{
    "apiVersion": "v1",
    "items": [
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/sample-multi-component?rev=bfc20b4e77f447e1d61efd741eb0ec572322efad",
                    "build.appstudio.redhat.com/commit_sha": "bfc20b4e77f447e1d61efd741eb0ec572322efad",
                    "build.appstudio.redhat.com/pull_request_number": "34016",
                    "build.appstudio.redhat.com/target_branch": "multi-component-base-jzrdyy",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "multi-component-base-jzrdyy",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85919828220",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ilmovz",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://localhost:9443/ns/build-e2e-cgrq/pipelinerun/python-component-hdgtwb-on-pull-request-w4fxw",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"multi-component-base-jzrdyy\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-hdgtwb-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-hdgtwb-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "34016",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/sample-multi-component",
                    "pipelinesascode.tekton.dev/repository": "github-com-redhat-appstudio-qe-sample-multi-component",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "bfc20b4e77f447e1d61efd741eb0ec572322efad",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update python-component-hdgtwb",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/sample-multi-component/commit/bfc20b4e77f447e1d61efd741eb0ec572322efad",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-python-component-hdgtwb",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/sample-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "sample-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "build-e2e-cgrq/results/026f62d7-4b9d-4e0a-b4dd-7d8f5221cdae/records/afa8dedd-ffc4-48a0-ac31-27f2386d5f48",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"sample-multi-component\",\"commit\":\"bfc20b4e77f447e1d61efd741eb0ec572322efad\",\"eventType\":\"pull_request\",\"pull_request-id\":34016}",
                    "results.tekton.dev/result": "build-e2e-cgrq/results/026f62d7-4b9d-4e0a-b4dd-7d8f5221cdae",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-python-component-hdgtwb"
                },
                "creationTimestamp": "2026-07-08T16:11:20Z",
                "deletionGracePeriodSeconds": 0,
                "deletionTimestamp": "2026-07-08T16:13:24Z",
                "finalizers": [
                    "results.tekton.dev/taskrun"
                ],
                "generation": 2,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "build-suite-positive-mc-uwfd",
                    "appstudio.openshift.io/component": "python-component-hdgtwb",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85919828220",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-hdgtwb-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "34016",
                    "pipelinesascode.tekton.dev/repository": "github-com-redhat-appstudio-qe-sample-multi-component",
                    "pipelinesascode.tekton.dev/sha": "bfc20b4e77f447e1d61efd741eb0ec572322efad",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "sample-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-hdgtwb-on-pull-request-w4fxw",
                    "tekton.dev/pipelineRun": "python-component-hdgtwb-on-pull-request-w4fxw",
                    "tekton.dev/pipelineRunUID": "026f62d7-4b9d-4e0a-b4dd-7d8f5221cdae",
                    "tekton.dev/pipelineTask": "deprecated-base-image-check",
                    "tekton.dev/task": "deprecated-image-check",
                    "test.appstudio.openshift.io/pr-group-sha": "8de675c46c76ff37c178c9ad73d027d5c09461b2e7ee76c218df8b9378954e"
                },
                "name": "pyta3e4f0c351ed37cb00af4986e7e9d55d-deprecated-base-image-check",
                "namespace": "build-e2e-cgrq",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-hdgtwb-on-pull-request-w4fxw",
                        "uid": "026f62d7-4b9d-4e0a-b4dd-7d8f5221cdae"
                    }
                ],
                "resourceVersion": "32656",
                "uid": "afa8dedd-ffc4-48a0-ac31-27f2386d5f48"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE_URL",
                        "value": "quay.io/redhat-appstudio-qe/build-e2e-cgrq/python-component-hdgtwb:on-pr-bfc20b4e77f447e1d61efd741eb0ec572322efad"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "value": "sha256:8b1c005b02a15c6340d90e305991a1481c0f4197b8fc97b3aa0dde457a7b145c"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-hdgtwb",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "deprecated-image-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.5@sha256:e78d0d3baf3c8cfc1a5ad278196b74032d9568b143a87c7a79ab780fedfb296e"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-08T16:11:35Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-08T16:11:35Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "pyta3e4f0c351ed37cb00af49866dd2264070c5b01a4cc82e5bd83fa9d4-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "e78d0d3baf3c8cfc1a5ad278196b74032d9568b143a87c7a79ab780fedfb296e"
                        },
                        "entryPoint": "deprecated-image-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/build-e2e-cgrq/python-component-hdgtwb:on-pr-bfc20b4e77f447e1d61efd741eb0ec572322efad\", \"digests\": [\"sha256:8b1c005b02a15c6340d90e305991a1481c0f4197b8fc97b3aa0dde457a7b145c\"]}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-08T16:11:34+00:00\",\"note\":\"Task deprecated-image-check completed: Check result for task result.\",\"namespace\":\"required_checks\",\"successes\":1,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-08T16:11:20Z",
                "steps": [
                    {
                        "container": "step-check-images",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:724ecf16a1fc9b51a1b20c91c5125556c53d471d0d8db1648d2404e4715f204e",
                        "name": "check-images",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://bccfdae163da8e3fb8f48cbac5bb6a51df9cddb9cef79b994a123b592b477efe",
                            "exitCode": 0,
                            "finishedAt": "2026-07-08T16:11:34Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/build-e2e-cgrq/python-component-hdgtwb:on-pr-bfc20b4e77f447e1d61efd741eb0ec572322efad\\\", \\\"digests\\\": [\\\"sha256:8b1c005b02a15c6340d90e305991a1481c0f4197b8fc97b3aa0dde457a7b145c\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-08T16:11:34+00:00\\\",\\\"note\\\":\\\"Task deprecated-image-check completed: Check result for task result.\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":1,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-08T16:11:27Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Identifies the unmaintained and potentially insecure deprecated base images. Pyxis API collects metadata from image repository, and Conftest applies supplied policy to identify the deprecated images using that metadata.",
                    "params": [
                        {
                            "default": "/project/repository/",
                            "description": "Path to directory containing Conftest policies.",
                            "name": "POLICY_DIR",
                            "type": "string"
                        },
                        {
                            "default": "required_checks",
                            "description": "Namespace for Conftest policy.",
                            "name": "POLICY_NAMESPACE",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Digests of base build images.",
                            "name": "BASE_IMAGES_DIGESTS",
                            "type": "string"
                        },
                        {
                            "description": "Fully qualified image name.",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "Image digest.",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "POLICY_DIR",
                                    "value": "/project/repository/"
                                },
                                {
                                    "name": "POLICY_NAMESPACE",
                                    "value": "required_checks"
                                },
                                {
                                    "name": "BASE_IMAGES_DIGESTS"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/build-e2e-cgrq/python-component-hdgtwb:on-pr-bfc20b4e77f447e1d61efd741eb0ec572322efad"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:8b1c005b02a15c6340d90e305991a1481c0f4197b8fc97b3aa0dde457a7b145c"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.53@sha256:724ecf16a1fc9b51a1b20c91c5125556c53d471d0d8db1648d2404e4715f204e",
                            "name": "check-images",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n# shellcheck disable=SC1091 # /utils.sh is only available in the container image at runtime\nsource /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nIMAGES_TO_BE_PROCESSED_PATH=\"/tmp/images_to_be_processed.txt\"\ntouch /tmp/images_to_be_processed.txt\n\nsuccess_counter=0\nfailure_counter=0\nerror_counter=0\nwarnings_counter=0\n\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\n\nimagewithouttag=$(echo -n \"$IMAGE_URL\" | sed \"s/\\(.*\\):.*/\\1/\")\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=\"${imagewithouttag}@${IMAGE_DIGEST}\"\n\n# Get the arch and image manifests by inspecting the image. This is mainly for identifying image indexes\nimage_manifests=$(get_image_manifests -i \"${imageanddigest}\")\nif [ -n \"$image_manifests\" ]; then\n  while read -r arch arch_sha; do\n    SBOM_FILE_PATH=\"/tmp/sbom-${arch}.json\"\n    arch_imageanddigest=\"${imagewithouttag}@${arch_sha}\"\n\n    # Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\n    mkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"${arch_imageanddigest}\" \u003e/tmp/auth/config.json\n    export DOCKER_CONFIG=/tmp/auth\n\n    # Get base images from SBOM\n    if ! cosign download sbom \"$arch_imageanddigest\" \u003e \"${SBOM_FILE_PATH}\"; then\n      echo \"Unable to download sbom for arch $arch.\"\n      continue\n    fi\n\n    \u003c \"${SBOM_FILE_PATH}\" jq -r '\n        if .bomFormat == \"CycloneDX\" then\n            .formulation[]?\n            | .components[]?\n            | select(any(.properties[]?; .name | test(\"^konflux:container:is_(base|builder)_image\")))\n            | (\n                .purl\n                | capture(\"^pkg:oci/.*?@(?\u003cdigest\u003e[a-z0-9]+:[a-f0-9]+)(?:\\\\?[^#]*repository_url=(?\u003crepository_url\u003e[^\u0026#]*))?\")\n              ) as $matched\n            | $matched.repository_url\n        else\n            .packages[]\n            | select(any(.annotations[]?.comment; (fromjson?).name? | test(\"^konflux:container:is_(base|builder)_image\")?))\n            | [.externalRefs[]? | select(.referenceType == \"purl\").referenceLocator] as $purls\n            | (\n                $purls | first\n                | capture(\"^pkg:oci/.*?@(?\u003cdigest\u003e[a-z0-9]+:[a-f0-9]+)(?:\\\\?[^#]*repository_url=(?\u003crepository_url\u003e[^\u0026#]*))?\")\n              ) as $matched\n            | $matched.repository_url\n        end\n    ' \u003e\u003e \"${IMAGES_TO_BE_PROCESSED_PATH}\"\n    echo \"Detected base images from $arch SBOM:\"\n    cat \"${IMAGES_TO_BE_PROCESSED_PATH}\"\n    echo \"\"\n\n    digests_processed+=(\"\\\"$arch_sha\\\"\")\n  done \u003c \u003c(echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"')\nelse\n  echo \"Failed to get image manifests from image \\\"$imageanddigest\\\"\"\n  note=\"Task deprecated-image-check failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n  echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n  digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\n\nif [ -n \"${BASE_IMAGES_DIGESTS}\" ];\nthen\n  echo \"Base images passed by param BASE_IMAGES_DIGESTS: $BASE_IMAGES_DIGESTS\"\n  # Get images from the parameter\n  for IMAGE_WITH_TAG in $(echo -n \"$BASE_IMAGES_DIGESTS\" | sed 's/\\\\n/\\'$'\\n''/g' );\n  do\n    echo \"$IMAGE_WITH_TAG\" | cut -d \":\" -f1 \u003e\u003e \"${IMAGES_TO_BE_PROCESSED_PATH}\"\n  done\nfi\n\n# we want to remove duplicated entries\nBASE_IMAGES=$(sort -u \"${IMAGES_TO_BE_PROCESSED_PATH}\")\n\necho \"Images to be checked:\"\necho \"$BASE_IMAGES\"\necho \"\"\n\nfor BASE_IMAGE in ${BASE_IMAGES};\ndo\n  IFS=:'/' read -r IMAGE_REGISTRY IMAGE_REPOSITORY\u003c\u003c\u003c \"$BASE_IMAGE\"\n\n  # Red Hat Catalog hack: registry.redhat.io must be queried as registry.access.redhat.com in Red Hat catalog\n  IMAGE_REGISTRY_CATALOG=$(echo \"${IMAGE_REGISTRY}\" | sed 's/^registry.redhat.io$/registry.access.redhat.com/')\n\n  export IMAGE_REPO_PATH=\"/tmp/${IMAGE_REPOSITORY}\"\n  mkdir -p \"${IMAGE_REPO_PATH}\"\n  echo \"Querying Red Hat Catalog for $BASE_IMAGE.\"\n  http_code=$(curl -s -o \"${IMAGE_REPO_PATH}/repository_data.json\" -w '%{http_code}' \"https://catalog.redhat.com/api/containers/v1/repositories/registry/${IMAGE_REGISTRY_CATALOG}/repository/${IMAGE_REPOSITORY}\")\n\n  if [ \"$http_code\" == \"200\" ];\n  then\n    echo \"Running conftest using $POLICY_DIR policy, $POLICY_NAMESPACE namespace.\"\n    /usr/bin/conftest test --no-fail \"${IMAGE_REPO_PATH}/repository_data.json\" \\\n    --policy \"$POLICY_DIR\" --namespace \"$POLICY_NAMESPACE\" \\\n    --output=json | tee \"${IMAGE_REPO_PATH}/deprecated_image_check_output.json\"\n\n    failures_num=$(jq -r '.[].failures|length' \"${IMAGE_REPO_PATH}/deprecated_image_check_output.json\")\n    if [[ \"${failures_num}\" -gt 0 ]]; then\n      echo \"[FAILURE] Image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} has been deprecated\"\n    fi\n    failure_counter=$((failure_counter+failures_num))\n\n    successes_num=$(jq -r '.[].successes' \"${IMAGE_REPO_PATH}/deprecated_image_check_output.json\")\n    if [[ \"${successes_num}\" -gt 0 ]]; then\n      echo \"[SUCCESS] Image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} is valid\"\n    fi\n    success_counter=$((success_counter+successes_num))\n\n  elif [ \"$http_code\" == \"404\" ];\n  then\n    echo \"[WARNING] Registry/image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} not found in Red Hat Catalog. Task cannot provide results if image is deprecated.\"\n    warnings_counter=$((warnings_counter+1))\n  else\n    echo \"[ERROR] Unexpected error (HTTP code: ${http_code}) occurred for registry/image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY}.\"\n    error_counter=$((error_counter+1))\n  fi\ndone\n\nnote=\"Task deprecated-image-check failed: Command conftest failed. For details, check Tekton task log.\"\nERROR_OUTPUT=$(make_result_json -r ERROR -n \"$POLICY_NAMESPACE\" -t \"$note\")\n\nnote=\"Task deprecated-image-check completed: Check result for task result.\"\nif [[ \"$error_counter\" == 0 ]];\nthen\n  if [[ \"${failure_counter}\" -gt 0 ]]; then\n    RES=\"FAILURE\"\n  elif [[ \"${warnings_counter}\" -gt 0 ]]; then\n    RES=\"WARNING\"\n  elif [[ \"${success_counter}\" -eq 0 ]]; then\n    # when all counters are 0, there are no base images to check\n    note=\"Task deprecated-image-check success: No base images to check.\"\n    RES=\"SUCCESS\"\n  else\n    RES=\"SUCCESS\"\n  fi\n  TEST_OUTPUT=$(make_result_json \\\n    -r \"${RES}\" -n \"$POLICY_NAMESPACE\" \\\n    -s \"${success_counter}\" -f \"${failure_counter}\" -w \"${warnings_counter}\" -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee \"/tekton/results/TEST_OUTPUT\"\n\necho \"${images_processed_template/\\[%s]/[$digests_processed_string]}\" | tee \"/tekton/results/IMAGES_PROCESSED\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/sample-multi-component?rev=bfc20b4e77f447e1d61efd741eb0ec572322efad",
                    "build.appstudio.redhat.com/commit_sha": "bfc20b4e77f447e1d61efd741eb0ec572322efad",
                    "build.appstudio.redhat.com/pull_request_number": "34016",
                    "build.appstudio.redhat.com/target_branch": "multi-component-base-jzrdyy",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "multi-component-base-jzrdyy",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85919828220",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ilmovz",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://localhost:9443/ns/build-e2e-cgrq/pipelinerun/python-component-hdgtwb-on-pull-request-w4fxw",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"multi-component-base-jzrdyy\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-hdgtwb-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-hdgtwb-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "34016",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/sample-multi-component",
                    "pipelinesascode.tekton.dev/repository": "github-com-redhat-appstudio-qe-sample-multi-component",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "bfc20b4e77f447e1d61efd741eb0ec572322efad",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update python-component-hdgtwb",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/sample-multi-component/commit/bfc20b4e77f447e1d61efd741eb0ec572322efad",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-python-component-hdgtwb",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/sample-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "sample-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "build-e2e-cgrq/results/026f62d7-4b9d-4e0a-b4dd-7d8f5221cdae/records/d6376749-1b43-4764-8259-774229ac61e9",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"sample-multi-component\",\"commit\":\"bfc20b4e77f447e1d61efd741eb0ec572322efad\",\"eventType\":\"pull_request\",\"pull_request-id\":34016}",
                    "results.tekton.dev/result": "build-e2e-cgrq/results/026f62d7-4b9d-4e0a-b4dd-7d8f5221cdae",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "virus, konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-python-component-hdgtwb"
                },
                "creationTimestamp": "2026-07-08T16:11:20Z",
                "deletionGracePeriodSeconds": 0,
                "deletionTimestamp": "2026-07-08T16:13:24Z",
                "finalizers": [
                    "results.tekton.dev/taskrun"
                ],
                "generation": 2,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "build-suite-positive-mc-uwfd",
                    "appstudio.openshift.io/component": "python-component-hdgtwb",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85919828220",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-hdgtwb-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "34016",
                    "pipelinesascode.tekton.dev/repository": "github-com-redhat-appstudio-qe-sample-multi-component",
                    "pipelinesascode.tekton.dev/sha": "bfc20b4e77f447e1d61efd741eb0ec572322efad",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "sample-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-hdgtwb-on-pull-request-w4fxw",
                    "tekton.dev/pipelineRun": "python-component-hdgtwb-on-pull-request-w4fxw",
                    "tekton.dev/pipelineRunUID": "026f62d7-4b9d-4e0a-b4dd-7d8f5221cdae",
                    "tekton.dev/pipelineTask": "clamav-scan",
                    "tekton.dev/task": "clamav-scan-min",
                    "test.appstudio.openshift.io/pr-group-sha": "8de675c46c76ff37c178c9ad73d027d5c09461b2e7ee76c218df8b9378954e"
                },
                "name": "python-component-hdgtwb-on-pull-request-w4fxw-clamav-scan",
                "namespace": "build-e2e-cgrq",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-hdgtwb-on-pull-request-w4fxw",
                        "uid": "026f62d7-4b9d-4e0a-b4dd-7d8f5221cdae"
                    }
                ],
                "resourceVersion": "32681",
                "uid": "d6376749-1b43-4764-8259-774229ac61e9"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:8b1c005b02a15c6340d90e305991a1481c0f4197b8fc97b3aa0dde457a7b145c"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/build-e2e-cgrq/python-component-hdgtwb:on-pr-bfc20b4e77f447e1d61efd741eb0ec572322efad"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-hdgtwb",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "clamav-scan-min"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-clamav-scan-min:0.3@sha256:908e356d7a3bc3e472a9075a1ce1370486361007b3a86e3f61c2a6af7136a335"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-08T16:12:57Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-08T16:12:57Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-hdgtwb-on-pull-request-w4fxw-clamav-scan-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "908e356d7a3bc3e472a9075a1ce1370486361007b3a86e3f61c2a6af7136a335"
                        },
                        "entryPoint": "clamav-scan-min",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-clamav-scan-min"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/build-e2e-cgrq/python-component-hdgtwb:on-pr-bfc20b4e77f447e1d61efd741eb0ec572322efad\", \"digests\": [\"sha256:8b1c005b02a15c6340d90e305991a1481c0f4197b8fc97b3aa0dde457a7b145c\"]}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"timestamp\":\"1783527173\",\"namespace\":\"required_checks\",\"successes\":2,\"failures\":0,\"warnings\":0,\"result\":\"SUCCESS\",\"note\":\"All checks passed successfully\"}\n"
                    }
                ],
                "startTime": "2026-07-08T16:11:20Z",
                "steps": [
                    {
                        "container": "step-extract-and-scan-image",
                        "imageID": "quay.io/konflux-ci/clamav-db@sha256:f852c36fbe312f177d30582a06b4e8332fa7cc87b2849773b97620e7be275612",
                        "name": "extract-and-scan-image",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://b02cd827331ad41c7bed3c522c07e8149f149a2c1094b5bd326a7eb331323f43",
                            "exitCode": 0,
                            "finishedAt": "2026-07-08T16:12:53Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/build-e2e-cgrq/python-component-hdgtwb:on-pr-bfc20b4e77f447e1d61efd741eb0ec572322efad\\\", \\\"digests\\\": [\\\"sha256:8b1c005b02a15c6340d90e305991a1481c0f4197b8fc97b3aa0dde457a7b145c\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1783527173\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":2,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\",\\\"note\\\":\\\"All checks passed successfully\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-08T16:11:28Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:1abfe4e50d4e961d0fd9790202565f93ee650fe8dfc50932c94989acba10485f",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://f8dca0e4111d0f0a6d3c061e33d5fa52c924921a49d64d3d7f80a510d3fe1f89",
                            "exitCode": 0,
                            "finishedAt": "2026-07-08T16:12:56Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/build-e2e-cgrq/python-component-hdgtwb:on-pr-bfc20b4e77f447e1d61efd741eb0ec572322efad\\\", \\\"digests\\\": [\\\"sha256:8b1c005b02a15c6340d90e305991a1481c0f4197b8fc97b3aa0dde457a7b145c\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1783527173\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":2,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\",\\\"note\\\":\\\"All checks passed successfully\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-08T16:12:53Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans the content of container images and OCI artifacts for viruses, malware, and other malicious content using ClamAV antivirus scanner.",
                    "params": [
                        {
                            "description": "Image digest to scan.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Image arch.",
                            "name": "image-arch",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "unused",
                            "name": "docker-auth",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        },
                        {
                            "default": "8",
                            "description": "Maximum number of threads clamd runs.",
                            "name": "clamd-max-threads",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "If true, skips uploading the results to the image registry. Useful for read-only tests.",
                            "name": "skip-upload",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "512m",
                                    "memory": "3Gi"
                                },
                                "requests": {
                                    "cpu": "512m",
                                    "memory": "3Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/work"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/build-e2e-cgrq/python-component-hdgtwb:on-pr-bfc20b4e77f447e1d61efd741eb0ec572322efad"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:8b1c005b02a15c6340d90e305991a1481c0f4197b8fc97b3aa0dde457a7b145c"
                                },
                                {
                                    "name": "IMAGE_ARCH"
                                },
                                {
                                    "name": "MAX_THREADS",
                                    "value": "8"
                                }
                            ],
                            "image": "quay.io/konflux-ci/clamav-db:latest",
