Skip to content

Instantly share code, notes, and snippets.

@zregvart

zregvart/attestation.json

Created July 6, 2022 13:37
Show Gist options
  • Save zregvart/d24dc612dfe4e9f6134d338394c767ae to your computer and use it in GitHub Desktop.
Save zregvart/d24dc612dfe4e9f6134d338394c767ae to your computer and use it in GitHub Desktop.
Download ZIP
Raw
attestation.json
{
"_type": "https://in-toto.io/Statement/v0.1",
"predicateType": "https://slsa.dev/provenance/v0.2",
"subject": [
{
"name": "quay.io/hacbs-contract-demo/single-container-app",
"digest": {
"sha256": "57f9cdf27ccc397621bba237946dc528b919810ac06c91c0d9cc19f3f5067271"
}
}
],
"predicate": {
"builder": {
"id": "https://tekton.dev/chains/v2"
},
"buildType": "https://tekton.dev/attestations/chains/pipelinerun@v2",
"invocation": {
"configSource": {},
"parameters": {
"dockerfile": "\"Dockerfile\"",
"git-url": "\"https://github.com/jduimovich/single-container-app\"",
"output-image": "\"quay.io/hacbs-contract-demo/single-container-app:62c06bf\"",
"path-context": "\".\"",
"rebuild": "\"true\"",
"revision": "\"\""
}
},
"buildConfig": {
"tasks": [
{
"name": "appstudio-init",
"ref": {
"name": "init",
"kind": "Task"
},
"startedOn": "2022-06-23T10:21:44Z",
"finishedOn": "2022-06-23T10:22:08Z",
"status": "Succeeded",
"steps": [
{
"entryPoint": "#!/bin/bash\necho \"App Studio Build Initialize: $(params.image-url)\"\necho\necho \"Determine if Image Already Exists\"\n# Build the image when image does not exists or rebuild is set to true\nif ! skopeo inspect --no-tags docker://$(params.image-url) &>/dev/null || [ \"$(params.rebuild)\" == \"true\" ]; then\n echo -n \"true\" > $(results.build.path)\nelse\n echo -n \"false\" > $(results.build.path)\nfi\n",
"arguments": null,
"environment": {
"container": "appstudio-init",
"image": "registry.access.redhat.com/ubi8/skopeo@sha256:cc58da50c3842f5f2a4ba8781b60f6052919a5555a000cb4eb18a0bd0241b2b3"
},
"annotations": null
}
],
"invocation": {
"configSource": {},
"parameters": {
"image-url": "\"$(params.output-image)\"",
"rebuild": "\"$(params.rebuild)\""
}
},
"results": [
{
"name": "build",
"value": "true"
}
]
},
{
"name": "clone-repository",
"after": [
"appstudio-init"
],
"ref": {
"name": "git-clone",
"kind": "Task"
},
"startedOn": "2022-06-23T10:22:09Z",
"finishedOn": "2022-06-23T10:22:40Z",
"status": "Succeeded",
"steps": [
{
"entryPoint": "#!/usr/bin/env sh\nset -eu\n\nif [ \"${PARAM_VERBOSE}\" = \"true\" ] ; then\n set -x\nfi\n\nif [ \"${WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND}\" = \"true\" ] ; then\n cp \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials\" \"${PARAM_USER_HOME}/.git-credentials\"\n cp \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig\" \"${PARAM_USER_HOME}/.gitconfig\"\n chmod 400 \"${PARAM_USER_HOME}/.git-credentials\"\n chmod 400 \"${PARAM_USER_HOME}/.gitconfig\"\nfi\n\nif [ \"${WORKSPACE_SSH_DIRECTORY_BOUND}\" = \"true\" ] ; then\n cp -R \"${WORKSPACE_SSH_DIRECTORY_PATH}\" \"${PARAM_USER_HOME}\"/.ssh\n chmod 700 \"${PARAM_USER_HOME}\"/.ssh\n chmod -R 400 \"${PARAM_USER_HOME}\"/.ssh/*\nfi\n\nCHECKOUT_DIR=\"${WORKSPACE_OUTPUT_PATH}/${PARAM_SUBDIRECTORY}\"\n\ncleandir() {\n # Delete any existing contents of the repo directory if it exists.\n #\n # We don't just \"rm -rf ${CHECKOUT_DIR}\" because ${CHECKOUT_DIR} might be \"/\"\n # or the root of a mounted volume.\n if [ -d \"${CHECKOUT_DIR}\" ] ; then\n # Delete non-hidden files and directories\n rm -rf \"${CHECKOUT_DIR:?}\"/*\n # Delete files and directories starting with . but excluding ..\n rm -rf \"${CHECKOUT_DIR}\"/.[!.]*\n # Delete files and directories starting with .. plus any other character\n rm -rf \"${CHECKOUT_DIR}\"/..?*\n fi\n}\n\nif [ \"${PARAM_DELETE_EXISTING}\" = \"true\" ] ; then\n cleandir\nfi\n\ntest -z \"${PARAM_HTTP_PROXY}\" || export HTTP_PROXY=\"${PARAM_HTTP_PROXY}\"\ntest -z \"${PARAM_HTTPS_PROXY}\" || export HTTPS_PROXY=\"${PARAM_HTTPS_PROXY}\"\ntest -z \"${PARAM_NO_PROXY}\" || export NO_PROXY=\"${PARAM_NO_PROXY}\"\n\n/ko-app/git-init \\\n -url=\"${PARAM_URL}\" \\\n -revision=\"${PARAM_REVISION}\" \\\n -refspec=\"${PARAM_REFSPEC}\" \\\n -path=\"${CHECKOUT_DIR}\" \\\n -sslVerify=\"${PARAM_SSL_VERIFY}\" \\\n -submodules=\"${PARAM_SUBMODULES}\" \\\n -depth=\"${PARAM_DEPTH}\" \\\n -sparseCheckoutDirectories=\"${PARAM_SPARSE_CHECKOUT_DIRECTORIES}\"\ncd \"${CHECKOUT_DIR}\"\nRESULT_SHA=\"$(git rev-parse HEAD)\"\nEXIT_CODE=\"$?\"\nif [ \"${EXIT_CODE}\" != 0 ] ; then\n exit \"${EXIT_CODE}\"\nfi\nprintf \"%s\" \"${RESULT_SHA}\" > \"$(results.commit.path)\"\nprintf \"%s\" \"${PARAM_URL}\" > \"$(results.url.path)\"\n",
"arguments": null,
"environment": {
"container": "clone",
"image": "registry.redhat.io/openshift-pipelines/pipelines-git-init-rhel8@sha256:af7dd5b3b1598a980f17d5f5d3d8a4b11ab4f5184677f7f17ad302baa36bd3c1"
},
"annotations": null
}
],
"invocation": {
