{ "apiVersion": "v1", "items": [ { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://gitlab.com/konflux-qe/devfile-sample-hello-world-wsxzsz/-/tree/b53dfac8d719d750138ba9ade475be2685ee45a5", "build.appstudio.redhat.com/commit_sha": "b53dfac8d719d750138ba9ade475be2685ee45a5", "build.appstudio.redhat.com/target_branch": "base-qbmwpi", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "9db88e0", "pipelinesascode.tekton.dev/branch": "base-qbmwpi", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-kwtevk", "pipelinesascode.tekton.dev/git-provider": "gitlab", "pipelinesascode.tekton.dev/log-url": "https://52.11.17.101:9443/ns/build-e2e-qwjf/pipelinerun/gl-test-custom-branch-sxempf-on-push-4prvw", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"base-qbmwpi\"", "pipelinesascode.tekton.dev/original-prname": "gl-test-custom-branch-sxempf-on-push", "pipelinesascode.tekton.dev/repo-url": "https://gitlab.com/konflux-qe/devfile-sample-hello-world-wsxzsz", "pipelinesascode.tekton.dev/repository": "gl-test-custom-branch-sxempf", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "konflux-ci-qe-bot", "pipelinesascode.tekton.dev/sha": "b53dfac8d719d750138ba9ade475be2685ee45a5", "pipelinesascode.tekton.dev/sha-title": "Merge branch 'konflux-gl-test-custom-branch-sxempf' into 'base-qbmwpi'", "pipelinesascode.tekton.dev/sha-url": "https://gitlab.com/konflux-qe/devfile-sample-hello-world-wsxzsz/-/commit/b53dfac8d719d750138ba9ade475be2685ee45a5", "pipelinesascode.tekton.dev/source-branch": "refs/heads/base-qbmwpi", "pipelinesascode.tekton.dev/source-project-id": "80245652", "pipelinesascode.tekton.dev/source-repo-url": "https://gitlab.com/konflux-qe/devfile-sample-hello-world-wsxzsz", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/target-project-id": "80245652", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-hello-world-wsxzsz", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-qwjf/results/22c6f68a-72b3-49cb-8eeb-d3a074cd1459/records/0210e516-d7b7-4c6f-ae17-533b5cde0110", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"devfile-sample-hello-world-wsxzsz\",\"commit\":\"b53dfac8d719d750138ba9ade475be2685ee45a5\",\"eventType\":\"push\"}", "results.tekton.dev/result": "build-e2e-qwjf/results/22c6f68a-72b3-49cb-8eeb-d3a074cd1459", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "konflux" }, "creationTimestamp": "2026-03-13T17:13:58Z", "deletionGracePeriodSeconds": 0, "deletionTimestamp": "2026-03-13T17:14:59Z", "finalizers": [ "results.tekton.dev/taskrun" ], "generation": 2, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.42.0", "appstudio.openshift.io/application": "build-suite-test-application-kiif", "appstudio.openshift.io/component": "gl-test-custom-branch-sxempf", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/original-prname": "gl-test-custom-branch-sxempf-on-push", "pipelinesascode.tekton.dev/repository": "gl-test-custom-branch-sxempf", "pipelinesascode.tekton.dev/sha": "b53dfac8d719d750138ba9ade475be2685ee45a5", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-hello-world-wsxzsz", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "gl-test-custom-branch-sxempf-on-push-4prvw", "tekton.dev/pipelineRun": "gl-test-custom-branch-sxempf-on-push-4prvw", "tekton.dev/pipelineRunUID": "22c6f68a-72b3-49cb-8eeb-d3a074cd1459", "tekton.dev/pipelineTask": "coverity-availability-check", "tekton.dev/task": "coverity-availability-check" }, "name": "gl-ac0d9370ed341a29c9ab95a17e5bc4ae-coverity-availability-check", "namespace": "build-e2e-qwjf", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "gl-test-custom-branch-sxempf-on-push-4prvw", "uid": "22c6f68a-72b3-49cb-8eeb-d3a074cd1459" } ], "resourceVersion": "60244", "uid": "0210e516-d7b7-4c6f-ae17-533b5cde0110" }, "spec": { "serviceAccountName": "build-pipeline-gl-test-custom-branch-sxempf", "taskRef": { "params": [ { "name": "name", "value": "coverity-availability-check" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check:0.2@sha256:de35caf2f090e3275cfd1019ea50d9662422e904fb4aebd6ea29fb53a1ad57f5" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "1h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-03-13T17:14:21Z", "conditions": [ { "lastTransitionTime": "2026-03-13T17:14:21Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "gl-ac0d9370ed341a29c9ab95a1232c2fca826ce2739165b70924bada8e-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "beta", "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "de35caf2f090e3275cfd1019ea50d9662422e904fb4aebd6ea29fb53a1ad57f5" }, "entryPoint": "coverity-availability-check", "uri": "quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check" } }, "results": [ { "name": "STATUS", "type": "string", "value": "failed" }, { "name": "TEST_OUTPUT", "type": "string", "value": "{\"result\":\"FAILURE\",\"timestamp\":\"2026-03-13T17:14:20+00:00\",\"note\":\"Task coverity-availability-check failed: No license file for Coverity was detected. Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license\",\"namespace\":\"default\",\"successes\":0,\"failures\":1,\"warnings\":0}\n" } ], "startTime": "2026-03-13T17:13:59Z", "steps": [ { "container": "step-coverity-availability-check", "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9", "name": "coverity-availability-check", "provenance": {}, "terminated": { "containerID": "containerd://7e3fc4b7ed9e902d1c064d5c733ca7048eb46309cb8e6c2466c01574e4e7bce0", "exitCode": 0, "finishedAt": "2026-03-13T17:14:20Z", "message": "[{\"key\":\"STATUS\",\"value\":\"failed\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"FAILURE\\\",\\\"timestamp\\\":\\\"2026-03-13T17:14:20+00:00\\\",\\\"note\\\":\\\"Task coverity-availability-check failed: No license file for Coverity was detected. Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":1,\\\"warnings\\\":0}\\n\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-03-13T17:14:20Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "This task performs needed checks in order to use Coverity image in the pipeline. It will check for a Coverity license secret and an authentication secret for pulling the image.", "params": [ { "default": "cov-license", "description": "Name of secret which contains the Coverity license", "name": "COV_LICENSE", "type": "string" }, { "default": "auth-token-coverity-image", "description": "Name of secret which contains the authentication token for pulling the Coverity image.", "name": "AUTH_TOKEN_COVERITY_IMAGE", "type": "string" } ], "results": [ { "description": "Tekton task result output.", "name": "TEST_OUTPUT", "type": "string" }, { "description": "Tekton task simple status to be later checked", "name": "STATUS", "type": "string" } ], "steps": [ { "computeResources": { "limits": { "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "COV_LICENSE", "value": "cov-license" }, { "name": "AUTH_TOKEN_COVERITY_IMAGE", "value": "auth-token-coverity-image" } ], "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9", "name": "coverity-availability-check", "script": "#!/usr/bin/env bash\nset -eo pipefail\n# shellcheck source=/dev/null\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\n# Checking Coverity license\nCOV_LICENSE_PATH=/etc/secrets/cov/cov-license\nif [ -f \"${COV_LICENSE_PATH}\" ] \u0026\u0026 [ -s \"${COV_LICENSE_PATH}\" ]; then\n echo \"Coverity license detected!\"\nelse\n echo 'No license file for Coverity was detected. Coverity scan will not be executed...'\n echo 'Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license'\n note=\"Task coverity-availability-check failed: No license file for Coverity was detected. Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license\"\n TEST_OUTPUT=$(make_result_json -r FAILURE -t \"$note\" -f 1)\n echo -n \"failed\" | tee \"/tekton/results/STATUS\"\n echo \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 0\nfi\n\n# Checking authentication token for downloading coverity image\nAUTH_TOKEN_COVERITY_IMAGE_PATH=/etc/secrets/auth/config.json\nif [ -f \"${AUTH_TOKEN_COVERITY_IMAGE_PATH}\" ] \u0026\u0026 [ -s \"${AUTH_TOKEN_COVERITY_IMAGE_PATH}\" ]; then\n echo \"Authentication token detected!\"\nelse\n echo 'No authentication token for downloading Coverity image detected. Coverity scan will not be executed...'\n echo 'Please, create an imagePullSecret named 'auth-token-coverity-image' with the authentication token for pulling the Coverity image'\n note=\"Task coverity-availability-check failed: No authentication token for downloading Coverity image detected. Please, create an imagePullSecret named 'auth-token-coverity-image' with the authentication token for pulling the Coverity image\"\n TEST_OUTPUT=$(make_result_json -r FAILURE -t \"$note\" -f 1)\n echo -n \"failed\" | tee \"/tekton/results/STATUS\"\n echo \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 0\nfi\n\nnote=\"Task coverity-availability-check completed: Coverity availability checks finished succesfully.\"\n# shellcheck disable=SC2034\nTEST_OUTPUT=$(make_result_json -r SUCCESS -s 1 -t \"$note\")\necho -n \"success\" | tee \"/tekton/results/STATUS\"\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n", "volumeMounts": [ { "mountPath": "/etc/secrets/cov", "name": "cov-license", "readOnly": true }, { "mountPath": "/etc/secrets/auth/config.json", "name": "auth-token-coverity-image", "subPath": ".dockerconfigjson" } ] } ], "volumes": [ { "name": "cov-license", "secret": { "optional": true, "secretName": "cov-license" } }, { "name": "auth-token-coverity-image", "secret": { "optional": true, "secretName": "auth-token-coverity-image" } } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://gitlab.com/konflux-qe/devfile-sample-hello-world-wsxzsz/-/tree/b53dfac8d719d750138ba9ade475be2685ee45a5", "build.appstudio.redhat.com/commit_sha": "b53dfac8d719d750138ba9ade475be2685ee45a5", "build.appstudio.redhat.com/target_branch": "base-qbmwpi", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "9db88e0", "pipelinesascode.tekton.dev/branch": "base-qbmwpi", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-kwtevk", "pipelinesascode.tekton.dev/git-provider": "gitlab", "pipelinesascode.tekton.dev/log-url": "https://52.11.17.101:9443/ns/build-e2e-qwjf/pipelinerun/gl-test-custom-branch-sxempf-on-push-4prvw", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"base-qbmwpi\"", "pipelinesascode.tekton.dev/original-prname": "gl-test-custom-branch-sxempf-on-push", "pipelinesascode.tekton.dev/repo-url": "https://gitlab.com/konflux-qe/devfile-sample-hello-world-wsxzsz", "pipelinesascode.tekton.dev/repository": "gl-test-custom-branch-sxempf", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "konflux-ci-qe-bot", "pipelinesascode.tekton.dev/sha": "b53dfac8d719d750138ba9ade475be2685ee45a5", "pipelinesascode.tekton.dev/sha-title": "Merge branch 'konflux-gl-test-custom-branch-sxempf' into 'base-qbmwpi'", "pipelinesascode.tekton.dev/sha-url": "https://gitlab.com/konflux-qe/devfile-sample-hello-world-wsxzsz/-/commit/b53dfac8d719d750138ba9ade475be2685ee45a5", "pipelinesascode.tekton.dev/source-branch": "refs/heads/base-qbmwpi", "pipelinesascode.tekton.dev/source-project-id": "80245652", "pipelinesascode.tekton.dev/source-repo-url": "https://gitlab.com/konflux-qe/devfile-sample-hello-world-wsxzsz", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/target-project-id": "80245652", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-hello-world-wsxzsz", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-qwjf/results/22c6f68a-72b3-49cb-8eeb-d3a074cd1459/records/ab02cfcd-e435-4db1-b2b8-ded2a1d87364", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"devfile-sample-hello-world-wsxzsz\",\"commit\":\"b53dfac8d719d750138ba9ade475be2685ee45a5\",\"eventType\":\"push\"}", "results.tekton.dev/result": "build-e2e-qwjf/results/22c6f68a-72b3-49cb-8eeb-d3a074cd1459", "results.tekton.dev/stored": "true" }, "creationTimestamp": "2026-03-13T17:13:58Z", "deletionGracePeriodSeconds": 0, "deletionTimestamp": "2026-03-13T17:15:00Z", "finalizers": [ "results.tekton.dev/taskrun" ], "generation": 2, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.42.0", "appstudio.openshift.io/application": "build-suite-test-application-kiif", "appstudio.openshift.io/component": "gl-test-custom-branch-sxempf", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/original-prname": "gl-test-custom-branch-sxempf-on-push", "pipelinesascode.tekton.dev/repository": "gl-test-custom-branch-sxempf", "pipelinesascode.tekton.dev/sha": "b53dfac8d719d750138ba9ade475be2685ee45a5", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-hello-world-wsxzsz", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "gl-test-custom-branch-sxempf-on-push-4prvw", "tekton.dev/pipelineRun": "gl-test-custom-branch-sxempf-on-push-4prvw", "tekton.dev/pipelineRunUID": "22c6f68a-72b3-49cb-8eeb-d3a074cd1459", "tekton.dev/pipelineTask": "deprecated-base-image-check" }, "name": "gl-ac0d9370ed341a29c9ab95a17e5bc4ae-deprecated-base-image-check", "namespace": "build-e2e-qwjf", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "gl-test-custom-branch-sxempf-on-push-4prvw", "uid": "22c6f68a-72b3-49cb-8eeb-d3a074cd1459" } ], "resourceVersion": "60255", "uid": "ab02cfcd-e435-4db1-b2b8-ded2a1d87364" }, "spec": { "params": [ { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-qwjf/gl-test-custom-branch-sxempf:b53dfac8d719d750138ba9ade475be2685ee45a5" }, { "name": "IMAGE_DIGEST", "value": "sha256:4ea8cbe430b0e22319db4675b1c3825d95194c2f9e6a4af82ac2bacf86bdc410" } ], "serviceAccountName": "build-pipeline-gl-test-custom-branch-sxempf", "taskRef": { "params": [ { "name": "name", "value": "deprecated-image-check" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.5@sha256:3457a4ca93f8d55f14ebd407532b1223c689eacc34f0abb3003db4111667bdae" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "1h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-03-13T17:14:18Z", "conditions": [ { "lastTransitionTime": "2026-03-13T17:14:18Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "gl-ac0d9370ed341a29c9ab95a14803f8ba0885ed34eafc81a130bb188d-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "beta", "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "3457a4ca93f8d55f14ebd407532b1223c689eacc34f0abb3003db4111667bdae" }, "entryPoint": "deprecated-image-check", "uri": "quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check" } }, "results": [ { "name": "IMAGES_PROCESSED", "type": "string", "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/build-e2e-qwjf/gl-test-custom-branch-sxempf:b53dfac8d719d750138ba9ade475be2685ee45a5\", \"digests\": [\"sha256:4ea8cbe430b0e22319db4675b1c3825d95194c2f9e6a4af82ac2bacf86bdc410\"]}}\n" }, { "name": "TEST_OUTPUT", "type": "string", "value": "{\"result\":\"WARNING\",\"timestamp\":\"2026-03-13T17:14:17+00:00\",\"note\":\"Task deprecated-image-check completed: Check result for task result.\",\"namespace\":\"required_checks\",\"successes\":0,\"failures\":0,\"warnings\":1}\n" } ], "startTime": "2026-03-13T17:13:58Z", "steps": [ { "container": "step-check-images", "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9", "name": "check-images", "provenance": {}, "terminated": { "containerID": "containerd://9804db2f780c8a7d9ab57037c0f3572f41e496c6fd9d3ee0aef2d6bd1411902f", "exitCode": 0, "finishedAt": "2026-03-13T17:14:17Z", "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/build-e2e-qwjf/gl-test-custom-branch-sxempf:b53dfac8d719d750138ba9ade475be2685ee45a5\\\", \\\"digests\\\": [\\\"sha256:4ea8cbe430b0e22319db4675b1c3825d95194c2f9e6a4af82ac2bacf86bdc410\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"WARNING\\\",\\\"timestamp\\\":\\\"2026-03-13T17:14:17+00:00\\\",\\\"note\\\":\\\"Task deprecated-image-check completed: Check result for task result.\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":1}\\n\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-03-13T17:14:07Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "Identifies the unmaintained and potentially insecure deprecated base images. Pyxis API collects metadata from image repository, and Conftest applies supplied policy to identify the deprecated images using that metadata.", "params": [ { "default": "/project/repository/", "description": "Path to directory containing Conftest policies.", "name": "POLICY_DIR", "type": "string" }, { "default": "required_checks", "description": "Namespace for Conftest policy.", "name": "POLICY_NAMESPACE", "type": "string" }, { "default": "", "description": "Digests of base build images.", "name": "BASE_IMAGES_DIGESTS", "type": "string" }, { "description": "Fully qualified image name.", "name": "IMAGE_URL", "type": "string" }, { "description": "Image digest.", "name": "IMAGE_DIGEST", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "CA_TRUST_CONFIG_MAP_NAME", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "CA_TRUST_CONFIG_MAP_KEY", "type": "string" } ], "results": [ { "description": "Tekton task test output.", "name": "TEST_OUTPUT", "type": "string" }, { "description": "Images processed in the task.", "name": "IMAGES_PROCESSED", "type": "string" } ], "steps": [ { "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "POLICY_DIR", "value": "/project/repository/" }, { "name": "POLICY_NAMESPACE", "value": "required_checks" }, { "name": "BASE_IMAGES_DIGESTS" }, { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-qwjf/gl-test-custom-branch-sxempf:b53dfac8d719d750138ba9ade475be2685ee45a5" }, { "name": "IMAGE_DIGEST", "value": "sha256:4ea8cbe430b0e22319db4675b1c3825d95194c2f9e6a4af82ac2bacf86bdc410" } ], "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9", "name": "check-images", "script": "#!/usr/bin/env bash\nset -euo pipefail\nsource /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nIMAGES_TO_BE_PROCESSED_PATH=\"/tmp/images_to_be_processed.txt\"\ntouch /tmp/images_to_be_processed.txt\n\nsuccess_counter=0\nfailure_counter=0\nerror_counter=0\nwarnings_counter=0\n\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo -n $imagewithouttag@$IMAGE_DIGEST)\n\n# Get the arch and image manifests by inspecting the image. This is mainly for identifying image indexes\nimage_manifests=$(get_image_manifests -i \"${imageanddigest}\")\nif [ -n \"$image_manifests\" ]; then\n while read -r arch arch_sha; do\n SBOM_FILE_PATH=$(echo \"/tmp/sbom-$arch.json\")\n arch_imageanddigest=$(echo $imagewithouttag@$arch_sha)\n\n # Get base images from SBOM\n cosign download sbom $arch_imageanddigest \u003e ${SBOM_FILE_PATH}\n if [ $? -ne 0 ]; then\n echo \"Unable to download sbom for arch $arch.\"\n continue\n fi\n\n \u003c \"${SBOM_FILE_PATH}\" jq -r '\n if .bomFormat == \"CycloneDX\" then\n .formulation[]?\n | .components[]?\n | select(any(.properties[]?; .name | test(\"^konflux:container:is_(base|builder)_image\")))\n | (\n .purl\n | capture(\"^pkg:oci/.*?@(?\u003cdigest\u003e[a-z0-9]+:[a-f0-9]+)(?:\\\\?[^#]*repository_url=(?\u003crepository_url\u003e[^\u0026#]*))?\")\n ) as $matched\n | $matched.repository_url\n else\n .packages[]\n | select(any(.annotations[]?.comment; (fromjson?).name? | test(\"^konflux:container:is_(base|builder)_image\")?))\n | [.externalRefs[]? | select(.referenceType == \"purl\").referenceLocator] as $purls\n | (\n $purls | first\n | capture(\"^pkg:oci/.*?@(?\u003cdigest\u003e[a-z0-9]+:[a-f0-9]+)(?:\\\\?[^#]*repository_url=(?\u003crepository_url\u003e[^\u0026#]*))?\")\n ) as $matched\n | $matched.repository_url\n end\n ' \u003e\u003e \"${IMAGES_TO_BE_PROCESSED_PATH}\"\n echo \"Detected base images from $arch SBOM:\"\n cat \"${IMAGES_TO_BE_PROCESSED_PATH}\"\n echo \"\"\n\n digests_processed+=(\"\\\"$arch_sha\\\"\")\n done \u003c \u003c(echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"')\nelse\n echo \"Failed to get image manifests from image \\\"$imageanddigest\\\"\"\n note=\"Task deprecated-image-check failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 0\nfi\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\n\nif [ -n \"${BASE_IMAGES_DIGESTS}\" ];\nthen\n echo \"Base images passed by param BASE_IMAGES_DIGESTS: $BASE_IMAGES_DIGESTS\"\n # Get images from the parameter\n for IMAGE_WITH_TAG in $(echo -n \"$BASE_IMAGES_DIGESTS\" | sed 's/\\\\n/\\'$'\\n''/g' );\n do\n echo $IMAGE_WITH_TAG | cut -d \":\" -f1 \u003e\u003e ${IMAGES_TO_BE_PROCESSED_PATH}\n done\nfi\n\n# we want to remove duplicated entries\nBASE_IMAGES=$(sort -u \"${IMAGES_TO_BE_PROCESSED_PATH}\")\n\necho \"Images to be checked:\"\necho \"$BASE_IMAGES\"\necho \"\"\n\nfor BASE_IMAGE in ${BASE_IMAGES};\ndo\n IFS=:'/' read -r IMAGE_REGISTRY IMAGE_REPOSITORY\u003c\u003c\u003c $BASE_IMAGE\n\n # Red Hat Catalog hack: registry.redhat.io must be queried as registry.access.redhat.com in Red Hat catalog\n IMAGE_REGISTRY_CATALOG=$(echo \"${IMAGE_REGISTRY}\" | sed 's/^registry.redhat.io$/registry.access.redhat.com/')\n\n export IMAGE_REPO_PATH=/tmp/${IMAGE_REPOSITORY}\n mkdir -p ${IMAGE_REPO_PATH}\n echo \"Querying Red Hat Catalog for $BASE_IMAGE.\"\n http_code=$(curl -s -o ${IMAGE_REPO_PATH}/repository_data.json -w '%{http_code}' \"https://catalog.redhat.com/api/containers/v1/repositories/registry/${IMAGE_REGISTRY_CATALOG}/repository/${IMAGE_REPOSITORY}\")\n\n if [ \"$http_code\" == \"200\" ];\n then\n echo \"Running conftest using $POLICY_DIR policy, $POLICY_NAMESPACE namespace.\"\n /usr/bin/conftest test --no-fail ${IMAGE_REPO_PATH}/repository_data.json \\\n --policy $POLICY_DIR --namespace $POLICY_NAMESPACE \\\n --output=json | tee ${IMAGE_REPO_PATH}/deprecated_image_check_output.json\n\n failures_num=$(jq -r '.[].failures|length' ${IMAGE_REPO_PATH}/deprecated_image_check_output.json)\n if [[ \"${failures_num}\" -gt 0 ]]; then\n echo \"[FAILURE] Image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} has been deprecated\"\n fi\n failure_counter=$((failure_counter+failures_num))\n\n successes_num=$(jq -r '.[].successes' ${IMAGE_REPO_PATH}/deprecated_image_check_output.json)\n if [[ \"${successes_num}\" -gt 0 ]]; then\n echo \"[SUCCESS] Image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} is valid\"\n fi\n success_counter=$((success_counter+successes_num))\n\n elif [ \"$http_code\" == \"404\" ];\n then\n echo \"[WARNING] Registry/image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} not found in Red Hat Catalog. Task cannot provide results if image is deprecated.\"\n warnings_counter=$((warnings_counter+1))\n else\n echo \"[ERROR] Unexpected error (HTTP code: ${http_code}) occurred for registry/image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY}.\"\n error_counter=$((error_counter+1))\n fi\ndone\n\nnote=\"Task deprecated-image-check failed: Command conftest failed. For details, check Tekton task log.\"\nERROR_OUTPUT=$(make_result_json -r ERROR -n \"$POLICY_NAMESPACE\" -t \"$note\")\n\nnote=\"Task deprecated-image-check completed: Check result for task result.\"\nif [[ \"$error_counter\" == 0 ]];\nthen\n if [[ \"${failure_counter}\" -gt 0 ]]; then\n RES=\"FAILURE\"\n elif [[ \"${warnings_counter}\" -gt 0 ]]; then\n RES=\"WARNING\"\n elif [[ \"${success_counter}\" -eq 0 ]]; then\n # when all counters are 0, there are no base images to check\n note=\"Task deprecated-image-check success: No base images to check.