From 062f8e94d04eeb04f81b58a7b3e9558be9522cf7 Mon Sep 17 00:00:00 2001 From: stakater-user Date: Fri, 27 Oct 2023 14:44:00 +0000 Subject: [PATCH] [skip ci] Add rendered and modified Helm chart --- .../stakater-rox-image-check-0.0.7.yaml | 101 ++++++++++++++++++ 1 file changed, 101 insertions(+) create mode 100644 stakater-rox-image-check/rendered/stakater-rox-image-check-0.0.7.yaml diff --git a/stakater-rox-image-check/rendered/stakater-rox-image-check-0.0.7.yaml b/stakater-rox-image-check/rendered/stakater-rox-image-check-0.0.7.yaml new file mode 100644 index 0000000..efbeaa8 --- /dev/null +++ b/stakater-rox-image-check/rendered/stakater-rox-image-check-0.0.7.yaml @@ -0,0 +1,101 @@ +--- +# Source: stakater-rox-image-check/templates/clustertask.yaml +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: stakater-rox-image-check-0.0.7 +spec: + description: >- + Policy check an image with StackRox/RHACS + This tasks allows you to check an image against build-time policies and + apply enforcement to fail builds. It's a companion to the + stackrox-image-scan task, which returns full vulnerability scan results for + an image. + params: + - name: ROX_CENTRAL_ENDPOINT + description: | + Secret containing the address:port tuple for StackRox Central) + (example - rox.stackrox.io:443) + type: string + - name: ROX_API_TOKEN + description: Secret containing the StackRox API token with CI permissions + type: string + - name: IMAGE + description: | + Full name of image to scan (example -- gcr.io/rox/sample:5.0-rc1) + type: string + - name: INSECURE_SKIP_TLS_VERIFY + default: 'false' + description: | + When set to `"true"`, skip verifying the TLS certs of the Central + endpoint. Defaults to `"false"`. + type: string + - name: BUILD_IMAGE + default: 'true' + description: Flag specifying whether image should be built again. + type: string + - name: IGNORE_VULNERABILITIES + default: 'true' + description: Determines whether to ignore the errors reported by rhacs + results: + - description: Output of `roxctl image check` + name: check_output + + steps: + - env: + - name: ROX_API_TOKEN + valueFrom: + secretKeyRef: + key: rox-api-token + name: $(params.ROX_API_TOKEN) + - name: ROX_CENTRAL_ENDPOINT + valueFrom: + secretKeyRef: + key: rox-central-endpoint + name: $(params.ROX_CENTRAL_ENDPOINT) + image: >- + docker.io/centos@sha256:a1801b843b1bfaf77c501e7a6d3f709401a1e0c83863037fa3aab063a7fdb9dc + name: rox-image-check + resources: {} + script: | + #!/usr/bin/env bash + if [[ $(params.BUILD_IMAGE) == true ]]; then + set +x + + curl -s -k -L -H "Authorization: Bearer $ROX_API_TOKEN" \ + "https://$ROX_CENTRAL_ENDPOINT/api/cli/download/roxctl-linux" \ + --output ./roxctl \ + > /dev/null + + chmod +x ./roxctl > /dev/null + + if [[ $(params.IGNORE_VULNERABILITIES) == false ]]; then + ./roxctl image check \ + $( [ "$(params.INSECURE_SKIP_TLS_VERIFY)" = "true" ] && \ + echo -n "--insecure-skip-tls-verify") \ + -e "$ROX_CENTRAL_ENDPOINT" --image "$(params.IMAGE)" + else + output=$(./roxctl image check \ + $( [ "$(params.INSECURE_SKIP_TLS_VERIFY)" = "true" ] && \ + echo -n "--insecure-skip-tls-verify") \ + -e "$ROX_CENTRAL_ENDPOINT" --image "$(params.IMAGE)" 2>&1) + + exit_code=$? + + echo "$output" + if [ $exit_code -ne 0 ]; then + echo "The command exited with a non-zero status: $exit_code" + fi + fi + output=$(./roxctl image check \ + $( [ "$(params.INSECURE_SKIP_TLS_VERIFY)" = "true" ] && \ + echo -n "--insecure-skip-tls-verify") \ + -e "$ROX_CENTRAL_ENDPOINT" --image "$(params.IMAGE)" 2>&1) + + exit_code=$? + + echo "$output" + if [ $exit_code -ne 0 ]; then + echo "The command exited with a non-zero status: $exit_code" + fi + fi