mirror of https://github.com/tektoncd/catalog.git synced 2024-11-21 05:55:35 +00:00
Quan Zhang e294e1246b [TEP-0110] Update Tekton Catalog installation instructions
Prior to this change, the installation instructions directly use the resource urls in the Catalog repo, which results in tight coupling between the organization and how users fetch resources (as described in TEP-0110). This commit updates the installation guide to install Tekton Catalog resources via Tekton Hub Api: https://github.com/tektoncd/hub/pull/539

This change decouples the Tekton Catalog organization from resources resolution, which enables Tekton Catalog reorganization.
2022-08-16 16:25:52 +01:00

StackRox/Red Hat Advanced Cluster Security Image Check Task

This task allows you to check an image against build-time policies and apply enforcement to fail builds. It is a companion to the stackrox-image-scan task, which returns full vulnerability scan results for an image.

Prerequisites

This task requires an active installation of Red Hat Advanced Cluster Security (RHACS) or StackRox. It also requires Kubernetes Secrets holding the Central endpoint and an API token with at least CI privileges; scope the token no wider than that, since it is exposed to every pipeline that references the Secret. samples/rox-secrets.yaml shows how to create the appropriate secrets.

Install the Task

kubectl apply -f https://api.hub.tekton.dev/v1/resource/tekton/task/stackrox-image-check/0.1/raw

Parameters

  • rox_central_endpoint: Name of the Secret containing the address:port tuple for StackRox Central (example - rox.stackrox.io:443)
  • rox_api_token: Name of the Secret containing the StackRox API token with CI permissions
  • image: Full name of the image to check (example -- gcr.io/rox/sample:5.0-rc1). A reference pinned by digest is preferable to a tag, since a tag can be moved after the check has passed.
  • insecure-skip-tls-verify: When set to "true", skip verifying the TLS certs of the Central endpoint. Defaults to "false". Leave the default in production: without certificate verification, anyone who can intercept the connection can impersonate Central and return a passing verdict.

Usage

StackRox/RHACS scans images that have been pushed to a registry. This enables scanning regardless of whether the build is using traditional Docker-based approaches, hosted/SaaS-based approaches where the Docker socket may not be directly available, or rootless approaches like kaniko and buildah.

samples/rox-pipeline.yaml is a sample pipeline that takes the image to check as a parameter. Calling the task directly looks like this (the task installed above is a namespaced Task named stackrox-image-check, so it is referenced as a Task, not a ClusterTask):

  tasks:
    - name: image-check
      taskRef:
        name: stackrox-image-check
      params:
        - name: image
          value: docker.io/stackrox/kube-linter:0.2.2
        - name: rox_api_token
          value: roxsecrets
        - name: rox_central_endpoint
          value: roxsecrets

If the image violates one or more policies that have build-time enforcement enabled, this task returns a failure, causing the build to fail. Violations of policies without enforcement are reported in the task log but do not fail the task.
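The following manifests are an added example, not part of the catalog or of samples/rox-pipeline.yaml. They show the complete wiring the snippet above leaves implicit: one Secret serving both Secret-name parameters, a Pipeline that references the installed Task and takes the image as a parameter, and a PipelineRun that supplies it. The Secret key names rox_central_endpoint and rox_api_token are assumed to match what the task definition reads; confirm them against samples/rox-secrets.yaml before use. The endpoint central.example.com:443 and the token placeholder are constructed values.

```yaml
# Added example (not from the catalog). Assumes the Task was installed with the
# kubectl apply command above, producing a namespaced Task named
# stackrox-image-check in the current namespace.
apiVersion: v1
kind: Secret
metadata:
  name: roxsecrets
type: Opaque
stringData:
  # Key names are an assumption; verify against samples/rox-secrets.yaml.
  rox_central_endpoint: central.example.com:443      # constructed example endpoint
  rox_api_token: REPLACE_WITH_CI_SCOPED_API_TOKEN    # placeholder, never commit a real token
---
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
  name: rox-image-check-pipeline
spec:
  params:
    - name: image
      type: string
      description: >-
        Image to check. Pass a digest reference (repo@sha256:<digest>) rather
        than a tag so the image that was checked is the image that gets deployed.
  tasks:
    - name: image-check
      taskRef:
        name: stackrox-image-check   # kind defaults to Task
      params:
        - name: image
          value: $(params.image)
        # Both parameters name the same Secret; the task reads a different key from each.
        - name: rox_api_token
          value: roxsecrets
        - name: rox_central_endpoint
          value: roxsecrets
        # Explicitly keep TLS verification on (this is also the default).
        - name: insecure-skip-tls-verify
          value: "false"
---
apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
  generateName: rox-image-check-run-
spec:
  pipelineRef:
    name: rox-image-check-pipeline
  params:
    - name: image
      # Tag reference taken from the README snippet above; prefer a digest in practice.
      value: docker.io/stackrox/kube-linter:0.2.2
```

Apply the Secret and Pipeline with kubectl apply, then kubectl create the PipelineRun (it uses generateName, so apply would reject it). The run fails, and with it anything that runAfter it in a larger pipeline, exactly when Central reports a violation of an enforced build-time policy.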