Merge branch 'main' into add_preflight_task

.tekton/tasks/ec-checks.yaml

@@ -24,7 +24,7 @@ spec:
       $(all_tasks_dir all_tasks-ec)
   - name: validate-all-tasks
     workingDir: "$(workspaces.source.path)/source"
-    image: quay.io/enterprise-contract/ec-cli:snapshot@sha256:48269e4d72f3e28210dc34f3f336b696ae2cb8ac4ae3cafb41d3ae33f497d74a
+    image: quay.io/enterprise-contract/ec-cli:snapshot@sha256:3bed976c747bddc406966beeed484b838649e21b0d38eb113a49790ae4512e6e
     script: |
       set -euo pipefail
 
@@ -38,7 +38,7 @@ spec:
       ec validate input --policy "${policy}" --output yaml --strict=true ${args[*]}
   - name: validate-build-tasks
     workingDir: "$(workspaces.source.path)/source"
-    image: quay.io/enterprise-contract/ec-cli:snapshot@sha256:48269e4d72f3e28210dc34f3f336b696ae2cb8ac4ae3cafb41d3ae33f497d74a
+    image: quay.io/enterprise-contract/ec-cli:snapshot@sha256:3bed976c747bddc406966beeed484b838649e21b0d38eb113a49790ae4512e6e
     script: |
       set -euo pipefail
 

pipelines/docker-build-rhtap/patch.yaml

@@ -14,6 +14,11 @@
     name: stackrox-secret
     type: string
     default: "rox-api-token"
+- op: add
+  path: /spec/results/-
+  value:
+    name: ACS_SCAN_OUTPUT
+    value: $(tasks.acs-image-scan.results.SCAN_OUTPUT)
 - op: replace
   path: /spec/tasks/3/taskRef
   value:

pipelines/enterprise-contract-everything.yaml

@@ -65,7 +65,7 @@ spec:
         resolver: bundles
         params:
           - name: bundle
-            value: quay.io/enterprise-contract/ec-task-bundle:snapshot@sha256:89acb91d7ef53943d4220f9b1445352f96fa4a38ee4df6196d653c093d0abf56
+            value: quay.io/enterprise-contract/ec-task-bundle:snapshot@sha256:bfa038ebb99229bddf98b0f50cb90b78c525163a95039f5120098872e3964b3e
           - name: name
             value: verify-enterprise-contract
           - name: kind

pipelines/enterprise-contract-redhat-no-hermetic.yaml

@@ -65,7 +65,7 @@ spec:
         resolver: bundles
         params:
           - name: bundle
-            value: quay.io/enterprise-contract/ec-task-bundle:snapshot@sha256:89acb91d7ef53943d4220f9b1445352f96fa4a38ee4df6196d653c093d0abf56
+            value: quay.io/enterprise-contract/ec-task-bundle:snapshot@sha256:bfa038ebb99229bddf98b0f50cb90b78c525163a95039f5120098872e3964b3e
           - name: name
             value: verify-enterprise-contract
           - name: kind

pipelines/enterprise-contract-redhat.yaml

@@ -65,7 +65,7 @@ spec:
         resolver: bundles
         params:
           - name: bundle
-            value: quay.io/enterprise-contract/ec-task-bundle:snapshot@sha256:89acb91d7ef53943d4220f9b1445352f96fa4a38ee4df6196d653c093d0abf56
+            value: quay.io/enterprise-contract/ec-task-bundle:snapshot@sha256:bfa038ebb99229bddf98b0f50cb90b78c525163a95039f5120098872e3964b3e
           - name: name
             value: verify-enterprise-contract
           - name: kind

pipelines/enterprise-contract-slsa3.yaml

@@ -65,7 +65,7 @@ spec:
         resolver: bundles
         params:
           - name: bundle
-            value: quay.io/enterprise-contract/ec-task-bundle:snapshot@sha256:89acb91d7ef53943d4220f9b1445352f96fa4a38ee4df6196d653c093d0abf56
+            value: quay.io/enterprise-contract/ec-task-bundle:snapshot@sha256:bfa038ebb99229bddf98b0f50cb90b78c525163a95039f5120098872e3964b3e
           - name: name
             value: verify-enterprise-contract
           - name: kind