                            "name": "extract-and-scan-image",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n# shellcheck disable=SC1091 # /utils.sh is only available in the container image at runtime\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\n# Start clamd in background\n/start-clamd.sh\n\n# Bootstrap .docker config in overridden HOME.\n# This prevents 'oc' CLI failures in clean environments where ~/.docker does not exist.\nif [ ! -d ~/.docker ]; then\n    mkdir -p ~/.docker\n    echo '{}' \u003e ~/.docker/config.json\nfi\n\nimagewithouttag=$(echo \"$IMAGE_URL\" | sed \"s/\\(.*\\):.*/\\1/\" | tr -d '\\n')\n\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=\"${imagewithouttag}@${IMAGE_DIGEST}\"\n\n# check if image is attestation one, skip the clamav scan in such case\nif [[ $imageanddigest == *.att ]]\nthen\n    echo \"$imageanddigest is an attestation image. Skipping ClamAV scan.\"\n    exit 0\nfi\n\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\nmkdir logs\nmkdir content\ncd content\necho \"Detecting artifact type for ${imageanddigest}.\"\necho '{\"artifact\":{\"pullspec\":\"'\"${imageanddigest}\"'\",\"type\":\"unknown\",\"mediaType\":\"\"}}' \u003e /work/logs/artifact-meta.json\n\n# Function to scan content and process results with ClamAV and EC\n# Parameters:\n#   $1: destination - path to the content to scan\n#   $2: suffix - suffix for log file names (e.g., \"oci\", \"amd64\")\n#   $3: digest - digest to add to digests_processed array\n#   $4: scan_message - optional message describing what is being scanned\nscan_and_process() {\n  local destination=\"$1\"\n  local suffix=\"$2\"\n  local digest=\"$3\"\n  local scan_message=\"${4:-Scanning content}\"\n\n  db_version=$(clamdscan --version | sed 's|.*/\\(.*\\)/.*|\\1|')\n\n  echo \"$scan_message. This operation may take a while.\"\n  clamdscan \"${destination}\" -vi --multiscan --fdpass \\\n    | tee \"/work/logs/clamscan-result-${suffix}.log\" || true\n\n  echo \"Executed-on: Scan was executed on clamsdcan version - $(clamdscan --version) Database version: $db_version\" | tee -a \"/work/logs/clamscan-result-${suffix}.log\"\n\n  digests_processed+=(\"\\\"$digest\\\"\")\n\n  if [[ -e \"/work/logs/clamscan-result-${suffix}.log\" ]]; then\n    # OPA/EC requires structured data input, add clamAV log into json\n    jq -Rs '{ output: . }' \"/work/logs/clamscan-result-${suffix}.log\" \u003e \"/work/logs/clamscan-result-log-${suffix}.json\"\n\n    EC_EXPERIMENTAL=1 ec test \\\n      --namespace required_checks \\\n      --policy /project/clamav/virus-check.rego \\\n      -o json \\\n      \"/work/logs/clamscan-result-log-${suffix}.json\" || true\n\n    # workaround: due to a bug in ec-cli, we cannot generate json and appstudio output at the same time, running it again\n    EC_EXPERIMENTAL=1 ec test \\\n      --namespace required_checks \\\n      --policy /project/clamav/virus-check.rego \\\n      -o appstudio \\\n      \"/work/logs/clamscan-result-log-${suffix}.json\" | tee \"/work/logs/clamscan-ec-test-${suffix}.json\" || true\n\n    cat \"/work/logs/clamscan-ec-test-${suffix}.json\"\n  fi\n}\n\n# Detect artifact type: container image vs OCI artifact\n# First, try to get image manifests (works for container images)\n# Use subshell to prevent get_image_manifests() from exiting the main script if it fails\n# (get_image_manifests uses exit 1 when Architecture field is missing, which happens for OCI artifacts)\nimage_manifests=$(bash -c '. /utils.sh; get_image_manifests -i \"'\"${imageanddigest}\"'\"' 2\u003e/dev/null || echo \"\")\n\n# If get_image_manifests failed, check if it's an OCI artifact by inspecting manifest media type\nif [ -z \"$image_manifests\" ]; then\n  echo \"get_image_manifests returned empty, checking if this is an OCI artifact...\"\n  raw_manifest=$(skopeo inspect --raw --authfile ~/.docker/config.json \"docker://${imageanddigest}\" 2\u003e/dev/null || true)\n  if [ -s /work/logs/artifact-meta.json ]; then\n    tmp=$(mktemp)\n    if jq '.artifact.type = \"inspected\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n      mv \"$tmp\" /work/logs/artifact-meta.json || true\n    fi\n  fi\n\n  if [ -n \"$raw_manifest\" ]; then\n    media_type=$(echo \"$raw_manifest\" | jq -r '.mediaType // .config.mediaType // empty' 2\u003e/dev/null || echo \"\")\n    artifact_type=$(echo \"$raw_manifest\" | jq -r '.artifactType // empty' 2\u003e/dev/null || echo \"\")\n    config_media_type=$(echo \"$raw_manifest\" | jq -r '.config.mediaType // empty' 2\u003e/dev/null || echo \"\")\n\n    # Determine if this is an OCI artifact (not a container image)\n    # OCI artifacts typically have:\n    # - An empty/scratch config (config.mediaType contains \"empty\" or \"scratch\")\n    # - An explicit artifactType field that is not a container image type\n    is_oci_artifact=false\n\n    # Check if config is empty/scratch (typical for OCI artifacts like python wheels, helm charts, etc.)\n    if echo \"$config_media_type\" | grep -qiE \"(empty|scratch)\"; then\n      is_oci_artifact=true\n    fi\n\n    # Check if artifactType is set and is not a container image type\n    if [ -n \"$artifact_type\" ] \u0026\u0026 ! echo \"$artifact_type\" | grep -qE \"application/vnd\\.(oci|docker)\\.(image|container)\"; then\n      is_oci_artifact=true\n    fi\n\n    if [ \"$is_oci_artifact\" = true ]; then\n      # This is an OCI artifact (e.g., python wheels, helm charts, etc.)\n      echo \"Detected OCI artifact (artifactType: ${artifact_type:-unset}, config.mediaType: ${config_media_type:-unset}). Downloading for scanning...\"\n      if [ -s /work/logs/artifact-meta.json ]; then\n        tmp=$(mktemp)\n        if jq '.artifact.mediaType = '\"\\\"${media_type:-unknown}\\\"\"' | .artifact.artifactType = '\"\\\"${artifact_type:-unknown}\\\"\"' | .artifact.type = \"oci\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n          mv \"$tmp\" /work/logs/artifact-meta.json || true\n        fi\n      fi\n      destination=\"content-oci\"\n      mkdir -p \"$destination\"\n\n      # Download OCI artifact using skopeo copy\n      echo \"Downloading OCI artifact using skopeo copy\"\n      if ! retry skopeo copy --authfile ~/.docker/config.json \"docker://${imageanddigest}\" \"dir:${destination}\" 2\u003e\u00261; then\n        echo \"Failed to download OCI artifact \\\"$imageanddigest\\\". Skipping ClamAV scan!\"\n        note=\"Task clamav-scan-min failed: Failed to download OCI artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n        ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n        echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n        exit 0\n      fi\n\n      # Scan and process OCI artifact\n      scan_and_process \"${destination}\" \"oci\" \"$IMAGE_DIGEST\" \"Scanning OCI artifact\"\n\n      # Skip the container image processing path\n      image_manifests=\"\"\n    elif echo \"$media_type\" | grep -qE \"(application/vnd\\.(docker|oci)\\.(distribution|image)\\.manifest|application/vnd\\.docker\\.distribution\\.manifest)\"; then\n      # This looks like a container image manifest, but get_image_manifests failed\n      echo \"Detected container image manifest type: $media_type, but get_image_manifests failed. This may indicate an error.\"\n      if [ -s /work/logs/artifact-meta.json ]; then\n        tmp=$(mktemp)\n        if jq '.artifact.mediaType = '\"\\\"$media_type\\\"\"' | .artifact.type = \"image\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n          mv \"$tmp\" /work/logs/artifact-meta.json || true\n        fi\n      fi\n      note=\"Task clamav-scan-min failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n      ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n      echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n      exit 0\n    else\n      # Likely an OCI artifact with non-standard media type\n      echo \"Detected OCI artifact (media type: ${media_type:-unknown}). Downloading for scanning...\"\n      if [ -s /work/logs/artifact-meta.json ]; then\n        tmp=$(mktemp)\n        if jq '.artifact.mediaType = '\"\\\"${media_type:-unknown}\\\"\"' | .artifact.type = \"oci\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n          mv \"$tmp\" /work/logs/artifact-meta.json || true\n        fi\n      fi\n      destination=\"content-oci\"\n      mkdir -p \"$destination\"\n\n      # Download OCI artifact using skopeo copy\n      echo \"Downloading OCI artifact using skopeo copy\"\n      if ! retry skopeo copy --authfile ~/.docker/config.json \"docker://${imageanddigest}\" \"dir:${destination}\" 2\u003e\u00261; then\n        echo \"Failed to download OCI artifact \\\"$imageanddigest\\\". Skipping ClamAV scan!\"\n        note=\"Task clamav-scan-min failed: Failed to download OCI artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n        ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n        echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n        exit 0\n      fi\n\n      # Scan and process OCI artifact\n      scan_and_process \"${destination}\" \"oci\" \"$IMAGE_DIGEST\" \"Scanning OCI artifact\"\n\n      # Skip the container image processing path\n      image_manifests=\"\"\n    fi\n  else\n    echo \"Failed to inspect artifact \\\"$imageanddigest\\\". Unable to determine type.\"\n    note=\"Task clamav-scan-min failed: Failed to inspect artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 0\n  fi\nfi\n\n# Process container images (existing logic)\nif [ -n \"$image_manifests\" ]; then\n  echo \"Detected container image. Processing image manifests.\"\n  if [ -s /work/logs/artifact-meta.json ]; then\n    tmp=$(mktemp)\n    if jq '.artifact.type = \"image\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n      mv \"$tmp\" /work/logs/artifact-meta.json || true\n    fi\n  fi\n  # Proceed only if a specific arch is provided.\n  # This typically occurs when using Tekton Matrix to launch multiple TaskRuns to scan all architectures of a multi-arch image in parallel.\n  if [ -n \"$IMAGE_ARCH\" ]; then\n    arch=\"${IMAGE_ARCH#*/}\"\n    if [ \"${arch}\" = \"x86_64\" ]; then\n      arch=\"amd64\"\n    fi\n\n    # Check if arch is supported; if not (e.g., it's 'local', see link below), default to amd64.\n    # https://github.com/redhat-appstudio/infra-deployments/blob/main/components/multi-platform-controller/production/stone-prd-rh01/host-config.yaml#L9-L14\n    case \"$arch\" in\n      amd64|ppc64le|arm64|s390x)\n        ;;\n      *)\n        arch=\"amd64\"\n        ;;\n    esac\n\n    image_manifests=$(echo \"$image_manifests\" | jq -c --arg arch \"$arch\" '{($arch): .[$arch]}')\n  fi\n\n  while read -r arch arch_sha; do\n    destination=\"content-${arch}\"\n    mkdir -p \"$destination\"\n    arch_imageanddigest=\"${imagewithouttag}@${arch_sha}\"\n\n    echo \"Running \\\"oc image extract\\\" on image of arch $arch\"\n    if ! retry oc image extract --confirm --only-files=true --registry-config ~/.docker/config.json \"$arch_imageanddigest\" --path=\"/:${destination}\" --filter-by-os=\"linux/${arch}\"; then\n      echo \"Unable to extract image for arch $arch. Skipping ClamAV scan!\"\n      exit 0\n    fi\n\n    # Scan and process container image for this architecture\n    scan_and_process \"${destination}\" \"$arch\" \"$arch_sha\" \"Scanning image for arch $arch\"\n  done \u003c \u003c(echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"')\nfi\n\njq -s -rce '\n  reduce .[] as $item ({\"timestamp\":\"0\",\"namespace\":\"\",\"successes\":0,\"failures\":0,\"warnings\":0,\"result\":\"\",\"note\":\"\"};\n    {\n    \"timestamp\" : (if .timestamp \u003c $item.timestamp then $item.timestamp else .timestamp end),\n    \"namespace\" : $item.namespace,\n    \"successes\" : (.successes + $item.successes),\n    \"failures\" : (.failures + $item.failures),\n    \"warnings\" : (.warnings + $item.warnings),\n    \"result\" : (if .result == \"\" or ($item.result == \"SKIPPED\" and .result == \"SUCCESS\") or ($item.result == \"WARNING\" and (.result == \"SUCCESS\" or .result == \"SKIPPED\")) or ($item.result == \"FAILURE\" and .result != \"ERROR\") or $item.result == \"ERROR\" then $item.result else .result end),\n    \"note\" : (if .result == \"\" or ($item.result == \"SKIPPED\" and .result == \"SUCCESS\") or ($item.result == \"WARNING\" and (.result == \"SUCCESS\" or .result == \"SKIPPED\")) or ($item.result == \"FAILURE\" and .result != \"ERROR\") or $item.result == \"ERROR\" then $item.note else .note end)\n    })' /work/logs/clamscan-ec-test-*.json | tee \"/tekton/results/TEST_OUTPUT\"\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n  digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\necho \"${images_processed_template/\\[%s]/[$digests_processed_string]}\" | tee \"/tekton/results/IMAGES_PROCESSED\"\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/work",
                                    "name": "work"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/work"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SKIP_UPLOAD",
                                    "value": "false"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/build-e2e-cgrq/python-component-hdgtwb:on-pr-bfc20b4e77f447e1d61efd741eb0ec572322efad"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:8b1c005b02a15c6340d90e305991a1481c0f4197b8fc97b3aa0dde457a7b145c"
                                }
                            ],
                            "image": "quay.io/konflux-ci/task-runner:1.6.0@sha256:1abfe4e50d4e961d0fd9790202565f93ee650fe8dfc50932c94989acba10485f",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\nset -e\n\n# Skip upload if requested e.g. read-only CI tests where push access is denied\nif [ \"$SKIP_UPLOAD\" == \"true\" ]; then\n  echo \"Upload skipped by parameter.\"\n  exit 0\nfi\n\n# Don't return a glob expression when no matches are found\nshopt -s nullglob\n\ncd logs\n\nfor UPLOAD_FILE in clamscan-result*.log; do\n  MEDIA_TYPE=text/vnd.clamav\n  args+=(\"${UPLOAD_FILE}:${MEDIA_TYPE}\")\ndone\nfor UPLOAD_FILE in clamscan-ec-test*.json; do\n  MEDIA_TYPE=application/vnd.konflux.test_output+json\n  args+=(\"${UPLOAD_FILE}:${MEDIA_TYPE}\")\ndone\n\nif [ ${#args[@]} -eq 0 ]; then\n  echo \"No files found. Skipping upload.\"\n  exit 0;\nfi\n\necho \"Selecting auth\"\nselect-oci-auth \"$IMAGE_URL\" \u003e \"$HOME/auth.json\"\necho \"Attaching to ${IMAGE_URL}\"\n retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type application/vnd.clamav \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${args[@]}\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/work",
                                    "name": "work"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/work"
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "dbfolder"
                        },
                        {
                            "emptyDir": {},
                            "name": "work"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/sample-multi-component?rev=bfc20b4e77f447e1d61efd741eb0ec572322efad",
                    "build.appstudio.redhat.com/commit_sha": "bfc20b4e77f447e1d61efd741eb0ec572322efad",
                    "build.appstudio.redhat.com/pull_request_number": "34016",
                    "build.appstudio.redhat.com/target_branch": "multi-component-base-jzrdyy",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "multi-component-base-jzrdyy",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85919828220",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ilmovz",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://localhost:9443/ns/build-e2e-cgrq/pipelinerun/python-component-hdgtwb-on-pull-request-w4fxw",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"multi-component-base-jzrdyy\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-hdgtwb-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-hdgtwb-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "34016",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/sample-multi-component",
                    "pipelinesascode.tekton.dev/repository": "github-com-redhat-appstudio-qe-sample-multi-component",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "bfc20b4e77f447e1d61efd741eb0ec572322efad",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update python-component-hdgtwb",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/sample-multi-component/commit/bfc20b4e77f447e1d61efd741eb0ec572322efad",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-python-component-hdgtwb",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/sample-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "sample-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "build-e2e-cgrq/results/026f62d7-4b9d-4e0a-b4dd-7d8f5221cdae/records/dd041315-4ccf-4c79-a3bc-a149292e04bd",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"sample-multi-component\",\"commit\":\"bfc20b4e77f447e1d61efd741eb0ec572322efad\",\"eventType\":\"pull_request\",\"pull_request-id\":34016}",
                    "results.tekton.dev/result": "build-e2e-cgrq/results/026f62d7-4b9d-4e0a-b4dd-7d8f5221cdae",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-python-component-hdgtwb"
                },
                "creationTimestamp": "2026-07-08T16:11:20Z",
                "deletionGracePeriodSeconds": 0,
                "deletionTimestamp": "2026-07-08T16:13:24Z",
                "finalizers": [
                    "results.tekton.dev/taskrun"
                ],
                "generation": 2,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "build-suite-positive-mc-uwfd",
                    "appstudio.openshift.io/component": "python-component-hdgtwb",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85919828220",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-hdgtwb-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "34016",
                    "pipelinesascode.tekton.dev/repository": "github-com-redhat-appstudio-qe-sample-multi-component",
                    "pipelinesascode.tekton.dev/sha": "bfc20b4e77f447e1d61efd741eb0ec572322efad",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "sample-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-hdgtwb-on-pull-request-w4fxw",
                    "tekton.dev/pipelineRun": "python-component-hdgtwb-on-pull-request-w4fxw",
                    "tekton.dev/pipelineRunUID": "026f62d7-4b9d-4e0a-b4dd-7d8f5221cdae",
                    "tekton.dev/pipelineTask": "sast-shell-check",
                    "tekton.dev/task": "sast-shell-check-oci-ta-min",
                    "test.appstudio.openshift.io/pr-group-sha": "8de675c46c76ff37c178c9ad73d027d5c09461b2e7ee76c218df8b9378954e"
                },
                "name": "python-component-hdgtwb-on-pull-request-w4fxw-sast-shell-check",
                "namespace": "build-e2e-cgrq",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-hdgtwb-on-pull-request-w4fxw",
                        "uid": "026f62d7-4b9d-4e0a-b4dd-7d8f5221cdae"
                    }
                ],
                "resourceVersion": "32660",
                "uid": "dd041315-4ccf-4c79-a3bc-a149292e04bd"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:8b1c005b02a15c6340d90e305991a1481c0f4197b8fc97b3aa0dde457a7b145c"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/build-e2e-cgrq/python-component-hdgtwb:on-pr-bfc20b4e77f447e1d61efd741eb0ec572322efad"
                    },
                    {
                        "name": "TARGET_DIRS",
                        "value": "."
                    },
                    {
                        "name": "SOURCE_ARTIFACT",
                        "value": "oci:quay.io/redhat-appstudio-qe/build-e2e-cgrq/python-component-hdgtwb@sha256:c9cb7bbab72305b634e83717c57844c45d6d62ac402e18b96271a4fa9cbfdea6"
                    },
                    {
                        "name": "CACHI2_ARTIFACT",
                        "value": ""
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-hdgtwb",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "sast-shell-check-oci-ta-min"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta-min:0.1@sha256:ecfae10944b45b91988ddc6311c7232bf2c98ba73c5fc6261861ecfd33434db0"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-08T16:11:41Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-08T16:11:41Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-hdgtwb-on-c222dd93c2b129f9337fa08fa66c6537-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "ecfae10944b45b91988ddc6311c7232bf2c98ba73c5fc6261861ecfd33434db0"
                        },
                        "entryPoint": "sast-shell-check-oci-ta-min",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta-min"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-08T16:11:36+00:00\",\"note\":\"For details, check Tekton task log.\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-08T16:11:20Z",
                "steps": [
                    {
                        "container": "step-use-trusted-artifact",
                        "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:d6d6048bdb5a73697ff88734a3f33c54193405b901d3f5192b8251a878623906",
                        "name": "use-trusted-artifact",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://1485af8e62944274e460e27d55fbc23b628c71563ef3dd44a31ad3a5ac52988e",
                            "exitCode": 0,
                            "finishedAt": "2026-07-08T16:11:28Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-08T16:11:27Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-sast-shell-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:deabe80a01dca3a8a0edb709324e30cbf0baa176f7a181bbb695323f506f7aac",
                        "name": "sast-shell-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://71abf4a251270785a1918a0923f9bd9d4fa4fe0a5a60cbd11405935d6379c662",
                            "exitCode": 0,
                            "finishedAt": "2026-07-08T16:11:36Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-08T16:11:36+00:00\\\",\\\"note\\\":\\\"For details, check Tekton task log.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-08T16:11:29Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:da693a7dcbadafc9f4422ae6600b41b2847944f7f14c5622827d6f58c727cf08",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://6cb6c5d7e54ce1ee05859bb4075454d005b0486ab17b8c98ac675eff5e9804f1",
                            "exitCode": 0,
                            "finishedAt": "2026-07-08T16:11:40Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-08T16:11:36+00:00\\\",\\\"note\\\":\\\"For details, check Tekton task log.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-08T16:11:37Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "The sast-shell-check task uses [shellcheck](https://www.shellcheck.net/) tool to perform Static Application Security Testing (SAST), a popular cloud-native application security platform. This task leverages the shellcheck wrapper (csmock-plugin-shellcheck-core) to run shellcheck on a directory tree.\nShellCheck is a static analysis tool, gives warnings and suggestions for bash/sh shell scripts. This task can run on x86 and arm.",
                    "params": [
                        {
                            "default": "",
                            "description": "The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.",
                            "name": "CACHI2_ARTIFACT",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Whether to include important findings only",
                            "name": "IMP_FINDINGS_ONLY",
                            "type": "string"
                        },
                        {
                            "default": "SITE_DEFAULT",
                            "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.",
                            "name": "KFP_GIT_URL",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.",
                            "name": "PROJECT_NAME",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Whether to record the excluded findings (default to false).\nIf `true`, the excluded findings will be stored in `excluded-findings.json`.\n",
                            "name": "RECORD_EXCLUDED",
                            "type": "string"
                        },
                        {
                            "description": "The Trusted Artifact URI pointing to the artifact with the application source code.",
                            "name": "SOURCE_ARTIFACT",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Target directories in component's source code. Multiple values should be separated with commas.",
                            "name": "TARGET_DIRS",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Image digest to report findings for.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "volumeMounts": [
                            {
                                "mountPath": "/var/workdir",
                                "name": "workdir"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "use",
                                "oci:quay.io/redhat-appstudio-qe/build-e2e-cgrq/python-component-hdgtwb@sha256:c9cb7bbab72305b634e83717c57844c45d6d62ac402e18b96271a4fa9cbfdea6=/var/workdir/source",
                                "=/var/workdir/cachi2"
                            ],
                            "computeResources": {},
                            "image": "quay.io/konflux-ci/build-trusted-artifacts:latest@sha256:d6d6048bdb5a73697ff88734a3f33c54193405b901d3f5192b8251a878623906",
                            "name": "use-trusted-artifact",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "128m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "128m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KFP_GIT_URL",
                                    "value": "SITE_DEFAULT"
                                },
                                {
                                    "name": "PROJECT_NAME"
                                },
                                {
                                    "name": "RECORD_EXCLUDED",
                                    "value": "false"
                                },
                                {
                                    "name": "IMP_FINDINGS_ONLY",
                                    "value": "true"
                                },
                                {
                                    "name": "TARGET_DIRS",
                                    "value": "."