"configSource": {},
"parameters": {
"deleteExisting": "\"true\"",
"depth": "\"1\"",
"gitInitImage": "\"registry.redhat.io/openshift-pipelines/pipelines-git-init-rhel8@sha256:af7dd5b3b1598a980f17d5f5d3d8a4b11ab4f5184677f7f17ad302baa36bd3c1\"",
"httpProxy": "\"\"",
"httpsProxy": "\"\"",
"noProxy": "\"\"",
"refspec": "\"\"",
"revision": "\"$(params.revision)\"",
"sparseCheckoutDirectories": "\"\"",
"sslVerify": "\"true\"",
"subdirectory": "\"\"",
"submodules": "\"true\"",
"url": "\"$(params.git-url)\"",
"userHome": "\"/tekton/home\"",
"verbose": "\"true\""
}
},
"results": [
{
"name": "commit",
"value": "62c06bf8d6aa1d5d2c1c604303f11efa74180047"
},
{
"name": "url",
"value": "https://github.com/jduimovich/single-container-app"
}
]
},
{
"name": "appstudio-configure-build",
"after": [
"clone-repository"
],
"ref": {
"name": "configure-build",
"kind": "Task"
},
"startedOn": "2022-06-23T10:22:41Z",
"finishedOn": "2022-06-23T10:23:04Z",
"status": "Succeeded",
"steps": [
{
"entryPoint": "#!/usr/bin/env bash\necho \"App Studio Configure Build\"\n\nDEST=/workspace/source/.dockerconfigjson\nDEF=/secret/default-push-secret/.dockerconfigjson\nAUTH=/workspace/registry-auth/.dockerconfigjson\nTMP=$(mktemp)\necho '{}' > $DEST\n# Set lowest priority on default shared secret\nFILES=\"$DEF\"\n# Use secrets from serviceAccount\ncd /tekton/creds-secrets\nfor file in $(ls); do\n if [ -f \"$file/.dockerconfigjson\" ]; then\n FILES=\"$FILES $file/.dockerconfigjson\"\n elif [ -f \"$file/.dockercfg\" ]; then\n # convert format from .dockercfg to .dockerconfigjson\n newformat=$(mktemp)\n jq '{\"auths\": .}' $file/.dockercfg > $newformat\n FILES=\"$FILES $newformat\"\n fi\ndone\n# set highest priority on registry-auth workspace\nFILES=\"$FILES $AUTH\"\necho \"Looking for Registry Auth Configs\"\n# Merge secrets into one file\nfor file in $FILES; do\n if [ -f \"$file\" ]; then\n echo \"$file found\"\n jq -M -s '.[0] * .[1]' $DEST $file > $TMP\n mv $TMP $DEST\n fi\ndone\necho -n $DEST > /tekton/results/registry-auth\necho -n \"--authfile $DEST\" > /tekton/results/buildah-auth-param\n",
"arguments": null,
"environment": {
"container": "appstudio-configure-build",
"image": "quay.io/redhat-appstudio/appstudio-utils@sha256:e1d7e2bbff7032f078df41ab4d6345ada8474f615c0e93f6268ae9ba48a81b1d"
},
"annotations": null
}
],
"invocation": {
"configSource": {},
"parameters": {
"shared-secret": "\"redhat-appstudio-user-workload\""
}
},
"results": [
{
"name": "buildah-auth-param",
"value": "--authfile /workspace/source/.dockerconfigjson"
},
{
"name": "registry-auth",
"value": "/workspace/source/.dockerconfigjson"
}
]
},
{
"name": "build-container",
"after": [
"appstudio-configure-build"
],
"ref": {
"name": "buildah",
"kind": "Task"
},
"startedOn": "2022-06-23T10:23:05Z",
"finishedOn": "2022-06-23T10:40:53Z",
"status": "Succeeded",
"steps": [
{
"entryPoint": "if [ -n \"$(params.MAVEN_MIRROR_URL)\" ] && grep -q '^RUN mvn' $(params.CONTEXT)/$(params.DOCKERFILE); then\n sed -i -e 's|RUN mvn|RUN echo \"<settings><mirrors><mirror><id>mirror.default</id><url>$(params.MAVEN_MIRROR_URL)</url><mirrorOf>*</mirrorOf></mirror></mirrors></settings>\" > /tmp/settings.yaml; mvn -s /tmp/settings.yaml|g' $(params.CONTEXT)/$(params.DOCKERFILE)\n touch /var/lib/containers/java\nfi\nbuildah bud \\\n $(params.BUILD_EXTRA_ARGS) \\\n --tls-verify=$(params.TLSVERIFY) --no-cache \\\n --ulimit nofile=4096:4096 \\\n -f $(params.DOCKERFILE) -t $(params.IMAGE) $(params.CONTEXT)\n",
"arguments": null,
"environment": {
"container": "build",
"image": "registry.access.redhat.com/ubi8/buildah@sha256:82aa9592f3262313ec52f7a2335641e2581b0d0d9807980846d0539bb77d0657"
},
"annotations": null
},
{
"entryPoint": "container=$(buildah from --pull-never $(params.IMAGE))\nbuildah mount $container | tee /workspace/container_path\necho $container > /workspace/container_name\n",
"arguments": null,
"environment": {
"container": "mount-container",
"image": "registry.access.redhat.com/ubi8/buildah@sha256:82aa9592f3262313ec52f7a2335641e2581b0d0d9807980846d0539bb77d0657"
},
"annotations": null
},
{
"entryPoint": "syft dir:$(workspaces.source.path) --file=$(workspaces.source.path)/sbom-source.json --output=cyclonedx-json\nfind $(cat /workspace/container_path) -xtype l -delete\nsyft dir:$(cat /workspace/container_path) --file=$(workspaces.source.path)/sbom-image.json --output=cyclonedx-json\n",
"arguments": null,
"environment": {
"container": "sbom-get",
"image": "quay.io/redhat-appstudio/syft@sha256:09afc449976230f66848c19bb5ccf344eb0eeb4ed50747e33b53aff49462c319"
},
"annotations": null
},
{
"entryPoint": "if [ -f /var/lib/containers/java ]; then\n /opt/jboss/container/java/run/run-java.sh path $(cat /workspace/container_path)\nfi\n",
"arguments": null,
"environment": {
"container": "analyse-dependencies-java-sbom",