\"\n RES=\"SUCCESS\"\n else\n RES=\"SUCCESS\"\n fi\n TEST_OUTPUT=$(make_result_json \\\n -r \"${RES}\" -n \"$POLICY_NAMESPACE\" \\\n -s \"${success_counter}\" -f \"${failure_counter}\" -w \"${warnings_counter}\" -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee /tekton/results/TEST_OUTPUT\n\necho \"${images_processed_template/\\[%s]/[$digests_processed_string]}\" | tee /tekton/results/IMAGES_PROCESSED\n", "volumeMounts": [ { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ] } ], "volumes": [ { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://gitlab.com/konflux-qe/devfile-sample-hello-world-wsxzsz/-/tree/b53dfac8d719d750138ba9ade475be2685ee45a5", "build.appstudio.redhat.com/commit_sha": "b53dfac8d719d750138ba9ade475be2685ee45a5", "build.appstudio.redhat.com/target_branch": "base-qbmwpi", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "9db88e0", "pipelinesascode.tekton.dev/branch": "base-qbmwpi", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-kwtevk", "pipelinesascode.tekton.dev/git-provider": "gitlab", "pipelinesascode.tekton.dev/log-url": "https://52.11.17.101:9443/ns/build-e2e-qwjf/pipelinerun/gl-test-custom-branch-sxempf-on-push-4prvw", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"base-qbmwpi\"", "pipelinesascode.tekton.dev/original-prname": "gl-test-custom-branch-sxempf-on-push", "pipelinesascode.tekton.dev/repo-url": "https://gitlab.com/konflux-qe/devfile-sample-hello-world-wsxzsz", "pipelinesascode.tekton.dev/repository": "gl-test-custom-branch-sxempf", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "konflux-ci-qe-bot", "pipelinesascode.tekton.dev/sha": "b53dfac8d719d750138ba9ade475be2685ee45a5", "pipelinesascode.tekton.dev/sha-title": "Merge branch 'konflux-gl-test-custom-branch-sxempf' into 'base-qbmwpi'", "pipelinesascode.tekton.dev/sha-url": "https://gitlab.com/konflux-qe/devfile-sample-hello-world-wsxzsz/-/commit/b53dfac8d719d750138ba9ade475be2685ee45a5", "pipelinesascode.tekton.dev/source-branch": "refs/heads/base-qbmwpi", "pipelinesascode.tekton.dev/source-project-id": "80245652", "pipelinesascode.tekton.dev/source-repo-url": "https://gitlab.com/konflux-qe/devfile-sample-hello-world-wsxzsz", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/target-project-id": "80245652", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-hello-world-wsxzsz", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-qwjf/results/22c6f68a-72b3-49cb-8eeb-d3a074cd1459/records/7c24ebfc-bd23-4276-9451-e73cc4723ed8", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"devfile-sample-hello-world-wsxzsz\",\"commit\":\"b53dfac8d719d750138ba9ade475be2685ee45a5\",\"eventType\":\"push\"}", "results.tekton.dev/result": "build-e2e-qwjf/results/22c6f68a-72b3-49cb-8eeb-d3a074cd1459", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "konflux" }, "creationTimestamp": "2026-03-13T17:13:58Z", "deletionGracePeriodSeconds": 0, "deletionTimestamp": "2026-03-13T17:14:59Z", "finalizers": [ "results.tekton.dev/taskrun" ], "generation": 2, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.42.0", "appstudio.openshift.io/application": "build-suite-test-application-kiif", "appstudio.openshift.io/component": "gl-test-custom-branch-sxempf", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/original-prname": "gl-test-custom-branch-sxempf-on-push", "pipelinesascode.tekton.dev/repository": "gl-test-custom-branch-sxempf", "pipelinesascode.tekton.dev/sha": "b53dfac8d719d750138ba9ade475be2685ee45a5", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-hello-world-wsxzsz", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "gl-test-custom-branch-sxempf-on-push-4prvw", "tekton.dev/pipelineRun": "gl-test-custom-branch-sxempf-on-push-4prvw", "tekton.dev/pipelineRunUID": "22c6f68a-72b3-49cb-8eeb-d3a074cd1459", "tekton.dev/pipelineTask": "apply-tags", "tekton.dev/task": "apply-tags" }, "name": "gl-test-custom-branch-sxempf-on-push-4prvw-apply-tags", "namespace": "build-e2e-qwjf", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "gl-test-custom-branch-sxempf-on-push-4prvw", "uid": "22c6f68a-72b3-49cb-8eeb-d3a074cd1459" } ], "resourceVersion": "60218", "uid": "7c24ebfc-bd23-4276-9451-e73cc4723ed8" }, "spec": { "params": [ { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-qwjf/gl-test-custom-branch-sxempf:b53dfac8d719d750138ba9ade475be2685ee45a5" }, { "name": "IMAGE_DIGEST", "value": "sha256:4ea8cbe430b0e22319db4675b1c3825d95194c2f9e6a4af82ac2bacf86bdc410" } ], "serviceAccountName": "build-pipeline-gl-test-custom-branch-sxempf", "taskRef": { "params": [ { "name": "name", "value": "apply-tags" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.3@sha256:510b6d2a3b188adeb716e49566b57d611ab36bd69a2794b5ddfc11dbf014c2ca" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "1h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-03-13T17:14:25Z", "conditions": [ { "lastTransitionTime": "2026-03-13T17:14:25Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "gl-test-custom-branch-sxempf-on-push-4prvw-apply-tags-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "beta", "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "510b6d2a3b188adeb716e49566b57d611ab36bd69a2794b5ddfc11dbf014c2ca" }, "entryPoint": "apply-tags", "uri": "quay.io/konflux-ci/tekton-catalog/task-apply-tags" } }, "startTime": "2026-03-13T17:14:02Z", "steps": [ { "container": "step-apply-additional-tags", "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:a4bff739b5c0cb1c02b454c1b46ad54675f8df121efb5203fed19266a6b01639", "name": "apply-additional-tags", "provenance": {}, "terminated": { "containerID": "containerd://7dc4f2fcd54e4204656661554eea049cafed3d4d59f87939866a9b0902b72256", "exitCode": 0, "finishedAt": "2026-03-13T17:14:24Z", "reason": "Completed", "startedAt": "2026-03-13T17:14:19Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "Applies additional tags to the built image.", "params": [ { "description": "Image repository and tag reference of the the built image.", "name": "IMAGE_URL", "type": "string" }, { "description": "Image digest of the built image.", "name": "IMAGE_DIGEST", "type": "string" }, { "default": [], "description": "Additional tags that will be applied to the image in the registry.", "name": "ADDITIONAL_TAGS", "type": "array" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "CA_TRUST_CONFIG_MAP_NAME", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "CA_TRUST_CONFIG_MAP_KEY", "type": "string" }, { "default": "info", "description": "Log level to use in the task. See golang logrus docs for available levels.", "name": "LOG_LEVEL", "type": "string" } ], "stepTemplate": { "computeResources": {}, "volumeMounts": [ { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ] }, "steps": [ { "args": [ "--image-url", "quay.io/redhat-appstudio-qe/build-e2e-qwjf/gl-test-custom-branch-sxempf:b53dfac8d719d750138ba9ade475be2685ee45a5", "--digest", "sha256:4ea8cbe430b0e22319db4675b1c3825d95194c2f9e6a4af82ac2bacf86bdc410", "--tags", "--tags-from-image-label", "konflux.additional-tags" ], "command": [ "konflux-build-cli", "image", "apply-tags" ], "computeResources": { "limits": { "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "KBC_LOG_LEVEL", "value": "info" } ], "image": "quay.io/konflux-ci/konflux-build-cli@sha256:a4bff739b5c0cb1c02b454c1b46ad54675f8df121efb5203fed19266a6b01639", "name": "apply-additional-tags" } ], "volumes": [ { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://gitlab.com/konflux-qe/devfile-sample-hello-world-wsxzsz/-/tree/b53dfac8d719d750138ba9ade475be2685ee45a5", "build.appstudio.redhat.com/commit_sha": "b53dfac8d719d750138ba9ade475be2685ee45a5", "build.appstudio.redhat.com/target_branch": "base-qbmwpi", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "9db88e0", "pipelinesascode.tekton.dev/branch": "base-qbmwpi", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-kwtevk", "pipelinesascode.tekton.dev/git-provider": "gitlab", "pipelinesascode.tekton.dev/log-url": "https://52.11.17.101:9443/ns/build-e2e-qwjf/pipelinerun/gl-test-custom-branch-sxempf-on-push-4prvw", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"base-qbmwpi\"", "pipelinesascode.tekton.dev/original-prname": "gl-test-custom-branch-sxempf-on-push", "pipelinesascode.tekton.dev/repo-url": "https://gitlab.com/konflux-qe/devfile-sample-hello-world-wsxzsz", "pipelinesascode.tekton.dev/repository": "gl-test-custom-branch-sxempf", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "konflux-ci-qe-bot", "pipelinesascode.tekton.dev/sha": "b53dfac8d719d750138ba9ade475be2685ee45a5", "pipelinesascode.tekton.dev/sha-title": "Merge branch 'konflux-gl-test-custom-branch-sxempf' into 'base-qbmwpi'", "pipelinesascode.tekton.dev/sha-url": "https://gitlab.com/konflux-qe/devfile-sample-hello-world-wsxzsz/-/commit/b53dfac8d719d750138ba9ade475be2685ee45a5", "pipelinesascode.tekton.dev/source-branch": "refs/heads/base-qbmwpi", "pipelinesascode.tekton.dev/source-project-id": "80245652", "pipelinesascode.tekton.dev/source-repo-url": "https://gitlab.com/konflux-qe/devfile-sample-hello-world-wsxzsz", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/target-project-id": "80245652", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-hello-world-wsxzsz", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-qwjf/results/22c6f68a-72b3-49cb-8eeb-d3a074cd1459/records/593d7e5d-64dd-447e-90ba-b0391c791b7b", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"devfile-sample-hello-world-wsxzsz\",\"commit\":\"b53dfac8d719d750138ba9ade475be2685ee45a5\",\"eventType\":\"push\"}", "results.tekton.dev/result": "build-e2e-qwjf/results/22c6f68a-72b3-49cb-8eeb-d3a074cd1459", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "image-build, konflux" }, "creationTimestamp": "2026-03-13T17:13:46Z", "deletionGracePeriodSeconds": 0, "deletionTimestamp": "2026-03-13T17:14:59Z", "finalizers": [ "results.tekton.dev/taskrun" ], "generation": 2, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.42.0", "appstudio.openshift.io/application": "build-suite-test-application-kiif", "appstudio.openshift.io/component": "gl-test-custom-branch-sxempf", "build.appstudio.redhat.com/build_type": "docker", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/original-prname": "gl-test-custom-branch-sxempf-on-push", "pipelinesascode.tekton.dev/repository": "gl-test-custom-branch-sxempf", "pipelinesascode.tekton.dev/sha": "b53dfac8d719d750138ba9ade475be2685ee45a5", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-hello-world-wsxzsz", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "gl-test-custom-branch-sxempf-on-push-4prvw", "tekton.dev/pipelineRun": "gl-test-custom-branch-sxempf-on-push-4prvw", "tekton.dev/pipelineRunUID": "22c6f68a-72b3-49cb-8eeb-d3a074cd1459", "tekton.dev/pipelineTask": "build-image-index", "tekton.dev/task": "build-image-index" }, "name": "gl-test-custom-branch-sxempf-on-push-4prvw-build-image-index", "namespace": "build-e2e-qwjf", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "gl-test-custom-branch-sxempf-on-push-4prvw", "uid": "22c6f68a-72b3-49cb-8eeb-d3a074cd1459" } ], "resourceVersion": "60215", "uid": "593d7e5d-64dd-447e-90ba-b0391c791b7b" }, "spec": { "params": [ { "name": "IMAGE", "value": "quay.io/redhat-appstudio-qe/build-e2e-qwjf/gl-test-custom-branch-sxempf:b53dfac8d719d750138ba9ade475be2685ee45a5" }, { "name": "COMMIT_SHA", "value": "b53dfac8d719d750138ba9ade475be2685ee45a5" }, { "name": "IMAGE_EXPIRES_AFTER", "value": "" }, { "name": "ALWAYS_BUILD_INDEX", "value": "false" }, { "name": "IMAGES", "value": [ "quay.io/redhat-appstudio-qe/build-e2e-qwjf/gl-test-custom-branch-sxempf:b53dfac8d719d750138ba9ade475be2685ee45a5@sha256:4ea8cbe430b0e22319db4675b1c3825d95194c2f9e6a4af82ac2bacf86bdc410" ] }, { "name": "BUILDAH_FORMAT", "value": "docker" } ], "serviceAccountName": "build-pipeline-gl-test-custom-branch-sxempf", "taskRef": { "params": [ { "name": "name", "value": "build-image-index" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.2@sha256:c7b0f7e1f743040d99a3532abbdfddc9484f80fd559a75171c97499c3eb5d163" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "1h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-03-13T17:13:57Z", "conditions": [ { "lastTransitionTime": "2026-03-13T17:13:57Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "gl-test-custom-branch-sxempd712605b7a9ffa337298a2b8bd5ab446-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "beta", "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "c7b0f7e1f743040d99a3532abbdfddc9484f80fd559a75171c97499c3eb5d163" }, "entryPoint": "build-image-index", "uri": "quay.io/konflux-ci/tekton-catalog/task-build-image-index" } }, "results": [ { "name": "IMAGES", "type": "string", "value": "quay.io/redhat-appstudio-qe/build-e2e-qwjf/gl-test-custom-branch-sxempf@sha256:4ea8cbe430b0e22319db4675b1c3825d95194c2f9e6a4af82ac2bacf86bdc410" }, { "name": "IMAGE_DIGEST", "type": "string", "value": "sha256:4ea8cbe430b0e22319db4675b1c3825d95194c2f9e6a4af82ac2bacf86bdc410" }, { "name": "IMAGE_URL", "type": "string", "value": "quay.io/redhat-appstudio-qe/build-e2e-qwjf/gl-test-custom-branch-sxempf:b53dfac8d719d750138ba9ade475be2685ee45a5" } ], "startTime": "2026-03-13T17:13:46Z", "steps": [ { "container": "step-build", "imageID": "quay.io/konflux-ci/buildah-task@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709", "name": "build", "provenance": {}, "terminated": { "containerID": "containerd://d7201b8af2bcb9e772ba000f56499218220a28ea97f3ac5722fc85e53e6420c4", "exitCode": 0, "finishedAt": "2026-03-13T17:13:53Z", "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-qwjf/gl-test-custom-branch-sxempf@sha256:4ea8cbe430b0e22319db4675b1c3825d95194c2f9e6a4af82ac2bacf86bdc410\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:4ea8cbe430b0e22319db4675b1c3825d95194c2f9e6a4af82ac2bacf86bdc410\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-qwjf/gl-test-custom-branch-sxempf:b53dfac8d719d750138ba9ade475be2685ee45a5\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-03-13T17:13:49Z" }, "terminationReason": "Completed" }, { "container": "step-create-sbom", "imageID": "quay.io/konflux-ci/mobster@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094", "name": "create-sbom", "provenance": {}, "terminated": { "containerID": "containerd://8444a3178308ef12b8b27c128fec040cd2d60c0dcee74f1aca53f6e9bd63b017", "exitCode": 0, "finishedAt": "2026-03-13T17:13:54Z", "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-qwjf/gl-test-custom-branch-sxempf@sha256:4ea8cbe430b0e22319db4675b1c3825d95194c2f9e6a4af82ac2bacf86bdc410\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:4ea8cbe430b0e22319db4675b1c3825d95194c2f9e6a4af82ac2bacf86bdc410\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-qwjf/gl-test-custom-branch-sxempf:b53dfac8d719d750138ba9ade475be2685ee45a5\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-03-13T17:13:54Z" }, "terminationReason": "Completed" }, { "container": "step-upload-sbom", "imageID": "quay.io/konflux-ci/task-runner@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea", "name": "upload-sbom", "provenance": {}, "terminated": { "containerID": "containerd://63f351fd6705b482d054bf788e4830ea7bfece82a8261fa20a926de90737c423", "exitCode": 0, "finishedAt": "2026-03-13T17:13:57Z", "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-qwjf/gl-test-custom-branch-sxempf@sha256:4ea8cbe430b0e22319db4675b1c3825d95194c2f9e6a4af82ac2bacf86bdc410\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:4ea8cbe430b0e22319db4675b1c3825d95194c2f9e6a4af82ac2bacf86bdc410\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-qwjf/gl-test-custom-branch-sxempf:b53dfac8d719d750138ba9ade475be2685ee45a5\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-03-13T17:13:54Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "This takes existing Image Manifests and combines them in an Image Index.", "params": [ { "description": "The target image and tag where the image will be pushed to.", "name": "IMAGE", "type": "string" }, { "default": "true", "description": "Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)", "name": "TLSVERIFY", "type": "string" }, { "default": "", "description": "The commit the image is built from.", "name": "COMMIT_SHA", "type": "string" }, { "description": "List of Image Manifests to be referenced by the Image Index", "name": "IMAGES", "type": "array" }, { "default": "", "description": "Delete image tag after specified time resulting in garbage collection of the digest. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.", "name": "IMAGE_EXPIRES_AFTER", "type": "string" }, { "default": "true", "description": "Build an image index even if IMAGES is of length 1. Default true. If the image index generation is skipped, the task will forward values for params.IMAGES[0] to results.IMAGE_*. In order to properly set all results, use the repository:tag@sha256:digest format for the IMAGES parameter.", "name": "ALWAYS_BUILD_INDEX", "type": "string" }, { "default": "vfs", "description": "Storage driver to configure for buildah", "name": "STORAGE_DRIVER", "type": "string" }, { "default": "oci", "description": "The format for the resulting image's mediaType. Valid values are oci (default) or docker.", "name": "BUILDAH_FORMAT", "type": "string" }, { "default": "false", "description": "Flag to enable or disable SBOM validation before save. Validation is optional - use this if you are experiencing performance issues.", "name": "SBOM_SKIP_VALIDATION", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from", "name": "caTrustConfigMapName", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data", "name": "caTrustConfigMapKey", "type": "string" } ], "results": [ { "description": "Digest of the image just built", "name": "IMAGE_DIGEST", "type": "string" }, { "description": "Image repository and tag where the built image was pushed", "name": "IMAGE_URL", "type": "string" }, { "description": "List of all referenced image manifests", "name": "IMAGES", "type": "string" }, { "description": "Image reference of the built image containing both the repository and the digest", "name": "IMAGE_REF", "type": "string" }, { "description": "Reference of SBOM blob digest to enable digest-based verification from provenance", "name": "SBOM_BLOB_URL", "type": "string" } ], "stepTemplate": { "computeResources": {}, "env": [ { "name": "BUILDAH_FORMAT", "value": "docker" }, { "name": "COMMIT_SHA", "value": "b53dfac8d719d750138ba9ade475be2685ee45a5" }, { "name": "IMAGE", "value": "quay.io/redhat-appstudio-qe/build-e2e-qwjf/gl-test-custom-branch-sxempf:b53dfac8d719d750138ba9ade475be2685ee45a5" }, { "name": "TLSVERIFY", "value": "true" }, { "name": "ALWAYS_BUILD_INDEX", "value": "false" }, { "name": "STORAGE_DRIVER", "value": "vfs" } ], "volumeMounts": [ { "mountPath": "/index-build-data", "name": "shared-dir" }, { "mountPath": "/mnt/trusted-ca", "name": "trusted-ca", "readOnly": true } ] }, "steps": [ { "args": [ "quay.io/redhat-appstudio-qe/build-e2e-qwjf/gl-test-custom-branch-sxempf:b53dfac8d719d750138ba9ade475be2685ee45a5@sha256:4ea8cbe430b0e22319db4675b1c3825d95194c2f9e6a4af82ac2bacf86bdc410" ], "computeResources": { "limits": { "memory": "4Gi" }, "requests": { "cpu": "250m", "memory": "4Gi" } }, "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709", "name": "build", "script": "#!/bin/bash\n# Fixing group permission on /var/lib/containers\nset -eu\nset -o pipefail\nchown root:root /var/lib/containers\n\nsed -i 's/^\\s*short-name-mode\\s*=\\s*.*/short-name-mode = \"disabled\"/' /etc/containers/registries.conf\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n update-ca-trust\nfi\n\nif [[ $# -ne 1 \u0026\u0026 \"$ALWAYS_BUILD_INDEX\" != \"true\" ]]; then\n echo \"Skipping image index generation while supplying multiple image inputs is unsupported.\"\n exit 2\nfi\n\nbuildah manifest create \"$IMAGE\"\nfor i in $@\ndo\n TOADD=\"$i\"\n TOADD_URL=\"$(echo \"$i\" | cut -d@ -f1)\"\n TOADD_DIGEST=\"$(echo \"$i\" | cut -d@ -f2)\"\n if [[ $(echo \"$i\" | tr -cd \":\" | wc -c) == 2 ]]; then\n #format is repository:tag@sha256:digest\n #we need to remove the tag, and just reference the digest\n #as tag + digest is not supported\n TOADD_REPOSITORY=\"$(echo \"$i\" | cut -d: -f1)\"\n TOADD=\"${TOADD_REPOSITORY}@${TOADD_DIGEST}\"\n fi\n if [[ \"$ALWAYS_BUILD_INDEX\" != \"true\" ]]; then\n echo \"Skipping image index generation. Returning results for $TOADD.\"\n echo -n \"${TOADD_URL}\" \u003e \"/tekton/results/IMAGE_URL\"\n echo -n \"${TOADD_DIGEST}\" \u003e \"/tekton/results/IMAGE_DIGEST\"\n echo -n \"${TOADD}\" \u003e \"/tekton/results/IMAGES\"\n exit 0\n fi\n\n echo \"Adding $TOADD\"\n buildah manifest add $IMAGE \"docker://$TOADD\" --all\ndone\n\necho \"Validating format consistency\"\nINCOMPATIBLE_STRING=\"vnd.oci.image.manifest\"\nINCOMPATIBLE_NAME=\"oci\"\nif [ \"$BUILDAH_FORMAT\" == \"oci\" ]; then\n INCOMPATIBLE_STRING=\"vnd.docker.distribution.manifest\"\n INCOMPATIBLE_NAME=\"docker\"\nfi\n\n# If mismatched formats (e.g., Docker manifests within an OCI index) exist locally, 'buildah push'\n# converts the inner manifests to match the target BUILDAH_FORMAT.\n# This alters the digests and breaks the link to the attached SBOMs.\nMANIFEST_MEDIA_TYPES=$(buildah manifest inspect \"$IMAGE\" | jq -er '.manifests[].mediaType')\nif echo \"$MANIFEST_MEDIA_TYPES\" | grep -q \"$INCOMPATIBLE_STRING\"; then\n echo \"ERROR: Platform image contains $INCOMPATIBLE_NAME format, but index will be $BUILDAH_FORMAT\"\n echo \"This will cause digest changes and break SBOM accessibility.\"\n echo \"Ensure all platform images are built with buildah-format: $BUILDAH_FORMAT\"\n exit 1\nfi\n\n# While the BUILDAH_FORMAT environment variable can define the push\n# format, lets be explicit about the format that we want when we push.\npush_format=oci\nif [ \"${BUILDAH_FORMAT}\" == \"docker\" ]; then\n push_format=docker\nfi\n\nbuildah_retries=3\n\necho \"Pushing image to registry\"\nif ! retry buildah manifest push \\\n --format=\"$push_format\" \\\n --retry \"$buildah_retries\" \\\n --tls-verify=\"$TLSVERIFY\" \\\n --digestfile image-digest \\\n \"$IMAGE\" \\\n \"docker://$IMAGE\"\nthen\n echo \"Failed to push image ${IMAGE} to registry\"\n exit 1\nfi\n\necho \"Pushing image to registry\"\nif ! retry buildah manifest push \\\n --format=\"$push_format\" \\\n --retry \"$buildah_retries\" \\\n --tls-verify=\"$TLSVERIFY\" \\\n --digestfile image-digest \\\n \"$IMAGE\" \\\n \"docker://${IMAGE%:*}:gl-test-custom-branch-sxempf-on-push-4prvw-build-image-index\"\nthen\n echo \"Failed to push image ${IMAGE%:*}:gl-test-custom-branch-sxempf-on-push-4prvw-build-image-index to registry\"\n exit 1\nfi\n\nINDEX_REPOSITORY=\"$(echo \"$IMAGE\" | cut -d@ -f1 | cut -d: -f1)\"\nMANIFEST_DIGESTS=$(buildah manifest inspect \"$IMAGE\" | jq -er \".manifests[].digest\")\nimage_manifests=\"\"\nfor i in $MANIFEST_DIGESTS\ndo\n image_manifests=\"${image_manifests} ${INDEX_REPOSITORY}@${i},\"\ndone\n\ntee \"/tekton/results/IMAGE_DIGEST\" \u003c image-digest\necho -n \"$IMAGE\" | tee \"/tekton/results/IMAGE_URL\"\n{\n echo -n \"${IMAGE}@\"\n cat \"image-digest\"\n} \u003e \"/tekton/results/IMAGE_REF\"\necho -n \"${image_manifests:1:-1}\" \u003e \"/tekton/results/IMAGES\"\n\n# buildah manifest inspect will always give precedence to the local image.