From 9552f3bbd88a7fecb5e7fd9463ad8ef8ecd9aecf Mon Sep 17 00:00:00 2001
From: "red-hat-konflux[bot]" <126015336+red-hat-konflux[bot]@users.noreply.github.com>
Date: Mon, 4 Mar 2024 11:07:57 +0100
Subject: [PATCH 01/22] Red Hat Konflux update scanner-slim (#1428)
Co-authored-by: red-hat-konflux
---
 .tekton/scanner-slim-pull-request.yaml | 410 +++++++++++++++++++++++++
 .tekton/scanner-slim-push.yaml | 407 ++++++++++++++++++++++++
 2 files changed, 817 insertions(+)
 create mode 100644 .tekton/scanner-slim-pull-request.yaml
 create mode 100644 .tekton/scanner-slim-push.yaml
diff --git a/.tekton/scanner-slim-pull-request.yaml b/.tekton/scanner-slim-pull-request.yaml
new file mode 100644
index 000000000..4e1411d5f
--- /dev/null
+++ b/.tekton/scanner-slim-pull-request.yaml
@@ -0,0 +1,410 @@ +apiVersion: tekton.dev/v1 +kind: PipelineRun +metadata: + annotations: + build.appstudio.openshift.io/repo: https://github.com/stackrox/scanner?rev={{revision}} + build.appstudio.redhat.com/commit_sha: '{{revision}}' + build.appstudio.redhat.com/pull_request_number: '{{pull_request_number}}' + build.appstudio.redhat.com/target_branch: '{{target_branch}}' + pipelinesascode.tekton.dev/max-keep-runs: "3" + pipelinesascode.tekton.dev/on-cel-expression: event == "pull_request" && target_branch + == "tm/scanner-slim-konflux-onboarding" + creationTimestamp: null + labels: + appstudio.openshift.io/application: acs + appstudio.openshift.io/component: scanner-slim + pipelines.appstudio.openshift.io/type: build + name: scanner-slim-on-pull-request + namespace: rh-acs-tenant +spec: + params: + - name: dockerfile + value: image/scanner/rhel/konflux.Dockerfile + - name: git-url + value: '{{source_url}}' + - name: image-expires-after + value: 5d + - name: output-image + value: quay.io/redhat-user-workloads/rh-acs-tenant/acs/scanner-slim:on-pr-{{revision}} + - name: path-context + value: . 
+ - name: revision + value: '{{revision}}' + pipelineSpec: + finally: + - name: show-sbom + params: + - name: IMAGE_URL + value: $(tasks.build-container.results.IMAGE_URL) + taskRef: + params: + - name: name + value: show-sbom + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-show-sbom:0.1@sha256:82737c8d365c620295fa526d21a481d4614f657800175ddc0ccd7846c54207f8 + - name: kind + value: task + resolver: bundles + - name: show-summary + params: + - name: pipelinerun-name + value: $(context.pipelineRun.name) + - name: git-url + value: $(tasks.clone-repository.results.url)?rev=$(tasks.clone-repository.results.commit) + - name: image-url + value: $(params.output-image) + - name: build-task-status + value: $(tasks.build-container.status) + taskRef: + params: + - name: name + value: summary + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-summary:0.1@sha256:789b3b20a7de149213d6fa7ac05af13229b1c34f74e1b93d1b42eb3d3df2d0d8 + - name: kind + value: task + resolver: bundles + params: + - description: Source Repository URL + name: git-url + type: string + - default: "" + description: Revision of the Source Repository + name: revision + type: string + - description: Fully Qualified Output Image + name: output-image + type: string + - default: . + description: Path to the source code of an application's component from where + to build image. 
+ name: path-context + type: string + - default: Dockerfile + description: Path to the Dockerfile inside the context specified by parameter + path-context + name: dockerfile + type: string + - default: "false" + description: Force rebuild image + name: rebuild + type: string + - default: "false" + description: Skip checks against built image + name: skip-checks + type: string + - default: "false" + description: Execute the build with network isolation + name: hermetic + type: string + - default: "" + description: Build dependencies to be prefetched by Cachi2 + name: prefetch-input + type: string + - default: "false" + description: Java build + name: java + type: string + - default: "" + description: Image tag expiration time, time values could be something like + 1h, 2d, 3w for hours, days, and weeks, respectively. + name: image-expires-after + - default: "false" + description: Build a source image. + name: build-source-image + type: string + results: + - description: "" + name: IMAGE_URL + value: $(tasks.build-container.results.IMAGE_URL) + - description: "" + name: IMAGE_DIGEST + value: $(tasks.build-container.results.IMAGE_DIGEST) + - description: "" + name: CHAINS-GIT_URL + value: $(tasks.clone-repository.results.url) + - description: "" + name: CHAINS-GIT_COMMIT + value: $(tasks.clone-repository.results.commit) + - description: "" + name: JAVA_COMMUNITY_DEPENDENCIES + value: $(tasks.build-container.results.JAVA_COMMUNITY_DEPENDENCIES) + tasks: + - name: init + params: + - name: image-url + value: $(params.output-image) + - name: rebuild + value: $(params.rebuild) + - name: skip-checks + value: $(params.skip-checks) + taskRef: + params: + - name: name + value: init + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-init:0.2@sha256:3d8f01fa59596a998d30dc700fcf7377f09d60008337290eebaeaf604512ce2b + - name: kind + value: task + resolver: bundles + - name: clone-repository + params: + - name: url + value: $(params.git-url) + - name: revision + 
value: $(params.revision) + runAfter: + - init + taskRef: + params: + - name: name + value: git-clone + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-git-clone:0.1@sha256:982e53397367ea9680b5cc543f5cbfc8e90124ffb463551eea33e4477d0a7ec6 + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: + - "true" + workspaces: + - name: output + workspace: workspace + - name: basic-auth + workspace: git-auth + - name: prefetch-dependencies + params: + - name: input + value: $(params.prefetch-input) + runAfter: + - clone-repository + taskRef: + params: + - name: name + value: prefetch-dependencies + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-prefetch-dependencies:0.1@sha256:e29adab9f66415b3be2e89e154c03ec685900fdad90051a555d7d027f94f874e + - name: kind + value: task + resolver: bundles + when: + - input: $(params.hermetic) + operator: in + values: + - "true" + workspaces: + - name: source + workspace: workspace + - name: build-container + params: + - name: IMAGE + value: $(params.output-image) + - name: DOCKERFILE + value: $(params.dockerfile) + - name: CONTEXT + value: $(params.path-context) + - name: HERMETIC + value: $(params.hermetic) + - name: PREFETCH_INPUT + value: $(params.prefetch-input) + - name: IMAGE_EXPIRES_AFTER + value: $(params.image-expires-after) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + runAfter: + - prefetch-dependencies + taskRef: + params: + - name: name + value: buildah + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-buildah:0.1@sha256:8a016b58a1f273d6b01045eeb982c370e79bf050e85e0c16eca970789704643a + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: + - "true" + workspaces: + - name: source + workspace: workspace + - name: build-source-image + params: + - name: BINARY_IMAGE + value: $(params.output-image) + - name: 
BASE_IMAGES + value: $(tasks.build-container.results.BASE_IMAGES_DIGESTS) + runAfter: + - build-container + taskRef: + params: + - name: name + value: source-build + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-source-build:0.1@sha256:e831f3e10362ecb21910f45ff48c3af1c0c8bea4858ca25f4f436153499f9802 + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: + - "true" + - input: $(params.build-source-image) + operator: in + values: + - "true" + workspaces: + - name: workspace + workspace: workspace + - name: deprecated-base-image-check + params: + - name: BASE_IMAGES_DIGESTS + value: $(tasks.build-container.results.BASE_IMAGES_DIGESTS) + runAfter: + - build-container + taskRef: + params: + - name: name + value: deprecated-image-check + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-deprecated-image-check:0.3@sha256:ba55ff56b8718406278d72fd5e3de88da110dd4391aa7581923b8d219a29f841 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: clair-scan + params: + - name: image-digest + value: $(tasks.build-container.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-container.results.IMAGE_URL) + runAfter: + - build-container + taskRef: + params: + - name: name + value: clair-scan + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-clair-scan:0.1@sha256:5097b69c7b8ed19bbc09b3b119214305ed382a185aece344806875e6c43203b8 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: ecosystem-cert-preflight-checks + params: + - name: image-url + value: $(tasks.build-container.results.IMAGE_URL) + runAfter: + - build-container + taskRef: + params: + - name: name + value: ecosystem-cert-preflight-checks + - name: bundle + value: 
quay.io/redhat-appstudio-tekton-catalog/task-ecosystem-cert-preflight-checks:0.1@sha256:4bcabe436ddbef6af8f8108ee234d83e116e63e91f64a77191e1492db11bf56b + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-snyk-check + runAfter: + - clone-repository + taskRef: + params: + - name: name + value: sast-snyk-check + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-sast-snyk-check:0.1@sha256:422177f6fffa55284a30ddc4a26dca1462aee34a479529b9e2b52a5bb39606a4 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + workspaces: + - name: workspace + workspace: workspace + - name: clamav-scan + params: + - name: image-digest + value: $(tasks.build-container.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-container.results.IMAGE_URL) + runAfter: + - build-container + taskRef: + params: + - name: name + value: clamav-scan + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-clamav-scan:0.1@sha256:628847d30ce0dc05ce9c62ae1161ba54d27de125b59e867d485ca0e0c68e11e4 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sbom-json-check + params: + - name: IMAGE_URL + value: $(tasks.build-container.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-container.results.IMAGE_DIGEST) + runAfter: + - build-container + taskRef: + params: + - name: name + value: sbom-json-check + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-sbom-json-check:0.1@sha256:e5202b2f610fcf36793e410336bd5b9764999abb29b3cd29007f6c68dd7725af + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + workspaces: + - name: workspace + - name: git-auth + optional: true + taskRunTemplate: {} + workspaces: + - name: workspace 
+ volumeClaimTemplate: + metadata: + creationTimestamp: null + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi + status: {} + - name: git-auth + secret: + secretName: '{{ git_auth_secret }}' +status: {} diff --git a/.tekton/scanner-slim-push.yaml b/.tekton/scanner-slim-push.yaml new file mode 100644 index 000000000..dc388a973 --- /dev/null +++ b/.tekton/scanner-slim-push.yaml 
@@ -0,0 +1,407 @@ +apiVersion: tekton.dev/v1 +kind: PipelineRun +metadata: + annotations: + build.appstudio.openshift.io/repo: https://github.com/stackrox/scanner?rev={{revision}} + build.appstudio.redhat.com/commit_sha: '{{revision}}' + build.appstudio.redhat.com/target_branch: '{{target_branch}}' + pipelinesascode.tekton.dev/max-keep-runs: "3" + pipelinesascode.tekton.dev/on-cel-expression: event == "push" && target_branch + == "tm/scanner-slim-konflux-onboarding" + creationTimestamp: null + labels: + appstudio.openshift.io/application: acs + appstudio.openshift.io/component: scanner-slim + pipelines.appstudio.openshift.io/type: build + name: scanner-slim-on-push + namespace: rh-acs-tenant +spec: + params: + - name: dockerfile + value: image/scanner/rhel/konflux.Dockerfile + - name: git-url + value: '{{source_url}}' + - name: output-image + value: quay.io/redhat-user-workloads/rh-acs-tenant/acs/scanner-slim:{{revision}} + - name: path-context + value: . + - name: revision + value: '{{revision}}' + pipelineSpec: + finally: + - name: show-sbom + params: + - name: IMAGE_URL + value: $(tasks.build-container.results.IMAGE_URL) + taskRef: + params: + - name: name + value: show-sbom + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-show-sbom:0.1@sha256:82737c8d365c620295fa526d21a481d4614f657800175ddc0ccd7846c54207f8 + - name: kind + value: task + resolver: bundles + - name: show-summary + params: + - name: pipelinerun-name + value: $(context.pipelineRun.name) + - name: git-url + value: $(tasks.clone-repository.results.url)?rev=$(tasks.clone-repository.results.commit) + - name: image-url + value: $(params.output-image) + - name: build-task-status + value: $(tasks.build-container.status) + taskRef: + params: + - name: name + value: summary + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-summary:0.1@sha256:789b3b20a7de149213d6fa7ac05af13229b1c34f74e1b93d1b42eb3d3df2d0d8 + - name: kind + value: task + resolver: bundles + params: + 
- description: Source Repository URL + name: git-url + type: string + - default: "" + description: Revision of the Source Repository + name: revision + type: string + - description: Fully Qualified Output Image + name: output-image + type: string + - default: . + description: Path to the source code of an application's component from where + to build image. + name: path-context + type: string + - default: Dockerfile + description: Path to the Dockerfile inside the context specified by parameter + path-context + name: dockerfile + type: string + - default: "false" + description: Force rebuild image + name: rebuild + type: string + - default: "false" + description: Skip checks against built image + name: skip-checks + type: string + - default: "false" + description: Execute the build with network isolation + name: hermetic + type: string + - default: "" + description: Build dependencies to be prefetched by Cachi2 + name: prefetch-input + type: string + - default: "false" + description: Java build + name: java + type: string + - default: "" + description: Image tag expiration time, time values could be something like + 1h, 2d, 3w for hours, days, and weeks, respectively. + name: image-expires-after + - default: "false" + description: Build a source image. 
+ name: build-source-image + type: string + results: + - description: "" + name: IMAGE_URL + value: $(tasks.build-container.results.IMAGE_URL) + - description: "" + name: IMAGE_DIGEST + value: $(tasks.build-container.results.IMAGE_DIGEST) + - description: "" + name: CHAINS-GIT_URL + value: $(tasks.clone-repository.results.url) + - description: "" + name: CHAINS-GIT_COMMIT + value: $(tasks.clone-repository.results.commit) + - description: "" + name: JAVA_COMMUNITY_DEPENDENCIES + value: $(tasks.build-container.results.JAVA_COMMUNITY_DEPENDENCIES) + tasks: + - name: init + params: + - name: image-url + value: $(params.output-image) + - name: rebuild + value: $(params.rebuild) + - name: skip-checks + value: $(params.skip-checks) + taskRef: + params: + - name: name + value: init + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-init:0.2@sha256:3d8f01fa59596a998d30dc700fcf7377f09d60008337290eebaeaf604512ce2b + - name: kind + value: task + resolver: bundles + - name: clone-repository + params: + - name: url + value: $(params.git-url) + - name: revision + value: $(params.revision) + runAfter: + - init + taskRef: + params: + - name: name + value: git-clone + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-git-clone:0.1@sha256:982e53397367ea9680b5cc543f5cbfc8e90124ffb463551eea33e4477d0a7ec6 + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: + - "true" + workspaces: + - name: output + workspace: workspace + - name: basic-auth + workspace: git-auth + - name: prefetch-dependencies + params: + - name: input + value: $(params.prefetch-input) + runAfter: + - clone-repository + taskRef: + params: + - name: name + value: prefetch-dependencies + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-prefetch-dependencies:0.1@sha256:e29adab9f66415b3be2e89e154c03ec685900fdad90051a555d7d027f94f874e + - name: kind + value: task + resolver: bundles + when: + - 
input: $(params.hermetic) + operator: in + values: + - "true" + workspaces: + - name: source + workspace: workspace + - name: build-container + params: + - name: IMAGE + value: $(params.output-image) + - name: DOCKERFILE + value: $(params.dockerfile) + - name: CONTEXT + value: $(params.path-context) + - name: HERMETIC + value: $(params.hermetic) + - name: PREFETCH_INPUT + value: $(params.prefetch-input) + - name: IMAGE_EXPIRES_AFTER + value: $(params.image-expires-after) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + runAfter: + - prefetch-dependencies + taskRef: + params: + - name: name + value: buildah + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-buildah:0.1@sha256:8a016b58a1f273d6b01045eeb982c370e79bf050e85e0c16eca970789704643a + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: + - "true" + workspaces: + - name: source + workspace: workspace + - name: build-source-image + params: + - name: BINARY_IMAGE + value: $(params.output-image) + - name: BASE_IMAGES + value: $(tasks.build-container.results.BASE_IMAGES_DIGESTS) + runAfter: + - build-container + taskRef: + params: + - name: name + value: source-build + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-source-build:0.1@sha256:e831f3e10362ecb21910f45ff48c3af1c0c8bea4858ca25f4f436153499f9802 + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: + - "true" + - input: $(params.build-source-image) + operator: in + values: + - "true" + workspaces: + - name: workspace + workspace: workspace + - name: deprecated-base-image-check + params: + - name: BASE_IMAGES_DIGESTS + value: $(tasks.build-container.results.BASE_IMAGES_DIGESTS) + runAfter: + - build-container + taskRef: + params: + - name: name + value: deprecated-image-check + - name: bundle + value: 
quay.io/redhat-appstudio-tekton-catalog/task-deprecated-image-check:0.3@sha256:ba55ff56b8718406278d72fd5e3de88da110dd4391aa7581923b8d219a29f841 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: clair-scan + params: + - name: image-digest + value: $(tasks.build-container.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-container.results.IMAGE_URL) + runAfter: + - build-container + taskRef: + params: + - name: name + value: clair-scan + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-clair-scan:0.1@sha256:5097b69c7b8ed19bbc09b3b119214305ed382a185aece344806875e6c43203b8 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: ecosystem-cert-preflight-checks + params: + - name: image-url + value: $(tasks.build-container.results.IMAGE_URL) + runAfter: + - build-container + taskRef: + params: + - name: name + value: ecosystem-cert-preflight-checks + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-ecosystem-cert-preflight-checks:0.1@sha256:4bcabe436ddbef6af8f8108ee234d83e116e63e91f64a77191e1492db11bf56b + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-snyk-check + runAfter: + - clone-repository + taskRef: + params: + - name: name + value: sast-snyk-check + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-sast-snyk-check:0.1@sha256:422177f6fffa55284a30ddc4a26dca1462aee34a479529b9e2b52a5bb39606a4 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + workspaces: + - name: workspace + workspace: workspace + - name: clamav-scan + params: + - name: image-digest + value: $(tasks.build-container.results.IMAGE_DIGEST) + - name: image-url + value: 
$(tasks.build-container.results.IMAGE_URL) + runAfter: + - build-container + taskRef: + params: + - name: name + value: clamav-scan + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-clamav-scan:0.1@sha256:628847d30ce0dc05ce9c62ae1161ba54d27de125b59e867d485ca0e0c68e11e4 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sbom-json-check + params: + - name: IMAGE_URL + value: $(tasks.build-container.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-container.results.IMAGE_DIGEST) + runAfter: + - build-container + taskRef: + params: + - name: name + value: sbom-json-check + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-sbom-json-check:0.1@sha256:e5202b2f610fcf36793e410336bd5b9764999abb29b3cd29007f6c68dd7725af + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + workspaces: + - name: workspace + - name: git-auth + optional: true + taskRunTemplate: {} + workspaces: + - name: workspace + volumeClaimTemplate: + metadata: + creationTimestamp: null + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi + status: {} + - name: git-auth + secret: + secretName: '{{ git_auth_secret }}' +status: {} From 15718e4e38cb41a45589bc3d9aa98ea4d387c442 Mon Sep 17 00:00:00 2001 From: Tom Martensen Date: Mon, 4 Mar 2024 11:13:16 +0100 Subject: [PATCH 02/22] update pipelines --- .tekton/scanner-slim-pull-request.yaml | 132 ++++++++++++++----------- .tekton/scanner-slim-push.yaml | 132 ++++++++++++++----------- 2 files changed, 149 insertions(+), 115 deletions(-) diff --git a/.tekton/scanner-slim-pull-request.yaml b/.tekton/scanner-slim-pull-request.yaml index 4e1411d5f..72a334b9a 100644 --- a/.tekton/scanner-slim-pull-request.yaml +++ b/.tekton/scanner-slim-pull-request.yaml 
@@ -6,9 +6,9 @@ metadata: build.appstudio.redhat.com/commit_sha: '{{revision}}' build.appstudio.redhat.com/pull_request_number: '{{pull_request_number}}' build.appstudio.redhat.com/target_branch: '{{target_branch}}' - pipelinesascode.tekton.dev/max-keep-runs: "3" - pipelinesascode.tekton.dev/on-cel-expression: event == "pull_request" && target_branch - == "tm/scanner-slim-konflux-onboarding" + pipelinesascode.tekton.dev/max-keep-runs: "500" + # TODO(ROX-21073): re-enable for all PR branches + pipelinesascode.tekton.dev/on-cel-expression: event == "pull_request" && (source_branch.contains("rhtap") || source_branch.contains("konflux")) creationTimestamp: null labels: appstudio.openshift.io/application: acs @@ -21,16 +21,40 @@ spec: - name: dockerfile value: image/scanner/rhel/konflux.Dockerfile - name: git-url - value: '{{source_url}}' + value: '{{repo_url}}' - name: image-expires-after - value: 5d + value: '13w' - name: output-image value: quay.io/redhat-user-workloads/rh-acs-tenant/acs/scanner-slim:on-pr-{{revision}} - name: path-context value: . - name: revision value: '{{revision}}' + - name: rebuild + value: 'true' + - name: prefetch-input + value: '{"type": "gomod", "path": "."}' + - name: build-source-image + value: 'true' + + workspaces: + - name: workspace + volumeClaimTemplate: + metadata: + creationTimestamp: null + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi + status: {} + - name: git-auth + secret: + secretName: '{{ git_auth_secret }}' + pipelineSpec: + finally: - name: show-sbom params: 
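Review bot: The new `prefetch-input` param (`{"type": "gomod", "path": "."}`) is added in the hunk at -21 without a matching `hermetic` param, so the `HERMETIC` value handed to buildah stays at the pipeline default `"false"` and the container build still runs with network access even though Go module dependencies are now prefetched (the `when: $(params.hermetic)` guard on prefetch-dependencies is dropped in the hunk at -189 below, so the prefetch now always runs). If the intent is to validate the prefetch before isolating the build, a comment on `prefetch-input` saying so would help; otherwise add `- name: hermetic` / `value: 'true'` next to it. The push pipeline's hunk at -20 has the same gap. The enclosing `spec` mapping continues outside the hunk.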
@@ -60,10 +84,11 @@ spec: - name: name value: summary - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-summary:0.1@sha256:789b3b20a7de149213d6fa7ac05af13229b1c34f74e1b93d1b42eb3d3df2d0d8 + value: quay.io/redhat-appstudio-tekton-catalog/task-summary:0.1@sha256:529f8c56d0e05122317fb8d9895a3dfc12390c889be9aaeb642b84b83a8fab52 - name: kind value: task resolver: bundles + params: - description: Source Repository URL name: git-url @@ -109,6 +134,7 @@ spec: description: Image tag expiration time, time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively. name: image-expires-after + type: string - default: "false" description: Build a source image. name: build-source-image @@ -129,7 +155,13 @@ spec: - description: "" name: JAVA_COMMUNITY_DEPENDENCIES value: $(tasks.build-container.results.JAVA_COMMUNITY_DEPENDENCIES) + + workspaces: + - name: workspace + - name: git-auth + tasks: + - name: init params: - name: image-url @@ -153,6 +185,10 @@ spec: value: $(params.git-url) - name: revision value: $(params.revision) + - name: depth + value: "0" + - name: fetchTags + value: "true" runAfter: - init taskRef: @@ -189,14 +225,30 @@ spec: - name: kind value: task resolver: bundles - when: - - input: $(params.hermetic) - operator: in - values: - - "true" workspaces: - name: source workspace: workspace + + - name: fetch-vuln-feed-data + runAfter: + - init + - clone-repository + taskSpec: + steps: + - name: fetch-vuln-feed-data + image: registry.access.redhat.com/ubi8-minimal:latest + script: | + #!/usr/bin/env bash + "$(workspaces.source.path)/source/scripts/konflux/fetch-scanner-data.sh" \ + "$(workspaces.source.path)/source" \ + nvd-definitions.zip \ + k8s-definitions.zip \ + repo2cpe.zip \ + genesis_manifests.json + workspaces: + - name: source + workspace: workspace + - name: build-container params: - name: IMAGE 
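Review bot: The inline `fetch-vuln-feed-data` task added in the hunk at -189 runs `registry.access.redhat.com/ubi8-minimal:latest`, a mutable tag, while every other task in this file is resolved from a bundle pinned by `@sha256:` digest; the step that fetches the vulnerability feed data baked into the image should be pinned the same way. It also lacks the `when: $(tasks.init.results.build)` guard that clone-repository and build-container carry, so when init decides not to build it still runs against a workspace clone-repository did not populate and fails on the missing script (with `rebuild: 'true'` set above this is probably always a build, but the guard keeps the task set consistent). If `fetch-scanner-data.sh` downloads the listed zips, confirming that it verifies them (checksum or signature) before they reach the build is worth a follow-up; the script itself is not in this diff. The push pipeline's hunk at -186 adds the same task.
```yaml
      - name: fetch-vuln-feed-data
        # … unchanged: runAfter …
        when:
          - input: $(tasks.init.results.build)
            operator: in
            values:
              - "true"
        taskSpec:
          steps:
            - name: fetch-vuln-feed-data
              # pinned by digest like the bundle-resolved tasks (placeholder digest)
              image: registry.access.redhat.com/ubi8-minimal@sha256:<PINNED-DIGEST-PLACEHOLDER>
              # … unchanged: script …
        # … unchanged: workspaces …
```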
@@ -215,6 +267,7 @@ spec: value: $(tasks.clone-repository.results.commit) runAfter: - prefetch-dependencies + - fetch-vuln-feed-data taskRef: params: - name: name @@ -245,7 +298,7 @@ spec: - name: name value: source-build - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-source-build:0.1@sha256:e831f3e10362ecb21910f45ff48c3af1c0c8bea4858ca25f4f436153499f9802 + value: quay.io/redhat-appstudio-tekton-catalog/task-source-build:0.1@sha256:672fed833cf17deb402add8cd38b874f341ce1efdd83493250646f1a9727ed82 - name: kind value: task resolver: bundles @@ -272,7 +325,7 @@ spec: - name: name value: deprecated-image-check - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-deprecated-image-check:0.3@sha256:ba55ff56b8718406278d72fd5e3de88da110dd4391aa7581923b8d219a29f841 + value: quay.io/redhat-appstudio-tekton-catalog/task-deprecated-image-check:0.3@sha256:724c2c0f59344f3b1d3fcf3b301d46c76436ecb5647e70e1b660766d5ec154cf - name: kind value: task resolver: bundles @@ -294,27 +347,7 @@ spec: - name: name value: clair-scan - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-clair-scan:0.1@sha256:5097b69c7b8ed19bbc09b3b119214305ed382a185aece344806875e6c43203b8 - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: - - "false" - - name: ecosystem-cert-preflight-checks - params: - - name: image-url - value: $(tasks.build-container.results.IMAGE_URL) - runAfter: - - build-container - taskRef: - params: - - name: name - value: ecosystem-cert-preflight-checks - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-ecosystem-cert-preflight-checks:0.1@sha256:4bcabe436ddbef6af8f8108ee234d83e116e63e91f64a77191e1492db11bf56b + value: quay.io/redhat-appstudio-tekton-catalog/task-clair-scan:0.1@sha256:9d0f4fa66c07ad3f1f37182c69244d94709d941f292e5d0f94c600a4eef88396 - name: kind value: task resolver: bundles 
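Review bot: The hunk at -294 deletes the whole `ecosystem-cert-preflight-checks` task together with its `skip-checks` gate while updating the clair-scan bundle, and neither the commit message ("update pipelines") nor a comment says why a check task is being dropped. If this is temporary during onboarding, a TODO with a ticket next to `clair-scan`, in the style of the `TODO(ROX-21073)` already in this file, keeps it from being forgotten, e.g. `# TODO(<ticket-placeholder>): ecosystem-cert-preflight-checks removed; re-add once the blocker is resolved`; if it is permanent, the commit message should say so. The same deletion is in the push pipeline's hunk at -291.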
@@ -331,7 +364,7 @@ spec: - name: name value: sast-snyk-check - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-sast-snyk-check:0.1@sha256:422177f6fffa55284a30ddc4a26dca1462aee34a479529b9e2b52a5bb39606a4 + value: quay.io/redhat-appstudio-tekton-catalog/task-sast-snyk-check:0.1@sha256:b5a5e50243ad18305b2ec2134fd1918fc8d85cd06ca9f17690c35ee7993954f6 - name: kind value: task resolver: bundles @@ -356,7 +389,7 @@ spec: - name: name value: clamav-scan - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-clamav-scan:0.1@sha256:628847d30ce0dc05ce9c62ae1161ba54d27de125b59e867d485ca0e0c68e11e4 + value: quay.io/redhat-appstudio-tekton-catalog/task-clamav-scan:0.1@sha256:144c1ab424cd9897a121ccd22e1e1bf25c0c95ff90d4a33278e42d8c183730f4 - name: kind value: task resolver: bundles @@ -378,7 +411,7 @@ spec: - name: name value: sbom-json-check - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-sbom-json-check:0.1@sha256:e5202b2f610fcf36793e410336bd5b9764999abb29b3cd29007f6c68dd7725af + value: quay.io/redhat-appstudio-tekton-catalog/task-sbom-json-check:0.1@sha256:be8d2e7b52e14cccca0a8c78656f967a7c7b9d0ae4ead7ab2e19c629dfe67eda - name: kind value: task resolver: bundles @@ -387,24 +420,7 @@ spec: operator: in values: - "false" - workspaces: - - name: workspace - - name: git-auth - optional: true - taskRunTemplate: {} - workspaces: - - name: workspace - volumeClaimTemplate: - metadata: - creationTimestamp: null - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 1Gi - status: {} - - name: git-auth - secret: - secretName: '{{ git_auth_secret }}' -status: {} + +status: { } + +taskRunTemplate: { } diff --git a/.tekton/scanner-slim-push.yaml b/.tekton/scanner-slim-push.yaml index dc388a973..fcfa419e4 100644 --- a/.tekton/scanner-slim-push.yaml +++ b/.tekton/scanner-slim-push.yaml 
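Review bot: In the hunk at -387, `taskRunTemplate: { }` appears at column 0, but it is a `spec` field of a Tekton v1 PipelineRun — the removed lines had it under `spec:` — so as a top-level key it is either rejected or silently dropped depending on how strictly the API server decodes unknown fields, and in neither case does it do what the original line did. Since the value is empty, drop the line, or keep it under `spec` as `  taskRunTemplate: {}` beside the relocated `workspaces`. The push pipeline's hunk at -384 has the same line.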
@@ -5,9 +5,8 @@ metadata: build.appstudio.openshift.io/repo: https://github.com/stackrox/scanner?rev={{revision}} build.appstudio.redhat.com/commit_sha: '{{revision}}' build.appstudio.redhat.com/target_branch: '{{target_branch}}' - pipelinesascode.tekton.dev/max-keep-runs: "3" - pipelinesascode.tekton.dev/on-cel-expression: event == "push" && target_branch - == "tm/scanner-slim-konflux-onboarding" + pipelinesascode.tekton.dev/max-keep-runs: "500" + pipelinesascode.tekton.dev/on-cel-expression: event == "push" && target_branch == "master" creationTimestamp: null labels: appstudio.openshift.io/application: acs @@ -20,14 +19,41 @@ spec: - name: dockerfile value: image/scanner/rhel/konflux.Dockerfile - name: git-url - value: '{{source_url}}' + value: '{{repo_url}}' + - name: image-expires-after + # TODO(ROX-20230): make release images not expire. + value: '13w' - name: output-image value: quay.io/redhat-user-workloads/rh-acs-tenant/acs/scanner-slim:{{revision}} - name: path-context value: . - name: revision value: '{{revision}}' + - name: rebuild + value: 'true' + - name: prefetch-input + value: '{"type": "gomod", "path": "."}' + - name: build-source-image + value: 'true' + + workspaces: + - name: workspace + volumeClaimTemplate: + metadata: + creationTimestamp: null + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi + status: {} + - name: git-auth + secret: + secretName: '{{ git_auth_secret }}' + pipelineSpec: + finally: - name: show-sbom params: @@ -57,10 +83,11 @@ spec: - name: name value: summary - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-summary:0.1@sha256:789b3b20a7de149213d6fa7ac05af13229b1c34f74e1b93d1b42eb3d3df2d0d8 + value: quay.io/redhat-appstudio-tekton-catalog/task-summary:0.1@sha256:529f8c56d0e05122317fb8d9895a3dfc12390c889be9aaeb642b84b83a8fab52 - name: kind value: task resolver: bundles + params: - description: Source Repository URL name: git-url 
@@ -106,6 +133,7 @@ spec: description: Image tag expiration time, time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively. name: image-expires-after + type: string - default: "false" description: Build a source image. name: build-source-image @@ -126,7 +154,13 @@ spec: - description: "" name: JAVA_COMMUNITY_DEPENDENCIES value: $(tasks.build-container.results.JAVA_COMMUNITY_DEPENDENCIES) + + workspaces: + - name: workspace + - name: git-auth + tasks: + - name: init params: - name: image-url @@ -150,6 +184,10 @@ spec: value: $(params.git-url) - name: revision value: $(params.revision) + - name: depth + value: "0" + - name: fetchTags + value: "true" runAfter: - init taskRef: @@ -186,14 +224,30 @@ spec: - name: kind value: task resolver: bundles - when: - - input: $(params.hermetic) - operator: in - values: - - "true" workspaces: - name: source workspace: workspace + + - name: fetch-vuln-feed-data + runAfter: + - init + - clone-repository + taskSpec: + steps: + - name: fetch-vuln-feed-data + image: registry.access.redhat.com/ubi8-minimal:latest + script: | + #!/usr/bin/env bash + "$(workspaces.source.path)/source/scripts/konflux/fetch-scanner-data.sh" \ + "$(workspaces.source.path)/source" \ + nvd-definitions.zip \ + k8s-definitions.zip \ + repo2cpe.zip \ + genesis_manifests.json + workspaces: + - name: source + workspace: workspace + - name: build-container params: - name: IMAGE @@ -212,6 +266,7 @@ spec: value: $(tasks.clone-repository.results.commit) runAfter: - prefetch-dependencies + - fetch-vuln-feed-data taskRef: params: - name: name @@ -242,7 +297,7 @@ spec: - name: name value: source-build - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-source-build:0.1@sha256:e831f3e10362ecb21910f45ff48c3af1c0c8bea4858ca25f4f436153499f9802 + value: quay.io/redhat-appstudio-tekton-catalog/task-source-build:0.1@sha256:672fed833cf17deb402add8cd38b874f341ce1efdd83493250646f1a9727ed82 - name: kind value: task resolver: bundles 
@@ -269,7 +324,7 @@ spec: - name: name value: deprecated-image-check - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-deprecated-image-check:0.3@sha256:ba55ff56b8718406278d72fd5e3de88da110dd4391aa7581923b8d219a29f841 + value: quay.io/redhat-appstudio-tekton-catalog/task-deprecated-image-check:0.3@sha256:724c2c0f59344f3b1d3fcf3b301d46c76436ecb5647e70e1b660766d5ec154cf - name: kind value: task resolver: bundles @@ -291,27 +346,7 @@ spec: - name: name value: clair-scan - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-clair-scan:0.1@sha256:5097b69c7b8ed19bbc09b3b119214305ed382a185aece344806875e6c43203b8 - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: - - "false" - - name: ecosystem-cert-preflight-checks - params: - - name: image-url - value: $(tasks.build-container.results.IMAGE_URL) - runAfter: - - build-container - taskRef: - params: - - name: name - value: ecosystem-cert-preflight-checks - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-ecosystem-cert-preflight-checks:0.1@sha256:4bcabe436ddbef6af8f8108ee234d83e116e63e91f64a77191e1492db11bf56b + value: quay.io/redhat-appstudio-tekton-catalog/task-clair-scan:0.1@sha256:9d0f4fa66c07ad3f1f37182c69244d94709d941f292e5d0f94c600a4eef88396 - name: kind value: task resolver: bundles @@ -328,7 +363,7 @@ spec: - name: name value: sast-snyk-check - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-sast-snyk-check:0.1@sha256:422177f6fffa55284a30ddc4a26dca1462aee34a479529b9e2b52a5bb39606a4 + value: quay.io/redhat-appstudio-tekton-catalog/task-sast-snyk-check:0.1@sha256:b5a5e50243ad18305b2ec2134fd1918fc8d85cd06ca9f17690c35ee7993954f6 - name: kind value: task resolver: bundles 
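Review bot: The `ecosystem-cert-preflight-checks` task is removed outright here, together with its `skip-checks` guard, and nothing in the commit explains why; unlike the surrounding digest bumps this drops a gate on the pushed image. If preflight is not applicable to this component, leave a one-line comment next to `clair-scan` saying so, e.g. `# ecosystem-cert-preflight-checks intentionally omitted: <reason>`, so the next reference update does not silently re-add or re-question it; otherwise keep the task behind the same `when: skip-checks` condition the other scans use.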
@@ -353,7 +388,7 @@ spec: - name: name value: clamav-scan - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-clamav-scan:0.1@sha256:628847d30ce0dc05ce9c62ae1161ba54d27de125b59e867d485ca0e0c68e11e4 + value: quay.io/redhat-appstudio-tekton-catalog/task-clamav-scan:0.1@sha256:144c1ab424cd9897a121ccd22e1e1bf25c0c95ff90d4a33278e42d8c183730f4 - name: kind value: task resolver: bundles @@ -375,7 +410,7 @@ spec: - name: name value: sbom-json-check - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-sbom-json-check:0.1@sha256:e5202b2f610fcf36793e410336bd5b9764999abb29b3cd29007f6c68dd7725af + value: quay.io/redhat-appstudio-tekton-catalog/task-sbom-json-check:0.1@sha256:be8d2e7b52e14cccca0a8c78656f967a7c7b9d0ae4ead7ab2e19c629dfe67eda - name: kind value: task resolver: bundles @@ -384,24 +419,7 @@ spec: operator: in values: - "false" - workspaces: - - name: workspace - - name: git-auth - optional: true - taskRunTemplate: {} - workspaces: - - name: workspace - volumeClaimTemplate: - metadata: - creationTimestamp: null - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 1Gi - status: {} - - name: git-auth - secret: - secretName: '{{ git_auth_secret }}' -status: {} + +status: { } + +taskRunTemplate: { } From f9bc0a4ff64dc74d9591f310faff64917528f94d Mon Sep 17 00:00:00 2001 
From: "red-hat-konflux[bot]" <126015336+red-hat-konflux[bot]@users.noreply.github.com> Date: Mon, 4 Mar 2024 11:50:24 +0100 Subject: [PATCH 03/22] chore(deps): update rhtap references (tm/scanner-slim-konflux-onboarding) (#1430) Co-authored-by: red-hat-konflux <123456+red-hat-konflux[bot]@users.noreply.github.com> --- .tekton/scanner-db-pull-request.yaml | 14 +++++++------- .tekton/scanner-db-push.yaml | 14 +++++++------- .tekton/scanner-pull-request.yaml | 14 +++++++------- .tekton/scanner-push.yaml | 14 +++++++------- .tekton/scanner-slim-pull-request.yaml | 14 +++++++------- .tekton/scanner-slim-push.yaml | 14 +++++++------- 6 files changed, 42 insertions(+), 42 deletions(-) diff --git a/.tekton/scanner-db-pull-request.yaml b/.tekton/scanner-db-pull-request.yaml index 9405ae0e6..3082567f2 100644 --- a/.tekton/scanner-db-pull-request.yaml +++ b/.tekton/scanner-db-pull-request.yaml @@ -91,7 +91,7 @@ spec: - name: name value: summary - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-summary:0.1@sha256:529f8c56d0e05122317fb8d9895a3dfc12390c889be9aaeb642b84b83a8fab52 + value: quay.io/redhat-appstudio-tekton-catalog/task-summary:0.1@sha256:789b3b20a7de149213d6fa7ac05af13229b1c34f74e1b93d1b42eb3d3df2d0d8 - name: kind value: task resolver: bundles @@ -304,7 +304,7 @@ spec: - name: name value: source-build - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-source-build:0.1@sha256:672fed833cf17deb402add8cd38b874f341ce1efdd83493250646f1a9727ed82 + value: quay.io/redhat-appstudio-tekton-catalog/task-source-build:0.1@sha256:e831f3e10362ecb21910f45ff48c3af1c0c8bea4858ca25f4f436153499f9802 - name: kind value: task resolver: bundles 
@@ -330,7 +330,7 @@ spec: - name: name value: deprecated-image-check - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-deprecated-image-check:0.3@sha256:724c2c0f59344f3b1d3fcf3b301d46c76436ecb5647e70e1b660766d5ec154cf + value: quay.io/redhat-appstudio-tekton-catalog/task-deprecated-image-check:0.3@sha256:ba55ff56b8718406278d72fd5e3de88da110dd4391aa7581923b8d219a29f841 - name: kind value: task resolver: bundles @@ -352,7 +352,7 @@ spec: - name: name value: clair-scan - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-clair-scan:0.1@sha256:9d0f4fa66c07ad3f1f37182c69244d94709d941f292e5d0f94c600a4eef88396 + value: quay.io/redhat-appstudio-tekton-catalog/task-clair-scan:0.1@sha256:5097b69c7b8ed19bbc09b3b119214305ed382a185aece344806875e6c43203b8 - name: kind value: task resolver: bundles @@ -369,7 +369,7 @@ spec: - name: name value: sast-snyk-check - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-sast-snyk-check:0.1@sha256:b5a5e50243ad18305b2ec2134fd1918fc8d85cd06ca9f17690c35ee7993954f6 + value: quay.io/redhat-appstudio-tekton-catalog/task-sast-snyk-check:0.1@sha256:422177f6fffa55284a30ddc4a26dca1462aee34a479529b9e2b52a5bb39606a4 - name: kind value: task resolver: bundles @@ -394,7 +394,7 @@ spec: - name: name value: clamav-scan - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-clamav-scan:0.1@sha256:144c1ab424cd9897a121ccd22e1e1bf25c0c95ff90d4a33278e42d8c183730f4 + value: quay.io/redhat-appstudio-tekton-catalog/task-clamav-scan:0.1@sha256:628847d30ce0dc05ce9c62ae1161ba54d27de125b59e867d485ca0e0c68e11e4 - name: kind value: task resolver: bundles 
@@ -416,7 +416,7 @@ spec: - name: name value: sbom-json-check - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-sbom-json-check:0.1@sha256:be8d2e7b52e14cccca0a8c78656f967a7c7b9d0ae4ead7ab2e19c629dfe67eda + value: quay.io/redhat-appstudio-tekton-catalog/task-sbom-json-check:0.1@sha256:e5202b2f610fcf36793e410336bd5b9764999abb29b3cd29007f6c68dd7725af - name: kind value: task resolver: bundles diff --git a/.tekton/scanner-db-push.yaml b/.tekton/scanner-db-push.yaml index 75eaba48e..ecd950da0 100644 --- a/.tekton/scanner-db-push.yaml +++ b/.tekton/scanner-db-push.yaml @@ -89,7 +89,7 @@ spec: - name: name value: summary - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-summary:0.1@sha256:529f8c56d0e05122317fb8d9895a3dfc12390c889be9aaeb642b84b83a8fab52 + value: quay.io/redhat-appstudio-tekton-catalog/task-summary:0.1@sha256:789b3b20a7de149213d6fa7ac05af13229b1c34f74e1b93d1b42eb3d3df2d0d8 - name: kind value: task resolver: bundles @@ -302,7 +302,7 @@ spec: - name: name value: source-build - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-source-build:0.1@sha256:672fed833cf17deb402add8cd38b874f341ce1efdd83493250646f1a9727ed82 + value: quay.io/redhat-appstudio-tekton-catalog/task-source-build:0.1@sha256:e831f3e10362ecb21910f45ff48c3af1c0c8bea4858ca25f4f436153499f9802 - name: kind value: task resolver: bundles @@ -328,7 +328,7 @@ spec: - name: name value: deprecated-image-check - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-deprecated-image-check:0.3@sha256:724c2c0f59344f3b1d3fcf3b301d46c76436ecb5647e70e1b660766d5ec154cf + value: quay.io/redhat-appstudio-tekton-catalog/task-deprecated-image-check:0.3@sha256:ba55ff56b8718406278d72fd5e3de88da110dd4391aa7581923b8d219a29f841 - name: kind value: task resolver: bundles 
@@ -350,7 +350,7 @@ spec: - name: name value: clair-scan - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-clair-scan:0.1@sha256:9d0f4fa66c07ad3f1f37182c69244d94709d941f292e5d0f94c600a4eef88396 + value: quay.io/redhat-appstudio-tekton-catalog/task-clair-scan:0.1@sha256:5097b69c7b8ed19bbc09b3b119214305ed382a185aece344806875e6c43203b8 - name: kind value: task resolver: bundles @@ -367,7 +367,7 @@ spec: - name: name value: sast-snyk-check - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-sast-snyk-check:0.1@sha256:b5a5e50243ad18305b2ec2134fd1918fc8d85cd06ca9f17690c35ee7993954f6 + value: quay.io/redhat-appstudio-tekton-catalog/task-sast-snyk-check:0.1@sha256:422177f6fffa55284a30ddc4a26dca1462aee34a479529b9e2b52a5bb39606a4 - name: kind value: task resolver: bundles @@ -392,7 +392,7 @@ spec: - name: name value: clamav-scan - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-clamav-scan:0.1@sha256:144c1ab424cd9897a121ccd22e1e1bf25c0c95ff90d4a33278e42d8c183730f4 + value: quay.io/redhat-appstudio-tekton-catalog/task-clamav-scan:0.1@sha256:628847d30ce0dc05ce9c62ae1161ba54d27de125b59e867d485ca0e0c68e11e4 - name: kind value: task resolver: bundles @@ -414,7 +414,7 @@ spec: - name: name value: sbom-json-check - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-sbom-json-check:0.1@sha256:be8d2e7b52e14cccca0a8c78656f967a7c7b9d0ae4ead7ab2e19c629dfe67eda + value: quay.io/redhat-appstudio-tekton-catalog/task-sbom-json-check:0.1@sha256:e5202b2f610fcf36793e410336bd5b9764999abb29b3cd29007f6c68dd7725af - name: kind value: task resolver: bundles diff --git a/.tekton/scanner-pull-request.yaml b/.tekton/scanner-pull-request.yaml index 894a6cda4..7ea48d15d 100644 --- a/.tekton/scanner-pull-request.yaml +++ b/.tekton/scanner-pull-request.yaml 
@@ -85,7 +85,7 @@ spec: - name: name value: summary - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-summary:0.1@sha256:529f8c56d0e05122317fb8d9895a3dfc12390c889be9aaeb642b84b83a8fab52 + value: quay.io/redhat-appstudio-tekton-catalog/task-summary:0.1@sha256:789b3b20a7de149213d6fa7ac05af13229b1c34f74e1b93d1b42eb3d3df2d0d8 - name: kind value: task resolver: bundles @@ -303,7 +303,7 @@ spec: - name: name value: source-build - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-source-build:0.1@sha256:672fed833cf17deb402add8cd38b874f341ce1efdd83493250646f1a9727ed82 + value: quay.io/redhat-appstudio-tekton-catalog/task-source-build:0.1@sha256:e831f3e10362ecb21910f45ff48c3af1c0c8bea4858ca25f4f436153499f9802 - name: kind value: task resolver: bundles @@ -331,7 +331,7 @@ spec: - name: name value: deprecated-image-check - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-deprecated-image-check:0.3@sha256:724c2c0f59344f3b1d3fcf3b301d46c76436ecb5647e70e1b660766d5ec154cf + value: quay.io/redhat-appstudio-tekton-catalog/task-deprecated-image-check:0.3@sha256:ba55ff56b8718406278d72fd5e3de88da110dd4391aa7581923b8d219a29f841 - name: kind value: task resolver: bundles @@ -354,7 +354,7 @@ spec: - name: name value: clair-scan - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-clair-scan:0.1@sha256:9d0f4fa66c07ad3f1f37182c69244d94709d941f292e5d0f94c600a4eef88396 + value: quay.io/redhat-appstudio-tekton-catalog/task-clair-scan:0.1@sha256:5097b69c7b8ed19bbc09b3b119214305ed382a185aece344806875e6c43203b8 - name: kind value: task resolver: bundles 
@@ -372,7 +372,7 @@ spec: - name: name value: sast-snyk-check - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-sast-snyk-check:0.1@sha256:b5a5e50243ad18305b2ec2134fd1918fc8d85cd06ca9f17690c35ee7993954f6 + value: quay.io/redhat-appstudio-tekton-catalog/task-sast-snyk-check:0.1@sha256:422177f6fffa55284a30ddc4a26dca1462aee34a479529b9e2b52a5bb39606a4 - name: kind value: task resolver: bundles @@ -398,7 +398,7 @@ spec: - name: name value: clamav-scan - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-clamav-scan:0.1@sha256:144c1ab424cd9897a121ccd22e1e1bf25c0c95ff90d4a33278e42d8c183730f4 + value: quay.io/redhat-appstudio-tekton-catalog/task-clamav-scan:0.1@sha256:628847d30ce0dc05ce9c62ae1161ba54d27de125b59e867d485ca0e0c68e11e4 - name: kind value: task resolver: bundles @@ -421,7 +421,7 @@ spec: - name: name value: sbom-json-check - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-sbom-json-check:0.1@sha256:be8d2e7b52e14cccca0a8c78656f967a7c7b9d0ae4ead7ab2e19c629dfe67eda + value: quay.io/redhat-appstudio-tekton-catalog/task-sbom-json-check:0.1@sha256:e5202b2f610fcf36793e410336bd5b9764999abb29b3cd29007f6c68dd7725af - name: kind value: task resolver: bundles diff --git a/.tekton/scanner-push.yaml b/.tekton/scanner-push.yaml index ee8f65369..8a67f40bd 100644 --- a/.tekton/scanner-push.yaml +++ b/.tekton/scanner-push.yaml @@ -84,7 +84,7 @@ spec: - name: name value: summary - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-summary:0.1@sha256:529f8c56d0e05122317fb8d9895a3dfc12390c889be9aaeb642b84b83a8fab52 + value: quay.io/redhat-appstudio-tekton-catalog/task-summary:0.1@sha256:789b3b20a7de149213d6fa7ac05af13229b1c34f74e1b93d1b42eb3d3df2d0d8 - name: kind value: task resolver: bundles 
@@ -302,7 +302,7 @@ spec: - name: name value: source-build - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-source-build:0.1@sha256:672fed833cf17deb402add8cd38b874f341ce1efdd83493250646f1a9727ed82 + value: quay.io/redhat-appstudio-tekton-catalog/task-source-build:0.1@sha256:e831f3e10362ecb21910f45ff48c3af1c0c8bea4858ca25f4f436153499f9802 - name: kind value: task resolver: bundles @@ -330,7 +330,7 @@ spec: - name: name value: deprecated-image-check - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-deprecated-image-check:0.3@sha256:724c2c0f59344f3b1d3fcf3b301d46c76436ecb5647e70e1b660766d5ec154cf + value: quay.io/redhat-appstudio-tekton-catalog/task-deprecated-image-check:0.3@sha256:ba55ff56b8718406278d72fd5e3de88da110dd4391aa7581923b8d219a29f841 - name: kind value: task resolver: bundles @@ -353,7 +353,7 @@ spec: - name: name value: clair-scan - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-clair-scan:0.1@sha256:9d0f4fa66c07ad3f1f37182c69244d94709d941f292e5d0f94c600a4eef88396 + value: quay.io/redhat-appstudio-tekton-catalog/task-clair-scan:0.1@sha256:5097b69c7b8ed19bbc09b3b119214305ed382a185aece344806875e6c43203b8 - name: kind value: task resolver: bundles @@ -371,7 +371,7 @@ spec: - name: name value: sast-snyk-check - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-sast-snyk-check:0.1@sha256:b5a5e50243ad18305b2ec2134fd1918fc8d85cd06ca9f17690c35ee7993954f6 + value: quay.io/redhat-appstudio-tekton-catalog/task-sast-snyk-check:0.1@sha256:422177f6fffa55284a30ddc4a26dca1462aee34a479529b9e2b52a5bb39606a4 - name: kind value: task resolver: bundles 
@@ -397,7 +397,7 @@ spec: - name: name value: clamav-scan - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-clamav-scan:0.1@sha256:144c1ab424cd9897a121ccd22e1e1bf25c0c95ff90d4a33278e42d8c183730f4 + value: quay.io/redhat-appstudio-tekton-catalog/task-clamav-scan:0.1@sha256:628847d30ce0dc05ce9c62ae1161ba54d27de125b59e867d485ca0e0c68e11e4 - name: kind value: task resolver: bundles @@ -420,7 +420,7 @@ spec: - name: name value: sbom-json-check - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-sbom-json-check:0.1@sha256:be8d2e7b52e14cccca0a8c78656f967a7c7b9d0ae4ead7ab2e19c629dfe67eda + value: quay.io/redhat-appstudio-tekton-catalog/task-sbom-json-check:0.1@sha256:e5202b2f610fcf36793e410336bd5b9764999abb29b3cd29007f6c68dd7725af - name: kind value: task resolver: bundles diff --git a/.tekton/scanner-slim-pull-request.yaml b/.tekton/scanner-slim-pull-request.yaml index 72a334b9a..bf016c4fb 100644 --- a/.tekton/scanner-slim-pull-request.yaml +++ b/.tekton/scanner-slim-pull-request.yaml @@ -84,7 +84,7 @@ spec: - name: name value: summary - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-summary:0.1@sha256:529f8c56d0e05122317fb8d9895a3dfc12390c889be9aaeb642b84b83a8fab52 + value: quay.io/redhat-appstudio-tekton-catalog/task-summary:0.1@sha256:789b3b20a7de149213d6fa7ac05af13229b1c34f74e1b93d1b42eb3d3df2d0d8 - name: kind value: task resolver: bundles @@ -298,7 +298,7 @@ spec: - name: name value: source-build - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-source-build:0.1@sha256:672fed833cf17deb402add8cd38b874f341ce1efdd83493250646f1a9727ed82 + value: quay.io/redhat-appstudio-tekton-catalog/task-source-build:0.1@sha256:e831f3e10362ecb21910f45ff48c3af1c0c8bea4858ca25f4f436153499f9802 - name: kind value: task resolver: bundles 
@@ -325,7 +325,7 @@ spec: - name: name value: deprecated-image-check - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-deprecated-image-check:0.3@sha256:724c2c0f59344f3b1d3fcf3b301d46c76436ecb5647e70e1b660766d5ec154cf + value: quay.io/redhat-appstudio-tekton-catalog/task-deprecated-image-check:0.3@sha256:ba55ff56b8718406278d72fd5e3de88da110dd4391aa7581923b8d219a29f841 - name: kind value: task resolver: bundles @@ -347,7 +347,7 @@ spec: - name: name value: clair-scan - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-clair-scan:0.1@sha256:9d0f4fa66c07ad3f1f37182c69244d94709d941f292e5d0f94c600a4eef88396 + value: quay.io/redhat-appstudio-tekton-catalog/task-clair-scan:0.1@sha256:5097b69c7b8ed19bbc09b3b119214305ed382a185aece344806875e6c43203b8 - name: kind value: task resolver: bundles @@ -364,7 +364,7 @@ spec: - name: name value: sast-snyk-check - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-sast-snyk-check:0.1@sha256:b5a5e50243ad18305b2ec2134fd1918fc8d85cd06ca9f17690c35ee7993954f6 + value: quay.io/redhat-appstudio-tekton-catalog/task-sast-snyk-check:0.1@sha256:422177f6fffa55284a30ddc4a26dca1462aee34a479529b9e2b52a5bb39606a4 - name: kind value: task resolver: bundles @@ -389,7 +389,7 @@ spec: - name: name value: clamav-scan - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-clamav-scan:0.1@sha256:144c1ab424cd9897a121ccd22e1e1bf25c0c95ff90d4a33278e42d8c183730f4 + value: quay.io/redhat-appstudio-tekton-catalog/task-clamav-scan:0.1@sha256:628847d30ce0dc05ce9c62ae1161ba54d27de125b59e867d485ca0e0c68e11e4 - name: kind value: task resolver: bundles 
@@ -411,7 +411,7 @@ spec: - name: name value: sbom-json-check - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-sbom-json-check:0.1@sha256:be8d2e7b52e14cccca0a8c78656f967a7c7b9d0ae4ead7ab2e19c629dfe67eda + value: quay.io/redhat-appstudio-tekton-catalog/task-sbom-json-check:0.1@sha256:e5202b2f610fcf36793e410336bd5b9764999abb29b3cd29007f6c68dd7725af - name: kind value: task resolver: bundles diff --git a/.tekton/scanner-slim-push.yaml b/.tekton/scanner-slim-push.yaml index fcfa419e4..8b8a80ff2 100644 --- a/.tekton/scanner-slim-push.yaml +++ b/.tekton/scanner-slim-push.yaml @@ -83,7 +83,7 @@ spec: - name: name value: summary - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-summary:0.1@sha256:529f8c56d0e05122317fb8d9895a3dfc12390c889be9aaeb642b84b83a8fab52 + value: quay.io/redhat-appstudio-tekton-catalog/task-summary:0.1@sha256:789b3b20a7de149213d6fa7ac05af13229b1c34f74e1b93d1b42eb3d3df2d0d8 - name: kind value: task resolver: bundles @@ -297,7 +297,7 @@ spec: - name: name value: source-build - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-source-build:0.1@sha256:672fed833cf17deb402add8cd38b874f341ce1efdd83493250646f1a9727ed82 + value: quay.io/redhat-appstudio-tekton-catalog/task-source-build:0.1@sha256:e831f3e10362ecb21910f45ff48c3af1c0c8bea4858ca25f4f436153499f9802 - name: kind value: task resolver: bundles @@ -324,7 +324,7 @@ spec: - name: name value: deprecated-image-check - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-deprecated-image-check:0.3@sha256:724c2c0f59344f3b1d3fcf3b301d46c76436ecb5647e70e1b660766d5ec154cf + value: quay.io/redhat-appstudio-tekton-catalog/task-deprecated-image-check:0.3@sha256:ba55ff56b8718406278d72fd5e3de88da110dd4391aa7581923b8d219a29f841 - name: kind value: task resolver: bundles 
@@ -346,7 +346,7 @@ spec: - name: name value: clair-scan - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-clair-scan:0.1@sha256:9d0f4fa66c07ad3f1f37182c69244d94709d941f292e5d0f94c600a4eef88396 + value: quay.io/redhat-appstudio-tekton-catalog/task-clair-scan:0.1@sha256:5097b69c7b8ed19bbc09b3b119214305ed382a185aece344806875e6c43203b8 - name: kind value: task resolver: bundles @@ -363,7 +363,7 @@ spec: - name: name value: sast-snyk-check - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-sast-snyk-check:0.1@sha256:b5a5e50243ad18305b2ec2134fd1918fc8d85cd06ca9f17690c35ee7993954f6 + value: quay.io/redhat-appstudio-tekton-catalog/task-sast-snyk-check:0.1@sha256:422177f6fffa55284a30ddc4a26dca1462aee34a479529b9e2b52a5bb39606a4 - name: kind value: task resolver: bundles @@ -388,7 +388,7 @@ spec: - name: name value: clamav-scan - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-clamav-scan:0.1@sha256:144c1ab424cd9897a121ccd22e1e1bf25c0c95ff90d4a33278e42d8c183730f4 + value: quay.io/redhat-appstudio-tekton-catalog/task-clamav-scan:0.1@sha256:628847d30ce0dc05ce9c62ae1161ba54d27de125b59e867d485ca0e0c68e11e4 - name: kind value: task resolver: bundles @@ -410,7 +410,7 @@ spec: - name: name value: sbom-json-check - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-sbom-json-check:0.1@sha256:be8d2e7b52e14cccca0a8c78656f967a7c7b9d0ae4ead7ab2e19c629dfe67eda + value: quay.io/redhat-appstudio-tekton-catalog/task-sbom-json-check:0.1@sha256:e5202b2f610fcf36793e410336bd5b9764999abb29b3cd29007f6c68dd7725af - name: kind value: task resolver: bundles From f339e676d57907e933c0ce39b1f8a67f4f99e170 Mon Sep 17 00:00:00 2001 From: Tom Martensen Date: Mon, 4 Mar 2024 12:31:29 +0100 Subject: [PATCH 04/22] only fetch support package files required for -slim --- .tekton/scanner-slim-pull-request.yaml | 2 -- .tekton/scanner-slim-push.yaml | 2 -- 2 files changed, 4 deletions(-) 
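Review bot: Despite the subject "update rhtap references", every digest in these six files moves back to the value patch 01 started from (e.g. `task-summary:0.1@sha256:529f…` → `@sha256:789b…`, `task-source-build` `672fed…` → `e831f3…`), i.e. this commit reverts the pins the previous commit advanced. Whether the older digests are the intended ones cannot be told from the diff; before merging, confirm which digest the catalog currently publishes for each task, since a bot PR that rolls digest pins backwards without saying so is exactly the pattern a supply-chain attacker would use, and the reason should at least be stated in the description.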
diff --git a/.tekton/scanner-slim-pull-request.yaml b/.tekton/scanner-slim-pull-request.yaml index 72a334b9a..7d7e1ffb9 100644 --- a/.tekton/scanner-slim-pull-request.yaml +++ b/.tekton/scanner-slim-pull-request.yaml @@ -241,8 +241,6 @@ spec: #!/usr/bin/env bash "$(workspaces.source.path)/source/scripts/konflux/fetch-scanner-data.sh" \ "$(workspaces.source.path)/source" \ - nvd-definitions.zip \ - k8s-definitions.zip \ repo2cpe.zip \ genesis_manifests.json workspaces: diff --git a/.tekton/scanner-slim-push.yaml b/.tekton/scanner-slim-push.yaml index fcfa419e4..331ef70fa 100644 --- a/.tekton/scanner-slim-push.yaml +++ b/.tekton/scanner-slim-push.yaml @@ -240,8 +240,6 @@ spec: #!/usr/bin/env bash "$(workspaces.source.path)/source/scripts/konflux/fetch-scanner-data.sh" \ "$(workspaces.source.path)/source" \ - nvd-definitions.zip \ - k8s-definitions.zip \ repo2cpe.zip \ genesis_manifests.json workspaces: From d01c84f7ff31ab12ea3754386ce0018f219e7f75 Mon Sep 17 00:00:00 2001 From: Tom Martensen Date: Mon, 4 Mar 2024 12:37:53 +0100 Subject: [PATCH 05/22] use separate dockerfile for -slim --- .tekton/scanner-slim-pull-request.yaml | 2 +- .tekton/scanner-slim-push.yaml | 2 +- image/scanner/rhel/konflux-slim.Dockerfile | 73 ++++++++++++++++++++++ 3 files changed, 75 insertions(+), 2 deletions(-) create mode 100644 image/scanner/rhel/konflux-slim.Dockerfile diff --git a/.tekton/scanner-slim-pull-request.yaml b/.tekton/scanner-slim-pull-request.yaml index 7d7e1ffb9..4ed3fa16e 100644 --- a/.tekton/scanner-slim-pull-request.yaml +++ b/.tekton/scanner-slim-pull-request.yaml @@ -19,7 +19,7 @@ metadata: spec: params: - name: dockerfile - value: image/scanner/rhel/konflux.Dockerfile + value: image/scanner/rhel/konflux-slim.Dockerfile - name: git-url value: '{{repo_url}}' - name: image-expires-after diff --git a/.tekton/scanner-slim-push.yaml b/.tekton/scanner-slim-push.yaml index 331ef70fa..256d3c4ba 100644 --- a/.tekton/scanner-slim-push.yaml +++ b/.tekton/scanner-slim-push.yaml 
@@ -17,7 +17,7 @@ metadata: spec: params: - name: dockerfile - value: image/scanner/rhel/konflux.Dockerfile + value: image/scanner/rhel/konflux-slim.Dockerfile - name: git-url value: '{{repo_url}}' - name: image-expires-after diff --git a/image/scanner/rhel/konflux-slim.Dockerfile b/image/scanner/rhel/konflux-slim.Dockerfile new file mode 100644 index 000000000..cc7d6cd23 --- /dev/null +++ b/image/scanner/rhel/konflux-slim.Dockerfile 
@@ -0,0 +1,73 @@
+ARG BASE_REGISTRY=registry.access.redhat.com
+ARG BASE_IMAGE=ubi8-minimal
+ARG BASE_TAG=latest
+
+FROM brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_8_1.20 as builder
+
+ENV CGO_ENABLED=1
+ENV GOFLAGS=""
+ENV CI=1
+
+COPY . /src
+WORKDIR /src
+
+RUN scripts/konflux/fail-build-if-git-is-dirty.sh
+
+RUN unzip -j blob-repo2cpe.zip -d image/scanner/dump/repo2cpe
+
+RUN echo -n "version: " && scripts/konflux/version.sh && \
+ go build -trimpath -ldflags="-X github.com/stackrox/scanner/pkg/version.Version=$(scripts/konflux/version.sh)" -o image/scanner/bin/scanner ./cmd/clair
+
+# Replace genesis manifests file in the source code with the one generated at
+# the point when the dump was taken. This is to avoid discrepancy between other
+# files of the dump and the manifest.
+COPY ./blob-genesis_manifests.json image/scanner/dump/genesis_manifests.json
+
+FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}
+
+LABEL \
+ com.redhat.component="rhacs-scanner-slim-container" \
+ com.redhat.license_terms="https://www.redhat.com/agreements" \
+ description="This image supports image scanning for RHACS" \
+ io.k8s.description="This image supports image scanning for RHACS" \
+ io.k8s.display-name="scanner-slim" \
+ io.openshift.tags="rhacs,scanner,stackrox" \
+ maintainer="Red Hat, Inc." \
+ name="rhacs-scanner-slim-rhel8" \
+ source-location="https://github.com/stackrox/scanner" \
+ summary="The image scanner for RHACS" \
+ url="https://catalog.redhat.com/software/container-stacks/detail/60eefc88ee05ae7c5b8f041c" \
+ # We must set version label to prevent inheriting value set in the base stage.
+ # TODO(ROX-20236): configure injection of dynamic version value when it becomes possible.
+ version="0.0.1-todo"
+
+SHELL ["/bin/sh", "-o", "pipefail", "-c"]
+
+ENV REPO_TO_CPE_DIR="/repo2cpe"
+
+COPY --from=builder /src/image/scanner/scripts /
+COPY --from=builder /src/image/scanner/bin/scanner ./
+COPY --chown=65534:65534 --from=builder "/src/image/scanner/dump${REPO_TO_CPE_DIR}/" ".${REPO_TO_CPE_DIR}/"
+COPY --chown=65534:65534 --from=builder /src/image/scanner/dump/genesis_manifests.json ./
+
+RUN microdnf upgrade --nobest && \
+ microdnf install xz && \
+ microdnf clean all && \
+ # (Optional) Remove line below to keep package management utilities
+ # We don't uninstall rpm because scanner uses it to get packages installed in scanned images.
+ rpm -e --nodeps $(rpm -qa curl '*dnf*' '*libsolv*' '*hawkey*' 'yum*') && \
+ rm -rf /var/cache/dnf /var/cache/yum && \
+ chown -R 65534:65534 /tmp && \
+ # The contents of paths mounted as emptyDir volumes in Kubernetes are saved
+ # by the script `save-dir-contents` during the image build. The directory
+ # contents are then restored by the script `restore-all-dir-contents`
+ # during the container start.
+ chown -R 65534:65534 /etc/pki /etc/ssl && \
+ /save-dir-contents /etc/pki/ca-trust /etc/ssl
+
+# This is equivalent to nobody:nobody.
+USER 65534:65534
+
+ENV ROX_SLIM_MODE="true"
+
+ENTRYPOINT ["/entrypoint.sh"]
From 705a24bcc55062a4f41ced3dda8c173b8a9c5478 Mon Sep 17 00:00:00 2001
From: Tom Martensen
Date: Mon, 4 Mar 2024 12:53:51 +0100
Subject: [PATCH 06/22] ignore changes to all Konflux dockerfiles
---
scripts/konflux/fail-build-if-git-is-dirty.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/konflux/fail-build-if-git-is-dirty.sh b/scripts/konflux/fail-build-if-git-is-dirty.sh
index 4ea829b66..afd2d803e 100755
--- a/scripts/konflux/fail-build-if-git-is-dirty.sh
+++ b/scripts/konflux/fail-build-if-git-is-dirty.sh
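Review bot: Both base images in this Dockerfile are referenced by mutable tags — `ubi8-minimal:latest` via the `ARG BASE_TAG=latest` default and `openshift-golang-builder:rhel_8_1.20` in the builder `FROM` — whereas every Tekton task bundle in the same series is pinned by sha256 digest; pin both `FROM` lines by digest (e.g. `FROM registry.access.redhat.com/ubi8-minimal@sha256:<digest>`) so the built image and its SBOM refer to a fixed base. `microdnf upgrade --nobest` at build time has the same non-reproducibility effect and will not work if these builds are meant to run hermetically, since the RPMs would then have to be prefetched. The `chown -R 65534:65534 /etc/pki /etc/ssl` makes the CA trust store writable by the runtime user; that looks required by the `save-dir-contents`/`restore-all-dir-contents` emptyDir scheme the comment describes, but it means a compromised scanner process can alter its own trust anchors, which is worth stating explicitly in that comment. `unzip -j blob-repo2cpe.zip` consumes a file fetched by the pipeline's `fetch-vuln-feed-data` task and no checksum verification is visible here, so confirm that `fetch-scanner-data.sh` verifies the download before it is baked into the image.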
@@ -16,7 +16,7 @@ set -euo pipefail if [[ -f /cachi2/cachi2.env ]]; then # We can safely restore dockerfiles because the modified version of dockerfile interpreted by docker/buildah stays # outside, and these are local copies inside of the build context. - git restore "**/konflux.Dockerfile" + git restore "**/konflux*.Dockerfile" fi # Next, make sure no other things that make it `-dirty` slipped through. If they did, fail the build. From 58b4abf68f74436b55d2e5c4772be27779ec2adf Mon Sep 17 00:00:00 2001 From: Tom Martensen Date: Mon, 4 Mar 2024 13:20:08 +0100 Subject: [PATCH 07/22] single stage --- .tekton/scanner-pull-request.yaml | 2 + .tekton/scanner-push.yaml | 2 + .tekton/scanner-slim-pull-request.yaml | 2 + .tekton/scanner-slim-push.yaml | 2 + image/scanner/rhel/konflux-slim.Dockerfile | 73 ------------------- image/scanner/rhel/konflux.Dockerfile | 66 +++++++++++------ scripts/konflux/fail-build-if-git-is-dirty.sh | 2 +- 7 files changed, 54 insertions(+), 95 deletions(-) delete mode 100644 image/scanner/rhel/konflux-slim.Dockerfile diff --git a/.tekton/scanner-pull-request.yaml b/.tekton/scanner-pull-request.yaml index 7ea48d15d..014e7f3ae 100644 --- a/.tekton/scanner-pull-request.yaml +++ b/.tekton/scanner-pull-request.yaml @@ -269,6 +269,8 @@ spec: value: $(params.image-expires-after) - name: COMMIT_SHA value: $(tasks.clone-repository.results.commit) + - name: TARGET_STAGE + value: scanner runAfter: - prefetch-dependencies - fetch-vuln-feed-data diff --git a/.tekton/scanner-push.yaml b/.tekton/scanner-push.yaml index 8a67f40bd..ca665c5b4 100644 --- a/.tekton/scanner-push.yaml +++ b/.tekton/scanner-push.yaml @@ -268,6 +268,8 @@ spec: value: $(params.image-expires-after) - name: COMMIT_SHA value: $(tasks.clone-repository.results.commit) + - name: TARGET_STAGE + value: scanner-slim runAfter: - prefetch-dependencies - fetch-vuln-feed-data 
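Review bot: Widening the pathspec to `**/konflux*.Dockerfile` means any modification to any file matching that glob is silently reverted before the dirty check, not only cachi2's rewrite of the known Dockerfiles; the `if [[ -f /cachi2/cachi2.env ]]` branch this sits in starts outside the hunk. Consider restoring the expected files by explicit path rather than by glob, and printing `git diff --stat -- '**/konflux*.Dockerfile'` before the `git restore` so an unexpected Dockerfile change is at least visible in the build log instead of being discarded unseen.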
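Review bot: `.tekton/scanner-push.yaml` sets `TARGET_STAGE` to `scanner-slim`, whereas the sibling `.tekton/scanner-pull-request.yaml` hunk in this same commit sets it to `scanner`; unless that is intentional, pushes of the full scanner component would build the slim stage and publish it under the `scanner` image name. Change the push pipeline to `value: scanner` to match the PR pipeline, and consider a comment beside the param, `# must match a stage name in image/scanner/rhel/konflux.Dockerfile`, since this value silently selects which image ships.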
diff --git a/.tekton/scanner-slim-pull-request.yaml b/.tekton/scanner-slim-pull-request.yaml index 91327f179..e59d07bf6 100644 --- a/.tekton/scanner-slim-pull-request.yaml +++ b/.tekton/scanner-slim-pull-request.yaml @@ -263,6 +263,8 @@ spec: value: $(params.image-expires-after) - name: COMMIT_SHA value: $(tasks.clone-repository.results.commit) + - name: TARGET_STAGE + value: scanner-slim runAfter: - prefetch-dependencies - fetch-vuln-feed-data diff --git a/.tekton/scanner-slim-push.yaml b/.tekton/scanner-slim-push.yaml index d3606d8e2..92d6618af 100644 --- a/.tekton/scanner-slim-push.yaml +++ b/.tekton/scanner-slim-push.yaml @@ -262,6 +262,8 @@ spec: value: $(params.image-expires-after) - name: COMMIT_SHA value: $(tasks.clone-repository.results.commit) + - name: TARGET_STAGE + value: scanner-slim runAfter: - prefetch-dependencies - fetch-vuln-feed-data diff --git a/image/scanner/rhel/konflux-slim.Dockerfile b/image/scanner/rhel/konflux-slim.Dockerfile deleted file mode 100644 index cc7d6cd23..000000000 --- a/image/scanner/rhel/konflux-slim.Dockerfile +++ /dev/null 
@@ -1,73 +0,0 @@ -ARG BASE_REGISTRY=registry.access.redhat.com -ARG BASE_IMAGE=ubi8-minimal -ARG BASE_TAG=latest - -FROM brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_8_1.20 as builder - -ENV CGO_ENABLED=1 -ENV GOFLAGS="" -ENV CI=1 - -COPY . /src -WORKDIR /src - -RUN scripts/konflux/fail-build-if-git-is-dirty.sh - -RUN unzip -j blob-repo2cpe.zip -d image/scanner/dump/repo2cpe - -RUN echo -n "version: " && scripts/konflux/version.sh && \ - go build -trimpath -ldflags="-X github.com/stackrox/scanner/pkg/version.Version=$(scripts/konflux/version.sh)" -o image/scanner/bin/scanner ./cmd/clair - -# Replace genesis manifests file in the source code with the one generated at -# the point when the dump was taken. This is to avoid discrepancy between other -# files of the dump and the manifest. -COPY ./blob-genesis_manifests.json image/scanner/dump/genesis_manifests.json - -FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} - -LABEL \ - com.redhat.component="rhacs-scanner-slim-container" \ - com.redhat.license_terms="https://www.redhat.com/agreements" \ - description="This image supports image scanning for RHACS" \ - io.k8s.description="This image supports image scanning for RHACS" \ - io.k8s.display-name="scanner-slim" \ - io.openshift.tags="rhacs,scanner,stackrox" \ - maintainer="Red Hat, Inc." \ - name="rhacs-scanner-slim-rhel8" \ - source-location="https://github.com/stackrox/scanner" \ - summary="The image scanner for RHACS" \ - url="https://catalog.redhat.com/software/container-stacks/detail/60eefc88ee05ae7c5b8f041c" \ - # We must set version label to prevent inheriting value set in the base stage. - # TODO(ROX-20236): configure injection of dynamic version value when it becomes possible. 
- version="0.0.1-todo" - -SHELL ["/bin/sh", "-o", "pipefail", "-c"] - -ENV REPO_TO_CPE_DIR="/repo2cpe" - -COPY --from=builder /src/image/scanner/scripts / -COPY --from=builder /src/image/scanner/bin/scanner ./ -COPY --chown=65534:65534 --from=builder "/src/image/scanner/dump${REPO_TO_CPE_DIR}/" ".${REPO_TO_CPE_DIR}/" -COPY --chown=65534:65534 --from=builder /src/image/scanner/dump/genesis_manifests.json ./ - -RUN microdnf upgrade --nobest && \ - microdnf install xz && \ - microdnf clean all && \ - # (Optional) Remove line below to keep package management utilities - # We don't uninstall rpm because scanner uses it to get packages installed in scanned images. - rpm -e --nodeps $(rpm -qa curl '*dnf*' '*libsolv*' '*hawkey*' 'yum*') && \ - rm -rf /var/cache/dnf /var/cache/yum && \ - chown -R 65534:65534 /tmp && \ - # The contents of paths mounted as emptyDir volumes in Kubernetes are saved - # by the script `save-dir-contents` during the image build. The directory - # contents are then restored by the script `restore-all-dir-contents` - # during the container start. - chown -R 65534:65534 /etc/pki /etc/ssl && \ - /save-dir-contents /etc/pki/ca-trust /etc/ssl - -# This is equivalent to nobody:nobody. -USER 65534:65534 - -ENV ROX_SLIM_MODE="true" - -ENTRYPOINT ["/entrypoint.sh"] diff --git a/image/scanner/rhel/konflux.Dockerfile b/image/scanner/rhel/konflux.Dockerfile index 066fb6dfd..9e6372f82 100644 --- a/image/scanner/rhel/konflux.Dockerfile +++ b/image/scanner/rhel/konflux.Dockerfile 
@@ -25,34 +25,14 @@ RUN echo -n "version: " && scripts/konflux/version.sh && \ # files of the dump and the manifest. COPY ./blob-genesis_manifests.json image/scanner/dump/genesis_manifests.json -FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} - -LABEL \ - com.redhat.component="rhacs-scanner-container" \ - com.redhat.license_terms="https://www.redhat.com/agreements" \ - description="This image supports image scanning for RHACS" \ - io.k8s.description="This image supports image scanning for RHACS" \ - io.k8s.display-name="scanner" \ - io.openshift.tags="rhacs,scanner,stackrox" \ - maintainer="Red Hat, Inc." \ - name="rhacs-scanner-rhel8" \ - source-location="https://github.com/stackrox/scanner" \ - summary="The image scanner for RHACS" \ - url="https://catalog.redhat.com/software/container-stacks/detail/60eefc88ee05ae7c5b8f041c" \ - # We must set version label to prevent inheriting value set in the base stage. - # TODO(ROX-20236): configure injection of dynamic version value when it becomes possible. - version="0.0.1-todo" +FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} as scanner-base SHELL ["/bin/sh", "-o", "pipefail", "-c"] -ENV NVD_DEFINITIONS_DIR="/nvd_definitions" -ENV K8S_DEFINITIONS_DIR="/k8s_definitions" ENV REPO_TO_CPE_DIR="/repo2cpe" COPY --from=builder /src/image/scanner/scripts / COPY --from=builder /src/image/scanner/bin/scanner ./ -COPY --chown=65534:65534 --from=builder "/src/image/scanner/dump${NVD_DEFINITIONS_DIR}/" ".${NVD_DEFINITIONS_DIR}/" -COPY --chown=65534:65534 --from=builder "/src/image/scanner/dump${K8S_DEFINITIONS_DIR}/" ".${K8S_DEFINITIONS_DIR}/" COPY --chown=65534:65534 --from=builder "/src/image/scanner/dump${REPO_TO_CPE_DIR}/" ".${REPO_TO_CPE_DIR}/" COPY --chown=65534:65534 --from=builder /src/image/scanner/dump/genesis_manifests.json ./ 
@@ -75,3 +55,47 @@ RUN microdnf upgrade --nobest && \ USER 65534:65534 ENTRYPOINT ["/entrypoint.sh"] + +FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} as scanner-slim + +LABEL \ + com.redhat.component="rhacs-scanner-slim-container" \ + com.redhat.license_terms="https://www.redhat.com/agreements" \ + description="This image supports image scanning for RHACS" \ + io.k8s.description="This image supports image scanning for RHACS" \ + io.k8s.display-name="scanner-slim" \ + io.openshift.tags="rhacs,scanner,stackrox" \ + maintainer="Red Hat, Inc." \ + name="rhacs-scanner-slim-rhel8" \ + source-location="https://github.com/stackrox/scanner" \ + summary="The image scanner for RHACS" \ + url="https://catalog.redhat.com/software/container-stacks/detail/60eefc88ee05ae7c5b8f041c" \ + # We must set version label to prevent inheriting value set in the base stage. + # TODO(ROX-20236): configure injection of dynamic version value when it becomes possible. + version="0.0.1-todo" + +ENV ROX_SLIM_MODE="true" + +FROM scanner-base as scanner + +LABEL \ + com.redhat.component="rhacs-scanner-container" \ + com.redhat.license_terms="https://www.redhat.com/agreements" \ + description="This image supports image scanning for RHACS" \ + io.k8s.description="This image supports image scanning for RHACS" \ + io.k8s.display-name="scanner" \ + io.openshift.tags="rhacs,scanner,stackrox" \ + maintainer="Red Hat, Inc." \ + name="rhacs-scanner-rhel8" \ + source-location="https://github.com/stackrox/scanner" \ + summary="The image scanner for RHACS" \ + url="https://catalog.redhat.com/software/container-stacks/detail/60eefc88ee05ae7c5b8f041c" \ + # We must set version label to prevent inheriting value set in the base stage. + # TODO(ROX-20236): configure injection of dynamic version value when it becomes possible. 
+ version="0.0.1-todo" + +ENV NVD_DEFINITIONS_DIR="/nvd_definitions" +ENV K8S_DEFINITIONS_DIR="/k8s_definitions" + +COPY --chown=65534:65534 --from=builder "/src/image/scanner/dump${NVD_DEFINITIONS_DIR}/" ".${NVD_DEFINITIONS_DIR}/" +COPY --chown=65534:65534 --from=builder "/src/image/scanner/dump${K8S_DEFINITIONS_DIR}/" ".${K8S_DEFINITIONS_DIR}/" diff --git a/scripts/konflux/fail-build-if-git-is-dirty.sh b/scripts/konflux/fail-build-if-git-is-dirty.sh index afd2d803e..4ea829b66 100755 --- a/scripts/konflux/fail-build-if-git-is-dirty.sh +++ b/scripts/konflux/fail-build-if-git-is-dirty.sh @@ -16,7 +16,7 @@ set -euo pipefail if [[ -f /cachi2/cachi2.env ]]; then # We can safely restore dockerfiles because the modified version of dockerfile interpreted by docker/buildah stays # outside, and these are local copies inside of the build context. - git restore "**/konflux*.Dockerfile" + git restore "**/konflux.Dockerfile" fi # Next, make sure no other things that make it `-dirty` slipped through. If they did, fail the build. From 63f4439b774788ec141b9968df60e94238944103 Mon Sep 17 00:00:00 2001 From: Tom Martensen Date: Mon, 4 Mar 2024 13:21:00 +0100 Subject: [PATCH 08/22] fix --- .tekton/scanner-push.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.tekton/scanner-push.yaml b/.tekton/scanner-push.yaml index ca665c5b4..218d81bc6 100644 --- a/.tekton/scanner-push.yaml +++ b/.tekton/scanner-push.yaml @@ -269,7 +269,7 @@ spec: - name: COMMIT_SHA value: $(tasks.clone-repository.results.commit) - name: TARGET_STAGE - value: scanner-slim + value: scanner runAfter: - prefetch-dependencies - fetch-vuln-feed-data From 758e3aa03140821649bc8247782907b2bf111bab Mon Sep 17 00:00:00 2001 From: Tom Martensen Date: Mon, 4 Mar 2024 13:24:15 +0100 Subject: [PATCH 09/22] another fix --- .tekton/scanner-slim-pull-request.yaml | 2 +- .tekton/scanner-slim-push.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/.tekton/scanner-slim-pull-request.yaml b/.tekton/scanner-slim-pull-request.yaml index e59d07bf6..f21ca2865 100644 --- a/.tekton/scanner-slim-pull-request.yaml +++ b/.tekton/scanner-slim-pull-request.yaml @@ -19,7 +19,7 @@ metadata: spec: params: - name: dockerfile - value: image/scanner/rhel/konflux-slim.Dockerfile + value: image/scanner/rhel/konflux.Dockerfile - name: git-url value: '{{repo_url}}' - name: image-expires-after diff --git a/.tekton/scanner-slim-push.yaml b/.tekton/scanner-slim-push.yaml index 92d6618af..5de7ae2c3 100644 --- a/.tekton/scanner-slim-push.yaml +++ b/.tekton/scanner-slim-push.yaml @@ -17,7 +17,7 @@ metadata: spec: params: - name: dockerfile - value: image/scanner/rhel/konflux-slim.Dockerfile + value: image/scanner/rhel/konflux.Dockerfile - name: git-url value: '{{repo_url}}' - name: image-expires-after From c90271b4491c62ae53db44a92174c230b1e6a376 Mon Sep 17 00:00:00 2001 From: Tom Martensen Date: Mon, 4 Mar 2024 13:43:15 +0100 Subject: [PATCH 10/22] more dedup for labels --- image/scanner/rhel/konflux.Dockerfile | 41 +++++++++++---------------- 1 file changed, 16 insertions(+), 25 deletions(-) diff --git a/image/scanner/rhel/konflux.Dockerfile b/image/scanner/rhel/konflux.Dockerfile index 9e6372f82..e593e2575 100644 --- a/image/scanner/rhel/konflux.Dockerfile +++ b/image/scanner/rhel/konflux.Dockerfile 
@@ -27,6 +27,19 @@ COPY ./blob-genesis_manifests.json image/scanner/dump/genesis_manifests.json FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} as scanner-base +LABEL \ + com.redhat.license_terms="https://www.redhat.com/agreements" \ + description="This image supports image scanning for RHACS" \ + io.k8s.description="This image supports image scanning for RHACS" \ + io.openshift.tags="rhacs,scanner,stackrox" \ + maintainer="Red Hat, Inc." \ + source-location="https://github.com/stackrox/scanner" \ + summary="The image scanner for RHACS" \ + url="https://catalog.redhat.com/software/container-stacks/detail/60eefc88ee05ae7c5b8f041c" \ + # We must set version label to prevent inheriting value set in the base stage. + # TODO(ROX-20236): configure injection of dynamic version value when it becomes possible. + version="0.0.1-todo" + SHELL ["/bin/sh", "-o", "pipefail", "-c"] ENV REPO_TO_CPE_DIR="/repo2cpe" @@ -56,23 +69,12 @@ USER 65534:65534 ENTRYPOINT ["/entrypoint.sh"] -FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} as scanner-slim +FROM scanner-base as scanner-slim LABEL \ com.redhat.component="rhacs-scanner-slim-container" \ - com.redhat.license_terms="https://www.redhat.com/agreements" \ - description="This image supports image scanning for RHACS" \ - io.k8s.description="This image supports image scanning for RHACS" \ io.k8s.display-name="scanner-slim" \ - io.openshift.tags="rhacs,scanner,stackrox" \ - maintainer="Red Hat, Inc." \ - name="rhacs-scanner-slim-rhel8" \ - source-location="https://github.com/stackrox/scanner" \ - summary="The image scanner for RHACS" \ - url="https://catalog.redhat.com/software/container-stacks/detail/60eefc88ee05ae7c5b8f041c" \ - # We must set version label to prevent inheriting value set in the base stage. - # TODO(ROX-20236): configure injection of dynamic version value when it becomes possible. - version="0.0.1-todo" + name="rhacs-scanner-slim-rhel8" ENV ROX_SLIM_MODE="true" 
@@ -80,19 +82,8 @@ FROM scanner-base as scanner LABEL \ com.redhat.component="rhacs-scanner-container" \ - com.redhat.license_terms="https://www.redhat.com/agreements" \ - description="This image supports image scanning for RHACS" \ - io.k8s.description="This image supports image scanning for RHACS" \ io.k8s.display-name="scanner" \ - io.openshift.tags="rhacs,scanner,stackrox" \ - maintainer="Red Hat, Inc." \ - name="rhacs-scanner-rhel8" \ - source-location="https://github.com/stackrox/scanner" \ - summary="The image scanner for RHACS" \ - url="https://catalog.redhat.com/software/container-stacks/detail/60eefc88ee05ae7c5b8f041c" \ - # We must set version label to prevent inheriting value set in the base stage. - # TODO(ROX-20236): configure injection of dynamic version value when it becomes possible. - version="0.0.1-todo" + name="rhacs-scanner-rhel8" ENV NVD_DEFINITIONS_DIR="/nvd_definitions" ENV K8S_DEFINITIONS_DIR="/k8s_definitions" From b977d622f38820786c5aad6f65004dd6beb4c2ad Mon Sep 17 00:00:00 2001 From: Tom Martensen Date: Mon, 4 Mar 2024 14:06:46 +0100 Subject: [PATCH 11/22] download all --- .tekton/scanner-slim-pull-request.yaml | 2 ++ .tekton/scanner-slim-push.yaml | 2 ++ 2 files changed, 4 insertions(+) diff --git a/.tekton/scanner-slim-pull-request.yaml b/.tekton/scanner-slim-pull-request.yaml index f21ca2865..3bbd4434f 100644 --- a/.tekton/scanner-slim-pull-request.yaml +++ b/.tekton/scanner-slim-pull-request.yaml @@ -241,6 +241,8 @@ spec: #!/usr/bin/env bash "$(workspaces.source.path)/source/scripts/konflux/fetch-scanner-data.sh" \ "$(workspaces.source.path)/source" \ + nvd-definitions.zip \ + k8s-definitions.zip \ repo2cpe.zip \ genesis_manifests.json workspaces: diff --git a/.tekton/scanner-slim-push.yaml b/.tekton/scanner-slim-push.yaml index 5de7ae2c3..95e42d900 100644 --- a/.tekton/scanner-slim-push.yaml +++ b/.tekton/scanner-slim-push.yaml 
@@ -240,6 +240,8 @@ spec: #!/usr/bin/env bash "$(workspaces.source.path)/source/scripts/konflux/fetch-scanner-data.sh" \ "$(workspaces.source.path)/source" \ + nvd-definitions.zip \ + k8s-definitions.zip \ repo2cpe.zip \ genesis_manifests.json workspaces: From 75c764737adc81cc5fcc2ff836aef9a4f0875108 Mon Sep 17 00:00:00 2001 From: Tom Martensen Date: Mon, 4 Mar 2024 14:54:07 +0100 Subject: [PATCH 12/22] re-org builder stages --- .tekton/scanner-slim-pull-request.yaml | 2 -- .tekton/scanner-slim-push.yaml | 2 -- image/scanner/rhel/konflux.Dockerfile | 19 +++++++++++-------- 3 files changed, 11 insertions(+), 12 deletions(-) diff --git a/.tekton/scanner-slim-pull-request.yaml b/.tekton/scanner-slim-pull-request.yaml index 3bbd4434f..f21ca2865 100644 --- a/.tekton/scanner-slim-pull-request.yaml +++ b/.tekton/scanner-slim-pull-request.yaml @@ -241,8 +241,6 @@ spec: #!/usr/bin/env bash "$(workspaces.source.path)/source/scripts/konflux/fetch-scanner-data.sh" \ "$(workspaces.source.path)/source" \ - nvd-definitions.zip \ - k8s-definitions.zip \ repo2cpe.zip \ genesis_manifests.json workspaces: diff --git a/.tekton/scanner-slim-push.yaml b/.tekton/scanner-slim-push.yaml index 95e42d900..5de7ae2c3 100644 --- a/.tekton/scanner-slim-push.yaml +++ b/.tekton/scanner-slim-push.yaml @@ -240,8 +240,6 @@ spec: #!/usr/bin/env bash "$(workspaces.source.path)/source/scripts/konflux/fetch-scanner-data.sh" \ "$(workspaces.source.path)/source" \ - nvd-definitions.zip \ - k8s-definitions.zip \ repo2cpe.zip \ genesis_manifests.json workspaces: diff --git a/image/scanner/rhel/konflux.Dockerfile b/image/scanner/rhel/konflux.Dockerfile index e593e2575..c66bf34b9 100644 --- a/image/scanner/rhel/konflux.Dockerfile +++ b/image/scanner/rhel/konflux.Dockerfile 
@@ -2,7 +2,7 @@ ARG BASE_REGISTRY=registry.access.redhat.com
 ARG BASE_IMAGE=ubi8-minimal
 ARG BASE_TAG=latest
-FROM brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_8_1.20 as builder
+FROM brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_8_1.20 as builder-slim
 ENV CGO_ENABLED=1
 ENV GOFLAGS=""
@@ -13,9 +13,7 @@ WORKDIR /src
 RUN scripts/konflux/fail-build-if-git-is-dirty.sh
-RUN unzip -j blob-repo2cpe.zip -d image/scanner/dump/repo2cpe && \
- unzip -j blob-k8s-definitions.zip -d image/scanner/dump/k8s_definitions && \
- unzip -j blob-nvd-definitions.zip -d image/scanner/dump/nvd_definitions
+RUN unzip -j blob-repo2cpe.zip -d image/scanner/dump/repo2cpe
 RUN echo -n "version: " && scripts/konflux/version.sh && \
 go build -trimpath -ldflags="-X github.com/stackrox/scanner/pkg/version.Version=$(scripts/konflux/version.sh)" -o image/scanner/bin/scanner ./cmd/clair
@@ -44,10 +42,10 @@ SHELL ["/bin/sh", "-o", "pipefail", "-c"]
 ENV REPO_TO_CPE_DIR="/repo2cpe"
-COPY --from=builder /src/image/scanner/scripts /
-COPY --from=builder /src/image/scanner/bin/scanner ./
-COPY --chown=65534:65534 --from=builder "/src/image/scanner/dump${REPO_TO_CPE_DIR}/" ".${REPO_TO_CPE_DIR}/"
-COPY --chown=65534:65534 --from=builder /src/image/scanner/dump/genesis_manifests.json ./
+COPY --from=builder-slim /src/image/scanner/scripts /
+COPY --from=builder-slim /src/image/scanner/bin/scanner ./
+COPY --chown=65534:65534 --from=builder-slim "/src/image/scanner/dump${REPO_TO_CPE_DIR}/" ".${REPO_TO_CPE_DIR}/"
+COPY --chown=65534:65534 --from=builder-slim /src/image/scanner/dump/genesis_manifests.json ./
 RUN microdnf upgrade --nobest && \
 microdnf install xz && \
@@ -78,6 +76,11 @@ LABEL \
 ENV ROX_SLIM_MODE="true"
+FROM builder-slim as builder
+
+RUN unzip -j blob-k8s-definitions.zip -d image/scanner/dump/k8s_definitions && \
+ unzip -j blob-nvd-definitions.zip -d image/scanner/dump/nvd_definitions
+
 FROM scanner-base as scanner
 LABEL \
From 1d4ab16dd540e4e82d44aededdbf6044f933e85f Mon Sep 17 00:00:00 2001 From: Tom Martensen Date: Mon, 4 Mar 2024 16:07:02 +0100 Subject: [PATCH 13/22] rename intermediate stages for better understanding --- image/scanner/rhel/konflux.Dockerfile | 23 ++++++++++++++--------- 1 file changed, 14 insertions(+), 9 deletions(-) diff --git a/image/scanner/rhel/konflux.Dockerfile b/image/scanner/rhel/konflux.Dockerfile index c66bf34b9..a38e7c436 100644 --- a/image/scanner/rhel/konflux.Dockerfile +++ b/image/scanner/rhel/konflux.Dockerfile @@ -2,7 +2,8 @@ ARG BASE_REGISTRY=registry.access.redhat.com ARG BASE_IMAGE=ubi8-minimal ARG BASE_TAG=latest -FROM brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_8_1.20 as builder-slim +# Compiling scanner binaries and staging repo2cpe and genesis manifests +FROM brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_8_1.20 as builder-common ENV CGO_ENABLED=1 ENV GOFLAGS="" @@ -23,7 +24,8 @@ RUN echo -n "version: " && scripts/konflux/version.sh && \ # files of the dump and the manifest. COPY ./blob-genesis_manifests.json image/scanner/dump/genesis_manifests.json -FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} as scanner-base +# Common base for scanner slim and full +FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} as scanner-common LABEL \ com.redhat.license_terms="https://www.redhat.com/agreements" \ 
@@ -42,10 +44,10 @@ SHELL ["/bin/sh", "-o", "pipefail", "-c"] ENV REPO_TO_CPE_DIR="/repo2cpe" -COPY --from=builder-slim /src/image/scanner/scripts / -COPY --from=builder-slim /src/image/scanner/bin/scanner ./ -COPY --chown=65534:65534 --from=builder-slim "/src/image/scanner/dump${REPO_TO_CPE_DIR}/" ".${REPO_TO_CPE_DIR}/" -COPY --chown=65534:65534 --from=builder-slim /src/image/scanner/dump/genesis_manifests.json ./ +COPY --from=builder-common /src/image/scanner/scripts / +COPY --from=builder-common /src/image/scanner/bin/scanner ./ +COPY --chown=65534:65534 --from=builder-common "/src/image/scanner/dump${REPO_TO_CPE_DIR}/" ".${REPO_TO_CPE_DIR}/" +COPY --chown=65534:65534 --from=builder-common /src/image/scanner/dump/genesis_manifests.json ./ RUN microdnf upgrade --nobest && \ microdnf install xz && \ @@ -67,7 +69,8 @@ USER 65534:65534 ENTRYPOINT ["/entrypoint.sh"] -FROM scanner-base as scanner-slim +# Scanner Slim +FROM scanner-common as scanner-slim LABEL \ com.redhat.component="rhacs-scanner-slim-container" \ @@ -76,12 +79,14 @@ LABEL \ ENV ROX_SLIM_MODE="true" -FROM builder-slim as builder +# Extension of common to full builder +FROM builder-common as builder RUN unzip -j blob-k8s-definitions.zip -d image/scanner/dump/k8s_definitions && \ unzip -j blob-nvd-definitions.zip -d image/scanner/dump/nvd_definitions -FROM scanner-base as scanner +# Scanner (full) +FROM scanner-common as scanner LABEL \ com.redhat.component="rhacs-scanner-container" \ From 5707337e369a4d56341e930db6dccb4c9ed4e083 Mon Sep 17 00:00:00 2001 
From: "red-hat-konflux[bot]" <126015336+red-hat-konflux[bot]@users.noreply.github.com> Date: Tue, 5 Mar 2024 15:37:12 +0100 Subject: [PATCH 14/22] chore(deps): update rhtap references (tm/scanner-slim-konflux-onboarding) (#1432) Co-authored-by: red-hat-konflux <123456+red-hat-konflux[bot]@users.noreply.github.com> --- .tekton/scanner-db-pull-request.yaml | 4 ++-- .tekton/scanner-db-push.yaml | 4 ++-- .tekton/scanner-pull-request.yaml | 4 ++-- .tekton/scanner-push.yaml | 4 ++-- .tekton/scanner-slim-pull-request.yaml | 4 ++-- .tekton/scanner-slim-push.yaml | 4 ++-- 6 files changed, 12 insertions(+), 12 deletions(-) diff --git a/.tekton/scanner-db-pull-request.yaml b/.tekton/scanner-db-pull-request.yaml index 3082567f2..8ab0d6625 100644 --- a/.tekton/scanner-db-pull-request.yaml +++ b/.tekton/scanner-db-pull-request.yaml @@ -206,7 +206,7 @@ spec: - name: name value: git-clone - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-git-clone:0.1@sha256:982e53397367ea9680b5cc543f5cbfc8e90124ffb463551eea33e4477d0a7ec6 + value: quay.io/redhat-appstudio-tekton-catalog/task-git-clone:0.1@sha256:ddc1b741a59e24817b24f190aab820700b6a8cf78cdd1827c403375bdba8aeee - name: kind value: task resolver: bundles @@ -279,7 +279,7 @@ spec: - name: name value: buildah - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-buildah:0.1@sha256:8a016b58a1f273d6b01045eeb982c370e79bf050e85e0c16eca970789704643a + value: quay.io/redhat-appstudio-tekton-catalog/task-buildah:0.1@sha256:cfb32c9f1ec9c217bc81389d6aeacdb9e7a092a7fa86d4fed7b6fbb2612f5c1d - name: kind value: task resolver: bundles diff --git a/.tekton/scanner-db-push.yaml b/.tekton/scanner-db-push.yaml index ecd950da0..45bf3b708 100644 --- a/.tekton/scanner-db-push.yaml +++ b/.tekton/scanner-db-push.yaml 
@@ -204,7 +204,7 @@ spec: - name: name value: git-clone - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-git-clone:0.1@sha256:982e53397367ea9680b5cc543f5cbfc8e90124ffb463551eea33e4477d0a7ec6 + value: quay.io/redhat-appstudio-tekton-catalog/task-git-clone:0.1@sha256:ddc1b741a59e24817b24f190aab820700b6a8cf78cdd1827c403375bdba8aeee - name: kind value: task resolver: bundles @@ -277,7 +277,7 @@ spec: - name: name value: buildah - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-buildah:0.1@sha256:8a016b58a1f273d6b01045eeb982c370e79bf050e85e0c16eca970789704643a + value: quay.io/redhat-appstudio-tekton-catalog/task-buildah:0.1@sha256:cfb32c9f1ec9c217bc81389d6aeacdb9e7a092a7fa86d4fed7b6fbb2612f5c1d - name: kind value: task resolver: bundles diff --git a/.tekton/scanner-pull-request.yaml b/.tekton/scanner-pull-request.yaml index 014e7f3ae..3b63f727c 100644 --- a/.tekton/scanner-pull-request.yaml +++ b/.tekton/scanner-pull-request.yaml @@ -199,7 +199,7 @@ spec: - name: name value: git-clone - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-git-clone:0.1@sha256:982e53397367ea9680b5cc543f5cbfc8e90124ffb463551eea33e4477d0a7ec6 + value: quay.io/redhat-appstudio-tekton-catalog/task-git-clone:0.1@sha256:ddc1b741a59e24817b24f190aab820700b6a8cf78cdd1827c403375bdba8aeee - name: kind value: task resolver: bundles @@ -279,7 +279,7 @@ spec: - name: name value: buildah - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-buildah:0.1@sha256:8a016b58a1f273d6b01045eeb982c370e79bf050e85e0c16eca970789704643a + value: quay.io/redhat-appstudio-tekton-catalog/task-buildah:0.1@sha256:cfb32c9f1ec9c217bc81389d6aeacdb9e7a092a7fa86d4fed7b6fbb2612f5c1d - name: kind value: task resolver: bundles diff --git a/.tekton/scanner-push.yaml b/.tekton/scanner-push.yaml index 218d81bc6..bfc6f1584 100644 --- a/.tekton/scanner-push.yaml +++ b/.tekton/scanner-push.yaml 
@@ -198,7 +198,7 @@ spec: - name: name value: git-clone - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-git-clone:0.1@sha256:982e53397367ea9680b5cc543f5cbfc8e90124ffb463551eea33e4477d0a7ec6 + value: quay.io/redhat-appstudio-tekton-catalog/task-git-clone:0.1@sha256:ddc1b741a59e24817b24f190aab820700b6a8cf78cdd1827c403375bdba8aeee - name: kind value: task resolver: bundles @@ -278,7 +278,7 @@ spec: - name: name value: buildah - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-buildah:0.1@sha256:8a016b58a1f273d6b01045eeb982c370e79bf050e85e0c16eca970789704643a + value: quay.io/redhat-appstudio-tekton-catalog/task-buildah:0.1@sha256:cfb32c9f1ec9c217bc81389d6aeacdb9e7a092a7fa86d4fed7b6fbb2612f5c1d - name: kind value: task resolver: bundles diff --git a/.tekton/scanner-slim-pull-request.yaml b/.tekton/scanner-slim-pull-request.yaml index f21ca2865..faba70272 100644 --- a/.tekton/scanner-slim-pull-request.yaml +++ b/.tekton/scanner-slim-pull-request.yaml @@ -196,7 +196,7 @@ spec: - name: name value: git-clone - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-git-clone:0.1@sha256:982e53397367ea9680b5cc543f5cbfc8e90124ffb463551eea33e4477d0a7ec6 + value: quay.io/redhat-appstudio-tekton-catalog/task-git-clone:0.1@sha256:ddc1b741a59e24817b24f190aab820700b6a8cf78cdd1827c403375bdba8aeee - name: kind value: task resolver: bundles @@ -273,7 +273,7 @@ spec: - name: name value: buildah - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-buildah:0.1@sha256:8a016b58a1f273d6b01045eeb982c370e79bf050e85e0c16eca970789704643a + value: quay.io/redhat-appstudio-tekton-catalog/task-buildah:0.1@sha256:cfb32c9f1ec9c217bc81389d6aeacdb9e7a092a7fa86d4fed7b6fbb2612f5c1d - name: kind value: task resolver: bundles diff --git a/.tekton/scanner-slim-push.yaml b/.tekton/scanner-slim-push.yaml index 5de7ae2c3..6c77923e1 100644 --- a/.tekton/scanner-slim-push.yaml +++ b/.tekton/scanner-slim-push.yaml 
@@ -195,7 +195,7 @@ spec: - name: name value: git-clone - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-git-clone:0.1@sha256:982e53397367ea9680b5cc543f5cbfc8e90124ffb463551eea33e4477d0a7ec6 + value: quay.io/redhat-appstudio-tekton-catalog/task-git-clone:0.1@sha256:ddc1b741a59e24817b24f190aab820700b6a8cf78cdd1827c403375bdba8aeee - name: kind value: task resolver: bundles @@ -272,7 +272,7 @@ spec: - name: name value: buildah - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-buildah:0.1@sha256:8a016b58a1f273d6b01045eeb982c370e79bf050e85e0c16eca970789704643a + value: quay.io/redhat-appstudio-tekton-catalog/task-buildah:0.1@sha256:cfb32c9f1ec9c217bc81389d6aeacdb9e7a092a7fa86d4fed7b6fbb2612f5c1d - name: kind value: task resolver: bundles From a33719f80a4fd4971218508106d3f9ff3652c420 Mon Sep 17 00:00:00 2001 From: Tom Martensen Date: Tue, 5 Mar 2024 16:00:02 +0100 Subject: [PATCH 15/22] retrigger From 84ee52c28170994964e568651cd9adaa568d1156 Mon Sep 17 00:00:00 2001 From: Tom Martensen Date: Tue, 12 Mar 2024 09:09:05 +0100 Subject: [PATCH 16/22] ROX-20750: Onboard scanner-db-slim to Konflux (#1436) Co-authored-by: red-hat-konflux[bot] <126015336+red-hat-konflux[bot]@users.noreply.github.com> Co-authored-by: red-hat-konflux Co-authored-by: Misha Sugakov <537715+msugakov@users.noreply.github.com> --- .tekton/scanner-db-pull-request.yaml | 4 + .tekton/scanner-db-push.yaml | 4 + .tekton/scanner-db-slim-pull-request.yaml | 416 ++++++++++++++++++++++ .tekton/scanner-db-slim-push.yaml | 414 +++++++++++++++++++++ image/db/rhel/konflux.Dockerfile | 27 +- 5 files changed, 858 insertions(+), 7 deletions(-) create mode 100644 .tekton/scanner-db-slim-pull-request.yaml create mode 100644 .tekton/scanner-db-slim-push.yaml diff --git a/.tekton/scanner-db-pull-request.yaml b/.tekton/scanner-db-pull-request.yaml index 8ab0d6625..6570d53a3 100644 --- a/.tekton/scanner-db-pull-request.yaml +++ b/.tekton/scanner-db-pull-request.yaml 
@@ -43,6 +43,8 @@ spec:
 value: ''
 - name: build-source-image
 value: 'true'
+ - name: build-target-stage
+ value: scanner-db
 workspaces:
 - name: workspace
@@ -271,6 +273,8 @@ spec:
 value: $(params.image-expires-after)
 - name: COMMIT_SHA
 value: $(tasks.clone-repository.results.commit)
+ - name: TARGET_STAGE
+ value: scanner-db
 runAfter:
 - prefetch-dependencies
 - fetch-sql-definitions
diff --git a/.tekton/scanner-db-push.yaml b/.tekton/scanner-db-push.yaml
index 45bf3b708..94c97f24b 100644
--- a/.tekton/scanner-db-push.yaml
+++ b/.tekton/scanner-db-push.yaml
@@ -41,6 +41,8 @@ spec:
 value: ''
 - name: build-source-image
 value: 'true'
+ - name: build-target-stage
+ value: scanner-db
 workspaces:
 - name: workspace
@@ -269,6 +271,8 @@ spec:
 value: $(params.image-expires-after)
 - name: COMMIT_SHA
 value: $(tasks.clone-repository.results.commit)
+ - name: TARGET_STAGE
+ value: $(params.build-target-stage)
 runAfter:
 - prefetch-dependencies
 - fetch-sql-definitions
diff --git a/.tekton/scanner-db-slim-pull-request.yaml b/.tekton/scanner-db-slim-pull-request.yaml
new file mode 100644
index 000000000..7c4895f92
--- /dev/null
+++ b/.tekton/scanner-db-slim-pull-request.yaml
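Review bot: In .tekton/scanner-db-pull-request.yaml the hunk at @@ -271,6 +273,8 hardcodes `value: scanner-db` for the TARGET_STAGE build argument even though the hunk at @@ -43,6 +43,8 in the same file introduces the `build-target-stage` run param for exactly this purpose, whereas .tekton/scanner-db-push.yaml wires it through as `value: $(params.build-target-stage)`. The two files should agree, presumably on the parameterized form, so the pull-request line would read `value: $(params.build-target-stage)`; otherwise the run param is dead configuration in the PR pipeline and a later change to it silently has no effect on PR builds. A `$(params.build-target-stage)` reference only resolves if `build-target-stage` is also declared under `pipelineSpec.params`, which lies outside these hunks; Tekton rejects a reference to an undeclared param at validation time rather than falling back, so it is worth confirming the declaration landed in both files. The enclosing build-container task definition starts before and ends after these hunks.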
@@ -0,0 +1,416 @@ +apiVersion: tekton.dev/v1 +kind: PipelineRun +metadata: + annotations: + build.appstudio.openshift.io/repo: https://github.com/stackrox/scanner?rev={{revision}} + build.appstudio.redhat.com/commit_sha: '{{revision}}' + build.appstudio.redhat.com/pull_request_number: '{{pull_request_number}}' + build.appstudio.redhat.com/target_branch: '{{target_branch}}' + pipelinesascode.tekton.dev/max-keep-runs: "500" + # TODO(ROX-21073): re-enable for all PR branches + pipelinesascode.tekton.dev/on-cel-expression: event == "pull_request" && (source_branch.contains("konflux") || source_branch.contains("rhtap")) + creationTimestamp: null + labels: + appstudio.openshift.io/application: acs + appstudio.openshift.io/component: scanner-db-slim + pipelines.appstudio.openshift.io/type: build + name: scanner-db-slim-on-pull-request + namespace: rh-acs-tenant + +spec: + + params: + - name: dockerfile + value: image/db/rhel/konflux.Dockerfile + - name: git-url + value: '{{source_url}}' + - name: image-expires-after + value: '13w' + - name: output-image + value: quay.io/redhat-user-workloads/rh-acs-tenant/acs/scanner-db-slim:on-pr-{{revision}} + - name: path-context + value: . + - name: revision + value: '{{revision}}' + - name: rebuild + value: 'true' + # TODO(ROX-20234): Enable hermetic builds + # - name: hermetic + # value: "true" + # No language dependencies are required for scanner-db-slim image. 
+ - name: prefetch-input + value: '' + - name: build-source-image + value: 'true' + - name: build-target-stage + value: scanner-db-slim + + workspaces: + - name: workspace + volumeClaimTemplate: + metadata: + creationTimestamp: null + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi + status: { } + - name: git-auth + secret: + secretName: '{{ git_auth_secret }}' + + pipelineSpec: + + finally: + - name: show-sbom + params: + - name: IMAGE_URL + value: $(tasks.build-container.results.IMAGE_URL) + taskRef: + params: + - name: name + value: show-sbom + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-show-sbom:0.1@sha256:82737c8d365c620295fa526d21a481d4614f657800175ddc0ccd7846c54207f8 + - name: kind + value: task + resolver: bundles + - name: show-summary + params: + - name: pipelinerun-name + value: $(context.pipelineRun.name) + - name: git-url + value: $(tasks.clone-repository.results.url)?rev=$(tasks.clone-repository.results.commit) + - name: image-url + value: $(params.output-image) + - name: build-task-status + value: $(tasks.build-container.status) + taskRef: + params: + - name: name + value: summary + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-summary:0.1@sha256:789b3b20a7de149213d6fa7ac05af13229b1c34f74e1b93d1b42eb3d3df2d0d8 + - name: kind + value: task + resolver: bundles + + params: + - description: Source Repository URL + name: git-url + type: string + - default: "" + description: Revision of the Source Repository + name: revision + type: string + - description: Fully Qualified Output Image + name: output-image + type: string + - default: . + description: Path to the source code of an application's component from where + to build image. 
+ name: path-context + type: string + - default: Dockerfile + description: Path to the Dockerfile inside the context specified by parameter + path-context + name: dockerfile + type: string + - default: "false" + description: Force rebuild image + name: rebuild + type: string + - default: "false" + description: Skip checks against built image + name: skip-checks + type: string + - default: "false" + description: Execute the build with network isolation + name: hermetic + type: string + - default: "" + description: Build dependencies to be prefetched by Cachi2 + name: prefetch-input + type: string + - default: "false" + description: Java build + name: java + type: string + - default: "" + description: Image tag expiration time, time values could be something like + 1h, 2d, 3w for hours, days, and weeks, respectively. + name: image-expires-after + type: string + - default: "false" + description: Build a source image. + name: build-source-image + type: string + + results: + - description: "" + name: IMAGE_URL + value: $(tasks.build-container.results.IMAGE_URL) + - description: "" + name: IMAGE_DIGEST + value: $(tasks.build-container.results.IMAGE_DIGEST) + - description: "" + name: CHAINS-GIT_URL + value: $(tasks.clone-repository.results.url) + - description: "" + name: CHAINS-GIT_COMMIT + value: $(tasks.clone-repository.results.commit) + - description: "" + name: JAVA_COMMUNITY_DEPENDENCIES + value: $(tasks.build-container.results.JAVA_COMMUNITY_DEPENDENCIES) + + workspaces: + - name: workspace + - name: git-auth + + tasks: + + - name: init + params: + - name: image-url + value: $(params.output-image) + - name: rebuild + value: $(params.rebuild) + - name: skip-checks + value: $(params.skip-checks) + taskRef: + params: + - name: name + value: init + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-init:0.2@sha256:3d8f01fa59596a998d30dc700fcf7377f09d60008337290eebaeaf604512ce2b + - name: kind + value: task + resolver: bundles + + - name: 
clone-repository + params: + - name: url + value: $(params.git-url) + - name: revision + value: $(params.revision) + # A shallow repo clone is sufficient for scanner-db-slim build. + - name: depth + value: "1" + - name: fetchTags + value: "false" + runAfter: + - init + taskRef: + params: + - name: name + value: git-clone + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-git-clone:0.1@sha256:ddc1b741a59e24817b24f190aab820700b6a8cf78cdd1827c403375bdba8aeee + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: [ "true" ] + workspaces: + - name: output + workspace: workspace + - name: basic-auth + workspace: git-auth + + - name: prefetch-dependencies + params: + - name: input + value: $(params.prefetch-input) + runAfter: + - clone-repository + taskRef: + params: + - name: name + value: prefetch-dependencies + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-prefetch-dependencies:0.1@sha256:e29adab9f66415b3be2e89e154c03ec685900fdad90051a555d7d027f94f874e + - name: kind + value: task + resolver: bundles + workspaces: + - name: source + workspace: workspace + + - name: build-container + params: + - name: IMAGE + value: $(params.output-image) + - name: DOCKERFILE + value: $(params.dockerfile) + - name: CONTEXT + value: $(params.path-context) + - name: HERMETIC + value: $(params.hermetic) + - name: PREFETCH_INPUT + value: $(params.prefetch-input) + - name: IMAGE_EXPIRES_AFTER + value: $(params.image-expires-after) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + - name: TARGET_STAGE + value: $(params.build-target-stage) + runAfter: + - prefetch-dependencies + taskRef: + params: + - name: name + value: buildah + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-buildah:0.1@sha256:cfb32c9f1ec9c217bc81389d6aeacdb9e7a092a7fa86d4fed7b6fbb2612f5c1d + - name: kind + value: task + resolver: bundles + when: + - input: 
$(tasks.init.results.build) + operator: in + values: [ "true" ] + workspaces: + - name: source + workspace: workspace + + - name: build-source-image + params: + - name: BINARY_IMAGE + value: $(params.output-image) + - name: BASE_IMAGES + value: $(tasks.build-container.results.BASE_IMAGES_DIGESTS) + runAfter: + - build-container + taskRef: + params: + - name: name + value: source-build + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-source-build:0.1@sha256:e831f3e10362ecb21910f45ff48c3af1c0c8bea4858ca25f4f436153499f9802 + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: [ "true" ] + - input: $(params.build-source-image) + operator: in + values: [ "true" ] + workspaces: + - name: workspace + workspace: workspace + + - name: deprecated-base-image-check + params: + - name: BASE_IMAGES_DIGESTS + value: $(tasks.build-container.results.BASE_IMAGES_DIGESTS) + runAfter: + - build-container + taskRef: + params: + - name: name + value: deprecated-image-check + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-deprecated-image-check:0.3@sha256:ba55ff56b8718406278d72fd5e3de88da110dd4391aa7581923b8d219a29f841 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: [ "false" ] + + - name: clair-scan + params: + - name: image-digest + value: $(tasks.build-container.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-container.results.IMAGE_URL) + runAfter: + - build-container + taskRef: + params: + - name: name + value: clair-scan + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-clair-scan:0.1@sha256:5097b69c7b8ed19bbc09b3b119214305ed382a185aece344806875e6c43203b8 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: [ "false" ] + + - name: sast-snyk-check + runAfter: + - clone-repository + taskRef: + params: + - name: 
name + value: sast-snyk-check + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-sast-snyk-check:0.1@sha256:422177f6fffa55284a30ddc4a26dca1462aee34a479529b9e2b52a5bb39606a4 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: [ "false" ] + workspaces: + - name: workspace + workspace: workspace + + - name: clamav-scan + params: + - name: image-digest + value: $(tasks.build-container.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-container.results.IMAGE_URL) + runAfter: + - build-container + taskRef: + params: + - name: name + value: clamav-scan + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-clamav-scan:0.1@sha256:628847d30ce0dc05ce9c62ae1161ba54d27de125b59e867d485ca0e0c68e11e4 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: [ "false" ] + + - name: sbom-json-check + params: + - name: IMAGE_URL + value: $(tasks.build-container.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-container.results.IMAGE_DIGEST) + runAfter: + - build-container + taskRef: + params: + - name: name + value: sbom-json-check + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-sbom-json-check:0.1@sha256:e5202b2f610fcf36793e410336bd5b9764999abb29b3cd29007f6c68dd7725af + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: [ "false" ] + + taskRunTemplate: { } + +status: { } diff --git a/.tekton/scanner-db-slim-push.yaml b/.tekton/scanner-db-slim-push.yaml new file mode 100644 index 000000000..b70df0da7 --- /dev/null +++ b/.tekton/scanner-db-slim-push.yaml 
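Review bot: The flow collections in this file are written with inner padding (`status: { }`, `taskRunTemplate: { }`, `values: [ "true" ]`), which yamllint's default `braces`/`brackets` rules flag; the unpadded `{}` and `["true"]` forms are the usual spelling and are what Prettier emits, so I would normalise them, here and in scanner-db-slim-push.yaml. Separately, pull-request images are kept for `image-expires-after: '13w'` with `max-keep-runs: "500"`; if PR artifacts do not need to outlive the PR, a shorter expiry limits how long unreviewed images stay discoverable in the registry, though I cannot tell from this page what retention the team intends.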
@@ -0,0 +1,414 @@ +apiVersion: tekton.dev/v1 +kind: PipelineRun +metadata: + annotations: + build.appstudio.openshift.io/repo: https://github.com/stackrox/scanner?rev={{revision}} + build.appstudio.redhat.com/commit_sha: '{{revision}}' + build.appstudio.redhat.com/target_branch: '{{target_branch}}' + pipelinesascode.tekton.dev/max-keep-runs: "500" + pipelinesascode.tekton.dev/on-cel-expression: event == "push" && target_branch == "master" + creationTimestamp: null + labels: + appstudio.openshift.io/application: acs + appstudio.openshift.io/component: scanner-db-slim + pipelines.appstudio.openshift.io/type: build + name: scanner-db-slim-on-push + namespace: rh-acs-tenant + +spec: + + params: + - name: dockerfile + value: image/db/rhel/konflux.Dockerfile + - name: git-url + value: '{{source_url}}' + - name: image-expires-after + value: '13w' + - name: output-image + value: quay.io/redhat-user-workloads/rh-acs-tenant/acs/scanner-db-slim:{{revision}} + - name: path-context + value: . + - name: revision + value: '{{revision}}' + - name: rebuild + value: 'true' + # TODO(ROX-20234): Enable hermetic builds + # - name: hermetic + # value: "true" + # No language dependencies are required for scanner-db-slim image. 
+ - name: prefetch-input + value: '' + - name: build-source-image + value: 'true' + - name: build-target-stage + value: scanner-db-slim + + workspaces: + - name: workspace + volumeClaimTemplate: + metadata: + creationTimestamp: null + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi + status: { } + - name: git-auth + secret: + secretName: '{{ git_auth_secret }}' + + pipelineSpec: + + finally: + - name: show-sbom + params: + - name: IMAGE_URL + value: $(tasks.build-container.results.IMAGE_URL) + taskRef: + params: + - name: name + value: show-sbom + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-show-sbom:0.1@sha256:82737c8d365c620295fa526d21a481d4614f657800175ddc0ccd7846c54207f8 + - name: kind + value: task + resolver: bundles + - name: show-summary + params: + - name: pipelinerun-name + value: $(context.pipelineRun.name) + - name: git-url + value: $(tasks.clone-repository.results.url)?rev=$(tasks.clone-repository.results.commit) + - name: image-url + value: $(params.output-image) + - name: build-task-status + value: $(tasks.build-container.status) + taskRef: + params: + - name: name + value: summary + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-summary:0.1@sha256:789b3b20a7de149213d6fa7ac05af13229b1c34f74e1b93d1b42eb3d3df2d0d8 + - name: kind + value: task + resolver: bundles + + params: + - description: Source Repository URL + name: git-url + type: string + - default: "" + description: Revision of the Source Repository + name: revision + type: string + - description: Fully Qualified Output Image + name: output-image + type: string + - default: . + description: Path to the source code of an application's component from where + to build image. 
+ name: path-context + type: string + - default: Dockerfile + description: Path to the Dockerfile inside the context specified by parameter + path-context + name: dockerfile + type: string + - default: "false" + description: Force rebuild image + name: rebuild + type: string + - default: "false" + description: Skip checks against built image + name: skip-checks + type: string + - default: "false" + description: Execute the build with network isolation + name: hermetic + type: string + - default: "" + description: Build dependencies to be prefetched by Cachi2 + name: prefetch-input + type: string + - default: "false" + description: Java build + name: java + type: string + - default: "" + description: Image tag expiration time, time values could be something like + 1h, 2d, 3w for hours, days, and weeks, respectively. + name: image-expires-after + type: string + - default: "false" + description: Build a source image. + name: build-source-image + type: string + + results: + - description: "" + name: IMAGE_URL + value: $(tasks.build-container.results.IMAGE_URL) + - description: "" + name: IMAGE_DIGEST + value: $(tasks.build-container.results.IMAGE_DIGEST) + - description: "" + name: CHAINS-GIT_URL + value: $(tasks.clone-repository.results.url) + - description: "" + name: CHAINS-GIT_COMMIT + value: $(tasks.clone-repository.results.commit) + - description: "" + name: JAVA_COMMUNITY_DEPENDENCIES + value: $(tasks.build-container.results.JAVA_COMMUNITY_DEPENDENCIES) + + workspaces: + - name: workspace + - name: git-auth + + tasks: + + - name: init + params: + - name: image-url + value: $(params.output-image) + - name: rebuild + value: $(params.rebuild) + - name: skip-checks + value: $(params.skip-checks) + taskRef: + params: + - name: name + value: init + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-init:0.2@sha256:3d8f01fa59596a998d30dc700fcf7377f09d60008337290eebaeaf604512ce2b + - name: kind + value: task + resolver: bundles + + - name: 
clone-repository + params: + - name: url + value: $(params.git-url) + - name: revision + value: $(params.revision) + # A shallow repo clone is sufficient for scanner-db-slim build. + - name: depth + value: "1" + - name: fetchTags + value: "false" + runAfter: + - init + taskRef: + params: + - name: name + value: git-clone + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-git-clone:0.1@sha256:ddc1b741a59e24817b24f190aab820700b6a8cf78cdd1827c403375bdba8aeee + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: [ "true" ] + workspaces: + - name: output + workspace: workspace + - name: basic-auth + workspace: git-auth + + - name: prefetch-dependencies + params: + - name: input + value: $(params.prefetch-input) + runAfter: + - clone-repository + taskRef: + params: + - name: name + value: prefetch-dependencies + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-prefetch-dependencies:0.1@sha256:e29adab9f66415b3be2e89e154c03ec685900fdad90051a555d7d027f94f874e + - name: kind + value: task + resolver: bundles + workspaces: + - name: source + workspace: workspace + + - name: build-container + params: + - name: IMAGE + value: $(params.output-image) + - name: DOCKERFILE + value: $(params.dockerfile) + - name: CONTEXT + value: $(params.path-context) + - name: HERMETIC + value: $(params.hermetic) + - name: PREFETCH_INPUT + value: $(params.prefetch-input) + - name: IMAGE_EXPIRES_AFTER + value: $(params.image-expires-after) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + - name: TARGET_STAGE + value: $(params.build-target-stage) + runAfter: + - prefetch-dependencies + taskRef: + params: + - name: name + value: buildah + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-buildah:0.1@sha256:cfb32c9f1ec9c217bc81389d6aeacdb9e7a092a7fa86d4fed7b6fbb2612f5c1d + - name: kind + value: task + resolver: bundles + when: + - input: 
$(tasks.init.results.build) + operator: in + values: [ "true" ] + workspaces: + - name: source + workspace: workspace + + - name: build-source-image + params: + - name: BINARY_IMAGE + value: $(params.output-image) + - name: BASE_IMAGES + value: $(tasks.build-container.results.BASE_IMAGES_DIGESTS) + runAfter: + - build-container + taskRef: + params: + - name: name + value: source-build + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-source-build:0.1@sha256:e831f3e10362ecb21910f45ff48c3af1c0c8bea4858ca25f4f436153499f9802 + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: [ "true" ] + - input: $(params.build-source-image) + operator: in + values: [ "true" ] + workspaces: + - name: workspace + workspace: workspace + + - name: deprecated-base-image-check + params: + - name: BASE_IMAGES_DIGESTS + value: $(tasks.build-container.results.BASE_IMAGES_DIGESTS) + runAfter: + - build-container + taskRef: + params: + - name: name + value: deprecated-image-check + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-deprecated-image-check:0.3@sha256:ba55ff56b8718406278d72fd5e3de88da110dd4391aa7581923b8d219a29f841 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: [ "false" ] + + - name: clair-scan + params: + - name: image-digest + value: $(tasks.build-container.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-container.results.IMAGE_URL) + runAfter: + - build-container + taskRef: + params: + - name: name + value: clair-scan + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-clair-scan:0.1@sha256:5097b69c7b8ed19bbc09b3b119214305ed382a185aece344806875e6c43203b8 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: [ "false" ] + + - name: sast-snyk-check + runAfter: + - clone-repository + taskRef: + params: + - name: 
name + value: sast-snyk-check + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-sast-snyk-check:0.1@sha256:422177f6fffa55284a30ddc4a26dca1462aee34a479529b9e2b52a5bb39606a4 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: [ "false" ] + workspaces: + - name: workspace + workspace: workspace + + - name: clamav-scan + params: + - name: image-digest + value: $(tasks.build-container.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-container.results.IMAGE_URL) + runAfter: + - build-container + taskRef: + params: + - name: name + value: clamav-scan + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-clamav-scan:0.1@sha256:628847d30ce0dc05ce9c62ae1161ba54d27de125b59e867d485ca0e0c68e11e4 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: [ "false" ] + + - name: sbom-json-check + params: + - name: IMAGE_URL + value: $(tasks.build-container.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-container.results.IMAGE_DIGEST) + runAfter: + - build-container + taskRef: + params: + - name: name + value: sbom-json-check + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-sbom-json-check:0.1@sha256:e5202b2f610fcf36793e410336bd5b9764999abb29b3cd29007f6c68dd7725af + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: [ "false" ] + + taskRunTemplate: { } + +status: { } diff --git a/image/db/rhel/konflux.Dockerfile b/image/db/rhel/konflux.Dockerfile index d848356fd..8f35d7266 100644 --- a/image/db/rhel/konflux.Dockerfile +++ b/image/db/rhel/konflux.Dockerfile 
@@ -1,14 +1,11 @@ -FROM registry.redhat.io/rhel8/postgresql-12:latest +FROM registry.redhat.io/rhel8/postgresql-12:latest AS scanner-db-common LABEL \ - com.redhat.component="rhacs-scanner-db-container" \ com.redhat.license_terms="https://www.redhat.com/agreements" \ description="Scanner Database Image for Red Hat Advanced Cluster Security for Kubernetes" \ io.k8s.description="Scanner Database Image for Red Hat Advanced Cluster Security for Kubernetes" \ - io.k8s.display-name="scanner-db" \ io.openshift.tags="rhacs,scanner-db,stackrox" \ maintainer="Red Hat, Inc." \ - name="rhacs-scanner-db-rhel8" \ source-location="https://github.com/stackrox/scanner" \ summary="Scanner DB for RHACS" \ url="https://catalog.redhat.com/software/container-stacks/detail/60eefc88ee05ae7c5b8f041c" \ @@ -38,9 +35,6 @@ RUN dnf upgrade -y --nobest && \ rm -rf /var/cache/dnf /var/cache/yum && \ chmod +x /usr/local/bin/docker-entrypoint.sh -COPY blob-pg-definitions.sql.gz \ - /docker-entrypoint-initdb.d/definitions.sql.gz - ENV PG_MAJOR=12 \ PGDATA="/var/lib/postgresql/data/pgdata" @@ -50,3 +44,22 @@ EXPOSE 5432 CMD ["postgres", "-c", "config_file=/etc/postgresql.conf"] USER 70:70 + +FROM scanner-db-common AS scanner-db-slim + +LABEL \ + com.redhat.component="rhacs-scanner-db-slim-container" \ + io.k8s.display-name="scanner-db-slim" \ + name="rhacs-scanner-db-slim-rhel8" + +ENV ROX_SLIM_MODE="true" + +FROM scanner-db-common AS scanner-db + +LABEL \ + com.redhat.component="rhacs-scanner-db-container" \ + io.k8s.display-name="scanner-db" \ + name="rhacs-scanner-db-rhel8" + +COPY blob-pg-definitions.sql.gz \ + /docker-entrypoint-initdb.d/definitions.sql.gz From f28ae5e2952b379062f1ff956ba90b87d81e4831 Mon Sep 17 00:00:00 2001 
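Review bot: The new stages carry no comments explaining the layout, whereas image/scanner/rhel/konflux.Dockerfile labels its stages (`# Common base for scanner slim and full`, `# Scanner Slim`, `# Scanner (full)`); I would add `# Common base for scanner-db slim and full` above the first `FROM`, `# Scanner DB Slim` above `FROM scanner-db-common AS scanner-db-slim`, and `# Scanner DB (full)` above `FROM scanner-db-common AS scanner-db`, noting there that the pipeline selects a stage via TARGET_STAGE and that the full image is deliberately last so an unspecified target presumably yields it. The `COPY blob-pg-definitions.sql.gz` in the `scanner-db` stage now runs after the `USER 70:70` inherited from the common stage; without `--chown` the file lands root-owned, which is fine if the init script is only read, but worth confirming. The base `FROM registry.redhat.io/rhel8/postgresql-12:latest` remains a floating tag; pinning a digest would make the base-image provenance recorded in the SBOM reproducible, unless Konflux's digest-update automation is relied on for that.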
From: Tom Martensen
Date: Tue, 12 Mar 2024 09:13:17 +0100
Subject: [PATCH 17/22] use build-target-stage parameter
---
.tekton/scanner-db-pull-request.yaml | 2 +-
.tekton/scanner-pull-request.yaml | 4 +++-
.tekton/scanner-push.yaml | 4 +++-
.tekton/scanner-slim-pull-request.yaml | 4 +++-
.tekton/scanner-slim-push.yaml | 2 +-
5 files changed, 11 insertions(+), 5 deletions(-)
diff --git a/.tekton/scanner-db-pull-request.yaml b/.tekton/scanner-db-pull-request.yaml
index 6570d53a3..42b39c121 100644
--- a/.tekton/scanner-db-pull-request.yaml
+++ b/.tekton/scanner-db-pull-request.yaml
@@ -274,7 +274,7 @@ spec:
 - name: COMMIT_SHA
 value: $(tasks.clone-repository.results.commit)
 - name: TARGET_STAGE
- value: scanner-db
+ value: $(params.build-target-stage)
 runAfter:
 - prefetch-dependencies
 - fetch-sql-definitions
diff --git a/.tekton/scanner-pull-request.yaml b/.tekton/scanner-pull-request.yaml
index 3b63f727c..ddc3d80ea 100644
--- a/.tekton/scanner-pull-request.yaml
+++ b/.tekton/scanner-pull-request.yaml
@@ -37,6 +37,8 @@ spec:
 value: '{"type": "gomod", "path": "."}'
 - name: build-source-image
 value: 'true'
+ - name: build-target-stage
+ value: scanner
 workspaces:
 - name: workspace
@@ -270,7 +272,7 @@ spec:
 - name: COMMIT_SHA
 value: $(tasks.clone-repository.results.commit)
 - name: TARGET_STAGE
- value: scanner
+ value: $(params.build-target-stage)
 runAfter:
 - prefetch-dependencies
 - fetch-vuln-feed-data
diff --git a/.tekton/scanner-push.yaml b/.tekton/scanner-push.yaml
index bfc6f1584..b568357c7 100644
--- a/.tekton/scanner-push.yaml
+++ b/.tekton/scanner-push.yaml
@@ -36,6 +36,8 @@ spec:
 value: '{"type": "gomod", "path": "."}'
 - name: build-source-image
 value: 'true'
+ - name: build-target-stage
+ value: scanner
 workspaces:
 - name: workspace
@@ -269,7 +271,7 @@ spec:
 - name: COMMIT_SHA
 value: $(tasks.clone-repository.results.commit)
 - name: TARGET_STAGE
- value: scanner
+ value: $(params.build-target-stage)
 runAfter:
 - prefetch-dependencies
 - fetch-vuln-feed-data
diff --git a/.tekton/scanner-slim-pull-request.yaml b/.tekton/scanner-slim-pull-request.yaml
index faba70272..0c38fee36 100644
--- a/.tekton/scanner-slim-pull-request.yaml
+++ b/.tekton/scanner-slim-pull-request.yaml
@@ -36,6 +36,8 @@ spec:
 value: '{"type": "gomod", "path": "."}'
 - name: build-source-image
 value: 'true'
+ - name: build-target-stage
+ value: scanner-slim
 workspaces:
 - name: workspace
@@ -264,7 +266,7 @@ spec:
 - name: COMMIT_SHA
 value: $(tasks.clone-repository.results.commit)
 - name: TARGET_STAGE
- value: scanner-slim
+ value: $(params.build-target-stage)
 runAfter:
 - prefetch-dependencies
 - fetch-vuln-feed-data
diff --git a/.tekton/scanner-slim-push.yaml b/.tekton/scanner-slim-push.yaml
index 6c77923e1..0e582a089 100644
--- a/.tekton/scanner-slim-push.yaml
+++ b/.tekton/scanner-slim-push.yaml
@@ -263,7 +263,7 @@ spec:
 - name: COMMIT_SHA
 value: $(tasks.clone-repository.results.commit)
 - name: TARGET_STAGE
- value: scanner-slim
+ value: $(params.build-target-stage)
 runAfter:
 - prefetch-dependencies
 - fetch-vuln-feed-data
From a3404e484eb02460abbfb8b44990bd237d8b0def Mon Sep 17 00:00:00 2001
From: Tom Martensen
Date: Tue, 12 Mar 2024 09:14:37 +0100
Subject: [PATCH 18/22] Apply suggestions from code review
Co-authored-by: Misha Sugakov <537715+msugakov@users.noreply.github.com>
---
image/scanner/rhel/konflux.Dockerfile | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/image/scanner/rhel/konflux.Dockerfile b/image/scanner/rhel/konflux.Dockerfile
index a38e7c436..a4a173790 100644
--- a/image/scanner/rhel/konflux.Dockerfile
+++ b/image/scanner/rhel/konflux.Dockerfile
@@ -3,7 +3,7 @@ ARG BASE_IMAGE=ubi8-minimal
 ARG BASE_TAG=latest
 # Compiling scanner binaries and staging repo2cpe and genesis manifests
-FROM brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_8_1.20 as builder-common
+FROM brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_8_1.20 AS builder-common
 ENV CGO_ENABLED=1
 ENV GOFLAGS=""
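Review bot: The scanner-slim-push.yaml hunk (`@@ -263,7 +263,7 @@`) switches `TARGET_STAGE` to `$(params.build-target-stage)` but, unlike the other four files in this commit, does not add the matching `- name: build-target-stage` / `value: scanner-slim` entry under `spec.params`, so the push pipeline no longer names a stage at all. Until `pipelineSpec.params` declares the parameter the reference should fail validation; once it is declared with an empty default, as happens later in this series, buildah would presumably build the Dockerfile's last stage, which in image/scanner/rhel/konflux.Dockerfile is the full `scanner` image, and every master push would publish it under the scanner-slim tag. Adding the same two `spec.params` lines that scanner-slim-pull-request.yaml receives in this commit closes the gap.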
@@ -25,7 +25,7 @@ RUN echo -n "version: " && scripts/konflux/version.sh && \ COPY ./blob-genesis_manifests.json image/scanner/dump/genesis_manifests.json # Common base for scanner slim and full -FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} as scanner-common +FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} AS scanner-common LABEL \ com.redhat.license_terms="https://www.redhat.com/agreements" \ @@ -70,7 +70,7 @@ USER 65534:65534 ENTRYPOINT ["/entrypoint.sh"] # Scanner Slim -FROM scanner-common as scanner-slim +FROM scanner-common AS scanner-slim LABEL \ com.redhat.component="rhacs-scanner-slim-container" \ @@ -86,7 +86,7 @@ RUN unzip -j blob-k8s-definitions.zip -d image/scanner/dump/k8s_definitions && \ unzip -j blob-nvd-definitions.zip -d image/scanner/dump/nvd_definitions # Scanner (full) -FROM scanner-common as scanner +FROM scanner-common AS scanner LABEL \ com.redhat.component="rhacs-scanner-container" \ From 87d959b340a75cfb83f4d65c0f8d96fd5594d61a Mon Sep 17 00:00:00 2001 From: Tom Martensen Date: Tue, 12 Mar 2024 09:18:05 +0100 Subject: [PATCH 19/22] unify builder stages --- image/scanner/rhel/konflux.Dockerfile | 20 ++++++++------------ 1 file changed, 8 insertions(+), 12 deletions(-) diff --git a/image/scanner/rhel/konflux.Dockerfile b/image/scanner/rhel/konflux.Dockerfile index a4a173790..f8cf87f9b 100644 --- a/image/scanner/rhel/konflux.Dockerfile +++ b/image/scanner/rhel/konflux.Dockerfile @@ -3,7 +3,7 @@ ARG BASE_IMAGE=ubi8-minimal ARG BASE_TAG=latest # Compiling scanner binaries and staging repo2cpe and genesis manifests -FROM brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_8_1.20 AS builder-common +FROM brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_8_1.20 AS builder ENV CGO_ENABLED=1 ENV GOFLAGS="" 
@@ -14,7 +14,9 @@ WORKDIR /src RUN scripts/konflux/fail-build-if-git-is-dirty.sh -RUN unzip -j blob-repo2cpe.zip -d image/scanner/dump/repo2cpe +RUN unzip -j blob-repo2cpe.zip -d image/scanner/dump/repo2cpe && \ + unzip -j blob-k8s-definitions.zip -d image/scanner/dump/k8s_definitions && \ + unzip -j blob-nvd-definitions.zip -d image/scanner/dump/nvd_definitions RUN echo -n "version: " && scripts/konflux/version.sh && \ go build -trimpath -ldflags="-X github.com/stackrox/scanner/pkg/version.Version=$(scripts/konflux/version.sh)" -o image/scanner/bin/scanner ./cmd/clair @@ -44,10 +46,10 @@ SHELL ["/bin/sh", "-o", "pipefail", "-c"] ENV REPO_TO_CPE_DIR="/repo2cpe" -COPY --from=builder-common /src/image/scanner/scripts / -COPY --from=builder-common /src/image/scanner/bin/scanner ./ -COPY --chown=65534:65534 --from=builder-common "/src/image/scanner/dump${REPO_TO_CPE_DIR}/" ".${REPO_TO_CPE_DIR}/" -COPY --chown=65534:65534 --from=builder-common /src/image/scanner/dump/genesis_manifests.json ./ +COPY --from=builder /src/image/scanner/scripts / +COPY --from=builder /src/image/scanner/bin/scanner ./ +COPY --chown=65534:65534 --from=builder "/src/image/scanner/dump${REPO_TO_CPE_DIR}/" ".${REPO_TO_CPE_DIR}/" +COPY --chown=65534:65534 --from=builder /src/image/scanner/dump/genesis_manifests.json ./ RUN microdnf upgrade --nobest && \ microdnf install xz && \ @@ -79,12 +81,6 @@ LABEL \ ENV ROX_SLIM_MODE="true" -# Extension of common to full builder -FROM builder-common as builder - -RUN unzip -j blob-k8s-definitions.zip -d image/scanner/dump/k8s_definitions && \ - unzip -j blob-nvd-definitions.zip -d image/scanner/dump/nvd_definitions - # Scanner (full) FROM scanner-common AS scanner From d00818d21797414f8193e0e0880c5ec2795ecbc0 Mon Sep 17 00:00:00 2001 From: Tom Martensen Date: Tue, 12 Mar 2024 10:02:47 +0100 Subject: [PATCH 20/22] fix prefetching --- .tekton/scanner-slim-pull-request.yaml | 2 ++ .tekton/scanner-slim-push.yaml | 4 ++++ 2 files changed, 6 insertions(+) 
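Review bot: `scanner-slim` now needs `blob-k8s-definitions.zip` and `blob-nvd-definitions.zip` in the build context, because the hunk `@@ -14,7 +14,9 @@` runs their `unzip` in the shared `builder` stage that `scanner-common` (and therefore `scanner-slim`) copies from; a slim pipeline whose fetch step only retrieves `repo2cpe.zip` and `genesis_manifests.json` would fail at this `RUN`. Either keep the definition unzips in a stage only the full `scanner` target depends on, or make sure every pipeline that builds this Dockerfile fetches both archives, and say which in a comment above the `RUN`. As far as the visible `COPY --from=builder` lines show, the slim build also unpacks data it never copies into its image, which is wasted work if nothing outside the hunk uses it.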
diff --git a/.tekton/scanner-slim-pull-request.yaml b/.tekton/scanner-slim-pull-request.yaml index 0c38fee36..73240e81a 100644 --- a/.tekton/scanner-slim-pull-request.yaml +++ b/.tekton/scanner-slim-pull-request.yaml @@ -243,6 +243,8 @@ spec: #!/usr/bin/env bash "$(workspaces.source.path)/source/scripts/konflux/fetch-scanner-data.sh" \ "$(workspaces.source.path)/source" \ + nvd-definitions.zip \ + k8s-definitions.zip \ repo2cpe.zip \ genesis_manifests.json workspaces: diff --git a/.tekton/scanner-slim-push.yaml b/.tekton/scanner-slim-push.yaml index 0e582a089..0ac5f634d 100644 --- a/.tekton/scanner-slim-push.yaml +++ b/.tekton/scanner-slim-push.yaml @@ -35,6 +35,8 @@ spec: value: '{"type": "gomod", "path": "."}' - name: build-source-image value: 'true' + - name: build-target-stage + value: scanner-slim workspaces: - name: workspace @@ -240,6 +242,8 @@ spec: #!/usr/bin/env bash "$(workspaces.source.path)/source/scripts/konflux/fetch-scanner-data.sh" \ "$(workspaces.source.path)/source" \ + nvd-definitions.zip \ + k8s-definitions.zip \ repo2cpe.zip \ genesis_manifests.json workspaces: From f15a4715967c430b02439db0e5ea515d738a8785 Mon Sep 17 00:00:00 2001 From: Tom Martensen Date: Tue, 12 Mar 2024 12:14:38 +0100 Subject: [PATCH 21/22] add description for new parameter --- .tekton/scanner-db-pull-request.yaml | 4 ++++ .tekton/scanner-db-push.yaml | 4 ++++ .tekton/scanner-db-slim-pull-request.yaml | 4 ++++ .tekton/scanner-db-slim-push.yaml | 4 ++++ .tekton/scanner-pull-request.yaml | 4 ++++ .tekton/scanner-push.yaml | 4 ++++ .tekton/scanner-slim-pull-request.yaml | 4 ++++ .tekton/scanner-slim-push.yaml | 4 ++++ 8 files changed, 32 insertions(+) diff --git a/.tekton/scanner-db-pull-request.yaml b/.tekton/scanner-db-pull-request.yaml index 42b39c121..ff019cfb9 100644 --- a/.tekton/scanner-db-pull-request.yaml +++ b/.tekton/scanner-db-pull-request.yaml 
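Review bot: A comment is missing on the `nvd-definitions.zip` and `k8s-definitions.zip` arguments added to the `fetch-scanner-data.sh` call in both scanner-slim pipelines; they exist only because the unified builder stage unzips those archives, and nothing visible in this series copies them into the slim image, so I would put `# fetched only because the shared builder stage unzips them; scanner-slim does not ship them` above the script so the next reader does not wonder why slim downloads full-scanner data. From a supply-chain standpoint it is also worth confirming that `fetch-scanner-data.sh` verifies the integrity of these newly fetched archives the same way it does for the existing ones; the script is not on this page, so I cannot tell. The enclosing `script:` block starts outside the hunk.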
@@ -148,6 +148,10 @@ spec:
 description: Build a source image.
 name: build-source-image
 type: string
+ - default: ""
+ description: Build stage to target in container build
+ name: build-target-stage
+ type: string
 results:
 - description: ""
diff --git a/.tekton/scanner-db-push.yaml b/.tekton/scanner-db-push.yaml
index 94c97f24b..87c492c62 100644
--- a/.tekton/scanner-db-push.yaml
+++ b/.tekton/scanner-db-push.yaml
@@ -146,6 +146,10 @@ spec:
 description: Build a source image.
 name: build-source-image
 type: string
+ - default: ""
+ description: Build stage to target in container build
+ name: build-target-stage
+ type: string
 results:
 - description: ""
diff --git a/.tekton/scanner-db-slim-pull-request.yaml b/.tekton/scanner-db-slim-pull-request.yaml
index 7c4895f92..99fd5acc3 100644
--- a/.tekton/scanner-db-slim-pull-request.yaml
+++ b/.tekton/scanner-db-slim-pull-request.yaml
@@ -147,6 +147,10 @@ spec:
 description: Build a source image.
 name: build-source-image
 type: string
+ - default: ""
+ description: Build stage to target in container build
+ name: build-target-stage
+ type: string
 results:
 - description: ""
diff --git a/.tekton/scanner-db-slim-push.yaml b/.tekton/scanner-db-slim-push.yaml
index b70df0da7..33beca4bc 100644
--- a/.tekton/scanner-db-slim-push.yaml
+++ b/.tekton/scanner-db-slim-push.yaml
@@ -145,6 +145,10 @@ spec:
 description: Build a source image.
 name: build-source-image
 type: string
+ - default: ""
+ description: Build stage to target in container build
+ name: build-target-stage
+ type: string
 results:
 - description: ""
diff --git a/.tekton/scanner-pull-request.yaml b/.tekton/scanner-pull-request.yaml
index ddc3d80ea..5ca41ce7e 100644
--- a/.tekton/scanner-pull-request.yaml
+++ b/.tekton/scanner-pull-request.yaml
@@ -142,6 +142,10 @@ spec:
 description: Build a source image.
 name: build-source-image
 type: string
+ - default: ""
+ description: Build stage to target in container build
+ name: build-target-stage
+ type: string
 results:
 - description: ""
diff --git a/.tekton/scanner-push.yaml b/.tekton/scanner-push.yaml
index b568357c7..e5fbd04e2 100644
--- a/.tekton/scanner-push.yaml
+++ b/.tekton/scanner-push.yaml
@@ -141,6 +141,10 @@ spec:
 description: Build a source image.
 name: build-source-image
 type: string
+ - default: ""
+ description: Build stage to target in container build
+ name: build-target-stage
+ type: string
 results:
 - description: ""
diff --git a/.tekton/scanner-slim-pull-request.yaml b/.tekton/scanner-slim-pull-request.yaml
index 73240e81a..e660ff9d5 100644
--- a/.tekton/scanner-slim-pull-request.yaml
+++ b/.tekton/scanner-slim-pull-request.yaml
@@ -141,6 +141,10 @@ spec:
 description: Build a source image.
 name: build-source-image
 type: string
+ - default: ""
+ description: Build stage to target in container build
+ name: build-target-stage
+ type: string
 results:
 - description: ""
 name: IMAGE_URL
diff --git a/.tekton/scanner-slim-push.yaml b/.tekton/scanner-slim-push.yaml
index 0ac5f634d..423227db4 100644
--- a/.tekton/scanner-slim-push.yaml
+++ b/.tekton/scanner-slim-push.yaml
@@ -140,6 +140,10 @@ spec:
 description: Build a source image.
 name: build-source-image
 type: string
+ - default: ""
+ description: Build stage to target in container build
+ name: build-target-stage
+ type: string
 results:
 - description: ""
 name: IMAGE_URL
From 429ed0991320564b560d19a22a45b3e69a28cee4 Mon Sep 17 00:00:00 2001
From: Tom Martensen
Date: Tue, 12 Mar 2024 12:17:22 +0100
Subject: [PATCH 22/22] Update image/db/rhel/konflux.Dockerfile
Co-authored-by: Misha Sugakov <537715+msugakov@users.noreply.github.com>
---
 image/db/rhel/konflux.Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
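Review bot: The `build-target-stage` declaration added to each pipeline (here the scanner-slim pair, same shape in the six other files) gives `default: ""` but its description does not say what an empty target means, and nothing in these hunks passes `$(params.build-target-stage)` on to the build task, so the declaration by itself selects no stage. Spell out the fallback in the description once you have confirmed how the build task treats an empty target, e.g. `description: Build stage to target in container build (empty builds the Dockerfile's final stage)`, and check that the parameter is wired into the build-container task's stage-selection input, which lies outside these hunks. Quoting the default as `""` is the right call, since a bare `default:` would be read as null rather than an empty string.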
diff --git a/image/db/rhel/konflux.Dockerfile b/image/db/rhel/konflux.Dockerfile
index 8f35d7266..7077477e5 100644
--- a/image/db/rhel/konflux.Dockerfile
+++ b/image/db/rhel/konflux.Dockerfile
@@ -61,5 +61,5 @@ LABEL \
 io.k8s.display-name="scanner-db" \
 name="rhacs-scanner-db-rhel8"
-COPY blob-pg-definitions.sql.gz \
+COPY --chown=0:0 blob-pg-definitions.sql.gz \
 /docker-entrypoint-initdb.d/definitions.sql.gz
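Review bot: `--chown=0:0` is the ownership COPY already applies when no `--chown` is given, so the new line does not change the built image; it only records the intent that the init SQL is root-owned rather than writable by the database's runtime user. What actually decides whether that user can read or alter `/docker-entrypoint-initdb.d/definitions.sql.gz` is the file mode, which COPY takes from the build-context file and which this hunk leaves unpinned. If the builder used by the pipeline supports it, make the mode explicit as well: `COPY --chown=0:0 --chmod=0644 blob-pg-definitions.sql.gz \`. The `LABEL \` block named in the hunk header starts outside the hunk.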