"image": "quay.io/redhat-appstudio/hacbs-jvm-dependency-analyser@sha256:cc51b30502423416a595f4b294e7f7bd58536d3444ff2d0826a073b5087f6603"
},
"annotations": null
},
{
"entryPoint": "#!/bin/python3\nimport json\n\nwith open(\"./sbom-image.json\") as f:\n image_sbom = json.load(f)\n\nwith open(\"./sbom-source.json\") as f:\n source_sbom = json.load(f)\n\ndef get_identifier(component):\n return component[\"name\"] + '@' + component.get(\"version\", \"\")\n\nexisting_components = [get_identifier(component) for component in image_sbom[\"components\"]]\n\nfor component in source_sbom[\"components\"]:\n if get_identifier(component) not in existing_components:\n image_sbom[\"components\"].append(component)\n\nimage_sbom[\"components\"].sort(key=lambda c: get_identifier(c))\n\nwith open(\"./sbom-cyclonedx.json\", \"w\") as f:\n json.dump(image_sbom, f, indent=4)\n\npurls = [{\"purl\": component[\"purl\"]} for component in image_sbom[\"components\"] if \"purl\" in component]\npurl_content = {\"image_contents\": {\"dependencies\": purls}}\n\nwith open(\"sbom-purl.json\", \"w\") as output_file:\n json.dump(purl_content, output_file, indent=4)\n",
"arguments": null,
"environment": {
"container": "merge-sboms",
"image": "registry.redhat.io/ubi8/python-39@sha256:ad1e728e0ebeffae9159c29d5aeb373797264a7bc7e3166a3780e290e1b524a4"
},
"annotations": null
},
{
"entryPoint": "container=$(buildah from --pull-never $(params.IMAGE))\nbuildah copy $container sbom-cyclonedx.json sbom-purl.json /root/buildinfo/content_manifests/\nbuildah commit $container $(params.IMAGE)\nbuildah push \\\n $(params.PUSH_EXTRA_ARGS) --tls-verify=$(params.TLSVERIFY) \\\n --digestfile $(workspaces.source.path)/image-digest $(params.IMAGE) \\\n docker://$(params.IMAGE)\ncat \"$(workspaces.source.path)\"/image-digest | tee $(results.IMAGE_DIGEST.path)\necho \"$(params.IMAGE)\" | tee $(results.IMAGE_URL.path)\n",
"arguments": null,
"environment": {
"container": "inject-sbom-and-push",
"image": "registry.access.redhat.com/ubi8/buildah@sha256:82aa9592f3262313ec52f7a2335641e2581b0d0d9807980846d0539bb77d0657"
},
"annotations": null
}
],
"invocation": {
"configSource": {},
"parameters": {
"BUILDER_IMAGE": "\"registry.access.redhat.com/ubi8/buildah:8.6-12@sha256:82aa9592f3262313ec52f7a2335641e2581b0d0d9807980846d0539bb77d0657\"",
"BUILD_EXTRA_ARGS": "\"$(tasks.appstudio-configure-build.results.buildah-auth-param)\"",
"CONTEXT": "\"$(params.path-context)\"",
"DOCKERFILE": "\"$(params.dockerfile)\"",
"IMAGE": "\"$(params.output-image)\"",
"MAVEN_MIRROR_URL": "\"http://localhost:2000/maven2\"",
"PUSH_EXTRA_ARGS": "\"$(tasks.appstudio-configure-build.results.buildah-auth-param)\"",
"TLSVERIFY": "\"true\""
}
},
"results": [
{
"name": "IMAGE_DIGEST",
"value": "sha256:57f9cdf27ccc397621bba237946dc528b919810ac06c91c0d9cc19f3f5067271"
},
{
"name": "IMAGE_URL",
"value": "quay.io/hacbs-contract-demo/single-container-app:62c06bf\n"
}
]
},
{
"name": "sanity-inspect-image",
"after": [
"build-container"
],
"ref": {
"name": "sanity-inspect-image",
"kind": "Task"
},
"startedOn": "2022-06-23T10:40:54Z",
"finishedOn": "2022-06-23T10:41:42Z",
"status": "Succeeded",
"steps": [
{
"entryPoint": "IMAGE_INSPECT=image_inspect.json\nBASE_IMAGE_INSPECT=base_image_inspect.json\nRAW_IMAGE_INSPECT=raw_image_inspect.json\n\necho \"Inspecting manifest for source image $(params.IMAGE_URL)\"\nskopeo inspect --no-tags docker://$(params.IMAGE_URL) > $IMAGE_INSPECT\nskopeo inspect --no-tags --raw docker://$(params.IMAGE_URL) > $RAW_IMAGE_INSPECT\n\necho \"Getting base image manifest for source image $(params.IMAGE_URL)\"\nBASE_IMAGE_NAME=\"$(jq -r \".annotations.\\\"org.opencontainers.image.base.name\\\"\" $RAW_IMAGE_INSPECT)\"\nBASE_IMAGE_DIGEST=\"$(jq -r \".annotations.\\\"org.opencontainers.image.base.digest\\\"\" $RAW_IMAGE_INSPECT)\"\nif [ $BASE_IMAGE_NAME == 'null' ]; then\n echo \"Cannot get base image info from 'annotations'\"\n echo \"Trying to get base image info from 'Labels'\"\n BASE_IMAGE_NAME=\"$(jq -r \".Labels.\\\"org.opencontainers.image.base.name\\\"\" $IMAGE_INSPECT)\"\n BASE_IMAGE_DIGEST=\"$(jq -r \".annotations.\\\"org.opencontainers.image.base.digest\\\"\" $IMAGE_INSPECT)\"\n if [ \"$BASE_IMAGE_NAME\" == 'null' ]; then\n echo \"Cannot get base image info from 'Labels', please check the source image $(params.IMAGE_URL)\"\n exit 0\n fi\nfi\nif [ -z \"$BASE_IMAGE_NAME\" ]; then\n echo \"Source image $(params.IMAGE_URL) is built from scratch, so there is no base image\"\n exit 0\nfi\nBASE_IMAGE=\"${BASE_IMAGE_NAME%:*}@$BASE_IMAGE_DIGEST\"\necho \"The base image is $BASE_IMAGE, get its manifest now\"\nskopeo inspect --no-tags docker://$BASE_IMAGE > $BASE_IMAGE_INSPECT || true\necho \"$BASE_IMAGE\" | tee $(results.BASE_IMAGE.path)\n\njq -r \".Name\" $BASE_IMAGE_INSPECT | cut -d\"/\" -f2,3 | tee $(results.BASE_IMAGE_REPOSITORY.path)\n",
"arguments": null,
"environment": {
"container": "inspect-image",