\n# Since we built this image in the same place as we are inspecting it, we can\n# just inspect it instead of finding the digest and inspecting the remote image.\nbuildah manifest inspect \"$IMAGE\" \u003e /index-build-data/manifest_data.json\n", "securityContext": { "capabilities": { "add": [ "SETFCAP" ] } } }, { "computeResources": { "limits": { "memory": "512Mi" }, "requests": { "cpu": "100m", "memory": "512Mi" } }, "image": "quay.io/konflux-ci/mobster:1.1.0-1770046049@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094", "name": "create-sbom", "script": "#!/bin/bash\nset -e\n\nMANIFEST_DATA_FILE=\"/index-build-data/manifest_data.json\"\nif [ ! -f \"$MANIFEST_DATA_FILE\" ]; then\n echo \"The manifest_data.json file does not exist. Skipping the SBOM creation...\"\n exit 0\nfi\n\nIMAGE_URL=\"$(cat \"/tekton/results/IMAGE_URL\")\"\nIMAGE_DIGEST=\"$(cat \"/tekton/results/IMAGE_DIGEST\")\"\necho \"Creating SBOM result file...\"\nmobster_args=(generate --output /index-build-data/index.spdx.json)\n\nif [ \"${SBOM_SKIP_VALIDATION}\" == \"true\" ]; then\n echo \"Skipping SBOM validation\"\n mobster_args+=(--skip-validation)\nfi\n\nmobster_args+=(\n oci-index\n --index-image-pullspec \"$IMAGE_URL\"\n --index-image-digest \"$IMAGE_DIGEST\"\n --index-manifest-path \"$MANIFEST_DATA_FILE\"\n)\nmobster \"${mobster_args[@]}\"\n" }, { "computeResources": { "limits": { "memory": "512Mi" }, "requests": { "cpu": "100m", "memory": "512Mi" } }, "image": "quay.io/konflux-ci/task-runner:1.4.1@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea", "name": "upload-sbom", "script": "#!/bin/bash\nset -e\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n update-ca-trust\nfi\n\nSBOM_RESULT_FILE=\"/index-build-data/index.spdx.json\"\nif [ ! -f \"$SBOM_RESULT_FILE\" ]; then\n echo \"The index.spdx.json file does not exists. Skipping the SBOM upload...\"\n exit 0\nfi\n\n# Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"$(cat \"/tekton/results/IMAGE_REF\")\" \u003e /tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\n\necho \"Pushing sbom to registry\"\nif ! retry cosign attach sbom --sbom \"$SBOM_RESULT_FILE\" --type spdx \"$(cat \"/tekton/results/IMAGE_REF\")\"\nthen\n echo \"Failed to push sbom to registry\"\n exit 1\nfi\n\n# Remove tag from IMAGE while allowing registry to contain a port number.\nsbom_repo=\"${IMAGE%:*}\"\nsbom_digest=\"$(sha256sum \"$SBOM_RESULT_FILE\" | cut -d' ' -f1)\"\n# The SBOM_BLOB_URL is created by `cosign attach sbom`.\necho -n \"${sbom_repo}@sha256:${sbom_digest}\" | tee \"/tekton/results/SBOM_BLOB_URL\"\n", "securityContext": { "runAsNonRoot": false, "runAsUser": 0 } } ], "volumes": [ { "emptyDir": {}, "name": "shared-dir" }, { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://gitlab.com/konflux-qe/devfile-sample-hello-world-wsxzsz/-/tree/b53dfac8d719d750138ba9ade475be2685ee45a5", "build.appstudio.redhat.com/commit_sha": "b53dfac8d719d750138ba9ade475be2685ee45a5", "build.appstudio.redhat.com/target_branch": "base-qbmwpi", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "9db88e0", "pipelinesascode.tekton.dev/branch": "base-qbmwpi", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-kwtevk", "pipelinesascode.tekton.dev/git-provider": "gitlab", "pipelinesascode.tekton.dev/log-url": "https://52.11.17.101:9443/ns/build-e2e-qwjf/pipelinerun/gl-test-custom-branch-sxempf-on-push-4prvw", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"base-qbmwpi\"", "pipelinesascode.tekton.dev/original-prname": "gl-test-custom-branch-sxempf-on-push", "pipelinesascode.tekton.dev/repo-url": "https://gitlab.com/konflux-qe/devfile-sample-hello-world-wsxzsz", "pipelinesascode.tekton.dev/repository": "gl-test-custom-branch-sxempf", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "konflux-ci-qe-bot", "pipelinesascode.tekton.dev/sha": "b53dfac8d719d750138ba9ade475be2685ee45a5", "pipelinesascode.tekton.dev/sha-title": "Merge branch 'konflux-gl-test-custom-branch-sxempf' into 'base-qbmwpi'", "pipelinesascode.tekton.dev/sha-url": "https://gitlab.com/konflux-qe/devfile-sample-hello-world-wsxzsz/-/commit/b53dfac8d719d750138ba9ade475be2685ee45a5", "pipelinesascode.tekton.dev/source-branch": "refs/heads/base-qbmwpi", "pipelinesascode.tekton.dev/source-project-id": "80245652", "pipelinesascode.tekton.dev/source-repo-url": "https://gitlab.com/konflux-qe/devfile-sample-hello-world-wsxzsz", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/target-project-id": "80245652", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-hello-world-wsxzsz", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-qwjf/results/22c6f68a-72b3-49cb-8eeb-d3a074cd1459/records/de7ff6d8-cd4e-4561-ade1-366bd78f241c", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"devfile-sample-hello-world-wsxzsz\",\"commit\":\"b53dfac8d719d750138ba9ade475be2685ee45a5\",\"eventType\":\"push\"}", "results.tekton.dev/result": "build-e2e-qwjf/results/22c6f68a-72b3-49cb-8eeb-d3a074cd1459", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "konflux" }, "creationTimestamp": "2026-03-13T17:13:58Z", "deletionGracePeriodSeconds": 0, "deletionTimestamp": "2026-03-13T17:15:00Z", "finalizers": [ "results.tekton.dev/taskrun" ], "generation": 2, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.42.0", "appstudio.openshift.io/application": "build-suite-test-application-kiif", "appstudio.openshift.io/component": "gl-test-custom-branch-sxempf", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/original-prname": "gl-test-custom-branch-sxempf-on-push", "pipelinesascode.tekton.dev/repository": "gl-test-custom-branch-sxempf", "pipelinesascode.tekton.dev/sha": "b53dfac8d719d750138ba9ade475be2685ee45a5", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-hello-world-wsxzsz", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "gl-test-custom-branch-sxempf-on-push-4prvw", "tekton.dev/pipelineRun": "gl-test-custom-branch-sxempf-on-push-4prvw", "tekton.dev/pipelineRunUID": "22c6f68a-72b3-49cb-8eeb-d3a074cd1459", "tekton.dev/pipelineTask": "clair-scan", "tekton.dev/task": "clair-scan" }, "name": "gl-test-custom-branch-sxempf-on-push-4prvw-clair-scan", "namespace": "build-e2e-qwjf", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "gl-test-custom-branch-sxempf-on-push-4prvw", "uid": "22c6f68a-72b3-49cb-8eeb-d3a074cd1459" } ], "resourceVersion": "60267", "uid": "de7ff6d8-cd4e-4561-ade1-366bd78f241c" }, "spec": { "params": [ { "name": "image-digest", "value": "sha256:4ea8cbe430b0e22319db4675b1c3825d95194c2f9e6a4af82ac2bacf86bdc410" }, { "name": "image-url", "value": "quay.io/redhat-appstudio-qe/build-e2e-qwjf/gl-test-custom-branch-sxempf:b53dfac8d719d750138ba9ade475be2685ee45a5" } ], "serviceAccountName": "build-pipeline-gl-test-custom-branch-sxempf", "taskRef": { "params": [ { "name": "name", "value": "clair-scan" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.3@sha256:9397d3eb9f1cbebaa15e93256e0ca9eaca148baa674be72f07f4a00df63c4609" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "1h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-03-13T17:14:37Z", "conditions": [ { "lastTransitionTime": "2026-03-13T17:14:37Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "gl-test-custom-branch-sxempf-on-push-4prvw-clair-scan-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "beta", "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "9397d3eb9f1cbebaa15e93256e0ca9eaca148baa674be72f07f4a00df63c4609" }, "entryPoint": "clair-scan", "uri": "quay.io/konflux-ci/tekton-catalog/task-clair-scan" } }, "results": [ { "name": "IMAGES_PROCESSED", "type": "string", "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/build-e2e-qwjf/gl-test-custom-branch-sxempf:b53dfac8d719d750138ba9ade475be2685ee45a5\", \"digests\": [\"sha256:4ea8cbe430b0e22319db4675b1c3825d95194c2f9e6a4af82ac2bacf86bdc410\"]}}\n" }, { "name": "REPORTS", "type": "string", "value": "{\"sha256:4ea8cbe430b0e22319db4675b1c3825d95194c2f9e6a4af82ac2bacf86bdc410\":\"sha256:4bf8e94fa103ae042229a817c62f70a2c4f820e292104eb8b4819cda6816621e\"}\n" }, { "name": "SCAN_OUTPUT", "type": "string", "value": "{\"vulnerabilities\":{\"critical\":0,\"high\":0,\"medium\":0,\"low\":0,\"unknown\":0},\"unpatched_vulnerabilities\":{\"critical\":0,\"high\":0,\"medium\":0,\"low\":0,\"unknown\":0}}\n" }, { "name": "TEST_OUTPUT", "type": "string", "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-03-13T17:14:36+00:00\",\"note\":\"Task clair-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Clair.\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n" } ], "startTime": "2026-03-13T17:13:58Z", "steps": [ { "container": "step-get-image-manifests", "imageID": "quay.io/konflux-ci/konflux-test@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d", "name": "get-image-manifests", "provenance": {}, "terminated": { "containerID": "containerd://c938d5e7ab68ec3ef2541f309c93b512200d799137835bbf3a0c71375f67bf4a", "exitCode": 0, "finishedAt": "2026-03-13T17:14:28Z", "reason": "Completed", "startedAt": "2026-03-13T17:14:21Z" }, "terminationReason": "Completed" }, { "container": "step-get-vulnerabilities", "imageID": "quay.io/konflux-ci/clair-in-ci@sha256:ed65aa1c468bf7c2f9e0577afde97d64f09d0364bc824decd3ad4f8925216400", "name": "get-vulnerabilities", "provenance": {}, "terminated": { "containerID": "containerd://307f5e8fe7902054b8b27e5287726a7b88cf8a3ddb3163aa3d7a322619f413ca", "exitCode": 0, "finishedAt": "2026-03-13T17:14:31Z", "reason": "Completed", "startedAt": "2026-03-13T17:14:28Z" }, "terminationReason": "Completed" }, { "container": "step-oci-attach-report", "imageID": "quay.io/konflux-ci/oras@sha256:d126f98e16bfad71aab782eb212a5be701e2cde915d294a7bd6423a4ab448705", "name": "oci-attach-report", "provenance": {}, "terminated": { "containerID": "containerd://e463c6fc840248e216e5949dd1758321130ebf296ea9adf7e4bb6c960ba33dea", "exitCode": 0, "finishedAt": "2026-03-13T17:14:34Z", "reason": "Completed", "startedAt": "2026-03-13T17:14:31Z" }, "terminationReason": "Completed" }, { "container": "step-conftest-vulnerabilities", "imageID": "quay.io/konflux-ci/konflux-test@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d", "name": "conftest-vulnerabilities", "provenance": {}, "terminated": { "containerID": "containerd://90642ab8404f4e52b9f4738f7e15259a474cfb07b7d7d5052295c82abcab69b4", "exitCode": 0, "finishedAt": "2026-03-13T17:14:37Z", "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/build-e2e-qwjf/gl-test-custom-branch-sxempf:b53dfac8d719d750138ba9ade475be2685ee45a5\\\", \\\"digests\\\": [\\\"sha256:4ea8cbe430b0e22319db4675b1c3825d95194c2f9e6a4af82ac2bacf86bdc410\\\"]}}\\n\",\"type\":1},{\"key\":\"REPORTS\",\"value\":\"{\\\"sha256:4ea8cbe430b0e22319db4675b1c3825d95194c2f9e6a4af82ac2bacf86bdc410\\\":\\\"sha256:4bf8e94fa103ae042229a817c62f70a2c4f820e292104eb8b4819cda6816621e\\\"}\\n\",\"type\":1},{\"key\":\"SCAN_OUTPUT\",\"value\":\"{\\\"vulnerabilities\\\":{\\\"critical\\\":0,\\\"high\\\":0,\\\"medium\\\":0,\\\"low\\\":0,\\\"unknown\\\":0},\\\"unpatched_vulnerabilities\\\":{\\\"critical\\\":0,\\\"high\\\":0,\\\"medium\\\":0,\\\"low\\\":0,\\\"unknown\\\":0}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-03-13T17:14:36+00:00\\\",\\\"note\\\":\\\"Task clair-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Clair.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-03-13T17:14:35Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "Scans container images for vulnerabilities using Clair, by comparing the components of container image against Clair's vulnerability databases.", "params": [ { "description": "Image digest to scan.", "name": "image-digest", "type": "string" }, { "description": "Image URL.", "name": "image-url", "type": "string" }, { "default": "", "description": "The platform built by.", "name": "image-platform", "type": "string" }, { "default": "", "description": "unused, should be removed in next task version.", "name": "docker-auth", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "ca-trust-config-map-name", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "ca-trust-config-map-key", "type": "string" }, { "default": "false", "description": "If true, skips uploading the results to the image registry. Useful for read-only tests.", "name": "skip-oci-attach-report", "type": "string" } ], "results": [ { "description": "Tekton task test output.", "name": "TEST_OUTPUT", "type": "string" }, { "description": "Clair scan result.", "name": "SCAN_OUTPUT", "type": "string" }, { "description": "Images processed in the task.", "name": "IMAGES_PROCESSED", "type": "string" }, { "description": "Mapping of image digests to report digests", "name": "REPORTS", "type": "string" } ], "stepTemplate": { "computeResources": {}, "volumeMounts": [ { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ] }, "steps": [ { "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-qwjf/gl-test-custom-branch-sxempf:b53dfac8d719d750138ba9ade475be2685ee45a5" }, { "name": "IMAGE_DIGEST", "value": "sha256:4ea8cbe430b0e22319db4675b1c3825d95194c2f9e6a4af82ac2bacf86bdc410" } ], "image": "quay.io/konflux-ci/konflux-test:v1.4.48@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d", "name": "get-image-manifests", "script": "#!/usr/bin/env bash\nset -euo pipefail\n# shellcheck source=/dev/null\n. /utils.sh\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo $imagewithouttag@$IMAGE_DIGEST)\necho \"Inspecting raw image manifest $imageanddigest.\"\n\n# Get the arch and image manifests by inspecting the image. This is mainly for identifying image indexes\nimage_manifests=$(get_image_manifests -i \"${imageanddigest}\")\nif [ -n \"$image_manifests\" ]; then\n echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"' | while read -r arch arch_sha; do\n echo \"$arch_sha\" \u003e /tekton/home/image-manifest-$arch.sha\n done\nelse\n echo \"Failed to get image manifests from image \\\"$imageanddigest\\\"\"\n note=\"Task clair-scan failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 0\nfi\n", "securityContext": { "capabilities": { "add": [ "SETFCAP" ] } } }, { "computeResources": { "limits": { "cpu": "800m", "memory": "7Gi" }, "requests": { "cpu": "800m", "memory": "7Gi" } }, "env": [ { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-qwjf/gl-test-custom-branch-sxempf:b53dfac8d719d750138ba9ade475be2685ee45a5" }, { "name": "IMAGE_DIGEST", "value": "sha256:4ea8cbe430b0e22319db4675b1c3825d95194c2f9e6a4af82ac2bacf86bdc410" }, { "name": "IMAGE_PLATFORM" } ], "image": "quay.io/konflux-ci/clair-in-ci:v1", "imagePullPolicy": "Always", "name": "get-vulnerabilities", "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n# shellcheck source=/utils.sh\n. /utils.sh\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\n\n# the quay report format used by the Conftest rules in the\n# conftest-vulnerabilities step doesn't contain the \"issued\" date which\n# we require in the policy rules, so we resort to running clair-action\n# twice to produce both quay and clair formatted output\nclair_report() {\n { retry clair-action report --image-ref=\"$1\" --db-path=/tmp/matcher.db --format=clair | tee \"clair-report-$2.json\"; } \u0026\u0026 \\\n { retry clair-action convert --file-path=\"clair-report-$2.json\" --format=quay \u003e \"clair-result-$2.json\"; }\n}\n\nrun_clair_on_arch() {\n local arch=\"$1\"\n local sha_file=\"image-manifest-$arch.sha\"\n\n if [ -e \"$sha_file\" ]; then\n local arch_sha\n arch_sha=$(\u003c\"$sha_file\")\n local digest=\"${imagewithouttag}@${arch_sha}\"\n\n echo \"Running clair-action on $arch image manifest...\"\n clair_report \"$digest\" \"$arch\" || true\n\n digests_processed+=(\"\\\"$arch_sha\\\"\")\n fi\n}\n\nplatform=\"${IMAGE_PLATFORM}\"\n\n# If a platform is specified, extract the architecture and run clair-action on the corresponding image manifest\nif [ -n \"$platform\" ]; then\n arch=\"${platform#*/}\"\n if [ \"$arch\" = \"x86_64\" ] || [ \"$arch\" = \"local\" ] || [ \"$arch\" = \"localhost\" ]; then\n arch=\"amd64\"\n fi\n # Validate against supported arch list. If it's not a known arch, fallback to amd64\n case \"$arch\" in\n amd64|ppc64le|arm64|s390x)\n ;;\n *)\n echo \"Error: Unsupported or malformed architecture: '$arch' (parsed from platform: '$platform')\"\n exit 0\n ;;\n esac\n\n run_clair_on_arch \"$arch\"\n\n# If no platform is specified, run clair-action on all available image manifests\nelse\n for sha_file in image-manifest-*.sha; do\n if [ -e \"$sha_file\" ]; then\n arch=$(basename \"$sha_file\" | sed 's/image-manifest-//;s/.sha//')\n run_clair_on_arch \"$arch\"\n fi\n done\nfi\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\n\nimages_processed=$(echo \"${images_processed_template/\\[%s]/[$digests_processed_string]}\")\necho \"$images_processed\" \u003e images-processed.json\n", "workingDir": "/tekton/home" }, { "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "SKIP_OCI_ATTACH_REPORT", "value": "false" }, { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-qwjf/gl-test-custom-branch-sxempf:b53dfac8d719d750138ba9ade475be2685ee45a5" } ], "image": "quay.io/konflux-ci/oras:latest@sha256:d126f98e16bfad71aab782eb212a5be701e2cde915d294a7bd6423a4ab448705", "name": "oci-attach-report", "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nif [ \"$SKIP_OCI_ATTACH_REPORT\" = \"true\" ]; then\n echo 'OCI attach report skipped by parameter.'\n echo '{}' \u003e reports.json\n exit 0\nfi\n\nif ! compgen -G \"clair-report-*.json\" \u003e /dev/null; then\n echo 'No Clair reports generated. Skipping upload.'\n echo '{}' \u003e reports.json\n exit 0\nfi\n\necho \"Selecting auth\"\nselect-oci-auth \"$IMAGE_URL\" \u003e \"$HOME/auth.json\"\n\nrepository=\"${IMAGE_URL/:*/}\"\n\narch() {\n report_file=\"$1\"\n arch=\"${report_file/*-}\"\n echo \"${arch/.json/}\"\n}\n\nMEDIA_TYPE='application/vnd.redhat.clair-report+json'\n\nreports_json=\"\"\nfor f in clair-report-*.json; do\n digest=$(cat \"image-manifest-$(arch \"$f\").sha\")\n image_ref=\"${repository}@${digest}\"\n echo \"Attaching $f to ${image_ref}\"\n if ! report_digest=\"$(retry oras attach --no-tty --format go-template='{{.digest}}' --registry-config \\\n \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${image_ref}\" \"$f:${MEDIA_TYPE}\")\"\n then\n echo \"Failed to attach ${f} to ${image_ref}\"\n exit 1\n fi\n # shellcheck disable=SC2016\n reports_json=\"$(yq --output-format json --indent=0 eval-all '. as $i ireduce ({}; . * $i)' \u003c(echo \"${reports_json}\") \u003c(echo \"${digest}: ${report_digest}\"))\"\ndone\necho \"${reports_json}\" \u003e reports.json\n", "workingDir": "/tekton/home" }, { "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "image": "quay.io/konflux-ci/konflux-test:v1.4.48@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d", "name": "conftest-vulnerabilities", "script": "#!/usr/bin/env bash\nset -euo pipefail\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nclair_result_files=$(ls /tekton/home/clair-result-*.json)\nif [ -z \"$clair_result_files\" ]; then\n echo \"Previous step [get-vulnerabilities] failed: No clair-result files found in /tekton/home.\"\nfi\n\nmissing_vulnerabilities_files=\"\"\nfor file in $clair_result_files; do\n file_suffix=$(basename \"$file\" | sed 's/clair-result-//;s/.json//')\n if [ ! -s \"$file\" ]; then\n echo \"Previous step [get-vulnerabilities] failed: $file is empty.\"\n else\n /usr/bin/conftest test --no-fail $file \\\n --policy /project/clair/vulnerabilities-check.rego --namespace required_checks \\\n --output=json | tee /tekton/home/clair-vulnerabilities-$file_suffix.json || true\n fi\n\n #check for missing \"clair-vulnerabilities-\u003carch\u003e/image-index\" file and create a string\n if [ ! -f \"/tekton/home/clair-vulnerabilities-$file_suffix.json\" ]; then\n missing_vulnerabilities_files+=\"${missing_vulnerabilities_files:+, }/tekton/home/clair-vulnerabilities-$file_suffix.json\"\n fi\ndone\n\nif [ -n \"$missing_vulnerabilities_files\" ]; then\n note=\"Task clair-scan failed: $missing_vulnerabilities_files did not generate. For details, check Tekton task log.\"\n TEST_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n echo \"$missing_vulnerabilities_files did not generate correctly. For details, check conftest command in Tekton task log.\"\n echo \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT\n exit 0\nfi\n\nscan_result='{\"vulnerabilities\":{\"critical\":0, \"high\":0, \"medium\":0, \"low\":0, \"unknown\":0}, \"unpatched_vulnerabilities\":{\"critical\":0, \"high\":0, \"medium\":0, \"low\":0, \"unknown\":0}}'\nfor file in /tekton/home/clair-vulnerabilities-*.json; do\n result=$(jq -rce \\\n '{\n vulnerabilities:{\n critical: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_critical_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n high: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_high_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n medium: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_medium_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n low: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_low_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n unknown: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unknown_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0)\n },\n unpatched_vulnerabilities:{\n critical: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_critical_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n high: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_high_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n medium: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_medium_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n low: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_low_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n unknown: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_unknown_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0)\n }\n }' \"$file\")\n\n scan_result=$(jq -s -rce \\\n '.[0].vulnerabilities.critical += .[1].vulnerabilities.critical |\n .[0].vulnerabilities.high += .[1].vulnerabilities.high |\n .[0].vulnerabilities.medium += .[1].vulnerabilities.medium |\n .[0].vulnerabilities.low += .[1].vulnerabilities.low |\n .[0].vulnerabilities.unknown += .[1].vulnerabilities.unknown |\n .[0].unpatched_vulnerabilities.critical += .[1].unpatched_vulnerabilities.critical |\n .[0].unpatched_vulnerabilities.high += .[1].unpatched_vulnerabilities.high |\n .[0].unpatched_vulnerabilities.medium += .[1].unpatched_vulnerabilities.medium |\n .[0].unpatched_vulnerabilities.low += .[1].unpatched_vulnerabilities.low |\n .[0].unpatched_vulnerabilities.unknown += .[1].unpatched_vulnerabilities.unknown |\n .[0]' \u003c\u003c\u003c\"$scan_result $result\")\ndone\n\necho \"$scan_result\" | tee \"/tekton/results/SCAN_OUTPUT\"\n\ncat /tekton/home/images-processed.json | tee /tekton/results/IMAGES_PROCESSED\n# shellcheck disable=SC2154\ncat /tekton/home/reports.json \u003e \"/tekton/results/REPORTS\"\n\nnote=\"Task clair-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Clair.