buildah-sast: upload SAST results

konflux-ci · Oct 25, 2024 · b5ac097 · b5ac097
1 parent 535258d
commit b5ac097
Showing 1 changed file with 19 additions and 4 deletions.
diff --git a/task/buildah-sast/0.2/patch.yaml b/task/buildah-sast/0.2/patch.yaml
@@ -65,6 +65,13 @@
       /usr/lib64/cswrap:/usr/lib64/cswrap
       /usr/libexec/csgrep-static:/usr/libexec/csgrep-static
 
+  # Additional parameter
+- op: add
+  path: /spec/params/-
+  value:
+    name: IMAGE_URL
+    type: string
+
 # Add prepare and postprocess steps
   # Prepare step
 - op: add
@@ -150,15 +157,23 @@
       requests:
         memory: 0.5Gi
         cpu: '0.5'
+    env:
+      - name: IMAGE_URL
+        value: $(params.IMAGE_URL)
     workingDir: $(workspaces.source.path)
     script: |
       set -x
       sast_dir="/shared/sast-results"
       ls -l "$sast_dir"
 
       # read the collected SAST scanning results
+      UPLOAD_FILE=gcc-analyzer.sarif
       (set -x && cd "$sast_dir" && csgrep --mode=sarif --event=^warning --remove-duplicates ./*) \
-        | tee sast.sarif | csgrep
-
-      # buildah push quay.io/results-image
-      echo "buildah push quay.io/results-image"
+        | tee "${UPLOAD_FILE}" | csgrep
+
+      # upload scan results
+      MEDIA_TYPE=application/sarif+json
+      echo "Selecting auth"
+      select-oci-auth "${IMAGE_URL}" > "${HOME}/auth.json"
+      echo "Attaching to ${IMAGE_URL}"
+      oras attach --no-tty --registry-config "${HOME}/auth.json" --artifact-type "${MEDIA_TYPE}" "${IMAGE_URL}" "${UPLOAD_FILE}:${MEDIA_TYPE}"