"image": "quay.io/redhat-appstudio/hacbs-test@sha256:43326f83b9aa7db155508826315ba87043ab6087e17f36c860eda0076230b20c"
},
"annotations": null
}
],
"invocation": {
"configSource": {},
"parameters": {
"IMAGE_URL": "\"$(params.output-image)\""
}
},
"results": [
{
"name": "BASE_IMAGE",
"value": "quay.io/hacbs-contract-demo/single-container-app@sha256:e304cde8ef2b1d2d88e111ce2e219ec3c78fb3f49920aaa9570fc60271f63f78\n"
},
{
"name": "BASE_IMAGE_REPOSITORY",
"value": ""
}
]
},
{
"name": "sanity-label-check",
"after": [
"sanity-inspect-image"
],
"ref": {
"name": "sanity-label-check",
"kind": "Task"
},
"startedOn": "2022-06-23T10:41:44Z",
"finishedOn": "2022-06-23T10:42:29Z",
"status": "Succeeded",
"steps": [
{
"entryPoint": "CONFTEST_OPTIONS=\"\"\nif [ -s \"../sanity-inspect-image/base_image_inspect.json\" ]; then\n CONFTEST_OPTIONS=\"-d=../sanity-inspect-image/base_image_inspect.json\"\nfi\n\necho \"Running conftest using $(params.POLICY_DIR) policy, $(params.POLICY_NAMESPACE) namespace\"\n/usr/bin/conftest test --no-fail ../sanity-inspect-image/image_inspect.json \"${CONFTEST_OPTIONS}\" \\\n--policy $(params.POLICY_DIR) --namespace $(params.POLICY_NAMESPACE) \\\n--output=json 2> stderr.txt | tee sanity_label_check_output.json\n\nERR_MSG=\"$(cat stderr.txt)\"\nERR_MSG=\"${ERR_MSG:-unknown}\"\nHACBS_ERROR_OUTPUT=$(jq -rc --arg date $(date +%s) --arg ERR_MSG \"${ERR_MSG: 0: 3000}\" --null-input \\\n '{result: \"ERROR\", timestamp: $date, failures: [$ERR_MSG]}')\nHACBS_TEST_OUTPUT=$(jq -rce --arg date $(date +%s) \\\n '.[] | { result: (if (.failures | length > 0) then \"FAILURE\" else \"SUCCESS\" end),\n timestamp: $date,\n namespace,\n successes,\n failures: (.failures // [])|map(.metadata.details.name)\n }' sanity_label_check_output.json || true)\necho \"${HACBS_TEST_OUTPUT:-${HACBS_ERROR_OUTPUT}}\" | tee $(results.HACBS_TEST_OUTPUT.path)\n",
"arguments": null,
"environment": {
"container": "basic-sanity-checks-required-labels",
"image": "quay.io/redhat-appstudio/hacbs-test@sha256:581f9e27c748f9900e32a152293b6dffbaa3e390775f3c36c3860c6ed6c87b73"
},
"annotations": null
}
],
"invocation": {
"configSource": {},
"parameters": {
"POLICY_DIR": "\"/project/image/\"",
"POLICY_NAMESPACE": "\"required_checks\""
}
},
"results": [
{
"name": "HACBS_TEST_OUTPUT",
"value": "{\"result\":\"FAILURE\",\"timestamp\":\"1655980944\",\"namespace\":\"required_checks\",\"successes\":8,\"failures\":[\"name_label_required\",\"com_redhat_component_label_required!\",\"version_label_required\",\"description_label_required\",\"io_k8s_description_label_required\",\"vcs_ref_label_required\",\"vcs_type_label_required\",\"architecture_label_required\",\"com_redhat_build_host_label_required\",\"vendor_label_required\",\"release_label_required\",\"url_label_required\",\"build_date_label_required\",\"distribution_scope_label_required\"]}\n"
}
]
},
{
"name": "sanity-optional-label-check",
"after": [
"sanity-inspect-image"
],
"ref": {
"name": "sanity-label-check",
"kind": "Task"
},
"startedOn": "2022-06-23T10:41:44Z",
"finishedOn": "2022-06-23T10:42:29Z",
"status": "Succeeded",
"steps": [
{
"entryPoint": "CONFTEST_OPTIONS=\"\"\nif [ -s \"../sanity-inspect-image/base_image_inspect.json\" ]; then\n CONFTEST_OPTIONS=\"-d=../sanity-inspect-image/base_image_inspect.json\"\nfi\n\necho \"Running conftest using $(params.POLICY_DIR) policy, $(params.POLICY_NAMESPACE) namespace\"\n/usr/bin/conftest test --no-fail ../sanity-inspect-image/image_inspect.json \"${CONFTEST_OPTIONS}\" \\\n--policy $(params.POLICY_DIR) --namespace $(params.POLICY_NAMESPACE) \\\n--output=json 2> stderr.txt | tee sanity_label_check_output.json\n\nERR_MSG=\"$(cat stderr.txt)\"\nERR_MSG=\"${ERR_MSG:-unknown}\"\nHACBS_ERROR_OUTPUT=$(jq -rc --arg date $(date +%s) --arg ERR_MSG \"${ERR_MSG: 0: 3000}\" --null-input \\\n '{result: \"ERROR\", timestamp: $date, failures: [$ERR_MSG]}')\nHACBS_TEST_OUTPUT=$(jq -rce --arg date $(date +%s) \\\n '.[] | { result: (if (.failures | length > 0) then \"FAILURE\" else \"SUCCESS\" end),\n timestamp: $date,\n namespace,\n successes,\n failures: (.failures // [])|map(.metadata.details.name)\n }' sanity_label_check_output.json || true)\necho \"${HACBS_TEST_OUTPUT:-${HACBS_ERROR_OUTPUT}}\" | tee $(results.HACBS_TEST_OUTPUT.path)\n",
"arguments": null,
"environment": {
"container": "basic-sanity-checks-required-labels",
"image": "quay.io/redhat-appstudio/hacbs-test@sha256:581f9e27c748f9900e32a152293b6dffbaa3e390775f3c36c3860c6ed6c87b73"
},
"annotations": null
}
],
"invocation": {
"configSource": {},
"parameters": {
"POLICY_DIR": "\"/project/image/\"",
"POLICY_NAMESPACE": "\"optional_checks\""
}
},
"results": [
{
"name": "HACBS_TEST_OUTPUT",
"value": "{\"result\":\"FAILURE\",\"timestamp\":\"1655980944\",\"namespace\":\"optional_checks\",\"successes\":5,\"failures\":[\"maintainer_label_required\",\"summary_label_required\"]}\n"