\"\nTEST_OUTPUT=$(make_result_json -r \"SUCCESS\" -t \"$note\")\necho \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT\n", "securityContext": { "capabilities": { "add": [ "SETFCAP" ] } } } ], "volumes": [ { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://gitlab.com/konflux-qe/devfile-sample-hello-world-wsxzsz/-/tree/b53dfac8d719d750138ba9ade475be2685ee45a5", "build.appstudio.redhat.com/commit_sha": "b53dfac8d719d750138ba9ade475be2685ee45a5", "build.appstudio.redhat.com/target_branch": "base-qbmwpi", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "9db88e0", "pipelinesascode.tekton.dev/branch": "base-qbmwpi", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-kwtevk", "pipelinesascode.tekton.dev/git-provider": "gitlab", "pipelinesascode.tekton.dev/log-url": "https://52.11.17.101:9443/ns/build-e2e-qwjf/pipelinerun/gl-test-custom-branch-sxempf-on-push-4prvw", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"base-qbmwpi\"", "pipelinesascode.tekton.dev/original-prname": "gl-test-custom-branch-sxempf-on-push", "pipelinesascode.tekton.dev/repo-url": "https://gitlab.com/konflux-qe/devfile-sample-hello-world-wsxzsz", "pipelinesascode.tekton.dev/repository": "gl-test-custom-branch-sxempf", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "konflux-ci-qe-bot", "pipelinesascode.tekton.dev/sha": "b53dfac8d719d750138ba9ade475be2685ee45a5", "pipelinesascode.tekton.dev/sha-title": "Merge branch 'konflux-gl-test-custom-branch-sxempf' into 'base-qbmwpi'", "pipelinesascode.tekton.dev/sha-url": "https://gitlab.com/konflux-qe/devfile-sample-hello-world-wsxzsz/-/commit/b53dfac8d719d750138ba9ade475be2685ee45a5", "pipelinesascode.tekton.dev/source-branch": "refs/heads/base-qbmwpi", "pipelinesascode.tekton.dev/source-project-id": "80245652", "pipelinesascode.tekton.dev/source-repo-url": "https://gitlab.com/konflux-qe/devfile-sample-hello-world-wsxzsz", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/target-project-id": "80245652", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-hello-world-wsxzsz", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-qwjf/results/22c6f68a-72b3-49cb-8eeb-d3a074cd1459/records/8863c527-6429-49f4-889b-deb034c8db5b", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"devfile-sample-hello-world-wsxzsz\",\"commit\":\"b53dfac8d719d750138ba9ade475be2685ee45a5\",\"eventType\":\"push\"}", "results.tekton.dev/result": "build-e2e-qwjf/results/22c6f68a-72b3-49cb-8eeb-d3a074cd1459", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "virus, konflux" }, "creationTimestamp": "2026-03-13T17:13:58Z", "deletionGracePeriodSeconds": 0, "deletionTimestamp": "2026-03-13T17:15:00Z", "finalizers": [ "results.tekton.dev/taskrun" ], "generation": 2, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.42.0", "appstudio.openshift.io/application": "build-suite-test-application-kiif", "appstudio.openshift.io/component": "gl-test-custom-branch-sxempf", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/original-prname": "gl-test-custom-branch-sxempf-on-push", "pipelinesascode.tekton.dev/repository": "gl-test-custom-branch-sxempf", "pipelinesascode.tekton.dev/sha": "b53dfac8d719d750138ba9ade475be2685ee45a5", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-hello-world-wsxzsz", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "gl-test-custom-branch-sxempf-on-push-4prvw", "tekton.dev/pipelineRun": "gl-test-custom-branch-sxempf-on-push-4prvw", "tekton.dev/pipelineRunUID": "22c6f68a-72b3-49cb-8eeb-d3a074cd1459", "tekton.dev/pipelineTask": "clamav-scan", "tekton.dev/task": "clamav-scan" }, "name": "gl-test-custom-branch-sxempf-on-push-4prvw-clamav-scan", "namespace": "build-e2e-qwjf", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "gl-test-custom-branch-sxempf-on-push-4prvw", "uid": "22c6f68a-72b3-49cb-8eeb-d3a074cd1459" } ], "resourceVersion": "60323", "uid": "8863c527-6429-49f4-889b-deb034c8db5b" }, "spec": { "params": [ { "name": "image-digest", "value": "sha256:4ea8cbe430b0e22319db4675b1c3825d95194c2f9e6a4af82ac2bacf86bdc410" }, { "name": "image-url", "value": "quay.io/redhat-appstudio-qe/build-e2e-qwjf/gl-test-custom-branch-sxempf:b53dfac8d719d750138ba9ade475be2685ee45a5" } ], "serviceAccountName": "build-pipeline-gl-test-custom-branch-sxempf", "taskRef": { "params": [ { "name": "name", "value": "clamav-scan" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.3@sha256:9f18b216ce71a66909e7cb17d9b34526c02d73cf12884ba32d1f10614f7b9f5a" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "1h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-03-13T17:14:45Z", "conditions": [ { "lastTransitionTime": "2026-03-13T17:14:45Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "gl-test-custom-branch-sxempf-on-push-4prvw-clamav-scan-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "beta", "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "9f18b216ce71a66909e7cb17d9b34526c02d73cf12884ba32d1f10614f7b9f5a" }, "entryPoint": "clamav-scan", "uri": "quay.io/konflux-ci/tekton-catalog/task-clamav-scan" } }, "results": [ { "name": "IMAGES_PROCESSED", "type": "string", "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/build-e2e-qwjf/gl-test-custom-branch-sxempf:b53dfac8d719d750138ba9ade475be2685ee45a5\", \"digests\": [\"sha256:4ea8cbe430b0e22319db4675b1c3825d95194c2f9e6a4af82ac2bacf86bdc410\"]}}\n" }, { "name": "TEST_OUTPUT", "type": "string", "value": "{\"timestamp\":\"1773422081\",\"namespace\":\"required_checks\",\"successes\":2,\"failures\":0,\"warnings\":0,\"result\":\"SUCCESS\",\"note\":\"All checks passed successfully\"}\n" } ], "startTime": "2026-03-13T17:13:59Z", "steps": [ { "container": "step-extract-and-scan-image", "imageID": "quay.io/konflux-ci/clamav-db@sha256:1d537657c9972b65688599018c9641ec225c39d80fc448fada4cbf15ea142f0d", "name": "extract-and-scan-image", "provenance": {}, "terminated": { "containerID": "containerd://3bd1b73d9c90ffa9d1dd9dfed0860c4688c77c43864349cd163f8aac8106a78e", "exitCode": 0, "finishedAt": "2026-03-13T17:14:41Z", "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/build-e2e-qwjf/gl-test-custom-branch-sxempf:b53dfac8d719d750138ba9ade475be2685ee45a5\\\", \\\"digests\\\": [\\\"sha256:4ea8cbe430b0e22319db4675b1c3825d95194c2f9e6a4af82ac2bacf86bdc410\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1773422081\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":2,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\",\\\"note\\\":\\\"All checks passed successfully\\\"}\\n\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-03-13T17:14:21Z" }, "terminationReason": "Completed" }, { "container": "step-upload", "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e", "name": "upload", "provenance": {}, "terminated": { "containerID": "containerd://b48af78e7470e491d0f867bbb44eb3c69e1ef55f4d109c5e92838e2219cfd49f", "exitCode": 0, "finishedAt": "2026-03-13T17:14:44Z", "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/build-e2e-qwjf/gl-test-custom-branch-sxempf:b53dfac8d719d750138ba9ade475be2685ee45a5\\\", \\\"digests\\\": [\\\"sha256:4ea8cbe430b0e22319db4675b1c3825d95194c2f9e6a4af82ac2bacf86bdc410\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1773422081\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":2,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\",\\\"note\\\":\\\"All checks passed successfully\\\"}\\n\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-03-13T17:14:41Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "Scans the content of container images and OCI artifacts for viruses, malware, and other malicious content using ClamAV antivirus scanner.", "params": [ { "description": "Image digest to scan.", "name": "image-digest", "type": "string" }, { "description": "Image URL.", "name": "image-url", "type": "string" }, { "default": "", "description": "Image arch.", "name": "image-arch", "type": "string" }, { "default": "", "description": "unused", "name": "docker-auth", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "ca-trust-config-map-name", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "ca-trust-config-map-key", "type": "string" }, { "default": "8", "description": "Maximum number of threads clamd runs.", "name": "clamd-max-threads", "type": "string" }, { "default": "false", "description": "If true, skips uploading the results to the image registry. Useful for read-only tests.", "name": "skip-upload", "type": "string" } ], "results": [ { "description": "Tekton task test output.", "name": "TEST_OUTPUT", "type": "string" }, { "description": "Images processed in the task.", "name": "IMAGES_PROCESSED", "type": "string" } ], "steps": [ { "computeResources": { "limits": { "cpu": "7300m", "memory": "12Gi" }, "requests": { "cpu": "7300m", "memory": "12Gi" } }, "env": [ { "name": "HOME", "value": "/work" }, { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-qwjf/gl-test-custom-branch-sxempf:b53dfac8d719d750138ba9ade475be2685ee45a5" }, { "name": "IMAGE_DIGEST", "value": "sha256:4ea8cbe430b0e22319db4675b1c3825d95194c2f9e6a4af82ac2bacf86bdc410" }, { "name": "IMAGE_ARCH" }, { "name": "MAX_THREADS", "value": "8" } ], "image": "quay.io/konflux-ci/clamav-db:latest", "name": "extract-and-scan-image", "script": "#!/usr/bin/env bash\nset -euo pipefail\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\n# Start clamd in background\n/start-clamd.sh\n\n# Bootstrap .docker config in overridden HOME.\n# This prevents 'oc' CLI failures in clean environments where ~/.docker does not exist.\nif [ ! -d ~/.docker ]; then\n mkdir -p ~/.docker\n echo '{}' \u003e ~/.docker/config.json\nfi\n\nimagewithouttag=$(echo $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\" | tr -d '\\n')\n\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo $imagewithouttag@$IMAGE_DIGEST)\n\n# check if image is attestation one, skip the clamav scan in such case\nif [[ $imageanddigest == *.att ]]\nthen\n echo \"$imageanddigest is an attestation image. Skipping ClamAV scan.\"\n exit 0\nfi\n\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\nmkdir logs\nmkdir content\ncd content\necho \"Detecting artifact type for ${imageanddigest}.\"\necho '{\"artifact\":{\"pullspec\":\"'\"${imageanddigest}\"'\",\"type\":\"unknown\",\"mediaType\":\"\"}}' \u003e /work/logs/artifact-meta.json\n\n# Function to scan content and process results with ClamAV and EC\n# Parameters:\n# $1: destination - path to the content to scan\n# $2: suffix - suffix for log file names (e.g., \"oci\", \"amd64\")\n# $3: digest - digest to add to digests_processed array\n# $4: scan_message - optional message describing what is being scanned\nscan_and_process() {\n local destination=\"$1\"\n local suffix=\"$2\"\n local digest=\"$3\"\n local scan_message=\"${4:-Scanning content}\"\n\n db_version=$(clamdscan --version | sed 's|.*/\\(.*\\)/.*|\\1|')\n\n echo \"$scan_message. This operation may take a while.\"\n clamdscan \"${destination}\" -vi --multiscan --fdpass \\\n | tee \"/work/logs/clamscan-result-${suffix}.log\" || true\n\n echo \"Executed-on: Scan was executed on clamsdcan version - $(clamdscan --version) Database version: $db_version\" | tee -a \"/work/logs/clamscan-result-${suffix}.log\"\n\n digests_processed+=(\"\\\"$digest\\\"\")\n\n if [[ -e \"/work/logs/clamscan-result-${suffix}.log\" ]]; then\n # OPA/EC requires structured data input, add clamAV log into json\n jq -Rs '{ output: . }' \"/work/logs/clamscan-result-${suffix}.log\" \u003e \"/work/logs/clamscan-result-log-${suffix}.json\"\n\n EC_EXPERIMENTAL=1 ec test \\\n --namespace required_checks \\\n --policy /project/clamav/virus-check.rego \\\n -o json \\\n \"/work/logs/clamscan-result-log-${suffix}.json\" || true\n\n # workaround: due to a bug in ec-cli, we cannot generate json and appstudio output at the same time, running it again\n EC_EXPERIMENTAL=1 ec test \\\n --namespace required_checks \\\n --policy /project/clamav/virus-check.rego \\\n -o appstudio \\\n \"/work/logs/clamscan-result-log-${suffix}.json\" | tee \"/work/logs/clamscan-ec-test-${suffix}.json\" || true\n\n cat \"/work/logs/clamscan-ec-test-${suffix}.json\"\n fi\n}\n\n# Detect artifact type: container image vs OCI artifact\n# First, try to get image manifests (works for container images)\n# Use subshell to prevent get_image_manifests() from exiting the main script if it fails\n# (get_image_manifests uses exit 1 when Architecture field is missing, which happens for OCI artifacts)\nimage_manifests=$(bash -c '. /utils.sh; get_image_manifests -i \"'\"${imageanddigest}\"'\"' 2\u003e/dev/null || echo \"\")\n\n# If get_image_manifests failed, check if it's an OCI artifact by inspecting manifest media type\nif [ -z \"$image_manifests\" ]; then\n echo \"get_image_manifests returned empty, checking if this is an OCI artifact...\"\n raw_manifest=$(skopeo inspect --raw --authfile ~/.docker/config.json \"docker://${imageanddigest}\" 2\u003e/dev/null || true)\n if [ -s /work/logs/artifact-meta.json ]; then\n tmp=$(mktemp)\n if jq '.artifact.type = \"inspected\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n mv \"$tmp\" /work/logs/artifact-meta.json || true\n fi\n fi\n\n if [ -n \"$raw_manifest\" ]; then\n media_type=$(echo \"$raw_manifest\" | jq -r '.mediaType // .config.mediaType // empty' 2\u003e/dev/null || echo \"\")\n artifact_type=$(echo \"$raw_manifest\" | jq -r '.artifactType // empty' 2\u003e/dev/null || echo \"\")\n config_media_type=$(echo \"$raw_manifest\" | jq -r '.config.mediaType // empty' 2\u003e/dev/null || echo \"\")\n\n # Determine if this is an OCI artifact (not a container image)\n # OCI artifacts typically have:\n # - An empty/scratch config (config.mediaType contains \"empty\" or \"scratch\")\n # - An explicit artifactType field that is not a container image type\n is_oci_artifact=false\n\n # Check if config is empty/scratch (typical for OCI artifacts like python wheels, helm charts, etc.)\n if echo \"$config_media_type\" | grep -qiE \"(empty|scratch)\"; then\n is_oci_artifact=true\n fi\n\n # Check if artifactType is set and is not a container image type\n if [ -n \"$artifact_type\" ] \u0026\u0026 ! echo \"$artifact_type\" | grep -qE \"application/vnd\\.(oci|docker)\\.(image|container)\"; then\n is_oci_artifact=true\n fi\n\n if [ \"$is_oci_artifact\" = true ]; then\n # This is an OCI artifact (e.g., python wheels, helm charts, etc.)\n echo \"Detected OCI artifact (artifactType: ${artifact_type:-unset}, config.mediaType: ${config_media_type:-unset}). Downloading for scanning...\"\n if [ -s /work/logs/artifact-meta.json ]; then\n tmp=$(mktemp)\n if jq '.artifact.mediaType = '\"\\\"${media_type:-unknown}\\\"\"' | .artifact.artifactType = '\"\\\"${artifact_type:-unknown}\\\"\"' | .artifact.type = \"oci\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n mv \"$tmp\" /work/logs/artifact-meta.json || true\n fi\n fi\n destination=\"content-oci\"\n mkdir -p \"$destination\"\n\n # Download OCI artifact using skopeo copy\n echo \"Downloading OCI artifact using skopeo copy\"\n if ! retry skopeo copy --authfile ~/.docker/config.json \"docker://${imageanddigest}\" \"dir:${destination}\" 2\u003e\u00261; then\n echo \"Failed to download OCI artifact \\\"$imageanddigest\\\". Skipping ClamAV scan!\"\n note=\"Task clamav-scan failed: Failed to download OCI artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 0\n fi\n\n # Scan and process OCI artifact\n scan_and_process \"${destination}\" \"oci\" \"$IMAGE_DIGEST\" \"Scanning OCI artifact\"\n\n # Skip the container image processing path\n image_manifests=\"\"\n elif echo \"$media_type\" | grep -qE \"(application/vnd\\.(docker|oci)\\.(distribution|image)\\.manifest|application/vnd\\.docker\\.distribution\\.manifest)\"; then\n # This looks like a container image manifest, but get_image_manifests failed\n echo \"Detected container image manifest type: $media_type, but get_image_manifests failed. This may indicate an error.\"\n if [ -s /work/logs/artifact-meta.json ]; then\n tmp=$(mktemp)\n if jq '.artifact.mediaType = '\"\\\"$media_type\\\"\"' | .artifact.type = \"image\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n mv \"$tmp\" /work/logs/artifact-meta.json || true\n fi\n fi\n note=\"Task clamav-scan failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 0\n else\n # Likely an OCI artifact with non-standard media type\n echo \"Detected OCI artifact (media type: ${media_type:-unknown}). Downloading for scanning...\"\n if [ -s /work/logs/artifact-meta.json ]; then\n tmp=$(mktemp)\n if jq '.artifact.mediaType = '\"\\\"${media_type:-unknown}\\\"\"' | .artifact.type = \"oci\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n mv \"$tmp\" /work/logs/artifact-meta.json || true\n fi\n fi\n destination=\"content-oci\"\n mkdir -p \"$destination\"\n\n # Download OCI artifact using skopeo copy\n echo \"Downloading OCI artifact using skopeo copy\"\n if ! retry skopeo copy --authfile ~/.docker/config.json \"docker://${imageanddigest}\" \"dir:${destination}\" 2\u003e\u00261; then\n echo \"Failed to download OCI artifact \\\"$imageanddigest\\\". Skipping ClamAV scan!\"\n note=\"Task clamav-scan failed: Failed to download OCI artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 0\n fi\n\n # Scan and process OCI artifact\n scan_and_process \"${destination}\" \"oci\" \"$IMAGE_DIGEST\" \"Scanning OCI artifact\"\n\n # Skip the container image processing path\n image_manifests=\"\"\n fi\n else\n echo \"Failed to inspect artifact \\\"$imageanddigest\\\". Unable to determine type.\"\n note=\"Task clamav-scan failed: Failed to inspect artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 0\n fi\nfi\n\n# Process container images (existing logic)\nif [ -n \"$image_manifests\" ]; then\n echo \"Detected container image. Processing image manifests.\"\n if [ -s /work/logs/artifact-meta.json ]; then\n tmp=$(mktemp)\n if jq '.artifact.type = \"image\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n mv \"$tmp\" /work/logs/artifact-meta.json || true\n fi\n fi\n # Proceed only if a specific arch is provided.\n # This typically occurs when using Tekton Matrix to launch multiple TaskRuns to scan all architectures of a multi-arch image in parallel.\n if [ -n \"$IMAGE_ARCH\" ]; then\n arch=\"${IMAGE_ARCH#*/}\"\n if [ \"${arch}\" = \"x86_64\" ]; then\n arch=\"amd64\"\n fi\n\n # Check if arch is supported; if not (e.g., it's 'local', see link below), default to amd64.\n # https://github.com/redhat-appstudio/infra-deployments/blob/main/components/multi-platform-controller/production/stone-prd-rh01/host-config.yaml#L9-L14\n case \"$arch\" in\n amd64|ppc64le|arm64|s390x)\n ;;\n *)\n arch=\"amd64\"\n ;;\n esac\n\n image_manifests=$(echo \"$image_manifests\" | jq -c --arg arch \"$arch\" '{($arch): .[$arch]}')\n fi\n\n while read -r arch arch_sha; do\n destination=$(echo content-$arch)\n mkdir -p \"$destination\"\n arch_imageanddigest=$(echo $imagewithouttag@$arch_sha)\n\n echo \"Running \\\"oc image extract\\\" on image of arch $arch\"\n retry oc image extract --only-files=true --registry-config ~/.docker/config.json \"$arch_imageanddigest\" --path=\"/:${destination}\" --filter-by-os=\"linux/${arch}\"\n if [ $? -ne 0 ]; then\n echo \"Unable to extract image for arch $arch. Skipping ClamAV scan!\"\n exit 0\n fi\n\n # Scan and process container image for this architecture\n scan_and_process \"${destination}\" \"$arch\" \"$arch_sha\" \"Scanning image for arch $arch\"\n done \u003c \u003c(echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"')\nfi\n\njq -s -rce '\n reduce .[] as $item ({\"timestamp\":\"0\",\"namespace\":\"\",\"successes\":0,\"failures\":0,\"warnings\":0,\"result\":\"\",\"note\":\"\"};\n {\n \"timestamp\" : (if .timestamp \u003c $item.timestamp then $item.timestamp else .timestamp end),\n \"namespace\" : $item.namespace,\n \"successes\" : (.successes + $item.successes),\n \"failures\" : (.failures + $item.failures),\n \"warnings\" : (.warnings + $item.warnings),\n \"result\" : (if .result == \"\" or ($item.result == \"SKIPPED\" and .result == \"SUCCESS\") or ($item.result == \"WARNING\" and (.result == \"SUCCESS\" or .result == \"SKIPPED\")) or ($item.result == \"FAILURE\" and .result != \"ERROR\") or $item.result == \"ERROR\" then $item.result else .result end),\n \"note\" : (if .result == \"\" or ($item.result == \"SKIPPED\" and .result == \"SUCCESS\") or ($item.result == \"WARNING\" and (.result == \"SUCCESS\" or .result == \"SKIPPED\")) or ($item.result == \"FAILURE\" and .result != \"ERROR\") or $item.result == \"ERROR\" then $item.note else .note end)\n })' /work/logs/clamscan-ec-test-*.json | tee /tekton/results/TEST_OUTPUT\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\necho \"${images_processed_template/\\[%s]/[$digests_processed_string]}\" | tee /tekton/results/IMAGES_PROCESSED\n", "securityContext": { "capabilities": { "add": [ "SETFCAP" ] } }, "volumeMounts": [ { "mountPath": "/work", "name": "work" }, { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ], "workingDir": "/work" }, { "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "SKIP_UPLOAD", "value": "false" }, { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-qwjf/gl-test-custom-branch-sxempf:b53dfac8d719d750138ba9ade475be2685ee45a5" }, { "name": "IMAGE_DIGEST", "value": "sha256:4ea8cbe430b0e22319db4675b1c3825d95194c2f9e6a4af82ac2bacf86bdc410" } ], "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e", "name": "upload", "script": "#!/usr/bin/env bash\nset -e\n\n# Skip upload if requested e.g. read-only CI tests where push access is denied\nif [ \"$SKIP_UPLOAD\" == \"true\" ]; then\n echo \"Upload skipped by parameter.\"\n exit 0\nfi\n\n# Don't return a glob expression when no matches are found\nshopt -s nullglob\n\ncd logs\n\nfor UPLOAD_FILE in clamscan-result*.log; do\n MEDIA_TYPE=text/vnd.clamav\n args+=(\"${UPLOAD_FILE}:${MEDIA_TYPE}\")\ndone\nfor UPLOAD_FILE in clamscan-ec-test*.json; do\n MEDIA_TYPE=application/vnd.konflux.test_output+json\n args+=(\"${UPLOAD_FILE}:${MEDIA_TYPE}\")\ndone\n\nif [ -z \"${args}\" ]; then\n echo \"No files found. Skipping upload.