diff --git a/pipelines/docker-build-multi-platform-oci-ta/README.md b/pipelines/docker-build-multi-platform-oci-ta/README.md index c54180b7da..ba574b2adc 100644 --- a/pipelines/docker-build-multi-platform-oci-ta/README.md +++ b/pipelines/docker-build-multi-platform-oci-ta/README.md @@ -153,6 +153,15 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |IMAGE_DIGEST| The built binary image digest, which is used to construct the tag of Dockerfile image.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| |SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| None| '$(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)'| |TAG_SUFFIX| Suffix of the Dockerfile image tag.| .dockerfile| | +### rpms-signature-scan:0.1 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|ca-trust-config-map-key| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | +|ca-trust-config-map-name| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | +|fail-unsigned| [true \ false] If true fail if unsigned RPMs were found| false| | +|image-digest| Image digest to scan| None| '$(tasks.build-container.results.IMAGE_DIGEST)'| +|image-url| Image URL| None| '$(tasks.build-container.results.IMAGE_URL)'| +|workdir| Directory that will be used for storing temporary files produced by this task. | /tmp| | ### sast-snyk-check-oci-ta:0.2 task parameters |name|description|default value|already set by| |---|---|---|---| 
@@ -242,6 +251,12 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| |IMAGE_REF| Digest-pinned image reference to the Dockerfile image.| | +### rpms-signature-scan:0.1 task results +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|IMAGES_PROCESSED| Images processed in the task.| | +|RPMS_DATA| Information about signed and unsigned RPMs| | +|TEST_OUTPUT| Tekton task test output.| | ### sast-snyk-check-oci-ta:0.2 task results |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| diff --git a/pipelines/docker-build-oci-ta/README.md b/pipelines/docker-build-oci-ta/README.md index 506cb0d6c4..a5b9464514 100644 --- a/pipelines/docker-build-oci-ta/README.md +++ b/pipelines/docker-build-oci-ta/README.md 
@@ -150,6 +150,15 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |IMAGE_DIGEST| The built binary image digest, which is used to construct the tag of Dockerfile image.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| |SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| None| '$(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)'| |TAG_SUFFIX| Suffix of the Dockerfile image tag.| .dockerfile| | +### rpms-signature-scan:0.1 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|ca-trust-config-map-key| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | +|ca-trust-config-map-name| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | +|fail-unsigned| [true \ false] If true fail if unsigned RPMs were found| false| | +|image-digest| Image digest to scan| None| '$(tasks.build-container.results.IMAGE_DIGEST)'| +|image-url| Image URL| None| '$(tasks.build-container.results.IMAGE_URL)'| +|workdir| Directory that will be used for storing temporary files produced by this task. | /tmp| | ### sast-snyk-check-oci-ta:0.2 task parameters |name|description|default value|already set by| |---|---|---|---| 
@@ -192,9 +201,9 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito ### buildah-oci-ta:0.2 task results |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| -|IMAGE_DIGEST| Digest of the image just built| | +|IMAGE_DIGEST| Digest of the image just built| rpms-signature-scan:0.1:image-digest| |IMAGE_REF| Image reference of the built image| | -|IMAGE_URL| Image repository and tag where the built image was pushed| build-image-index:0.1:IMAGES| +|IMAGE_URL| Image repository and tag where the built image was pushed| build-image-index:0.1:IMAGES ; rpms-signature-scan:0.1:image-url| |JAVA_COMMUNITY_DEPENDENCIES| The Java dependencies that came from community sources such as Maven central.| | |SBOM_BLOB_URL| Reference of SBOM blob digest to enable digest-based verification from provenance| | |SBOM_JAVA_COMPONENTS_COUNT| The counting of Java components by publisher in JSON format| | @@ -239,6 +248,12 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| |IMAGE_REF| Digest-pinned image reference to the Dockerfile image.| | +### rpms-signature-scan:0.1 task results +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|IMAGES_PROCESSED| Images processed in the task.| | +|RPMS_DATA| Information about signed and unsigned RPMs| | +|TEST_OUTPUT| Tekton task test output.| | ### sast-snyk-check-oci-ta:0.2 task results |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| diff --git a/pipelines/docker-build-rhtap/README.md b/pipelines/docker-build-rhtap/README.md index c3dfd9ea7b..1c4fb6e445 100644 --- a/pipelines/docker-build-rhtap/README.md +++ b/pipelines/docker-build-rhtap/README.md 
@@ -78,6 +78,15 @@ |image-url| Image URL for build by PipelineRun| None| '$(params.output-image)'| |rebuild| Rebuild the image if exists| false| '$(params.rebuild)'| |skip-checks| Skip checks against built image| false| | +### rpms-signature-scan:0.1 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|ca-trust-config-map-key| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | +|ca-trust-config-map-name| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | +|fail-unsigned| [true \ false] If true fail if unsigned RPMs were found| false| | +|image-digest| Image digest to scan| None| '$(tasks.build-container.results.IMAGE_DIGEST)'| +|image-url| Image URL| None| '$(tasks.build-container.results.IMAGE_URL)'| +|workdir| Directory that will be used for storing temporary files produced by this task. | /tmp| | ### show-sbom-rhdh:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| @@ -114,8 +123,8 @@ |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| |BASE_IMAGES_DIGESTS| Digests of the base images used for build| | -|IMAGE_DIGEST| Digest of the image just built| acs-image-check:0.1:image-digest ; acs-image-scan:0.1:image-digest| -|IMAGE_URL| Image repository and tag where the built image was pushed| show-sbom:0.1:IMAGE_URL ; update-deployment:0.1:image| +|IMAGE_DIGEST| Digest of the image just built| rpms-signature-scan:0.1:image-digest ; acs-image-check:0.1:image-digest ; acs-image-scan:0.1:image-digest| +|IMAGE_URL| Image repository and tag where the built image was pushed| show-sbom:0.1:IMAGE_URL ; rpms-signature-scan:0.1:image-url ; update-deployment:0.1:image| |SBOM_BLOB_URL| Link to the SBOM layer pushed to the registry as part of an OCI artifact.| | ### git-clone:0.1 task results |name|description|used in params (taskname:taskrefversion:taskparam) 
@@ -128,6 +137,12 @@ |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| |build| Defines if the image in param image-url should be built| | +### rpms-signature-scan:0.1 task results +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|IMAGES_PROCESSED| Images processed in the task.| | +|RPMS_DATA| Information about signed and unsigned RPMs| | +|TEST_OUTPUT| Tekton task test output.| | ### show-sbom-rhdh:0.1 task results |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| diff --git a/pipelines/docker-build/README.md b/pipelines/docker-build/README.md index 19a50c4dd4..59369a9dac 100644 --- a/pipelines/docker-build/README.md +++ b/pipelines/docker-build/README.md 
@@ -145,6 +145,15 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |IMAGE| The built binary image. The Dockerfile is pushed to the same image repository alongside.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| |IMAGE_DIGEST| The built binary image digest, which is used to construct the tag of Dockerfile image.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| |TAG_SUFFIX| Suffix of the Dockerfile image tag.| .dockerfile| | +### rpms-signature-scan:0.1 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|ca-trust-config-map-key| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | +|ca-trust-config-map-name| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | +|fail-unsigned| [true \ false] If true fail if unsigned RPMs were found| false| | +|image-digest| Image digest to scan| None| '$(tasks.build-container.results.IMAGE_DIGEST)'| +|image-url| Image URL| None| '$(tasks.build-container.results.IMAGE_URL)'| +|workdir| Directory that will be used for storing temporary files produced by this task. | /tmp| | ### sast-snyk-check:0.2 task parameters |name|description|default value|already set by| |---|---|---|---| 
@@ -190,9 +199,9 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito ### buildah:0.2 task results |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| -|IMAGE_DIGEST| Digest of the image just built| | +|IMAGE_DIGEST| Digest of the image just built| rpms-signature-scan:0.1:image-digest| |IMAGE_REF| Image reference of the built image| | -|IMAGE_URL| Image repository and tag where the built image was pushed| build-image-index:0.1:IMAGES| +|IMAGE_URL| Image repository and tag where the built image was pushed| build-image-index:0.1:IMAGES ; rpms-signature-scan:0.1:image-url| |JAVA_COMMUNITY_DEPENDENCIES| The Java dependencies that came from community sources such as Maven central.| | |SBOM_BLOB_URL| Reference of SBOM blob digest to enable digest-based verification from provenance| | |SBOM_JAVA_COMPONENTS_COUNT| The counting of Java components by publisher in JSON format| | @@ -231,6 +240,12 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| |IMAGE_REF| Digest-pinned image reference to the Dockerfile image.| | +### rpms-signature-scan:0.1 task results +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|IMAGES_PROCESSED| Images processed in the task.| | +|RPMS_DATA| Information about signed and unsigned RPMs| | +|TEST_OUTPUT| Tekton task test output.| | ### sast-snyk-check:0.2 task results |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| diff --git a/pipelines/fbc-builder/README.md b/pipelines/fbc-builder/README.md index af516ca278..6306b17120 100644 --- a/pipelines/fbc-builder/README.md +++ b/pipelines/fbc-builder/README.md 
@@ -115,6 +115,15 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |DOCKER_AUTH| unused, should be removed in next task version| | | |IMAGE_DIGEST| Image digest.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| |IMAGE_URL| Fully qualified image name.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| +### rpms-signature-scan:0.1 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|ca-trust-config-map-key| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | +|ca-trust-config-map-name| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | +|fail-unsigned| [true \ false] If true fail if unsigned RPMs were found| false| | +|image-digest| Image digest to scan| None| '$(tasks.build-container.results.IMAGE_DIGEST)'| +|image-url| Image URL| None| '$(tasks.build-container.results.IMAGE_URL)'| +|workdir| Directory that will be used for storing temporary files produced by this task. | /tmp| | ### show-sbom:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| 
@@ -148,9 +157,9 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito ### buildah:0.2 task results |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| -|IMAGE_DIGEST| Digest of the image just built| | +|IMAGE_DIGEST| Digest of the image just built| rpms-signature-scan:0.1:image-digest| |IMAGE_REF| Image reference of the built image| | -|IMAGE_URL| Image repository and tag where the built image was pushed| build-image-index:0.1:IMAGES| +|IMAGE_URL| Image repository and tag where the built image was pushed| build-image-index:0.1:IMAGES ; rpms-signature-scan:0.1:image-url| |JAVA_COMMUNITY_DEPENDENCIES| The Java dependencies that came from community sources such as Maven central.| | |SBOM_BLOB_URL| Reference of SBOM blob digest to enable digest-based verification from provenance| | |SBOM_JAVA_COMPONENTS_COUNT| The counting of Java components by publisher in JSON format| | @@ -184,6 +193,12 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |BASE_IMAGE| Base image source image is built from.| fbc-validate:0.1:BASE_IMAGE| |BASE_IMAGE_REPOSITORY| Base image repository URL.| | |TEST_OUTPUT| Tekton task test output.| | +### rpms-signature-scan:0.1 task results +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|IMAGES_PROCESSED| Images processed in the task.| | +|RPMS_DATA| Information about signed and unsigned RPMs| | +|TEST_OUTPUT| Tekton task test output.| | ## Workspaces |name|description|optional|used in tasks diff --git a/pipelines/java-builder/README.md b/pipelines/java-builder/README.md index b20fcc34d0..2f74a10f82 100644 --- a/pipelines/java-builder/README.md +++ b/pipelines/java-builder/README.md 
@@ -113,6 +113,15 @@ |IMAGE| The built binary image. The Dockerfile is pushed to the same image repository alongside.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| |IMAGE_DIGEST| The built binary image digest, which is used to construct the tag of Dockerfile image.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| |TAG_SUFFIX| Suffix of the Dockerfile image tag.| .dockerfile| | +### rpms-signature-scan:0.1 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|ca-trust-config-map-key| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | +|ca-trust-config-map-name| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | +|fail-unsigned| [true \ false] If true fail if unsigned RPMs were found| false| | +|image-digest| Image digest to scan| None| '$(tasks.build-container.results.IMAGE_DIGEST)'| +|image-url| Image URL| None| '$(tasks.build-container.results.IMAGE_URL)'| +|workdir| Directory that will be used for storing temporary files produced by this task. | /tmp| | ### s2i-java:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| 
@@ -203,13 +212,19 @@ |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| |IMAGE_REF| Digest-pinned image reference to the Dockerfile image.| | +### rpms-signature-scan:0.1 task results +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|IMAGES_PROCESSED| Images processed in the task.| | +|RPMS_DATA| Information about signed and unsigned RPMs| | +|TEST_OUTPUT| Tekton task test output.| | ### s2i-java:0.1 task results |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| |BASE_IMAGES_DIGESTS| Digests of the base images used for build| | -|IMAGE_DIGEST| Digest of the image just built| | +|IMAGE_DIGEST| Digest of the image just built| rpms-signature-scan:0.1:image-digest| |IMAGE_REF| Image reference of the built image| | -|IMAGE_URL| Image repository and tag where the built image was pushed| build-image-index:0.1:IMAGES| +|IMAGE_URL| Image repository and tag where the built image was pushed| build-image-index:0.1:IMAGES ; rpms-signature-scan:0.1:image-url| |JAVA_COMMUNITY_DEPENDENCIES| The Java dependencies that came from community sources such as Maven central.| | |SBOM_JAVA_COMPONENTS_COUNT| The counting of Java components by publisher in JSON format| | ### sast-snyk-check:0.2 task results diff --git a/pipelines/nodejs-builder/README.md b/pipelines/nodejs-builder/README.md index 0aac6f48b2..61839f6b81 100644 --- a/pipelines/nodejs-builder/README.md +++ b/pipelines/nodejs-builder/README.md 
@@ -113,6 +113,15 @@ |IMAGE| The built binary image. The Dockerfile is pushed to the same image repository alongside.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| |IMAGE_DIGEST| The built binary image digest, which is used to construct the tag of Dockerfile image.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| |TAG_SUFFIX| Suffix of the Dockerfile image tag.| .dockerfile| | +### rpms-signature-scan:0.1 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|ca-trust-config-map-key| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | +|ca-trust-config-map-name| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | +|fail-unsigned| [true \ false] If true fail if unsigned RPMs were found| false| | +|image-digest| Image digest to scan| None| '$(tasks.build-container.results.IMAGE_DIGEST)'| +|image-url| Image URL| None| '$(tasks.build-container.results.IMAGE_URL)'| +|workdir| Directory that will be used for storing temporary files produced by this task. | /tmp| | ### s2i-nodejs:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| 
@@ -203,13 +212,19 @@ |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| |IMAGE_REF| Digest-pinned image reference to the Dockerfile image.| | +### rpms-signature-scan:0.1 task results +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|IMAGES_PROCESSED| Images processed in the task.| | +|RPMS_DATA| Information about signed and unsigned RPMs| | +|TEST_OUTPUT| Tekton task test output.| | ### s2i-nodejs:0.1 task results |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| |BASE_IMAGES_DIGESTS| Digests of the base images used for build| | -|IMAGE_DIGEST| Digest of the image just built| | +|IMAGE_DIGEST| Digest of the image just built| rpms-signature-scan:0.1:image-digest| |IMAGE_REF| Image reference of the built image| | -|IMAGE_URL| Image repository and tag where the built image was pushed| build-image-index:0.1:IMAGES| +|IMAGE_URL| Image repository and tag where the built image was pushed| build-image-index:0.1:IMAGES ; rpms-signature-scan:0.1:image-url| ### sast-snyk-check:0.2 task results |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| diff --git a/pipelines/tekton-bundle-builder/README.md b/pipelines/tekton-bundle-builder/README.md index cd73c857ac..bdab87c31f 100644 --- a/pipelines/tekton-bundle-builder/README.md +++ b/pipelines/tekton-bundle-builder/README.md 
@@ -103,6 +103,15 @@ |IMAGE| The built binary image. The Dockerfile is pushed to the same image repository alongside.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| |IMAGE_DIGEST| The built binary image digest, which is used to construct the tag of Dockerfile image.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| |TAG_SUFFIX| Suffix of the Dockerfile image tag.| .dockerfile| | +### rpms-signature-scan:0.1 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|ca-trust-config-map-key| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | +|ca-trust-config-map-name| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | +|fail-unsigned| [true \ false] If true fail if unsigned RPMs were found| false| | +|image-digest| Image digest to scan| None| '$(tasks.build-container.results.IMAGE_DIGEST)'| +|image-url| Image URL| None| '$(tasks.build-container.results.IMAGE_URL)'| +|workdir| Directory that will be used for storing temporary files produced by this task. | /tmp| | ### sast-snyk-check:0.2 task parameters |name|description|default value|already set by| |---|---|---|---| @@ -170,6 +179,12 @@ |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| |IMAGE_REF| Digest-pinned image reference to the Dockerfile image.| | +### rpms-signature-scan:0.1 task results +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|IMAGES_PROCESSED| Images processed in the task.| | +|RPMS_DATA| Information about signed and unsigned RPMs| | +|TEST_OUTPUT| Tekton task test output.| | ### sast-snyk-check:0.2 task results |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| 
@@ -177,9 +192,9 @@ ### tkn-bundle:0.1 task results |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| -|IMAGE_DIGEST| Digest of the image just built| | +|IMAGE_DIGEST| Digest of the image just built| rpms-signature-scan:0.1:image-digest| |IMAGE_REF| Image reference of the built image| | -|IMAGE_URL| Image repository and tag where the built image was pushed with tag only| build-image-index:0.1:IMAGES| +|IMAGE_URL| Image repository and tag where the built image was pushed with tag only| build-image-index:0.1:IMAGES ; rpms-signature-scan:0.1:image-url| ## Workspaces |name|description|optional|used in tasks diff --git a/pipelines/template-build/template-build.yaml b/pipelines/template-build/template-build.yaml index 6e8ff4d61b..6f8841811f 100644 --- a/pipelines/template-build/template-build.yaml +++ b/pipelines/template-build/template-build.yaml @@ -265,7 +265,21 @@ spec: workspaces: - name: workspace workspace: workspace - + - name: rpms-signature-scan + when: + - input: $(params.skip-checks) + operator: in + values: ["false"] + runAfter: + - build-container + taskRef: + name: rpms-signature-scan + version: "0.1" + params: + - name: image-url + value: $(tasks.build-container.results.IMAGE_URL) + - name: image-digest + value: $(tasks.build-container.results.IMAGE_DIGEST) finally: - name: show-sbom taskRef:
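Review bot: In the template-build.yaml hunk, the new `rpms-signature-scan` task passes only `image-url` and `image-digest`, so `fail-unsigned` keeps its default of `false` and the scan is report-only: unsigned RPMs will be recorded in `RPMS_DATA` but never fail the pipeline run. If that is intended, say so in the pipeline docs; if the goal is enforcement, plumb a pipeline-level parameter through, e.g.

    - name: fail-unsigned
      value: $(params.fail-unsigned-rpms)

so users can opt in without editing the pipeline. Gating the task on `$(params.skip-checks)` with `operator: in` / `values: ["false"]` is consistent with the other check tasks and looks right.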
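Review bot: In every README parameter-table hunk, the `fail-unsigned` description `[true \ false] If true fail if unsigned RPMs were found` renders with a literal backslash because the `|` was dropped instead of escaped; inside a markdown table it needs to be `[true \| false]`. The description is also missing a comma ("If true, fail if unsigned RPMs were found"). Since the same text appears identically across all eight READMEs, these tables appear to be generated from the task definition, so the fix belongs in the task's parameter description upstream rather than in the READMEs themselves.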
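Review bot: In the docker-build-multi-platform-oci-ta README hunk, the scan's `image-url` and `image-digest` are wired to `$(tasks.build-container.results.IMAGE_URL)` / `IMAGE_DIGEST`, while the neighbouring post-build task in the same table takes its image from `$(tasks.build-image-index.results.IMAGE_DIGEST)`. In the multi-platform pipeline that means only the image produced by `build-container` is scanned, not the index that is actually released, so RPM content in the other platform builds is not covered. Please confirm this is intended, or consider running the task after `build-image-index` and scanning the index instead.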
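Review bot: The fbc-builder and tekton-bundle-builder README hunks show the task being added to pipelines whose output images are file-based catalogs and Tekton bundles, which normally contain no RPM-installed content. Please confirm the task handles an image without an RPM database gracefully (empty `IMAGES_PROCESSED` / `RPMS_DATA` and a passing `TEST_OUTPUT`) rather than erroring, or consider whether those pipelines should get the task at all rather than inheriting it from template-build.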
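Review bot: The `ca-trust-config-map-name` / `ca-trust-config-map-key` rows (default `trusted-ca` / `ca-bundle.crt`) do not say whether the ConfigMap has to exist in the namespace or is mounted optionally. Since the task now runs in every pipeline whenever `skip-checks` is `false`, the description should state what happens when the ConfigMap is absent so that namespaces without a custom CA bundle know whether to expect a failure.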