From f3bb6e3549d71c005012c5cf9e370ccb098baaaf Mon Sep 17 00:00:00 2001 From: Tom Martensen Date: Tue, 12 Mar 2024 13:46:01 +0100 Subject: [PATCH] ROX-20752: scanner-slim konflux onboarding (#1429) Co-authored-by: red-hat-konflux[bot] <126015336+red-hat-konflux[bot]@users.noreply.github.com> Co-authored-by: red-hat-konflux Co-authored-by: red-hat-konflux <123456+red-hat-konflux[bot]@users.noreply.github.com> Co-authored-by: Misha Sugakov <537715+msugakov@users.noreply.github.com> --- .tekton/scanner-db-pull-request.yaml | 8 + .tekton/scanner-db-push.yaml | 8 + .tekton/scanner-db-slim-pull-request.yaml | 764 +++++++++++----------- .tekton/scanner-db-slim-push.yaml | 761 ++++++++++----------- .tekton/scanner-pull-request.yaml | 8 + .tekton/scanner-push.yaml | 8 + .tekton/scanner-slim-pull-request.yaml | 434 ++++++++++++ .tekton/scanner-slim-push.yaml | 433 ++++++++++++ image/db/rhel/konflux.Dockerfile | 27 +- image/scanner/rhel/konflux.Dockerfile | 37 +- 10 files changed, 1720 insertions(+), 768 deletions(-) create mode 100644 .tekton/scanner-slim-pull-request.yaml create mode 100644 .tekton/scanner-slim-push.yaml
diff --git a/.tekton/scanner-db-pull-request.yaml b/.tekton/scanner-db-pull-request.yaml
index 8ab0d6625..ff019cfb9 100644
--- a/.tekton/scanner-db-pull-request.yaml
+++ b/.tekton/scanner-db-pull-request.yaml
@@ -43,6 +43,8 @@ spec:
 value: ''
 - name: build-source-image
 value: 'true'
+ - name: build-target-stage
+ value: scanner-db
 workspaces:
 - name: workspace
@@ -146,6 +148,10 @@ spec:
 description: Build a source image.
 name: build-source-image
 type: string
+ - default: ""
+ description: Build stage to target in container build
+ name: build-target-stage
+ type: string
 results:
 - description: ""
@@ -271,6 +277,8 @@ spec:
 value: $(params.image-expires-after)
 - name: COMMIT_SHA
 value: $(tasks.clone-repository.results.commit)
+ - name: TARGET_STAGE
+ value: $(params.build-target-stage)
 runAfter:
 - prefetch-dependencies
 - fetch-sql-definitions
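Review bot: The new `build-target-stage` value is handed to the build-container task as `TARGET_STAGE` in the third hunk, but no hunk in this file bumps the task-buildah bundle the file pins, so the patch alone cannot confirm that the pinned revision declares a TARGET_STAGE param; if it does not, the run would presumably fail at param validation rather than during the build, so this is worth checking against that bundle before merge. The same wiring is repeated in .tekton/scanner-db-push.yaml. The param description in the second hunk would also help maintainers more if it named what the value must match, e.g. `description: Name of the stage in the multi-stage Dockerfile to build (buildah --target); must match a stage in the Dockerfile this pipeline builds`.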
diff --git a/.tekton/scanner-db-push.yaml b/.tekton/scanner-db-push.yaml
index 45bf3b708..87c492c62 100644
--- a/.tekton/scanner-db-push.yaml
+++ b/.tekton/scanner-db-push.yaml
@@ -41,6 +41,8 @@ spec:
 value: ''
 - name: build-source-image
 value: 'true'
+ - name: build-target-stage
+ value: scanner-db
 workspaces:
 - name: workspace
@@ -144,6 +146,10 @@ spec:
 description: Build a source image.
 name: build-source-image
 type: string
+ - default: ""
+ description: Build stage to target in container build
+ name: build-target-stage
+ type: string
 results:
 - description: ""
@@ -269,6 +275,8 @@ spec:
 value: $(params.image-expires-after)
 - name: COMMIT_SHA
 value: $(tasks.clone-repository.results.commit)
+ - name: TARGET_STAGE
+ value: $(params.build-target-stage)
 runAfter:
 - prefetch-dependencies
 - fetch-sql-definitions
diff --git a/.tekton/scanner-db-slim-pull-request.yaml b/.tekton/scanner-db-slim-pull-request.yaml
index af0854792..99fd5acc3 100644
--- a/.tekton/scanner-db-slim-pull-request.yaml
+++ b/.tekton/scanner-db-slim-pull-request.yaml
@@ -6,9 +6,9 @@ metadata:
 build.appstudio.redhat.com/commit_sha: '{{revision}}'
 build.appstudio.redhat.com/pull_request_number: '{{pull_request_number}}'
 build.appstudio.redhat.com/target_branch: '{{target_branch}}'
- pipelinesascode.tekton.dev/max-keep-runs: "3"
- pipelinesascode.tekton.dev/on-cel-expression: event == "pull_request" && target_branch
- == "master"
+ pipelinesascode.tekton.dev/max-keep-runs: "500"
+ # TODO(ROX-21073): re-enable for all PR branches
+ pipelinesascode.tekton.dev/on-cel-expression: event == "pull_request" && (source_branch.contains("konflux") || source_branch.contains("rhtap"))
 creationTimestamp: null
 labels:
 appstudio.openshift.io/application: acs
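Review bot: The new on-cel-expression in the scanner-db-slim-pull-request.yaml hunk drops the `target_branch == "master"` clause that the removed lines carried, so any pull request whose source branch name contains "konflux" or "rhtap" now triggers this pipeline whatever branch it targets, which is wider than the branch-scoped rollout the TODO describes. Keeping both clauses gives the narrower trigger: `pipelinesascode.tekton.dev/on-cel-expression: event == "pull_request" && target_branch == "master" && (source_branch.contains("konflux") || source_branch.contains("rhtap"))`. The TODO line would also read clearer as `# TODO(ROX-21073): drop the source_branch filter so every PR into master is built`. The `max-keep-runs` change from "3" to "500" in the same hunk has no stated reason; a one-line comment on why PR runs need that much retention would help the next reader.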
@@ -16,395 +16,405 @@ metadata: pipelines.appstudio.openshift.io/type: build name: scanner-db-slim-on-pull-request namespace: rh-acs-tenant + spec: + params: - - name: dockerfile - value: image/db/rhel/konflux.Dockerfile - - name: git-url - value: '{{source_url}}' - - name: image-expires-after - value: 5d - - name: output-image - value: quay.io/redhat-user-workloads/rh-acs-tenant/acs/scanner-db-slim:on-pr-{{revision}} - - name: path-context - value: . - - name: revision - value: '{{revision}}' + - name: dockerfile + value: image/db/rhel/konflux.Dockerfile + - name: git-url + value: '{{source_url}}' + - name: image-expires-after + value: '13w' + - name: output-image + value: quay.io/redhat-user-workloads/rh-acs-tenant/acs/scanner-db-slim:on-pr-{{revision}} + - name: path-context + value: . + - name: revision + value: '{{revision}}' + - name: rebuild + value: 'true' + # TODO(ROX-20234): Enable hermetic builds + # - name: hermetic + # value: "true" + # No language dependencies are required for scanner-db-slim image. 
+ - name: prefetch-input + value: '' + - name: build-source-image + value: 'true' + - name: build-target-stage + value: scanner-db-slim + + workspaces: + - name: workspace + volumeClaimTemplate: + metadata: + creationTimestamp: null + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi + status: { } + - name: git-auth + secret: + secretName: '{{ git_auth_secret }}' + pipelineSpec: + finally: - - name: show-sbom - params: - - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) - taskRef: + - name: show-sbom params: - - name: name - value: show-sbom - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-show-sbom:0.1@sha256:82737c8d365c620295fa526d21a481d4614f657800175ddc0ccd7846c54207f8 - - name: kind - value: task - resolver: bundles - - name: show-summary - params: - - name: pipelinerun-name - value: $(context.pipelineRun.name) - - name: git-url - value: $(tasks.clone-repository.results.url)?rev=$(tasks.clone-repository.results.commit) - - name: image-url - value: $(params.output-image) - - name: build-task-status - value: $(tasks.build-container.status) - taskRef: + - name: IMAGE_URL + value: $(tasks.build-container.results.IMAGE_URL) + taskRef: + params: + - name: name + value: show-sbom + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-show-sbom:0.1@sha256:82737c8d365c620295fa526d21a481d4614f657800175ddc0ccd7846c54207f8 + - name: kind + value: task + resolver: bundles + - name: show-summary params: - - name: name - value: summary - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-summary:0.1@sha256:789b3b20a7de149213d6fa7ac05af13229b1c34f74e1b93d1b42eb3d3df2d0d8 - - name: kind - value: task - resolver: bundles + - name: pipelinerun-name + value: $(context.pipelineRun.name) + - name: git-url + value: $(tasks.clone-repository.results.url)?rev=$(tasks.clone-repository.results.commit) + - name: image-url + value: $(params.output-image) + - name: build-task-status + 
value: $(tasks.build-container.status) + taskRef: + params: + - name: name + value: summary + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-summary:0.1@sha256:789b3b20a7de149213d6fa7ac05af13229b1c34f74e1b93d1b42eb3d3df2d0d8 + - name: kind + value: task + resolver: bundles + params: - - description: Source Repository URL - name: git-url - type: string - - default: "" - description: Revision of the Source Repository - name: revision - type: string - - description: Fully Qualified Output Image - name: output-image - type: string - - default: . - description: Path to the source code of an application's component from where - to build image. - name: path-context - type: string - - default: Dockerfile - description: Path to the Dockerfile inside the context specified by parameter - path-context - name: dockerfile - type: string - - default: "false" - description: Force rebuild image - name: rebuild - type: string - - default: "false" - description: Skip checks against built image - name: skip-checks - type: string - - default: "false" - description: Execute the build with network isolation - name: hermetic - type: string - - default: "" - description: Build dependencies to be prefetched by Cachi2 - name: prefetch-input - type: string - - default: "false" - description: Java build - name: java - type: string - - default: "" - description: Image tag expiration time, time values could be something like - 1h, 2d, 3w for hours, days, and weeks, respectively. - name: image-expires-after - - default: "false" - description: Build a source image. - name: build-source-image - type: string + - description: Source Repository URL + name: git-url + type: string + - default: "" + description: Revision of the Source Repository + name: revision + type: string + - description: Fully Qualified Output Image + name: output-image + type: string + - default: . + description: Path to the source code of an application's component from where + to build image. 
+ name: path-context + type: string + - default: Dockerfile + description: Path to the Dockerfile inside the context specified by parameter + path-context + name: dockerfile + type: string + - default: "false" + description: Force rebuild image + name: rebuild + type: string + - default: "false" + description: Skip checks against built image + name: skip-checks + type: string + - default: "false" + description: Execute the build with network isolation + name: hermetic + type: string + - default: "" + description: Build dependencies to be prefetched by Cachi2 + name: prefetch-input + type: string + - default: "false" + description: Java build + name: java + type: string + - default: "" + description: Image tag expiration time, time values could be something like + 1h, 2d, 3w for hours, days, and weeks, respectively. + name: image-expires-after + type: string + - default: "false" + description: Build a source image. + name: build-source-image + type: string + - default: "" + description: Build stage to target in container build + name: build-target-stage + type: string + results: - - description: "" - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) - - description: "" - name: IMAGE_DIGEST - value: $(tasks.build-container.results.IMAGE_DIGEST) - - description: "" - name: CHAINS-GIT_URL - value: $(tasks.clone-repository.results.url) - - description: "" - name: CHAINS-GIT_COMMIT - value: $(tasks.clone-repository.results.commit) - - description: "" - name: JAVA_COMMUNITY_DEPENDENCIES - value: $(tasks.build-container.results.JAVA_COMMUNITY_DEPENDENCIES) + - description: "" + name: IMAGE_URL + value: $(tasks.build-container.results.IMAGE_URL) + - description: "" + name: IMAGE_DIGEST + value: $(tasks.build-container.results.IMAGE_DIGEST) + - description: "" + name: CHAINS-GIT_URL + value: $(tasks.clone-repository.results.url) + - description: "" + name: CHAINS-GIT_COMMIT + value: $(tasks.clone-repository.results.commit) + - description: "" + name: 
JAVA_COMMUNITY_DEPENDENCIES + value: $(tasks.build-container.results.JAVA_COMMUNITY_DEPENDENCIES) + + workspaces: + - name: workspace + - name: git-auth + tasks: - - name: init - params: - - name: image-url - value: $(params.output-image) - - name: rebuild - value: $(params.rebuild) - - name: skip-checks - value: $(params.skip-checks) - taskRef: + + - name: init params: - - name: name - value: init - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-init:0.2@sha256:3d8f01fa59596a998d30dc700fcf7377f09d60008337290eebaeaf604512ce2b - - name: kind - value: task - resolver: bundles - - name: clone-repository - params: - - name: url - value: $(params.git-url) - - name: revision - value: $(params.revision) - runAfter: - - init - taskRef: + - name: image-url + value: $(params.output-image) + - name: rebuild + value: $(params.rebuild) + - name: skip-checks + value: $(params.skip-checks) + taskRef: + params: + - name: name + value: init + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-init:0.2@sha256:3d8f01fa59596a998d30dc700fcf7377f09d60008337290eebaeaf604512ce2b + - name: kind + value: task + resolver: bundles + + - name: clone-repository params: - - name: name - value: git-clone - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-git-clone:0.1@sha256:982e53397367ea9680b5cc543f5cbfc8e90124ffb463551eea33e4477d0a7ec6 - - name: kind - value: task - resolver: bundles - when: - - input: $(tasks.init.results.build) - operator: in - values: - - "true" - workspaces: - - name: output - workspace: workspace - - name: basic-auth - workspace: git-auth - - name: prefetch-dependencies - params: - - name: input - value: $(params.prefetch-input) - runAfter: - - clone-repository - taskRef: + - name: url + value: $(params.git-url) + - name: revision + value: $(params.revision) + # A shallow repo clone is sufficient for scanner-db-slim build. 
+ - name: depth + value: "1" + - name: fetchTags + value: "false" + runAfter: + - init + taskRef: + params: + - name: name + value: git-clone + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-git-clone:0.1@sha256:ddc1b741a59e24817b24f190aab820700b6a8cf78cdd1827c403375bdba8aeee + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: [ "true" ] + workspaces: + - name: output + workspace: workspace + - name: basic-auth + workspace: git-auth + + - name: prefetch-dependencies params: - - name: name - value: prefetch-dependencies - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-prefetch-dependencies:0.1@sha256:e29adab9f66415b3be2e89e154c03ec685900fdad90051a555d7d027f94f874e - - name: kind - value: task - resolver: bundles - when: - - input: $(params.hermetic) - operator: in - values: - - "true" - workspaces: - - name: source - workspace: workspace - - name: build-container - params: - - name: IMAGE - value: $(params.output-image) - - name: DOCKERFILE - value: $(params.dockerfile) - - name: CONTEXT - value: $(params.path-context) - - name: HERMETIC - value: $(params.hermetic) - - name: PREFETCH_INPUT - value: $(params.prefetch-input) - - name: IMAGE_EXPIRES_AFTER - value: $(params.image-expires-after) - - name: COMMIT_SHA - value: $(tasks.clone-repository.results.commit) - runAfter: - - prefetch-dependencies - taskRef: + - name: input + value: $(params.prefetch-input) + runAfter: + - clone-repository + taskRef: + params: + - name: name + value: prefetch-dependencies + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-prefetch-dependencies:0.1@sha256:e29adab9f66415b3be2e89e154c03ec685900fdad90051a555d7d027f94f874e + - name: kind + value: task + resolver: bundles + workspaces: + - name: source + workspace: workspace + + - name: build-container params: - - name: name - value: buildah - - name: bundle - value: 
quay.io/redhat-appstudio-tekton-catalog/task-buildah:0.1@sha256:cfb32c9f1ec9c217bc81389d6aeacdb9e7a092a7fa86d4fed7b6fbb2612f5c1d - - name: kind - value: task - resolver: bundles - when: - - input: $(tasks.init.results.build) - operator: in - values: - - "true" - workspaces: - - name: source - workspace: workspace - - name: build-source-image - params: - - name: BINARY_IMAGE - value: $(params.output-image) - - name: BASE_IMAGES - value: $(tasks.build-container.results.BASE_IMAGES_DIGESTS) - runAfter: - - build-container - taskRef: + - name: IMAGE + value: $(params.output-image) + - name: DOCKERFILE + value: $(params.dockerfile) + - name: CONTEXT + value: $(params.path-context) + - name: HERMETIC + value: $(params.hermetic) + - name: PREFETCH_INPUT + value: $(params.prefetch-input) + - name: IMAGE_EXPIRES_AFTER + value: $(params.image-expires-after) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + - name: TARGET_STAGE + value: $(params.build-target-stage) + runAfter: + - prefetch-dependencies + taskRef: + params: + - name: name + value: buildah + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-buildah:0.1@sha256:cfb32c9f1ec9c217bc81389d6aeacdb9e7a092a7fa86d4fed7b6fbb2612f5c1d + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: [ "true" ] + workspaces: + - name: source + workspace: workspace + + - name: build-source-image params: - - name: name - value: source-build - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-source-build:0.1@sha256:e831f3e10362ecb21910f45ff48c3af1c0c8bea4858ca25f4f436153499f9802 - - name: kind - value: task - resolver: bundles - when: - - input: $(tasks.init.results.build) - operator: in - values: - - "true" - - input: $(params.build-source-image) - operator: in - values: - - "true" - workspaces: - - name: workspace - workspace: workspace - - name: deprecated-base-image-check - params: - - name: 
BASE_IMAGES_DIGESTS - value: $(tasks.build-container.results.BASE_IMAGES_DIGESTS) - runAfter: - - build-container - taskRef: + - name: BINARY_IMAGE + value: $(params.output-image) + - name: BASE_IMAGES + value: $(tasks.build-container.results.BASE_IMAGES_DIGESTS) + runAfter: + - build-container + taskRef: + params: + - name: name + value: source-build + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-source-build:0.1@sha256:e831f3e10362ecb21910f45ff48c3af1c0c8bea4858ca25f4f436153499f9802 + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: [ "true" ] + - input: $(params.build-source-image) + operator: in + values: [ "true" ] + workspaces: + - name: workspace + workspace: workspace + + - name: deprecated-base-image-check params: - - name: name - value: deprecated-image-check - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-deprecated-image-check:0.3@sha256:ba55ff56b8718406278d72fd5e3de88da110dd4391aa7581923b8d219a29f841 - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: - - "false" - - name: clair-scan - params: - - name: image-digest - value: $(tasks.build-container.results.IMAGE_DIGEST) - - name: image-url - value: $(tasks.build-container.results.IMAGE_URL) - runAfter: - - build-container - taskRef: + - name: BASE_IMAGES_DIGESTS + value: $(tasks.build-container.results.BASE_IMAGES_DIGESTS) + runAfter: + - build-container + taskRef: + params: + - name: name + value: deprecated-image-check + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-deprecated-image-check:0.3@sha256:ba55ff56b8718406278d72fd5e3de88da110dd4391aa7581923b8d219a29f841 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: [ "false" ] + + - name: clair-scan params: - - name: name - value: clair-scan - - name: bundle - value: 
quay.io/redhat-appstudio-tekton-catalog/task-clair-scan:0.1@sha256:5097b69c7b8ed19bbc09b3b119214305ed382a185aece344806875e6c43203b8 - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: - - "false" - - name: ecosystem-cert-preflight-checks - params: - - name: image-url - value: $(tasks.build-container.results.IMAGE_URL) - runAfter: - - build-container - taskRef: + - name: image-digest + value: $(tasks.build-container.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-container.results.IMAGE_URL) + runAfter: + - build-container + taskRef: + params: + - name: name + value: clair-scan + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-clair-scan:0.1@sha256:5097b69c7b8ed19bbc09b3b119214305ed382a185aece344806875e6c43203b8 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: [ "false" ] + + - name: sast-snyk-check + runAfter: + - clone-repository + taskRef: + params: + - name: name + value: sast-snyk-check + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-sast-snyk-check:0.1@sha256:422177f6fffa55284a30ddc4a26dca1462aee34a479529b9e2b52a5bb39606a4 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: [ "false" ] + workspaces: + - name: workspace + workspace: workspace + + - name: clamav-scan params: - - name: name - value: ecosystem-cert-preflight-checks - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-ecosystem-cert-preflight-checks:0.1@sha256:4bcabe436ddbef6af8f8108ee234d83e116e63e91f64a77191e1492db11bf56b - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: - - "false" - - name: sast-snyk-check - runAfter: - - clone-repository - taskRef: + - name: image-digest + value: $(tasks.build-container.results.IMAGE_DIGEST) + - name: image-url + value: 
$(tasks.build-container.results.IMAGE_URL) + runAfter: + - build-container + taskRef: + params: + - name: name + value: clamav-scan + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-clamav-scan:0.1@sha256:628847d30ce0dc05ce9c62ae1161ba54d27de125b59e867d485ca0e0c68e11e4 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: [ "false" ] + + - name: sbom-json-check params: - - name: name - value: sast-snyk-check - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-sast-snyk-check:0.1@sha256:422177f6fffa55284a30ddc4a26dca1462aee34a479529b9e2b52a5bb39606a4 - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: - - "false" - workspaces: - - name: workspace - workspace: workspace - - name: clamav-scan - params: - - name: image-digest - value: $(tasks.build-container.results.IMAGE_DIGEST) - - name: image-url - value: $(tasks.build-container.results.IMAGE_URL) - runAfter: - - build-container - taskRef: - params: - - name: name - value: clamav-scan - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-clamav-scan:0.1@sha256:628847d30ce0dc05ce9c62ae1161ba54d27de125b59e867d485ca0e0c68e11e4 - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: - - "false" - - name: sbom-json-check - params: - - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) - - name: IMAGE_DIGEST - value: $(tasks.build-container.results.IMAGE_DIGEST) - runAfter: - - build-container - taskRef: - params: - - name: name - value: sbom-json-check - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-sbom-json-check:0.1@sha256:e5202b2f610fcf36793e410336bd5b9764999abb29b3cd29007f6c68dd7725af - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: - - "false" - workspaces: - - name: 
workspace - - name: git-auth - optional: true - taskRunTemplate: {} - workspaces: - - name: workspace - volumeClaimTemplate: - metadata: - creationTimestamp: null - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 1Gi - status: {} - - name: git-auth - secret: - secretName: '{{ git_auth_secret }}' -status: {} + - name: IMAGE_URL + value: $(tasks.build-container.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-container.results.IMAGE_DIGEST) + runAfter: + - build-container + taskRef: + params: + - name: name + value: sbom-json-check + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-sbom-json-check:0.1@sha256:e5202b2f610fcf36793e410336bd5b9764999abb29b3cd29007f6c68dd7725af + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: [ "false" ] + + taskRunTemplate: { } + +status: { } diff --git a/.tekton/scanner-db-slim-push.yaml b/.tekton/scanner-db-slim-push.yaml index e2169466a..33beca4bc 100644 --- a/.tekton/scanner-db-slim-push.yaml +++ b/.tekton/scanner-db-slim-push.yaml @@ -5,9 +5,8 @@ metadata: build.appstudio.openshift.io/repo: https://github.com/stackrox/scanner?rev={{revision}} build.appstudio.redhat.com/commit_sha: '{{revision}}' build.appstudio.redhat.com/target_branch: '{{target_branch}}' - pipelinesascode.tekton.dev/max-keep-runs: "3" - pipelinesascode.tekton.dev/on-cel-expression: event == "push" && target_branch - == "master" + pipelinesascode.tekton.dev/max-keep-runs: "500" + pipelinesascode.tekton.dev/on-cel-expression: event == "push" && target_branch == "master" creationTimestamp: null labels: appstudio.openshift.io/application: acs 
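Review bot: The rewritten `tasks:` list no longer contains the `ecosystem-cert-preflight-checks` task that the removed side ran after build-container under the skip-checks guard, while every other skip-checks-gated scan (deprecated-base-image-check, clair-scan, sast-snyk-check, clamav-scan, sbom-json-check) is kept; nothing in the hunk or the subject line says the drop is deliberate. Either restore that task block from the removed side or add a comment above the task list such as `# ecosystem-cert-preflight-checks is intentionally not run for scanner-db-slim: <reason>`. Separately, `prefetch-dependencies` lost its `when` guard on `$(params.hermetic)`, so it now runs on every build with an empty `prefetch-input`; if that is meant to stay until the TODO(ROX-20234) hermetic work lands, a comment on the task would save the next reader the comparison. The PR image tag lifetime also moves from `5d` to `'13w'`, which keeps every on-pr image for roughly a quarter; confirm that is intended for throwaway PR builds.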
@@ -15,393 +14,405 @@ metadata: pipelines.appstudio.openshift.io/type: build name: scanner-db-slim-on-push namespace: rh-acs-tenant + spec: + params: - - name: dockerfile - value: image/db/rhel/konflux.Dockerfile - - name: git-url - value: '{{source_url}}' - - name: output-image - value: quay.io/redhat-user-workloads/rh-acs-tenant/acs/scanner-db-slim:{{revision}} - - name: path-context - value: . - - name: revision - value: '{{revision}}' + - name: dockerfile + value: image/db/rhel/konflux.Dockerfile + - name: git-url + value: '{{source_url}}' + - name: image-expires-after + value: '13w' + - name: output-image + value: quay.io/redhat-user-workloads/rh-acs-tenant/acs/scanner-db-slim:{{revision}} + - name: path-context + value: . + - name: revision + value: '{{revision}}' + - name: rebuild + value: 'true' + # TODO(ROX-20234): Enable hermetic builds + # - name: hermetic + # value: "true" + # No language dependencies are required for scanner-db-slim image. + - name: prefetch-input + value: '' + - name: build-source-image + value: 'true' + - name: build-target-stage + value: scanner-db-slim + + workspaces: + - name: workspace + volumeClaimTemplate: + metadata: + creationTimestamp: null + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi + status: { } + - name: git-auth + secret: + secretName: '{{ git_auth_secret }}' + pipelineSpec: + finally: - - name: show-sbom - params: - - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) - taskRef: + - name: show-sbom params: - - name: name - value: show-sbom - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-show-sbom:0.1@sha256:82737c8d365c620295fa526d21a481d4614f657800175ddc0ccd7846c54207f8 - - name: kind - value: task - resolver: bundles - - name: show-summary - params: - - name: pipelinerun-name - value: $(context.pipelineRun.name) - - name: git-url - value: $(tasks.clone-repository.results.url)?rev=$(tasks.clone-repository.results.commit) - - name: image-url - 
value: $(params.output-image) - - name: build-task-status - value: $(tasks.build-container.status) - taskRef: + - name: IMAGE_URL + value: $(tasks.build-container.results.IMAGE_URL) + taskRef: + params: + - name: name + value: show-sbom + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-show-sbom:0.1@sha256:82737c8d365c620295fa526d21a481d4614f657800175ddc0ccd7846c54207f8 + - name: kind + value: task + resolver: bundles + - name: show-summary params: - - name: name - value: summary - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-summary:0.1@sha256:789b3b20a7de149213d6fa7ac05af13229b1c34f74e1b93d1b42eb3d3df2d0d8 - - name: kind - value: task - resolver: bundles + - name: pipelinerun-name + value: $(context.pipelineRun.name) + - name: git-url + value: $(tasks.clone-repository.results.url)?rev=$(tasks.clone-repository.results.commit) + - name: image-url + value: $(params.output-image) + - name: build-task-status + value: $(tasks.build-container.status) + taskRef: + params: + - name: name + value: summary + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-summary:0.1@sha256:789b3b20a7de149213d6fa7ac05af13229b1c34f74e1b93d1b42eb3d3df2d0d8 + - name: kind + value: task + resolver: bundles + params: - - description: Source Repository URL - name: git-url - type: string - - default: "" - description: Revision of the Source Repository - name: revision - type: string - - description: Fully Qualified Output Image - name: output-image - type: string - - default: . - description: Path to the source code of an application's component from where - to build image. 
- name: path-context - type: string - - default: Dockerfile - description: Path to the Dockerfile inside the context specified by parameter - path-context - name: dockerfile - type: string - - default: "false" - description: Force rebuild image - name: rebuild - type: string - - default: "false" - description: Skip checks against built image - name: skip-checks - type: string - - default: "false" - description: Execute the build with network isolation - name: hermetic - type: string - - default: "" - description: Build dependencies to be prefetched by Cachi2 - name: prefetch-input - type: string - - default: "false" - description: Java build - name: java - type: string - - default: "" - description: Image tag expiration time, time values could be something like - 1h, 2d, 3w for hours, days, and weeks, respectively. - name: image-expires-after - - default: "false" - description: Build a source image. - name: build-source-image - type: string + - description: Source Repository URL + name: git-url + type: string + - default: "" + description: Revision of the Source Repository + name: revision + type: string + - description: Fully Qualified Output Image + name: output-image + type: string + - default: . + description: Path to the source code of an application's component from where + to build image. 
+ name: path-context + type: string + - default: Dockerfile + description: Path to the Dockerfile inside the context specified by parameter + path-context + name: dockerfile + type: string + - default: "false" + description: Force rebuild image + name: rebuild + type: string + - default: "false" + description: Skip checks against built image + name: skip-checks + type: string + - default: "false" + description: Execute the build with network isolation + name: hermetic + type: string + - default: "" + description: Build dependencies to be prefetched by Cachi2 + name: prefetch-input + type: string + - default: "false" + description: Java build + name: java + type: string + - default: "" + description: Image tag expiration time, time values could be something like + 1h, 2d, 3w for hours, days, and weeks, respectively. + name: image-expires-after + type: string + - default: "false" + description: Build a source image. + name: build-source-image + type: string + - default: "" + description: Build stage to target in container build + name: build-target-stage + type: string + results: - - description: "" - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) - - description: "" - name: IMAGE_DIGEST - value: $(tasks.build-container.results.IMAGE_DIGEST) - - description: "" - name: CHAINS-GIT_URL - value: $(tasks.clone-repository.results.url) - - description: "" - name: CHAINS-GIT_COMMIT - value: $(tasks.clone-repository.results.commit) - - description: "" - name: JAVA_COMMUNITY_DEPENDENCIES - value: $(tasks.build-container.results.JAVA_COMMUNITY_DEPENDENCIES) + - description: "" + name: IMAGE_URL + value: $(tasks.build-container.results.IMAGE_URL) + - description: "" + name: IMAGE_DIGEST + value: $(tasks.build-container.results.IMAGE_DIGEST) + - description: "" + name: CHAINS-GIT_URL + value: $(tasks.clone-repository.results.url) + - description: "" + name: CHAINS-GIT_COMMIT + value: $(tasks.clone-repository.results.commit) + - description: "" + name: 
JAVA_COMMUNITY_DEPENDENCIES + value: $(tasks.build-container.results.JAVA_COMMUNITY_DEPENDENCIES) + + workspaces: + - name: workspace + - name: git-auth + tasks: - - name: init - params: - - name: image-url - value: $(params.output-image) - - name: rebuild - value: $(params.rebuild) - - name: skip-checks - value: $(params.skip-checks) - taskRef: + + - name: init params: - - name: name - value: init - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-init:0.2@sha256:3d8f01fa59596a998d30dc700fcf7377f09d60008337290eebaeaf604512ce2b - - name: kind - value: task - resolver: bundles - - name: clone-repository - params: - - name: url - value: $(params.git-url) - - name: revision - value: $(params.revision) - runAfter: - - init - taskRef: + - name: image-url + value: $(params.output-image) + - name: rebuild + value: $(params.rebuild) + - name: skip-checks + value: $(params.skip-checks) + taskRef: + params: + - name: name + value: init + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-init:0.2@sha256:3d8f01fa59596a998d30dc700fcf7377f09d60008337290eebaeaf604512ce2b + - name: kind + value: task + resolver: bundles + + - name: clone-repository params: - - name: name - value: git-clone - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-git-clone:0.1@sha256:982e53397367ea9680b5cc543f5cbfc8e90124ffb463551eea33e4477d0a7ec6 - - name: kind - value: task - resolver: bundles - when: - - input: $(tasks.init.results.build) - operator: in - values: - - "true" - workspaces: - - name: output - workspace: workspace - - name: basic-auth - workspace: git-auth - - name: prefetch-dependencies - params: - - name: input - value: $(params.prefetch-input) - runAfter: - - clone-repository - taskRef: + - name: url + value: $(params.git-url) + - name: revision + value: $(params.revision) + # A shallow repo clone is sufficient for scanner-db-slim build. 
+ - name: depth + value: "1" + - name: fetchTags + value: "false" + runAfter: + - init + taskRef: + params: + - name: name + value: git-clone + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-git-clone:0.1@sha256:ddc1b741a59e24817b24f190aab820700b6a8cf78cdd1827c403375bdba8aeee + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: [ "true" ] + workspaces: + - name: output + workspace: workspace + - name: basic-auth + workspace: git-auth + + - name: prefetch-dependencies params: - - name: name - value: prefetch-dependencies - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-prefetch-dependencies:0.1@sha256:e29adab9f66415b3be2e89e154c03ec685900fdad90051a555d7d027f94f874e - - name: kind - value: task - resolver: bundles - when: - - input: $(params.hermetic) - operator: in - values: - - "true" - workspaces: - - name: source - workspace: workspace - - name: build-container - params: - - name: IMAGE - value: $(params.output-image) - - name: DOCKERFILE - value: $(params.dockerfile) - - name: CONTEXT - value: $(params.path-context) - - name: HERMETIC - value: $(params.hermetic) - - name: PREFETCH_INPUT - value: $(params.prefetch-input) - - name: IMAGE_EXPIRES_AFTER - value: $(params.image-expires-after) - - name: COMMIT_SHA - value: $(tasks.clone-repository.results.commit) - runAfter: - - prefetch-dependencies - taskRef: + - name: input + value: $(params.prefetch-input) + runAfter: + - clone-repository + taskRef: + params: + - name: name + value: prefetch-dependencies + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-prefetch-dependencies:0.1@sha256:e29adab9f66415b3be2e89e154c03ec685900fdad90051a555d7d027f94f874e + - name: kind + value: task + resolver: bundles + workspaces: + - name: source + workspace: workspace + + - name: build-container params: - - name: name - value: buildah - - name: bundle - value: 
quay.io/redhat-appstudio-tekton-catalog/task-buildah:0.1@sha256:cfb32c9f1ec9c217bc81389d6aeacdb9e7a092a7fa86d4fed7b6fbb2612f5c1d - - name: kind - value: task - resolver: bundles - when: - - input: $(tasks.init.results.build) - operator: in - values: - - "true" - workspaces: - - name: source - workspace: workspace - - name: build-source-image - params: - - name: BINARY_IMAGE - value: $(params.output-image) - - name: BASE_IMAGES - value: $(tasks.build-container.results.BASE_IMAGES_DIGESTS) - runAfter: - - build-container - taskRef: + - name: IMAGE + value: $(params.output-image) + - name: DOCKERFILE + value: $(params.dockerfile) + - name: CONTEXT + value: $(params.path-context) + - name: HERMETIC + value: $(params.hermetic) + - name: PREFETCH_INPUT + value: $(params.prefetch-input) + - name: IMAGE_EXPIRES_AFTER + value: $(params.image-expires-after) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + - name: TARGET_STAGE + value: $(params.build-target-stage) + runAfter: + - prefetch-dependencies + taskRef: + params: + - name: name + value: buildah + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-buildah:0.1@sha256:cfb32c9f1ec9c217bc81389d6aeacdb9e7a092a7fa86d4fed7b6fbb2612f5c1d + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: [ "true" ] + workspaces: + - name: source + workspace: workspace + + - name: build-source-image params: - - name: name - value: source-build - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-source-build:0.1@sha256:e831f3e10362ecb21910f45ff48c3af1c0c8bea4858ca25f4f436153499f9802 - - name: kind - value: task - resolver: bundles - when: - - input: $(tasks.init.results.build) - operator: in - values: - - "true" - - input: $(params.build-source-image) - operator: in - values: - - "true" - workspaces: - - name: workspace - workspace: workspace - - name: deprecated-base-image-check - params: - - name: 
BASE_IMAGES_DIGESTS - value: $(tasks.build-container.results.BASE_IMAGES_DIGESTS) - runAfter: - - build-container - taskRef: + - name: BINARY_IMAGE + value: $(params.output-image) + - name: BASE_IMAGES + value: $(tasks.build-container.results.BASE_IMAGES_DIGESTS) + runAfter: + - build-container + taskRef: + params: + - name: name + value: source-build + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-source-build:0.1@sha256:e831f3e10362ecb21910f45ff48c3af1c0c8bea4858ca25f4f436153499f9802 + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: [ "true" ] + - input: $(params.build-source-image) + operator: in + values: [ "true" ] + workspaces: + - name: workspace + workspace: workspace + + - name: deprecated-base-image-check params: - - name: name - value: deprecated-image-check - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-deprecated-image-check:0.3@sha256:ba55ff56b8718406278d72fd5e3de88da110dd4391aa7581923b8d219a29f841 - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: - - "false" - - name: clair-scan - params: - - name: image-digest - value: $(tasks.build-container.results.IMAGE_DIGEST) - - name: image-url - value: $(tasks.build-container.results.IMAGE_URL) - runAfter: - - build-container - taskRef: + - name: BASE_IMAGES_DIGESTS + value: $(tasks.build-container.results.BASE_IMAGES_DIGESTS) + runAfter: + - build-container + taskRef: + params: + - name: name + value: deprecated-image-check + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-deprecated-image-check:0.3@sha256:ba55ff56b8718406278d72fd5e3de88da110dd4391aa7581923b8d219a29f841 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: [ "false" ] + + - name: clair-scan params: - - name: name - value: clair-scan - - name: bundle - value: 
quay.io/redhat-appstudio-tekton-catalog/task-clair-scan:0.1@sha256:5097b69c7b8ed19bbc09b3b119214305ed382a185aece344806875e6c43203b8 - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: - - "false" - - name: ecosystem-cert-preflight-checks - params: - - name: image-url - value: $(tasks.build-container.results.IMAGE_URL) - runAfter: - - build-container - taskRef: + - name: image-digest + value: $(tasks.build-container.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-container.results.IMAGE_URL) + runAfter: + - build-container + taskRef: + params: + - name: name + value: clair-scan + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-clair-scan:0.1@sha256:5097b69c7b8ed19bbc09b3b119214305ed382a185aece344806875e6c43203b8 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: [ "false" ] + + - name: sast-snyk-check + runAfter: + - clone-repository + taskRef: + params: + - name: name + value: sast-snyk-check + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-sast-snyk-check:0.1@sha256:422177f6fffa55284a30ddc4a26dca1462aee34a479529b9e2b52a5bb39606a4 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: [ "false" ] + workspaces: + - name: workspace + workspace: workspace + + - name: clamav-scan params: - - name: name - value: ecosystem-cert-preflight-checks - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-ecosystem-cert-preflight-checks:0.1@sha256:4bcabe436ddbef6af8f8108ee234d83e116e63e91f64a77191e1492db11bf56b - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: - - "false" - - name: sast-snyk-check - runAfter: - - clone-repository - taskRef: + - name: image-digest + value: $(tasks.build-container.results.IMAGE_DIGEST) + - name: image-url + value: 
$(tasks.build-container.results.IMAGE_URL) + runAfter: + - build-container + taskRef: + params: + - name: name + value: clamav-scan + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-clamav-scan:0.1@sha256:628847d30ce0dc05ce9c62ae1161ba54d27de125b59e867d485ca0e0c68e11e4 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: [ "false" ] + + - name: sbom-json-check params: - - name: name - value: sast-snyk-check - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-sast-snyk-check:0.1@sha256:422177f6fffa55284a30ddc4a26dca1462aee34a479529b9e2b52a5bb39606a4 - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: - - "false" - workspaces: - - name: workspace - workspace: workspace - - name: clamav-scan - params: - - name: image-digest - value: $(tasks.build-container.results.IMAGE_DIGEST) - - name: image-url - value: $(tasks.build-container.results.IMAGE_URL) - runAfter: - - build-container - taskRef: - params: - - name: name - value: clamav-scan - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-clamav-scan:0.1@sha256:628847d30ce0dc05ce9c62ae1161ba54d27de125b59e867d485ca0e0c68e11e4 - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: - - "false" - - name: sbom-json-check - params: - - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) - - name: IMAGE_DIGEST - value: $(tasks.build-container.results.IMAGE_DIGEST) - runAfter: - - build-container - taskRef: - params: - - name: name - value: sbom-json-check - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-sbom-json-check:0.1@sha256:e5202b2f610fcf36793e410336bd5b9764999abb29b3cd29007f6c68dd7725af - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: - - "false" - workspaces: - - name: 
workspace - - name: git-auth - optional: true - taskRunTemplate: {} - workspaces: - - name: workspace - volumeClaimTemplate: - metadata: - creationTimestamp: null - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 1Gi - status: {} - - name: git-auth - secret: - secretName: '{{ git_auth_secret }}' -status: {} + - name: IMAGE_URL + value: $(tasks.build-container.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-container.results.IMAGE_DIGEST) + runAfter: + - build-container + taskRef: + params: + - name: name + value: sbom-json-check + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-sbom-json-check:0.1@sha256:e5202b2f610fcf36793e410336bd5b9764999abb29b3cd29007f6c68dd7725af + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: [ "false" ] + + taskRunTemplate: { } + +status: { } diff --git a/.tekton/scanner-pull-request.yaml b/.tekton/scanner-pull-request.yaml index 4f3e9f45c..5ca41ce7e 100644 --- a/.tekton/scanner-pull-request.yaml +++ b/.tekton/scanner-pull-request.yaml @@ -37,6 +37,8 @@ spec: value: '{"type": "gomod", "path": "."}' - name: build-source-image value: 'true' + - name: build-target-stage + value: scanner workspaces: - name: workspace @@ -140,6 +142,10 @@ spec: description: Build a source image. name: build-source-image type: string + - default: "" + description: Build stage to target in container build + name: build-target-stage + type: string results: - description: "" @@ -269,6 +275,8 @@ spec: value: $(params.image-expires-after) - name: COMMIT_SHA value: $(tasks.clone-repository.results.commit) + - name: TARGET_STAGE + value: $(params.build-target-stage) runAfter: - prefetch-dependencies - fetch-vuln-feed-data diff --git a/.tekton/scanner-push.yaml b/.tekton/scanner-push.yaml index 8ec4eb2b8..e5fbd04e2 100644 --- a/.tekton/scanner-push.yaml +++ b/.tekton/scanner-push.yaml 
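Review bot: The new `build-target-stage` pipeline parameter defaults to `""`, and the description `Build stage to target in container build` does not say what an empty value does once it is passed through as `TARGET_STAGE` to the buildah task; presumably the build then falls through to the Dockerfile's last stage, which for a multi-target konflux.Dockerfile is not necessarily the image this pipeline is named after. Suggest stating the contract in the description, e.g. `description: Build stage to target in container build (empty builds the Dockerfile's final stage; set it explicitly for multi-target Dockerfiles)`, or dropping the default so a run without the value fails fast instead of silently building the wrong target. The same parameter block appears in the scanner-push.yaml hunks that follow and in the new scanner-slim-pull-request.yaml and scanner-slim-push.yaml files.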
@@ -36,6 +36,8 @@ spec: value: '{"type": "gomod", "path": "."}' - name: build-source-image value: 'true' + - name: build-target-stage + value: scanner workspaces: - name: workspace @@ -139,6 +141,10 @@ spec: description: Build a source image. name: build-source-image type: string + - default: "" + description: Build stage to target in container build + name: build-target-stage + type: string results: - description: "" @@ -268,6 +274,8 @@ spec: value: $(params.image-expires-after) - name: COMMIT_SHA value: $(tasks.clone-repository.results.commit) + - name: TARGET_STAGE + value: $(params.build-target-stage) runAfter: - prefetch-dependencies - fetch-vuln-feed-data diff --git a/.tekton/scanner-slim-pull-request.yaml b/.tekton/scanner-slim-pull-request.yaml new file mode 100644 index 000000000..e660ff9d5 --- /dev/null +++ b/.tekton/scanner-slim-pull-request.yaml 
@@ -0,0 +1,434 @@ +apiVersion: tekton.dev/v1 +kind: PipelineRun +metadata: + annotations: + build.appstudio.openshift.io/repo: https://github.com/stackrox/scanner?rev={{revision}} + build.appstudio.redhat.com/commit_sha: '{{revision}}' + build.appstudio.redhat.com/pull_request_number: '{{pull_request_number}}' + build.appstudio.redhat.com/target_branch: '{{target_branch}}' + pipelinesascode.tekton.dev/max-keep-runs: "500" + # TODO(ROX-21073): re-enable for all PR branches + pipelinesascode.tekton.dev/on-cel-expression: event == "pull_request" && (source_branch.contains("rhtap") || source_branch.contains("konflux")) + creationTimestamp: null + labels: + appstudio.openshift.io/application: acs + appstudio.openshift.io/component: scanner-slim + pipelines.appstudio.openshift.io/type: build + name: scanner-slim-on-pull-request + namespace: rh-acs-tenant +spec: + params: + - name: dockerfile + value: image/scanner/rhel/konflux.Dockerfile + - name: git-url + value: '{{repo_url}}' + - name: image-expires-after + value: '13w' + - name: output-image + value: quay.io/redhat-user-workloads/rh-acs-tenant/acs/scanner-slim:on-pr-{{revision}} + - name: path-context + value: . 
+ - name: revision + value: '{{revision}}' + - name: rebuild + value: 'true' + - name: prefetch-input + value: '{"type": "gomod", "path": "."}' + - name: build-source-image + value: 'true' + - name: build-target-stage + value: scanner-slim + + workspaces: + - name: workspace + volumeClaimTemplate: + metadata: + creationTimestamp: null + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi + status: {} + - name: git-auth + secret: + secretName: '{{ git_auth_secret }}' + + pipelineSpec: + + finally: + - name: show-sbom + params: + - name: IMAGE_URL + value: $(tasks.build-container.results.IMAGE_URL) + taskRef: + params: + - name: name + value: show-sbom + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-show-sbom:0.1@sha256:82737c8d365c620295fa526d21a481d4614f657800175ddc0ccd7846c54207f8 + - name: kind + value: task + resolver: bundles + - name: show-summary + params: + - name: pipelinerun-name + value: $(context.pipelineRun.name) + - name: git-url + value: $(tasks.clone-repository.results.url)?rev=$(tasks.clone-repository.results.commit) + - name: image-url + value: $(params.output-image) + - name: build-task-status + value: $(tasks.build-container.status) + taskRef: + params: + - name: name + value: summary + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-summary:0.1@sha256:789b3b20a7de149213d6fa7ac05af13229b1c34f74e1b93d1b42eb3d3df2d0d8 + - name: kind + value: task + resolver: bundles + + params: + - description: Source Repository URL + name: git-url + type: string + - default: "" + description: Revision of the Source Repository + name: revision + type: string + - description: Fully Qualified Output Image + name: output-image + type: string + - default: . + description: Path to the source code of an application's component from where + to build image. 
+ name: path-context + type: string + - default: Dockerfile + description: Path to the Dockerfile inside the context specified by parameter + path-context + name: dockerfile + type: string + - default: "false" + description: Force rebuild image + name: rebuild + type: string + - default: "false" + description: Skip checks against built image + name: skip-checks + type: string + - default: "false" + description: Execute the build with network isolation + name: hermetic + type: string + - default: "" + description: Build dependencies to be prefetched by Cachi2 + name: prefetch-input + type: string + - default: "false" + description: Java build + name: java + type: string + - default: "" + description: Image tag expiration time, time values could be something like + 1h, 2d, 3w for hours, days, and weeks, respectively. + name: image-expires-after + type: string + - default: "false" + description: Build a source image. + name: build-source-image + type: string + - default: "" + description: Build stage to target in container build + name: build-target-stage + type: string + results: + - description: "" + name: IMAGE_URL + value: $(tasks.build-container.results.IMAGE_URL) + - description: "" + name: IMAGE_DIGEST + value: $(tasks.build-container.results.IMAGE_DIGEST) + - description: "" + name: CHAINS-GIT_URL + value: $(tasks.clone-repository.results.url) + - description: "" + name: CHAINS-GIT_COMMIT + value: $(tasks.clone-repository.results.commit) + - description: "" + name: JAVA_COMMUNITY_DEPENDENCIES + value: $(tasks.build-container.results.JAVA_COMMUNITY_DEPENDENCIES) + + workspaces: + - name: workspace + - name: git-auth + + tasks: + + - name: init + params: + - name: image-url + value: $(params.output-image) + - name: rebuild + value: $(params.rebuild) + - name: skip-checks + value: $(params.skip-checks) + taskRef: + params: + - name: name + value: init + - name: bundle + value: 
quay.io/redhat-appstudio-tekton-catalog/task-init:0.2@sha256:3d8f01fa59596a998d30dc700fcf7377f09d60008337290eebaeaf604512ce2b + - name: kind + value: task + resolver: bundles + - name: clone-repository + params: + - name: url + value: $(params.git-url) + - name: revision + value: $(params.revision) + - name: depth + value: "0" + - name: fetchTags + value: "true" + runAfter: + - init + taskRef: + params: + - name: name + value: git-clone + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-git-clone:0.1@sha256:ddc1b741a59e24817b24f190aab820700b6a8cf78cdd1827c403375bdba8aeee + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: + - "true" + workspaces: + - name: output + workspace: workspace + - name: basic-auth + workspace: git-auth + - name: prefetch-dependencies + params: + - name: input + value: $(params.prefetch-input) + runAfter: + - clone-repository + taskRef: + params: + - name: name + value: prefetch-dependencies + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-prefetch-dependencies:0.1@sha256:e29adab9f66415b3be2e89e154c03ec685900fdad90051a555d7d027f94f874e + - name: kind + value: task + resolver: bundles + workspaces: + - name: source + workspace: workspace + + - name: fetch-vuln-feed-data + runAfter: + - init + - clone-repository + taskSpec: + steps: + - name: fetch-vuln-feed-data + image: registry.access.redhat.com/ubi8-minimal:latest + script: | + #!/usr/bin/env bash + "$(workspaces.source.path)/source/scripts/konflux/fetch-scanner-data.sh" \ + "$(workspaces.source.path)/source" \ + nvd-definitions.zip \ + k8s-definitions.zip \ + repo2cpe.zip \ + genesis_manifests.json + workspaces: + - name: source + workspace: workspace + + - name: build-container + params: + - name: IMAGE + value: $(params.output-image) + - name: DOCKERFILE + value: $(params.dockerfile) + - name: CONTEXT + value: $(params.path-context) + - name: HERMETIC + value: 
$(params.hermetic) + - name: PREFETCH_INPUT + value: $(params.prefetch-input) + - name: IMAGE_EXPIRES_AFTER + value: $(params.image-expires-after) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + - name: TARGET_STAGE + value: $(params.build-target-stage) + runAfter: + - prefetch-dependencies + - fetch-vuln-feed-data + taskRef: + params: + - name: name + value: buildah + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-buildah:0.1@sha256:cfb32c9f1ec9c217bc81389d6aeacdb9e7a092a7fa86d4fed7b6fbb2612f5c1d + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: + - "true" + workspaces: + - name: source + workspace: workspace + - name: build-source-image + params: + - name: BINARY_IMAGE + value: $(params.output-image) + - name: BASE_IMAGES + value: $(tasks.build-container.results.BASE_IMAGES_DIGESTS) + runAfter: + - build-container + taskRef: + params: + - name: name + value: source-build + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-source-build:0.1@sha256:e831f3e10362ecb21910f45ff48c3af1c0c8bea4858ca25f4f436153499f9802 + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: + - "true" + - input: $(params.build-source-image) + operator: in + values: + - "true" + workspaces: + - name: workspace + workspace: workspace + - name: deprecated-base-image-check + params: + - name: BASE_IMAGES_DIGESTS + value: $(tasks.build-container.results.BASE_IMAGES_DIGESTS) + runAfter: + - build-container + taskRef: + params: + - name: name + value: deprecated-image-check + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-deprecated-image-check:0.3@sha256:ba55ff56b8718406278d72fd5e3de88da110dd4391aa7581923b8d219a29f841 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: clair-scan + params: + 
- name: image-digest + value: $(tasks.build-container.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-container.results.IMAGE_URL) + runAfter: + - build-container + taskRef: + params: + - name: name + value: clair-scan + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-clair-scan:0.1@sha256:5097b69c7b8ed19bbc09b3b119214305ed382a185aece344806875e6c43203b8 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-snyk-check + runAfter: + - clone-repository + taskRef: + params: + - name: name + value: sast-snyk-check + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-sast-snyk-check:0.1@sha256:422177f6fffa55284a30ddc4a26dca1462aee34a479529b9e2b52a5bb39606a4 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + workspaces: + - name: workspace + workspace: workspace + - name: clamav-scan + params: + - name: image-digest + value: $(tasks.build-container.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-container.results.IMAGE_URL) + runAfter: + - build-container + taskRef: + params: + - name: name + value: clamav-scan + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-clamav-scan:0.1@sha256:628847d30ce0dc05ce9c62ae1161ba54d27de125b59e867d485ca0e0c68e11e4 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sbom-json-check + params: + - name: IMAGE_URL + value: $(tasks.build-container.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-container.results.IMAGE_DIGEST) + runAfter: + - build-container + taskRef: + params: + - name: name + value: sbom-json-check + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-sbom-json-check:0.1@sha256:e5202b2f610fcf36793e410336bd5b9764999abb29b3cd29007f6c68dd7725af + - name: 
kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + +status: { } + +taskRunTemplate: { } diff --git a/.tekton/scanner-slim-push.yaml b/.tekton/scanner-slim-push.yaml new file mode 100644 index 000000000..423227db4 --- /dev/null +++ b/.tekton/scanner-slim-push.yaml 
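Review bot: The inline `fetch-vuln-feed-data` task runs `registry.access.redhat.com/ubi8-minimal:latest`, a mutable tag, while every other task in this pipeline is pinned to a bundle by `@sha256:` digest; the step that fetches the vulnerability definitions the build consumes is therefore the one input the build provenance cannot tie to a fixed image. Pin it by digest, `image: registry.access.redhat.com/ubi8-minimal@sha256:<digest-placeholder>`, so the same commit resolves to the same step image on every run. Separately, the trailing `taskRunTemplate: { }` is printed after `status: { }`, which suggests it sits at the document's top level rather than under `spec`, where `taskRunTemplate` belongs on a tekton.dev/v1 PipelineRun — the scanner-db-slim file in this same commit keeps it inside `spec`, so the indentation here is worth confirming. Both points apply equally to scanner-slim-push.yaml.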
@@ -0,0 +1,433 @@ +apiVersion: tekton.dev/v1 +kind: PipelineRun +metadata: + annotations: + build.appstudio.openshift.io/repo: https://github.com/stackrox/scanner?rev={{revision}} + build.appstudio.redhat.com/commit_sha: '{{revision}}' + build.appstudio.redhat.com/target_branch: '{{target_branch}}' + pipelinesascode.tekton.dev/max-keep-runs: "500" + pipelinesascode.tekton.dev/on-cel-expression: event == "push" && target_branch == "master" + creationTimestamp: null + labels: + appstudio.openshift.io/application: acs + appstudio.openshift.io/component: scanner-slim + pipelines.appstudio.openshift.io/type: build + name: scanner-slim-on-push + namespace: rh-acs-tenant +spec: + params: + - name: dockerfile + value: image/scanner/rhel/konflux.Dockerfile + - name: git-url + value: '{{repo_url}}' + - name: image-expires-after + # TODO(ROX-20230): make release images not expire. + value: '13w' + - name: output-image + value: quay.io/redhat-user-workloads/rh-acs-tenant/acs/scanner-slim:{{revision}} + - name: path-context + value: . 
+ - name: revision + value: '{{revision}}' + - name: rebuild + value: 'true' + - name: prefetch-input + value: '{"type": "gomod", "path": "."}' + - name: build-source-image + value: 'true' + - name: build-target-stage + value: scanner-slim + + workspaces: + - name: workspace + volumeClaimTemplate: + metadata: + creationTimestamp: null + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi + status: {} + - name: git-auth + secret: + secretName: '{{ git_auth_secret }}' + + pipelineSpec: + + finally: + - name: show-sbom + params: + - name: IMAGE_URL + value: $(tasks.build-container.results.IMAGE_URL) + taskRef: + params: + - name: name + value: show-sbom + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-show-sbom:0.1@sha256:82737c8d365c620295fa526d21a481d4614f657800175ddc0ccd7846c54207f8 + - name: kind + value: task + resolver: bundles + - name: show-summary + params: + - name: pipelinerun-name + value: $(context.pipelineRun.name) + - name: git-url + value: $(tasks.clone-repository.results.url)?rev=$(tasks.clone-repository.results.commit) + - name: image-url + value: $(params.output-image) + - name: build-task-status + value: $(tasks.build-container.status) + taskRef: + params: + - name: name + value: summary + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-summary:0.1@sha256:789b3b20a7de149213d6fa7ac05af13229b1c34f74e1b93d1b42eb3d3df2d0d8 + - name: kind + value: task + resolver: bundles + + params: + - description: Source Repository URL + name: git-url + type: string + - default: "" + description: Revision of the Source Repository + name: revision + type: string + - description: Fully Qualified Output Image + name: output-image + type: string + - default: . + description: Path to the source code of an application's component from where + to build image. 
+ name: path-context + type: string + - default: Dockerfile + description: Path to the Dockerfile inside the context specified by parameter + path-context + name: dockerfile + type: string + - default: "false" + description: Force rebuild image + name: rebuild + type: string + - default: "false" + description: Skip checks against built image + name: skip-checks + type: string + - default: "false" + description: Execute the build with network isolation + name: hermetic + type: string + - default: "" + description: Build dependencies to be prefetched by Cachi2 + name: prefetch-input + type: string + - default: "false" + description: Java build + name: java + type: string + - default: "" + description: Image tag expiration time, time values could be something like + 1h, 2d, 3w for hours, days, and weeks, respectively. + name: image-expires-after + type: string + - default: "false" + description: Build a source image. + name: build-source-image + type: string + - default: "" + description: Build stage to target in container build + name: build-target-stage + type: string + results: + - description: "" + name: IMAGE_URL + value: $(tasks.build-container.results.IMAGE_URL) + - description: "" + name: IMAGE_DIGEST + value: $(tasks.build-container.results.IMAGE_DIGEST) + - description: "" + name: CHAINS-GIT_URL + value: $(tasks.clone-repository.results.url) + - description: "" + name: CHAINS-GIT_COMMIT + value: $(tasks.clone-repository.results.commit) + - description: "" + name: JAVA_COMMUNITY_DEPENDENCIES + value: $(tasks.build-container.results.JAVA_COMMUNITY_DEPENDENCIES) + + workspaces: + - name: workspace + - name: git-auth + + tasks: + + - name: init + params: + - name: image-url + value: $(params.output-image) + - name: rebuild + value: $(params.rebuild) + - name: skip-checks + value: $(params.skip-checks) + taskRef: + params: + - name: name + value: init + - name: bundle + value: 
quay.io/redhat-appstudio-tekton-catalog/task-init:0.2@sha256:3d8f01fa59596a998d30dc700fcf7377f09d60008337290eebaeaf604512ce2b + - name: kind + value: task + resolver: bundles + - name: clone-repository + params: + - name: url + value: $(params.git-url) + - name: revision + value: $(params.revision) + - name: depth + value: "0" + - name: fetchTags + value: "true" + runAfter: + - init + taskRef: + params: + - name: name + value: git-clone + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-git-clone:0.1@sha256:ddc1b741a59e24817b24f190aab820700b6a8cf78cdd1827c403375bdba8aeee + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: + - "true" + workspaces: + - name: output + workspace: workspace + - name: basic-auth + workspace: git-auth + - name: prefetch-dependencies + params: + - name: input + value: $(params.prefetch-input) + runAfter: + - clone-repository + taskRef: + params: + - name: name + value: prefetch-dependencies + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-prefetch-dependencies:0.1@sha256:e29adab9f66415b3be2e89e154c03ec685900fdad90051a555d7d027f94f874e + - name: kind + value: task + resolver: bundles + workspaces: + - name: source + workspace: workspace + + - name: fetch-vuln-feed-data + runAfter: + - init + - clone-repository + taskSpec: + steps: + - name: fetch-vuln-feed-data + image: registry.access.redhat.com/ubi8-minimal:latest + script: | + #!/usr/bin/env bash + "$(workspaces.source.path)/source/scripts/konflux/fetch-scanner-data.sh" \ + "$(workspaces.source.path)/source" \ + nvd-definitions.zip \ + k8s-definitions.zip \ + repo2cpe.zip \ + genesis_manifests.json + workspaces: + - name: source + workspace: workspace + + - name: build-container + params: + - name: IMAGE + value: $(params.output-image) + - name: DOCKERFILE + value: $(params.dockerfile) + - name: CONTEXT + value: $(params.path-context) + - name: HERMETIC + value: 
$(params.hermetic) + - name: PREFETCH_INPUT + value: $(params.prefetch-input) + - name: IMAGE_EXPIRES_AFTER + value: $(params.image-expires-after) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + - name: TARGET_STAGE + value: $(params.build-target-stage) + runAfter: + - prefetch-dependencies + - fetch-vuln-feed-data + taskRef: + params: + - name: name + value: buildah + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-buildah:0.1@sha256:cfb32c9f1ec9c217bc81389d6aeacdb9e7a092a7fa86d4fed7b6fbb2612f5c1d + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: + - "true" + workspaces: + - name: source + workspace: workspace + - name: build-source-image + params: + - name: BINARY_IMAGE + value: $(params.output-image) + - name: BASE_IMAGES + value: $(tasks.build-container.results.BASE_IMAGES_DIGESTS) + runAfter: + - build-container + taskRef: + params: + - name: name + value: source-build + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-source-build:0.1@sha256:e831f3e10362ecb21910f45ff48c3af1c0c8bea4858ca25f4f436153499f9802 + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: + - "true" + - input: $(params.build-source-image) + operator: in + values: + - "true" + workspaces: + - name: workspace + workspace: workspace + - name: deprecated-base-image-check + params: + - name: BASE_IMAGES_DIGESTS + value: $(tasks.build-container.results.BASE_IMAGES_DIGESTS) + runAfter: + - build-container + taskRef: + params: + - name: name + value: deprecated-image-check + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-deprecated-image-check:0.3@sha256:ba55ff56b8718406278d72fd5e3de88da110dd4391aa7581923b8d219a29f841 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: clair-scan + params: + 
- name: image-digest + value: $(tasks.build-container.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-container.results.IMAGE_URL) + runAfter: + - build-container + taskRef: + params: + - name: name + value: clair-scan + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-clair-scan:0.1@sha256:5097b69c7b8ed19bbc09b3b119214305ed382a185aece344806875e6c43203b8 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-snyk-check + runAfter: + - clone-repository + taskRef: + params: + - name: name + value: sast-snyk-check + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-sast-snyk-check:0.1@sha256:422177f6fffa55284a30ddc4a26dca1462aee34a479529b9e2b52a5bb39606a4 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + workspaces: + - name: workspace + workspace: workspace + - name: clamav-scan + params: + - name: image-digest + value: $(tasks.build-container.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-container.results.IMAGE_URL) + runAfter: + - build-container + taskRef: + params: + - name: name + value: clamav-scan + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-clamav-scan:0.1@sha256:628847d30ce0dc05ce9c62ae1161ba54d27de125b59e867d485ca0e0c68e11e4 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sbom-json-check + params: + - name: IMAGE_URL + value: $(tasks.build-container.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-container.results.IMAGE_DIGEST) + runAfter: + - build-container + taskRef: + params: + - name: name + value: sbom-json-check + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-sbom-json-check:0.1@sha256:e5202b2f610fcf36793e410336bd5b9764999abb29b3cd29007f6c68dd7725af + - name: 
kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + +status: { } + +taskRunTemplate: { } diff --git a/image/db/rhel/konflux.Dockerfile b/image/db/rhel/konflux.Dockerfile index d848356fd..7077477e5 100644 --- a/image/db/rhel/konflux.Dockerfile +++ b/image/db/rhel/konflux.Dockerfile @@ -1,14 +1,11 @@ -FROM registry.redhat.io/rhel8/postgresql-12:latest +FROM registry.redhat.io/rhel8/postgresql-12:latest AS scanner-db-common LABEL \ - com.redhat.component="rhacs-scanner-db-container" \ com.redhat.license_terms="https://www.redhat.com/agreements" \ description="Scanner Database Image for Red Hat Advanced Cluster Security for Kubernetes" \ io.k8s.description="Scanner Database Image for Red Hat Advanced Cluster Security for Kubernetes" \ - io.k8s.display-name="scanner-db" \ io.openshift.tags="rhacs,scanner-db,stackrox" \ maintainer="Red Hat, Inc." \ - name="rhacs-scanner-db-rhel8" \ source-location="https://github.com/stackrox/scanner" \ summary="Scanner DB for RHACS" \ url="https://catalog.redhat.com/software/container-stacks/detail/60eefc88ee05ae7c5b8f041c" \ @@ -38,9 +35,6 @@ RUN dnf upgrade -y --nobest && \ rm -rf /var/cache/dnf /var/cache/yum && \ chmod +x /usr/local/bin/docker-entrypoint.sh -COPY blob-pg-definitions.sql.gz \ - /docker-entrypoint-initdb.d/definitions.sql.gz - ENV PG_MAJOR=12 \ PGDATA="/var/lib/postgresql/data/pgdata" 
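Review bot: The common stage still builds from `registry.redhat.io/rhel8/postgresql-12:latest`, so scanner-db and scanner-db-slim both float on whatever `latest` resolves to at build time, and two pipeline runs of the same commit can end up on different bases. The pipeline does capture what was used (`BASE_IMAGES_DIGESTS` feeds source-build and deprecated-image-check), but that records the base rather than controlling it; pin it, `FROM registry.redhat.io/rhel8/postgresql-12:latest@sha256:<digest> AS scanner-db-common`, and let a bot bump the digest. If a floating tag is deliberate so base updates are picked up automatically, say so above the FROM line, e.g. `# NOTE: floating tag; the resolved digest is recorded in the build's BASE_IMAGES_DIGESTS result`.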
@@ -50,3 +44,22 @@ EXPOSE 5432 CMD ["postgres", "-c", "config_file=/etc/postgresql.conf"] USER 70:70 + +FROM scanner-db-common AS scanner-db-slim + +LABEL \ + com.redhat.component="rhacs-scanner-db-slim-container" \ + io.k8s.display-name="scanner-db-slim" \ + name="rhacs-scanner-db-slim-rhel8" + +ENV ROX_SLIM_MODE="true" + +FROM scanner-db-common AS scanner-db + +LABEL \ + com.redhat.component="rhacs-scanner-db-container" \ + io.k8s.display-name="scanner-db" \ + name="rhacs-scanner-db-rhel8" + +COPY --chown=0:0 blob-pg-definitions.sql.gz \ + /docker-entrypoint-initdb.d/definitions.sql.gz diff --git a/image/scanner/rhel/konflux.Dockerfile b/image/scanner/rhel/konflux.Dockerfile index 066fb6dfd..f8cf87f9b 100644 --- a/image/scanner/rhel/konflux.Dockerfile +++ b/image/scanner/rhel/konflux.Dockerfile @@ -2,7 +2,8 @@ ARG BASE_REGISTRY=registry.access.redhat.com ARG BASE_IMAGE=ubi8-minimal ARG BASE_TAG=latest -FROM brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_8_1.20 as builder +# Compiling scanner binaries and staging repo2cpe and genesis manifests +FROM brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_8_1.20 AS builder ENV CGO_ENABLED=1 ENV GOFLAGS="" 
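Review bot: Nothing marks that the order of the two new stages matters: the pipelines' `build-target-stage` defaults to `""`, and with an empty `TARGET_STAGE` buildah presumably builds the final stage, so swapping `scanner-db-slim` and `scanner-db` would silently make the default output the slim image. Add `# Keep scanner-db as the last stage: it is the default target when TARGET_STAGE is empty.` above `FROM scanner-db-common AS scanner-db`. The `COPY --chown=0:0` is a good hardening step, since the definitions end up root-owned and unmodifiable by the postgres user `70:70`, but it presumably relies on the blob's source mode being world-readable; a one-line comment stating both the intent and that expectation would stop the next reader from "fixing" it back to `70:70`.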
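Review bot: The builder stage is pulled from `brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_8_1.20`, a tag that presumably moves as the builder is rebuilt, so the toolchain that compiles the scanner binary is not fixed by this commit. Pinning it by digest, `FROM brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_8_1.20@sha256:<digest> AS builder`, would make the compiled output attributable to a known builder; if the floating tag is intentional, state that in the comment this hunk adds above the line.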
@@ -25,17 +26,15 @@ RUN echo -n "version: " && scripts/konflux/version.sh && \ # files of the dump and the manifest. COPY ./blob-genesis_manifests.json image/scanner/dump/genesis_manifests.json -FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} +# Common base for scanner slim and full +FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} AS scanner-common LABEL \ - com.redhat.component="rhacs-scanner-container" \ com.redhat.license_terms="https://www.redhat.com/agreements" \ description="This image supports image scanning for RHACS" \ io.k8s.description="This image supports image scanning for RHACS" \ - io.k8s.display-name="scanner" \ io.openshift.tags="rhacs,scanner,stackrox" \ maintainer="Red Hat, Inc." \ - name="rhacs-scanner-rhel8" \ source-location="https://github.com/stackrox/scanner" \ summary="The image scanner for RHACS" \ url="https://catalog.redhat.com/software/container-stacks/detail/60eefc88ee05ae7c5b8f041c" \ @@ -45,14 +44,10 @@ LABEL \ SHELL ["/bin/sh", "-o", "pipefail", "-c"] -ENV NVD_DEFINITIONS_DIR="/nvd_definitions" -ENV K8S_DEFINITIONS_DIR="/k8s_definitions" ENV REPO_TO_CPE_DIR="/repo2cpe" COPY --from=builder /src/image/scanner/scripts / COPY --from=builder /src/image/scanner/bin/scanner ./ -COPY --chown=65534:65534 --from=builder "/src/image/scanner/dump${NVD_DEFINITIONS_DIR}/" ".${NVD_DEFINITIONS_DIR}/" -COPY --chown=65534:65534 --from=builder "/src/image/scanner/dump${K8S_DEFINITIONS_DIR}/" ".${K8S_DEFINITIONS_DIR}/" COPY --chown=65534:65534 --from=builder "/src/image/scanner/dump${REPO_TO_CPE_DIR}/" ".${REPO_TO_CPE_DIR}/" COPY --chown=65534:65534 --from=builder /src/image/scanner/dump/genesis_manifests.json ./ 
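Review bot: The `repo2cpe` directory and `genesis_manifests.json` that remain in `scanner-common` are copied with `--chown=65534:65534`, the same UID the image runs as (`USER 65534:65534`), so the scanner process can rewrite its own mapping data at runtime, whereas the db image in this same commit makes its definitions root-owned. If the scanner only reads these files, `COPY --chown=0:0` keeps them immutable to the process at no cost; if it does write to them, a comment saying so would justify the ownership (I cannot tell from here which it is). The slim stage now ships without NVD or Kubernetes definitions and leaves `NVD_DEFINITIONS_DIR`/`K8S_DEFINITIONS_DIR` unset, which deserves a note next to the remaining copies, e.g. `# Common stage carries only repo2cpe and the genesis manifests; NVD/k8s definitions are added by the full scanner stage.`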
@@ -75,3 +70,27 @@ RUN microdnf upgrade --nobest && \ USER 65534:65534 ENTRYPOINT ["/entrypoint.sh"] + +# Scanner Slim +FROM scanner-common AS scanner-slim + +LABEL \ + com.redhat.component="rhacs-scanner-slim-container" \ + io.k8s.display-name="scanner-slim" \ + name="rhacs-scanner-slim-rhel8" + +ENV ROX_SLIM_MODE="true" + +# Scanner (full) +FROM scanner-common AS scanner + +LABEL \ + com.redhat.component="rhacs-scanner-container" \ + io.k8s.display-name="scanner" \ + name="rhacs-scanner-rhel8" + +ENV NVD_DEFINITIONS_DIR="/nvd_definitions" +ENV K8S_DEFINITIONS_DIR="/k8s_definitions" + +COPY --chown=65534:65534 --from=builder "/src/image/scanner/dump${NVD_DEFINITIONS_DIR}/" ".${NVD_DEFINITIONS_DIR}/" +COPY --chown=65534:65534 --from=builder "/src/image/scanner/dump${K8S_DEFINITIONS_DIR}/" ".${K8S_DEFINITIONS_DIR}/"
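Review bot: Nothing in the new `scanner` stage records that it must remain the last stage in the file: `build-target-stage` defaults to `""` in the pipelines, and with an empty `TARGET_STAGE` buildah presumably builds the final stage, so moving `scanner-slim` below it would make the default build the slim image. Add `# Keep this as the last stage: it is the default target when TARGET_STAGE is empty.` above `FROM scanner-common AS scanner`. `ROX_SLIM_MODE="true"` is only an image-level ENV that any Pod spec can override; if the binary uses it to decide whether the NVD and k8s definition directories must exist, a comment that the env and the omitted copies have to stay in step would help (how the binary treats the flag is not visible here).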