\"\n exit 0;\nfi\n\necho \"Selecting auth\"\nselect-oci-auth $IMAGE_URL \u003e $HOME/auth.json\necho \"Attaching to ${IMAGE_URL}\"\n retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type application/vnd.clamav \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${args[@]}\"\n", "volumeMounts": [ { "mountPath": "/work", "name": "work" }, { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ], "workingDir": "/work" } ], "volumes": [ { "emptyDir": {}, "name": "dbfolder" }, { "emptyDir": {}, "name": "work" }, { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://gitlab.com/konflux-qe/devfile-sample-hello-world-wsxzsz/-/tree/b53dfac8d719d750138ba9ade475be2685ee45a5", "build.appstudio.redhat.com/commit_sha": "b53dfac8d719d750138ba9ade475be2685ee45a5", "build.appstudio.redhat.com/target_branch": "base-qbmwpi", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-337617f8e6", "pipeline.tekton.dev/release": "9db88e0", "pipelinesascode.tekton.dev/branch": "base-qbmwpi", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-kwtevk", "pipelinesascode.tekton.dev/git-provider": "gitlab", "pipelinesascode.tekton.dev/log-url": "https://52.11.17.101:9443/ns/build-e2e-qwjf/pipelinerun/gl-test-custom-branch-sxempf-on-push-4prvw", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"base-qbmwpi\"", "pipelinesascode.tekton.dev/original-prname": "gl-test-custom-branch-sxempf-on-push", "pipelinesascode.tekton.dev/repo-url": "https://gitlab.com/konflux-qe/devfile-sample-hello-world-wsxzsz", "pipelinesascode.tekton.dev/repository": "gl-test-custom-branch-sxempf", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "konflux-ci-qe-bot", "pipelinesascode.tekton.dev/sha": "b53dfac8d719d750138ba9ade475be2685ee45a5", "pipelinesascode.tekton.dev/sha-title": "Merge branch 'konflux-gl-test-custom-branch-sxempf' into 'base-qbmwpi'", "pipelinesascode.tekton.dev/sha-url": "https://gitlab.com/konflux-qe/devfile-sample-hello-world-wsxzsz/-/commit/b53dfac8d719d750138ba9ade475be2685ee45a5", "pipelinesascode.tekton.dev/source-branch": "refs/heads/base-qbmwpi", "pipelinesascode.tekton.dev/source-project-id": "80245652", "pipelinesascode.tekton.dev/source-repo-url": "https://gitlab.com/konflux-qe/devfile-sample-hello-world-wsxzsz", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/target-project-id": "80245652", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-hello-world-wsxzsz", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-qwjf/results/22c6f68a-72b3-49cb-8eeb-d3a074cd1459/records/609015c8-5f8e-4212-8db6-ffa3fa995f01", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"devfile-sample-hello-world-wsxzsz\",\"commit\":\"b53dfac8d719d750138ba9ade475be2685ee45a5\",\"eventType\":\"push\"}", "results.tekton.dev/result": "build-e2e-qwjf/results/22c6f68a-72b3-49cb-8eeb-d3a074cd1459", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "image-build, appstudio" }, "creationTimestamp": "2026-03-13T17:13:58Z", "deletionGracePeriodSeconds": 0, "deletionTimestamp": "2026-03-13T17:15:00Z", "finalizers": [ "results.tekton.dev/taskrun" ], "generation": 2, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.42.0", "appstudio.openshift.io/application": "build-suite-test-application-kiif", "appstudio.openshift.io/component": "gl-test-custom-branch-sxempf", "build.appstudio.redhat.com/build_type": "docker", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/original-prname": "gl-test-custom-branch-sxempf-on-push", "pipelinesascode.tekton.dev/repository": "gl-test-custom-branch-sxempf", "pipelinesascode.tekton.dev/sha": "b53dfac8d719d750138ba9ade475be2685ee45a5", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-hello-world-wsxzsz", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "gl-test-custom-branch-sxempf-on-push-4prvw", "tekton.dev/pipelineRun": "gl-test-custom-branch-sxempf-on-push-4prvw", "tekton.dev/pipelineRunUID": "22c6f68a-72b3-49cb-8eeb-d3a074cd1459", "tekton.dev/pipelineTask": "push-dockerfile", "tekton.dev/task": "push-dockerfile" }, "name": "gl-test-custom-branch-sxempf-on-push-4prvw-push-dockerfile", "namespace": "build-e2e-qwjf", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "gl-test-custom-branch-sxempf-on-push-4prvw", "uid": "22c6f68a-72b3-49cb-8eeb-d3a074cd1459" } ], "resourceVersion": "60291", "uid": "609015c8-5f8e-4212-8db6-ffa3fa995f01" }, "spec": { "params": [ { "name": "IMAGE", "value": "quay.io/redhat-appstudio-qe/build-e2e-qwjf/gl-test-custom-branch-sxempf:b53dfac8d719d750138ba9ade475be2685ee45a5" }, { "name": "IMAGE_DIGEST", "value": "sha256:4ea8cbe430b0e22319db4675b1c3825d95194c2f9e6a4af82ac2bacf86bdc410" }, { "name": "DOCKERFILE", "value": "docker/Dockerfile" }, { "name": "CONTEXT", "value": "." } ], "serviceAccountName": "build-pipeline-gl-test-custom-branch-sxempf", "taskRef": { "params": [ { "name": "name", "value": "push-dockerfile" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-push-dockerfile:0.3@sha256:64210c6d94ab467e1f8e1666e037060bd73942d65f5044bb63804470667ab3a2" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "1h0m0s", "workspaces": [ { "name": "workspace", "persistentVolumeClaim": { "claimName": "pvc-fb61430fd4" } } ] }, "status": { "artifacts": {}, "completionTime": "2026-03-13T17:14:26Z", "conditions": [ { "lastTransitionTime": "2026-03-13T17:14:26Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "gl-test-custom-branch-sxempf-on-push-4prvw-push-dockerfile-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "beta", "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "64210c6d94ab467e1f8e1666e037060bd73942d65f5044bb63804470667ab3a2" }, "entryPoint": "push-dockerfile", "uri": "quay.io/konflux-ci/tekton-catalog/task-push-dockerfile" } }, "results": [ { "name": "IMAGE_REF", "type": "string", "value": "quay.io/redhat-appstudio-qe/build-e2e-qwjf/gl-test-custom-branch-sxempf@sha256:9d8f0b46202a42afc569fda94c4cc6c89f7b0b1055a05f825baf4a97ac425bd5" } ], "startTime": "2026-03-13T17:14:02Z", "steps": [ { "container": "step-push", "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:b5d20c85efa96affda92b32ca50590aa72231b43484637b2547e2d4c8c808fa0", "name": "push", "provenance": {}, "terminated": { "containerID": "containerd://5fa4ad80a4ceeef76df37e96d54cc86508fb090e5763baabf8f30904b0a61f59", "exitCode": 0, "finishedAt": "2026-03-13T17:14:25Z", "message": "[{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-qwjf/gl-test-custom-branch-sxempf@sha256:9d8f0b46202a42afc569fda94c4cc6c89f7b0b1055a05f825baf4a97ac425bd5\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-03-13T17:14:24Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "Discover Dockerfile from source code and push it to registry as an OCI artifact.", "params": [ { "description": "The built binary image. The Dockerfile is pushed to the same image repository alongside.", "name": "IMAGE", "type": "string" }, { "description": "The built binary image digest, which is used to construct the tag of Dockerfile image.", "name": "IMAGE_DIGEST", "type": "string" }, { "default": "./Dockerfile", "description": "Path to the Dockerfile.", "name": "DOCKERFILE", "type": "string" }, { "default": ".", "description": "Path to the directory to use as context.", "name": "CONTEXT", "type": "string" }, { "default": ".dockerfile", "description": "Suffix of the Dockerfile image tag.", "name": "TAG_SUFFIX", "type": "string" }, { "default": "application/vnd.konflux.dockerfile", "description": "Artifact type of the Dockerfile image.", "name": "ARTIFACT_TYPE", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "CA_TRUST_CONFIG_MAP_NAME", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "CA_TRUST_CONFIG_MAP_KEY", "type": "string" }, { "default": "info", "description": "Log level to use in the task. See golang logrus docs for available levels.", "name": "LOG_LEVEL", "type": "string" } ], "results": [ { "description": "Digest-pinned image reference to the Dockerfile image.", "name": "IMAGE_REF", "type": "string" } ], "stepTemplate": { "computeResources": {}, "volumeMounts": [ { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ] }, "steps": [ { "args": [ "--source", "source", "--context", ".", "--containerfile", "docker/Dockerfile", "--image-url", "quay.io/redhat-appstudio-qe/build-e2e-qwjf/gl-test-custom-branch-sxempf:b53dfac8d719d750138ba9ade475be2685ee45a5", "--image-digest", "sha256:4ea8cbe430b0e22319db4675b1c3825d95194c2f9e6a4af82ac2bacf86bdc410", "--artifact-type", "application/vnd.konflux.dockerfile", "--tag-suffix", ".dockerfile", "--result-path-image-ref", "/tekton/results/IMAGE_REF", "--alternative-filename", "Dockerfile" ], "command": [ "konflux-build-cli", "image", "push-containerfile" ], "computeResources": { "limits": { "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "KBC_LOG_LEVEL", "value": "info" } ], "image": "quay.io/konflux-ci/konflux-build-cli@sha256:b5d20c85efa96affda92b32ca50590aa72231b43484637b2547e2d4c8c808fa0", "name": "push", "workingDir": "/workspace/workspace" } ], "volumes": [ { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" } ], "workspaces": [ { "description": "Workspace containing the source code from where the Dockerfile is discovered.", "name": "workspace" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://gitlab.com/konflux-qe/devfile-sample-hello-world-wsxzsz/-/tree/b53dfac8d719d750138ba9ade475be2685ee45a5", "build.appstudio.redhat.com/commit_sha": "b53dfac8d719d750138ba9ade475be2685ee45a5", "build.appstudio.redhat.com/target_branch": "base-qbmwpi", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "9db88e0", "pipelinesascode.tekton.dev/branch": "base-qbmwpi", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-kwtevk", "pipelinesascode.tekton.dev/git-provider": "gitlab", "pipelinesascode.tekton.dev/log-url": "https://52.11.17.101:9443/ns/build-e2e-qwjf/pipelinerun/gl-test-custom-branch-sxempf-on-push-4prvw", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"base-qbmwpi\"", "pipelinesascode.tekton.dev/original-prname": "gl-test-custom-branch-sxempf-on-push", "pipelinesascode.tekton.dev/repo-url": "https://gitlab.com/konflux-qe/devfile-sample-hello-world-wsxzsz", "pipelinesascode.tekton.dev/repository": "gl-test-custom-branch-sxempf", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "konflux-ci-qe-bot", "pipelinesascode.tekton.dev/sha": "b53dfac8d719d750138ba9ade475be2685ee45a5", "pipelinesascode.tekton.dev/sha-title": "Merge branch 'konflux-gl-test-custom-branch-sxempf' into 'base-qbmwpi'", "pipelinesascode.tekton.dev/sha-url": "https://gitlab.com/konflux-qe/devfile-sample-hello-world-wsxzsz/-/commit/b53dfac8d719d750138ba9ade475be2685ee45a5", "pipelinesascode.tekton.dev/source-branch": "refs/heads/base-qbmwpi", "pipelinesascode.tekton.dev/source-project-id": "80245652", "pipelinesascode.tekton.dev/source-repo-url": "https://gitlab.com/konflux-qe/devfile-sample-hello-world-wsxzsz", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/target-project-id": "80245652", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-hello-world-wsxzsz", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-qwjf/results/22c6f68a-72b3-49cb-8eeb-d3a074cd1459/records/2966e782-bf8e-4a73-8052-b3b4081b87d3", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"devfile-sample-hello-world-wsxzsz\",\"commit\":\"b53dfac8d719d750138ba9ade475be2685ee45a5\",\"eventType\":\"push\"}", "results.tekton.dev/result": "build-e2e-qwjf/results/22c6f68a-72b3-49cb-8eeb-d3a074cd1459", "results.tekton.dev/stored": "true" }, "creationTimestamp": "2026-03-13T17:13:58Z", "deletionGracePeriodSeconds": 0, "deletionTimestamp": "2026-03-13T17:15:00Z", "finalizers": [ "results.tekton.dev/taskrun" ], "generation": 2, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.42.0", "appstudio.openshift.io/application": "build-suite-test-application-kiif", "appstudio.openshift.io/component": "gl-test-custom-branch-sxempf", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/original-prname": "gl-test-custom-branch-sxempf-on-push", "pipelinesascode.tekton.dev/repository": "gl-test-custom-branch-sxempf", "pipelinesascode.tekton.dev/sha": "b53dfac8d719d750138ba9ade475be2685ee45a5", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-hello-world-wsxzsz", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "gl-test-custom-branch-sxempf-on-push-4prvw", "tekton.dev/pipelineRun": "gl-test-custom-branch-sxempf-on-push-4prvw", "tekton.dev/pipelineRunUID": "22c6f68a-72b3-49cb-8eeb-d3a074cd1459", "tekton.dev/pipelineTask": "rpms-signature-scan", "tekton.dev/task": "rpms-signature-scan" }, "name": "gl-test-custom-branch-sxempf-on-push-4prvw-rpms-signature-scan", "namespace": "build-e2e-qwjf", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "gl-test-custom-branch-sxempf-on-push-4prvw", "uid": "22c6f68a-72b3-49cb-8eeb-d3a074cd1459" } ], "resourceVersion": "60328", "uid": "2966e782-bf8e-4a73-8052-b3b4081b87d3" }, "spec": { "params": [ { "name": "image-url", "value": "quay.io/redhat-appstudio-qe/build-e2e-qwjf/gl-test-custom-branch-sxempf:b53dfac8d719d750138ba9ade475be2685ee45a5" }, { "name": "image-digest", "value": "sha256:4ea8cbe430b0e22319db4675b1c3825d95194c2f9e6a4af82ac2bacf86bdc410" } ], "serviceAccountName": "build-pipeline-gl-test-custom-branch-sxempf", "taskRef": { "params": [ { "name": "name", "value": "rpms-signature-scan" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:47b81d6b3d752649eddfbb8b3fd8f6522c4bb07f6d1946f9bc45dae3f92e2c9a" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "1h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-03-13T17:14:21Z", "conditions": [ { "lastTransitionTime": "2026-03-13T17:14:21Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "gl-test-custom-branch-sxemp693c38273db1b53bb06283cf9d9c3bc3-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "beta", "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "47b81d6b3d752649eddfbb8b3fd8f6522c4bb07f6d1946f9bc45dae3f92e2c9a" }, "entryPoint": "rpms-signature-scan", "uri": "quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan" } }, "results": [ { "name": "IMAGES_PROCESSED", "type": "string", "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/build-e2e-qwjf/gl-test-custom-branch-sxempf:b53dfac8d719d750138ba9ade475be2685ee45a5\", \"digests\": [\"sha256:4ea8cbe430b0e22319db4675b1c3825d95194c2f9e6a4af82ac2bacf86bdc410\"]}}\n" }, { "name": "RPMS_DATA", "type": "string", "value": "{\"keys\": {\"unsigned\": 0}}\n" }, { "name": "TEST_OUTPUT", "type": "string", "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-03-13T17:14:19+00:00\",\"note\":\"Task rpms-signature-scan completed successfully\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n" } ], "startTime": "2026-03-13T17:14:02Z", "steps": [ { "container": "step-rpms-signature-scan", "imageID": "quay.io/konflux-ci/tools@sha256:c677979dbad26c7b95e502ef62548beaf805607b691ba0d26ff488fd394fb215", "name": "rpms-signature-scan", "provenance": {}, "terminated": { "containerID": "containerd://9e01d3f8c4ab61b987cef7322267c2959999097c53f70213ae1ba485f9a1d25b", "exitCode": 0, "finishedAt": "2026-03-13T17:14:18Z", "reason": "Completed", "startedAt": "2026-03-13T17:14:09Z" }, "terminationReason": "Completed" }, { "container": "step-output-results", "imageID": "quay.io/konflux-ci/konflux-test@sha256:c7e2099ad87d4c65284cba5df8488eae64d16ea0baff344c549ed7ca2415ebce", "name": "output-results", "provenance": {}, "terminated": { "containerID": "containerd://a4209a7c35a5867d1c5099a801ca1ea4bc8ce445e1c6611a2efe5d4de083a73f", "exitCode": 0, "finishedAt": "2026-03-13T17:14:20Z", "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/build-e2e-qwjf/gl-test-custom-branch-sxempf:b53dfac8d719d750138ba9ade475be2685ee45a5\\\", \\\"digests\\\": [\\\"sha256:4ea8cbe430b0e22319db4675b1c3825d95194c2f9e6a4af82ac2bacf86bdc410\\\"]}}\\n\",\"type\":1},{\"key\":\"RPMS_DATA\",\"value\":\"{\\\"keys\\\": {\\\"unsigned\\\": 0}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-03-13T17:14:19+00:00\\\",\\\"note\\\":\\\"Task rpms-signature-scan completed successfully\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-03-13T17:14:19Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "Scans RPMs in an image and provide information about RPMs signatures.", "params": [ { "description": "Image URL", "name": "image-url", "type": "string" }, { "description": "Image digest to scan", "name": "image-digest", "type": "string" }, { "default": "/tmp", "description": "Directory that will be used for storing temporary\nfiles produced by this task.\n", "name": "workdir", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "ca-trust-config-map-name", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "ca-trust-config-map-key", "type": "string" } ], "results": [ { "description": "Tekton task test output.", "name": "TEST_OUTPUT", "type": "string" }, { "description": "Information about signed and unsigned RPMs", "name": "RPMS_DATA", "type": "string" }, { "description": "Images processed in the task.", "name": "IMAGES_PROCESSED", "type": "string" } ], "steps": [ { "computeResources": { "limits": { "cpu": "200m", "memory": "256Mi" }, "requests": { "cpu": "200m", "memory": "256Mi" } }, "env": [ { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-qwjf/gl-test-custom-branch-sxempf:b53dfac8d719d750138ba9ade475be2685ee45a5" }, { "name": "IMAGE_DIGEST", "value": "sha256:4ea8cbe430b0e22319db4675b1c3825d95194c2f9e6a4af82ac2bacf86bdc410" }, { "name": "WORKDIR", "value": "/tmp" } ], "image": "quay.io/konflux-ci/tools@sha256:c677979dbad26c7b95e502ef62548beaf805607b691ba0d26ff488fd394fb215", "name": "rpms-signature-scan", "script": "#!/bin/bash\nset -ex\nset -o pipefail\n\nrpm_verifier \\\n --image-url \"${IMAGE_URL}\" \\\n --image-digest \"${IMAGE_DIGEST}\" \\\n --workdir \"${WORKDIR}\" \\\n", "volumeMounts": [ { "mountPath": "/tmp", "name": "workdir" }, { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ] }, { "computeResources": { "limits": { "cpu": "50m", "memory": "32Mi" }, "requests": { "cpu": "50m", "memory": "32Mi" } }, "env": [ { "name": "WORKDIR", "value": "/tmp" } ], "image": "quay.io/konflux-ci/konflux-test:v1.4.46@sha256:c7e2099ad87d4c65284cba5df8488eae64d16ea0baff344c549ed7ca2415ebce", "name": "output-results", "script": "#!/bin/bash\nset -ex\n\nsource /utils.sh\nstatus=$(cat \"${WORKDIR}\"/status)\nrpms_data=$(cat \"${WORKDIR}\"/results)\nimages_processed=$(cat \"${WORKDIR}\"/images_processed)\n\nif [ \"$status\" == \"ERROR\" ]; then\n note=\"Task rpms-signature-scan failed to scan images. Refer to Tekton task output for details\"\nelse\n note=\"Task rpms-signature-scan completed successfully\"\nfi\n\nTEST_OUTPUT=$(make_result_json -r \"$status\" -t \"$note\")\n\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\necho \"${rpms_data}\" | tee \"/tekton/results/RPMS_DATA\"\necho \"${images_processed}\" | tee \"/tekton/results/IMAGES_PROCESSED\"\n", "volumeMounts": [ { "mountPath": "/tmp", "name": "workdir" } ] } ], "volumes": [ { "emptyDir": {}, "name": "workdir" }, { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://gitlab.com/konflux-qe/devfile-sample-hello-world-wsxzsz/-/tree/b53dfac8d719d750138ba9ade475be2685ee45a5", "build.appstudio.redhat.com/commit_sha": "b53dfac8d719d750138ba9ade475be2685ee45a5", "build.appstudio.redhat.com/target_branch": "base-qbmwpi", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-337617f8e6", "pipeline.tekton.dev/release": "9db88e0", "pipelinesascode.tekton.dev/branch": "base-qbmwpi", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-kwtevk", "pipelinesascode.tekton.dev/git-provider": "gitlab", "pipelinesascode.tekton.dev/log-url": "https://52.11.17.101:9443/ns/build-e2e-qwjf/pipelinerun/gl-test-custom-branch-sxempf-on-push-4prvw", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"base-qbmwpi\"", "pipelinesascode.tekton.dev/original-prname": "gl-test-custom-branch-sxempf-on-push", "pipelinesascode.tekton.dev/repo-url": "https://gitlab.com/konflux-qe/devfile-sample-hello-world-wsxzsz", "pipelinesascode.tekton.dev/repository": "gl-test-custom-branch-sxempf", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "konflux-ci-qe-bot", "pipelinesascode.tekton.dev/sha": "b53dfac8d719d750138ba9ade475be2685ee45a5", "pipelinesascode.tekton.dev/sha-title": "Merge branch 'konflux-gl-test-custom-branch-sxempf' into 'base-qbmwpi'", "pipelinesascode.tekton.dev/sha-url": "https://gitlab.com/konflux-qe/devfile-sample-hello-world-wsxzsz/-/commit/b53dfac8d719d750138ba9ade475be2685ee45a5", "pipelinesascode.tekton.dev/source-branch": "refs/heads/base-qbmwpi", "pipelinesascode.tekton.dev/source-project-id": "80245652", "pipelinesascode.tekton.dev/source-repo-url": "https://gitlab.com/konflux-qe/devfile-sample-hello-world-wsxzsz", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/target-project-id": "80245652", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-hello-world-wsxzsz", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-qwjf/results/22c6f68a-72b3-49cb-8eeb-d3a074cd1459/records/994e4d42-5667-4b6d-85ec-2b3f8d38ae7d", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"devfile-sample-hello-world-wsxzsz\",\"commit\":\"b53dfac8d719d750138ba9ade475be2685ee45a5\",\"eventType\":\"push\"}", "results.tekton.dev/result": "build-e2e-qwjf/results/22c6f68a-72b3-49cb-8eeb-d3a074cd1459", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "konflux" }, "creationTimestamp": "2026-03-13T17:13:58Z", "deletionGracePeriodSeconds": 0, "deletionTimestamp": "2026-03-13T17:15:00Z", "finalizers": [ "results.tekton.dev/taskrun" ], "generation": 2, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.42.0", "appstudio.openshift.io/application": "build-suite-test-application-kiif", "appstudio.openshift.io/component": "gl-test-custom-branch-sxempf", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/original-prname": "gl-test-custom-branch-sxempf-on-push", "pipelinesascode.tekton.dev/repository": "gl-test-custom-branch-sxempf", "pipelinesascode.tekton.dev/sha": "b53dfac8d719d750138ba9ade475be2685ee45a5", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-hello-world-wsxzsz", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "gl-test-custom-branch-sxempf-on-push-4prvw", "tekton.dev/pipelineRun": "gl-test-custom-branch-sxempf-on-push-4prvw", "tekton.dev/pipelineRunUID": "22c6f68a-72b3-49cb-8eeb-d3a074cd1459", "tekton.dev/pipelineTask": "sast-shell-check", "tekton.dev/task": "sast-shell-check" }, "name": "gl-test-custom-branch-sxempf-on-push-4prvw-sast-shell-check", "namespace": "build-e2e-qwjf", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "gl-test-custom-branch-sxempf-on-push-4prvw", "uid": "22c6f68a-72b3-49cb-8eeb-d3a074cd1459" } ], "resourceVersion": "60318", "uid": "994e4d42-5667-4b6d-85ec-2b3f8d38ae7d" }, "spec": { "params": [ { "name": "image-digest", "value": "sha256:4ea8cbe430b0e22319db4675b1c3825d95194c2f9e6a4af82ac2bacf86bdc410" }, { "name": "image-url", "value": "quay.io/redhat-appstudio-qe/build-e2e-qwjf/gl-test-custom-branch-sxempf:b53dfac8d719d750138ba9ade475be2685ee45a5" } ], "serviceAccountName": "build-pipeline-gl-test-custom-branch-sxempf", "taskRef": { "params": [ { "name": "name", "value": "sast-shell-check" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-sast-shell-check:0.1@sha256:5ffec704e0946b247e0e2bf8a4547546a9e43ab661e5ab9ec29faae4751c6861" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "1h0m0s", "workspaces": [ { "name": "workspace", "persistentVolumeClaim": { "claimName": "pvc-fb61430fd4" } } ] }, "status": { "artifacts": {}, "completionTime": "2026-03-13T17:14:26Z", "conditions": [ { "lastTransitionTime": "2026-03-13T17:14:26Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "gl-test-custom-branch-sxempf-on-push-4prvw-sast-shell-check-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "beta", "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "5ffec704e0946b247e0e2bf8a4547546a9e43ab661e5ab9ec29faae4751c6861" }, "entryPoint": "sast-shell-check", "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-shell-check" } }, "results": [ { "name": "TEST_OUTPUT", "type": "string", "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-03-13T17:14:23+00:00\",\"note\":\"For details, check Tekton task log.