{ "apiVersion": "v1", "items": [ { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/devfile-sample-hello-world-ugnfpa?rev=1225300b8c50ee6bb903a5593ebc3193a343eb2e", "build.appstudio.redhat.com/commit_sha": "1225300b8c50ee6bb903a5593ebc3193a343eb2e", "build.appstudio.redhat.com/target_branch": "base-btewhq", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "9db88e0", "pipelinesascode.tekton.dev/branch": "base-btewhq", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/check-run-id": "74384039355", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-qbwbtq", "pipelinesascode.tekton.dev/git-provider": "github", "pipelinesascode.tekton.dev/installation-id": "72200095", "pipelinesascode.tekton.dev/log-url": "https://54.200.175.221:9443/ns/build-e2e-ugba/pipelinerun/gh-test-custom-branch-hotnxg-on-push-8rksp", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"base-btewhq\"", "pipelinesascode.tekton.dev/original-prname": "gh-test-custom-branch-hotnxg-on-push", "pipelinesascode.tekton.dev/pull-request": "2", "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/devfile-sample-hello-world-ugnfpa", "pipelinesascode.tekton.dev/repository": "github.com.redhat-appstudio-qe.devfile-sample-hello-world-ugnfpa", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2", "pipelinesascode.tekton.dev/sha": "1225300b8c50ee6bb903a5593ebc3193a343eb2e", "pipelinesascode.tekton.dev/sha-title": "Merge pull request #2 from redhat-appstudio-qe/konflux-gh-test-custom-branch-hotnxg\n\nkonflux-ci e2e-tests update gh-test-custom-branch-hotnxg", "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/devfile-sample-hello-world-ugnfpa/commit/1225300b8c50ee6bb903a5593ebc3193a343eb2e", "pipelinesascode.tekton.dev/source-branch": "refs/heads/base-btewhq", "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/devfile-sample-hello-world-ugnfpa", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-hello-world-ugnfpa", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-ugba/results/70378668-03a3-4c4c-b461-0ba12fa8ef96/records/e85099bb-7cbc-41aa-a729-1e2cc676a227", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"devfile-sample-hello-world-ugnfpa\",\"commit\":\"1225300b8c50ee6bb903a5593ebc3193a343eb2e\",\"eventType\":\"push\",\"pull_request-id\":2}", "results.tekton.dev/result": "build-e2e-ugba/results/70378668-03a3-4c4c-b461-0ba12fa8ef96", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "virus, konflux", "test.appstudio.openshift.io/pr-status": "merged" }, "creationTimestamp": "2026-05-05T09:21:10Z", "deletionGracePeriodSeconds": 0, "deletionTimestamp": "2026-05-05T09:21:52Z", "finalizers": [ "results.tekton.dev/taskrun" ], "generation": 2, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.42.0", "appstudio.openshift.io/application": "build-suite-test-application-zqah", "appstudio.openshift.io/component": "gh-test-custom-branch-hotnxg", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/check-run-id": "74384039355", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/original-prname": "gh-test-custom-branch-hotnxg-on-push", "pipelinesascode.tekton.dev/pull-request": "2", "pipelinesascode.tekton.dev/repository": "thub.com.redhat-appstudio-qe.devfile-sample-hello-world-ugnfpa", "pipelinesascode.tekton.dev/sha": "1225300b8c50ee6bb903a5593ebc3193a343eb2e", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-hello-world-ugnfpa", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "gh-test-custom-branch-hotnxg-on-push-8rksp", "tekton.dev/pipelineRun": "gh-test-custom-branch-hotnxg-on-push-8rksp", "tekton.dev/pipelineRunUID": "70378668-03a3-4c4c-b461-0ba12fa8ef96", "tekton.dev/pipelineTask": "clamav-scan", "tekton.dev/task": "clamav-scan" }, "name": "gh-test-custom-branch-hotnxg-on-push-8rksp-clamav-scan", "namespace": "build-e2e-ugba", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "gh-test-custom-branch-hotnxg-on-push-8rksp", "uid": "70378668-03a3-4c4c-b461-0ba12fa8ef96" } ], "resourceVersion": "18847", "uid": "e85099bb-7cbc-41aa-a729-1e2cc676a227" }, "spec": { "params": [ { "name": "image-digest", "value": "sha256:65b910b185f141b61d996d0229855413a6506173134db48cb902e722fea335a6" }, { "name": "image-url", "value": "quay.io/redhat-appstudio-qe/build-e2e-ugba/gh-test-custom-branch-hotnxg:1225300b8c50ee6bb903a5593ebc3193a343eb2e" } ], "serviceAccountName": "build-pipeline-gh-test-custom-branch-hotnxg", "taskRef": { "params": [ { "name": "name", "value": "clamav-scan" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.3@sha256:9f18b216ce71a66909e7cb17d9b34526c02d73cf12884ba32d1f10614f7b9f5a" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "1h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-05-05T09:21:38Z", "conditions": [ { "lastTransitionTime": "2026-05-05T09:21:38Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "gh-test-custom-branch-hotnxg-on-push-8rksp-clamav-scan-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "beta", "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "9f18b216ce71a66909e7cb17d9b34526c02d73cf12884ba32d1f10614f7b9f5a" }, "entryPoint": "clamav-scan", "uri": "quay.io/konflux-ci/tekton-catalog/task-clamav-scan" } }, "results": [ { "name": "IMAGES_PROCESSED", "type": "string", "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/build-e2e-ugba/gh-test-custom-branch-hotnxg:1225300b8c50ee6bb903a5593ebc3193a343eb2e\", \"digests\": [\"sha256:65b910b185f141b61d996d0229855413a6506173134db48cb902e722fea335a6\"]}}\n" }, { "name": "TEST_OUTPUT", "type": "string", "value": "{\"timestamp\":\"1777972894\",\"namespace\":\"required_checks\",\"successes\":2,\"failures\":0,\"warnings\":0,\"result\":\"SUCCESS\",\"note\":\"All checks passed successfully\"}\n" } ], "startTime": "2026-05-05T09:21:11Z", "steps": [ { "container": "step-extract-and-scan-image", "imageID": "quay.io/konflux-ci/clamav-db@sha256:d0f8397cce419ed333ffd392dd65bfa274e2942ed266fe8d72b6acb6fad8616f", "name": "extract-and-scan-image", "provenance": {}, "terminated": { "containerID": "containerd://31e2bd477210265484ded840fe44886b150b3d992c02cc7b37a261f55bbb751a", "exitCode": 0, "finishedAt": "2026-05-05T09:21:34Z", "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/build-e2e-ugba/gh-test-custom-branch-hotnxg:1225300b8c50ee6bb903a5593ebc3193a343eb2e\\\", \\\"digests\\\": [\\\"sha256:65b910b185f141b61d996d0229855413a6506173134db48cb902e722fea335a6\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1777972894\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":2,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\",\\\"note\\\":\\\"All checks passed successfully\\\"}\\n\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-05T09:21:18Z" }, "terminationReason": "Completed" }, { "container": "step-upload", "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e", "name": "upload", "provenance": {}, "terminated": { "containerID": "containerd://d915d4fdcb30b2f27af8f561794096e5060154f940e6db23d2c8962236895ec0", "exitCode": 0, "finishedAt": "2026-05-05T09:21:37Z", "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/build-e2e-ugba/gh-test-custom-branch-hotnxg:1225300b8c50ee6bb903a5593ebc3193a343eb2e\\\", \\\"digests\\\": [\\\"sha256:65b910b185f141b61d996d0229855413a6506173134db48cb902e722fea335a6\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1777972894\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":2,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\",\\\"note\\\":\\\"All checks passed successfully\\\"}\\n\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-05T09:21:35Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "Scans the