Adding ACS image-scan and image-check

Add README, samples

Add image check task, fix lint issues

Fix READMEs

Add spec description

Fix task name

Fix task name in sample

Convert ClusterTask to Task

Resolve typo in parameters

Enclose code in code block

Move insecure-skip-tls-verify to parameter

Address Catlin output

Author:    Neil Carpenter <me@neilcar.com>
Date:      Fri Jul 16 11:46:48 2021 -0400

Initial commit of stackrox-image-check and stackrox-image-scan

Initial commit

Add README, samples

Add image check task, fix lint issues

Fix READMEs

Add spec description

Enclose code in code block

Updated Changes as requested by review - Added OWNERS file - Changed Image FQDN - Rebased git history to make linear - Linted

Update owners file with spaces

Empty Commit - Refresh for update on owner update

Updated PR: 1 Fixed Comment - https://github.com/tektoncd/catalog/pull/834#discussion_r731073440 2 Renamed stackrox-image-check.yml to yaml

Co-Authored-By: neilcar <926748+neilcar@users.noreply.github.com>

task/stackrox-image-check/0.1/README.md

@@ -0,0 +1,43 @@
+# StackRox/Red Hat Advanced Cluster Security Image Scan Task
+
+This tasks allows you to check an image against build-time policies and apply enforcement to fail builds.  It's a companion to the stackrox-image-scan task, which returns full vulnerability scan results for an image.
+
+## Prerequisites
+
+This task requires an active installation of [Red Hat Advanced Cluster Security (RHACS)](https://www.redhat.com/en/resources/advanced-cluster-security-for-kubernetes-datasheet) or [StackRox](https://www.stackrox.io/).  It also requires configuration of secrets for the Central endpoint and an API token with at least CI privileges.  `samples\rox-secrets.yaml` shows how to create the appropriate secrets.
+
+## Install the Task
+
+```bash
+kubectl apply -f https://raw.githubusercontent.com/tektoncd/catalog/main/task/stackrox-image-scan/0.1/stackrox-image-scan.yaml
+```
+
+## Parameters
+
+- **rox_central_endpoint**: Secret containing the address:port tuple for StackRox Central (example - rox.stackrox.io:443)
+- **rox_api_token**: Secret containing the StackRox API token with CI permissions
+- **image**: Full name of image to scan (example -- gcr.io/rox/sample:5.0-rc1)
+- **insecure-skip-tls-verify**: When set to `"true"`, skip verifying the TLS certs of the Central endpoint.  Defaults to `"false"`.
+
+## Usage
+
+StackRox/RHACS scans images that have been pushed to a registry.  This enables scanning regardless of whether the build is using traditional Docker-based approaches, hosted/SaaS-based approaches where the Docker socket may not be directly available, or rootless approaches like `kaniko` and `buildah`.
+
+`samples\rox-pipeline.yaml` is a sample pipeline that takes the image to scan as a parameter.  Calling the task directly looks like this:
+
+```yaml
+  tasks:
+    - name: image-check
+      taskRef:
+        name: rox-image-check
+        kind: ClusterTask
+      params:
+        - name: image
+          value:  docker.io/stackrox/kube-linter:0.2.2
+        - name: rox_api_token
+          value: roxsecrets
+        - name: rox_central_endpoint
+          value: roxsecrets
+```
+
+If the image fails one or more enforced policies, this task will return a failure, causing the build to fail.

task/stackrox-image-check/0.1/samples/rox-pipeline.yaml

@@ -0,0 +1,25 @@
+---
+apiVersion: tekton.dev/v1beta1
+kind: Pipeline
+metadata:
+  name: rox-pipeline
+  namespace: pipeline-demo
+spec:
+  description: Rox demo pipeline
+  params:
+    - name: image
+      type: string
+      description: |
+        Full name of image to scan (example -- gcr.io/rox/sample:5.0-rc1)
+  tasks:
+    - name: image-check
+      taskRef:
+        name: stackrox-image-check
+        kind: ClusterTask
+      params:
+        - name: image
+          value: $(params.image)
+        - name: rox_api_token
+          value: roxsecrets
+        - name: rox_central_endpoint
+          value: roxsecrets

task/stackrox-image-check/0.1/samples/rox-secrets.yaml

@@ -0,0 +1,15 @@
+---
+apiVersion: v1
+stringData:
+  rox_central_endpoint: "{{ central_addr }}:{{ central_port }}"
+  # The address:port tuple for StackRox Central (example - rox.stackrox.io:443)
+  # This must include the port number
+  rox_api_token: "{{ rox_api_token }}"
+  # StackRox API token with CI permissions
+  # Refer to below
+  # https://help.stackrox.com/docs/use-the-api/#generate-an-access-token
+kind: Secret
+metadata:
+  name: roxsecrets
+  namespace: pipeline-demo
+type: Opaque