}
]
},
{
"name": "deprecated-base-image-check",
"after": [
"sanity-inspect-image"
],
"ref": {
"name": "deprecated-image-check",
"kind": "Task"
},
"startedOn": "2022-06-23T10:41:46Z",
"finishedOn": "2022-06-23T10:42:40Z",
"status": "Succeeded",
"steps": [
{
"entryPoint": "#!/usr/bin/env bash\necho \"Querying Pyxis for $(params.IMAGE_REPOSITORY)...\"\nhttp_code=$(curl -s -o $(workspaces.sanity-ws.path)/repository_data.json -w '%{http_code}' \"https://catalog.redhat.com/api/containers/v1/repositories/registry/$(params.IMAGE_REGISTRY)/repository/$(params.IMAGE_REPOSITORY)\")\n\necho \"Response code: $http_code\"\necho -n $http_code > $(results.PYXIS_HTTP_CODE.path)\n",
"arguments": null,
"environment": {
"container": "query-pyxis",
"image": "registry.access.redhat.com/ubi8/ubi@sha256:1f89aefa39dbc96a47ae451d64f200a0013637cdbe048d1b9ef56c99976bb8c0"
},
"annotations": null
},
{
"entryPoint": "#!/usr/bin/env sh\nhttp_code=$(cat $(results.PYXIS_HTTP_CODE.path))\n\nif [ \"$http_code\" == \"200\" ];\nthen\n echo \"Running conftest using $(params.POLICY_DIR) policy, $(params.POLICY_NAMESPACE) namespace\"\n /usr/bin/conftest test --no-fail $(workspaces.sanity-ws.path)/repository_data.json \\\n --policy $(params.POLICY_DIR) --namespace $(params.POLICY_NAMESPACE) \\\n --output=json | tee $(workspaces.sanity-ws.path)/deprecated_image_check_output.json || echo \"Some tests failed\"\n echo \"Done!\"\n exit 0\nelif [ \"$http_code\" == \"404\" ];\nthen\n echo \"Image not found in Pyxis\"\nelse\n echo \"Unexpected error (HTTP code $http_code) occured during running conftest\"\nfi\n",
"arguments": null,
"environment": {
"container": "run-conftest",
"image": "quay.io/redhat-appstudio/hacbs-test@sha256:581f9e27c748f9900e32a152293b6dffbaa3e390775f3c36c3860c6ed6c87b73"
},
"annotations": null
},
{
"entryPoint": "HACBS_ERROR_OUTPUT=$(jq -rc --arg date $(date +%s) --null-input \\\n '{result: \"ERROR\", timestamp: $date}')\nHACBS_TEST_OUTPUT=$(jq -rce --arg date $(date +%s) \\\n '.[] | { result: (if (.failures | length > 0) then \"FAILURE\" else \"SUCCESS\" end),\n timestamp: $date,\n namespace,\n successes,\n failures: (.failures // [])|map(.metadata.details.name)\n }' $(workspaces.sanity-ws.path)/deprecated_image_check_output.json || true)\necho \"${HACBS_TEST_OUTPUT:-${HACBS_ERROR_OUTPUT}}\" | tee $(results.HACBS_TEST_OUTPUT.path)\n",
"arguments": null,
"environment": {
"container": "test-format-result",
"image": "quay.io/redhat-appstudio/hacbs-test@sha256:581f9e27c748f9900e32a152293b6dffbaa3e390775f3c36c3860c6ed6c87b73"
},
"annotations": null
}
],
"invocation": {
"configSource": {},
"parameters": {
"IMAGE_REGISTRY": "\"registry.access.redhat.com\"",
"IMAGE_REPOSITORY": "\"$(tasks.sanity-inspect-image.results.BASE_IMAGE_REPOSITORY)\"",
"POLICY_DIR": "\"/project/repository/\"",
"POLICY_NAMESPACE": "\"required_checks\""
}
},
"results": [
{
"name": "PYXIS_HTTP_CODE",
"value": "404"
},
{
"name": "HACBS_TEST_OUTPUT",
"value": "{\"result\":\"ERROR\",\"timestamp\":\"1655980959\"}\n"
}
]
},
{
"name": "get-clair-results",
"after": [
"build-container"
],
"ref": {
"name": "get-clair-scan",
"kind": "Task"
},
"startedOn": "2022-06-23T10:40:54Z",
"finishedOn": "2022-06-23T10:42:46Z",
"status": "Succeeded",
"steps": [
{
"entryPoint": "#!/usr/bin/env bash\ntemp='$(params.SHA)'\nmodifiedSha=${temp//:/%3A}\n\n#ugly safety mechanism - need to be improved in future, bleh :(\n\nfunction safety_mechanism {\n\n#curl request\nhttp_code=$(curl -o $(workspaces.clair-ws.path)/clair-result.json -w '%{http_code}' -H \"Content-type: application/json\" -XGET https://quay.io/api/v1/repository/$(echo '$(params.PULLSPEC)' | sed \"s/\\(.*\\):.*/\\1/\" | sed \"s/^[^/]*\\///\")/manifest/$modifiedSha/security?vulnerabilities=true)\nscan_file=$(workspaces.clair-ws.path)/clair-result.json\n\nif [[ \"$http_code\" != \"200\" ]]\nthen\n echo \"Error, response code is not 200. Response code: $http_code\"\n echo \"Body of response: $(cat $scan_file)\"\n rm -f $scan_file\n exit 0\nfi\n\n#scan_file logic\nif [[ ($(jq '.data' $scan_file) == null) ]]\nthen\n retval=1\nelse\n retval=0\nfi\nreturn $retval\n}\n\nretval=$(safety_mechanism)\n\nfunction retry {\n local n=0\n local max=5\n # TODO Clair scan time varies too much at the moment, from 10 minutes to +5 hours. Decreasing delay.\n #local delay=60\n local delay=0\n while true; do\n \"$@\" && [ \"$retval\"==0 ] && break || {\n if [[ $n -lt $max ]]; then\n let n++\n echo \"Getting clair scan failed, because data were: $(jq '.data' $scan_file). Attempt $n/$max\"\n sleep $delay;\n else\n echo \"The clair scan has status $(jq '.status' $scan_file) and was not obtained in $n attempts.\"\n rm -f $scan_file\n exit 0\n fi\n }\n done\n}\n\nretry safety_mechanism\n",
"arguments": null,
"environment": {
"container": "get-vulnerabilities",
