Suyash Sambhare

RH ACS Image Check on Tekton


Tekton is a powerful and flexible open-source framework for building CI/CD systems, allowing developers to build, test, and deploy across cloud providers and on-premise systems.

  • Standardization: Tekton standardizes CI/CD tooling and processes across vendors, languages, and deployment environments. It works well with Jenkins, Knative, and many other common CI/CD tools.
  • Built-in best practices: Tekton lets you create CI/CD systems quickly, giving you scalable, serverless, cloud-native execution out of the box.
  • Maximum flexibility: Tekton abstracts the fundamental functioning so that you can choose the build, test, and deploy workflow based on your team’s requirements.

Tekton Hub

Tekton Hub provides a central place for exploring and sharing Tekton resources across the many distributed Tekton catalogs hosted by various organizations and teams. Hub currently displays a curated set of community-contributed tasks from the Community Catalog. Resources can be searched by name or display name, filtered by category (cloud, cli, GitHub, etc.), and rated by users.

Red Hat Advanced Cluster Security Image Check Task

This task allows you to check an image against build-time policies and apply enforcement to fail builds. It is a companion to the rhacs-image-scan task, which returns the full vulnerability scan results for an image.
Check an image against RHACS build and deploy lifecycle policies to validate a pipeline run using roxctl.


This task requires an active installation of Red Hat Advanced Cluster Security (RHACS). It also requires the configuration of secrets for the Central endpoint and an API token with at least CI privileges.

Install the Task

kubectl apply -f

Parameters

  1. image: Full name of the image to check, e.g. $(params.IMAGE) or $(params.IMAGE)@$(tasks.buildah.results.IMAGE_DIGEST)
  2. insecure-skip-tls-verify: Skip verification of the TLS certificates for the Central endpoint and registry. E.g. "true", "false"
  3. output_format: Output format of the check results. E.g. table, csv, json, junit
  4. rox_central_endpoint: Secret containing the address:port tuple for StackRox Central. E.g. rox-central-endpoint
  5. rox_api_token: Secret containing the StackRox API token with CI permissions. E.g. rox-API-token



Checks images that have been pushed to a registry. This enables scanning irrespective of whether the build is using old-style Docker-based methods, hosted/SaaS-based methods where the Docker socket may not be directly available, or rootless methods like kaniko and buildah.

If the image violates one or more enforced policies, this task will return a failure and cause the pipeline run to fail.

kubectl create secret generic rox-api-token --from-literal=rox_api_token="$ROX_API_TOKEN"
kubectl create secret generic rox-central-endpoint --from-literal=rox_central_endpoint=central.stackrox.svc:443


    - name: image-check
      taskRef:
        name: rhacs-image-check
        kind: Task
      params:
        - name: image
          value: "$(params.IMAGE)@$(tasks.buildah.results.IMAGE_DIGEST)"
      runAfter:
        - image-scan


Skipping TLS verification is currently required, because the TLS trust bundle is not working.
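The following Pipeline wires the pieces above together: a buildah build, the rhacs-image-scan task, and the rhacs-image-check task gated on it. It is an added illustration, not code from the post or from the Tekton Hub task definitions. It assumes the OpenShift Pipelines buildah ClusterTask (parameter IMAGE, result IMAGE_DIGEST, workspace source), assumes that rhacs-image-scan accepts the same parameter names as rhacs-image-check, and uses the two secrets created with the kubectl commands above; the pipeline name and the default image reference are placeholder values.

```yaml
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
  name: build-scan-check        # placeholder name
spec:
  params:
    - name: IMAGE
      type: string
      description: Image reference without digest (placeholder default)
      default: quay.io/example/app:latest
  workspaces:
    - name: source
  tasks:
    # 1. Build and push the image; buildah publishes the digest as IMAGE_DIGEST
    #    (assumed: OpenShift Pipelines buildah ClusterTask).
    - name: buildah
      taskRef:
        name: buildah
        kind: ClusterTask
      workspaces:
        - name: source
          workspace: source
      params:
        - name: IMAGE
          value: "$(params.IMAGE)"

    # 2. Full vulnerability scan of the pushed image, pinned by digest so the
    #    scanned artifact is exactly the one that was built.
    - name: image-scan
      taskRef:
        name: rhacs-image-scan
        kind: Task
      runAfter:
        - buildah
      params:
        - name: image
          value: "$(params.IMAGE)@$(tasks.buildah.results.IMAGE_DIGEST)"
        - name: output_format
          value: table
        - name: insecure-skip-tls-verify
          value: "true"           # the post notes this is currently required; "false" verifies Central's certificate
        - name: rox_central_endpoint
          value: rox-central-endpoint   # Secret name from the kubectl command above
        - name: rox_api_token
          value: rox-api-token          # Secret name from the kubectl command above

    # 3. Policy check: any violated policy with enforcement fails this task,
    #    and therefore the PipelineRun.
    - name: image-check
      taskRef:
        name: rhacs-image-check
        kind: Task
      runAfter:
        - image-scan
      params:
        - name: image
          value: "$(params.IMAGE)@$(tasks.buildah.results.IMAGE_DIGEST)"
        - name: output_format
          value: json
        - name: insecure-skip-tls-verify
          value: "true"
        - name: rox_central_endpoint
          value: rox-central-endpoint
        - name: rox_api_token
          value: rox-api-token
```

Start it with a PipelineRun that sets IMAGE and binds the source workspace. Because image-check runs after image-scan and fails on any enforced policy violation, an image that breaks an enforced build-time policy stops the pipeline at that task, while the scan results from the previous task remain available in the run logs.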

