Use the referrers API for attaching results
This makes them findable with oras discover.

Signed-off-by: Ralph Bean <[email protected]>
ralphbean committed Jun 17, 2024
1 parent e621567 commit d326fec
Showing 2 changed files with 9 additions and 23 deletions.
16 changes: 5 additions & 11 deletions task/clamav-scan/0.1/clamav-scan.yaml
Expand Up @@ -15,8 +15,6 @@ spec:
description: Tekton task test output.
- name: IMAGES_PROCESSED
description: Images processed in the task.
- name: RESULT_URI
description: OCI pullspec where the full clamav output can be found.
params:
- name: image-digest
description: Image digest to scan.
Expand Down Expand Up @@ -145,7 +143,7 @@ spec:
- mountPath: /work
name: work
- name: upload
image: quay.io/konflux-ci/oras:latest@sha256:55cf304549225435958798c3be0377faf0a3ff89f3fbe03e45c3bb656ecaf02f
image: quay.io/konflux-ci/oras:latest@sha256:04cbd5efbcf1a38944b050e3adbc3071218643f6aa92e95d5d25b173574bca5e
env:
- name: IMAGE_URL
value: $(params.image-url)
Expand All @@ -155,12 +153,6 @@ spec:
script: |
#!/usr/bin/env bash
IFS=':' read -ra REPO <<< "$IMAGE_URL"
REPO="${REPO[0]}"
DIGEST=$(echo "${IMAGE_DIGEST}" | tr : -)
SUFFIX=clamav
RESULT_URI="${REPO}:${DIGEST}.${SUFFIX}"
cd logs
for UPLOAD_FILE in $(find . -name "clamscan-result*.log"); do
Expand All @@ -171,8 +163,10 @@ spec:
MEDIA_TYPE=application/vnd.konflux.test_output+json
args+=("${UPLOAD_FILE}:${MEDIA_TYPE}")
done
retry oras push --no-tty --registry-config "$HOME/.docker/config.json" "${RESULT_URI}" "${args[@]}"
echo "${RESULT_URI}" > $(results.RESULT_URI.path)
select-oci-auth $IMAGE_URL > auth.json
oras attach --no-tty --registry-config "auth.json" --distribution-spec v1.1-referrers-api "${IMAGE_URL}" "${args[@]}"
oras attach --no-tty --registry-config "auth.json" --distribution-spec v1.1-referrers-tag "${IMAGE_URL}" "${args[@]}"
volumeMounts:
- mountPath: /work
name: work
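Review bot: Both `oras attach` calls take `"${IMAGE_URL}"` as the subject, so the ClamAV log is attached to whatever manifest that reference resolves to at upload time, not to the digest that was scanned; the removed lines keyed the artifact on `IMAGE_DIGEST`. If `IMAGE_URL` carries a mutable tag (the old `IFS=':'` split suggests it can), a tag move between the scan and upload steps would bind the result to a different image. Assuming `IMAGE_DIGEST` is still exported to this step, pin the subject with `SUBJECT="${IMAGE_URL%:*}@${IMAGE_DIGEST}"` and pass `"${SUBJECT}"` to both attaches; the `%:*` strip is only correct when a tag is present, so guard it for tagless references on a registry with a port. The two attach lines in sast-snyk-check.yaml have the same issue. The script body starts and continues outside the hunks shown.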
16 changes: 4 additions & 12 deletions task/sast-snyk-check/0.1/sast-snyk-check.yaml
Expand Up @@ -13,8 +13,6 @@ spec:
results:
- description: Tekton task test output.
name: TEST_OUTPUT
- description: OCI pullspec where the full SARIF result can be found.
name: RESULT_URI
params:
- name: SNYK_SECRET
description: Name of secret which contains Snyk token.
Expand Down Expand Up @@ -97,7 +95,7 @@ spec:
fi
echo "${TEST_OUTPUT:-${ERROR_OUTPUT}}" | tee $(results.TEST_OUTPUT.path)
- name: upload
image: quay.io/konflux-ci/oras:latest@sha256:55cf304549225435958798c3be0377faf0a3ff89f3fbe03e45c3bb656ecaf02f
image: quay.io/konflux-ci/oras:latest@sha256:04cbd5efbcf1a38944b050e3adbc3071218643f6aa92e95d5d25b173574bca5e
workingDir: $(workspaces.workspace.path)/hacbs/$(context.task.name)
env:
- name: IMAGE_URL
Expand All @@ -113,16 +111,10 @@ spec:
fi
UPLOAD_FILE=sast_snyk_check_out.json
SUFFIX=sarif
MEDIA_TYPE=application/sarif+json
IFS=':' read -ra REPO <<< "$IMAGE_URL"
REPO="${REPO[0]}"
DIGEST=$(echo "${IMAGE_DIGEST}" | tr : -)
RESULT_URI="${REPO}:${DIGEST}.${SUFFIX}"
retry oras push --no-tty --registry-config "$HOME/.docker/config.json" "${RESULT_URI}" "${UPLOAD_FILE}:${MEDIA_TYPE}"
echo "${RESULT_URI}" > $(results.RESULT_URI.path)
select-oci-auth $IMAGE_URL > auth.json
oras attach --no-tty --registry-config "auth.json" --distribution-spec v1.1-referrers-api "${IMAGE_URL}" "${UPLOAD_FILE}:${MEDIA_TYPE}"
oras attach --no-tty --registry-config "auth.json" --distribution-spec v1.1-referrers-tag "${IMAGE_URL}" "${UPLOAD_FILE}:${MEDIA_TYPE}"
workspaces:
- name: workspace
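Review bot: `select-oci-auth $IMAGE_URL > auth.json` writes the selected registry auth file, presumably containing credentials, into the step's working directory, which here is `$(workspaces.workspace.path)/hacbs/$(context.task.name)`. It therefore stays in the shared workspace after the step ends, where later steps or tasks mounting that workspace can read it. Write it outside the workspace and remove it on exit, e.g. `AUTH=$(mktemp); trap 'rm -f "$AUTH"' EXIT; select-oci-auth "$IMAGE_URL" > "$AUTH"`, then pass `--registry-config "$AUTH"`; this also quotes `$IMAGE_URL`, which is currently open to word splitting. clamav-scan.yaml has the same line, executed after `cd logs`. Separately, the removed `oras push` ran under `retry` and the new attaches do not, so unless the unseen script header sets `-e`, a failure of the first attach would not fail the step.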
