Tekton
Tekton is a powerful and flexible open-source framework for creating CI/CD systems, allowing developers to build, test, and deploy across cloud providers and on-premise systems.
- Standardization: Tekton standardizes CI/CD tooling and processes across vendors, languages, and deployment environments. It works well with Jenkins, Knative, and many other common CI/CD tools.
- Built-in best practices: Tekton lets you create CI/CD systems quickly, giving you scalable, serverless, cloud-native execution out of the box.
- Maximum flexibility: Tekton abstracts the underlying implementation so that you can choose the build, test, and deploy workflow based on your team’s requirements.
Tekton Hub
Tekton Hub provides a central place for discovering and sharing Tekton resources across many distributed Tekton catalogs hosted by various organizations and teams. Hub currently displays a curated set of community-contributed tasks from the Community Catalog. Resources can be searched by name or display name, filtered by category (cloud, cli, GitHub, etc.), and rated by users.
Red Hat Advanced Cluster Security Image Check Task
This task allows you to check an image against build-time policies and apply enforcement to fail builds. It's a companion to the rhacs-image-scan task, which sends full vulnerability scan results for an image.
Check an image against RHACS build and deploy lifecycle policies to validate a pipeline run using roxctl.
Prerequisites
This task requires an active installation of Red Hat Advanced Cluster Security (RHACS). It also requires the configuration of secrets for the Central endpoint and an API token with at least CI privileges.
Install the Task
kubectl apply -f https://api.hub.tekton.dev/v1/resource/tekton/task/rhacs-image-check/3.71/raw
Parameters
- image: Full name of the image to check. Eg: gcr.io/rox/sample:5.0-rc1, $(params.IMAGE), $(params.IMAGE)@$(tasks.buildah.results.IMAGE_DIGEST)
- insecure-skip-tls-verify: Skip verification of the TLS certs for the Central endpoint and registry. Eg: "true", "false".
- output_format: Format of the policy check report. Eg: table, csv, json, junit
- rox_central_endpoint: Secret containing the address:port tuple for StackRox Central. Eg: rox-central-endpoint
- rox_api_token: Secret containing the StackRox API token with CI permissions. Eg: rox-API-token
Usage
Checks images that have been pushed to a registry. This enables checking irrespective of whether the build is using old-style Docker-based methods, hosted/SaaS-based methods where the Docker socket may not be directly available, or rootless methods like kaniko and buildah.
If the image violates one or more enforced policies, this task will return a failure and cause the pipeline run to fail.
kubectl create secret generic rox-api-token --from-literal=rox_api_token="$ROX_API_TOKEN"
kubectl create secret generic rox-central-endpoint --from-literal=rox_central_endpoint=central.stackrox.svc:443
Eg:
tasks:
  - name: image-check
    taskRef:
      name: rhacs-image-check
      kind: Task
    params:
      - name: image
        value: "$(params.IMAGE)@$(tasks.build-image.results.IMAGE_DIGEST)"
    runAfter:
      - image-scan
Samples:
- secrets.yaml example secret
- pipeline.yaml demonstrates use in a pipeline.
- pipelinerun.yaml demonstrates use in a pipelinerun.
Skipping TLS verification is currently required, because the TLS trust bundle does not work for quay.io and similar registries. Note that setting insecure-skip-tls-verify to "true" disables certificate validation for the connection to Central and to the registry, so that connection is no longer protected against a man-in-the-middle; treat it as a temporary workaround rather than a permanent setting.
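The usage example above pins the checked image by digest, and the TLS note above shows why the insecure-skip-tls-verify parameter needs care. The following wrapper step is an added example (it is not the rhacs-image-check task's own script and not part of RHACS) that makes both points enforceable: it refuses to run the check against an image reference that is not digest-pinned, allow-lists the output_format parameter so a pipeline parameter cannot smuggle extra flags onto the roxctl command line, and adds --insecure-skip-tls-verify only when the parameter is literally "true". The function names are hypothetical; it assumes roxctl is on PATH with the --image, --endpoint, --output and --insecure-skip-tls-verify flags of current releases, that roxctl reads the token from ROX_API_TOKEN, and that ROX_CENTRAL_ENDPOINT and ROX_API_TOKEN are exported from the two secrets created above.

```shell
#!/bin/sh
# Added example, not code from the rhacs-image-check task or from RHACS.
# Wrapper around "roxctl image check" that validates its inputs before
# calling roxctl. Assumptions: roxctl is on PATH, and ROX_CENTRAL_ENDPOINT /
# ROX_API_TOKEN are exported from the rox-central-endpoint and rox-api-token
# secrets. Function names are hypothetical.
set -eu

# Returns 0 only for refs of the form <repo>@sha256:<64 lowercase hex>.
# A tag such as :latest is rejected: the tag can be re-pushed between this
# check and the deploy, so a tag-based check proves nothing about what runs.
image_ref_is_pinned() {
  case "$1" in
    *@sha256:*) ;;
    *) return 1 ;;
  esac
  digest="${1##*@sha256:}"
  [ "${#digest}" -eq 64 ] || return 1
  # deleting every hex character must leave nothing behind
  [ -z "$(printf '%s' "$digest" | tr -d '0-9a-f')" ] || return 1
  return 0
}

# Allow-list the output_format parameter (the values the task documents).
output_format_is_valid() {
  case "$1" in
    table|csv|json|junit) return 0 ;;
    *) return 1 ;;
  esac
}

# Emit the TLS-skip flag only for the exact string "true"; anything else
# (including "True", "1" or an empty value) keeps certificate verification on.
tls_flag() {
  if [ "$1" = "true" ]; then
    printf '%s' "--insecure-skip-tls-verify"
  fi
  return 0
}

# Run the check. roxctl exits non-zero when an enforced policy is violated,
# and that status is returned unchanged so the Tekton step (and therefore the
# pipeline run) fails. Exit code 2 marks the wrapper's own input rejections.
run_image_check() {
  image_ref_is_pinned "$1" || { echo "refusing to check unpinned image ref: $1" >&2; return 2; }
  output_format_is_valid "$2" || { echo "invalid output_format: $2" >&2; return 2; }
  : "${ROX_CENTRAL_ENDPOINT:?export it from the rox-central-endpoint secret}"
  : "${ROX_API_TOKEN:?export it from the rox-api-token secret}"
  # The token stays in the environment (roxctl reads ROX_API_TOKEN); it is
  # never placed on the command line where it would show up in ps output.
  # shellcheck disable=SC2046  # tls_flag prints either one flag or nothing
  roxctl image check --image "$1" --endpoint "$ROX_CENTRAL_ENDPOINT" \
    --output "$2" $(tls_flag "$3")
}

# Usage: ./check.sh <image@sha256:...> [output_format] [insecure-skip-tls-verify]
if [ "$#" -gt 0 ]; then
  run_image_check "$1" "${2:-table}" "${3:-false}"
fi
```

Wired into the task's step, the three parameters map directly onto the wrapper's three positional arguments; a PipelineRun that passes a mutable tag, or an unexpected output_format, is rejected with exit code 2 before any network call is made, while a genuine policy violation still surfaces as roxctl's own non-zero exit.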