"image": "quay.io/redhat-appstudio/hacbs-test@sha256:581f9e27c748f9900e32a152293b6dffbaa3e390775f3c36c3860c6ed6c87b73"
},
"annotations": null
}
],
"invocation": {
"configSource": {},
"parameters": {
"PULLSPEC": "\"$(params.output-image)\"",
"SHA": "\"$(tasks.build-container.results.IMAGE_DIGEST)\""
}
}
},
{
"name": "conftest-clair",
"after": [
"get-clair-results"
],
"ref": {
"name": "conftest-clair",
"kind": "Task"
},
"startedOn": "2022-06-23T10:42:47Z",
"finishedOn": "2022-06-23T10:43:04Z",
"status": "Succeeded",
"steps": [
{
"entryPoint": "/usr/bin/conftest test --no-fail $(workspaces.conftest-ws.path)/clair-result.json \\\n--policy /project/clair/vulnerabilities-check.rego --namespace required_checks \\\n--output=json | tee $(workspaces.conftest-ws.path)/clair-vulnerabilities.json\n",
"arguments": null,
"environment": {
"container": "conftest-vulnerabilities",
"image": "quay.io/redhat-appstudio/hacbs-test@sha256:581f9e27c748f9900e32a152293b6dffbaa3e390775f3c36c3860c6ed6c87b73"
},
"annotations": null
},
{
"entryPoint": "HACBS_ERROR_OUTPUT=$(jq -rc --arg date $(date +%s) --null-input \\\n '{result: \"ERROR\", timestamp: $date}')\nHACBS_TEST_OUTPUT=$(jq -rce --arg date $(date +%s) \\\n '.[] | { result: (if (.failures | length > 0) then \"FAILURE\" else \"SUCCESS\" end),\n timestamp: $date,\n namespace,\n successes,\n failures: (.failures // [])|map(.metadata.details.name)\n }' $(workspaces.conftest-ws.path)/clair-vulnerabilities.json || true)\necho \"${HACBS_TEST_OUTPUT:-${HACBS_ERROR_OUTPUT}}\" | tee $(results.HACBS_TEST_OUTPUT.path)\n",
"arguments": null,
"environment": {
"container": "test-format-result",
"image": "quay.io/redhat-appstudio/hacbs-test@sha256:581f9e27c748f9900e32a152293b6dffbaa3e390775f3c36c3860c6ed6c87b73"
},
"annotations": null
}
],
"invocation": {
"configSource": {},
"parameters": {}
},
"results": [
{
"name": "HACBS_TEST_OUTPUT",
"value": "{\"result\":\"ERROR\",\"timestamp\":\"1655980981\"}\n"
}
]
},
{
"name": "sast-go",
"after": [
"build-container"
],
"ref": {
"name": "sast-go",
"kind": "Task"
},
"startedOn": "2022-06-23T10:40:56Z",
"finishedOn": "2022-06-23T10:41:30Z",
"status": "Succeeded",
"steps": [
{
"entryPoint": "/usr/local/go/bin/gosec -no-fail -fmt=sarif -out=gosec_output.json $(workspaces.workspace.path)/... 2> gosec_output.txt || :\n\n# Test if any package was found\n# Even with -no-fail, gosec uses exit code 1 for several states,\n# including when there are no packages found.\nSKIP_MSG=\"No packages found\"\ntest_not_skipped=0\ngrep -q \"$SKIP_MSG\" gosec_output.txt || test_not_skipped=$?\n\nHACBS_ERROR_OUTPUT=$(jq -rc --arg date $(date +%s) --null-input \\\n '{result: \"ERROR\", timestamp: $date}')\n\nif [ -f gosec_output.json ];\nthen\n HACBS_TEST_OUTPUT=$(jq -rce --arg date $(date +%s) --arg tmp_not_skipped $test_not_skipped \\\n --arg SKIP_MESSAGE \"${SKIP_MSG}\" \\\n '{ result: (if (.runs[].results | length > 0) then \"FAILURE\" elif $tmp_not_skipped==\"0\" then \"SKIPPED\" else \"SUCCESS\" end),\n timestamp: $date,\n namespace: \"default\",\n successes: 0,\n note: (if $tmp_not_skipped==\"0\" then $SKIP_MESSAGE else \"\" end),\n failures: (.runs[].results // [])|map(.message.text)\n }' gosec_output.json || true)\nelse\n HACBS_TEST_OUTPUT=$(jq -rc --arg date $(date +%s) --arg tmp_not_skipped $test_not_skipped --null-input \\\n --arg SKIP_MESSAGE \"${SKIP_MSG}\" \\\n '{ result: (if $tmp_not_skipped==\"0\" then \"SKIPPED\" else \"SUCCESS\" end),\n timestamp: $date,\n namespace: \"default\",\n successes: 0,\n note: (if $tmp_not_skipped==\"0\" then $SKIP_MESSAGE else \"\" end),\n failures: 0\n }')\nfi\n\necho \"${HACBS_TEST_OUTPUT:-${HACBS_ERROR_OUTPUT}}\" | tee $(results.HACBS_TEST_OUTPUT.path)\n",
"arguments": null,
"environment": {
"container": "sast-go",
"image": "quay.io/redhat-appstudio/hacbs-test@sha256:dcffec734efe55096f1469bf444d8beea6dc00c80433f3f2018e9ce6a1fc5cfe"
},
"annotations": null
}
],
"invocation": {
"configSource": {},
"parameters": {}
},
"results": [
{
"name": "HACBS_TEST_OUTPUT",
"value": "{\"result\":\"SKIPPED\",\"timestamp\":\"1655980881\",\"namespace\":\"default\",\"successes\":0,\"note\":\"No packages found\",\"failures\":0}\n"
}
]
},
{
"name": "sast-java-sec-check",
"after": [
"build-container"
],
"ref": {
"name": "sast-java-sec-check",
"kind": "Task"
},
"startedOn": "2022-06-23T10:40:57Z",
"finishedOn": "2022-06-23T10:42:27Z",
"status": "Succeeded",
"steps": [
{
