Skip to content

Commit

Permalink
Add buildah-sast task prototype
Browse files Browse the repository at this point in the history
  • Loading branch information
mmorhun committed Oct 22, 2024
1 parent edef961 commit 4e29bae
Show file tree
Hide file tree
Showing 11 changed files with 799 additions and 11 deletions.
10 changes: 7 additions & 3 deletions task/buildah-oci-ta/0.2/buildah-oci-ta.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -188,8 +188,6 @@ spec:
value: $(params.BUILD_ARGS_FILE)
- name: CONTEXT
value: $(params.CONTEXT)
- name: DOCKERFILE
value: $(params.DOCKERFILE)
- name: ENTITLEMENT_SECRET
value: $(params.ENTITLEMENT_SECRET)
- name: HERMETIC
Expand Down Expand Up @@ -251,6 +249,8 @@ spec:
env:
- name: COMMIT_SHA
value: $(params.COMMIT_SHA)
- name: DOCKERFILE
value: $(params.DOCKERFILE)
script: |
#!/bin/bash
set -e
Expand All @@ -265,6 +265,8 @@ spec:
dockerfile_path="$(pwd)/$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE"
elif [ -e "$SOURCE_CODE_DIR/$DOCKERFILE" ]; then
dockerfile_path="$(pwd)/$SOURCE_CODE_DIR/$DOCKERFILE"
elif [ -e "$DOCKERFILE" ]; then
dockerfile_path="$DOCKERFILE"
elif echo "$DOCKERFILE" | grep -q "^https\?://"; then
echo "Fetch Dockerfile from $DOCKERFILE"
dockerfile_path=$(mktemp --suffix=-Dockerfile)
Expand Down Expand Up @@ -378,10 +380,12 @@ spec:
BUILDAH_ARGS+=("--skip-unused-stages=false")
fi
VOLUME_MOUNTS="$VOLUME_MOUNTS_FROM_ENV"
if [ -f "/var/workdir/cachi2/cachi2.env" ]; then
cp -r "/var/workdir/cachi2" /tmp/
chmod -R go+rwX /tmp/cachi2
VOLUME_MOUNTS="--volume /tmp/cachi2:/cachi2"
VOLUME_MOUNTS="${VOLUME_MOUNTS} --volume /tmp/cachi2:/cachi2"
# Read in the whole file (https://unix.stackexchange.com/questions/533277), then
# for each RUN ... line insert the cachi2.env command *after* any options like --mount
sed -E -i \
Expand Down
4 changes: 3 additions & 1 deletion task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -412,10 +412,12 @@ spec:
BUILDAH_ARGS+=("--skip-unused-stages=false")
fi
VOLUME_MOUNTS="$VOLUME_MOUNTS_FROM_ENV"
if [ -f "/var/workdir/cachi2/cachi2.env" ]; then
cp -r "/var/workdir/cachi2" /tmp/
chmod -R go+rwX /tmp/cachi2
VOLUME_MOUNTS="--volume /tmp/cachi2:/cachi2"
VOLUME_MOUNTS="${VOLUME_MOUNTS} --volume /tmp/cachi2:/cachi2"
# Read in the whole file (https://unix.stackexchange.com/questions/533277), then
# for each RUN ... line insert the cachi2.env command *after* any options like --mount
sed -E -i \
Expand Down
12 changes: 8 additions & 4 deletions task/buildah-remote/0.2/buildah-remote.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -157,8 +157,6 @@ spec:
value: source
- name: CONTEXT
value: $(params.CONTEXT)
- name: DOCKERFILE
value: $(params.DOCKERFILE)
- name: IMAGE
value: $(params.IMAGE)
- name: TLSVERIFY
Expand Down Expand Up @@ -212,6 +210,8 @@ spec:
env:
- name: COMMIT_SHA
value: $(params.COMMIT_SHA)
- name: DOCKERFILE
value: $(params.DOCKERFILE)
image: quay.io/konflux-ci/buildah-task:latest@sha256:5cbd487022fb7ac476cbfdea25513b810f7e343ec48f89dc6a4e8c3c39fa37a2
name: build
script: |-
Expand Down Expand Up @@ -281,6 +281,8 @@ spec:
dockerfile_path="$(pwd)/$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE"
elif [ -e "$SOURCE_CODE_DIR/$DOCKERFILE" ]; then
dockerfile_path="$(pwd)/$SOURCE_CODE_DIR/$DOCKERFILE"
elif [ -e "$DOCKERFILE" ]; then
dockerfile_path="$DOCKERFILE"
elif echo "$DOCKERFILE" | grep -q "^https\?://"; then
echo "Fetch Dockerfile from $DOCKERFILE"
dockerfile_path=$(mktemp --suffix=-Dockerfile)
Expand Down Expand Up @@ -388,10 +390,12 @@ spec:
BUILDAH_ARGS+=("--skip-unused-stages=false")
fi
VOLUME_MOUNTS="$VOLUME_MOUNTS_FROM_ENV"
if [ -f "$(workspaces.source.path)/cachi2/cachi2.env" ]; then
cp -r "$(workspaces.source.path)/cachi2" /tmp/
chmod -R go+rwX /tmp/cachi2
VOLUME_MOUNTS="--volume /tmp/cachi2:/cachi2"
VOLUME_MOUNTS="${VOLUME_MOUNTS} --volume /tmp/cachi2:/cachi2"
# Read in the whole file (https://unix.stackexchange.com/questions/533277), then
# for each RUN ... line insert the cachi2.env command *after* any options like --mount
sed -E -i \
Expand Down Expand Up @@ -504,7 +508,6 @@ spec:
-e HERMETIC="$HERMETIC" \
-e SOURCE_CODE_DIR="$SOURCE_CODE_DIR" \
-e CONTEXT="$CONTEXT" \
-e DOCKERFILE="$DOCKERFILE" \
-e IMAGE="$IMAGE" \
-e TLSVERIFY="$TLSVERIFY" \
-e IMAGE_EXPIRES_AFTER="$IMAGE_EXPIRES_AFTER" \
Expand All @@ -520,6 +523,7 @@ spec:
-e SQUASH="$SQUASH" \
-e SKIP_UNUSED_STAGES="$SKIP_UNUSED_STAGES" \
-e COMMIT_SHA="$COMMIT_SHA" \
-e DOCKERFILE="$DOCKERFILE" \
-v "$BUILD_DIR/workspaces/source:$(workspaces.source.path):Z" \
-v "$BUILD_DIR/volumes/shared:/shared:Z" \
-v "$BUILD_DIR/volumes/etc-pki-entitlement:/entitlement:Z" \
Expand Down
41 changes: 41 additions & 0 deletions task/buildah-sast-oci-ta/0.2/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,41 @@
# buildah-sast-oci-ta task