content of container images and OCI artifacts for viruses, malware, and other malicious content using ClamAV antivirus scanner.", "params": [ { "description": "Image digest to scan.", "name": "image-digest", "type": "string" }, { "description": "Image URL.", "name": "image-url", "type": "string" }, { "default": "", "description": "Image arch.", "name": "image-arch", "type": "string" }, { "default": "", "description": "unused", "name": "docker-auth", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "ca-trust-config-map-name", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "ca-trust-config-map-key", "type": "string" }, { "default": "8", "description": "Maximum number of threads clamd runs.", "name": "clamd-max-threads", "type": "string" }, { "default": "false", "description": "If true, skips uploading the results to the image registry. Useful for read-only tests.", "name": "skip-upload", "type": "string" } ], "results": [ { "description": "Tekton task test output.", "name": "TEST_OUTPUT", "type": "string" }, { "description": "Images processed in the task.", "name": "IMAGES_PROCESSED", "type": "string" } ], "steps": [ { "computeResources": { "limits": { "cpu": "7300m", "memory": "12Gi" }, "requests": { "cpu": "7300m", "memory": "12Gi" } }, "env": [ { "name": "HOME", "value": "/work" }, { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-ugba/gh-test-custom-branch-hotnxg:1225300b8c50ee6bb903a5593ebc3193a343eb2e" }, { "name": "IMAGE_DIGEST", "value": "sha256:65b910b185f141b61d996d0229855413a6506173134db48cb902e722fea335a6" }, { "name": "IMAGE_ARCH" }, { "name": "MAX_THREADS", "value": "8" } ], "image": "quay.io/konflux-ci/clamav-db:latest", "name": "extract-and-scan-image", "script": "#!/usr/bin/env bash\nset -euo pipefail\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\n# Start clamd in background\n/start-clamd.sh\n\n# Bootstrap .docker config in overridden HOME.\n# This prevents 'oc' CLI failures in clean environments where ~/.docker does not exist.\nif [ ! -d ~/.docker ]; then\n mkdir -p ~/.docker\n echo '{}' \u003e ~/.docker/config.json\nfi\n\nimagewithouttag=$(echo $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\" | tr -d '\\n')\n\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo $imagewithouttag@$IMAGE_DIGEST)\n\n# check if image is attestation one, skip the clamav scan in such case\nif [[ $imageanddigest == *.att ]]\nthen\n echo \"$imageanddigest is an attestation image. Skipping ClamAV scan.\"\n exit 0\nfi\n\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\nmkdir logs\nmkdir content\ncd content\necho \"Detecting artifact type for ${imageanddigest}.\"\necho '{\"artifact\":{\"pullspec\":\"'\"${imageanddigest}\"'\",\"type\":\"unknown\",\"mediaType\":\"\"}}' \u003e /work/logs/artifact-meta.json\n\n# Function to scan content and process results with ClamAV and EC\n# Parameters:\n# $1: destination - path to the content to scan\n# $2: suffix - suffix for log file names (e.g., \"oci\", \"amd64\")\n# $3: digest - digest to add to digests_processed array\n# $4: scan_message - optional message describing what is being scanned\nscan_and_process() {\n local destination=\"$1\"\n local suffix=\"$2\"\n local digest=\"$3\"\n local scan_message=\"${4:-Scanning content}\"\n\n db_version=$(clamdscan --version | sed 's|.*/\\(.*\\)/.*|\\1|')\n\n echo \"$scan_message. This operation may take a while.