                                },
                                {
                                    "name": "COMPONENT_LABEL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.labels['appstudio.openshift.io/component']"
                                        }
                                    }
                                },
                                {
                                    "name": "BUILD_PLR_LOG_URL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']"
                                        }
                                    }
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.52@sha256:deabe80a01dca3a8a0edb709324e30cbf0baa176f7a181bbb695323f506f7aac",
                            "name": "sast-shell-check",
                            "script": "#!/usr/bin/env bash\nset -x\n# shellcheck source=/dev/null\nsource /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n  PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nPACKAGE_VERSION=$(rpm -q --queryformat '%{NAME}-%{VERSION}-%{RELEASE}\\n' ShellCheck)\n\nOUTPUT_FILE=\"shellcheck-results.json\"\nSOURCE_CODE_DIR=/var/workdir/source\n\n# generate full path for each dirname separated by comma\ndeclare -a ALL_TARGETS\nIFS=\",\" read -ra TARGET_ARRAY \u003c\u003c\u003c\"$TARGET_DIRS\"\nfor d in \"${TARGET_ARRAY[@]}\"; do\n  potential_path=\"${SOURCE_CODE_DIR}/${d}\"\n\n  resolved_path=$(realpath -m \"$potential_path\")\n\n  # ensure resolved path is still within SOURCE_CODE_DIR\n  if [[ \"$resolved_path\" == \"$SOURCE_CODE_DIR\"* ]]; then\n    ALL_TARGETS+=(\"$resolved_path\")\n  else\n    echo \"Error: path traversal attempt, '$potential_path' is outside '$SOURCE_CODE_DIR'\"\n    exit 1\n  fi\ndone\n\n# determine number of available CPU cores for shellcheck based on container cgroup v2 CPU limits\n# this calculates the ceiling, so if the cpu limit is 0.5, the number of jobs will be 1.\nif [ -z \"$SC_JOBS\" ] \u0026\u0026 [ -r \"/sys/fs/cgroup/cpu.max\" ]; then\n  read -r quota period \u003c/sys/fs/cgroup/cpu.max\n  if [ \"$quota\" != \"max\" ] \u0026\u0026 [ -n \"$period\" ] \u0026\u0026 [ \"$period\" -gt 0 ]; then\n    export SC_JOBS=$(((quota + period - 1) / period))\n    echo \"INFO: Setting SC_JOBS=${SC_JOBS} based on cgroups v2 max for run-shellcheck.sh\"\n  fi\nfi\n\n# generate all shellcheck result JSON files to $SC_RESULTS_DIR, which defaults to ./shellcheck-results/\n/usr/share/csmock/scripts/run-shellcheck.sh \"${ALL_TARGETS[@]}\"\n\nCSGREP_OPTS=(\n  --mode=json\n  --strip-path-prefix=\"$SOURCE_CODE_DIR\"/\n  --remove-duplicates\n  --embed-context=3\n  --set-scan-prop=\"ShellCheck:${PACKAGE_VERSION}\"\n)\nif [[ \"$IMP_FINDINGS_ONLY\" == \"true\" ]]; then\n  # predefined list of shellcheck important findings\n  CSGREP_EVENT_FILTER='\\[SC(1020|1035|1054|1066|1068|1073|1080|1083|1099|1113|1115|1127|1128|1143|2043|2050|'\n  CSGREP_EVENT_FILTER+='2055|2057|2066|2069|2071|2077|2078|2091|2092|2157|2171|2193|2194|2195|2215|2216|'\n  CSGREP_EVENT_FILTER+='2218|2224|2225|2242|2256|2258|2261)\\]$'\n  CSGREP_OPTS+=(\n    --event=\"$CSGREP_EVENT_FILTER\"\n  )\nelse\n  CSGREP_OPTS+=(\n    --event=\"error|warning\"\n  )\nfi\n\nif ! csgrep \"${CSGREP_OPTS[@]}\" ./shellcheck-results/*.json \u003e\"$OUTPUT_FILE\"; then\n  echo \"Error occurred while running 'run-shellcheck.sh'\"\n  note=\"Task sast-shell-check-oci-ta-min failed: For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n  echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 1\nfi\n\nif [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n  KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\nfi\nPROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n# create the KFP clone directory regardless\nKFP_DIR=\"known-false-positives\"\nKFP_CLONED=\"0\"\nmkdir \"${KFP_DIR}\"\n\n# We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\nif [[ -n \"${KFP_GIT_URL}\" ]]; then\n  # Default location only reachable from internal Konflux instances, check reachable first\n  echo -n \"INFO: Probing ${PROBE_URL}... \"\n  if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n    echo \"INFO: Trying to clone known-false-positives..\"\n    git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n  fi\nfi\n\nif [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n  echo \"WARN: Failed to clone known-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\nelse\n  echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n  # build initial csfilter-kfp command\n  csfilter_kfp_cmd=(\n    csfilter-kfp\n    --verbose\n    --kfp-dir=\"${KFP_DIR}\"\n    --project-nvr=\"${PROJECT_NAME}\"\n  )\n\n  if [[ \"${RECORD_EXCLUDED}\" == \"true\" ]]; then\n    csfilter_kfp_cmd+=(--record-excluded=\"excluded-findings.json\")\n  fi\n\n  # Execute the command and capture any errors\n  set +e\n  \"${csfilter_kfp_cmd[@]}\" \"${OUTPUT_FILE}\" \u003e\"${OUTPUT_FILE}.filtered\" 2\u003e\"${OUTPUT_FILE}.error\"\n  status=$?\n  set -e\n  if [ \"$status\" -ne 0 ]; then\n    echo \"WARN: failed to filter known false positives\" \u003e\u00262\n  else\n    mv \"${OUTPUT_FILE}.filtered\" \"$OUTPUT_FILE\"\n    echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n  fi\nfi\n\necho \"ShellCheck results have been saved to $OUTPUT_FILE\"\n\ncsgrep --mode=evtstat \"$OUTPUT_FILE\"\ncsgrep --mode=sarif \"$OUTPUT_FILE\" \u003eshellcheck-results.sarif\n\nTEST_OUTPUT=\nparse_test_output \"sast-shell-check-oci-ta-min\" sarif shellcheck-results.sarif || true\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/var/workdir/source"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/build-e2e-cgrq/python-component-hdgtwb:on-pr-bfc20b4e77f447e1d61efd741eb0ec572322efad"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:8b1c005b02a15c6340d90e305991a1481c0f4197b8fc97b3aa0dde457a7b145c"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:da693a7dcbadafc9f4422ae6600b41b2847944f7f14c5622827d6f58c727cf08",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\nset -e\n\nif [ -z \"${IMAGE_URL}\" ] || [ -z \"${IMAGE_DIGEST}\" ]; then\n  echo 'No image-url or image-digest param provided. Skipping upload.'\n  exit 0\nfi\n\nUPLOAD_FILES=\"shellcheck-results.sarif excluded-findings.json\"\n\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n  if [ ! -f \"${UPLOAD_FILE}\" ]; then\n    echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n    continue\n  fi\n\n  # Determine the media type based on the file extension\n  if [[ \"${UPLOAD_FILE}\" == *.json ]]; then\n    MEDIA_TYPE=\"application/json\"\n  else\n    MEDIA_TYPE=\"application/sarif+json\"\n  fi\n\n  echo \"Selecting auth\"\n  select-oci-auth \"$IMAGE_URL\" \u003e\"$HOME/auth.json\"\n  echo \"Attaching to ${IMAGE_URL}\"\n  if ! retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"; then\n    echo \"Failed to attach ${UPLOAD_FILE} to ${IMAGE_URL}\"\n    exit 1\n  fi\ndone\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/var/workdir/source"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "emptyDir": {},
                            "name": "workdir"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/sample-multi-component?rev=bfc20b4e77f447e1d61efd741eb0ec572322efad",
                    "build.appstudio.redhat.com/commit_sha": "bfc20b4e77f447e1d61efd741eb0ec572322efad",
                    "build.appstudio.redhat.com/pull_request_number": "34016",
                    "build.appstudio.redhat.com/target_branch": "multi-component-base-jzrdyy",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "multi-component-base-jzrdyy",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85919828220",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ilmovz",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://localhost:9443/ns/build-e2e-cgrq/pipelinerun/python-component-hdgtwb-on-pull-request-w4fxw",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"multi-component-base-jzrdyy\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-hdgtwb-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-hdgtwb-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "34016",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/sample-multi-component",
                    "pipelinesascode.tekton.dev/repository": "github-com-redhat-appstudio-qe-sample-multi-component",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "bfc20b4e77f447e1d61efd741eb0ec572322efad",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update python-component-hdgtwb",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/sample-multi-component/commit/bfc20b4e77f447e1d61efd741eb0ec572322efad",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-python-component-hdgtwb",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/sample-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "sample-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "build-e2e-cgrq/results/026f62d7-4b9d-4e0a-b4dd-7d8f5221cdae/records/2cbe5a02-d5aa-4ee9-9f0e-fb6359cf1d7b",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"sample-multi-component\",\"commit\":\"bfc20b4e77f447e1d61efd741eb0ec572322efad\",\"eventType\":\"pull_request\",\"pull_request-id\":34016}",
                    "results.tekton.dev/result": "build-e2e-cgrq/results/026f62d7-4b9d-4e0a-b4dd-7d8f5221cdae",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-python-component-hdgtwb"
                },
                "creationTimestamp": "2026-07-08T16:11:20Z",
                "deletionGracePeriodSeconds": 0,
                "deletionTimestamp": "2026-07-08T16:13:24Z",
                "finalizers": [
                    "results.tekton.dev/taskrun"
                ],
                "generation": 2,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "build-suite-positive-mc-uwfd",
                    "appstudio.openshift.io/component": "python-component-hdgtwb",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "85919828220",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-hdgtwb-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "34016",
                    "pipelinesascode.tekton.dev/repository": "github-com-redhat-appstudio-qe-sample-multi-component",
                    "pipelinesascode.tekton.dev/sha": "bfc20b4e77f447e1d61efd741eb0ec572322efad",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "sample-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-hdgtwb-on-pull-request-w4fxw",
                    "tekton.dev/pipelineRun": "python-component-hdgtwb-on-pull-request-w4fxw",
                    "tekton.dev/pipelineRunUID": "026f62d7-4b9d-4e0a-b4dd-7d8f5221cdae",
                    "tekton.dev/pipelineTask": "tpa-scan",
                    "tekton.dev/task": "tpa-scan",
                    "test.appstudio.openshift.io/pr-group-sha": "8de675c46c76ff37c178c9ad73d027d5c09461b2e7ee76c218df8b9378954e"
                },
                "name": "python-component-hdgtwb-on-pull-request-w4fxw-tpa-scan",
                "namespace": "build-e2e-cgrq",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-hdgtwb-on-pull-request-w4fxw",
                        "uid": "026f62d7-4b9d-4e0a-b4dd-7d8f5221cdae"
                    }
                ],
                "resourceVersion": "32667",
                "uid": "2cbe5a02-d5aa-4ee9-9f0e-fb6359cf1d7b"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:8b1c005b02a15c6340d90e305991a1481c0f4197b8fc97b3aa0dde457a7b145c"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/build-e2e-cgrq/python-component-hdgtwb:on-pr-bfc20b4e77f447e1d61efd741eb0ec572322efad"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-hdgtwb",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "tpa-scan"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-tpa-scan:0.1@sha256:8375c9e4ee2ee417881120187be1281c50b85a8b23d8d24785e1dc96a3018c8e"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-08T16:11:45Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-08T16:11:45Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-hdgtwb-on-pull-request-w4fxw-tpa-scan-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "8375c9e4ee2ee417881120187be1281c50b85a8b23d8d24785e1dc96a3018c8e"
                        },
                        "entryPoint": "tpa-scan",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-tpa-scan"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/build-e2e-cgrq/python-component-hdgtwb:on-pr-bfc20b4e77f447e1d61efd741eb0ec572322efad\", \"digests\": [\"sha256:8b1c005b02a15c6340d90e305991a1481c0f4197b8fc97b3aa0dde457a7b145c\"]}}\n"
                    },
                    {
                        "name": "REPORTS",
                        "type": "string",
                        "value": "{\"sha256:8b1c005b02a15c6340d90e305991a1481c0f4197b8fc97b3aa0dde457a7b145c\":\"sha256:9a5005b9b984e78bad4a66cdc3fd8752e5eb1ddd70e2e9a5eb5894e61c8fa057\"}\n"
                    },
                    {
                        "name": "SCAN_OUTPUT",
                        "type": "string",
                        "value": "{\"vulnerabilities\":{\"critical\":5,\"high\":49,\"medium\":92,\"low\":15,\"unknown\":0},\"unpatched_vulnerabilities\":{\"critical\":0,\"high\":0,\"medium\":0,\"low\":0,\"unknown\":0}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-08T16:11:44+00:00\",\"note\":\"Task tpa-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by TPA.\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-08T16:11:21Z",
                "steps": [
                    {
                        "container": "step-get-vulnerabilities",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:724ecf16a1fc9b51a1b20c91c5125556c53d471d0d8db1648d2404e4715f204e",
                        "name": "get-vulnerabilities",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://a3428326442def9b670ad7ad385f8d8aa33637300cea15abee6656b989c3025e",
                            "exitCode": 0,
                            "finishedAt": "2026-07-08T16:11:39Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-08T16:11:28Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-oci-attach-report",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:1abfe4e50d4e961d0fd9790202565f93ee650fe8dfc50932c94989acba10485f",
                        "name": "oci-attach-report",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://7edbee7139922c6324d76623dd07d0d01e8cc26cb4864818235a1e8e68b28b63",
                            "exitCode": 0,
                            "finishedAt": "2026-07-08T16:11:42Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-08T16:11:39Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-conftest-vulnerabilities",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:deabe80a01dca3a8a0edb709324e30cbf0baa176f7a181bbb695323f506f7aac",
                        "name": "conftest-vulnerabilities",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://b418b67a684b25d43943bef7b79b11911dd49f67a7194839b579e77a2aed5b6b",
                            "exitCode": 0,
                            "finishedAt": "2026-07-08T16:11:44Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/build-e2e-cgrq/python-component-hdgtwb:on-pr-bfc20b4e77f447e1d61efd741eb0ec572322efad\\\", \\\"digests\\\": [\\\"sha256:8b1c005b02a15c6340d90e305991a1481c0f4197b8fc97b3aa0dde457a7b145c\\\"]}}\\n\",\"type\":1},{\"key\":\"REPORTS\",\"value\":\"{\\\"sha256:8b1c005b02a15c6340d90e305991a1481c0f4197b8fc97b3aa0dde457a7b145c\\\":\\\"sha256:9a5005b9b984e78bad4a66cdc3fd8752e5eb1ddd70e2e9a5eb5894e61c8fa057\\\"}\\n\",\"type\":1},{\"key\":\"SCAN_OUTPUT\",\"value\":\"{\\\"vulnerabilities\\\":{\\\"critical\\\":5,\\\"high\\\":49,\\\"medium\\\":92,\\\"low\\\":15,\\\"unknown\\\":0},\\\"unpatched_vulnerabilities\\\":{\\\"critical\\\":0,\\\"high\\\":0,\\\"medium\\\":0,\\\"low\\\":0,\\\"unknown\\\":0}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-08T16:11:44+00:00\\\",\\\"note\\\":\\\"Task tpa-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by TPA.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-08T16:11:42Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans container images for vulnerabilities using the TPA vulnerability scanner, by comparing the components of container image against the vulnerability databases.",
                    "params": [
                        {
                            "description": "Image digest to scan.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The platform which will be scanned by this task.",
                            "name": "image-platform",
                            "type": "string"
                        },
                        {
                            "default": "https://exhort.stage.devshift.net/api/v5/analysis",
                            "description": "The url of the TPA instance which will be used for scanning.",
                            "name": "tpa-url",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "If true, skips uploading the results to the image registry. Useful for read-only tests.",
                            "name": "skip-oci-attach-report",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "TPA scan result.",
                            "name": "SCAN_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        },
                        {
                            "description": "Mapping of image digests to report digests",
                            "name": "REPORTS",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "volumeMounts": [
                            {
                                "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                "name": "trusted-ca",
                                "readOnly": true,
                                "subPath": "ca-bundle.crt"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "800m",
                                    "memory": "2Gi"
                                },
                                "requests": {
                                    "cpu": "800m",
                                    "memory": "2Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/build-e2e-cgrq/python-component-hdgtwb:on-pr-bfc20b4e77f447e1d61efd741eb0ec572322efad"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:8b1c005b02a15c6340d90e305991a1481c0f4197b8fc97b3aa0dde457a7b145c"
                                },
                                {
                                    "name": "IMAGE_PLATFORM"
                                },
                                {
                                    "name": "TPA_URL",
                                    "value": "https://exhort.stage.devshift.net/api/v5/analysis"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.53@sha256:724ecf16a1fc9b51a1b20c91c5125556c53d471d0d8db1648d2404e4715f204e",
                            "imagePullPolicy": "Always",
                            "name": "get-vulnerabilities",
                            "script": "#!/usr/bin/env bash\n\nset -o nounset\nset -o pipefail\n# shellcheck source=/utils.sh\n. /utils.sh\n\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo $imagewithouttag@$IMAGE_DIGEST)\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\n\necho \"Inspecting raw image manifest $imageanddigest.\"\n# Get the arch and image manifests by inspecting the image. This is mainly for identifying image indexes\necho \"Selecting auth\"\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"${imageanddigest}\" \u003e/tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\nimage_manifests=$(get_image_manifests -i \"${imageanddigest}\")\nif [ -n \"$image_manifests\" ]; then\n  echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"' | while read -r arch arch_sha; do\n    echo \"$arch_sha\" \u003e /tekton/home/image-manifest-$arch.sha\n  done\nelse\n  echo \"Failed to get image manifests from image \\\"$imageanddigest\\\"\"\n  note=\"Task tpa-scan failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n  echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\n\ntpa_scan() {\n  local sbom_file=${1}\n  local arch=${2}\n  local sbom_format\n\n  sbom_format=$(jq -r 'if .bomFormat == \"CycloneDX\" then \"cyclonedx\" else \"spdx\" end' \u003c \"${sbom_file}\")\n  retry curl -f --show-error -L -X POST -T \"${sbom_file}\" -H \"Content-Type:application/vnd.${sbom_format}+json\" \"${TPA_URL}\" | tee  \"tpa-report-${arch}.json\";\n}\n\nrun_tpa_on_arch() {\n  local arch=\"$1\"\n  local sha_file=\"image-manifest-${arch}.sha\"\n  local sbom_file_path=\"/tmp/sbom-${arch}.json\"\n  local arch_sha=\"\"\n\n  if [ -e \"${sha_file}\" ]; then\n    arch_sha=$(\u003c\"${sha_file}\")\n    arch_imageanddigest=$(echo -n \"${imagewithouttag}@${arch_sha}\")\n  else\n    echo \"Couldn't find the SHA file for the requested architecture.\"\n    exit 1\n  fi\n\n  echo \"Selecting auth\"\n  mkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"${arch_imageanddigest}\" \u003e/tmp/auth/config.json\n  export DOCKER_CONFIG=/tmp/auth\n\n  # Attempt to download the SBOM file via cosign\n\n  if ! retry cosign download sbom \"${arch_imageanddigest}\" \u003e \"${sbom_file_path}\"; then\n    echo \"Unable to download SBOM for the architecture ${arch}.\"\n    exit 1\n  fi\n\n  if [ -e \"${sbom_file_path}\" ]; then\n    local arch_sha\n    arch_sha=$(\u003c\"$sha_file\")\n\n    echo \"Running TPA scan on $arch image manifest...\"\n    tpa_scan \"${sbom_file_path}\" \"$arch\" || true\n\n    digests_processed+=(\"\\\"$arch_sha\\\"\")\n  else\n    echo \"Couldn't find the SBOM file for the requested ${arch} architecture.\"\n    exit 1\n  fi\n}\n\nplatform=\"${IMAGE_PLATFORM}\"\n\n# If a platform is specified, extract the architecture and run the tpa scan on the corresponding image manifest\nif [ -n \"$platform\" ]; then\n  arch=\"${platform#*/}\"\n  if [ \"$arch\" = \"x86_64\" ] || [ \"$arch\" = \"local\" ] || [ \"$arch\" = \"localhost\" ]; then\n    arch=\"amd64\"\n  fi\n  # Validate against supported arch list. If it's not a known arch, fallback to amd64\n  case \"$arch\" in\n    amd64|ppc64le|arm64|s390x)\n      ;;\n    *)\n      echo \"Error: Unsupported or malformed architecture: '$arch' (parsed from platform: '$platform')\"\n      exit 1\n      ;;\n  esac\n\n  run_tpa_on_arch \"$arch\"\n\n# If no platform is specified, run TPA scan on all available image manifests\nelse\n  for sha_file in image-manifest-*.sha; do\n    if [ -e \"$sha_file\" ]; then\n      arch=$(basename \"$sha_file\" | sed 's/image-manifest-//;s/.sha//')\n      run_tpa_on_arch \"$arch\"\n    fi\n  done\nfi\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n  digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\n\nimages_processed=$(echo \"${images_processed_template/\\[%s]/[$digests_processed_string]}\")\necho \"$images_processed\" \u003e images-processed.json\n",
                            "workingDir": "/tekton/home"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SKIP_OCI_ATTACH_REPORT",
                                    "value": "false"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/build-e2e-cgrq/python-component-hdgtwb:on-pr-bfc20b4e77f447e1d61efd741eb0ec572322efad"
                                }
                            ],
                            "image": "quay.io/konflux-ci/task-runner:1.6.0@sha256:1abfe4e50d4e961d0fd9790202565f93ee650fe8dfc50932c94989acba10485f",
                            "name": "oci-attach-report",
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nif [ \"$SKIP_OCI_ATTACH_REPORT\" = \"true\" ]; then\n  echo 'OCI attach report skipped by parameter.'\n  echo '{}' \u003e reports.json\n  exit 0\nfi\n\nif ! compgen -G \"tpa-report-*.json\" \u003e /dev/null; then\n  echo 'No TPA reports generated. Skipping upload.'\n  echo '{}' \u003e reports.json\n  exit 0\nfi\n\nrepository=\"${IMAGE_URL/:*/}\"\n\narch() {\n  report_file=\"$1\"\n  arch=\"${report_file/*-}\"\n  echo \"${arch/.json/}\"\n}\n\nMEDIA_TYPE='application/vnd.redhat.tpa-report+json'\n\nreports_json=\"{}\"\nfor f in tpa-report-*.json; do\n  digest=$(cat \"image-manifest-$(arch \"$f\").sha\")\n  image_ref=\"${repository}@${digest}\"\n  mkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"${image_ref}\" \u003e/tmp/auth/config.json\n  export DOCKER_CONFIG=/tmp/auth\n  echo \"Attaching $f to ${image_ref}\"\n  if ! report_digest=\"$(retry oras attach --no-tty --format go-template='{{.digest}}' --registry-config \\\n    \"/tmp/auth/config.json\" --artifact-type \"${MEDIA_TYPE}\" \"${image_ref}\" \"$f:${MEDIA_TYPE}\")\"\n  then\n    echo \"Failed to attach ${f} to ${image_ref}\"\n    exit 1\n  fi\n  # shellcheck disable=SC2016\n  reports_json=\"$(yq --output-format json --indent=0 eval-all '. as $i ireduce ({}; . * $i)' \u003c(echo \"${reports_json}\") \u003c(echo \"${digest}: ${report_digest}\"))\"\ndone\necho \"${reports_json}\" \u003e reports.json\n",
                            "workingDir": "/tekton/home"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/redhat-user-workloads/rhtap-integration-tenant/konflux-test:v1.4.52@sha256:deabe80a01dca3a8a0edb709324e30cbf0baa176f7a181bbb695323f506f7aac",