"entryPoint": "#!/bin/bash -x\n\npushd $(workspaces.workspace.path)\nif [ -f \"$(params.PATH_CONTEXT)/pom.xml\" ]; then\n mvn package -f $(params.PATH_CONTEXT)/\nelse\n echo \"pom.xml file doesn't exist in $(workspaces.workspace.path)/$(params.PATH_CONTEXT)\"\nfi\npopd\n\nJAR_PATH=`ls $(workspaces.workspace.path)/$(params.PATH_CONTEXT)/target/*.jar`\nif [ -n \"$JAR_PATH\" ]; then\n /home/findsecbugs-cli/findsecbugs.sh $(params.OPTIONAL_ARGS) $(params.OUTPUT_ONLY_ANALYZE) -$(params.OUTPUT_FORMAT) \\\n -output sast_java_sec_output.json $JAR_PATH 2> stderr.txt\n test_skipped=0\nelse\n echo \"jar file $JAR_PATH doesn't exist\" > stderr.txt\n test_skipped=1\nfi\n\nERR_MSG=\"$(cat stderr.txt)\"\nERR_MSG=\"${ERR_MSG:-unknown}\"\nHACBS_ERROR_OUTPUT=$(jq -rc --arg date $(date +%s) --arg MSG \"${ERR_MSG: 0: 3000}\"\n --arg test_skipped $test_skipped --null-input \\\n '{result: (if $test_skipped==\"1\" then \"SKIPPED\" else \"ERROR\" end),\n timestamp: $date,\n note: (if $test_skipped==\"1\" then $MSG else \"\" end),\n failures: (if $test_skipped==\"1\" then \"\" else [$MSG] end)}')\nHACBS_TEST_OUTPUT=$(jq -rce --arg date $(date +%s) \\\n '{ result: (if (.runs[].results | length > 0) then \"FAILURE\" else \"SUCCESS\" end),\n timestamp: $date,\n namespace: \"default\",\n successes: 0,\n note: \"\",\n failures: (.runs[].results | length)\n }' sast_java_sec_output.json || true)\necho \"${HACBS_TEST_OUTPUT:-${HACBS_ERROR_OUTPUT}}\" | tee $(results.HACBS_TEST_OUTPUT.path)\n",
"arguments": null,
"environment": {
"container": "java-sec-check",
"image": "quay.io/redhat-appstudio/hacbs-test@sha256:dcffec734efe55096f1469bf444d8beea6dc00c80433f3f2018e9ce6a1fc5cfe"
},
"annotations": null
}
],
"invocation": {
"configSource": {},
"parameters": {
"OPTIONAL_ARGS": "\"\"",
"OUTPUT_FORMAT": "\"sarif\"",
"OUTPUT_ONLY_ANALYZE": "\"\"",
"PATH_CONTEXT": "\"$(params.path-context)\""
}
},
"results": [
{
"name": "HACBS_TEST_OUTPUT",
"value": "\n"
}
]
},
{
"name": "sast-snyk-check",
"after": [
"clone-repository"
],
"ref": {
"name": "sast-snyk-check",
"kind": "Task"
},
"startedOn": "2022-06-23T10:22:43Z",
"finishedOn": "2022-06-23T10:23:04Z",
"status": "Succeeded",
"steps": [
{
"entryPoint": "#!/usr/bin/env bash\nSNYK_TOKEN=\"$(cat /etc/secrets/snyk_token)\"\nif [[ -z $SNYK_TOKEN ]]; then\n echo \"SNYK_TOKEN is empty and a secret 'test-team-snyk' which includes 'snyk_token' need to be created in test-team namespace\" | tee stdout.txt\n exit 0\nfi\nexport SNYK_TOKEN\nSNYK_EXIT_CODE=0\nsnyk code test $(params.ARGS) ../.. --sarif-file-output=sast_snyk_check_out.json 1>&2>> stdout.txt || SNYK_EXIT_CODE=$?\ntest_not_skipped=0\nSKIP_MSG=\"We found 0 supported files\"\ngrep -q \"$SKIP_MSG\" stdout.txt || test_not_skipped=$?\nif [[ \"$SNYK_EXIT_CODE\" -eq 0 ]] || [[ \"$SNYK_EXIT_CODE\" -eq 1 ]]; then\n HACBS_TEST_OUTPUT=$(jq -rce --arg date $(date +%s) \\\n '{ result: (if (.runs[].results | length > 0) then \"FAILURE\" else \"SUCCESS\" end),\n timestamp: $date,\n namespace: \"default\",\n successes: 0,\n note: \"\",\n failures: (.runs[].results // [])|map(.message.text)\n }' sast_snyk_check_out.json || true)\n# When the test is skipped, the \"SNYK_EXIT_CODE\" is 3 and it can also be 3 in some other situation\nelif [[ \"$test_not_skipped\" -eq 0 ]]; then\n HACBS_ERROR_OUTPUT=$(jq -rc --arg date $(date +%s) --arg SKIP_MESSAGE \"${SKIP_MSG}\" --null-input \\\n '{result: \"SKIPPED\", note: $SKIP_MESSAGE, timestamp: $date}')\nelse\n ERR_MSG=\"$(cat stdout.txt)\"\n HACBS_ERROR_OUTPUT=$(jq -rc --arg date $(date +%s) --arg ERR_MESSAGE \"${ERR_MSG}\" --null-input \\\n '{result: \"ERROR\", timestamp: $date, failures: [$ERR_MESSAGE]}')\nfi\necho \"${HACBS_TEST_OUTPUT:-${HACBS_ERROR_OUTPUT}}\" | tee $(results.HACBS_TEST_OUTPUT.path)\n",
"arguments": null,
"environment": {
"container": "sast-snyk-check",
"image": "quay.io/redhat-appstudio/hacbs-test@sha256:dcffec734efe55096f1469bf444d8beea6dc00c80433f3f2018e9ce6a1fc5cfe"
},
"annotations": null
}
],
"invocation": {
"configSource": {},
"parameters": {
"ARGS": "\"--all-projects --exclude=test*,vendor,deps\"",
"SHARED_SECRET": "\"test-team-snyk\""
}
}
},
{
"name": "clamav-scan",
"after": [
"build-container"
],
"ref": {
"name": "clamav-scan",
"kind": "Task"
},
"startedOn": "2022-06-23T10:40:59Z",
"finishedOn": "2022-06-23T10:55:29Z",
"status": "Succeeded",
"steps": [
{
"entryPoint": "imagewithouttag=$(echo '$(params.image-url)' | sed \"s/\\(.*\\):.*/\\1/\" | tr -d '\\n')\n\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo $imagewithouttag@'$(params.image-digest)')\n\n[ -f /workspace/registry-auth/.dockerconfigjson ] && REGISTRY_ARGS=\"-a /workspace/registry-auth/.dockerconfigjson\"\nmkdir content\ncd content\noc image extract $REGISTRY_ARGS $imageanddigest\nclamscan -ri --max-scansize=250M | tee /tekton/home/clamscan-result.log\necho \"Executed-on: Scan was executed on version - $(clamscan --version)\" | tee -a /tekton/home/clamscan-result.log\n",
"arguments": null,
"environment": {
"container": "extract-and-scan-image",
"image": "quay.io/redhat-appstudio/hacbs-test@sha256:43326f83b9aa7db155508826315ba87043ab6087e17f36c860eda0076230b20c"
},
"annotations": null
},
{