\"\n clamdscan \"${destination}\" -vi --multiscan --fdpass \\\n | tee \"/work/logs/clamscan-result-${suffix}.log\" || true\n\n echo \"Executed-on: Scan was executed on clamsdcan version - $(clamdscan --version) Database version: $db_version\" | tee -a \"/work/logs/clamscan-result-${suffix}.log\"\n\n digests_processed+=(\"\\\"$digest\\\"\")\n\n if [[ -e \"/work/logs/clamscan-result-${suffix}.log\" ]]; then\n # OPA/EC requires structured data input, add clamAV log into json\n jq -Rs '{ output: . }' \"/work/logs/clamscan-result-${suffix}.log\" \u003e \"/work/logs/clamscan-result-log-${suffix}.json\"\n\n EC_EXPERIMENTAL=1 ec test \\\n --namespace required_checks \\\n --policy /project/clamav/virus-check.rego \\\n -o json \\\n \"/work/logs/clamscan-result-log-${suffix}.json\" || true\n\n # workaround: due to a bug in ec-cli, we cannot generate json and appstudio output at the same time, running it again\n EC_EXPERIMENTAL=1 ec test \\\n --namespace required_checks \\\n --policy /project/clamav/virus-check.rego \\\n -o appstudio \\\n \"/work/logs/clamscan-result-log-${suffix}.json\" | tee \"/work/logs/clamscan-ec-test-${suffix}.json\" || true\n\n cat \"/work/logs/clamscan-ec-test-${suffix}.json\"\n fi\n}\n\n# Detect artifact type: container image vs OCI artifact\n# First, try to get image manifests (works for container images)\n# Use subshell to prevent get_image_manifests() from exiting the main script if it fails\n# (get_image_manifests uses exit 1 when Architecture field is missing, which happens for OCI artifacts)\nimage_manifests=$(bash -c '. /utils.sh; get_image_manifests -i \"'\"${imageanddigest}\"'\"' 2\u003e/dev/null || echo \"\")\n\n# If get_image_manifests failed, check if it's an OCI artifact by inspecting manifest media type\nif [ -z \"$image_manifests\" ]; then\n echo \"get_image_manifests returned empty, checking if this is an OCI artifact...\"\n raw_manifest=$(skopeo inspect --raw --authfile ~/.docker/config.json \"docker://${imageanddigest}\" 2\u003e/dev/null || true)\n if [ -s /work/logs/artifact-meta.json ]; then\n tmp=$(mktemp)\n if jq '.artifact.type = \"inspected\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n mv \"$tmp\" /work/logs/artifact-meta.json || true\n fi\n fi\n\n if [ -n \"$raw_manifest\" ]; then\n media_type=$(echo \"$raw_manifest\" | jq -r '.mediaType // .config.mediaType // empty' 2\u003e/dev/null || echo \"\")\n artifact_type=$(echo \"$raw_manifest\" | jq -r '.artifactType // empty' 2\u003e/dev/null || echo \"\")\n config_media_type=$(echo \"$raw_manifest\" | jq -r '.config.mediaType // empty' 2\u003e/dev/null || echo \"\")\n\n # Determine if this is an OCI artifact (not a container image)\n # OCI artifacts typically have:\n # - An empty/scratch config (config.mediaType contains \"empty\" or \"scratch\")\n # - An explicit artifactType field that is not a container image type\n is_oci_artifact=false\n\n # Check if config is empty/scratch (typical for OCI artifacts like python wheels, helm charts, etc.)\n if echo \"$config_media_type\" | grep -qiE \"(empty|scratch)\"; then\n is_oci_artifact=true\n fi\n\n # Check if artifactType is set and is not a container image type\n if [ -n \"$artifact_type\" ] \u0026\u0026 ! echo \"$artifact_type\" | grep -qE \"application/vnd\\.(oci|docker)\\.(image|container)\"; then\n is_oci_artifact=true\n fi\n\n if [ \"$is_oci_artifact\" = true ]; then\n # This is an OCI artifact (e.g., python wheels, helm charts, etc.)\n echo \"Detected OCI artifact (artifactType: ${artifact_type:-unset}, config.mediaType: ${config_media_type:-unset}). Downloading for scanning...\"\n if [ -s /work/logs/artifact-meta.json ]; then\n tmp=$(mktemp)\n if jq '.artifact.mediaType = '\"\\\"${media_type:-unknown}\\\"\"' | .artifact.artifactType = '\"\\\"${artifact_type:-unknown}\\\"\"' | .artifact.type = \"oci\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n mv \"$tmp\" /work/logs/artifact-meta.json || true\n fi\n fi\n destination=\"content-oci\"\n mkdir -p \"$destination\"\n\n # Download OCI artifact using skopeo copy\n echo \"Downloading OCI artifact using skopeo copy\"\n if ! retry skopeo copy --authfile ~/.docker/config.json \"docker://${imageanddigest}\" \"dir:${destination}\" 2\u003e\u00261; then\n echo \"Failed to download OCI artifact \\\"$imageanddigest\\\". Skipping ClamAV scan!