This repository has been archived by the owner on Jul 28, 2023. It is now read-only.

Provide an option to halt builds based on container scan results #39

jtmulvey opened this issue Nov 13, 2019 · 5 comments
@jtmulvey
Contributor

We need to provide the ability to set failure criteria in the container vulnerability scanning task which would result in the termination of the build. The build results, along with the scan output, are then available for review using the Tekton dashboard/UI.

@teddyjtorres
Member

Current pipelines in https://github.com/kabanero-io/collections/tree/master/incubator/common/pipelines/default run the scan at the end of the pipeline, which makes it unnecessary to stop. If a PipelineRun needs to be cancelled, it has to be done as documented in https://github.com/tektoncd/pipeline/blob/master/docs/pipelineruns.md#cancelling-a-pipelinerun. It needs to be designed where the PipelineRun cancellation is needed in relation to the build, push, and deploy tasks, possibly breaking up some of the existing tasks, like https://github.com/kabanero-io/collections/blob/master/incubator/common/pipelines/default/build-push-task.yaml.

@teddyjtorres
Member

It was determined that https://github.com/kabanero-io/collections/blob/master/incubator/common/pipelines/default/build-push-task.yaml cannot be broken up since the push step pushes the image to the registry that is later used to pull the image from for scanning. Otherwise, an intermediate registry may be needed. Other multi-step tasks may be broken up, or the scanning must be integrated in those tasks.

@teddyjtorres
Member

teddyjtorres commented Feb 18, 2020

The build-deploy-pl.yaml pipeline template was updated to use a conditional for the deploy-task as follows:

```yaml
- name: deploy-task
  conditions:
  - conditionRef: StackId-deployment-condition
```

Thus, a possible design for this issue is to return a code, as an output parameter, from the image-scan-task that the StackId-deployment-condition will examine to determine if the image can be deployed. Other alternatives can be explored.

@teddyjtorres
Member

Possible failure criteria would include the SCAP result categories,

  1. Non-Compliant/Vulnerable/Unpatched
  2. Compliant/Non-Vulnerable/Patched
  3. Error
  4. Unknown
  5. Other (Inventory/Miscellaneous class or Not Applicable/Not Evaluated result)

There needs to be a task input parameter indicating how many entries in those categories would cause this task to fail.
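One way to implement the category threshold check proposed in the two comments above, as an added example (this is not code from the kabanero-io collections or the image-scan-task). The "rule-id result" report line format, the result-to-category mapping, and the shape of the threshold parameter are assumptions; the code tallies scan results into the five SCAP categories and returns the exit code the deployment condition would examine.

```python
from collections import Counter

# The five SCAP result categories listed in the issue; "Other" covers the
# Inventory/Miscellaneous class and Not Applicable/Not Evaluated results.
CATEGORIES = ("Non-Compliant/Vulnerable/Unpatched", "Compliant/Non-Vulnerable/Patched",
              "Error", "Unknown", "Other")

# Assumed mapping from per-rule result strings to a category.
RESULT_TO_CATEGORY = {
    "fail": CATEGORIES[0], "vulnerable": CATEGORIES[0], "unpatched": CATEGORIES[0],
    "pass": CATEGORIES[1], "patched": CATEGORIES[1],
    "error": CATEGORIES[2],
    "unknown": CATEGORIES[3],
    "notapplicable": CATEGORIES[4], "notchecked": CATEGORIES[4],
}

def count_categories(report_text):
    """Tally results per category; unrecognised results count as 'Other'."""
    counts = Counter({c: 0 for c in CATEGORIES})
    for line in report_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        _rule_id, _, result = line.rpartition(" ")  # assumed "rule-id result" lines
        counts[RESULT_TO_CATEGORY.get(result.lower(), "Other")] += 1
    return counts

def evaluate(counts, thresholds):
    """Return (code, reasons): code 0 means deployable, 1 means halt.
    thresholds maps a category to the maximum count allowed; categories
    not listed are not enforced."""
    reasons = [f"{cat}: {counts.get(cat, 0)} > {limit}"
               for cat, limit in thresholds.items() if counts.get(cat, 0) > limit]
    return (1 if reasons else 0), reasons

# Constructed sample report, not real scanner output.
SAMPLE_REPORT = """\
xccdf_org.example.content_rule_a pass
oval:com.example:def:1 fail
oval:com.example:def:2 fail
oval:com.example:def:3 error
oval:com.example:def:4 unknown
oval:com.example:def:5 notapplicable
"""

if __name__ == "__main__":
    import sys
    # Task-parameter equivalent: no vulnerable entries tolerated, one error allowed.
    code, reasons = evaluate(count_categories(SAMPLE_REPORT), {CATEGORIES[0]: 0, CATEGORIES[2]: 1})
    print("\n".join(reasons) or "deployable")
    sys.exit(code)  # the non-zero exit is what the deployment condition would check
```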

@marikaj123
Member

@teddyjtorres - Any idea at what Kabanero release would the fix become available?