                            "name": "conftest-vulnerabilities",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\ntpa_result_files=$(ls /tekton/home/tpa-report-*.json 2\u003e/dev/null || true)\nif [ -z \"$tpa_result_files\" ]; then\n  echo \"Previous step [get-vulnerabilities] failed: No tpa-report files found in /tekton/home.\"\n  exit 1\nfi\n\nmissing_vulnerabilities_files=\"\"\nfor file in $tpa_result_files; do\n  file_suffix=$(basename \"$file\" | sed 's/tpa-report-//;s/.json//')\n  if [ ! -s \"$file\" ]; then\n    echo \"Previous step [get-vulnerabilities] failed: $file is empty.\"\n  else\n    /usr/bin/conftest test --no-fail $file \\\n    --policy /project/rhtpa/vulnerabilities-check.rego --namespace required_checks \\\n    --output=json | tee /tekton/home/tpa-vulnerabilities-\"${file_suffix}\".json || true\n  fi\n\n  #check for missing \"tpa-vulnerabilities-\u003carch\u003e/image-index\" file and create a string\n  if [ ! -f \"/tekton/home/tpa-vulnerabilities-$file_suffix.json\" ]; then\n    missing_vulnerabilities_files+=\"${missing_vulnerabilities_files:+, }/tekton/home/tpa-vulnerabilities-$file_suffix.json\"\n  fi\ndone\n\nif [ -n \"$missing_vulnerabilities_files\" ]; then\n  note=\"Task tpa-scan failed: $missing_vulnerabilities_files did not generate. For details, check Tekton task log.\"\n  TEST_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n  echo \"$missing_vulnerabilities_files did not generate correctly. For details, check conftest command in Tekton task log.\"\n  echo \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT\n  exit 0\nfi\n\nscan_result='{\"vulnerabilities\":{\"critical\":0, \"high\":0, \"medium\":0, \"low\":0, \"unknown\":0}, \"unpatched_vulnerabilities\":{\"critical\":0, \"high\":0, \"medium\":0, \"low\":0, \"unknown\":0}}'\nfor file in /tekton/home/tpa-vulnerabilities-*.json; do\n    result=$(jq -rce \\\n        '{\n            vulnerabilities:{\n              critical: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_critical_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              high: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_high_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              medium: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_medium_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              low: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_low_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              unknown: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_unknown_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0)\n            },\n            unpatched_vulnerabilities:{\n              critical: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_unpatched_critical_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              high: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_unpatched_high_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              medium: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_unpatched_medium_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              low: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_unpatched_low_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              unknown: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_unpatched_unknown_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0)\n            }\n        }' \"$file\")\n\n    scan_result=$(jq -s -rce \\\n          '.[0].vulnerabilities.critical += .[1].vulnerabilities.critical |\n          .[0].vulnerabilities.high += .[1].vulnerabilities.high |\n          .[0].vulnerabilities.medium += .[1].vulnerabilities.medium |\n          .[0].vulnerabilities.low += .[1].vulnerabilities.low |\n          .[0].vulnerabilities.unknown += .[1].vulnerabilities.unknown |\n          .[0].unpatched_vulnerabilities.critical += .[1].unpatched_vulnerabilities.critical |\n          .[0].unpatched_vulnerabilities.high += .[1].unpatched_vulnerabilities.high |\n          .[0].unpatched_vulnerabilities.medium += .[1].unpatched_vulnerabilities.medium |\n          .[0].unpatched_vulnerabilities.low += .[1].unpatched_vulnerabilities.low |\n          .[0].unpatched_vulnerabilities.unknown += .[1].unpatched_vulnerabilities.unknown |\n          .[0]' \u003c\u003c\u003c\"$scan_result $result\")\ndone\n\necho \"$scan_result\" | tee \"/tekton/results/SCAN_OUTPUT\"\n\ncat /tekton/home/images-processed.json | tee /tekton/results/IMAGES_PROCESSED\n# shellcheck disable=SC2154\ncat /tekton/home/reports.json \u003e \"/tekton/results/REPORTS\"\n\nnote=\"Task tpa-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by TPA.\"\nTEST_OUTPUT=$(make_result_json -r \"SUCCESS\" -t \"$note\")\necho \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            }
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.redhat.com/nudged-components": "gh-multi-component-child-jqzf",
                    "build.appstudio.redhat.com/nudging-commit": "build-nudge-parent-fsxlvo?rev=5dca2567dd136d66b4ffc4b31811e9848fa0abe5",
                    "build.appstudio.redhat.com/nudging-component": "gh-multi-component-parent-jqzf",
                    "build.appstudio.redhat.com/nudging-image": "quay.io/redhat-appstudio-qe/build-e2e-hekd/gh-multi-component-parent-jqzf:5dca2567dd136d66b4ffc4b31811e9848fa0abe5",
                    "build.appstudio.redhat.com/nudging-pipeline": "gh-multi-component-parent-jqzf-on-push-x2vsq",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "build-e2e-hekd/results/74fa95c2-940b-47d8-bf1b-5094fb9aba41/records/9914c35c-7117-4447-9fab-3a763fe0a3f0",
                    "results.tekton.dev/result": "build-e2e-hekd/results/74fa95c2-940b-47d8-bf1b-5094fb9aba41",
                    "results.tekton.dev/stored": "true"
                },
                "creationTimestamp": "2026-07-08T15:59:24Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "tekton-pipelines",
                    "build.appstudio.redhat.com/type": "nudge",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "renovate-pipeline-1783526364-da281",
                    "tekton.dev/pipelineRun": "renovate-pipeline-1783526364-da281",
                    "tekton.dev/pipelineRunUID": "74fa95c2-940b-47d8-bf1b-5094fb9aba41",
                    "tekton.dev/pipelineTask": "renovate"
                },
                "name": "renovate-pipeline-1783526364-da281-renovate",
                "namespace": "build-e2e-hekd",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "renovate-pipeline-1783526364-da281",
                        "uid": "74fa95c2-940b-47d8-bf1b-5094fb9aba41"
                    }
                ],
                "resourceVersion": "24372",
                "uid": "9914c35c-7117-4447-9fab-3a763fe0a3f0"
            },
            "spec": {
                "serviceAccountName": "build-pipeline-gh-multi-component-parent-jqzf",
                "taskSpec": {
                    "steps": [
                        {
                            "command": [
                                "bash",
                                "-c",
                                "RENOVATE_X_GITLAB_MERGE_REQUEST_DELAY=5000 RENOVATE_X_GITLAB_AUTO_MERGEABLE_CHECK_ATTEMPS=11 RENOVATE_PR_HOURLY_LIMIT=0 RENOVATE_PR_CONCURRENT_LIMIT=0 RENOVATE_TOKEN=$TOKEN_f477db5673 RENOVATE_CONFIG_FILE=/configs/gh-multi-component-child-jqzf-66046.json RENOVATE_HOST_RULES=\"[{'matchHost':'quay.io','username':'redhat-appstudio-qe+build_e2e_hekd_gh_multi_component_parent_jqzf_8997e721af','password':'${TOKEN_b2b8541cd6}'}]\" renovate"
                            ],
                            "computeResources": {},
                            "env": [
                                {
                                    "name": "LOG_LEVEL",
                                    "value": "debug"
                                }
                            ],
                            "envFrom": [
                                {
                                    "prefix": "TOKEN_",
                                    "secretRef": {
                                        "name": "renovate-pipeline-1783526364-da281"
                                    }
                                }
                            ],
                            "image": "quay.io/konflux-ci/mintmaker-renovate-image:29a2f31",
                            "name": "renovate",
                            "securityContext": {
                                "allowPrivilegeEscalation": false,
                                "capabilities": {
                                    "drop": [
                                        "ALL"
                                    ]
                                },
                                "runAsNonRoot": true,
                                "seccompProfile": {
                                    "type": "RuntimeDefault"
                                }
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/configs",
                                    "name": "renovate-pipeline-1783526364-da281"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "name": "renovate-pipeline-1783526364-da281"
                            },
                            "name": "renovate-pipeline-1783526364-da281"
                        }
                    ]
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-08T16:02:46Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-08T16:02:46Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "renovate-pipeline-1783526364-da281-renovate-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    }
                },
                "startTime": "2026-07-08T15:59:26Z",
                "steps": [
                    {
                        "container": "step-renovate",
                        "imageID": "quay.io/konflux-ci/mintmaker-renovate-image@sha256:67d26b20533790565a2949a3f732d595dda9378fea506f1cba88ca17cef13873",
                        "name": "renovate",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://762e8d0c9c8b2ba5c4c226baa0ac7bae542c2f328aefa11d637c7ae434abaf5d",
                            "exitCode": 0,
                            "finishedAt": "2026-07-08T16:02:46Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-08T16:02:32Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "steps": [
                        {
                            "command": [
                                "bash",
                                "-c",
                                "RENOVATE_X_GITLAB_MERGE_REQUEST_DELAY=5000 RENOVATE_X_GITLAB_AUTO_MERGEABLE_CHECK_ATTEMPS=11 RENOVATE_PR_HOURLY_LIMIT=0 RENOVATE_PR_CONCURRENT_LIMIT=0 RENOVATE_TOKEN=$TOKEN_f477db5673 RENOVATE_CONFIG_FILE=/configs/gh-multi-component-child-jqzf-66046.json RENOVATE_HOST_RULES=\"[{'matchHost':'quay.io','username':'redhat-appstudio-qe+build_e2e_hekd_gh_multi_component_parent_jqzf_8997e721af','password':'${TOKEN_b2b8541cd6}'}]\" renovate"
                            ],
                            "computeResources": {},
                            "env": [
                                {
                                    "name": "LOG_LEVEL",
                                    "value": "debug"
                                }
                            ],
                            "envFrom": [
                                {
                                    "prefix": "TOKEN_",
                                    "secretRef": {
                                        "name": "renovate-pipeline-1783526364-da281"
                                    }
                                }
                            ],
                            "image": "quay.io/konflux-ci/mintmaker-renovate-image:29a2f31",
                            "name": "renovate",
                            "securityContext": {
                                "allowPrivilegeEscalation": false,
                                "capabilities": {
                                    "drop": [
                                        "ALL"
                                    ]
                                },
                                "runAsNonRoot": true,
                                "seccompProfile": {
                                    "type": "RuntimeDefault"
                                }
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/configs",
                                    "name": "renovate-pipeline-1783526364-da281"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "name": "renovate-pipeline-1783526364-da281"
                            },
                            "name": "renovate-pipeline-1783526364-da281"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/devfile-sample-hello-world-bwbcqf?rev=0b8966f654b92a5d9a54563e7d992d5da5ffb987",
                    "build.appstudio.redhat.com/commit_sha": "0b8966f654b92a5d9a54563e7d992d5da5ffb987",
                    "build.appstudio.redhat.com/target_branch": "base-zmwpiw",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "base-zmwpiw",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "85920088888",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "incoming",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-tlgpcf",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://localhost:9443/ns/build-e2e-tgco/pipelinerun/gh-test-custom-branch-yzhzel-on-push-rjfkj",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"base-zmwpiw\"",
                    "pipelinesascode.tekton.dev/original-prname": "gh-test-custom-branch-yzhzel-on-push",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/devfile-sample-hello-world-bwbcqf",
                    "pipelinesascode.tekton.dev/repository": "github-com-redhat-appstudio-qe-devfile-sample-hello-world-bwbcqf",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "incoming",
                    "pipelinesascode.tekton.dev/sha": "0b8966f654b92a5d9a54563e7d992d5da5ffb987",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/devfile-sample-hello-world-bwbcqf/commit/0b8966f654b92a5d9a54563e7d992d5da5ffb987",
                    "pipelinesascode.tekton.dev/source-branch": "base-zmwpiw",
                    "pipelinesascode.tekton.dev/source-repo-url": "",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "devfile-sample-hello-world-bwbcqf",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "build-e2e-tgco/results/581f53f1-956b-4f98-81ae-87512432087f/records/026419eb-8db9-4c43-b342-07d2f0cd4bc8",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"devfile-sample-hello-world-bwbcqf\",\"commit\":\"0b8966f654b92a5d9a54563e7d992d5da5ffb987\",\"eventType\":\"incoming\"}",
                    "results.tekton.dev/result": "build-e2e-tgco/results/581f53f1-956b-4f98-81ae-87512432087f",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux"
                },
                "creationTimestamp": "2026-07-08T16:11:47Z",
                "deletionGracePeriodSeconds": 0,
                "deletionTimestamp": "2026-07-08T16:13:15Z",
                "finalizers": [
                    "results.tekton.dev/taskrun"
                ],
                "generation": 2,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "build-suite-test-application-arnl",
                    "appstudio.openshift.io/component": "gh-test-custom-branch-yzhzel",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "85920088888",
                    "pipelinesascode.tekton.dev/event-type": "incoming",
                    "pipelinesascode.tekton.dev/original-prname": "gh-test-custom-branch-yzhzel-on-push",
                    "pipelinesascode.tekton.dev/repository": "thub-com-redhat-appstudio-qe-devfile-sample-hello-world-bwbcqf",
                    "pipelinesascode.tekton.dev/sha": "0b8966f654b92a5d9a54563e7d992d5da5ffb987",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "devfile-sample-hello-world-bwbcqf",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "gh-test-custom-branch-yzhzel-on-push-rjfkj",
                    "tekton.dev/pipelineRun": "gh-test-custom-branch-yzhzel-on-push-rjfkj",
                    "tekton.dev/pipelineRunUID": "581f53f1-956b-4f98-81ae-87512432087f",
                    "tekton.dev/pipelineTask": "deprecated-base-image-check",
                    "tekton.dev/task": "deprecated-image-check"
                },
                "name": "gh-92bb91c6d10045b0e46e15c89540f1ae-deprecated-base-image-check",
                "namespace": "build-e2e-tgco",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "gh-test-custom-branch-yzhzel-on-push-rjfkj",
                        "uid": "581f53f1-956b-4f98-81ae-87512432087f"
                    }
                ],
                "resourceVersion": "32377",
                "uid": "026419eb-8db9-4c43-b342-07d2f0cd4bc8"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE_URL",
                        "value": "quay.io/redhat-appstudio-qe/build-e2e-tgco/gh-test-custom-branch-yzhzel:0b8966f654b92a5d9a54563e7d992d5da5ffb987"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "value": "sha256:509b92556719ccd470985db3226532ff1ffd17b81d91d9cf792a64340865f112"
                    }
                ],
                "serviceAccountName": "build-pipeline-gh-test-custom-branch-yzhzel",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "deprecated-image-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.5@sha256:e78d0d3baf3c8cfc1a5ad278196b74032d9568b143a87c7a79ab780fedfb296e"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-08T16:12:02Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-08T16:12:02Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "gh-92bb91c6d10045b0e46e15c8b0f130c7b175345060e334920cd19ea8-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "e78d0d3baf3c8cfc1a5ad278196b74032d9568b143a87c7a79ab780fedfb296e"
                        },
                        "entryPoint": "deprecated-image-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/build-e2e-tgco/gh-test-custom-branch-yzhzel:0b8966f654b92a5d9a54563e7d992d5da5ffb987\", \"digests\": [\"sha256:509b92556719ccd470985db3226532ff1ffd17b81d91d9cf792a64340865f112\"]}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"WARNING\",\"timestamp\":\"2026-07-08T16:12:02+00:00\",\"note\":\"Task deprecated-image-check completed: Check result for task result.\",\"namespace\":\"required_checks\",\"successes\":0,\"failures\":0,\"warnings\":1}\n"
                    }
                ],
                "startTime": "2026-07-08T16:11:47Z",
                "steps": [
                    {
                        "container": "step-check-images",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:724ecf16a1fc9b51a1b20c91c5125556c53d471d0d8db1648d2404e4715f204e",
                        "name": "check-images",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://cd7c270297ef295bda554d2e158ff1b29145b1113dcdfeb0ebda483bbae910c8",
                            "exitCode": 0,
                            "finishedAt": "2026-07-08T16:12:02Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/build-e2e-tgco/gh-test-custom-branch-yzhzel:0b8966f654b92a5d9a54563e7d992d5da5ffb987\\\", \\\"digests\\\": [\\\"sha256:509b92556719ccd470985db3226532ff1ffd17b81d91d9cf792a64340865f112\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"WARNING\\\",\\\"timestamp\\\":\\\"2026-07-08T16:12:02+00:00\\\",\\\"note\\\":\\\"Task deprecated-image-check completed: Check result for task result.\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":1}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-08T16:11:55Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Identifies the unmaintained and potentially insecure deprecated base images. Pyxis API collects metadata from image repository, and Conftest applies supplied policy to identify the deprecated images using that metadata.",
                    "params": [
                        {
                            "default": "/project/repository/",
                            "description": "Path to directory containing Conftest policies.",
                            "name": "POLICY_DIR",
                            "type": "string"
                        },
                        {
                            "default": "required_checks",
                            "description": "Namespace for Conftest policy.",
                            "name": "POLICY_NAMESPACE",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Digests of base build images.",
                            "name": "BASE_IMAGES_DIGESTS",
                            "type": "string"
                        },
                        {
                            "description": "Fully qualified image name.",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "Image digest.",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "POLICY_DIR",
                                    "value": "/project/repository/"
                                },
                                {
                                    "name": "POLICY_NAMESPACE",
                                    "value": "required_checks"
                                },
                                {
                                    "name": "BASE_IMAGES_DIGESTS"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/build-e2e-tgco/gh-test-custom-branch-yzhzel:0b8966f654b92a5d9a54563e7d992d5da5ffb987"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:509b92556719ccd470985db3226532ff1ffd17b81d91d9cf792a64340865f112"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.53@sha256:724ecf16a1fc9b51a1b20c91c5125556c53d471d0d8db1648d2404e4715f204e",
                            "name": "check-images",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n# shellcheck disable=SC1091 # /utils.sh is only available in the container image at runtime\nsource /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nIMAGES_TO_BE_PROCESSED_PATH=\"/tmp/images_to_be_processed.txt\"\ntouch /tmp/images_to_be_processed.txt\n\nsuccess_counter=0\nfailure_counter=0\nerror_counter=0\nwarnings_counter=0\n\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\n\nimagewithouttag=$(echo -n \"$IMAGE_URL\" | sed \"s/\\(.*\\):.*/\\1/\")\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=\"${imagewithouttag}@${IMAGE_DIGEST}\"\n\n# Get the arch and image manifests by inspecting the image. This is mainly for identifying image indexes\nimage_manifests=$(get_image_manifests -i \"${imageanddigest}\")\nif [ -n \"$image_manifests\" ]; then\n  while read -r arch arch_sha; do\n    SBOM_FILE_PATH=\"/tmp/sbom-${arch}.json\"\n    arch_imageanddigest=\"${imagewithouttag}@${arch_sha}\"\n\n    # Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\n    mkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"${arch_imageanddigest}\" \u003e/tmp/auth/config.json\n    export DOCKER_CONFIG=/tmp/auth\n\n    # Get base images from SBOM\n    if ! cosign download sbom \"$arch_imageanddigest\" \u003e \"${SBOM_FILE_PATH}\"; then\n      echo \"Unable to download sbom for arch $arch.\"\n      continue\n    fi\n\n    \u003c \"${SBOM_FILE_PATH}\" jq -r '\n        if .bomFormat == \"CycloneDX\" then\n            .formulation[]?\n            | .components[]?\n            | select(any(.properties[]?; .name | test(\"^konflux:container:is_(base|builder)_image\")))\n            | (\n                .purl\n                | capture(\"^pkg:oci/.*?@(?\u003cdigest\u003e[a-z0-9]+:[a-f0-9]+)(?:\\\\?[^#]*repository_url=(?\u003crepository_url\u003e[^\u0026#]*))?\")\n              ) as $matched\n            | $matched.repository_url\n        else\n            .packages[]\n            | select(any(.annotations[]?.comment; (fromjson?).name? | test(\"^konflux:container:is_(base|builder)_image\")?))\n            | [.externalRefs[]? | select(.referenceType == \"purl\").referenceLocator] as $purls\n            | (\n                $purls | first\n                | capture(\"^pkg:oci/.*?@(?\u003cdigest\u003e[a-z0-9]+:[a-f0-9]+)(?:\\\\?[^#]*repository_url=(?\u003crepository_url\u003e[^\u0026#]*))?\")\n              ) as $matched\n            | $matched.repository_url\n        end\n    ' \u003e\u003e \"${IMAGES_TO_BE_PROCESSED_PATH}\"\n    echo \"Detected base images from $arch SBOM:\"\n    cat \"${IMAGES_TO_BE_PROCESSED_PATH}\"\n    echo \"\"\n\n    digests_processed+=(\"\\\"$arch_sha\\\"\")\n  done \u003c \u003c(echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"')\nelse\n  echo \"Failed to get image manifests from image \\\"$imageanddigest\\\"\"\n  note=\"Task deprecated-image-check failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n  echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n  digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\n\nif [ -n \"${BASE_IMAGES_DIGESTS}\" ];\nthen\n  echo \"Base images passed by param BASE_IMAGES_DIGESTS: $BASE_IMAGES_DIGESTS\"\n  # Get images from the parameter\n  for IMAGE_WITH_TAG in $(echo -n \"$BASE_IMAGES_DIGESTS\" | sed 's/\\\\n/\\'$'\\n''/g' );\n  do\n    echo \"$IMAGE_WITH_TAG\" | cut -d \":\" -f1 \u003e\u003e \"${IMAGES_TO_BE_PROCESSED_PATH}\"\n  done\nfi\n\n# we want to remove duplicated entries\nBASE_IMAGES=$(sort -u \"${IMAGES_TO_BE_PROCESSED_PATH}\")\n\necho \"Images to be checked:\"\necho \"$BASE_IMAGES\"\necho \"\"\n\nfor BASE_IMAGE in ${BASE_IMAGES};\ndo\n  IFS=:'/' read -r IMAGE_REGISTRY IMAGE_REPOSITORY\u003c\u003c\u003c \"$BASE_IMAGE\"\n\n  # Red Hat Catalog hack: registry.redhat.io must be queried as registry.access.redhat.com in Red Hat catalog\n  IMAGE_REGISTRY_CATALOG=$(echo \"${IMAGE_REGISTRY}\" | sed 's/^registry.redhat.io$/registry.access.redhat.com/')\n\n  export IMAGE_REPO_PATH=\"/tmp/${IMAGE_REPOSITORY}\"\n  mkdir -p \"${IMAGE_REPO_PATH}\"\n  echo \"Querying Red Hat Catalog for $BASE_IMAGE.\"\n  http_code=$(curl -s -o \"${IMAGE_REPO_PATH}/repository_data.json\" -w '%{http_code}' \"https://catalog.redhat.com/api/containers/v1/repositories/registry/${IMAGE_REGISTRY_CATALOG}/repository/${IMAGE_REPOSITORY}\")\n\n  if [ \"$http_code\" == \"200\" ];\n  then\n    echo \"Running conftest using $POLICY_DIR policy, $POLICY_NAMESPACE namespace.\"\n    /usr/bin/conftest test --no-fail \"${IMAGE_REPO_PATH}/repository_data.json\" \\\n    --policy \"$POLICY_DIR\" --namespace \"$POLICY_NAMESPACE\" \\\n    --output=json | tee \"${IMAGE_REPO_PATH}/deprecated_image_check_output.json\"\n\n    failures_num=$(jq -r '.[].failures|length' \"${IMAGE_REPO_PATH}/deprecated_image_check_output.json\")\n    if [[ \"${failures_num}\" -gt 0 ]]; then\n      echo \"[FAILURE] Image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} has been deprecated\"\n    fi\n    failure_counter=$((failure_counter+failures_num))\n\n    successes_num=$(jq -r '.[].successes' \"${IMAGE_REPO_PATH}/deprecated_image_check_output.json\")\n    if [[ \"${successes_num}\" -gt 0 ]]; then\n      echo \"[SUCCESS] Image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} is valid\"\n    fi\n    success_counter=$((success_counter+successes_num))\n\n  elif [ \"$http_code\" == \"404\" ];\n  then\n    echo \"[WARNING] Registry/image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} not found in Red Hat Catalog. Task cannot provide results if image is deprecated.\"\n    warnings_counter=$((warnings_counter+1))\n  else\n    echo \"[ERROR] Unexpected error (HTTP code: ${http_code}) occurred for registry/image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY}.\"\n    error_counter=$((error_counter+1))\n  fi\ndone\n\nnote=\"Task deprecated-image-check failed: Command conftest failed. For details, check Tekton task log.\"\nERROR_OUTPUT=$(make_result_json -r ERROR -n \"$POLICY_NAMESPACE\" -t \"$note\")\n\nnote=\"Task deprecated-image-check completed: Check result for task result.\"\nif [[ \"$error_counter\" == 0 ]];\nthen\n  if [[ \"${failure_counter}\" -gt 0 ]]; then\n    RES=\"FAILURE\"\n  elif [[ \"${warnings_counter}\" -gt 0 ]]; then\n    RES=\"WARNING\"\n  elif [[ \"${success_counter}\" -eq 0 ]]; then\n    # when all counters are 0, there are no base images to check\n    note=\"Task deprecated-image-check success: No base images to check.\"\n    RES=\"SUCCESS\"\n  else\n    RES=\"SUCCESS\"\n  fi\n  TEST_OUTPUT=$(make_result_json \\\n    -r \"${RES}\" -n \"$POLICY_NAMESPACE\" \\\n    -s \"${success_counter}\" -f \"${failure_counter}\" -w \"${warnings_counter}\" -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee \"/tekton/results/TEST_OUTPUT\"\n\necho \"${images_processed_template/\\[%s]/[$digests_processed_string]}\" | tee \"/tekton/results/IMAGES_PROCESSED\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/devfile-sample-hello-world-bwbcqf?rev=0b8966f654b92a5d9a54563e7d992d5da5ffb987",