Buildah SAST scanning task

## Parameters
|name|description|default value|required|
|---|---|---|---|
|ACTIVATION_KEY|Name of secret which contains subscription activation key|activation-key|false|
|ADDITIONAL_SECRET|Name of a secret which will be made available to the build with 'buildah build --secret' at /run/secrets/$ADDITIONAL_SECRET|does-not-exist|false|
|ADD_CAPABILITIES|Comma separated list of extra capabilities to add when running 'buildah build'|""|false|
|BUILD_ARGS|Array of --build-arg values ("arg=value" strings)|[]|false|
|BUILD_ARGS_FILE|Path to a file with build arguments, see https://www.mankier.com/1/buildah-build#--build-arg-file|""|false|
|CACHI2_ARTIFACT|The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.|""|false|
|COMMIT_SHA|The image is built from this commit.|""|false|
|CONTEXT|Path to the directory to use as context.|.|false|
|DOCKERFILE|Path to the Dockerfile to build.|./Dockerfile|false|
|ENTITLEMENT_SECRET|Name of secret which contains the entitlement certificates|etc-pki-entitlement|false|
|HERMETIC|Determines if build will be executed without network access.|false|false|
|IMAGE|Reference of the image buildah will produce.||true|
|IMAGE_EXPIRES_AFTER|Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.|""|false|
|LABELS|Additional key=value labels that should be applied to the image|[]|false|
|PREFETCH_INPUT|In case it is not empty, the prefetched content should be made available to the build.|""|false|
|SKIP_UNUSED_STAGES|Whether to skip stages in Containerfile that seem unused by subsequent stages|true|false|
|SOURCE_ARTIFACT|The Trusted Artifact URI pointing to the artifact with the application source code.||true|
|SQUASH|Squash all new and previous layers added as a part of this build, as per --squash|false|false|
|STORAGE_DRIVER|Storage driver to configure for buildah|vfs|false|
|TARGET_STAGE|Target stage in Dockerfile to build. If not specified, the Dockerfile is processed entirely to (and including) its last stage.|""|false|
|TLSVERIFY|Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)|true|false|
|YUM_REPOS_D_FETCHED|Path in source workspace where dynamically-fetched repos are present|fetched.repos.d|false|
|YUM_REPOS_D_SRC|Path in the git repository in which yum repository files are stored|repos.d|false|
|YUM_REPOS_D_TARGET|Target path on the container in which yum repository files should be made available|/etc/yum.repos.d|false|
|caTrustConfigMapKey|The name of the key in the ConfigMap that contains the CA bundle data.|ca-bundle.crt|false|
|caTrustConfigMapName|The name of the ConfigMap to read CA bundle data from.|trusted-ca|false|

## Results
|name|description|
|---|---|
|SAST_RESULT_URL|SAST scanning results artifact URL.|
|SCAN_OUTPUT|Short summary of SAST scan results.|
|TEST_OUTPUT|Tekton task test output.|

Loading

0 comments on commit 4e29bae

Please sign in to comment.