task/stackrox-image-check/0.1/stackrox-image-check.yaml

@@ -0,0 +1,69 @@
+---
+apiVersion: tekton.dev/v1beta1
+kind: Task
+metadata:
+  name: stackrox-image-check
+  labels:
+    app.kubernetes.io/version: "0.1"
+  annotations:
+    tekton.dev/tags: security
+    tekton.dev/categories: Security
+    tekton.dev/displayName: "Policy check an image with StackRox/RHACS"
+    tekton.dev/platforms: "linux/amd64"
+    tekton.dev/pipelines.minVersion: "0.18.0"
+spec:
+  description: >-
+    Policy check an image with StackRox/RHACS
+
+    This tasks allows you to check an image against build-time policies
+    and apply enforcement to fail builds.  It's a companion to the
+    stackrox-image-scan task, which returns full vulnerability scan
+    results for an image.
+  params:
+    - name: rox_central_endpoint
+      type: string
+      description: |
+        Secret containing the address:port tuple for StackRox Central)
+        (example - rox.stackrox.io:443)
+    - name: rox_api_token
+      type: string
+      description: Secret containing the StackRox API token with CI permissions
+    - name: image
+      type: string
+      description: |
+        Full name of image to scan (example -- gcr.io/rox/sample:5.0-rc1)
+    - name: insecure-skip-tls-verify
+      type: string
+      description: |
+        When set to `"true"`, skip verifying the TLS certs of the Central
+        endpoint.  Defaults to `"false"`.
+      default: "false"
+  results:
+    - name: check_output
+      description: Output of `roxctl image check`
+  steps:
+    - name: rox-image-check
+      image: docker.io/centos@sha256:a1801b843b1bfaf77c501e7a6d3f709401a1e0c83863037fa3aab063a7fdb9dc
+      env:
+        - name: ROX_API_TOKEN
+          valueFrom:
+            secretKeyRef:
+              name: $(params.rox_api_token)
+              key: rox_api_token
+        - name: ROX_CENTRAL_ENDPOINT
+          valueFrom:
+            secretKeyRef:
+              name: $(params.rox_central_endpoint)
+              key: rox_central_endpoint
+      script: |
+        #!/usr/bin/env bash
+        set +x
+        curl -s -k -L -H "Authorization: Bearer $ROX_API_TOKEN" \
+          "https://$ROX_CENTRAL_ENDPOINT/api/cli/download/roxctl-linux" \
+          --output ./roxctl  \
+          > /dev/null
+        chmod +x ./roxctl  > /dev/null
+        ./roxctl image check \
+          $( [ "$(params.insecure-skip-tls-verify)" = "true" ] && \
+          echo -n "--insecure-skip-tls-verify") \
+          -e "$ROX_CENTRAL_ENDPOINT" --image "$(params.image)"

task/stackrox-image-check/OWNERS

@@ -0,0 +1,6 @@
+approvers:
+- neilcar
+- MoOyeg
+reviewers:
+- neilcar
+- MoOyeg

task/stackrox-image-scan/0.1/README.md

@@ -0,0 +1,44 @@
+# StackRox/Red Hat Advanced Cluster Security Image Scan Task
+
+This tasks allows you to return full vulnerability scan results for an image in JSON, CSV, or Pretty format.  It's a companion to the stackrox-image-check task, which checks an image against build-time policies.
+
+## Prerequisites
+
+This task requires an active installation of [Red Hat Advanced Cluster Security (RHACS)](https://www.redhat.com/en/resources/advanced-cluster-security-for-kubernetes-datasheet) or [StackRox](https://www.stackrox.io/).  It also requires configuration of secrets for the Central endpoint and an API token with at least CI privileges.  `samples\rox-secrets.yaml` shows how to create the appropriate secrets.
+
+## Install the Task
+
+```bash
+kubectl apply -f https://raw.githubusercontent.com/tektoncd/catalog/main/task/stackrox-image-scan/0.1/stackrox-image-scan.yaml
+```
+
+## Parameters
+
+- **rox_central_endpoint**: Secret containing the address:port tuple for StackRox Central (example - rox.stackrox.io:443)
+- **rox_api_token**: Secret containing the StackRox API token with CI permissions
+- **image**: Full name of image to scan (example -- gcr.io/rox/sample:5.0-rc1)
+- **output_format**:  Output format (json | csv | pretty).  This parameter is optional -- if omitted, the default format it JSON.
+- **insecure-skip-tls-verify**: When set to `"true"`, skip verifying the TLS certs of the Central endpoint.  Defaults to `"false"`.
+
+## Usage
+
+StackRox/RHACS scans images that have been pushed to a registry.  This enables scanning regardless of whether the build is using traditional Docker-based approaches, hosted/SaaS-based approaches where the Docker socket may not be directly available, or rootless approaches like `kaniko` and `buildah`.
+
+`samples\rox-pipeline.yaml` is a sample pipeline that takes the image to scan as a parameter.  Calling the task directly looks like this:
+
+```yaml
+  tasks:
+    - name: image-scan
+        taskRef:
+        name: rox-image-scan
+        kind: ClusterTask
+        params:
+            - name: image
+            value: docker.io/stackrox/kube-linter:0.2.2
+            - name: rox_api_token
+            value: roxsecrets
+            - name: rox_central_endpoint
+            value: roxsecrets
+            - name: output_format
+            value: pretty
+```

