- Add a task into our codebase to scan our built images.

    ```bash
    cd /projects/tech-exercise
    cat <<'EOF' > tekton/templates/tasks/rox-image-scan.yaml
    apiVersion: tekton.dev/v1beta1
    kind: Task
    metadata:
      name: rox-image-scan
    spec:
      workspaces:
        - name: output
      params:
        - name: ROX_SECRET
          type: string
          description: Secret containing the Stackrox endpoint and token as (username and password)
          default: rox-auth
        - name: IMAGE
          type: string
          description: Full name of image to scan (example -- gcr.io/rox/sample:5.0-rc1)
        - name: OUTPUT_FORMAT
          type: string
          description: Output format (json | csv | table)
          default: json
        - name: WORK_DIRECTORY
          description: Directory to start build in (handle multiple branches)
      steps:
        - name: rox-image-scan
          image: registry.access.redhat.com/ubi8/ubi-minimal:latest
          workingDir: $(workspaces.output.path)/$(params.WORK_DIRECTORY)
          env:
            - name: ROX_API_TOKEN
              valueFrom:
                secretKeyRef:
                  name: $(params.ROX_SECRET)
                  key: password
            - name: ROX_ENDPOINT
              valueFrom:
                secretKeyRef:
                  name: $(params.ROX_SECRET)
                  key: username
          script: |
            #!/usr/bin/env bash
            set +x
            export NO_COLOR="True"
            # Download the roxctl CLI from the ACS Central endpoint using the API token
            curl -k -L -H "Authorization: Bearer $ROX_API_TOKEN" https://$ROX_ENDPOINT/api/cli/download/roxctl-linux --output roxctl > /dev/null; echo "Getting roxctl"
            chmod +x roxctl > /dev/null
            ./roxctl image scan --insecure-skip-tls-verify -e $ROX_ENDPOINT:443 --image $(params.IMAGE) -o $(params.OUTPUT_FORMAT)
    EOF
    ```
- It's not real unless it's in git.

    ```bash
    # git add, commit, push your changes..
    cd /projects/tech-exercise
    git add .
    git commit -m "ADD - rox-image-scan-task"
    git push
    ```
- Let's try this in our pipeline. Edit `maven-pipeline.yaml` and add a step definition that runs after the bake image task. Be sure to adjust the helm-package task to `runAfter` the image-scan task:

    ```yaml
    # Image Scan
    - name: image-scan
      runAfter:
        - bake
      taskRef:
        name: rox-image-scan
      workspaces:
        - name: output
          workspace: shared-workspace
      params:
        - name: IMAGE
          value: "$(tasks.bake.results.IMAGE)"
        - name: WORK_DIRECTORY
          value: "$(params.APPLICATION_NAME)/$(params.GIT_BRANCH)"
        - name: OUTPUT_FORMAT
          value: table
    ```
    So you'll have a pipeline definition like this:

    ```yaml
    ...
    # Image Scan
    - name: image-scan
      runAfter:
        - bake
      taskRef:
        name: rox-image-scan
    ...
    ...
    - name: helm-package
      taskRef:
        name: helm-package
      runAfter:        # <- make sure you update this ❗❗
        - image-scan   # <- make sure you update this ❗❗
    ...
    ```
- Check in these changes.

    ```bash
    # git add, commit, push your changes..
    cd /projects/tech-exercise
    git add .
    git commit -m "ADD - image-scan step to pipeline"
    git push
    ```
- Trigger a pipeline build.

    ```bash
    cd /projects/pet-battle-api
    git commit --allow-empty -m "test image-scan step"
    git push
    ```

    Observe the pet-battle-api pipeline running with the image-scan task.
?> **Tip** We could extend the previous check by changing the output format to `json` and installing and using the `jq` command, for example to check the image scan output and return a result when, say, the `riskScore` and `topCvss` are below a certain value. These checks are better handled as a Build Policy within ACS, which we look at next.
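As an added example (not part of the exercise), here is the threshold gate the tip describes, written in Python instead of `jq` so it runs without extra tooling: it reads `roxctl image scan -o json` output and fails when `riskScore` or `topCvss` exceeds a limit. The sample document is constructed; only the `riskScore` and `topCvss` field names come from the page, the rest of the shape is assumed.

```python
import json
import sys

# Constructed sample standing in for `roxctl image scan ... -o json` output.
# Only the riskScore and topCvss field names come from the exercise; the rest
# of the shape (name, scan.components[].vulns[].cvss) is assumed for the demo.
SAMPLE_SCAN = json.dumps({
    "name": {"fullName": "example.registry.local/demo/pet-battle-api:1.0.0"},
    "riskScore": 6.2,
    "topCvss": 9.8,
    "scan": {"components": [
        {"name": "openssl-libs", "version": "1.1.1k", "vulns": [{"cvss": 9.8}]},
        {"name": "glibc", "version": "2.28", "vulns": []},
    ]},
})

def evaluate_scan(scan_json, max_risk_score, max_top_cvss):
    """Gate a scan document: pass only when riskScore and topCvss stay at or
    below their thresholds. Returns (passed, list_of_reasons)."""
    scan = json.loads(scan_json)
    reasons = []
    risk = float(scan.get("riskScore", 0))
    top = float(scan.get("topCvss", 0))
    if risk > max_risk_score:
        reasons.append(f"riskScore {risk} exceeds {max_risk_score}")
    if top > max_top_cvss:
        reasons.append(f"topCvss {top} exceeds {max_top_cvss}")
    return (not reasons, reasons)

def count_vulns(scan_json):
    """Number of vulnerabilities across all scanned components."""
    scan = json.loads(scan_json)
    components = scan.get("scan", {}).get("components", [])
    return sum(len(c.get("vulns", [])) for c in components)

def main():
    # In the task script this would be piped in, e.g.:
    #   ./roxctl image scan ... -o json | python3 gate.py 7 7
    # With no piped input, fall back to the constructed sample.
    data = SAMPLE_SCAN if sys.stdin.isatty() else sys.stdin.read()
    limits = tuple(float(a) for a in sys.argv[1:3]) if len(sys.argv) >= 3 else (7.0, 7.0)
    passed, reasons = evaluate_scan(data, *limits)
    print(f"{count_vulns(data)} vulns, riskScore/topCvss gate: {'PASS' if passed else 'FAIL'}")
    for reason in reasons:
        print(" -", reason)
    sys.exit(0 if passed else 1)  # non-zero exit fails the Tekton step

if __name__ == "__main__":
    main()
```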
- Let's add another step to our rox-image-scan task to check for any build time violations.

    ```bash
    cd /projects/tech-exercise
    cat <<'EOF' >> tekton/templates/tasks/rox-image-scan.yaml
        - name: rox-image-check
          image: registry.access.redhat.com/ubi8/ubi-minimal:latest
          workingDir: $(workspaces.output.path)/$(params.WORK_DIRECTORY)
          env:
            - name: ROX_API_TOKEN
              valueFrom:
                secretKeyRef:
                  name: $(params.ROX_SECRET)
                  key: password
            - name: ROX_ENDPOINT
              valueFrom:
                secretKeyRef:
                  name: $(params.ROX_SECRET)
                  key: username
          script: |
            #!/usr/bin/env bash
            set +x
            export NO_COLOR="True"
            curl -k -L -H "Authorization: Bearer $ROX_API_TOKEN" https://$ROX_ENDPOINT/api/cli/download/roxctl-linux --output roxctl > /dev/null; echo "Getting roxctl"
            chmod +x roxctl > /dev/null
            # image check evaluates the image against ACS build-time policies and
            # exits non-zero when an enforced policy is violated
            ./roxctl image check --insecure-skip-tls-verify -e $ROX_ENDPOINT:443 --image $(params.IMAGE) -o json
            if [ $? -eq 0 ]; then
              echo "no issues found"; exit 0;
            else
              echo "image checks failed"; exit 1;
            fi
    EOF
    ```
- It's not real unless it's in git.

    ```bash
    # git add, commit, push your changes..
    cd /projects/tech-exercise
    git add .
    git commit -m "ADD - rox-image-check-task"
    git push
    ```
- Trigger a pipeline run.

    ```bash
    cd /projects/pet-battle-api
    git commit --allow-empty -m "test image-check step"
    git push
    ```
- Our pipeline should now look like this, with two steps in the `image-scan` task.

    Observe the pet-battle-api pipeline running with the image-scan task.
Let's run through a scenario where we break/fix the build using a build policy violation.
- Let's try breaking a Build Policy within ACS by triggering the Build policy we enabled earlier.

- Edit the `pet-battle-api/Dockerfile.jvm` and add the following line under `EXPOSE 8080`:

    ```dockerfile
    EXPOSE 22
    ```
- Check in this change and watch the build that is triggered.

    ```bash
    # git add, commit, push your changes..
    cd /projects/pet-battle-api
    git add .
    git commit -m "Expose port 22"
    git push
    ```
- This should now fail on the image-scan/rox-image-check task.
- Back in ACS we can also see the failure in the Violations view.
- Remove the `EXPOSE 22` line from the `Dockerfile.jvm` and check it in to make the build pass.

    ```bash
    cd /projects/pet-battle-api
    git add .
    git commit -m "FIX - Security violation, remove port 22 exposure"
    git push
    ```

    Observe the pet-battle-api pipeline running successfully again.