                    "build.appstudio.redhat.com/commit_sha": "0b8966f654b92a5d9a54563e7d992d5da5ffb987",
                    "build.appstudio.redhat.com/target_branch": "base-zmwpiw",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "base-zmwpiw",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "85920088888",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "incoming",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-tlgpcf",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://localhost:9443/ns/build-e2e-tgco/pipelinerun/gh-test-custom-branch-yzhzel-on-push-rjfkj",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"base-zmwpiw\"",
                    "pipelinesascode.tekton.dev/original-prname": "gh-test-custom-branch-yzhzel-on-push",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/devfile-sample-hello-world-bwbcqf",
                    "pipelinesascode.tekton.dev/repository": "github-com-redhat-appstudio-qe-devfile-sample-hello-world-bwbcqf",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "incoming",
                    "pipelinesascode.tekton.dev/sha": "0b8966f654b92a5d9a54563e7d992d5da5ffb987",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/devfile-sample-hello-world-bwbcqf/commit/0b8966f654b92a5d9a54563e7d992d5da5ffb987",
                    "pipelinesascode.tekton.dev/source-branch": "base-zmwpiw",
                    "pipelinesascode.tekton.dev/source-repo-url": "",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "devfile-sample-hello-world-bwbcqf",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "build-e2e-tgco/results/581f53f1-956b-4f98-81ae-87512432087f/records/006ab85c-14bd-49f4-945d-3f476726c47a",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"devfile-sample-hello-world-bwbcqf\",\"commit\":\"0b8966f654b92a5d9a54563e7d992d5da5ffb987\",\"eventType\":\"incoming\"}",
                    "results.tekton.dev/result": "build-e2e-tgco/results/581f53f1-956b-4f98-81ae-87512432087f",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "virus, konflux"
                },
                "creationTimestamp": "2026-07-08T16:11:47Z",
                "deletionGracePeriodSeconds": 0,
                "deletionTimestamp": "2026-07-08T16:13:15Z",
                "finalizers": [
                    "results.tekton.dev/taskrun"
                ],
                "generation": 2,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "build-suite-test-application-arnl",
                    "appstudio.openshift.io/component": "gh-test-custom-branch-yzhzel",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "85920088888",
                    "pipelinesascode.tekton.dev/event-type": "incoming",
                    "pipelinesascode.tekton.dev/original-prname": "gh-test-custom-branch-yzhzel-on-push",
                    "pipelinesascode.tekton.dev/repository": "thub-com-redhat-appstudio-qe-devfile-sample-hello-world-bwbcqf",
                    "pipelinesascode.tekton.dev/sha": "0b8966f654b92a5d9a54563e7d992d5da5ffb987",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "devfile-sample-hello-world-bwbcqf",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "gh-test-custom-branch-yzhzel-on-push-rjfkj",
                    "tekton.dev/pipelineRun": "gh-test-custom-branch-yzhzel-on-push-rjfkj",
                    "tekton.dev/pipelineRunUID": "581f53f1-956b-4f98-81ae-87512432087f",
                    "tekton.dev/pipelineTask": "clamav-scan",
                    "tekton.dev/task": "clamav-scan-min"
                },
                "name": "gh-test-custom-branch-yzhzel-on-push-rjfkj-clamav-scan",
                "namespace": "build-e2e-tgco",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "gh-test-custom-branch-yzhzel-on-push-rjfkj",
                        "uid": "581f53f1-956b-4f98-81ae-87512432087f"
                    }
                ],
                "resourceVersion": "32397",
                "uid": "006ab85c-14bd-49f4-945d-3f476726c47a"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:509b92556719ccd470985db3226532ff1ffd17b81d91d9cf792a64340865f112"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/build-e2e-tgco/gh-test-custom-branch-yzhzel:0b8966f654b92a5d9a54563e7d992d5da5ffb987"
                    }
                ],
                "serviceAccountName": "build-pipeline-gh-test-custom-branch-yzhzel",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "clamav-scan-min"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-clamav-scan-min:0.3@sha256:908e356d7a3bc3e472a9075a1ce1370486361007b3a86e3f61c2a6af7136a335"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-08T16:12:52Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-08T16:12:52Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "gh-test-custom-branch-yzhzel-on-push-rjfkj-clamav-scan-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "908e356d7a3bc3e472a9075a1ce1370486361007b3a86e3f61c2a6af7136a335"
                        },
                        "entryPoint": "clamav-scan-min",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-clamav-scan-min"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/build-e2e-tgco/gh-test-custom-branch-yzhzel:0b8966f654b92a5d9a54563e7d992d5da5ffb987\", \"digests\": [\"sha256:509b92556719ccd470985db3226532ff1ffd17b81d91d9cf792a64340865f112\"]}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"timestamp\":\"1783527167\",\"namespace\":\"required_checks\",\"successes\":2,\"failures\":0,\"warnings\":0,\"result\":\"SUCCESS\",\"note\":\"All checks passed successfully\"}\n"
                    }
                ],
                "startTime": "2026-07-08T16:11:47Z",
                "steps": [
                    {
                        "container": "step-extract-and-scan-image",
                        "imageID": "quay.io/konflux-ci/clamav-db@sha256:f852c36fbe312f177d30582a06b4e8332fa7cc87b2849773b97620e7be275612",
                        "name": "extract-and-scan-image",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://420dd8c1dc36a3259cf54436c53a2f4a2ed10ebc0c65801fa6c9041b5cd18818",
                            "exitCode": 0,
                            "finishedAt": "2026-07-08T16:12:47Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/build-e2e-tgco/gh-test-custom-branch-yzhzel:0b8966f654b92a5d9a54563e7d992d5da5ffb987\\\", \\\"digests\\\": [\\\"sha256:509b92556719ccd470985db3226532ff1ffd17b81d91d9cf792a64340865f112\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1783527167\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":2,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\",\\\"note\\\":\\\"All checks passed successfully\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-08T16:11:57Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:1abfe4e50d4e961d0fd9790202565f93ee650fe8dfc50932c94989acba10485f",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://b68d89b0f21b9f740619f70a08ca246ae2048ccebefc43619978c058b2ad3170",
                            "exitCode": 0,
                            "finishedAt": "2026-07-08T16:12:51Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/build-e2e-tgco/gh-test-custom-branch-yzhzel:0b8966f654b92a5d9a54563e7d992d5da5ffb987\\\", \\\"digests\\\": [\\\"sha256:509b92556719ccd470985db3226532ff1ffd17b81d91d9cf792a64340865f112\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1783527167\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":2,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\",\\\"note\\\":\\\"All checks passed successfully\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-08T16:12:47Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans the content of container images and OCI artifacts for viruses, malware, and other malicious content using ClamAV antivirus scanner.",
                    "params": [
                        {
                            "description": "Image digest to scan.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Image arch.",
                            "name": "image-arch",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "unused",
                            "name": "docker-auth",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        },
                        {
                            "default": "8",
                            "description": "Maximum number of threads clamd runs.",
                            "name": "clamd-max-threads",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "If true, skips uploading the results to the image registry. Useful for read-only tests.",
                            "name": "skip-upload",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "512m",
                                    "memory": "3Gi"
                                },
                                "requests": {
                                    "cpu": "512m",
                                    "memory": "3Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/work"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/build-e2e-tgco/gh-test-custom-branch-yzhzel:0b8966f654b92a5d9a54563e7d992d5da5ffb987"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:509b92556719ccd470985db3226532ff1ffd17b81d91d9cf792a64340865f112"
                                },
                                {
                                    "name": "IMAGE_ARCH"
                                },
                                {
                                    "name": "MAX_THREADS",
                                    "value": "8"
                                }
                            ],
                            "image": "quay.io/konflux-ci/clamav-db:latest",
                            "name": "extract-and-scan-image",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n# shellcheck disable=SC1091 # /utils.sh is only available in the container image at runtime\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\n# Start clamd in background\n/start-clamd.sh\n\n# Bootstrap .docker config in overridden HOME.\n# This prevents 'oc' CLI failures in clean environments where ~/.docker does not exist.\nif [ ! -d ~/.docker ]; then\n    mkdir -p ~/.docker\n    echo '{}' \u003e ~/.docker/config.json\nfi\n\nimagewithouttag=$(echo \"$IMAGE_URL\" | sed \"s/\\(.*\\):.*/\\1/\" | tr -d '\\n')\n\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=\"${imagewithouttag}@${IMAGE_DIGEST}\"\n\n# check if image is attestation one, skip the clamav scan in such case\nif [[ $imageanddigest == *.att ]]\nthen\n    echo \"$imageanddigest is an attestation image. Skipping ClamAV scan.\"\n    exit 0\nfi\n\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\nmkdir logs\nmkdir content\ncd content\necho \"Detecting artifact type for ${imageanddigest}.\"\necho '{\"artifact\":{\"pullspec\":\"'\"${imageanddigest}\"'\",\"type\":\"unknown\",\"mediaType\":\"\"}}' \u003e /work/logs/artifact-meta.json\n\n# Function to scan content and process results with ClamAV and EC\n# Parameters:\n#   $1: destination - path to the content to scan\n#   $2: suffix - suffix for log file names (e.g., \"oci\", \"amd64\")\n#   $3: digest - digest to add to digests_processed array\n#   $4: scan_message - optional message describing what is being scanned\nscan_and_process() {\n  local destination=\"$1\"\n  local suffix=\"$2\"\n  local digest=\"$3\"\n  local scan_message=\"${4:-Scanning content}\"\n\n  db_version=$(clamdscan --version | sed 's|.*/\\(.*\\)/.*|\\1|')\n\n  echo \"$scan_message. This operation may take a while.\"\n  clamdscan \"${destination}\" -vi --multiscan --fdpass \\\n    | tee \"/work/logs/clamscan-result-${suffix}.log\" || true\n\n  echo \"Executed-on: Scan was executed on clamsdcan version - $(clamdscan --version) Database version: $db_version\" | tee -a \"/work/logs/clamscan-result-${suffix}.log\"\n\n  digests_processed+=(\"\\\"$digest\\\"\")\n\n  if [[ -e \"/work/logs/clamscan-result-${suffix}.log\" ]]; then\n    # OPA/EC requires structured data input, add clamAV log into json\n    jq -Rs '{ output: . }' \"/work/logs/clamscan-result-${suffix}.log\" \u003e \"/work/logs/clamscan-result-log-${suffix}.json\"\n\n    EC_EXPERIMENTAL=1 ec test \\\n      --namespace required_checks \\\n      --policy /project/clamav/virus-check.rego \\\n      -o json \\\n      \"/work/logs/clamscan-result-log-${suffix}.json\" || true\n\n    # workaround: due to a bug in ec-cli, we cannot generate json and appstudio output at the same time, running it again\n    EC_EXPERIMENTAL=1 ec test \\\n      --namespace required_checks \\\n      --policy /project/clamav/virus-check.rego \\\n      -o appstudio \\\n      \"/work/logs/clamscan-result-log-${suffix}.json\" | tee \"/work/logs/clamscan-ec-test-${suffix}.json\" || true\n\n    cat \"/work/logs/clamscan-ec-test-${suffix}.json\"\n  fi\n}\n\n# Detect artifact type: container image vs OCI artifact\n# First, try to get image manifests (works for container images)\n# Use subshell to prevent get_image_manifests() from exiting the main script if it fails\n# (get_image_manifests uses exit 1 when Architecture field is missing, which happens for OCI artifacts)\nimage_manifests=$(bash -c '. /utils.sh; get_image_manifests -i \"'\"${imageanddigest}\"'\"' 2\u003e/dev/null || echo \"\")\n\n# If get_image_manifests failed, check if it's an OCI artifact by inspecting manifest media type\nif [ -z \"$image_manifests\" ]; then\n  echo \"get_image_manifests returned empty, checking if this is an OCI artifact...\"\n  raw_manifest=$(skopeo inspect --raw --authfile ~/.docker/config.json \"docker://${imageanddigest}\" 2\u003e/dev/null || true)\n  if [ -s /work/logs/artifact-meta.json ]; then\n    tmp=$(mktemp)\n    if jq '.artifact.type = \"inspected\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n      mv \"$tmp\" /work/logs/artifact-meta.json || true\n    fi\n  fi\n\n  if [ -n \"$raw_manifest\" ]; then\n    media_type=$(echo \"$raw_manifest\" | jq -r '.mediaType // .config.mediaType // empty' 2\u003e/dev/null || echo \"\")\n    artifact_type=$(echo \"$raw_manifest\" | jq -r '.artifactType // empty' 2\u003e/dev/null || echo \"\")\n    config_media_type=$(echo \"$raw_manifest\" | jq -r '.config.mediaType // empty' 2\u003e/dev/null || echo \"\")\n\n    # Determine if this is an OCI artifact (not a container image)\n    # OCI artifacts typically have:\n    # - An empty/scratch config (config.mediaType contains \"empty\" or \"scratch\")\n    # - An explicit artifactType field that is not a container image type\n    is_oci_artifact=false\n\n    # Check if config is empty/scratch (typical for OCI artifacts like python wheels, helm charts, etc.)\n    if echo \"$config_media_type\" | grep -qiE \"(empty|scratch)\"; then\n      is_oci_artifact=true\n    fi\n\n    # Check if artifactType is set and is not a container image type\n    if [ -n \"$artifact_type\" ] \u0026\u0026 ! echo \"$artifact_type\" | grep -qE \"application/vnd\\.(oci|docker)\\.(image|container)\"; then\n      is_oci_artifact=true\n    fi\n\n    if [ \"$is_oci_artifact\" = true ]; then\n      # This is an OCI artifact (e.g., python wheels, helm charts, etc.)\n      echo \"Detected OCI artifact (artifactType: ${artifact_type:-unset}, config.mediaType: ${config_media_type:-unset}). Downloading for scanning...\"\n      if [ -s /work/logs/artifact-meta.json ]; then\n        tmp=$(mktemp)\n        if jq '.artifact.mediaType = '\"\\\"${media_type:-unknown}\\\"\"' | .artifact.artifactType = '\"\\\"${artifact_type:-unknown}\\\"\"' | .artifact.type = \"oci\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n          mv \"$tmp\" /work/logs/artifact-meta.json || true\n        fi\n      fi\n      destination=\"content-oci\"\n      mkdir -p \"$destination\"\n\n      # Download OCI artifact using skopeo copy\n      echo \"Downloading OCI artifact using skopeo copy\"\n      if ! retry skopeo copy --authfile ~/.docker/config.json \"docker://${imageanddigest}\" \"dir:${destination}\" 2\u003e\u00261; then\n        echo \"Failed to download OCI artifact \\\"$imageanddigest\\\". Skipping ClamAV scan!\"\n        note=\"Task clamav-scan-min failed: Failed to download OCI artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n        ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n        echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n        exit 0\n      fi\n\n      # Scan and process OCI artifact\n      scan_and_process \"${destination}\" \"oci\" \"$IMAGE_DIGEST\" \"Scanning OCI artifact\"\n\n      # Skip the container image processing path\n      image_manifests=\"\"\n    elif echo \"$media_type\" | grep -qE \"(application/vnd\\.(docker|oci)\\.(distribution|image)\\.manifest|application/vnd\\.docker\\.distribution\\.manifest)\"; then\n      # This looks like a container image manifest, but get_image_manifests failed\n      echo \"Detected container image manifest type: $media_type, but get_image_manifests failed. This may indicate an error.\"\n      if [ -s /work/logs/artifact-meta.json ]; then\n        tmp=$(mktemp)\n        if jq '.artifact.mediaType = '\"\\\"$media_type\\\"\"' | .artifact.type = \"image\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n          mv \"$tmp\" /work/logs/artifact-meta.json || true\n        fi\n      fi\n      note=\"Task clamav-scan-min failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n      ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n      echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n      exit 0\n    else\n      # Likely an OCI artifact with non-standard media type\n      echo \"Detected OCI artifact (media type: ${media_type:-unknown}). Downloading for scanning...\"\n      if [ -s /work/logs/artifact-meta.json ]; then\n        tmp=$(mktemp)\n        if jq '.artifact.mediaType = '\"\\\"${media_type:-unknown}\\\"\"' | .artifact.type = \"oci\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n          mv \"$tmp\" /work/logs/artifact-meta.json || true\n        fi\n      fi\n      destination=\"content-oci\"\n      mkdir -p \"$destination\"\n\n      # Download OCI artifact using skopeo copy\n      echo \"Downloading OCI artifact using skopeo copy\"\n      if ! retry skopeo copy --authfile ~/.docker/config.json \"docker://${imageanddigest}\" \"dir:${destination}\" 2\u003e\u00261; then\n        echo \"Failed to download OCI artifact \\\"$imageanddigest\\\". Skipping ClamAV scan!\"\n        note=\"Task clamav-scan-min failed: Failed to download OCI artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n        ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n        echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n        exit 0\n      fi\n\n      # Scan and process OCI artifact\n      scan_and_process \"${destination}\" \"oci\" \"$IMAGE_DIGEST\" \"Scanning OCI artifact\"\n\n      # Skip the container image processing path\n      image_manifests=\"\"\n    fi\n  else\n    echo \"Failed to inspect artifact \\\"$imageanddigest\\\". Unable to determine type.\"\n    note=\"Task clamav-scan-min failed: Failed to inspect artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 0\n  fi\nfi\n\n# Process container images (existing logic)\nif [ -n \"$image_manifests\" ]; then\n  echo \"Detected container image. Processing image manifests.\"\n  if [ -s /work/logs/artifact-meta.json ]; then\n    tmp=$(mktemp)\n    if jq '.artifact.type = \"image\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n      mv \"$tmp\" /work/logs/artifact-meta.json || true\n    fi\n  fi\n  # Proceed only if a specific arch is provided.\n  # This typically occurs when using Tekton Matrix to launch multiple TaskRuns to scan all architectures of a multi-arch image in parallel.\n  if [ -n \"$IMAGE_ARCH\" ]; then\n    arch=\"${IMAGE_ARCH#*/}\"\n    if [ \"${arch}\" = \"x86_64\" ]; then\n      arch=\"amd64\"\n    fi\n\n    # Check if arch is supported; if not (e.g., it's 'local', see link below), default to amd64.\n    # https://github.com/redhat-appstudio/infra-deployments/blob/main/components/multi-platform-controller/production/stone-prd-rh01/host-config.yaml#L9-L14\n    case \"$arch\" in\n      amd64|ppc64le|arm64|s390x)\n        ;;\n      *)\n        arch=\"amd64\"\n        ;;\n    esac\n\n    image_manifests=$(echo \"$image_manifests\" | jq -c --arg arch \"$arch\" '{($arch): .[$arch]}')\n  fi\n\n  while read -r arch arch_sha; do\n    destination=\"content-${arch}\"\n    mkdir -p \"$destination\"\n    arch_imageanddigest=\"${imagewithouttag}@${arch_sha}\"\n\n    echo \"Running \\\"oc image extract\\\" on image of arch $arch\"\n    if ! retry oc image extract --confirm --only-files=true --registry-config ~/.docker/config.json \"$arch_imageanddigest\" --path=\"/:${destination}\" --filter-by-os=\"linux/${arch}\"; then\n      echo \"Unable to extract image for arch $arch. Skipping ClamAV scan!\"\n      exit 0\n    fi\n\n    # Scan and process container image for this architecture\n    scan_and_process \"${destination}\" \"$arch\" \"$arch_sha\" \"Scanning image for arch $arch\"\n  done \u003c \u003c(echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"')\nfi\n\njq -s -rce '\n  reduce .[] as $item ({\"timestamp\":\"0\",\"namespace\":\"\",\"successes\":0,\"failures\":0,\"warnings\":0,\"result\":\"\",\"note\":\"\"};\n    {\n    \"timestamp\" : (if .timestamp \u003c $item.timestamp then $item.timestamp else .timestamp end),\n    \"namespace\" : $item.namespace,\n    \"successes\" : (.successes + $item.successes),\n    \"failures\" : (.failures + $item.failures),\n    \"warnings\" : (.warnings + $item.warnings),\n    \"result\" : (if .result == \"\" or ($item.result == \"SKIPPED\" and .result == \"SUCCESS\") or ($item.result == \"WARNING\" and (.result == \"SUCCESS\" or .result == \"SKIPPED\")) or ($item.result == \"FAILURE\" and .result != \"ERROR\") or $item.result == \"ERROR\" then $item.result else .result end),\n    \"note\" : (if .result == \"\" or ($item.result == \"SKIPPED\" and .result == \"SUCCESS\") or ($item.result == \"WARNING\" and (.result == \"SUCCESS\" or .result == \"SKIPPED\")) or ($item.result == \"FAILURE\" and .result != \"ERROR\") or $item.result == \"ERROR\" then $item.note else .note end)\n    })' /work/logs/clamscan-ec-test-*.json | tee \"/tekton/results/TEST_OUTPUT\"\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n  digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\necho \"${images_processed_template/\\[%s]/[$digests_processed_string]}\" | tee \"/tekton/results/IMAGES_PROCESSED\"\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/work",
