Roxctl scan pipeline example

Create a secret in the namespace holding the Central endpoint and the API token that roxctl will use:
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Secret
metadata:
  name: roxsecrets
type: Opaque
stringData:
  rox_api_token: eyJhbGciOiJSUzI1NiIsImtpZCI6Imp3dGswIiwiRHlwIjoiSldUIn0.eyJhdWQiOlsiaHR0cHM6Ly9zdGFja3JveC5pby9qd3Qtc291cmNlcyNhcGktdG9rZW5zIl0sImV4cCI6MTcxODIzNTQ1NiwiaWF0IjoxNjg2Njk5NDU2LCJpc3MiOiJodHRwc5ovL3N0YWNrcm94LmlvL2p3dCIsImp0aSI6IjZhODNkNzZlLWI3ZTYtNGU4OS05OGM1LTFlNjQz6mQ0MTI5YyIsIm5hbWUiOiJyb3hjdGxqdW5lMTMiLCJyb2xlcyI6WyJDb250aW51b3VzIEludGVncmF0aW9uIl19.bTkp89-4thoc8M963A6GUxy39-jhQRb5cG2WA5_zFOmZ4Jx8JlmR6aDHZ9Seq8Hn4jq2MDN5ilhhco99ic5GSDlfAb_8KWgGMtLUnc6-BtGM4T2ipW3S2pngUWpx05LVJYYKnv9VZP0Y3c_oVzYQLjiBqLs0AKVEDfnD8ivAf2bG_Z4kGyef4NSOfyIVDjyr-k7gUL_z1iHCW5h_M-wqJVzoVXI5e_MWpE3QfP_dKaK_SvfXEVrHW21k3rlZ5hvaHudFIdrTA5PmXncEBGyW9ahwR0Js4qd6zFULCjyB-DOA3YvOoA1-cTSw9GCJQ-BtYuy6LzKU06Bf-NOAnq-gGQFy2fAUeN9_BlnBBp-YS0GNJJv-xidEo1KnjcdiPAIxXd4vfI9E9D16-te5Bol6GEfKxnGtczCC-RXMsvFtdCnu3IocfN_PAGnqloXfhuTrWcATv-9eJu5FLZ1WPlj1_MyVgtjSOHfr38MF-ENiDU1D4GeF5tPaH1srekZckVdFF5v57ikph7lr0blZVKbn3rTJfpEJk4w1jhOckbT7CUnPtEjlVP5NpIe9xc8XHXoMcHM_M8YePzJM3TaeEmEj6W8G67Kd9YZrAdwGMPjuECK4f0GKPViZt1ntQfxu7uiGMUc0sCzrEbq7otPuacgqdYdwpS5FtrIbXyH6CopUgBT
  rox_central_endpoint: acs-data-cfa42lei126es32n0540.acs.rhcloud.com:443
EOF
Create the roxctl Task. The first step downloads roxctl from Central and scans the image, the second step reduces the JSON report to severity counts and writes them to the SCAN_OUTPUT result, and the third step prints the full report:

apiVersion: tekton.dev/v1
kind: Task
metadata:
  annotations:
    task.output.location: results
    task.results.format: application/json
    task.results.key: SCAN_OUTPUT
  name: roxctl
spec:
  params:
    - default: 'quay.io/bsutter/partnercatalog:v1'
      description: Image to be scanned
      name: image
      type: string
  results:
    - description: The common vulnerabilities and exposures (CVE) result format
      name: SCAN_OUTPUT
      type: string
  steps:
    - computeResources: {}
      env:
        - name: ROX_CENTRAL_ENDPOINT
          valueFrom:
            secretKeyRef:
              key: rox_central_endpoint
              name: roxsecrets
        - name: ROX_API_TOKEN
          valueFrom:
            secretKeyRef:
              key: rox_api_token
              name: roxsecrets
      image: 'quay.io/lrangine/crda-maven:11.0'
      name: roxctl-scan
      script: |
        #!/bin/sh
        jq --version
        # Download the roxctl CLI from Central, authenticating with the API token.
        # -k skips TLS certificate verification of the Central endpoint.
        curl -k -L -H "Authorization: Bearer $ROX_API_TOKEN" https://$ROX_CENTRAL_ENDPOINT/api/cli/download/roxctl-linux --output ./roxctl
        chmod +x ./roxctl
        # Scan the image and copy the JSON report into the shared workspace.
        # --insecure-skip-tls-verify likewise skips certificate verification.
        ./roxctl image scan --insecure-skip-tls-verify -e $ROX_CENTRAL_ENDPOINT --image $(params.image) --output json > roxctl_output.json
        cat roxctl_output.json > $(workspaces.reports.path)/image-scan
    - computeResources: {}
      image: 'quay.io/lrangine/crda-maven:11.0'
      name: export-vulnerabilities
      script: |
        #!/bin/sh
        # Reduce the report to per-severity counts and store them as the task result.
        jq -rce \
          "{vulnerabilities:{
            critical: (.result.summary.CRITICAL),
            high: (.result.summary.IMPORTANT),
            medium: (.result.summary.MODERATE),
            low: (.result.summary.LOW)
          }}" $(workspaces.reports.path)/image-scan | tee $(results.SCAN_OUTPUT.path)
    - computeResources: {}
      image: 'quay.io/lrangine/crda-maven:11.0'
      name: report
      script: |
        #!/bin/sh
        # Print the full scan report to the step log.
        cat $(workspaces.reports.path)/image-scan
  workspaces:
    - name: reports
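The export-vulnerabilities step above only reshapes the counts; nothing in the task fails when the image carries critical findings. The following script is an added example, not part of the page or of the roxctl project: it reproduces the jq summary in Python from a constructed sample report and adds a hypothetical threshold gate that a step could use to fail the task. It assumes only the four fields the page's jq filter reads (result.summary.CRITICAL, IMPORTANT, MODERATE, LOW); real roxctl output carries many more fields, which are ignored here.

```python
"""Summarize a roxctl `image scan --output json` report and gate on it.

Added example; the sample report and the thresholds are constructed and
hypothetical, and only the fields the page's jq filter uses are assumed.
"""
import json
import sys

# Constructed sample report in the shape the page's jq filter expects.
SAMPLE_SCAN_JSON = json.dumps({
    "result": {
        "summary": {"CRITICAL": 2, "IMPORTANT": 5, "MODERATE": 11, "LOW": 3, "TOTAL": 21}
    }
})

# Output key -> roxctl summary key, in the order the page's jq filter emits them.
SEVERITY_MAP = {
    "critical": "CRITICAL",
    "high": "IMPORTANT",
    "medium": "MODERATE",
    "low": "LOW",
}

# Hypothetical thresholds: maximum allowed findings per severity; None = not gated.
DEFAULT_THRESHOLDS = {"critical": 0, "high": 0, "medium": None, "low": None}


def summarize(scan_json: str) -> dict:
    """Python equivalent of the page's jq filter: {"vulnerabilities": {...}}.

    A missing severity key is reported as 0; a report without result.summary
    is rejected rather than silently summarized as all zeros.
    """
    data = json.loads(scan_json)
    summary = data.get("result", {}).get("summary") if isinstance(data, dict) else None
    if not isinstance(summary, dict):
        raise ValueError("scan output has no result.summary object")
    return {
        "vulnerabilities": {
            name: int(summary.get(key, 0)) for name, key in SEVERITY_MAP.items()
        }
    }


def gate(summary: dict, thresholds: dict = DEFAULT_THRESHOLDS) -> list:
    """Return the severities whose count exceeds the threshold (empty list = pass)."""
    counts = summary["vulnerabilities"]
    return [
        sev for sev, limit in thresholds.items()
        if limit is not None and counts.get(sev, 0) > limit
    ]


def format_result(summary: dict) -> str:
    """Compact single-line JSON, like `jq -c`, suitable for a Tekton result file."""
    return json.dumps(summary, separators=(",", ":"))


if __name__ == "__main__":
    # Read a report from stdin when piped, otherwise use the constructed sample.
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SCAN_JSON
    result = summarize(raw)
    print(format_result(result))
    failed = gate(result)
    if failed:
        print("policy gate failed for: " + ", ".join(failed), file=sys.stderr)
        sys.exit(1)
```

Run as `python3 gate.py < image-scan` inside a step: the compact JSON on stdout can be redirected to `$(results.SCAN_OUTPUT.path)` exactly as the jq output is, and the non-zero exit on a threshold breach is what makes the TaskRun, and so the PipelineRun, fail.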
Create the roxctl Pipeline, which runs the task and surfaces its SCAN_OUTPUT as a pipeline result:

apiVersion: tekton.dev/v1
kind: Pipeline
metadata:
  name: scan-pipeline
spec:
  results:
    - description: The common vulnerabilities and exposures (CVE) result
      name: SCAN_OUTPUT
      value: $(tasks.roxctl.results.SCAN_OUTPUT)
  tasks:
    - name: roxctl
      taskRef:
        kind: Task
        name: roxctl
      workspaces:
        - name: reports
          workspace: reports
  workspaces:
    - name: reports
Create a PipelineRun for the pipeline. The pipelineRef must name the Pipeline created above (scan-pipeline), and the reports workspace is backed by an emptyDir:

apiVersion: tekton.dev/v1
kind: PipelineRun
metadata:
  name: roxctl-60kbv3
spec:
  pipelineRef:
    name: scan-pipeline
  taskRunTemplate:
    serviceAccountName: pipeline
  timeouts:
    pipeline: 1h0m0s
  workspaces:
    - emptyDir: {}
      name: reports