task/stackrox-image-scan/0.1/samples/rox-pipeline.yaml

@@ -0,0 +1,27 @@
+---
+apiVersion: tekton.dev/v1beta1
+kind: Pipeline
+metadata:
+  name: rox-pipeline
+  namespace: pipeline-demo
+spec:
+  description: Rox demo pipeline
+  params:
+    - name: image
+      type: string
+      description: |
+        Full name of image to scan (example -- gcr.io/rox/sample:5.0-rc1)
+  tasks:
+    - name: image-scan
+      taskRef:
+        name: rox-image-scan
+        kind: ClusterTask
+      params:
+        - name: image
+          value: $(params.image)
+        - name: rox_api_token
+          value: roxsecrets
+        - name: rox_central_endpoint
+          value: roxsecrets
+        - name: output_format
+          value: pretty

task/stackrox-image-scan/0.1/samples/rox-secrets.yaml

@@ -0,0 +1,15 @@
+---
+apiVersion: v1
+stringData:
+  rox_central_endpoint: "{{ central_addr }}:{{ central_port }}"
+  # The address:port tuple for StackRox Central (example - rox.stackrox.io:443)
+  # This must include the port number
+  rox_api_token: "{{ rox_api_token }}"
+  # StackRox API token with CI permissions
+  # Refer to below
+  # https://help.stackrox.com/docs/use-the-api/#generate-an-access-token
+kind: Secret
+metadata:
+  name: roxsecrets
+  namespace: pipeline-demo
+type: Opaque

task/stackrox-image-scan/0.1/stackrox-image-scan.yaml

@@ -0,0 +1,70 @@
+---
+apiVersion: tekton.dev/v1beta1
+kind: Task
+metadata:
+  name: stackrox-image-scan
+  labels:
+    app.kubernetes.io/version: "0.1"
+  annotations:
+    tekton.dev/tags: security
+    tekton.dev/categories: Security
+    tekton.dev/displayName: "Scan an image with StackRox/RHACS"
+    tekton.dev/platforms: "linux/amd64"
+    tekton.dev/pipelines.minVersion: "0.18.0"
+spec:
+  description: >-
+    Scan an image with StackRox/RHACS
+    This tasks allows you to return full vulnerability scan results for an image
+    in JSON, CSV, or Pretty format.
+    It's a companion to the stackrox-image-check task,
+    which checks an image against build-time policies.
+  params:
+    - name: rox_central_endpoint
+      type: string
+      description: |
+        Secret containing the address:port tuple for StackRox Central
+        (example - rox.stackrox.io:443)
+    - name: rox_api_token
+      type: string
+      description: Secret containing the StackRox API token with CI permissions
+    - name: image
+      type: string
+      description: |
+        Full name of image to scan (example -- gcr.io/rox/sample:5.0-rc1)
+    - name: output_format
+      type: string
+      description: Output format (json | csv | pretty)
+      default: json
+    - name: insecure-skip-tls-verify
+      type: string
+      description: |
+        When set to `"true"`, skip verifying the TLS certs of the Central
+        endpoint.  Defaults to `"false"`.
+      default: "false"
+  steps:
+    - name: rox-image-scan
+      image: docker.io/centos@sha256:a1801b843b1bfaf77c501e7a6d3f709401a1e0c83863037fa3aab063a7fdb9dc
+      env:
+        - name: ROX_API_TOKEN
+          valueFrom:
+            secretKeyRef:
+              name: $(params.rox_api_token)
+              key: rox_api_token
+        - name: ROX_CENTRAL_ENDPOINT
+          valueFrom:
+            secretKeyRef:
+              name: $(params.rox_central_endpoint)
+              key: rox_central_endpoint
+      script: |
+        #!/usr/bin/env bash
+        set +x
+        export NO_COLOR="True"
+        curl -s -k -L -H "Authorization: Bearer $ROX_API_TOKEN" \
+          "https://$ROX_CENTRAL_ENDPOINT/api/cli/download/roxctl-linux" \
+          --output ./roxctl  > /dev/null; echo "Getting roxctl"
+        chmod +x ./roxctl > /dev/null
+        ./roxctl image scan \
+          $( [ "$(params.insecure-skip-tls-verify)" = "true" ] && \
+          echo -n "--insecure-skip-tls-verify") \
+          -e "$ROX_CENTRAL_ENDPOINT" --image "$(params.image)" \
+          --format "$(params.output_format)"

task/stackrox-image-scan/OWNERS

@@ -0,0 +1,6 @@
+approvers:
+- neilcar
+- MoOyeg
+reviewers:
+- neilcar
+- MoOyeg