                                    "name": "work"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/work"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SKIP_UPLOAD",
                                    "value": "false"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/build-e2e-tgco/gh-test-custom-branch-yzhzel:0b8966f654b92a5d9a54563e7d992d5da5ffb987"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:509b92556719ccd470985db3226532ff1ffd17b81d91d9cf792a64340865f112"
                                }
                            ],
                            "image": "quay.io/konflux-ci/task-runner:1.6.0@sha256:1abfe4e50d4e961d0fd9790202565f93ee650fe8dfc50932c94989acba10485f",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\nset -e\n\n# Skip upload if requested e.g. read-only CI tests where push access is denied\nif [ \"$SKIP_UPLOAD\" == \"true\" ]; then\n  echo \"Upload skipped by parameter.\"\n  exit 0\nfi\n\n# Don't return a glob expression when no matches are found\nshopt -s nullglob\n\ncd logs\n\nfor UPLOAD_FILE in clamscan-result*.log; do\n  MEDIA_TYPE=text/vnd.clamav\n  args+=(\"${UPLOAD_FILE}:${MEDIA_TYPE}\")\ndone\nfor UPLOAD_FILE in clamscan-ec-test*.json; do\n  MEDIA_TYPE=application/vnd.konflux.test_output+json\n  args+=(\"${UPLOAD_FILE}:${MEDIA_TYPE}\")\ndone\n\nif [ ${#args[@]} -eq 0 ]; then\n  echo \"No files found. Skipping upload.\"\n  exit 0;\nfi\n\necho \"Selecting auth\"\nselect-oci-auth \"$IMAGE_URL\" \u003e \"$HOME/auth.json\"\necho \"Attaching to ${IMAGE_URL}\"\n retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type application/vnd.clamav \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${args[@]}\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/work",
                                    "name": "work"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/work"
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "dbfolder"
                        },
                        {
                            "emptyDir": {},
                            "name": "work"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/devfile-sample-hello-world-bwbcqf?rev=0b8966f654b92a5d9a54563e7d992d5da5ffb987",
                    "build.appstudio.redhat.com/commit_sha": "0b8966f654b92a5d9a54563e7d992d5da5ffb987",
                    "build.appstudio.redhat.com/target_branch": "base-zmwpiw",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "base-zmwpiw",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "85920088888",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "incoming",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-tlgpcf",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://localhost:9443/ns/build-e2e-tgco/pipelinerun/gh-test-custom-branch-yzhzel-on-push-rjfkj",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"base-zmwpiw\"",
                    "pipelinesascode.tekton.dev/original-prname": "gh-test-custom-branch-yzhzel-on-push",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/devfile-sample-hello-world-bwbcqf",
                    "pipelinesascode.tekton.dev/repository": "github-com-redhat-appstudio-qe-devfile-sample-hello-world-bwbcqf",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "incoming",
                    "pipelinesascode.tekton.dev/sha": "0b8966f654b92a5d9a54563e7d992d5da5ffb987",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/devfile-sample-hello-world-bwbcqf/commit/0b8966f654b92a5d9a54563e7d992d5da5ffb987",
                    "pipelinesascode.tekton.dev/source-branch": "base-zmwpiw",
                    "pipelinesascode.tekton.dev/source-repo-url": "",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "devfile-sample-hello-world-bwbcqf",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "build-e2e-tgco/results/581f53f1-956b-4f98-81ae-87512432087f/records/1aac0f96-03df-43eb-912c-2b2bfacb7b8a",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"devfile-sample-hello-world-bwbcqf\",\"commit\":\"0b8966f654b92a5d9a54563e7d992d5da5ffb987\",\"eventType\":\"incoming\"}",
                    "results.tekton.dev/result": "build-e2e-tgco/results/581f53f1-956b-4f98-81ae-87512432087f",
                    "results.tekton.dev/stored": "true"
                },
                "creationTimestamp": "2026-07-08T16:11:47Z",
                "deletionGracePeriodSeconds": 0,
                "deletionTimestamp": "2026-07-08T16:13:15Z",
                "finalizers": [
                    "results.tekton.dev/taskrun"
                ],
                "generation": 2,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "build-suite-test-application-arnl",
                    "appstudio.openshift.io/component": "gh-test-custom-branch-yzhzel",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "85920088888",
                    "pipelinesascode.tekton.dev/event-type": "incoming",
                    "pipelinesascode.tekton.dev/original-prname": "gh-test-custom-branch-yzhzel-on-push",
                    "pipelinesascode.tekton.dev/repository": "thub-com-redhat-appstudio-qe-devfile-sample-hello-world-bwbcqf",
                    "pipelinesascode.tekton.dev/sha": "0b8966f654b92a5d9a54563e7d992d5da5ffb987",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "devfile-sample-hello-world-bwbcqf",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "gh-test-custom-branch-yzhzel-on-push-rjfkj",
                    "tekton.dev/pipelineRun": "gh-test-custom-branch-yzhzel-on-push-rjfkj",
                    "tekton.dev/pipelineRunUID": "581f53f1-956b-4f98-81ae-87512432087f",
                    "tekton.dev/pipelineTask": "rpms-signature-scan",
                    "tekton.dev/task": "rpms-signature-scan"
                },
                "name": "gh-test-custom-branch-yzhzel-on-push-rjfkj-rpms-signature-scan",
                "namespace": "build-e2e-tgco",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "gh-test-custom-branch-yzhzel-on-push-rjfkj",
                        "uid": "581f53f1-956b-4f98-81ae-87512432087f"
                    }
                ],
                "resourceVersion": "32389",
                "uid": "1aac0f96-03df-43eb-912c-2b2bfacb7b8a"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/build-e2e-tgco/gh-test-custom-branch-yzhzel:0b8966f654b92a5d9a54563e7d992d5da5ffb987"
                    },
                    {
                        "name": "image-digest",
                        "value": "sha256:509b92556719ccd470985db3226532ff1ffd17b81d91d9cf792a64340865f112"
                    }
                ],
                "serviceAccountName": "build-pipeline-gh-test-custom-branch-yzhzel",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "rpms-signature-scan"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:d4e3499ad4af6869470233bef6faaa1bdd69ef56276841eeec93ce6e62deeb93"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-08T16:12:09Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-08T16:12:09Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "gh-test-custom-branch-yzhze89ef6f3a92c5eedb865d488da8be60a6-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "d4e3499ad4af6869470233bef6faaa1bdd69ef56276841eeec93ce6e62deeb93"
                        },
                        "entryPoint": "rpms-signature-scan",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/build-e2e-tgco/gh-test-custom-branch-yzhzel:0b8966f654b92a5d9a54563e7d992d5da5ffb987\", \"digests\": [\"sha256:509b92556719ccd470985db3226532ff1ffd17b81d91d9cf792a64340865f112\"]}}\n"
                    },
                    {
                        "name": "RPMS_DATA",
                        "type": "string",
                        "value": "{\"keys\": {\"unsigned\": 0}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-08T16:12:07+00:00\",\"note\":\"Task rpms-signature-scan completed successfully\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-08T16:11:49Z",
                "steps": [
                    {
                        "container": "step-rpms-signature-scan",
                        "imageID": "quay.io/konflux-ci/tools@sha256:5d29650b47acbdf728013c6f738dd0df6844a06e2001d3e1fb9f7941df7a0abe",
                        "name": "rpms-signature-scan",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://04655edb2cf81b7af29f30426a18b8238bc98b41842e267f1d057899b10aa431",
                            "exitCode": 0,
                            "finishedAt": "2026-07-08T16:12:06Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-08T16:12:00Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-output-results",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:724ecf16a1fc9b51a1b20c91c5125556c53d471d0d8db1648d2404e4715f204e",
                        "name": "output-results",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://888e4d89f78761bcbb43f791991584d75387316a8d05cddf13732e900dabfac6",
                            "exitCode": 0,
                            "finishedAt": "2026-07-08T16:12:08Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/build-e2e-tgco/gh-test-custom-branch-yzhzel:0b8966f654b92a5d9a54563e7d992d5da5ffb987\\\", \\\"digests\\\": [\\\"sha256:509b92556719ccd470985db3226532ff1ffd17b81d91d9cf792a64340865f112\\\"]}}\\n\",\"type\":1},{\"key\":\"RPMS_DATA\",\"value\":\"{\\\"keys\\\": {\\\"unsigned\\\": 0}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-08T16:12:07+00:00\\\",\\\"note\\\":\\\"Task rpms-signature-scan completed successfully\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-08T16:12:07Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans RPMs in an image and provide information about RPMs signatures.",
                    "params": [
                        {
                            "description": "Image URL",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "description": "Image digest to scan",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "default": "/tmp",
                            "description": "Directory that will be used for storing temporary\nfiles produced by this task.\n",
                            "name": "workdir",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Information about signed and unsigned RPMs",
                            "name": "RPMS_DATA",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "200m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "200m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/build-e2e-tgco/gh-test-custom-branch-yzhzel:0b8966f654b92a5d9a54563e7d992d5da5ffb987"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:509b92556719ccd470985db3226532ff1ffd17b81d91d9cf792a64340865f112"
                                },
                                {
                                    "name": "WORKDIR",
                                    "value": "/tmp"
                                }
                            ],
                            "image": "quay.io/konflux-ci/tools@sha256:5d29650b47acbdf728013c6f738dd0df6844a06e2001d3e1fb9f7941df7a0abe",
                            "name": "rpms-signature-scan",
                            "script": "#!/bin/bash\nset -ex\nset -o pipefail\n\nrpm_verifier \\\n  --image-url \"${IMAGE_URL}\" \\\n  --image-digest \"${IMAGE_DIGEST}\" \\\n  --workdir \"${WORKDIR}\" \\\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/tmp",
                                    "name": "workdir"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "50m",
                                    "memory": "32Mi"
                                },
                                "requests": {
                                    "cpu": "50m",
                                    "memory": "32Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "WORKDIR",
                                    "value": "/tmp"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.53@sha256:724ecf16a1fc9b51a1b20c91c5125556c53d471d0d8db1648d2404e4715f204e",
                            "name": "output-results",
                            "script": "#!/bin/bash\nset -ex\n\nsource /utils.sh\nstatus=$(cat \"${WORKDIR}\"/status)\nrpms_data=$(cat \"${WORKDIR}\"/results)\nimages_processed=$(cat \"${WORKDIR}\"/images_processed)\n\nif [ \"$status\" == \"ERROR\" ]; then\n  note=\"Task rpms-signature-scan failed to scan images. Refer to Tekton task output for details\"\nelse\n  note=\"Task rpms-signature-scan completed successfully\"\nfi\n\nTEST_OUTPUT=$(make_result_json -r \"$status\" -t \"$note\")\n\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\necho \"${rpms_data}\" | tee \"/tekton/results/RPMS_DATA\"\necho \"${images_processed}\" | tee \"/tekton/results/IMAGES_PROCESSED\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/tmp",
                                    "name": "workdir"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "workdir"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/devfile-sample-hello-world-bwbcqf?rev=0b8966f654b92a5d9a54563e7d992d5da5ffb987",
                    "build.appstudio.redhat.com/commit_sha": "0b8966f654b92a5d9a54563e7d992d5da5ffb987",
                    "build.appstudio.redhat.com/target_branch": "base-zmwpiw",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "base-zmwpiw",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "85920088888",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "incoming",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-tlgpcf",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://localhost:9443/ns/build-e2e-tgco/pipelinerun/gh-test-custom-branch-yzhzel-on-push-rjfkj",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"base-zmwpiw\"",
                    "pipelinesascode.tekton.dev/original-prname": "gh-test-custom-branch-yzhzel-on-push",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/devfile-sample-hello-world-bwbcqf",
                    "pipelinesascode.tekton.dev/repository": "github-com-redhat-appstudio-qe-devfile-sample-hello-world-bwbcqf",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "incoming",
                    "pipelinesascode.tekton.dev/sha": "0b8966f654b92a5d9a54563e7d992d5da5ffb987",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/devfile-sample-hello-world-bwbcqf/commit/0b8966f654b92a5d9a54563e7d992d5da5ffb987",
                    "pipelinesascode.tekton.dev/source-branch": "base-zmwpiw",
                    "pipelinesascode.tekton.dev/source-repo-url": "",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "devfile-sample-hello-world-bwbcqf",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "build-e2e-tgco/results/581f53f1-956b-4f98-81ae-87512432087f/records/4b5202c0-6f56-4d86-a545-6bcfd45a1675",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"devfile-sample-hello-world-bwbcqf\",\"commit\":\"0b8966f654b92a5d9a54563e7d992d5da5ffb987\",\"eventType\":\"incoming\"}",
                    "results.tekton.dev/result": "build-e2e-tgco/results/581f53f1-956b-4f98-81ae-87512432087f",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux"
                },
                "creationTimestamp": "2026-07-08T16:11:47Z",
                "deletionGracePeriodSeconds": 0,
                "deletionTimestamp": "2026-07-08T16:13:15Z",
                "finalizers": [
                    "results.tekton.dev/taskrun"
                ],
                "generation": 2,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "build-suite-test-application-arnl",
                    "appstudio.openshift.io/component": "gh-test-custom-branch-yzhzel",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "85920088888",
                    "pipelinesascode.tekton.dev/event-type": "incoming",
                    "pipelinesascode.tekton.dev/original-prname": "gh-test-custom-branch-yzhzel-on-push",
                    "pipelinesascode.tekton.dev/repository": "thub-com-redhat-appstudio-qe-devfile-sample-hello-world-bwbcqf",
                    "pipelinesascode.tekton.dev/sha": "0b8966f654b92a5d9a54563e7d992d5da5ffb987",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "devfile-sample-hello-world-bwbcqf",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "gh-test-custom-branch-yzhzel-on-push-rjfkj",
                    "tekton.dev/pipelineRun": "gh-test-custom-branch-yzhzel-on-push-rjfkj",
                    "tekton.dev/pipelineRunUID": "581f53f1-956b-4f98-81ae-87512432087f",
                    "tekton.dev/pipelineTask": "sast-shell-check",
                    "tekton.dev/task": "sast-shell-check-oci-ta-min"
                },
                "name": "gh-test-custom-branch-yzhzel-on-push-rjfkj-sast-shell-check",
                "namespace": "build-e2e-tgco",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "gh-test-custom-branch-yzhzel-on-push-rjfkj",
                        "uid": "581f53f1-956b-4f98-81ae-87512432087f"
                    }
                ],
                "resourceVersion": "32393",
                "uid": "4b5202c0-6f56-4d86-a545-6bcfd45a1675"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:509b92556719ccd470985db3226532ff1ffd17b81d91d9cf792a64340865f112"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/build-e2e-tgco/gh-test-custom-branch-yzhzel:0b8966f654b92a5d9a54563e7d992d5da5ffb987"
                    },
                    {
                        "name": "TARGET_DIRS",
                        "value": "."
                    },
                    {
                        "name": "SOURCE_ARTIFACT",
                        "value": "oci:quay.io/redhat-appstudio-qe/build-e2e-tgco/gh-test-custom-branch-yzhzel@sha256:746f37fb801f278dbc6f48440c50d010d96f9891adab97102e8cc8d7118e8c8f"
                    },
                    {
                        "name": "CACHI2_ARTIFACT",
                        "value": ""
                    }
                ],
                "serviceAccountName": "build-pipeline-gh-test-custom-branch-yzhzel",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "sast-shell-check-oci-ta-min"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta-min:0.1@sha256:ecfae10944b45b91988ddc6311c7232bf2c98ba73c5fc6261861ecfd33434db0"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-08T16:12:09Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-08T16:12:09Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "gh-test-custom-branch-yzhzel-on-push-rjfkj-sast-shell-check-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "ecfae10944b45b91988ddc6311c7232bf2c98ba73c5fc6261861ecfd33434db0"
                        },
                        "entryPoint": "sast-shell-check-oci-ta-min",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta-min"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-08T16:12:05+00:00\",\"note\":\"For details, check Tekton task log.\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-08T16:11:47Z",
                "steps": [
                    {
                        "container": "step-use-trusted-artifact",
                        "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:d6d6048bdb5a73697ff88734a3f33c54193405b901d3f5192b8251a878623906",
                        "name": "use-trusted-artifact",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://0a789c57b6411aef5f739234ac64458c6da8cea55ff030335d77561f0279446d",
                            "exitCode": 0,
                            "finishedAt": "2026-07-08T16:11:58Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-08T16:11:57Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-sast-shell-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:deabe80a01dca3a8a0edb709324e30cbf0baa176f7a181bbb695323f506f7aac",
                        "name": "sast-shell-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://e7ceb190c49dfefd6b4e437281fd62a7ed5a01d9a7a3c7dc5f01a0c4da4e2bb6",
                            "exitCode": 0,
                            "finishedAt": "2026-07-08T16:12:06Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-08T16:12:05+00:00\\\",\\\"note\\\":\\\"For details, check Tekton task log.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-08T16:11:58Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:da693a7dcbadafc9f4422ae6600b41b2847944f7f14c5622827d6f58c727cf08",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://97086c0f10a110033d01f1815a6ce64f691b2251447b8c80fd04adbca0b11d90",
                            "exitCode": 0,
                            "finishedAt": "2026-07-08T16:12:08Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-08T16:12:05+00:00\\\",\\\"note\\\":\\\"For details, check Tekton task log.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-08T16:12:06Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "The sast-shell-check task uses [shellcheck](https://www.shellcheck.net/) tool to perform Static Application Security Testing (SAST), a popular cloud-native application security platform. This task leverages the shellcheck wrapper (csmock-plugin-shellcheck-core) to run shellcheck on a directory tree.\nShellCheck is a static analysis tool, gives warnings and suggestions for bash/sh shell scripts. This task can run on x86 and arm.",
                    "params": [
                        {
                            "default": "",
                            "description": "The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.",
                            "name": "CACHI2_ARTIFACT",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Whether to include important findings only",
                            "name": "IMP_FINDINGS_ONLY",
                            "type": "string"
                        },
                        {
                            "default": "SITE_DEFAULT",
                            "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.",
                            "name": "KFP_GIT_URL",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.",
                            "name": "PROJECT_NAME",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Whether to record the excluded findings (default to false).\nIf `true`, the excluded findings will be stored in `excluded-findings.json`.\n",
                            "name": "RECORD_EXCLUDED",
                            "type": "string"
                        },
                        {
                            "description": "The Trusted Artifact URI pointing to the artifact with the application source code.",
                            "name": "SOURCE_ARTIFACT",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Target directories in component's source code. Multiple values should be separated with commas.",
                            "name": "TARGET_DIRS",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Image digest to report findings for.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "volumeMounts": [
                            {
                                "mountPath": "/var/workdir",
                                "name": "workdir"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "use",
                                "oci:quay.io/redhat-appstudio-qe/build-e2e-tgco/gh-test-custom-branch-yzhzel@sha256:746f37fb801f278dbc6f48440c50d010d96f9891adab97102e8cc8d7118e8c8f=/var/workdir/source",
                                "=/var/workdir/cachi2"
                            ],
                            "computeResources": {},
                            "image": "quay.io/konflux-ci/build-trusted-artifacts:latest@sha256:d6d6048bdb5a73697ff88734a3f33c54193405b901d3f5192b8251a878623906",
                            "name": "use-trusted-artifact",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "128m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "128m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KFP_GIT_URL",
                                    "value": "SITE_DEFAULT"
                                },
                                {
                                    "name": "PROJECT_NAME"
                                },
                                {
                                    "name": "RECORD_EXCLUDED",
                                    "value": "false"
                                },
                                {
                                    "name": "IMP_FINDINGS_ONLY",
                                    "value": "true"
                                },
                                {
                                    "name": "TARGET_DIRS",
                                    "value": "."