\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n" } ], "startTime": "2026-03-13T17:14:01Z", "steps": [ { "container": "step-sast-shell-check", "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9", "name": "sast-shell-check", "provenance": {}, "terminated": { "containerID": "containerd://2948562bc9e323ad6ebf1f51f1c282632fd0a57d99c8c5feb40f4e8e3cafad3b", "exitCode": 0, "finishedAt": "2026-03-13T17:14:23Z", "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-03-13T17:14:23+00:00\\\",\\\"note\\\":\\\"For details, check Tekton task log.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-03-13T17:14:22Z" }, "terminationReason": "Completed" }, { "container": "step-upload", "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e", "name": "upload", "provenance": {}, "terminated": { "containerID": "containerd://b693e2f855603b5d36a957988d13954e2c6678958d5f00b58033ea5264189a5f", "exitCode": 0, "finishedAt": "2026-03-13T17:14:25Z", "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-03-13T17:14:23+00:00\\\",\\\"note\\\":\\\"For details, check Tekton task log.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-03-13T17:14:24Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "The sast-shell-check task uses [shellcheck](https://www.shellcheck.net/) tool to perform Static Application Security Testing (SAST), a popular cloud-native application security platform. This task leverages the shellcheck wrapper (csmock-plugin-shellcheck-core) to run shellcheck on a directory tree.\nShellCheck is a static analysis tool, gives warnings and suggestions for bash/sh shell scripts. This task can run on x86 and arm.", "params": [ { "default": "", "description": "Image URL.", "name": "image-url", "type": "string" }, { "default": "", "description": "Image digest to report findings for.", "name": "image-digest", "type": "string" }, { "default": "SITE_DEFAULT", "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.", "name": "KFP_GIT_URL", "type": "string" }, { "default": "", "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.", "name": "PROJECT_NAME", "type": "string" }, { "default": "false", "description": "Whether to record the excluded findings (default to false).\nIf `true`, the excluded findings will be stored in `excluded-findings.json`.\n", "name": "RECORD_EXCLUDED", "type": "string" }, { "default": "true", "description": "Whether to include important findings only", "name": "IMP_FINDINGS_ONLY", "type": "string" }, { "default": ".", "description": "Target directories in component's source code. Multiple values should be separated with commas.", "name": "TARGET_DIRS", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "caTrustConfigMapName", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "caTrustConfigMapKey", "type": "string" } ], "results": [ { "description": "Tekton task test output.", "name": "TEST_OUTPUT", "type": "string" } ], "steps": [ { "computeResources": { "limits": { "cpu": "8", "memory": "4Gi" }, "requests": { "cpu": "1", "memory": "4Gi" } }, "env": [ { "name": "KFP_GIT_URL", "value": "SITE_DEFAULT" }, { "name": "PROJECT_NAME" }, { "name": "RECORD_EXCLUDED", "value": "false" }, { "name": "IMP_FINDINGS_ONLY", "value": "true" }, { "name": "TARGET_DIRS", "value": "." }, { "name": "COMPONENT_LABEL", "valueFrom": { "fieldRef": { "fieldPath": "metadata.labels['appstudio.openshift.io/component']" } } }, { "name": "BUILD_PLR_LOG_URL", "valueFrom": { "fieldRef": { "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']" } } } ], "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9", "name": "sast-shell-check", "script": "#!/usr/bin/env bash\nset -x\n# shellcheck source=/dev/null\nsource /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n update-ca-trust\nfi\n\nPACKAGE_VERSION=$(rpm -q --queryformat '%{NAME}-%{VERSION}-%{RELEASE}\\n' ShellCheck)\n\nOUTPUT_FILE=\"shellcheck-results.json\"\nSOURCE_CODE_DIR=/workspace/workspace/source\n\n# generate full path for each dirname separated by comma\ndeclare -a ALL_TARGETS\nIFS=\",\" read -ra TARGET_ARRAY \u003c\u003c\u003c \"$TARGET_DIRS\"\nfor d in \"${TARGET_ARRAY[@]}\"; do\n potential_path=\"${SOURCE_CODE_DIR}/${d}\"\n\n resolved_path=$(realpath -m \"$potential_path\")\n\n # ensure resolved path is still within SOURCE_CODE_DIR\n if [[ \"$resolved_path\" == \"$SOURCE_CODE_DIR\"* ]]; then\n ALL_TARGETS+=(\"$resolved_path\")\n else\n echo \"Error: path traversal attempt, '$potential_path' is outside '$SOURCE_CODE_DIR'\"\n exit 1\n fi\ndone\n\n# determine number of available CPU cores for shellcheck based on container cgroup v2 CPU limits\n# this calculates the ceiling, so if the cpu limit is 0.5, the number of jobs will be 1.\nif [ -z \"$SC_JOBS\" ] \u0026\u0026 [ -r \"/sys/fs/cgroup/cpu.max\" ]; then\n read -r quota period \u003c /sys/fs/cgroup/cpu.max\n if [ \"$quota\" != \"max\" ] \u0026\u0026 [ -n \"$period\" ] \u0026\u0026 [ \"$period\" -gt 0 ]; then\n export SC_JOBS=$(((quota + period - 1) / period))\n echo \"INFO: Setting SC_JOBS=${SC_JOBS} based on cgroups v2 max for run-shellcheck.sh\"\n fi\nfi\n\n# generate all shellcheck result JSON files to $SC_RESULTS_DIR, which defaults to ./shellcheck-results/\n/usr/share/csmock/scripts/run-shellcheck.sh \"${ALL_TARGETS[@]}\"\n\nCSGREP_OPTS=(\n --mode=json\n --strip-path-prefix=\"$SOURCE_CODE_DIR\"/\n --remove-duplicates\n --embed-context=3\n --set-scan-prop=\"ShellCheck:${PACKAGE_VERSION}\"\n)\nif [[ \"$IMP_FINDINGS_ONLY\" == \"true\" ]]; then\n # predefined list of shellcheck important findings\n CSGREP_EVENT_FILTER='\\[SC(1020|1035|1054|1066|1068|1073|1080|1083|1099|1113|1115|1127|1128|1143|2043|2050|'\n CSGREP_EVENT_FILTER+='2055|2057|2066|2069|2071|2077|2078|2091|2092|2157|2171|2193|2194|2195|2215|2216|'\n CSGREP_EVENT_FILTER+='2218|2224|2225|2242|2256|2258|2261)\\]$'\n CSGREP_OPTS+=(\n --event=\"$CSGREP_EVENT_FILTER\"\n )\nelse\n CSGREP_OPTS+=(\n --event=\"error|warning\"\n )\nfi\n\nif ! csgrep \"${CSGREP_OPTS[@]}\" ./shellcheck-results/*.json \u003e \"$OUTPUT_FILE\"; then\n echo \"Error occurred while running 'run-shellcheck.sh'\"\n note=\"Task sast-shell-check failed: For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 1\nfi\n\nif [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\nfi\nPROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n# create the KFP clone directory regardless\nKFP_DIR=\"known-false-positives\"\nKFP_CLONED=\"0\"\nmkdir \"${KFP_DIR}\"\n\n# We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\nif [[ -n \"${KFP_GIT_URL}\" ]]; then\n # Default location only reachable from internal Konflux instances, check reachable first\n echo -n \"INFO: Probing ${PROBE_URL}... \"\n if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n echo \"INFO: Trying to clone known-false-positives..\"\n git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n fi\nfi\n\nif [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n echo \"WARN: Failed to clone known-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\nelse\n echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n # build initial csfilter-kfp command\n csfilter_kfp_cmd=(\n csfilter-kfp\n --verbose\n --kfp-dir=\"${KFP_DIR}\"\n --project-nvr=\"${PROJECT_NAME}\"\n )\n\n if [[ \"${RECORD_EXCLUDED}\" == \"true\" ]]; then\n csfilter_kfp_cmd+=(--record-excluded=\"excluded-findings.json\")\n fi\n\n # Execute the command and capture any errors\n set +e\n \"${csfilter_kfp_cmd[@]}\" \"${OUTPUT_FILE}\" \u003e \"${OUTPUT_FILE}.filtered\" 2\u003e \"${OUTPUT_FILE}.error\"\n status=$?\n set -e\n if [ \"$status\" -ne 0 ]; then\n echo \"WARN: failed to filter known false positives\" \u003e\u00262\n else\n mv \"${OUTPUT_FILE}.filtered\" \"$OUTPUT_FILE\"\n echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n fi\nfi\n\necho \"ShellCheck results have been saved to $OUTPUT_FILE\"\n\ncsgrep --mode=evtstat \"$OUTPUT_FILE\"\ncsgrep --mode=sarif \"$OUTPUT_FILE\" \u003e shellcheck-results.sarif\n\nTEST_OUTPUT=\nparse_test_output \"sast-shell-check\" sarif shellcheck-results.sarif || true\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n", "volumeMounts": [ { "mountPath": "/mnt/trusted-ca", "name": "trusted-ca", "readOnly": true } ], "workingDir": "/workspace/workspace/hacbs/sast-shell-check" }, { "computeResources": { "limits": { "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-qwjf/gl-test-custom-branch-sxempf:b53dfac8d719d750138ba9ade475be2685ee45a5" }, { "name": "IMAGE_DIGEST", "value": "sha256:4ea8cbe430b0e22319db4675b1c3825d95194c2f9e6a4af82ac2bacf86bdc410" } ], "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e", "name": "upload", "script": "#!/usr/bin/env bash\nset -e\n\nif [ -z \"${IMAGE_URL}\" ] || [ -z \"${IMAGE_DIGEST}\" ]; then\n echo 'No image-url or image-digest param provided. Skipping upload.'\n exit 0\nfi\n\nUPLOAD_FILES=\"shellcheck-results.sarif excluded-findings.json\"\n\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n if [ ! -f \"${UPLOAD_FILE}\" ]; then\n echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n continue\n fi\n\n # Determine the media type based on the file extension\n if [[ \"${UPLOAD_FILE}\" == *.json ]]; then\n MEDIA_TYPE=\"application/json\"\n else\n MEDIA_TYPE=\"application/sarif+json\"\n fi\n\n echo \"Selecting auth\"\n select-oci-auth \"$IMAGE_URL\" \u003e \"$HOME/auth.json\"\n echo \"Attaching to ${IMAGE_URL}\"\n if ! retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"\n then\n echo \"Failed to attach ${UPLOAD_FILE} to ${IMAGE_URL}\"\n exit 1\n fi\ndone\n", "volumeMounts": [ { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ], "workingDir": "/workspace/workspace/hacbs/sast-shell-check" } ], "volumes": [ { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" } ], "workspaces": [ { "name": "workspace" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://gitlab.com/konflux-qe/devfile-sample-hello-world-wsxzsz/-/tree/b53dfac8d719d750138ba9ade475be2685ee45a5", "build.appstudio.redhat.com/commit_sha": "b53dfac8d719d750138ba9ade475be2685ee45a5", "build.appstudio.redhat.com/target_branch": "base-qbmwpi", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-337617f8e6", "pipeline.tekton.dev/release": "9db88e0", "pipelinesascode.tekton.dev/branch": "base-qbmwpi", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-kwtevk", "pipelinesascode.tekton.dev/git-provider": "gitlab", "pipelinesascode.tekton.dev/log-url": "https://52.11.17.101:9443/ns/build-e2e-qwjf/pipelinerun/gl-test-custom-branch-sxempf-on-push-4prvw", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"base-qbmwpi\"", "pipelinesascode.tekton.dev/original-prname": "gl-test-custom-branch-sxempf-on-push", "pipelinesascode.tekton.dev/repo-url": "https://gitlab.com/konflux-qe/devfile-sample-hello-world-wsxzsz", "pipelinesascode.tekton.dev/repository": "gl-test-custom-branch-sxempf", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "konflux-ci-qe-bot", "pipelinesascode.tekton.dev/sha": "b53dfac8d719d750138ba9ade475be2685ee45a5", "pipelinesascode.tekton.dev/sha-title": "Merge branch 'konflux-gl-test-custom-branch-sxempf' into 'base-qbmwpi'", "pipelinesascode.tekton.dev/sha-url": "https://gitlab.com/konflux-qe/devfile-sample-hello-world-wsxzsz/-/commit/b53dfac8d719d750138ba9ade475be2685ee45a5", "pipelinesascode.tekton.dev/source-branch": "refs/heads/base-qbmwpi", "pipelinesascode.tekton.dev/source-project-id": "80245652", "pipelinesascode.tekton.dev/source-repo-url": "https://gitlab.com/konflux-qe/devfile-sample-hello-world-wsxzsz", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/target-project-id": "80245652", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-hello-world-wsxzsz", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-qwjf/results/22c6f68a-72b3-49cb-8eeb-d3a074cd1459/records/a465ccd8-6593-45c1-8ae8-d98ea88926e4", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"devfile-sample-hello-world-wsxzsz\",\"commit\":\"b53dfac8d719d750138ba9ade475be2685ee45a5\",\"eventType\":\"push\"}", "results.tekton.dev/result": "build-e2e-qwjf/results/22c6f68a-72b3-49cb-8eeb-d3a074cd1459", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "konflux" }, "creationTimestamp": "2026-03-13T17:13:58Z", "deletionGracePeriodSeconds": 0, "deletionTimestamp": "2026-03-13T17:15:00Z", "finalizers": [ "results.tekton.dev/taskrun" ], "generation": 2, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.42.0", "appstudio.openshift.io/application": "build-suite-test-application-kiif", "appstudio.openshift.io/component": "gl-test-custom-branch-sxempf", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/original-prname": "gl-test-custom-branch-sxempf-on-push", "pipelinesascode.tekton.dev/repository": "gl-test-custom-branch-sxempf", "pipelinesascode.tekton.dev/sha": "b53dfac8d719d750138ba9ade475be2685ee45a5", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-hello-world-wsxzsz", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "gl-test-custom-branch-sxempf-on-push-4prvw", "tekton.dev/pipelineRun": "gl-test-custom-branch-sxempf-on-push-4prvw", "tekton.dev/pipelineRunUID": "22c6f68a-72b3-49cb-8eeb-d3a074cd1459", "tekton.dev/pipelineTask": "sast-snyk-check", "tekton.dev/task": "sast-snyk-check" }, "name": "gl-test-custom-branch-sxempf-on-push-4prvw-sast-snyk-check", "namespace": "build-e2e-qwjf", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "gl-test-custom-branch-sxempf-on-push-4prvw", "uid": "22c6f68a-72b3-49cb-8eeb-d3a074cd1459" } ], "resourceVersion": "60259", "uid": "a465ccd8-6593-45c1-8ae8-d98ea88926e4" }, "spec": { "params": [ { "name": "image-digest", "value": "sha256:4ea8cbe430b0e22319db4675b1c3825d95194c2f9e6a4af82ac2bacf86bdc410" }, { "name": "image-url", "value": "quay.io/redhat-appstudio-qe/build-e2e-qwjf/gl-test-custom-branch-sxempf:b53dfac8d719d750138ba9ade475be2685ee45a5" } ], "serviceAccountName": "build-pipeline-gl-test-custom-branch-sxempf", "taskRef": { "params": [ { "name": "name", "value": "sast-snyk-check" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check:0.4@sha256:ecb0583a01bf8dfd86b58f7d929387b1050a3dbdbdc6a8be8cd40181041cc335" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "1h0m0s", "workspaces": [ { "name": "workspace", "persistentVolumeClaim": { "claimName": "pvc-fb61430fd4" } } ] }, "status": { "artifacts": {}, "completionTime": "2026-03-13T17:14:20Z", "conditions": [ { "lastTransitionTime": "2026-03-13T17:14:20Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "gl-test-custom-branch-sxempf-on-push-4prvw-sast-snyk-check-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "beta", "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "ecb0583a01bf8dfd86b58f7d929387b1050a3dbdbdc6a8be8cd40181041cc335" }, "entryPoint": "sast-snyk-check", "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check" } }, "results": [ { "name": "TEST_OUTPUT", "type": "string", "value": "{\"result\":\"SKIPPED\",\"timestamp\":\"2026-03-13T17:14:18+00:00\",\"note\":\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/)\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n" } ], "startTime": "2026-03-13T17:13:58Z", "steps": [ { "container": "step-sast-snyk-check", "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9", "name": "sast-snyk-check", "provenance": {}, "terminated": { "containerID": "containerd://f1f998a2e25579b3064e11f79072fed7066420809f6fc0c6e28e597f431e762f", "exitCode": 0, "finishedAt": "2026-03-13T17:14:18Z", "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SKIPPED\\\",\\\"timestamp\\\":\\\"2026-03-13T17:14:18+00:00\\\",\\\"note\\\":\\\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/)\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-03-13T17:14:16Z" }, "terminationReason": "Completed" }, { "container": "step-upload", "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e", "name": "upload", "provenance": {}, "terminated": { "containerID": "containerd://7704f717e2f736ae5f973bcc0fa248e5ce3f3de9657c29d8ad86b91bee5152ee", "exitCode": 0, "finishedAt": "2026-03-13T17:14:18Z", "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SKIPPED\\\",\\\"timestamp\\\":\\\"2026-03-13T17:14:18+00:00\\\",\\\"note\\\":\\\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/)\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-03-13T17:14:18Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "Scans source code for security vulnerabilities, including common issues such as SQL injection, cross-site scripting (XSS), and code injection attacks using Snyk Code, a Static Application Security Testing (SAST) tool.\n\nFollow the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/) to obtain a snyk-token and to enable the snyk task in a Pipeline.\n\nThe snyk binary used in this Task comes from a container image defined in https://github.com/konflux-ci/konflux-test\n\nSee https://snyk.io/product/snyk-code/ and https://snyk.io/ for more information about the snyk tool.", "params": [ { "default": "snyk-secret", "description": "Name of secret which contains Snyk token.", "name": "SNYK_SECRET", "type": "string" }, { "default": "", "description": "Append arguments.", "name": "ARGS", "type": "string" }, { "description": "Image URL.", "name": "image-url", "type": "string" }, { "description": "Digest of the image to scan.", "name": "image-digest", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "caTrustConfigMapName", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "caTrustConfigMapKey", "type": "string" }, { "default": "true", "description": "Report only important findings in task result. Default is \"true\". To report all findings in task result, specify \"false\". Uploaded SARIF report to remote registry always includes all findings, regardless of severity level.", "name": "IMP_FINDINGS_ONLY", "type": "string" }, { "default": "SITE_DEFAULT", "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.", "name": "KFP_GIT_URL", "type": "string" }, { "default": "", "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.", "name": "PROJECT_NAME", "type": "string" }, { "default": "false", "description": "Write excluded records in file. Useful for auditing (defaults to false).", "name": "RECORD_EXCLUDED", "type": "string" }, { "default": "", "description": "Directories or files to be excluded from Snyk scan (Comma-separated). Useful to split the directories of a git repo across multiple components.", "name": "IGNORE_FILE_PATHS", "type": "string" }, { "default": ".", "description": "Target directories in component's source code. Multiple values should be separated with commas.", "name": "TARGET_DIRS", "type": "string" } ], "results": [ { "description": "Tekton task test output.", "name": "TEST_OUTPUT", "type": "string" } ], "steps": [ { "computeResources": { "limits": { "memory": "6Gi" }, "requests": { "cpu": "1", "memory": "6Gi" } }, "env": [ { "name": "SNYK_SECRET", "value": "snyk-secret" }, { "name": "ARGS" }, { "name": "IGNORE_FILE_PATHS" }, { "name": "IMP_FINDINGS_ONLY", "value": "true" }, { "name": "KFP_GIT_URL", "value": "SITE_DEFAULT" }, { "name": "PROJECT_NAME" }, { "name": "RECORD_EXCLUDED", "value": "false" }, { "name": "COMPONENT_LABEL", "valueFrom": { "fieldRef": { "fieldPath": "metadata.labels['appstudio.openshift.io/component']" } } }, { "name": "BUILD_PLR_LOG_URL", "valueFrom": { "fieldRef": { "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']" } } }, { "name": "TARGET_DIRS", "value": "." } ], "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9", "name": "sast-snyk-check", "script": "#!/usr/bin/env bash\n\nset -euo pipefail\n# shellcheck source=/dev/null\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\n# Installation of Red Hat certificates for cloning Red Hat internal repositories\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n update-ca-trust\nfi\n\nSNYK_TOKEN_PATH=\"/etc/secrets/snyk_token\"\nif [ -f \"${SNYK_TOKEN_PATH}\" ] \u0026\u0026 [ -s \"${SNYK_TOKEN_PATH}\" ]; then\n # SNYK token is provided\n SNYK_TOKEN=\"$(cat ${SNYK_TOKEN_PATH})\"\n export SNYK_TOKEN\nelse\n # According to shellcheck documentation, the following error can be ignored as it is ignored through indirection: https://www.shellcheck.net/wiki/SC2034\n # shellcheck disable=SC2034\n to_enable_snyk='[here](https://konflux-ci.dev/docs/testing/build/snyk/)'\n note=\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given ${to_enable_snyk}\"\n TEST_OUTPUT=$(make_result_json -r SKIPPED -t \"$note\")\n echo \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 0\nfi\n\nSNYK_EXIT_CODE=0\nSOURCE_CODE_DIR=/workspace/workspace\n\n# We ignore files using snyk ignore if the user set up the IGNORE_FILE_PATHS variable.\n(cd \"${SOURCE_CODE_DIR}\" \u0026\u0026 IFS=\",\" \u0026\u0026 for path in $IGNORE_FILE_PATHS; do\n snyk ignore --file-path=\"source/${path}\"\ndone)\n\nset +e\necho \"INFO: Running 'snyk code test'..\"\n# We do want to expand ARGS (it can be multiple CLI flags, not just one)\n# shellcheck disable=SC2086\n\n# Generate full paths for each directory in TARGET_DIRS\nIFS=\",\" read -ra TARGETS_ARRAY \u003c\u003c\u003c \"$TARGET_DIRS\"\nfor d in \"${TARGETS_ARRAY[@]}\"; do\n potential_path=\"${SOURCE_CODE_DIR}/${d}\"\n resolved_path=$(realpath -m \"$potential_path\")\n\n # Ensure resolved path is still within SOURCE_CODE_DIR\n if [[ ! \"$resolved_path\" == \"$SOURCE_CODE_DIR\"* ]]; then\n echo \"Error: path traversal attempt, '$potential_path' is outside '$SOURCE_CODE_DIR'\"\n exit 1\n fi\n\n # Ensure directory exists\n if [ ! -d \"$resolved_path\" ]; then\n echo \"Warning: Directory $resolved_path does not exist, skipping\"\n continue\n fi\n\n echo \"INFO: Scanning directory: $resolved_path\"\n # We do want to expand ARGS (it can be multiple CLI flags, not just one)\n # shellcheck disable=SC2086\n snyk code test $ARGS \"$resolved_path\" --max-depth=1 --sarif-file-output=\"${resolved_path}/sast_snyk_check_out_${d//\\//_}.json\" 1\u003e\u00262\u003e\u003e stdout.txt\n cmd_exit_code=$?\n # Track the exit code: if any snyk command fails, preserve the failure\n # Exit codes: 0 = success, 1 = vulnerabilities found, 2 = error, 3 = no supported files\n # Error codes (2+) always override, warning codes (1,3) only if no previous error\n if [[ \"$cmd_exit_code\" -ne 0 ]] \u0026\u0026 [[ \"$cmd_exit_code\" -ne 1 ]] \u0026\u0026 [[ \"$cmd_exit_code\" -ne 3 ]]; then\n SNYK_EXIT_CODE=$cmd_exit_code\n fi\n\ndone\n\n# Merge all SARIF outputs\nfind \"$SOURCE_CODE_DIR\" -name \"sast_snyk_check_out_*.json\" -exec cat {} + \u003e \"${SOURCE_CODE_DIR}/sast_snyk_check_out.json\"\nset -e\ntest_not_skipped=0\nSKIP_MSG=\"We found 0 supported files\"\ngrep -q \"$SKIP_MSG\" stdout.txt || test_not_skipped=$?