\"\n note=\"Task clamav-scan failed: Failed to download OCI artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 0\n fi\n\n # Scan and process OCI artifact\n scan_and_process \"${destination}\" \"oci\" \"$IMAGE_DIGEST\" \"Scanning OCI artifact\"\n\n # Skip the container image processing path\n image_manifests=\"\"\n elif echo \"$media_type\" | grep -qE \"(application/vnd\\.(docker|oci)\\.(distribution|image)\\.manifest|application/vnd\\.docker\\.distribution\\.manifest)\"; then\n # This looks like a container image manifest, but get_image_manifests failed\n echo \"Detected container image manifest type: $media_type, but get_image_manifests failed. This may indicate an error.\"\n if [ -s /work/logs/artifact-meta.json ]; then\n tmp=$(mktemp)\n if jq '.artifact.mediaType = '\"\\\"$media_type\\\"\"' | .artifact.type = \"image\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n mv \"$tmp\" /work/logs/artifact-meta.json || true\n fi\n fi\n note=\"Task clamav-scan failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 0\n else\n # Likely an OCI artifact with non-standard media type\n echo \"Detected OCI artifact (media type: ${media_type:-unknown}). Downloading for scanning...\"\n if [ -s /work/logs/artifact-meta.json ]; then\n tmp=$(mktemp)\n if jq '.artifact.mediaType = '\"\\\"${media_type:-unknown}\\\"\"' | .artifact.type = \"oci\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n mv \"$tmp\" /work/logs/artifact-meta.json || true\n fi\n fi\n destination=\"content-oci\"\n mkdir -p \"$destination\"\n\n # Download OCI artifact using skopeo copy\n echo \"Downloading OCI artifact using skopeo copy\"\n if ! retry skopeo copy --authfile ~/.docker/config.json \"docker://${imageanddigest}\" \"dir:${destination}\" 2\u003e\u00261; then\n echo \"Failed to download OCI artifact \\\"$imageanddigest\\\". Skipping ClamAV scan!\"\n note=\"Task clamav-scan failed: Failed to download OCI artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 0\n fi\n\n # Scan and process OCI artifact\n scan_and_process \"${destination}\" \"oci\" \"$IMAGE_DIGEST\" \"Scanning OCI artifact\"\n\n # Skip the container image processing path\n image_manifests=\"\"\n fi\n else\n echo \"Failed to inspect artifact \\\"$imageanddigest\\\". Unable to determine type.\"\n note=\"Task clamav-scan failed: Failed to inspect artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 0\n fi\nfi\n\n# Process container images (existing logic)\nif [ -n \"$image_manifests\" ]; then\n echo \"Detected container image. Processing image manifests.\"\n if [ -s /work/logs/artifact-meta.json ]; then\n tmp=$(mktemp)\n if jq '.artifact.type = \"image\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n mv \"$tmp\" /work/logs/artifact-meta.json || true\n fi\n fi\n # Proceed only if a specific arch is provided.\n # This typically occurs when using Tekton Matrix to launch multiple TaskRuns to scan all architectures of a multi-arch image in parallel.\n if [ -n \"$IMAGE_ARCH\" ]; then\n arch=\"${IMAGE_ARCH#*/}\"\n if [ \"${arch}\" = \"x86_64\" ]; then\n arch=\"amd64\"\n fi\n\n # Check if arch is supported; if not (e.g., it's 'local', see link below), default to amd64.\n # https://github.com/redhat-appstudio/infra-deployments/blob/main/components/multi-platform-controller/production/stone-prd-rh01/host-config.yaml#L9-L14\n case \"$arch\" in\n amd64|ppc64le|arm64|s390x)\n ;;\n *)\n arch=\"amd64\"\n ;;\n esac\n\n image_manifests=$(echo \"$image_manifests\" | jq -c --arg arch \"$arch\" '{($arch): .