                                },
                                {
                                    "name": "COMPONENT_LABEL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.labels['appstudio.openshift.io/component']"
                                        }
                                    }
                                },
                                {
                                    "name": "BUILD_PLR_LOG_URL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']"
                                        }
                                    }
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.52@sha256:deabe80a01dca3a8a0edb709324e30cbf0baa176f7a181bbb695323f506f7aac",
                            "name": "sast-shell-check",
                            "script": "#!/usr/bin/env bash\nset -x\n# shellcheck source=/dev/null\nsource /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n  PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nPACKAGE_VERSION=$(rpm -q --queryformat '%{NAME}-%{VERSION}-%{RELEASE}\\n' ShellCheck)\n\nOUTPUT_FILE=\"shellcheck-results.json\"\nSOURCE_CODE_DIR=/var/workdir/source\n\n# generate full path for each dirname separated by comma\ndeclare -a ALL_TARGETS\nIFS=\",\" read -ra TARGET_ARRAY \u003c\u003c\u003c\"$TARGET_DIRS\"\nfor d in \"${TARGET_ARRAY[@]}\"; do\n  potential_path=\"${SOURCE_CODE_DIR}/${d}\"\n\n  resolved_path=$(realpath -m \"$potential_path\")\n\n  # ensure resolved path is still within SOURCE_CODE_DIR\n  if [[ \"$resolved_path\" == \"$SOURCE_CODE_DIR\"* ]]; then\n    ALL_TARGETS+=(\"$resolved_path\")\n  else\n    echo \"Error: path traversal attempt, '$potential_path' is outside '$SOURCE_CODE_DIR'\"\n    exit 1\n  fi\ndone\n\n# determine number of available CPU cores for shellcheck based on container cgroup v2 CPU limits\n# this calculates the ceiling, so if the cpu limit is 0.5, the number of jobs will be 1.\nif [ -z \"$SC_JOBS\" ] \u0026\u0026 [ -r \"/sys/fs/cgroup/cpu.max\" ]; then\n  read -r quota period \u003c/sys/fs/cgroup/cpu.max\n  if [ \"$quota\" != \"max\" ] \u0026\u0026 [ -n \"$period\" ] \u0026\u0026 [ \"$period\" -gt 0 ]; then\n    export SC_JOBS=$(((quota + period - 1) / period))\n    echo \"INFO: Setting SC_JOBS=${SC_JOBS} based on cgroups v2 max for run-shellcheck.sh\"\n  fi\nfi\n\n# generate all shellcheck result JSON files to $SC_RESULTS_DIR, which defaults to ./shellcheck-results/\n/usr/share/csmock/scripts/run-shellcheck.sh \"${ALL_TARGETS[@]}\"\n\nCSGREP_OPTS=(\n  --mode=json\n  --strip-path-prefix=\"$SOURCE_CODE_DIR\"/\n  --remove-duplicates\n  --embed-context=3\n  --set-scan-prop=\"ShellCheck:${PACKAGE_VERSION}\"\n)\nif [[ \"$IMP_FINDINGS_ONLY\" == \"true\" ]]; then\n  # predefined list of shellcheck important findings\n  CSGREP_EVENT_FILTER='\\[SC(1020|1035|1054|1066|1068|1073|1080|1083|1099|1113|1115|1127|1128|1143|2043|2050|'\n  CSGREP_EVENT_FILTER+='2055|2057|2066|2069|2071|2077|2078|2091|2092|2157|2171|2193|2194|2195|2215|2216|'\n  CSGREP_EVENT_FILTER+='2218|2224|2225|2242|2256|2258|2261)\\]$'\n  CSGREP_OPTS+=(\n    --event=\"$CSGREP_EVENT_FILTER\"\n  )\nelse\n  CSGREP_OPTS+=(\n    --event=\"error|warning\"\n  )\nfi\n\nif ! csgrep \"${CSGREP_OPTS[@]}\" ./shellcheck-results/*.json \u003e\"$OUTPUT_FILE\"; then\n  echo \"Error occurred while running 'run-shellcheck.sh'\"\n  note=\"Task sast-shell-check-oci-ta-min failed: For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n  echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 1\nfi\n\nif [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n  KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\nfi\nPROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n# create the KFP clone directory regardless\nKFP_DIR=\"known-false-positives\"\nKFP_CLONED=\"0\"\nmkdir \"${KFP_DIR}\"\n\n# We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\nif [[ -n \"${KFP_GIT_URL}\" ]]; then\n  # Default location only reachable from internal Konflux instances, check reachable first\n  echo -n \"INFO: Probing ${PROBE_URL}... \"\n  if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n    echo \"INFO: Trying to clone known-false-positives..\"\n    git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n  fi\nfi\n\nif [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n  echo \"WARN: Failed to clone known-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\nelse\n  echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n  # build initial csfilter-kfp command\n  csfilter_kfp_cmd=(\n    csfilter-kfp\n    --verbose\n    --kfp-dir=\"${KFP_DIR}\"\n    --project-nvr=\"${PROJECT_NAME}\"\n  )\n\n  if [[ \"${RECORD_EXCLUDED}\" == \"true\" ]]; then\n    csfilter_kfp_cmd+=(--record-excluded=\"excluded-findings.json\")\n  fi\n\n  # Execute the command and capture any errors\n  set +e\n  \"${csfilter_kfp_cmd[@]}\" \"${OUTPUT_FILE}\" \u003e\"${OUTPUT_FILE}.filtered\" 2\u003e\"${OUTPUT_FILE}.error\"\n  status=$?\n  set -e\n  if [ \"$status\" -ne 0 ]; then\n    echo \"WARN: failed to filter known false positives\" \u003e\u00262\n  else\n    mv \"${OUTPUT_FILE}.filtered\" \"$OUTPUT_FILE\"\n    echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n  fi\nfi\n\necho \"ShellCheck results have been saved to $OUTPUT_FILE\"\n\ncsgrep --mode=evtstat \"$OUTPUT_FILE\"\ncsgrep --mode=sarif \"$OUTPUT_FILE\" \u003eshellcheck-results.sarif\n\nTEST_OUTPUT=\nparse_test_output \"sast-shell-check-oci-ta-min\" sarif shellcheck-results.sarif || true\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/var/workdir/source"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/build-e2e-tgco/gh-test-custom-branch-yzhzel:0b8966f654b92a5d9a54563e7d992d5da5ffb987"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:509b92556719ccd470985db3226532ff1ffd17b81d91d9cf792a64340865f112"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:da693a7dcbadafc9f4422ae6600b41b2847944f7f14c5622827d6f58c727cf08",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\nset -e\n\nif [ -z \"${IMAGE_URL}\" ] || [ -z \"${IMAGE_DIGEST}\" ]; then\n  echo 'No image-url or image-digest param provided. Skipping upload.'\n  exit 0\nfi\n\nUPLOAD_FILES=\"shellcheck-results.sarif excluded-findings.json\"\n\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n  if [ ! -f \"${UPLOAD_FILE}\" ]; then\n    echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n    continue\n  fi\n\n  # Determine the media type based on the file extension\n  if [[ \"${UPLOAD_FILE}\" == *.json ]]; then\n    MEDIA_TYPE=\"application/json\"\n  else\n    MEDIA_TYPE=\"application/sarif+json\"\n  fi\n\n  echo \"Selecting auth\"\n  select-oci-auth \"$IMAGE_URL\" \u003e\"$HOME/auth.json\"\n  echo \"Attaching to ${IMAGE_URL}\"\n  if ! retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"; then\n    echo \"Failed to attach ${UPLOAD_FILE} to ${IMAGE_URL}\"\n    exit 1\n  fi\ndone\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/var/workdir/source"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "emptyDir": {},
                            "name": "workdir"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/devfile-sample-hello-world-bwbcqf?rev=0b8966f654b92a5d9a54563e7d992d5da5ffb987",
                    "build.appstudio.redhat.com/commit_sha": "0b8966f654b92a5d9a54563e7d992d5da5ffb987",
                    "build.appstudio.redhat.com/target_branch": "base-zmwpiw",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "base-zmwpiw",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "85920088888",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "incoming",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-tlgpcf",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://localhost:9443/ns/build-e2e-tgco/pipelinerun/gh-test-custom-branch-yzhzel-on-push-rjfkj",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"base-zmwpiw\"",
                    "pipelinesascode.tekton.dev/original-prname": "gh-test-custom-branch-yzhzel-on-push",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/devfile-sample-hello-world-bwbcqf",
                    "pipelinesascode.tekton.dev/repository": "github-com-redhat-appstudio-qe-devfile-sample-hello-world-bwbcqf",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "incoming",
                    "pipelinesascode.tekton.dev/sha": "0b8966f654b92a5d9a54563e7d992d5da5ffb987",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/devfile-sample-hello-world-bwbcqf/commit/0b8966f654b92a5d9a54563e7d992d5da5ffb987",
                    "pipelinesascode.tekton.dev/source-branch": "base-zmwpiw",
                    "pipelinesascode.tekton.dev/source-repo-url": "",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "devfile-sample-hello-world-bwbcqf",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "build-e2e-tgco/results/581f53f1-956b-4f98-81ae-87512432087f/records/8dfeeca0-1777-429c-8b98-28a39e22bf92",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"devfile-sample-hello-world-bwbcqf\",\"commit\":\"0b8966f654b92a5d9a54563e7d992d5da5ffb987\",\"eventType\":\"incoming\"}",
                    "results.tekton.dev/result": "build-e2e-tgco/results/581f53f1-956b-4f98-81ae-87512432087f",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux"
                },
                "creationTimestamp": "2026-07-08T16:11:47Z",
                "deletionGracePeriodSeconds": 0,
                "deletionTimestamp": "2026-07-08T16:13:15Z",
                "finalizers": [
                    "results.tekton.dev/taskrun"
                ],
                "generation": 2,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "build-suite-test-application-arnl",
                    "appstudio.openshift.io/component": "gh-test-custom-branch-yzhzel",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "85920088888",
                    "pipelinesascode.tekton.dev/event-type": "incoming",
                    "pipelinesascode.tekton.dev/original-prname": "gh-test-custom-branch-yzhzel-on-push",
                    "pipelinesascode.tekton.dev/repository": "thub-com-redhat-appstudio-qe-devfile-sample-hello-world-bwbcqf",
                    "pipelinesascode.tekton.dev/sha": "0b8966f654b92a5d9a54563e7d992d5da5ffb987",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "devfile-sample-hello-world-bwbcqf",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "gh-test-custom-branch-yzhzel-on-push-rjfkj",
                    "tekton.dev/pipelineRun": "gh-test-custom-branch-yzhzel-on-push-rjfkj",
                    "tekton.dev/pipelineRunUID": "581f53f1-956b-4f98-81ae-87512432087f",
                    "tekton.dev/pipelineTask": "sast-unicode-check",
                    "tekton.dev/task": "sast-unicode-check-oci-ta-min"
                },
                "name": "gh-test-custom-branch-yzhzel-on-push-rjfkj-sast-unicode-check",
                "namespace": "build-e2e-tgco",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "gh-test-custom-branch-yzhzel-on-push-rjfkj",
                        "uid": "581f53f1-956b-4f98-81ae-87512432087f"
                    }
                ],
                "resourceVersion": "32387",
                "uid": "8dfeeca0-1777-429c-8b98-28a39e22bf92"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:509b92556719ccd470985db3226532ff1ffd17b81d91d9cf792a64340865f112"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/build-e2e-tgco/gh-test-custom-branch-yzhzel:0b8966f654b92a5d9a54563e7d992d5da5ffb987"
                    },
                    {
                        "name": "TARGET_DIRS",
                        "value": "."
                    },
                    {
                        "name": "SOURCE_ARTIFACT",
                        "value": "oci:quay.io/redhat-appstudio-qe/build-e2e-tgco/gh-test-custom-branch-yzhzel@sha256:746f37fb801f278dbc6f48440c50d010d96f9891adab97102e8cc8d7118e8c8f"
                    },
                    {
                        "name": "CACHI2_ARTIFACT",
                        "value": ""
                    }
                ],
                "serviceAccountName": "build-pipeline-gh-test-custom-branch-yzhzel",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "sast-unicode-check-oci-ta-min"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta-min:0.4@sha256:96badf0b06d83fc1e7cf50048f94091e257819ee537f063830541f9c97295200"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-08T16:12:02Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-08T16:12:02Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "gh-test-custom-branch-yzhze01279babe5eea4a71eea51a53f913ff7-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "96badf0b06d83fc1e7cf50048f94091e257819ee537f063830541f9c97295200"
                        },
                        "entryPoint": "sast-unicode-check-oci-ta-min",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta-min"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-08T16:12:00+00:00\",\"note\":\"Task sast-unicode-check-oci-ta-min success: No finding was detected\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-08T16:11:48Z",
                "steps": [
                    {
                        "container": "step-use-trusted-artifact",
                        "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:d6d6048bdb5a73697ff88734a3f33c54193405b901d3f5192b8251a878623906",
                        "name": "use-trusted-artifact",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://ea0b99805f0fd277b9443a12de96e65ef7ef1ec70a31ea21050b3193f8073b6e",
                            "exitCode": 0,
                            "finishedAt": "2026-07-08T16:11:58Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-08T16:11:58Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-sast-unicode-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:deabe80a01dca3a8a0edb709324e30cbf0baa176f7a181bbb695323f506f7aac",
                        "name": "sast-unicode-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://9c6ebbea89b7181a7b624d22b08d1243425b420706c9ed62ef6d10870aad7224",
                            "exitCode": 0,
                            "finishedAt": "2026-07-08T16:12:00Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-08T16:12:00+00:00\\\",\\\"note\\\":\\\"Task sast-unicode-check-oci-ta-min success: No finding was detected\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-08T16:11:59Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:da693a7dcbadafc9f4422ae6600b41b2847944f7f14c5622827d6f58c727cf08",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://57998e9c0d67a90535d697e14860cd17edf4f2985a4bc7bf326bf8acff1bff53",
                            "exitCode": 0,
                            "finishedAt": "2026-07-08T16:12:02Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-08T16:12:00+00:00\\\",\\\"note\\\":\\\"Task sast-unicode-check-oci-ta-min success: No finding was detected\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-08T16:12:00Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans source code for non-printable unicode characters in all text files.",
                    "params": [
                        {
                            "default": "",
                            "description": "The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.",
                            "name": "CACHI2_ARTIFACT",
                            "type": "string"
                        },
                        {
                            "default": "-p bidi -v -d -t",
                            "description": "arguments for find-unicode-control command.",
                            "name": "FIND_UNICODE_CONTROL_ARGS",
                            "type": "string"
                        },
                        {
                            "default": "SITE_DEFAULT",
                            "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.",
                            "name": "KFP_GIT_URL",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.",
                            "name": "PROJECT_NAME",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Whether to record the excluded findings (defaults to false).\nIf `true`, the excluded findings will be stored in `excluded-findings.json`.\n",
                            "name": "RECORD_EXCLUDED",
                            "type": "string"
                        },
                        {
                            "description": "The Trusted Artifact URI pointing to the artifact with the application source code.",
                            "name": "SOURCE_ARTIFACT",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Target directories in component's source code. Multiple values should be separated with commas.",
                            "name": "TARGET_DIRS",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "description": "Image digest used for ORAS upload.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "description": "Image URL used for ORAS upload.",
                            "name": "image-url",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "volumeMounts": [
                            {
                                "mountPath": "/var/workdir",
                                "name": "workdir"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "use",
                                "oci:quay.io/redhat-appstudio-qe/build-e2e-tgco/gh-test-custom-branch-yzhzel@sha256:746f37fb801f278dbc6f48440c50d010d96f9891adab97102e8cc8d7118e8c8f=/var/workdir/source",
                                "=/var/workdir/cachi2"
                            ],
                            "computeResources": {},
                            "image": "quay.io/konflux-ci/build-trusted-artifacts:latest@sha256:d6d6048bdb5a73697ff88734a3f33c54193405b901d3f5192b8251a878623906",
                            "name": "use-trusted-artifact",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "128m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KFP_GIT_URL",
                                    "value": "SITE_DEFAULT"
                                },
                                {
                                    "name": "PROJECT_NAME"
                                },
                                {
                                    "name": "FIND_UNICODE_CONTROL_ARGS",
                                    "value": "-p bidi -v -d -t"
                                },
                                {
                                    "name": "RECORD_EXCLUDED",
                                    "value": "false"
                                },
                                {
                                    "name": "TARGET_DIRS",
                                    "value": "."
                                },
                                {
                                    "name": "SOURCE_CODE_DIR",
                                    "value": "/var/workdir"
                                },
                                {
                                    "name": "COMPONENT_LABEL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.labels['appstudio.openshift.io/component']"
                                        }
                                    }
                                },
                                {
                                    "name": "BUILD_PLR_LOG_URL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']"
                                        }
                                    }
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.52@sha256:deabe80a01dca3a8a0edb709324e30cbf0baa176f7a181bbb695323f506f7aac",
                            "name": "sast-unicode-check",
                            "script": "#!/usr/bin/env bash\nset -exuo pipefail\n\n# shellcheck source=/dev/null\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n  PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nSCAN_PROP=\"https://github.com/siddhesh/find-unicode-control.git#c2accbfbba7553a8bc1ebd97089ae08ad8347e58\"\nFUC_EXIT_CODE=0\n\n# generate full path for each dirname separated by comma\ndeclare -a ALL_TARGETS\nOLD_IFS=\"$IFS\"\nIFS=\",\"\nfor d in $TARGET_DIRS; do\n  ALL_TARGETS+=(\"${SOURCE_CODE_DIR}/source/${d}\")\ndone\nIFS=\"$OLD_IFS\"\n\n# shellcheck disable=SC2086\nLANG=en_US.utf8 find_unicode_control.py ${FIND_UNICODE_CONTROL_ARGS} \"${ALL_TARGETS[@]}\" \\\n  \u003eraw_sast_unicode_check_out.txt \\\n  2\u003eraw_sast_unicode_check_out.log ||\n  FUC_EXIT_CODE=$?\nif [[ \"${FUC_EXIT_CODE}\" -ne 0 ]] \u0026\u0026 [[ \"${FUC_EXIT_CODE}\" -ne 1 ]]; then\n  echo \"Failed to run find-unicode-control command\" \u003e\u00262\n  cat raw_sast_unicode_check_out.log\n  note=\"Task sast-unicode-check-oci-ta-min failed: For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n  echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 1\nfi\n\n# Translate the output format\nif ! sed -i raw_sast_unicode_check_out.txt -E -e 's|(.*:[0-9]+)(.*)|\\1: warning:\\2|' -e 's|^|Error: UNICONTROL_WARNING:\\n|'; then\n  echo \"Error: failed to translate the unicontrol output format\" \u003e\u00262\n  note=\"Task sast-unicode-check-oci-ta-min failed: For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n  echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 1\nfi\n\n# Process all results as configured with CSGERP_OPTS\nCSGERP_OPTS=(\n  --mode=json\n  --remove-duplicates\n  --embed-context=3\n  --set-scan-prop=\"${SCAN_PROP}\"\n  --strip-path-prefix=\"${SOURCE_CODE_DIR}\"/source/\n)\n# In order to generate csdiff/v1, we need to add the whole path of the source code as\n# sast-unicode-check only provides an URI to embed the context\nif ! csgrep \"${CSGERP_OPTS[@]}\" raw_sast_unicode_check_out.txt \u003eprocessed_sast_unicode_check_out.json 2\u003eprocessed_sast_unicode_check_out.err; then\n  echo \"Error occurred while running csgrep with CSGERP_OPTS:\"\n  cat processed_sast_unicode_check_out.err\n  note=\"Task sast-unicode-check-oci-ta-min failed: For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n  echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 1\nfi\n\ncsgrep --mode=evtstat processed_sast_unicode_check_out.json\n\nif [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n  KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\nfi\nPROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n# create the KFP clone directory regardless\nKFP_DIR=\"known-false-positives\"\nKFP_CLONED=\"0\"\nmkdir \"${KFP_DIR}\"\n\n# We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\nif [[ -n \"${KFP_GIT_URL}\" ]]; then\n  # Default location only reachable from internal Konflux instances, check reachable first\n  echo -n \"INFO: Probing ${PROBE_URL}... \"\n  if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n    echo \"INFO: Trying to clone known-false-positives..\"\n    git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n  fi\nfi\n\n# If KFP clone failed, use the unfiltered results\nif [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n  echo \"WARN: Failed to clone known-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\n  mv processed_sast_unicode_check_out.json sast_unicode_check_out.json\nelse\n  echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n  # Build initial csfilter-kfp command\n  csfilter_kfp_cmd=(\n    csfilter-kfp\n    --verbose\n    --kfp-dir=\"${KFP_DIR}\"\n    --project-nvr=\"${PROJECT_NAME}\"\n  )\n\n  # Append --record-excluded option if RECORD_EXCLUDED is true\n  if [[ \"${RECORD_EXCLUDED}\" == \"true\" ]]; then\n    csfilter_kfp_cmd+=(--record-excluded=\"excluded-findings.json\")\n  fi\n\n  # Execute the command and capture any errors\n  set +e\n  \"${csfilter_kfp_cmd[@]}\" processed_sast_unicode_check_out.json \u003esast_unicode_check_out.json 2\u003esast_unicode_check_out.error\n  status=$?\n  set -e\n  if [ \"$status\" -ne 0 ]; then\n    echo \"WARN: failed to filter known false positives\" \u003e\u00262\n    mv processed_sast_unicode_check_out.json sast_unicode_check_out.json\n  else\n    echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n  fi\nfi\n\n# Generate sarif report\ncsgrep --mode=sarif sast_unicode_check_out.json \u003esast_unicode_check_out.sarif\nif [[ \"${FUC_EXIT_CODE}\" -eq 0 ]]; then\n  note=\"Task sast-unicode-check-oci-ta-min success: No finding was detected\"\n  ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelif [[ \"${FUC_EXIT_CODE}\" -eq 1 ]] \u0026\u0026 [[ ! -s sast_unicode_check_out.sarif ]]; then\n  note=\"Task sast-unicode-check-oci-ta-min success: Some findings were detected, but filtered by known false positive\"\n  ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelse\n  echo \"sast-unicode-check test failed because of the following issues:\"\n  cat sast_unicode_check_out.json\n  TEST_OUTPUT=\n  parse_test_output \"sast-unicode-check-oci-ta-min\" sarif sast_unicode_check_out.sarif || true\n  note=\"Task sast-unicode-check-oci-ta-min failed: For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/var/workdir/source"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/build-e2e-tgco/gh-test-custom-branch-yzhzel:0b8966f654b92a5d9a54563e7d992d5da5ffb987"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:509b92556719ccd470985db3226532ff1ffd17b81d91d9cf792a64340865f112"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:da693a7dcbadafc9f4422ae6600b41b2847944f7f14c5622827d6f58c727cf08",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\n\nif [ -z \"${IMAGE_URL}\" ]; then\n  echo 'No image-url param provided. Skipping upload.'\n  exit 0\nfi\n\nUPLOAD_FILES=\"sast_unicode_check_out.sarif excluded-findings.json\"\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n  if [ ! -f \"${UPLOAD_FILE}\" ]; then\n    echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n    continue\n  fi\n\n  if [ \"${UPLOAD_FILE}\" == \"excluded-findings.json\" ]; then\n    MEDIA_TYPE=application/json\n  else\n    MEDIA_TYPE=application/sarif+json\n  fi\n\n  echo \"Selecting auth\"\n  select-oci-auth \"${IMAGE_URL}\" \u003e\"${HOME}/auth.json\"\n  echo \"Attaching to ${IMAGE_URL}\"\n  retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"\ndone\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/var/workdir/source"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "emptyDir": {},
                            "name": "workdir"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/devfile-sample-hello-world-bwbcqf?rev=0b8966f654b92a5d9a54563e7d992d5da5ffb987",
                    "build.appstudio.redhat.com/commit_sha": "0b8966f654b92a5d9a54563e7d992d5da5ffb987",
                    "build.appstudio.redhat.com/target_branch": "base-zmwpiw",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "base-zmwpiw",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "85920088888",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "incoming",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-tlgpcf",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://localhost:9443/ns/build-e2e-tgco/pipelinerun/gh-test-custom-branch-yzhzel-on-push-rjfkj",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"base-zmwpiw\"",
                    "pipelinesascode.tekton.dev/original-prname": "gh-test-custom-branch-yzhzel-on-push",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/devfile-sample-hello-world-bwbcqf",
                    "pipelinesascode.tekton.dev/repository": "github-com-redhat-appstudio-qe-devfile-sample-hello-world-bwbcqf",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "incoming",
                    "pipelinesascode.tekton.dev/sha": "0b8966f654b92a5d9a54563e7d992d5da5ffb987",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/devfile-sample-hello-world-bwbcqf/commit/0b8966f654b92a5d9a54563e7d992d5da5ffb987",
                    "pipelinesascode.tekton.dev/source-branch": "base-zmwpiw",
                    "pipelinesascode.tekton.dev/source-repo-url": "",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "devfile-sample-hello-world-bwbcqf",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "build-e2e-tgco/results/581f53f1-956b-4f98-81ae-87512432087f/records/e9ea21b5-1f90-4844-9569-070110745a8e",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"devfile-sample-hello-world-bwbcqf\",\"commit\":\"0b8966f654b92a5d9a54563e7d992d5da5ffb987\",\"eventType\":\"incoming\"}",
                    "results.tekton.dev/result": "build-e2e-tgco/results/581f53f1-956b-4f98-81ae-87512432087f",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux"
                },
                "creationTimestamp": "2026-07-08T16:11:47Z",
                "deletionGracePeriodSeconds": 0,
                "deletionTimestamp": "2026-07-08T16:13:15Z",
                "finalizers": [
                    "results.tekton.dev/taskrun"
                ],
                "generation": 2,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "build-suite-test-application-arnl",
                    "appstudio.openshift.io/component": "gh-test-custom-branch-yzhzel",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "85920088888",
                    "pipelinesascode.tekton.dev/event-type": "incoming",
                    "pipelinesascode.tekton.dev/original-prname": "gh-test-custom-branch-yzhzel-on-push",
                    "pipelinesascode.tekton.dev/repository": "thub-com-redhat-appstudio-qe-devfile-sample-hello-world-bwbcqf",
                    "pipelinesascode.tekton.dev/sha": "0b8966f654b92a5d9a54563e7d992d5da5ffb987",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "devfile-sample-hello-world-bwbcqf",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "gh-test-custom-branch-yzhzel-on-push-rjfkj",
                    "tekton.dev/pipelineRun": "gh-test-custom-branch-yzhzel-on-push-rjfkj",
                    "tekton.dev/pipelineRunUID": "581f53f1-956b-4f98-81ae-87512432087f",
                    "tekton.dev/pipelineTask": "tpa-scan",
                    "tekton.dev/task": "tpa-scan"
                },
                "name": "gh-test-custom-branch-yzhzel-on-push-rjfkj-tpa-scan",
                "namespace": "build-e2e-tgco",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "gh-test-custom-branch-yzhzel-on-push-rjfkj",
                        "uid": "581f53f1-956b-4f98-81ae-87512432087f"
                    }
                ],
                "resourceVersion": "32385",
                "uid": "e9ea21b5-1f90-4844-9569-070110745a8e"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:509b92556719ccd470985db3226532ff1ffd17b81d91d9cf792a64340865f112"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/build-e2e-tgco/gh-test-custom-branch-yzhzel:0b8966f654b92a5d9a54563e7d992d5da5ffb987"
                    }
                ],
                "serviceAccountName": "build-pipeline-gh-test-custom-branch-yzhzel",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "tpa-scan"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-tpa-scan:0.1@sha256:8375c9e4ee2ee417881120187be1281c50b85a8b23d8d24785e1dc96a3018c8e"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-08T16:12:09Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-08T16:12:09Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "gh-test-custom-branch-yzhzel-on-push-rjfkj-tpa-scan-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "8375c9e4ee2ee417881120187be1281c50b85a8b23d8d24785e1dc96a3018c8e"
                        },
                        "entryPoint": "tpa-scan",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-tpa-scan"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/build-e2e-tgco/gh-test-custom-branch-yzhzel:0b8966f654b92a5d9a54563e7d992d5da5ffb987\", \"digests\": [\"sha256:509b92556719ccd470985db3226532ff1ffd17b81d91d9cf792a64340865f112\"]}}\n"
                    },
                    {
                        "name": "REPORTS",
                        "type": "string",
                        "value": "{\"sha256:509b92556719ccd470985db3226532ff1ffd17b81d91d9cf792a64340865f112\":\"sha256:3069a659c00d6e20a17a752030caacbb5d7cb4e69a9e75920c1791726188265a\"}\n"
                    },
                    {
                        "name": "SCAN_OUTPUT",
                        "type": "string",
                        "value": "{\"vulnerabilities\":{\"critical\":0,\"high\":0,\"medium\":0,\"low\":0,\"unknown\":0},\"unpatched_vulnerabilities\":{\"critical\":0,\"high\":0,\"medium\":0,\"low\":0,\"unknown\":0}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-08T16:12:08+00:00\",\"note\":\"Task tpa-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by TPA.\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-08T16:11:49Z",
                "steps": [
                    {
                        "container": "step-get-vulnerabilities",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:724ecf16a1fc9b51a1b20c91c5125556c53d471d0d8db1648d2404e4715f204e",
                        "name": "get-vulnerabilities",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://205381d36bbf09a9c84280e2519c85e70a7e42b18611200300f7e042b04bd24a",
                            "exitCode": 0,
                            "finishedAt": "2026-07-08T16:12:04Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-08T16:11:59Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-oci-attach-report",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:1abfe4e50d4e961d0fd9790202565f93ee650fe8dfc50932c94989acba10485f",
                        "name": "oci-attach-report",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://104d381b3c44694b78f61931a85c07b1249b454e5a2a89f2f0e8a37094047037",
                            "exitCode": 0,
                            "finishedAt": "2026-07-08T16:12:07Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-08T16:12:04Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-conftest-vulnerabilities",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:deabe80a01dca3a8a0edb709324e30cbf0baa176f7a181bbb695323f506f7aac",
                        "name": "conftest-vulnerabilities",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://e680d07ed3e2516fcbd2b8cc35683b84eab96547d3009bc7f7efd407d8e0cf62",
                            "exitCode": 0,
                            "finishedAt": "2026-07-08T16:12:08Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/build-e2e-tgco/gh-test-custom-branch-yzhzel:0b8966f654b92a5d9a54563e7d992d5da5ffb987\\\", \\\"digests\\\": [\\\"sha256:509b92556719ccd470985db3226532ff1ffd17b81d91d9cf792a64340865f112\\\"]}}\\n\",\"type\":1},{\"key\":\"REPORTS\",\"value\":\"{\\\"sha256:509b92556719ccd470985db3226532ff1ffd17b81d91d9cf792a64340865f112\\\":\\\"sha256:3069a659c00d6e20a17a752030caacbb5d7cb4e69a9e75920c1791726188265a\\\"}\\n\",\"type\":1},{\"key\":\"SCAN_OUTPUT\",\"value\":\"{\\\"vulnerabilities\\\":{\\\"critical\\\":0,\\\"high\\\":0,\\\"medium\\\":0,\\\"low\\\":0,\\\"unknown\\\":0},\\\"unpatched_vulnerabilities\\\":{\\\"critical\\\":0,\\\"high\\\":0,\\\"medium\\\":0,\\\"low\\\":0,\\\"unknown\\\":0}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-08T16:12:08+00:00\\\",\\\"note\\\":\\\"Task tpa-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by TPA.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-08T16:12:08Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans container images for vulnerabilities using the TPA vulnerability scanner, by comparing the components of container image against the vulnerability databases.",
                    "params": [
                        {
                            "description": "Image digest to scan.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The platform which will be scanned by this task.",
                            "name": "image-platform",
                            "type": "string"
                        },
                        {
                            "default": "https://exhort.stage.devshift.net/api/v5/analysis",
                            "description": "The url of the TPA instance which will be used for scanning.",
                            "name": "tpa-url",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "If true, skips uploading the results to the image registry. Useful for read-only tests.",
                            "name": "skip-oci-attach-report",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "TPA scan result.",
                            "name": "SCAN_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        },
                        {
                            "description": "Mapping of image digests to report digests",
                            "name": "REPORTS",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "volumeMounts": [
                            {
                                "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                "name": "trusted-ca",
                                "readOnly": true,
                                "subPath": "ca-bundle.crt"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "800m",
                                    "memory": "2Gi"
                                },
                                "requests": {
                                    "cpu": "800m",
                                    "memory": "2Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/build-e2e-tgco/gh-test-custom-branch-yzhzel:0b8966f654b92a5d9a54563e7d992d5da5ffb987"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:509b92556719ccd470985db3226532ff1ffd17b81d91d9cf792a64340865f112"
                                },
                                {
                                    "name": "IMAGE_PLATFORM"
                                },
                                {
                                    "name": "TPA_URL",
                                    "value": "https://exhort.stage.devshift.net/api/v5/analysis"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.53@sha256:724ecf16a1fc9b51a1b20c91c5125556c53d471d0d8db1648d2404e4715f204e",
                            "imagePullPolicy": "Always",
                            "name": "get-vulnerabilities",
                            "script": "#!/usr/bin/env bash\n\nset -o nounset\nset -o pipefail\n# shellcheck source=/utils.sh\n. /utils.sh\n\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo $imagewithouttag@$IMAGE_DIGEST)\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\n\necho \"Inspecting raw image manifest $imageanddigest.\"\n# Get the arch and image manifests by inspecting the image. This is mainly for identifying image indexes\necho \"Selecting auth\"\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"${imageanddigest}\" \u003e/tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\nimage_manifests=$(get_image_manifests -i \"${imageanddigest}\")\nif [ -n \"$image_manifests\" ]; then\n  echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"' | while read -r arch arch_sha; do\n    echo \"$arch_sha\" \u003e /tekton/home/image-manifest-$arch.sha\n  done\nelse\n  echo \"Failed to get image manifests from image \\\"$imageanddigest\\\"\"\n  note=\"Task tpa-scan failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n  echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\n\ntpa_scan() {\n  local sbom_file=${1}\n  local arch=${2}\n  local sbom_format\n\n  sbom_format=$(jq -r 'if .bomFormat == \"CycloneDX\" then \"cyclonedx\" else \"spdx\" end' \u003c \"${sbom_file}\")\n  retry curl -f --show-error -L -X POST -T \"${sbom_file}\" -H \"Content-Type:application/vnd.${sbom_format}+json\" \"${TPA_URL}\" | tee  \"tpa-report-${arch}.json\";\n}\n\nrun_tpa_on_arch() {\n  local arch=\"$1\"\n  local sha_file=\"image-manifest-${arch}.sha\"\n  local sbom_file_path=\"/tmp/sbom-${arch}.json\"\n  local arch_sha=\"\"\n\n  if [ -e \"${sha_file}\" ]; then\n    arch_sha=$(\u003c\"${sha_file}\")\n    arch_imageanddigest=$(echo -n \"${imagewithouttag}@${arch_sha}\")\n  else\n    echo \"Couldn't find the SHA file for the requested architecture.\"\n    exit 1\n  fi\n\n  echo \"Selecting auth\"\n  mkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"${arch_imageanddigest}\" \u003e/tmp/auth/config.json\n  export DOCKER_CONFIG=/tmp/auth\n\n  # Attempt to download the SBOM file via cosign\n\n  if ! retry cosign download sbom \"${arch_imageanddigest}\" \u003e \"${sbom_file_path}\"; then\n    echo \"Unable to download SBOM for the architecture ${arch}.\"\n    exit 1\n  fi\n\n  if [ -e \"${sbom_file_path}\" ]; then\n    local arch_sha\n    arch_sha=$(\u003c\"$sha_file\")\n\n    echo \"Running TPA scan on $arch image manifest...\"\n    tpa_scan \"${sbom_file_path}\" \"$arch\" || true\n\n    digests_processed+=(\"\\\"$arch_sha\\\"\")\n  else\n    echo \"Couldn't find the SBOM file for the requested ${arch} architecture.\"\n    exit 1\n  fi\n}\n\nplatform=\"${IMAGE_PLATFORM}\"\n\n# If a platform is specified, extract the architecture and run the tpa scan on the corresponding image manifest\nif [ -n \"$platform\" ]; then\n  arch=\"${platform#*/}\"\n  if [ \"$arch\" = \"x86_64\" ] || [ \"$arch\" = \"local\" ] || [ \"$arch\" = \"localhost\" ]; then\n    arch=\"amd64\"\n  fi\n  # Validate against supported arch list. If it's not a known arch, fallback to amd64\n  case \"$arch\" in\n    amd64|ppc64le|arm64|s390x)\n      ;;\n    *)\n      echo \"Error: Unsupported or malformed architecture: '$arch' (parsed from platform: '$platform')\"\n      exit 1\n      ;;\n  esac\n\n  run_tpa_on_arch \"$arch\"\n\n# If no platform is specified, run TPA scan on all available image manifests\nelse\n  for sha_file in image-manifest-*.sha; do\n    if [ -e \"$sha_file\" ]; then\n      arch=$(basename \"$sha_file\" | sed 's/image-manifest-//;s/.sha//')\n      run_tpa_on_arch \"$arch\"\n    fi\n  done\nfi\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n  digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\n\nimages_processed=$(echo \"${images_processed_template/\\[%s]/[$digests_processed_string]}\")\necho \"$images_processed\" \u003e images-processed.json\n",
                            "workingDir": "/tekton/home"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SKIP_OCI_ATTACH_REPORT",
                                    "value": "false"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/build-e2e-tgco/gh-test-custom-branch-yzhzel:0b8966f654b92a5d9a54563e7d992d5da5ffb987"
                                }
                            ],
                            "image": "quay.io/konflux-ci/task-runner:1.6.0@sha256:1abfe4e50d4e961d0fd9790202565f93ee650fe8dfc50932c94989acba10485f",
                            "name": "oci-attach-report",
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nif [ \"$SKIP_OCI_ATTACH_REPORT\" = \"true\" ]; then\n  echo 'OCI attach report skipped by parameter.'\n  echo '{}' \u003e reports.json\n  exit 0\nfi\n\nif ! compgen -G \"tpa-report-*.json\" \u003e /dev/null; then\n  echo 'No TPA reports generated. Skipping upload.'\n  echo '{}' \u003e reports.json\n  exit 0\nfi\n\nrepository=\"${IMAGE_URL/:*/}\"\n\narch() {\n  report_file=\"$1\"\n  arch=\"${report_file/*-}\"\n  echo \"${arch/.json/}\"\n}\n\nMEDIA_TYPE='application/vnd.redhat.tpa-report+json'\n\nreports_json=\"{}\"\nfor f in tpa-report-*.json; do\n  digest=$(cat \"image-manifest-$(arch \"$f\").sha\")\n  image_ref=\"${repository}@${digest}\"\n  mkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"${image_ref}\" \u003e/tmp/auth/config.json\n  export DOCKER_CONFIG=/tmp/auth\n  echo \"Attaching $f to ${image_ref}\"\n  if ! report_digest=\"$(retry oras attach --no-tty --format go-template='{{.digest}}' --registry-config \\\n    \"/tmp/auth/config.json\" --artifact-type \"${MEDIA_TYPE}\" \"${image_ref}\" \"$f:${MEDIA_TYPE}\")\"\n  then\n    echo \"Failed to attach ${f} to ${image_ref}\"\n    exit 1\n  fi\n  # shellcheck disable=SC2016\n  reports_json=\"$(yq --output-format json --indent=0 eval-all '. as $i ireduce ({}; . * $i)' \u003c(echo \"${reports_json}\") \u003c(echo \"${digest}: ${report_digest}\"))\"\ndone\necho \"${reports_json}\" \u003e reports.json\n",
                            "workingDir": "/tekton/home"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/redhat-user-workloads/rhtap-integration-tenant/konflux-test:v1.4.52@sha256:deabe80a01dca3a8a0edb709324e30cbf0baa176f7a181bbb695323f506f7aac",
                            "name": "conftest-vulnerabilities",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\ntpa_result_files=$(ls /tekton/home/tpa-report-*.json 2\u003e/dev/null || true)\nif [ -z \"$tpa_result_files\" ]; then\n  echo \"Previous step [get-vulnerabilities] failed: No tpa-report files found in /tekton/home.\"\n  exit 1\nfi\n\nmissing_vulnerabilities_files=\"\"\nfor file in $tpa_result_files; do\n  file_suffix=$(basename \"$file\" | sed 's/tpa-report-//;s/.json//')\n  if [ ! -s \"$file\" ]; then\n    echo \"Previous step [get-vulnerabilities] failed: $file is empty.\"\n  else\n    /usr/bin/conftest test --no-fail $file \\\n    --policy /project/rhtpa/vulnerabilities-check.rego --namespace required_checks \\\n    --output=json | tee /tekton/home/tpa-vulnerabilities-\"${file_suffix}\".json || true\n  fi\n\n  #check for missing \"tpa-vulnerabilities-\u003carch\u003e/image-index\" file and create a string\n  if [ ! -f \"/tekton/home/tpa-vulnerabilities-$file_suffix.json\" ]; then\n    missing_vulnerabilities_files+=\"${missing_vulnerabilities_files:+, }/tekton/home/tpa-vulnerabilities-$file_suffix.json\"\n  fi\ndone\n\nif [ -n \"$missing_vulnerabilities_files\" ]; then\n  note=\"Task tpa-scan failed: $missing_vulnerabilities_files did not generate. For details, check Tekton task log.\"\n  TEST_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n  echo \"$missing_vulnerabilities_files did not generate correctly. For details, check conftest command in Tekton task log.\"\n  echo \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT\n  exit 0\nfi\n\nscan_result='{\"vulnerabilities\":{\"critical\":0, \"high\":0, \"medium\":0, \"low\":0, \"unknown\":0}, \"unpatched_vulnerabilities\":{\"critical\":0, \"high\":0, \"medium\":0, \"low\":0, \"unknown\":0}}'\nfor file in /tekton/home/tpa-vulnerabilities-*.json; do\n    result=$(jq -rce \\\n        '{\n            vulnerabilities:{\n              critical: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_critical_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              high: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_high_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              medium: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_medium_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              low: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_low_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              unknown: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_unknown_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0)\n            },\n            unpatched_vulnerabilities:{\n              critical: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_unpatched_critical_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              high: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_unpatched_high_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              medium: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_unpatched_medium_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              low: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_unpatched_low_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              unknown: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_unpatched_unknown_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0)\n            }\n        }' \"$file\")\n\n    scan_result=$(jq -s -rce \\\n          '.[0].vulnerabilities.critical += .[1].vulnerabilities.critical |\n          .[0].vulnerabilities.high += .[1].vulnerabilities.high |\n          .[0].vulnerabilities.medium += .[1].vulnerabilities.medium |\n          .[0].vulnerabilities.low += .[1].vulnerabilities.low |\n          .[0].vulnerabilities.unknown += .[1].vulnerabilities.unknown |\n          .[0].unpatched_vulnerabilities.critical += .[1].unpatched_vulnerabilities.critical |\n          .[0].unpatched_vulnerabilities.high += .[1].unpatched_vulnerabilities.high |\n          .[0].unpatched_vulnerabilities.medium += .[1].unpatched_vulnerabilities.medium |\n          .[0].unpatched_vulnerabilities.low += .[1].unpatched_vulnerabilities.low |\n          .[0].unpatched_vulnerabilities.unknown += .[1].unpatched_vulnerabilities.unknown |\n          .[0]' \u003c\u003c\u003c\"$scan_result $result\")\ndone\n\necho \"$scan_result\" | tee \"/tekton/results/SCAN_OUTPUT\"\n\ncat /tekton/home/images-processed.json | tee /tekton/results/IMAGES_PROCESSED\n# shellcheck disable=SC2154\ncat /tekton/home/reports.json \u003e \"/tekton/results/REPORTS\"\n\nnote=\"Task tpa-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by TPA.\"\nTEST_OUTPUT=$(make_result_json -r \"SUCCESS\" -t \"$note\")\necho \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            }
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        }
    ],
    "kind": "List",
    "metadata": {
        "resourceVersion": ""
    }
}