pipelines/enterprise-contract.yaml

@@ -66,7 +66,7 @@ spec:
         resolver: bundles
         params:
           - name: bundle
-            value: quay.io/enterprise-contract/ec-task-bundle:snapshot@sha256:89acb91d7ef53943d4220f9b1445352f96fa4a38ee4df6196d653c093d0abf56
+            value: quay.io/enterprise-contract/ec-task-bundle:snapshot@sha256:bfa038ebb99229bddf98b0f50cb90b78c525163a95039f5120098872e3964b3e
           - name: name
             value: verify-enterprise-contract
           - name: kind

task/clair-scan/0.1/clair-scan.yaml

@@ -42,7 +42,7 @@ spec:
 
         clair-action report --image-ref=$imageanddigest --db-path=/tmp/matcher.db --format=quay | tee /tekton/home/clair-result.json || true
     - name: conftest-vulnerabilities
-      image: quay.io/redhat-appstudio/hacbs-test:v1.2.1@sha256:f351461c26733bf65cd6cddd5933114c9a4a1e2b5546f7505ddc95a2fa44c709
+      image: quay.io/redhat-appstudio/hacbs-test:v1.3.0@sha256:cd4601a7d71ebd908046db7a9b7010611b8b372fe941664d5163c81250a1a1fc
       # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting
       # the cluster will set imagePullPolicy to IfNotPresent
       # also per direction from Ralph Bean, we want to use image digest based tags to use a cue to automation like dependabot or renovatebot to periodially submit pull requests that update the digest as new images are released.

task/clamav-scan/0.1/clamav-scan.yaml

@@ -24,7 +24,7 @@ spec:
 
   steps:
     - name: extract-and-scan-image
-      image: quay.io/redhat-appstudio/hacbs-test:v1.2.1@sha256:f351461c26733bf65cd6cddd5933114c9a4a1e2b5546f7505ddc95a2fa44c709
+      image: quay.io/redhat-appstudio/hacbs-test:v1.3.0@sha256:cd4601a7d71ebd908046db7a9b7010611b8b372fe941664d5163c81250a1a1fc
       # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting
       # the cluster will set imagePullPolicy to IfNotPresent
       # also per direction from Ralph Bean, we want to use image digest based tags to use a cue to automation like dependabot or renovatebot to periodially submit pull requests that update the digest as new images are released.

task/deprecated-image-check/0.1/deprecated-image-check.yaml

@@ -30,7 +30,7 @@ spec:
   steps:
     # Download Pyxis metadata about the image
     - name: query-pyxis
-      image: quay.io/redhat-appstudio/hacbs-test:v1.2.1@sha256:f351461c26733bf65cd6cddd5933114c9a4a1e2b5546f7505ddc95a2fa44c709
+      image: quay.io/redhat-appstudio/hacbs-test:v1.3.0@sha256:cd4601a7d71ebd908046db7a9b7010611b8b372fe941664d5163c81250a1a1fc
       # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting
       # the cluster will set imagePullPolicy to IfNotPresent
       # also per direction from Ralph Bean, we want to use image digest based tags to use a cue to automation like dependabot or renovatebot to periodially submit pull requests that update the digest as new images are released.
@@ -61,7 +61,7 @@ spec:
 
     # Run the tests and save output
     - name: run-conftest
-      image: quay.io/redhat-appstudio/hacbs-test:v1.2.1@sha256:f351461c26733bf65cd6cddd5933114c9a4a1e2b5546f7505ddc95a2fa44c709
+      image: quay.io/redhat-appstudio/hacbs-test:v1.3.0@sha256:cd4601a7d71ebd908046db7a9b7010611b8b372fe941664d5163c81250a1a1fc
       # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting
       # the cluster will set imagePullPolicy to IfNotPresent
       # also per direction from Ralph Bean, we want to use image digest based tags to use a cue to automation like dependabot or renovatebot to periodially submit pull requests that update the digest as new images are released.

task/deprecated-image-check/0.2/deprecated-image-check.yaml

@@ -30,7 +30,7 @@ spec:
   steps:
     # Download Pyxis metadata about the image
     - name: query-pyxis
-      image: quay.io/redhat-appstudio/hacbs-test:v1.2.1@sha256:f351461c26733bf65cd6cddd5933114c9a4a1e2b5546f7505ddc95a2fa44c709
+      image: quay.io/redhat-appstudio/hacbs-test:v1.3.0@sha256:cd4601a7d71ebd908046db7a9b7010611b8b372fe941664d5163c81250a1a1fc
       # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting
       # the cluster will set imagePullPolicy to IfNotPresent
       # also per direction from Ralph Bean, we want to use image digest based tags to use a cue to automation like dependabot or renovatebot to periodially submit pull requests that update the digest as new images are released.
@@ -61,7 +61,7 @@ spec:
 
     # Run the tests and save output
     - name: run-conftest
-      image: quay.io/redhat-appstudio/hacbs-test:v1.2.1@sha256:f351461c26733bf65cd6cddd5933114c9a4a1e2b5546f7505ddc95a2fa44c709
+      image: quay.io/redhat-appstudio/hacbs-test:v1.3.0@sha256:cd4601a7d71ebd908046db7a9b7010611b8b372fe941664d5163c81250a1a1fc
       # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting
       # the cluster will set imagePullPolicy to IfNotPresent
       # also per direction from Ralph Bean, we want to use image digest based tags to use a cue to automation like dependabot or renovatebot to periodially submit pull requests that update the digest as new images are released.

task/deprecated-image-check/0.3/deprecated-image-check.yaml

@@ -29,7 +29,7 @@ spec:
 
   steps:
     - name: check-images
-      image: quay.io/redhat-appstudio/hacbs-test:v1.2.1@sha256:f351461c26733bf65cd6cddd5933114c9a4a1e2b5546f7505ddc95a2fa44c709
+      image: quay.io/redhat-appstudio/hacbs-test:v1.3.0@sha256:cd4601a7d71ebd908046db7a9b7010611b8b372fe941664d5163c81250a1a1fc
       # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting
       # the cluster will set imagePullPolicy to IfNotPresent
       # also per direction from Ralph Bean, we want to use image digest based tags to use a cue to automation like dependabot or renovatebot to periodially submit pull requests that update the digest as new images are released.

task/fbc-related-image-check/0.1/fbc-related-image-check.yaml

@@ -17,7 +17,7 @@ spec:
     - name: workspace
   steps:
     - name: check-related-images
-      image: quay.io/redhat-appstudio/hacbs-test:v1.2.1@sha256:f351461c26733bf65cd6cddd5933114c9a4a1e2b5546f7505ddc95a2fa44c709
+      image: quay.io/redhat-appstudio/hacbs-test:v1.3.0@sha256:cd4601a7d71ebd908046db7a9b7010611b8b372fe941664d5163c81250a1a1fc
       # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting
       # the cluster will set imagePullPolicy to IfNotPresent
       # also per direction from Ralph Bean, we want to use image digest based tags to use a cue to automation like dependabot or renovatebot to periodially submit pull requests that update the digest as new images are released.

task/fbc-validation/0.1/fbc-validation.yaml

@@ -26,7 +26,7 @@ spec:
     - name: workspace
   steps:
     - name: extract-and-check-binaries
-      image: quay.io/redhat-appstudio/hacbs-test:v1.2.1@sha256:f351461c26733bf65cd6cddd5933114c9a4a1e2b5546f7505ddc95a2fa44c709
+      image: quay.io/redhat-appstudio/hacbs-test:v1.3.0@sha256:cd4601a7d71ebd908046db7a9b7010611b8b372fe941664d5163c81250a1a1fc
       # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting
       # the cluster will set imagePullPolicy to IfNotPresent
       # also per direction from Ralph Bean, we want to use image digest based tags to use a cue to automation like dependabot or renovatebot to periodially submit pull requests that update the digest as new images are released.