\n\nif [[ \"$SNYK_EXIT_CODE\" -eq 0 ]] || [[ \"$SNYK_EXIT_CODE\" -eq 1 ]]; then\n # Check if the merged SARIF file has content - this could happen if the snyk scan found no findings\n if [ ! -s \"${SOURCE_CODE_DIR}/sast_snyk_check_out.json\" ]; then\n echo \"WARN: No JSON output files were generated by snyk scan\"\n # Get snyk version for proper SARIF metadata\n SNYK_VERSION=$(snyk --version 2\u003e/dev/null | head -1 | tr -d '\\n' || echo \"unknown\")\n # Create a valid minimal SARIF structure using jq\n # Note: coverage array is required even when empty because downstream jq commands expect it\n jq -n --arg version \"$SNYK_VERSION\" '{\n \"$schema\": \"https://json.schemastore.org/sarif-2.1.0.json\",\n \"version\": \"2.1.0\",\n \"runs\": [{\n \"tool\": {\n \"driver\": {\n \"name\": \"snyk\",\n \"version\": $version,\n \"informationUri\": \"https://snyk.io\"\n }\n },\n \"results\": [],\n \"properties\": {\n \"coverage\": []\n }\n }]\n }' \u003e\"${SOURCE_CODE_DIR}/sast_snyk_check_out.json\"\n fi\n\n # In order to generate csdiff/v1, we need to add the whole path of the source code as Snyk only provides an URI to embed the context\n (cd \"${SOURCE_CODE_DIR}\" \u0026\u0026 csgrep --mode=json --embed-context=3 \"${SOURCE_CODE_DIR}\"/sast_snyk_check_out.json) \\\n | csgrep --mode=json --strip-path-prefix=\"source/\" \\\n \u003e sast_snyk_check_out_all_findings.json\n\n echo \"INFO: Initial results:\"\n csgrep --mode=evtstat sast_snyk_check_out_all_findings.json\n\n if [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\n fi\n PROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n # create the KFP clone directory regardless\n KFP_DIR=\"known-false-positives\"\n KFP_CLONED=\"0\"\n mkdir \"${KFP_DIR}\"\n\n # We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\n if [[ -n \"${KFP_GIT_URL}\" ]]; then\n # Default location only reachable from internal Konflux instances, check reachable first\n echo -n \"INFO: Probing ${PROBE_URL}... \"\n if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n echo \"INFO: Trying to clone known-false-positives..\"\n git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n fi\n fi\n\n if [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n echo \"WARN: Failed to clone know-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\n mv sast_snyk_check_out_all_findings.json filtered_sast_snyk_check_out.json\n else\n echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n CMD=(\n csfilter-kfp\n --verbose\n --kfp-dir=\"${KFP_DIR}\"\n --project-nvr=\"${PROJECT_NAME}\"\n )\n\n if [ \"${RECORD_EXCLUDED}\" == \"true\" ]; then\n CMD+=(--record-excluded=\"excluded-findings.json\")\n fi\n\n set +e\n \"${CMD[@]}\" sast_snyk_check_out_all_findings.json \u003e filtered_sast_snyk_check_out.json\n status=$?\n set -e\n if [ \"$status\" -ne 0 ]; then\n echo \"WARN: failed to filter known false positives\" \u003e\u00262\n else\n echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n fi\n echo \"INFO: Results after filtering:\"\n (set -x \u0026\u0026 csgrep --mode=evtstat filtered_sast_snyk_check_out.json)\n fi\n\n # Generation of scan stats\n\n total_files=$(jq '[.runs[0].properties.coverage[].files] | add' \"${SOURCE_CODE_DIR}\"/sast_snyk_check_out.json)\n supported_files=$(jq '[.runs[0].properties.coverage[] | select(.type == \"SUPPORTED\") | .files] | add' \"${SOURCE_CODE_DIR}\"/sast_snyk_check_out.json)\n\n # We make sure the values are 0 if no supported/total files are found\n if [ \"$total_files\" = \"null\" ] || [ -z \"$total_files\" ]; then\n total_files=0\n fi\n\n if [ \"$supported_files\" = \"null\" ] || [ -z \"$supported_files\" ]; then\n supported_files=0\n fi\n\n coverage_ratio=0\n if (( total_files \u003e 0 )); then\n coverage_ratio=$((supported_files * 100 / total_files))\n fi\n\n # embed stats in results file and convert to SARIF\n csgrep --mode=sarif --set-scan-prop snyk-scanned-files-coverage:\"${coverage_ratio}\" \\\n --set-scan-prop snyk-scanned-files-success:\"${supported_files}\" \\\n --set-scan-prop snyk-scanned-files-total:\"${total_files}\" \\\n filtered_sast_snyk_check_out.json \u003e sast_snyk_check_out.sarif\n\n # Create filtered SARIF for Tekton task result based on IMP_FINDINGS_ONLY parameter\n if [ \"${IMP_FINDINGS_ONLY}\" == \"true\" ]; then\n # Filter to only \"error\" level or higher (high/critical severity) for Tekton task result\n # In SARIF, defects are given a level like \"error\" or \"warning\". Snyk maps \"high\" level findings to \"error\".\n # - \"error\" → importance level 1\n # - \"warning\" (or missing level) → importance level 0\n RESULT_SARIF=\"result_sast_snyk_check_out.sarif\"\n csgrep --mode=sarif --imp-level 1 sast_snyk_check_out.sarif \u003e \"$RESULT_SARIF\"\n else\n # Use all findings for Tekton task result\n RESULT_SARIF=\"sast_snyk_check_out.sarif\"\n fi\n\n TEST_OUTPUT=\n parse_test_output \"sast-snyk-check\" sarif \"$RESULT_SARIF\" || true\n\n# When the test is skipped, the \"SNYK_EXIT_CODE\" is 3 and it can also be 3 in some other situation\nelif [[ \"$test_not_skipped\" -eq 0 ]]; then\n note=\"Task sast-snyk-check success: Snyk code test found zero supported files.\"\n ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelse\n echo \"sast-snyk-check test failed because of the following issues:\"\n cat stdout.txt\n note=\"Task sast-snyk-check failed: For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee \"/tekton/results/TEST_OUTPUT\"\n", "volumeMounts": [ { "mountPath": "/etc/secrets", "name": "snyk-secret", "readOnly": true }, { "mountPath": "/mnt/trusted-ca", "name": "trusted-ca", "readOnly": true } ], "workingDir": "/workspace/workspace/hacbs/sast-snyk-check" }, { "computeResources": { "limits": { "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-qwjf/gl-test-custom-branch-sxempf:b53dfac8d719d750138ba9ade475be2685ee45a5" }, { "name": "IMAGE_DIGEST", "value": "sha256:4ea8cbe430b0e22319db4675b1c3825d95194c2f9e6a4af82ac2bacf86bdc410" } ], "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e", "name": "upload", "script": "#!/usr/bin/env bash\n\nif [ -z \"${IMAGE_URL}\" ]; then\n echo 'No image-url provided. Skipping upload.'\n exit 0\nfi\n\nUPLOAD_FILES=\"sast_snyk_check_out.sarif excluded-findings.json\"\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n if [ ! -f \"${UPLOAD_FILE}\" ]; then\n echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n continue\n fi\n if [ \"${UPLOAD_FILES}\" == \"excluded-findings.json\" ]; then\n MEDIA_TYPE=application/json\n else\n MEDIA_TYPE=application/sarif+json\n fi\n echo \"Selecting auth\"\n select-oci-auth \"${IMAGE_URL}\" \u003e \"${HOME}/auth.json\"\n echo \"Attaching to ${IMAGE_URL}\"\n if ! retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"\n then\n echo \"Failed to attach to ${IMAGE_URL}\"\n fi\ndone\n", "volumeMounts": [ { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ], "workingDir": "/workspace/workspace/hacbs/sast-snyk-check" } ], "volumes": [ { "name": "snyk-secret", "secret": { "optional": true, "secretName": "snyk-secret" } }, { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" } ], "workspaces": [ { "name": "workspace" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://gitlab.com/konflux-qe/devfile-sample-hello-world-wsxzsz/-/tree/b53dfac8d719d750138ba9ade475be2685ee45a5", "build.appstudio.redhat.com/commit_sha": "b53dfac8d719d750138ba9ade475be2685ee45a5", "build.appstudio.redhat.com/target_branch": "base-qbmwpi", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-337617f8e6", "pipeline.tekton.dev/release": "9db88e0", "pipelinesascode.tekton.dev/branch": "base-qbmwpi", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-kwtevk", "pipelinesascode.tekton.dev/git-provider": "gitlab", "pipelinesascode.tekton.dev/log-url": "https://52.11.17.101:9443/ns/build-e2e-qwjf/pipelinerun/gl-test-custom-branch-sxempf-on-push-4prvw", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"base-qbmwpi\"", "pipelinesascode.tekton.dev/original-prname": "gl-test-custom-branch-sxempf-on-push", "pipelinesascode.tekton.dev/repo-url": "https://gitlab.com/konflux-qe/devfile-sample-hello-world-wsxzsz", "pipelinesascode.tekton.dev/repository": "gl-test-custom-branch-sxempf", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "konflux-ci-qe-bot", "pipelinesascode.tekton.dev/sha": "b53dfac8d719d750138ba9ade475be2685ee45a5", "pipelinesascode.tekton.dev/sha-title": "Merge branch 'konflux-gl-test-custom-branch-sxempf' into 'base-qbmwpi'", "pipelinesascode.tekton.dev/sha-url": "https://gitlab.com/konflux-qe/devfile-sample-hello-world-wsxzsz/-/commit/b53dfac8d719d750138ba9ade475be2685ee45a5", "pipelinesascode.tekton.dev/source-branch": "refs/heads/base-qbmwpi", "pipelinesascode.tekton.dev/source-project-id": "80245652", "pipelinesascode.tekton.dev/source-repo-url": "https://gitlab.com/konflux-qe/devfile-sample-hello-world-wsxzsz", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/target-project-id": "80245652", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-hello-world-wsxzsz", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-qwjf/results/22c6f68a-72b3-49cb-8eeb-d3a074cd1459/records/6c08e3ef-5759-47bc-a20b-b91cc052c2ec", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"devfile-sample-hello-world-wsxzsz\",\"commit\":\"b53dfac8d719d750138ba9ade475be2685ee45a5\",\"eventType\":\"push\"}", "results.tekton.dev/result": "build-e2e-qwjf/results/22c6f68a-72b3-49cb-8eeb-d3a074cd1459", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "konflux" }, "creationTimestamp": "2026-03-13T17:13:58Z", "deletionGracePeriodSeconds": 0, "deletionTimestamp": "2026-03-13T17:14:59Z", "finalizers": [ "results.tekton.dev/taskrun" ], "generation": 2, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.42.0", "appstudio.openshift.io/application": "build-suite-test-application-kiif", "appstudio.openshift.io/component": "gl-test-custom-branch-sxempf", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/original-prname": "gl-test-custom-branch-sxempf-on-push", "pipelinesascode.tekton.dev/repository": "gl-test-custom-branch-sxempf", "pipelinesascode.tekton.dev/sha": "b53dfac8d719d750138ba9ade475be2685ee45a5", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-hello-world-wsxzsz", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "gl-test-custom-branch-sxempf-on-push-4prvw", "tekton.dev/pipelineRun": "gl-test-custom-branch-sxempf-on-push-4prvw", "tekton.dev/pipelineRunUID": "22c6f68a-72b3-49cb-8eeb-d3a074cd1459", "tekton.dev/pipelineTask": "sast-unicode-check", "tekton.dev/task": "sast-unicode-check" }, "name": "gl-test-custom-branch-sxempf-on-push-4prvw-sast-unicode-check", "namespace": "build-e2e-qwjf", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "gl-test-custom-branch-sxempf-on-push-4prvw", "uid": "22c6f68a-72b3-49cb-8eeb-d3a074cd1459" } ], "resourceVersion": "60225", "uid": "6c08e3ef-5759-47bc-a20b-b91cc052c2ec" }, "spec": { "params": [ { "name": "image-digest", "value": "sha256:4ea8cbe430b0e22319db4675b1c3825d95194c2f9e6a4af82ac2bacf86bdc410" }, { "name": "image-url", "value": "quay.io/redhat-appstudio-qe/build-e2e-qwjf/gl-test-custom-branch-sxempf:b53dfac8d719d750138ba9ade475be2685ee45a5" } ], "serviceAccountName": "build-pipeline-gl-test-custom-branch-sxempf", "taskRef": { "params": [ { "name": "name", "value": "sast-unicode-check" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check:0.4@sha256:d65abc145444d056dfc373cd42843c3653e35435ef9d2f1e3d3fbabf0fbef477" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "1h0m0s", "workspaces": [ { "name": "workspace", "persistentVolumeClaim": { "claimName": "pvc-fb61430fd4" } } ] }, "status": { "artifacts": {}, "completionTime": "2026-03-13T17:14:27Z", "conditions": [ { "lastTransitionTime": "2026-03-13T17:14:27Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "gl-test-custom-branch-sxempe9c18b6c55abd9be5285ae834598e140-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "beta", "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "d65abc145444d056dfc373cd42843c3653e35435ef9d2f1e3d3fbabf0fbef477" }, "entryPoint": "sast-unicode-check", "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check" } }, "results": [ { "name": "TEST_OUTPUT", "type": "string", "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-03-13T17:14:24+00:00\",\"note\":\"Task sast-unicode-check success: No finding was detected\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n" } ], "startTime": "2026-03-13T17:14:01Z", "steps": [ { "container": "step-sast-unicode-check", "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9", "name": "sast-unicode-check", "provenance": {}, "terminated": { "containerID": "containerd://3a6830494e3b33b8f96783c1406d5b21dc0f23049ef67a205eb365bb4677501f", "exitCode": 0, "finishedAt": "2026-03-13T17:14:24Z", "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-03-13T17:14:24+00:00\\\",\\\"note\\\":\\\"Task sast-unicode-check success: No finding was detected\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-03-13T17:14:23Z" }, "terminationReason": "Completed" }, { "container": "step-upload", "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e", "name": "upload", "provenance": {}, "terminated": { "containerID": "containerd://63cf7d9d48d37579fe30b5e039ca15bcbc915c1b105de668a093ddfe3843fd86", "exitCode": 0, "finishedAt": "2026-03-13T17:14:27Z", "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-03-13T17:14:24+00:00\\\",\\\"note\\\":\\\"Task sast-unicode-check success: No finding was detected\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-03-13T17:14:25Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "Scans source code for non-printable unicode characters in all text files.", "params": [ { "description": "Image digest used for ORAS upload.", "name": "image-digest", "type": "string" }, { "description": "Image URL used for ORAS upload.", "name": "image-url", "type": "string" }, { "default": "-p bidi -v -d -t", "description": "arguments for find-unicode-control command.", "name": "FIND_UNICODE_CONTROL_ARGS", "type": "string" }, { "default": "SITE_DEFAULT", "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.", "name": "KFP_GIT_URL", "type": "string" }, { "default": "", "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.", "name": "PROJECT_NAME", "type": "string" }, { "default": "false", "description": "Whether to record the excluded findings (defaults to false).\nIf `true`, the excluded findings will be stored in `excluded-findings.json`.\n", "name": "RECORD_EXCLUDED", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "caTrustConfigMapName", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "caTrustConfigMapKey", "type": "string" } ], "results": [ { "description": "Tekton task test output.", "name": "TEST_OUTPUT", "type": "string" } ], "steps": [ { "computeResources": { "limits": { "memory": "4Gi" }, "requests": { "cpu": "100m", "memory": "4Gi" } }, "env": [ { "name": "KFP_GIT_URL", "value": "SITE_DEFAULT" }, { "name": "PROJECT_NAME" }, { "name": "FIND_UNICODE_CONTROL_ARGS", "value": "-p bidi -v -d -t" }, { "name": "RECORD_EXCLUDED", "value": "false" }, { "name": "SOURCE_CODE_DIR", "value": "/workspace/workspace" }, { "name": "COMPONENT_LABEL", "valueFrom": { "fieldRef": { "fieldPath": "metadata.labels['appstudio.openshift.io/component']" } } }, { "name": "BUILD_PLR_LOG_URL", "valueFrom": { "fieldRef": { "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']" } } } ], "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9", "name": "sast-unicode-check", "script": "#!/usr/bin/env bash\nset -exuo pipefail\n\n# shellcheck source=/dev/null\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n update-ca-trust\nfi\n\nSCAN_PROP=\"https://github.com/siddhesh/find-unicode-control.git#c2accbfbba7553a8bc1ebd97089ae08ad8347e58\"\nFUC_EXIT_CODE=0\n\n# shellcheck disable=SC2086\nLANG=en_US.utf8 find_unicode_control.py ${FIND_UNICODE_CONTROL_ARGS} \"${SOURCE_CODE_DIR}/source\" \\\n \u003eraw_sast_unicode_check_out.txt \\\n 2\u003eraw_sast_unicode_check_out.log \\\n || FUC_EXIT_CODE=$?\nif [[ \"${FUC_EXIT_CODE}\" -ne 0 ]] \u0026\u0026 [[ \"${FUC_EXIT_CODE}\" -ne 1 ]]; then\n echo \"Failed to run find-unicode-control command\" \u003e\u00262\n cat raw_sast_unicode_check_out.log\n note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 1\nfi\n\n# Translate the output format\nif ! sed -i raw_sast_unicode_check_out.txt -E -e 's|(.*:[0-9]+)(.*)|\\1: warning:\\2|' -e 's|^|Error: UNICONTROL_WARNING:\\n|'; then\n echo \"Error: failed to translate the unicontrol output format\" \u003e\u00262\n note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 1\nfi\n\n# Process all results as configured with CSGERP_OPTS\nCSGERP_OPTS=(\n --mode=json\n --remove-duplicates\n --embed-context=3\n --set-scan-prop=\"${SCAN_PROP}\"\n --strip-path-prefix=\"${SOURCE_CODE_DIR}\"/source/\n)\n# In order to generate csdiff/v1, we need to add the whole path of the source code as\n# sast-unicode-check only provides an URI to embed the context\nif ! csgrep \"${CSGERP_OPTS[@]}\" raw_sast_unicode_check_out.txt \u003e processed_sast_unicode_check_out.json 2\u003e processed_sast_unicode_check_out.err; then\n echo \"Error occurred while running csgrep with CSGERP_OPTS:\"\n cat processed_sast_unicode_check_out.err\n note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 1\nfi\n\ncsgrep --mode=evtstat processed_sast_unicode_check_out.json\n\nif [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\nfi\nPROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n# create the KFP clone directory regardless\nKFP_DIR=\"known-false-positives\"\nKFP_CLONED=\"0\"\nmkdir \"${KFP_DIR}\"\n\n# We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\nif [[ -n \"${KFP_GIT_URL}\" ]]; then\n # Default location only reachable from internal Konflux instances, check reachable first\n echo -n \"INFO: Probing ${PROBE_URL}... \"\n if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n echo \"INFO: Trying to clone known-false-positives..\"\n git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n fi\nfi\n\n# If KFP clone failed, use the unfiltered results\nif [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n echo \"WARN: Failed to clone known-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\n mv processed_sast_unicode_check_out.json sast_unicode_check_out.json\nelse\n echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n # Build initial csfilter-kfp command\n csfilter_kfp_cmd=(\n csfilter-kfp\n --verbose\n --kfp-dir=\"${KFP_DIR}\"\n --project-nvr=\"${PROJECT_NAME}\"\n )\n\n # Append --record-excluded option if RECORD_EXCLUDED is true\n if [[ \"${RECORD_EXCLUDED}\" == \"true\" ]]; then\n csfilter_kfp_cmd+=(--record-excluded=\"excluded-findings.json\")\n fi\n\n # Execute the command and capture any errors\n set +e\n \"${csfilter_kfp_cmd[@]}\" processed_sast_unicode_check_out.json \u003e sast_unicode_check_out.json 2\u003e sast_unicode_check_out.error\n status=$?\n set -e\n if [ \"$status\" -ne 0 ]; then\n echo \"WARN: failed to filter known false positives\" \u003e\u00262\n mv processed_sast_unicode_check_out.json sast_unicode_check_out.json\n else\n echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n fi\nfi\n\n# Generate sarif report\ncsgrep --mode=sarif sast_unicode_check_out.json \u003e sast_unicode_check_out.sarif\nif [[ \"${FUC_EXIT_CODE}\" -eq 0 ]]; then\n note=\"Task sast-unicode-check success: No finding was detected\"\n ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelif [[ \"${FUC_EXIT_CODE}\" -eq 1 ]] \u0026\u0026 [[ ! -s sast_unicode_check_out.sarif ]]; then\n note=\"Task sast-unicode-check success: Some findings were detected, but filtered by known false positive\"\n ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelse\n echo \"sast-unicode-check test failed because of the following issues:\"\n cat sast_unicode_check_out.json\n TEST_OUTPUT=\n parse_test_output \"sast-unicode-check\" sarif sast_unicode_check_out.sarif || true\n note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee \"/tekton/results/TEST_OUTPUT\"\n", "volumeMounts": [ { "mountPath": "/mnt/trusted-ca", "name": "trusted-ca", "readOnly": true } ], "workingDir": "/workspace/workspace/hacbs/sast-unicode-check" }, { "computeResources": { "limits": { "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-qwjf/gl-test-custom-branch-sxempf:b53dfac8d719d750138ba9ade475be2685ee45a5" }, { "name": "IMAGE_DIGEST", "value": "sha256:4ea8cbe430b0e22319db4675b1c3825d95194c2f9e6a4af82ac2bacf86bdc410" } ], "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e", "name": "upload", "script": "#!/usr/bin/env bash\n\nif [ -z \"${IMAGE_URL}\" ]; then\n echo 'No image-url param provided. Skipping upload.'