"entryPoint": "#!/usr/bin/env python3.9\nimport json\nimport dateutil.parser as parser\n\nwith open(\"/tekton/home/clamscan-result.log\", \"r\") as file:\n clam_result_str = file.read()\n\ndef clam_result_str_to_json(clam_result_str):\n\n clam_result_list = clam_result_str.split(\"\\n\")\n clam_result_list.remove('')\n\n results_marker = \\\n clam_result_list.index(\"----------- SCAN SUMMARY -----------\")\n\n hit_list = clam_result_list[:results_marker]\n summary_list = clam_result_list[(results_marker + 1):]\n\n r_dict = { \"hits\": hit_list }\n for item in summary_list:\n # in case of blank lines\n if not item:\n continue\n split_index = [c == ':' for c in item].index(True)\n key = item[:split_index].lower()\n key = key.replace(\" \", \"_\")\n value = item[(split_index + 1):].strip(\" \")\n if (key == \"start_date\" or key == \"end_date\"):\n isodate = parser.parse(value)\n value = isodate.isoformat()\n r_dict[key] = value\n print(json.dumps(r_dict))\n with open('/tekton/home/clamscan-result.json', 'w') as f:\n print(json.dumps(r_dict), file=f)\n\ndef main():\n clam_result_str_to_json(clam_result_str)\n\nif __name__ == \"__main__\":\n main()\n",
"arguments": null,
"environment": {
"container": "modify-clam-output-to-json",
"image": "quay.io/redhat-appstudio/hacbs-test@sha256:43326f83b9aa7db155508826315ba87043ab6087e17f36c860eda0076230b20c"
},
"annotations": null
}
],
"invocation": {
"configSource": {},
"parameters": {
"image-digest": "\"$(tasks.build-container.results.IMAGE_DIGEST)\"",
"image-url": "\"$(tasks.build-container.results.IMAGE_URL)\""
}
}
},
{
"name": "show-summary",
"after": [
"clamav-scan"
],
"ref": {
"name": "summary",
"kind": "Task"
},
"startedOn": "2022-06-23T10:55:29Z",
"finishedOn": "2022-06-23T10:55:49Z",
"status": "Succeeded",
"steps": [
{
"entryPoint": "#!/usr/bin/env bash\necho\necho \"App Studio Build Summary:\"\necho\necho \"Build repository: $(params.git-url)\"\necho \"Generated Image is in : $(params.image-url)\"\necho\noc annotate pipelinerun $(params.pipeline-run-name) build.appstudio.openshift.io/repo=$(params.git-url)\noc annotate pipelinerun $(params.pipeline-run-name) build.appstudio.openshift.io/image=$(params.image-url)\n\necho \"Output is in the following annotations:\"\n\necho \"Build Repo is in 'build.appstudio.openshift.io/repo' \"\necho 'oc get pr $(params.pipeline-run-name) -o jsonpath=\"{.metadata.annotations.build\\.appstudio\\.openshift\\.io/repo}\"'\n\necho \"Build Image is in 'build.appstudio.openshift.io/image' \"\necho 'oc get pr $(params.pipeline-run-name) -o jsonpath=\"{.metadata.annotations.build\\.appstudio\\.openshift\\.io/image}\"'\n\necho End Summary\n",
"arguments": null,
"environment": {
"container": "appstudio-summary",
"image": "registry.redhat.io/openshift4/ose-cli@sha256:9a1ca7a36cfdd6c69398b35a7311db662ca7c652e6e8bd440a6331c12f89703a"
},
"annotations": null
}
],
"invocation": {
"configSource": {},
"parameters": {
"git-url": "\"$(params.git-url)\"",
"image-url": "\"$(params.output-image)\"",
"pipeline-run-name": "\"$(context.pipelineRun.name)\""
}
}
},
{
"name": "hacbs-test-evaluation",
"after": [
"clamav-scan"
],
"ref": {
"name": "hacbs-test-evaluation",
"kind": "Task"
},
"startedOn": "2022-06-23T10:55:29Z",
"finishedOn": "2022-06-23T10:55:48Z",
"status": "Succeeded",
"steps": [
{
"entryPoint": "#!/usr/bin/env bash\n\n# sanity-label-check required checks\nFAILURES=$(jq '.[] | .failures // {} | .[] | .msg' sanity-label-check-required_checks/sanity_label_check_output.json)\nif [ -n \"$FAILURES\" ]; then\n echo sanity-label-check-required_checks test FAIL:\n echo \"$FAILURES\"\nelse\n echo sanity-label-check-required_checks test PASS\nfi\necho -------------\n\n# sanity-label-check optional checks\nFAILURES=$(jq '.[] | .failures // {} | .[] | .msg' sanity-label-check-optional_checks/sanity_label_check_output.json)\nif [ -n \"$FAILURES\" ]; then\n echo sanity-label-check-optional_checks test FAIL:\n echo \"$FAILURES\"\nelse\n echo sanity-label-check-optional_checks test PASS\nfi\necho -------------\n\n# sanity-inspect-image\nif [ ! -s sanity-inspect-image/base_image_inspect.json ]; then\n echo sanity-inspect-image test FAIL\n echo Unable to inspect base image - $(params.BASE_IMAGE)\nelse\n echo sanity-inspect-image test PASS\nfi\necho -------------\n",
"arguments": null,
"environment": {
"container": "summary",
"image": "quay.io/redhat-appstudio/hacbs-test@sha256:581f9e27c748f9900e32a152293b6dffbaa3e390775f3c36c3860c6ed6c87b73"
},
"annotations": null
}
],
"invocation": {
"configSource": {},
"parameters": {
"BASE_IMAGE": "\"$(tasks.sanity-inspect-image.results.BASE_IMAGE)\""
}
}
}
]
},
"metadata": {
"buildStartedOn": "2022-06-23T10:21:44Z",
"buildFinishedOn": "2022-06-23T10:55:49Z",
"completeness": {
"parameters": false,
"environment": false,
"materials": false
},
"reproducible": false
},
"materials": [
{
"uri": "git+https://github.com/jduimovich/single-container-app.git",
"digest": {
"sha1": "62c06bf8d6aa1d5d2c1c604303f11efa74180047"
}
}
]
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment