g.acs.rhcloud.com
+ - name: rox_image
+ description: Image providing the roxctl tool.
+ default: quay.io/stackrox-io/roxctl:4.4.2
+ - name: image
+ type: string
+ description: |
+ Full name of image to scan.
+
+ SHA 256 digest may be included to ensure scan of sequental runs with same tag.
+ Examples: 'gcr.io/rox/sample:5.0-rc1', '$(params.IMAGE)', '$(params.IMAGE)@$(tasks.buildah.results.IMAGE_DIGEST)'
+ default: '$(params.IMAGE)'
+ - name: output_format
+ type: string
+ description: Results output format (json | csv | table)
+ default: json
+ - name: insecure-skip-tls-verify
+ type: string
+ description: |
+ Do not verify TLS certificates.
+
+ When set to "true", skip verifying the TLS certs of the Central endpoint and registry.
+ default: "false"
+ - name: rox_config_dir
+ type: string
+ description: |
+ Path to the roxtl config directory within the roxctl-config workspace (if machine to machine authentication is used).
+ Mutually exclusive with token_file.
+ The path must be prefixed with "/roxctl-config" yes.
+ default: ""
+ - name: rox_token_file
+ description: |
+ Path to the API Token file (if authentication through API token).
+ Mutually exclusive with rox_config_dir.
+ The path must be prefixed with "/rox-api-token-auth".
+ Example "/rox-api-token-auth/rox_api_token"
+ type: string
+ default: ""
+ - name: output_file
+ type: string
+ description: |
+ Path to a file where to write the roxctl standard output stream.
+ If empty, the output stream goes to the container standard output.
+ default: ""
+ - name: error_file
+ type: string
+ description: |
+ Path to a file where to write the roxctl standard error stream.
+ If empty, the error stream goes to the container standard error.
+ default: ""
+ workspaces:
+ - name: roxctl-config
+ description: |
+ A workspace containing the configuration for roxctl. Used to authenticate with the remote central using short-lived tokens.
+ Mutually exclusive with rox-api-token-auth workspace.
+ The workspace has to be populated by a rhacs-m2m-authenticate TaskRun.
+ optional: true
+ readOnly: true
+ mountPath: /roxctl-config
+ - name: rox-api-token-auth
+ description: |
+ A workspace containing a rox token file. Used to authenticate with the remote central.
+ Mutually exclusive with roxctl-config.
+ It is strongly recommended that this workspace be bound to a Kubernetes secret.
+ optional: true
+ readOnly: true
+ mountPath: /rox-api-token-auth
+ steps:
+ - name: rox-image-scan
+ image: $(params.rox_image)
+ env:
+ - name: HOME
+ value: /tekton/home
+ - name: IMAGE
+ value: $(params.image)
+ - name: INSECURE
+ value: $(params.insecure-skip-tls-verify)
+ - name: OUTPUT
+ value: $(params.output_format)
+ - name: ROX_CONFIG_DIR
+ value: $(params.rox_config_dir)
+ - name: ROX_API_TOKEN_FILE
+ value: $(params.rox_token_file)
+ - name: ROX_ENDPOINT
+ value: $(params.rox_central_endpoint)
+ - name: ROX_EXECUTION_ENV
+ value: Tekton
+ - name: ROX_OUTPUT_FILE
+ value: $(params.output_file)
+ - name: ROX_ERROR_FILE
+ value: $(params.error_file)
+ args:
+ - image
+ - scan
+ - --insecure-skip-tls-verify=$(INSECURE)
+ - --image=$(IMAGE)
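Review bot: `output_format` has no effect: the step exports it as the `OUTPUT` environment variable, but nothing in `args` consumes that variable, so roxctl falls back to its own default format whatever the caller passes; add `- --output=$(OUTPUT)` after the `--image` argument. The parameter descriptions carry a stray word and two typos — `The path must be prefixed with "/roxctl-config" yes.` under `rox_config_dir`, `roxtl` in the same block, and `sequental` under `image`. The `rox_image` default `quay.io/stackrox-io/roxctl:4.4.2` is a mutable tag; since the scanner's output feeds security decisions, a digest-pinned default such as `quay.io/stackrox-io/roxctl:4.4.2@sha256:<DIGEST>` (placeholder) is the safer choice. The Task declares no `results`, so a caller can only consume the scan through `output_file` or the step log; document that this task is report-only and that `rhacs-image-check` is the enforcing companion, which the spec description only implies.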