[$arch]}')\n fi\n\n while read -r arch arch_sha; do\n destination=$(echo content-$arch)\n mkdir -p \"$destination\"\n arch_imageanddigest=$(echo $imagewithouttag@$arch_sha)\n\n echo \"Running \\\"oc image extract\\\" on image of arch $arch\"\n retry oc image extract --only-files=true --registry-config ~/.docker/config.json \"$arch_imageanddigest\" --path=\"/:${destination}\" --filter-by-os=\"linux/${arch}\"\n if [ $? -ne 0 ]; then\n echo \"Unable to extract image for arch $arch. Skipping ClamAV scan!\"\n exit 0\n fi\n\n # Scan and process container image for this architecture\n scan_and_process \"${destination}\" \"$arch\" \"$arch_sha\" \"Scanning image for arch $arch\"\n done \u003c \u003c(echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"')\nfi\n\njq -s -rce '\n reduce .[] as $item ({\"timestamp\":\"0\",\"namespace\":\"\",\"successes\":0,\"failures\":0,\"warnings\":0,\"result\":\"\",\"note\":\"\"};\n {\n \"timestamp\" : (if .timestamp \u003c $item.timestamp then $item.timestamp else .timestamp end),\n \"namespace\" : $item.namespace,\n \"successes\" : (.successes + $item.successes),\n \"failures\" : (.failures + $item.failures),\n \"warnings\" : (.warnings + $item.warnings),\n \"result\" : (if .result == \"\" or ($item.result == \"SKIPPED\" and .result == \"SUCCESS\") or ($item.result == \"WARNING\" and (.result == \"SUCCESS\" or .result == \"SKIPPED\")) or ($item.result == \"FAILURE\" and .result != \"ERROR\") or $item.result == \"ERROR\" then $item.result else .result end),\n \"note\" : (if .result == \"\" or ($item.result == \"SKIPPED\" and .result == \"SUCCESS\") or ($item.result == \"WARNING\" and (.result == \"SUCCESS\" or .result == \"SKIPPED\")) or ($item.result == \"FAILURE\" and .result != \"ERROR\") or $item.result == \"ERROR\" then $item.note else .note end)\n })' /work/logs/clamscan-ec-test-*.json | tee /tekton/results/TEST_OUTPUT\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\necho \"${images_processed_template/\\[%s]/[$digests_processed_string]}\" | tee /tekton/results/IMAGES_PROCESSED\n", "securityContext": { "capabilities": { "add": [ "SETFCAP" ] } }, "volumeMounts": [ { "mountPath": "/work", "name": "work" }, { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ], "workingDir": "/work" }, { "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "SKIP_UPLOAD", "value": "false" }, { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-ugba/gh-test-custom-branch-hotnxg:1225300b8c50ee6bb903a5593ebc3193a343eb2e" }, { "name": "IMAGE_DIGEST", "value": "sha256:65b910b185f141b61d996d0229855413a6506173134db48cb902e722fea335a6" } ], "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e", "name": "upload", "script": "#!/usr/bin/env bash\nset -e\n\n# Skip upload if requested e.g. read-only CI tests where push access is denied\nif [ \"$SKIP_UPLOAD\" == \"true\" ]; then\n echo \"Upload skipped by parameter.\"\n exit 0\nfi\n\n# Don't return a glob expression when no matches are found\nshopt -s nullglob\n\ncd logs\n\nfor UPLOAD_FILE in clamscan-result*.log; do\n MEDIA_TYPE=text/vnd.clamav\n args+=(\"${UPLOAD_FILE}:${MEDIA_TYPE}\")\ndone\nfor UPLOAD_FILE in clamscan-ec-test*.json; do\n MEDIA_TYPE=application/vnd.konflux.test_output+json\n args+=(\"${UPLOAD_FILE}:${MEDIA_TYPE}\")\ndone\n\nif [ -z \"${args}\" ]; then\n echo \"No files found. Skipping upload.\"\n exit 0;\nfi\n\necho \"Selecting auth\"\nselect-oci-auth $IMAGE_URL \u003e $HOME/auth.json\necho \"Attaching to ${IMAGE_URL}\"\n retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type application/vnd.clamav \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${args[@]}\"\n", "volumeMounts": [ { "mountPath": "/work", "name": "work" }, { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ], "workingDir": "/work" } ], "volumes": [ { "emptyDir": {}, "name": "dbfolder" }, { "emptyDir": {}, "name": "work" }, { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" } ] } } } ], "kind": "List", "metadata": { "resourceVersion": "" } }