\n exit 0;\nfi\n\nUPLOAD_FILES=\"sast_unicode_check_out.sarif excluded-findings.json\"\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n if [ ! -f \"${UPLOAD_FILE}\" ]; then\n echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n continue\n fi\n\n if [ \"${UPLOAD_FILE}\" == \"excluded-findings.json\" ]; then\n MEDIA_TYPE=application/json\n else\n MEDIA_TYPE=application/sarif+json\n fi\n\n echo \"Selecting auth\"\n select-oci-auth \"${IMAGE_URL}\" \u003e \"${HOME}/auth.json\"\n echo \"Attaching to ${IMAGE_URL}\"\n retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"\ndone\n", "volumeMounts": [ { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ], "workingDir": "/workspace/workspace/hacbs/sast-unicode-check" } ], "volumes": [ { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" } ], "workspaces": [ { "name": "workspace" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://gitlab.com/konflux-qe/devfile-sample-hello-world-wsxzsz/-/tree/b53dfac8d719d750138ba9ade475be2685ee45a5", "build.appstudio.redhat.com/commit_sha": "b53dfac8d719d750138ba9ade475be2685ee45a5", "build.appstudio.redhat.com/target_branch": "base-qbmwpi", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "9db88e0", "pipelinesascode.tekton.dev/branch": "base-qbmwpi", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-kwtevk", "pipelinesascode.tekton.dev/git-provider": "gitlab", "pipelinesascode.tekton.dev/log-url": "https://52.11.17.101:9443/ns/build-e2e-qwjf/pipelinerun/gl-test-custom-branch-sxempf-on-push-4prvw", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"base-qbmwpi\"", "pipelinesascode.tekton.dev/original-prname": "gl-test-custom-branch-sxempf-on-push", "pipelinesascode.tekton.dev/repo-url": "https://gitlab.com/konflux-qe/devfile-sample-hello-world-wsxzsz", "pipelinesascode.tekton.dev/repository": "gl-test-custom-branch-sxempf", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "konflux-ci-qe-bot", "pipelinesascode.tekton.dev/sha": "b53dfac8d719d750138ba9ade475be2685ee45a5", "pipelinesascode.tekton.dev/sha-title": "Merge branch 'konflux-gl-test-custom-branch-sxempf' into 'base-qbmwpi'", "pipelinesascode.tekton.dev/sha-url": "https://gitlab.com/konflux-qe/devfile-sample-hello-world-wsxzsz/-/commit/b53dfac8d719d750138ba9ade475be2685ee45a5", "pipelinesascode.tekton.dev/source-branch": "refs/heads/base-qbmwpi", "pipelinesascode.tekton.dev/source-project-id": "80245652", "pipelinesascode.tekton.dev/source-repo-url": "https://gitlab.com/konflux-qe/devfile-sample-hello-world-wsxzsz", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/target-project-id": "80245652", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-hello-world-wsxzsz", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-qwjf/results/22c6f68a-72b3-49cb-8eeb-d3a074cd1459/records/283d216f-8b85-406b-b3c2-8a1e167fd877", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"devfile-sample-hello-world-wsxzsz\",\"commit\":\"b53dfac8d719d750138ba9ade475be2685ee45a5\",\"eventType\":\"push\"}", "results.tekton.dev/result": "build-e2e-qwjf/results/22c6f68a-72b3-49cb-8eeb-d3a074cd1459", "results.tekton.dev/stored": "true" }, "creationTimestamp": "2026-03-13T17:13:58Z", "deletionGracePeriodSeconds": 0, "deletionTimestamp": "2026-03-13T17:15:00Z", "finalizers": [ "results.tekton.dev/taskrun" ], "generation": 2, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.42.0", "appstudio.openshift.io/application": "build-suite-test-application-kiif", "appstudio.openshift.io/component": "gl-test-custom-branch-sxempf", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/original-prname": "gl-test-custom-branch-sxempf-on-push", "pipelinesascode.tekton.dev/repository": "gl-test-custom-branch-sxempf", "pipelinesascode.tekton.dev/sha": "b53dfac8d719d750138ba9ade475be2685ee45a5", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-hello-world-wsxzsz", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "gl-test-custom-branch-sxempf-on-push-4prvw", "tekton.dev/pipelineRun": "gl-test-custom-branch-sxempf-on-push-4prvw", "tekton.dev/pipelineRunUID": "22c6f68a-72b3-49cb-8eeb-d3a074cd1459", "tekton.dev/pipelineTask": "ecosystem-cert-preflight-checks", "tekton.dev/task": "ecosystem-cert-preflight-checks" }, "name": "gl-test-custom-branch-sxempf-on6a3720c16d05bdc6d685670a361caab6", "namespace": "build-e2e-qwjf", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "gl-test-custom-branch-sxempf-on-push-4prvw", "uid": "22c6f68a-72b3-49cb-8eeb-d3a074cd1459" } ], "resourceVersion": "60311", "uid": "283d216f-8b85-406b-b3c2-8a1e167fd877" }, "spec": { "params": [ { "name": "image-url", "value": "quay.io/redhat-appstudio-qe/build-e2e-qwjf/gl-test-custom-branch-sxempf:b53dfac8d719d750138ba9ade475be2685ee45a5" } ], "serviceAccountName": "build-pipeline-gl-test-custom-branch-sxempf", "taskRef": { "params": [ { "name": "name", "value": "ecosystem-cert-preflight-checks" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:945f8ba72381402ce6b00efa24a6eeb19a27ba68b445474c28ebfbfb21bb365f" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "1h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-03-13T17:14:33Z", "conditions": [ { "lastTransitionTime": "2026-03-13T17:14:33Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "gl-test-custom-branch-sxemp1033da3ce2d6517932a240fa2e0522ee-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "beta", "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "945f8ba72381402ce6b00efa24a6eeb19a27ba68b445474c28ebfbfb21bb365f" }, "entryPoint": "ecosystem-cert-preflight-checks", "uri": "quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks" } }, "results": [ { "name": "ARTIFACT_TYPE", "type": "string", "value": "application" }, { "name": "ARTIFACT_TYPE_SET_BY", "type": "string", "value": "introspection" }, { "name": "IMAGES_PROCESSED", "type": "string", "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/build-e2e-qwjf/gl-test-custom-branch-sxempf:b53dfac8d719d750138ba9ade475be2685ee45a5\", \"digests\": [\"sha256:4ea8cbe430b0e22319db4675b1c3825d95194c2f9e6a4af82ac2bacf86bdc410\"]}}" }, { "name": "TEST_OUTPUT", "type": "string", "value": "{\"result\":\"ERROR\",\"timestamp\":\"1773422071\",\"note\":\"Task preflight is a ERROR: Refer to Tekton task logs for more information\",\"successes\":4,\"failures\":3,\"warnings\":0}" } ], "startTime": "2026-03-13T17:13:58Z", "steps": [ { "container": "step-introspect", "imageID": "quay.io/konflux-ci/appstudio-utils@sha256:90ac97b811073cb99a23232c15a08082b586c702b85da6200cf54ef505e3c50c", "name": "introspect", "provenance": {}, "results": [ { "name": "artifact-type", "type": "string", "value": "application" }, { "name": "artifact-type-set-by", "type": "string", "value": "introspection" } ], "terminated": { "containerID": "containerd://1b8521b9d5ab9422e6899df149a789d0a6b97119d5ad153b57c20a8b55f63558", "exitCode": 0, "finishedAt": "2026-03-13T17:14:23Z", "message": "[{\"key\":\"artifact-type\",\"value\":\"application\",\"type\":4},{\"key\":\"artifact-type-set-by\",\"value\":\"introspection\",\"type\":4}]", "reason": "Completed", "startedAt": "2026-03-13T17:14:21Z" }, "terminationReason": "Completed" }, { "container": "step-generate-container-auth", "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e", "name": "generate-container-auth", "provenance": {}, "results": [ { "name": "auth-json-path", "type": "string", "value": "/auth/auth.json" } ], "terminated": { "containerID": "containerd://d8ba3d3656dd686b4dcf92cae4f2942462f4d05008f4e67ad787f59063f6131c", "exitCode": 0, "finishedAt": "2026-03-13T17:14:23Z", "message": "[{\"key\":\"auth-json-path\",\"value\":\"/auth/auth.json\",\"type\":4}]", "reason": "Completed", "startedAt": "2026-03-13T17:14:23Z" }, "terminationReason": "Completed" }, { "container": "step-set-skip-for-bundles", "imageID": "quay.io/redhat-appstudio/konflux-test@sha256:a7cae9e96663e277a3904d0c78630508ddb6cc8eebaa912a840bd20f68dcaad1", "name": "set-skip-for-bundles", "provenance": {}, "terminated": { "containerID": "containerd://6deb9f78795e9371a8a48434867a75effa2a397b96c0946fb7b4bf524a1b4f25", "exitCode": 0, "finishedAt": "2026-03-13T17:14:24Z", "reason": "Completed", "startedAt": "2026-03-13T17:14:23Z" }, "terminationReason": "Skipped" }, { "container": "step-app-check", "imageID": "quay.io/opdev/preflight@sha256:0834c74012598ac7b0b0104deb947d449accd518db745047c98d1ddfcfd8ceaf", "name": "app-check", "provenance": {}, "terminated": { "containerID": "containerd://cf5f4b324854c4e82e88dcbca703d02d1f0c63204e460a9dbe37481bef11e3f3", "exitCode": 0, "finishedAt": "2026-03-13T17:14:31Z", "reason": "Completed", "startedAt": "2026-03-13T17:14:24Z" }, "terminationReason": "Completed" }, { "container": "step-app-set-outcome", "imageID": "quay.io/konflux-ci/appstudio-utils@sha256:90ac97b811073cb99a23232c15a08082b586c702b85da6200cf54ef505e3c50c", "name": "app-set-outcome", "provenance": {}, "results": [ { "name": "images-processed", "type": "string", "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/build-e2e-qwjf/gl-test-custom-branch-sxempf:b53dfac8d719d750138ba9ade475be2685ee45a5\", \"digests\": [\"sha256:4ea8cbe430b0e22319db4675b1c3825d95194c2f9e6a4af82ac2bacf86bdc410\"]}}" }, { "name": "test-output", "type": "string", "value": "{\"result\":\"ERROR\",\"timestamp\":\"1773422071\",\"note\":\"Task preflight is a ERROR: Refer to Tekton task logs for more information\",\"successes\":4,\"failures\":3,\"warnings\":0}" } ], "terminated": { "containerID": "containerd://0ae4533f7c97f29157ea1fb0c594cdc454bbe7f91674f3ed914b5737ee1dbe94", "exitCode": 0, "finishedAt": "2026-03-13T17:14:32Z", "message": "[{\"key\":\"images-processed\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/build-e2e-qwjf/gl-test-custom-branch-sxempf:b53dfac8d719d750138ba9ade475be2685ee45a5\\\", \\\"digests\\\": [\\\"sha256:4ea8cbe430b0e22319db4675b1c3825d95194c2f9e6a4af82ac2bacf86bdc410\\\"]}}\",\"type\":4},{\"key\":\"test-output\",\"value\":\"{\\\"result\\\":\\\"ERROR\\\",\\\"timestamp\\\":\\\"1773422071\\\",\\\"note\\\":\\\"Task preflight is a ERROR: Refer to Tekton task logs for more information\\\",\\\"successes\\\":4,\\\"failures\\\":3,\\\"warnings\\\":0}\",\"type\":4}]", "reason": "Completed", "startedAt": "2026-03-13T17:14:31Z" }, "terminationReason": "Completed" }, { "container": "step-final-outcome", "imageID": "quay.io/konflux-ci/appstudio-utils@sha256:90ac97b811073cb99a23232c15a08082b586c702b85da6200cf54ef505e3c50c", "name": "final-outcome", "provenance": {}, "results": [ { "name": "test-output", "type": "string", "value": "{\"result\":\"ERROR\",\"timestamp\":\"1773422071\",\"note\":\"Task preflight is a ERROR: Refer to Tekton task logs for more information\",\"successes\":4,\"failures\":3,\"warnings\":0}" } ], "terminated": { "containerID": "containerd://3b74728b06bd88ba5a45eca0e0bf34cc31f6e95a41a2528aee3b4373841c5042", "exitCode": 0, "finishedAt": "2026-03-13T17:14:33Z", "message": "[{\"key\":\"test-output\",\"value\":\"{\\\"result\\\":\\\"ERROR\\\",\\\"timestamp\\\":\\\"1773422071\\\",\\\"note\\\":\\\"Task preflight is a ERROR: Refer to Tekton task logs for more information\\\",\\\"successes\\\":4,\\\"failures\\\":3,\\\"warnings\\\":0}\",\"type\":4}]", "reason": "Completed", "startedAt": "2026-03-13T17:14:33Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "Scans container images for certification readiness. Note that running this against an operatorbundle will result in a skip, as bundle validation is not executed through this task.", "params": [ { "description": "Image url to scan.", "name": "image-url", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "ca-trust-config-map-name", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "ca-trust-config-map-key", "type": "string" }, { "default": "introspect", "description": "The type of artifact. Select from application, operatorbundle, or introspect.", "name": "artifact-type", "type": "string" }, { "default": "", "description": "The platform the image is built on.", "name": "platform", "type": "string" } ], "results": [ { "description": "Ecosystem checks pass or fail outcome.", "name": "TEST_OUTPUT", "type": "string", "value": "$(steps.final-outcome.results.test-output)" }, { "description": "The artifact type, either introspected or set.", "name": "ARTIFACT_TYPE", "type": "string", "value": "$(steps.introspect.results.artifact-type)" }, { "description": "How the artifact type was set.", "name": "ARTIFACT_TYPE_SET_BY", "type": "string", "value": "$(steps.introspect.results.artifact-type-set-by)" }, { "description": "Collected image digests", "name": "IMAGES_PROCESSED", "type": "string", "value": "$(steps.app-set-outcome.results.images-processed)" } ], "steps": [ { "computeResources": { "limits": { "memory": "512Mi" }, "requests": { "cpu": "100m", "memory": "512Mi" } }, "env": [ { "name": "PARAM_ARTIFACT_TYPE", "value": "introspect" }, { "name": "PARAM_IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-qwjf/gl-test-custom-branch-sxempf:b53dfac8d719d750138ba9ade475be2685ee45a5" } ], "image": "quay.io/konflux-ci/appstudio-utils:1610c1fc4cfc9c9053dbefc1146904a4df6659ef@sha256:90ac97b811073cb99a23232c15a08082b586c702b85da6200cf54ef505e3c50c", "name": "introspect", "results": [ { "description": "The type of artifact this task is considering.", "name": "artifact-type" }, { "description": "The process that sets the artifact type. Informational.\nValues from: introspection, parameter.\n", "name": "artifact-type-set-by" } ], "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\n_SET_BY=parameter\n# If the parameter is invalid, we'll introspect\nif [[ \"${PARAM_ARTIFACT_TYPE}\" != \"application\" ]] \u0026\u0026 [[ \"${PARAM_ARTIFACT_TYPE}\" != \"operatorbundle\" ]]; then\n echo \"Artifact type will be determined by introspection.\"\n _SET_BY=introspection\nfi\nprintf \"%s\" \"${_SET_BY}\" \u003e \"/tekton/steps/step-introspect/results/artifact-type-set-by\"\n\nif [[ \"${_SET_BY}\" == \"parameter\" ]]; then\n # short circuit if the artifact type was set via parameter.\n echo \"Skipping introspection because the artifact-type parameter is explicitly set to \\\"${PARAM_ARTIFACT_TYPE}\\\".\"\n printf \"%s\" \"${PARAM_ARTIFACT_TYPE}\" \u003e \"/tekton/steps/step-introspect/results/artifact-type\"\n exit 0\nfi\n\n# If the image URL points to a manifest list (a multi-arch image), check the labels on any of the child\n# images (don't fail in the case where the list does not include an image for the arch of the system\n# where this pipeline is running).\n\ndeclare -a _SKOPEO_INSPECT_ARGS\n\nskopeo_retries=3\n\necho \"Checking the media type of the OCI artifact...\"\nif ! _RAW_IMAGE_MANIFEST=$(retry skopeo inspect --raw --retry-times \"$skopeo_retries\" \"docker://${PARAM_IMAGE_URL}\")\nthen\n echo \"Failed to inspect ${PARAM_IMAGE_URL}\"\n exit 1\nfi\n_IMAGE_MEDIA_TYPE=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r '.mediaType')\necho \"The media type of the OCI artifact is ${_IMAGE_MEDIA_TYPE}.\"\n\nif [[ \"${_IMAGE_MEDIA_TYPE}\" == \"application/vnd.docker.distribution.manifest.list.v2+json\" || \"${_IMAGE_MEDIA_TYPE}\" == \"application/vnd.oci.image.index.v1+json\" ]]; then\n _CURRENT_ARCH=$(uname -m)\n _CURRENT_OS=$(uname -s | tr '[:upper:]' '[:lower:]')\n\n # The archs returned by uname are not always the same as the archs used by OCI manifests, so we need\n # to map them.\n case ${_CURRENT_ARCH} in\n \"aarch64\")\n _CURRENT_ARCH=\"arm64\"\n ;;\n \"x86_64\")\n _CURRENT_ARCH=\"amd64\"\n ;;\n *)\n ;;\n esac\n\n # If the manifest list contains an image for the current OS and architecture, prefer to test that.\n _MATCHING_IMAGE_COUNT=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r \"[.manifests[] | select(.platform.os == \\\"${_CURRENT_OS}\\\" and .platform.architecture == \\\"${_CURRENT_ARCH}\\\")] | length\")\n if [[ \"${_MATCHING_IMAGE_COUNT}\" -gt 0 ]]; then\n echo \"Found an image in the manifests for the current OS and architecture (${_CURRENT_OS}/${_CURRENT_ARCH}).\"\n else\n # If there is no image for the current OS and architecture, just use the first one in the list.\n _INSPECT_OVERRIDE_IMAGE_OS=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r '.manifests[0].platform.os')\n _INSPECT_OVERRIDE_IMAGE_ARCH=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r '.manifests[0].platform.architecture')\n _SKOPEO_INSPECT_ARGS+=(\"--override-os=${_INSPECT_OVERRIDE_IMAGE_OS}\")\n _SKOPEO_INSPECT_ARGS+=(\"--override-arch=${_INSPECT_OVERRIDE_IMAGE_ARCH}\")\n\n echo \"Could not find an image in the manifests for the current OS and architecture (${_CURRENT_OS}/${_CURRENT_ARCH}), inspecting the image for ${_INSPECT_OVERRIDE_IMAGE_OS}/${_INSPECT_OVERRIDE_IMAGE_ARCH} instead.\"\n fi\nfi\n\n# Introspect based on minimum count of operator-framework related bundle labels.\necho \"Looking for image labels that indicate this might be an operator bundle...\"\n\n# We purposely do not quote the array elements here, so that they are expanded by the shell as separate args.\n# shellcheck disable=SC2068\nif ! retry skopeo inspect --retry-times \"$skopeo_retries\" ${_SKOPEO_INSPECT_ARGS[@]} \"docker://${PARAM_IMAGE_URL}\" \\\n | jq '.Labels | keys | .[]' -r \\\n | { grep operators.operatorframework.io.bundle || true ;} \\\n | tee /tmp/ecosystem-image-labels\nthen\n echo \"Failed to inspect ${PARAM_IMAGE_URL}\"\n exit 1\nfi\n\n_OPFW_LABEL_COUNT=$(grep -c operators.operatorframework.io.bundle /tmp/ecosystem-image-labels || true)\n_MIN_LABELS=3\n\necho \"Found ${_OPFW_LABEL_COUNT} matching labels.\"\necho \"Expecting ${_MIN_LABELS} or more to identify this image as an operator bundle.\"\n\n# If the image has several labels, assume it is an operator\n_ARTIFACT_TYPE=application\n(( _OPFW_LABEL_COUNT \u003e= _MIN_LABELS )) \u0026\u0026 _ARTIFACT_TYPE=operatorbundle\n\nprintf \"%s\" \"${_ARTIFACT_TYPE}\" \u003e \"/tekton/steps/step-introspect/results/artifact-type\"\necho \"Introspection concludes that this artifact is of type \\\"${_ARTIFACT_TYPE}\\\".\"\n" }, { "computeResources": {}, "env": [ { "name": "PARAM_IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-qwjf/gl-test-custom-branch-sxempf:b53dfac8d719d750138ba9ade475be2685ee45a5" } ], "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e", "name": "generate-container-auth", "results": [ { "description": "Path to auth.json", "name": "auth-json-path" } ], "script": "_AUTH_JSON_PATH=\"/auth/auth.json\"\necho \"Selecting auth for $PARAM_IMAGE_URL\"\n# `select-oci-auth` here assumes the input credentials are at path ~/.docker/config.json\nselect-oci-auth \"$PARAM_IMAGE_URL\" \u003e \"${_AUTH_JSON_PATH}\"\n\nprintf \"%s\" \"${_AUTH_JSON_PATH}\" \u003e \"/tekton/steps/step-generate-container-auth/results/auth-json-path\"\necho \"Auth json written to \\\"${_AUTH_JSON_PATH}\\\".\"\n", "volumeMounts": [ { "mountPath": "/auth", "name": "auth" } ] }, { "computeResources": { "limits": { "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "image": "quay.io/redhat-appstudio/konflux-test:v1.4.31@sha256:a7cae9e96663e277a3904d0c78630508ddb6cc8eebaa912a840bd20f68dcaad1", "name": "set-skip-for-bundles", "results": [ { "description": "A skipped tekton result for bundles.", "name": "test-output" } ], "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nNOTE=\"This ecosystem check is not executed for operatorbundles.\"\n\n# shellcheck source=/dev/null\n. /utils.sh # gives us the make_result_json helper used below.\n\n# Generate TEST_OUTPUT\n# We're skipping the test, but don't use status \"SKIPPED\" because\n# it produces unwanted Conforma violations\nTEST_OUTPUT=$(make_result_json -r \"SUCCESS\" -t \"${NOTE}\")\n\nprintf \"%s\" \"${TEST_OUTPUT}\" | tee \"/tekton/steps/step-set-skip-for-bundles/results/test-output\" /bundle/konflux.results.json\n", "volumeMounts": [ { "mountPath": "/bundle", "name": "pfltoutputdir" } ], "when": [ { "input": "$(steps.introspect.results.artifact-type)", "operator": "in", "values": [ "operatorbundle" ] } ] }, { "computeResources": { "limits": { "memory": "4Gi" }, "requests": { "cpu": "1", "memory": "4Gi" } }, "env": [ { "name": "PFLT_DOCKERCONFIG", "value": "$(steps.generate-container-auth.results.auth-json-path)" }, { "name": "PFLT_KONFLUX", "value": "true" }, { "name": "PARAM_IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-qwjf/gl-test-custom-branch-sxempf:b53dfac8d719d750138ba9ade475be2685ee45a5" }, { "name": "PARAM_PLATFORM" } ], "image": "quay.io/opdev/preflight:stable@sha256:0834c74012598ac7b0b0104deb947d449accd518db745047c98d1ddfcfd8ceaf", "name": "app-check", "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nimage_url=\"${PARAM_IMAGE_URL}\"\nplatform=\"${PARAM_PLATFORM}\"\n\nif [ -n \"$platform\" ]; then\n # Extract part after slash if present\n arch=\"${platform#*/}\"\n if [ \"$arch\" = \"x86_64\" ] || [ \"$arch\" = \"local\" ] || [ \"$arch\" = \"localhost\" ]; then\n arch=\"amd64\"\n fi\n\n # Validate against supported arch list. If it's not a known arch, return an error result\n case \"$arch\" in\n amd64|ppc64le|arm64|s390x)\n ;;\n *)\n echo \"Error: Unsupported or malformed architecture: '$arch' (parsed from platform: '$platform')\"\n exit 0\n ;;\n esac\n\n /usr/local/bin/preflight check container \"$image_url\" --platform \"$arch\"\nelse\n /usr/local/bin/preflight check container \"$image_url\"\nfi\n", "volumeMounts": [ { "mountPath": "/artifacts", "name": "pfltoutputdir" }, { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" }, { "mountPath": "/auth", "name": "auth", "readOnly": true } ], "when": [ { "input": "$(steps.introspect.results.artifact-type)", "operator": "in", "values": [ "application" ] } ] }, { "computeResources": { "limits": { "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "PARAM_IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-qwjf/gl-test-custom-branch-sxempf:b53dfac8d719d750138ba9ade475be2685ee45a5" } ], "image": "quay.io/konflux-ci/appstudio-utils:1610c1fc4cfc9c9053dbefc1146904a4df6659ef@sha256:90ac97b811073cb99a23232c15a08082b586c702b85da6200cf54ef505e3c50c", "name": "app-set-outcome", "results": [ { "description": "The overall outcome of this task.", "name": "test-output" }, { "description": "Processed image digests.", "name": "images-processed" } ], "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\n# Declare Supported architectures\ndeclare -a SUPPORTED_ARCHES=(amd64 arm64 ppc64le s390x)\n\nskopeo_retries=3\n\n# Initialize result vars\nPFLT_PASS_COUNT=0\nPFLT_FAIL_COUNT=0\nPFLT_ERROR_COUNT=0\nPFLT_RESULT=\"SUCCESS\"\n\n# Loop over SUPPORTED_ARCHES and process results\nfor ARCH in \"${SUPPORTED_ARCHES[@]}\"\ndo\n # Check if results directory exits\n RESULT_JSON_PATH=artifacts/${ARCH}/results.json\n if ! [ -f \"${RESULT_JSON_PATH}\" ]; then\n continue\n fi\n # Process results\n if jq -e '.passed == false' \"${RESULT_JSON_PATH}\" \u003e /dev/null; then PFLT_RESULT=\"FAILURE\"; fi\n PFLT_PASS_COUNT=$((PFLT_PASS_COUNT+$(jq -r '.results.passed | length' \"${RESULT_JSON_PATH}\")))\n PFLT_FAIL_COUNT=$((PFLT_FAIL_COUNT+$(jq -r '.results.failed | length' \"${RESULT_JSON_PATH}\")))\n PFLT_ERROR_COUNT=$((PFLT_ERROR_COUNT+$(jq -r '.results.errors | length' \"${RESULT_JSON_PATH}\")))\ndone\n\n# Mark as ERROR if no results were recorded, which can occur when an unsupported or malformed\n# architecture is parsed from the `platform` parameter.\nif [[ $PFLT_FAIL_COUNT -eq 0 ]] \u0026\u0026 [[ $PFLT_PASS_COUNT -eq 0 ]] ; then PFLT_RESULT=\"ERROR\" ; fi\n\nif [[ $PFLT_ERROR_COUNT -gt 0 ]]; then PFLT_RESULT=\"ERROR\" ; fi\nPFLT_NOTE=\"Task preflight is a ${PFLT_RESULT}: Refer to Tekton task logs for more information\"\n\n# Generate TEST_OUTPUT\nTEST_OUTPUT=$(jq -rce \\\n--arg date \"$(date +%s)\" \\\n--arg note \"${PFLT_NOTE}\" \\\n--arg result \"${PFLT_RESULT}\" \\\n--arg successes \"${PFLT_PASS_COUNT}\" \\\n--arg failures \"${PFLT_FAIL_COUNT}\" \\\n--arg warnings \"0\" \\\n--null-input \\\n'{ result: $result,\n timestamp: $date,\n note: $note,\n successes: $successes|tonumber,\n failures: $failures|tonumber,\n warnings: $warnings|tonumber\n}')\necho -n \"${TEST_OUTPUT}\" | tee \"/tekton/steps/step-app-set-outcome/results/test-output\" /artifacts/konflux.results.json\n\n# Generate IMAGES_PROCESSED\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$PARAM_IMAGE_URL\"'\", \"digests\": [%s]}}'\ndeclare -a digests_processed=()\n\n# Extract processed image digests from \"/artifacts/$arch/cert-image.json\"\nwhile read -r cert_image_file; do\n docker_image_digest=$(jq -r '.docker_image_digest' \"$cert_image_file\")\n if [[ -n \"$docker_image_digest\" \u0026\u0026 ! \" ${digests_processed[*]} \" == *\" \\\"$docker_image_digest\\\" \"* ]]; then\n digests_processed+=(\"\\\"$docker_image_digest\\\"\")\n fi\ndone \u003c \u003c(find /artifacts -type f -name \"cert-image.json\")\n\nimage_digest=$(retry skopeo inspect --raw --retry-times \"$skopeo_retries\" \"docker://${PARAM_IMAGE_URL}\" | sha256sum | awk '{print \"sha256:\" $1}')\nif [[ -n \"$image_digest\" \u0026\u0026 ! \" ${digests_processed[*]} \" == *\" \\\"$image_digest\\\" \"* ]]; then\n digests_processed+=(\"\\\"$image_digest\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\nfinal_output=\"${images_processed_template/\\[%s]/[$digests_processed_string]}\"\necho -n \"${final_output}\" \u003e \"/tekton/steps/step-app-set-outcome/results/images-processed\"\n", "volumeMounts": [ { "mountPath": "/artifacts", "name": "pfltoutputdir" } ], "when": [ { "input": "$(steps.introspect.results.artifact-type)", "operator": "in", "values": [ "application" ] } ] }, { "computeResources": { "limits": { "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "image": "quay.io/konflux-ci/appstudio-utils:1610c1fc4cfc9c9053dbefc1146904a4df6659ef@sha256:90ac97b811073cb99a23232c15a08082b586c702b85da6200cf54ef505e3c50c", "name": "final-outcome", "results": [ { "name": "test-output" } ], "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\nset -o xtrace\n\nif [[ ! -f /mount/konflux.results.json ]]; then\n printf \"Unable to populate the right test log output because the artifact's type is not recorded correctly. Please file a bug.\" | tee \"/tekton/steps/step-final-outcome/results/test-output\"\n exit 91\nfi\n\ntee \"/tekton/steps/step-final-outcome/results/test-output\" \u003c /mount/konflux.results.json\n", "volumeMounts": [ { "mountPath": "/mount", "name": "pfltoutputdir" } ] } ], "volumes": [ { "emptyDir": {}, "name": "pfltoutputdir" }, { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" }, { "emptyDir": {}, "name": "auth" } ] } } } ], "kind": "List", "metadata": { "resourceVersion": "" } }