task/inspect-image/0.1/inspect-image.yaml

@@ -33,7 +33,7 @@ spec:
     - name: source
   steps:
   - name: inspect-image
-    image: quay.io/redhat-appstudio/hacbs-test:v1.2.1@sha256:f351461c26733bf65cd6cddd5933114c9a4a1e2b5546f7505ddc95a2fa44c709
+    image: quay.io/redhat-appstudio/hacbs-test:v1.3.0@sha256:cd4601a7d71ebd908046db7a9b7010611b8b372fe941664d5163c81250a1a1fc
     # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting
     # the cluster will set imagePullPolicy to IfNotPresent
     # also per direction from Ralph Bean, we want to use image digest based tags to use a cue to automation like dependabot or renovatebot to periodially submit pull requests that update the digest as new images are released.

task/sast-snyk-check/0.1/sast-snyk-check.yaml

@@ -28,7 +28,7 @@ spec:
         optional: true
   steps:
     - name: sast-snyk-check
-      image: quay.io/redhat-appstudio/hacbs-test:v1.2.1@sha256:f351461c26733bf65cd6cddd5933114c9a4a1e2b5546f7505ddc95a2fa44c709
+      image: quay.io/redhat-appstudio/hacbs-test:v1.3.0@sha256:cd4601a7d71ebd908046db7a9b7010611b8b372fe941664d5163c81250a1a1fc
       # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting
       # the cluster will set imagePullPolicy to IfNotPresent
       # also per direction from Ralph Bean, we want to use image digest based tags to use a cue to automation like dependabot or renovatebot to periodially submit pull requests that update the digest as new images are released.

task/sbom-json-check/0.1/sbom-json-check.yaml

@@ -18,7 +18,7 @@ spec:
       name: TEST_OUTPUT
   steps:
   - name: sbom-json-check
-    image: quay.io/redhat-appstudio/hacbs-test:v1.2.1@sha256:f351461c26733bf65cd6cddd5933114c9a4a1e2b5546f7505ddc95a2fa44c709
+    image: quay.io/redhat-appstudio/hacbs-test:v1.3.0@sha256:cd4601a7d71ebd908046db7a9b7010611b8b372fe941664d5163c81250a1a1fc
     # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting
     # the cluster will set imagePullPolicy to IfNotPresent
     # also per direction from Ralph Bean, we want to use image digest based tags to use a cue to automation like dependabot or renovatebot to periodially submit pull requests that update the digest as new images are released.

task/tkn-bundle/0.1/tkn-bundle.yaml

@@ -39,7 +39,7 @@ spec:
     - name: TASK_FILE
       value: tekton_task_files
   steps:
-  - image: quay.io/redhat-appstudio/hacbs-test:latest@sha256:f351461c26733bf65cd6cddd5933114c9a4a1e2b5546f7505ddc95a2fa44c709
+  - image: quay.io/redhat-appstudio/hacbs-test:latest@sha256:cd4601a7d71ebd908046db7a9b7010611b8b372fe941664d5163c81250a1a1fc
     name: modify-task-files
     env:
     - name: CONTEXT

task/verify-signed-rpms/0.1/verify-signed-rpms.yaml

@@ -48,7 +48,7 @@ spec:
           --workdir "${WORKDIR}" \
           --status-path "${WORKDIR}"/status
     - name: output-results
-      image: quay.io/redhat-appstudio/hacbs-test:v1.2.1@sha256:f351461c26733bf65cd6cddd5933114c9a4a1e2b5546f7505ddc95a2fa44c709
+      image: quay.io/redhat-appstudio/hacbs-test:v1.3.0@sha256:cd4601a7d71ebd908046db7a9b7010611b8b372fe941664d5163c81250a1a1fc
       volumeMounts:
         - name: workdir
           mountPath: "$(params.WORKDIR)"