

Modify buildah task to allow creating SAST scan tasks via kustomize
mmorhun committed Oct 25, 2024
1 parent bb0f4aa commit d7b02b4
Showing 4 changed files with 54 additions and 10 deletions.
15 changes: 13 additions & 2 deletions task/buildah-oci-ta/0.2/buildah-oci-ta.yaml
Expand Up @@ -188,8 +188,6 @@ spec:
value: $(params.BUILD_ARGS_FILE)
- name: CONTEXT
value: $(params.CONTEXT)
- name: DOCKERFILE
value: $(params.DOCKERFILE)
- name: ENTITLEMENT_SECRET
value: $(params.ENTITLEMENT_SECRET)
- name: HERMETIC
Expand Down Expand Up @@ -251,6 +249,8 @@ spec:
env:
- name: COMMIT_SHA
value: $(params.COMMIT_SHA)
- name: DOCKERFILE
value: $(params.DOCKERFILE)
script: |
#!/bin/bash
set -e
Expand All @@ -265,6 +265,10 @@ spec:
dockerfile_path="$(pwd)/$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE"
elif [ -e "$SOURCE_CODE_DIR/$DOCKERFILE" ]; then
dockerfile_path="$(pwd)/$SOURCE_CODE_DIR/$DOCKERFILE"
elif [ -e "$DOCKERFILE" ]; then
# Custom Dockerfile location is mainly used for instrumented builds for SAST scanning and analyzing.
# Instrumented builds use this step as their base and also need to provide modifyed Dockerfile.
dockerfile_path="$DOCKERFILE"
elif echo "$DOCKERFILE" | grep -q "^https\?://"; then
echo "Fetch Dockerfile from $DOCKERFILE"
dockerfile_path=$(mktemp --suffix=-Dockerfile)
Expand Down Expand Up @@ -463,6 +467,13 @@ spec:
echo "Adding the entitlement to the build"
fi
# ADDITIONAL_VOLUME_MOUNTS allows to specify more volumes for the build.
# This is primarily used in instrumented builds for SAST scanning and analyzing.
# Instrumented builds use this step as their base and add some other tools.
while read -r volume_mount; do
VOLUME_MOUNTS+=("--volume=$volume_mount")
done <<<"$ADDITIONAL_VOLUME_MOUNTS"
ADDITIONAL_SECRET_PATH="/additional-secret"
ADDITIONAL_SECRET_TMP="/tmp/additional-secret"
if [ -d "$ADDITIONAL_SECRET_PATH" ]; then
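Review bot: The new `elif [ -e "$DOCKERFILE" ]` branch in the `@@ -265,6 +265,10` hunk accepts any existing path in the build container — a relative path resolved against the current directory, an absolute path anywhere on the pod's filesystem, and directories as well as files, since `-e` does not distinguish them — whereas the two branches before it confine the lookup to `$SOURCE_CODE_DIR`, so the DOCKERFILE parameter now selects files outside the source workspace. Given the comment says the intent is a Dockerfile injected for instrumented builds, tightening it to an absolute regular file, `elif [[ "$DOCKERFILE" == /* && -f "$DOCKERFILE" ]]; then`, or to the fixed prefix the overlay writes to, keeps the old boundary for ordinary builds. Separately, the `while read -r volume_mount` loop in the `@@ -463,6 +467,13` hunk runs once with an empty `volume_mount` when ADDITIONAL_VOLUME_MOUNTS is empty or unset (a here-string always supplies one line, and only `set -e` is visible, not `set -u`), so every build that does not set it appends a bare `--volume=` to VOLUME_MOUNTS; wrapping the loop in `if [ -n "$ADDITIONAL_VOLUME_MOUNTS" ]; then … fi` avoids that. The same two changes appear in task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml, task/buildah-remote/0.2/buildah-remote.yaml and task/buildah/0.2/buildah.yaml, and three of the four new comments spell `modifyed` where the fourth has `modified`. The build script continues outside both hunks.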
17 changes: 14 additions & 3 deletions task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml
Expand Up @@ -168,8 +168,6 @@ spec:
value: $(params.BUILD_ARGS_FILE)
- name: CONTEXT
value: $(params.CONTEXT)
- name: DOCKERFILE
value: $(params.DOCKERFILE)
- name: ENTITLEMENT_SECRET
value: $(params.ENTITLEMENT_SECRET)
- name: HERMETIC
Expand Down Expand Up @@ -230,6 +228,8 @@ spec:
env:
- name: COMMIT_SHA
value: $(params.COMMIT_SHA)
- name: DOCKERFILE
value: $(params.DOCKERFILE)
image: quay.io/konflux-ci/buildah-task:latest@sha256:b2d6c32d1e05e91920cd4475b2761d58bb7ee11ad5dff3ecb59831c7572b4d0c
name: build
script: |-
Expand Down Expand Up @@ -299,6 +299,10 @@ spec:
dockerfile_path="$(pwd)/$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE"
elif [ -e "$SOURCE_CODE_DIR/$DOCKERFILE" ]; then
dockerfile_path="$(pwd)/$SOURCE_CODE_DIR/$DOCKERFILE"
elif [ -e "$DOCKERFILE" ]; then
# Custom Dockerfile location is mainly used for instrumented builds for SAST scanning and analyzing.
# Instrumented builds use this step as their base and also need to provide modifyed Dockerfile.
dockerfile_path="$DOCKERFILE"
elif echo "$DOCKERFILE" | grep -q "^https\?://"; then
echo "Fetch Dockerfile from $DOCKERFILE"
dockerfile_path=$(mktemp --suffix=-Dockerfile)
Expand Down Expand Up @@ -497,6 +501,13 @@ spec:
echo "Adding the entitlement to the build"
fi
# ADDITIONAL_VOLUME_MOUNTS allows to specify more volumes for the build.
# This is primarily used in instrumented builds for SAST scanning and analyzing.
# Instrumented builds use this step as their base and add some other tools.
while read -r volume_mount; do
VOLUME_MOUNTS+=("--volume=$volume_mount")
done <<<"$ADDITIONAL_VOLUME_MOUNTS"
ADDITIONAL_SECRET_PATH="/additional-secret"
ADDITIONAL_SECRET_TMP="/tmp/additional-secret"
if [ -d "$ADDITIONAL_SECRET_PATH" ]; then
-e BUILDAH_FORMAT="$BUILDAH_FORMAT" \
-e BUILD_ARGS_FILE="$BUILD_ARGS_FILE" \
-e CONTEXT="$CONTEXT" \
-e DOCKERFILE="$DOCKERFILE" \
-e ENTITLEMENT_SECRET="$ENTITLEMENT_SECRET" \
-e HERMETIC="$HERMETIC" \
-e IMAGE="$IMAGE" \
Expand All @@ -583,6 +593,7 @@ spec:
-e YUM_REPOS_D_SRC="$YUM_REPOS_D_SRC" \
-e YUM_REPOS_D_TARGET="$YUM_REPOS_D_TARGET" \
-e COMMIT_SHA="$COMMIT_SHA" \
-e DOCKERFILE="$DOCKERFILE" \
-v "$BUILD_DIR/volumes/shared:/shared:Z" \
-v "$BUILD_DIR/volumes/workdir:/var/workdir:Z" \
-v "$BUILD_DIR/volumes/etc-pki-entitlement:/entitlement:Z" \
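Review bot: In this remote variant the `while read -r volume_mount … <<<"$ADDITIONAL_VOLUME_MOUNTS"` loop (the `@@ -497,6 +501,13` hunk) executes inside the remote container, which only sees the variables forwarded by the `-e` list, and the `@@ -583,6 +593,7` hunk forwards `DOCKERFILE` but not `ADDITIONAL_VOLUME_MOUNTS`. If a kustomize overlay is expected to set ADDITIONAL_VOLUME_MOUNTS on the step env, it presumably also needs `-e ADDITIONAL_VOLUME_MOUNTS="$ADDITIONAL_VOLUME_MOUNTS" \` in that list, unless it is forwarded in the part of the list outside the hunk. The same applies to the `@@ -561,6 +571,7` hunk of task/buildah-remote/0.2/buildah-remote.yaml. The podman invocation and the build script both continue outside the hunks.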
17 changes: 14 additions & 3 deletions task/buildah-remote/0.2/buildah-remote.yaml
Expand Up @@ -157,8 +157,6 @@ spec:
value: source
- name: CONTEXT
value: $(params.CONTEXT)
- name: DOCKERFILE
value: $(params.DOCKERFILE)
- name: IMAGE
value: $(params.IMAGE)
- name: TLSVERIFY
Expand Down Expand Up @@ -212,6 +210,8 @@ spec:
env:
- name: COMMIT_SHA
value: $(params.COMMIT_SHA)
- name: DOCKERFILE
value: $(params.DOCKERFILE)
image: quay.io/konflux-ci/buildah-task:latest@sha256:b2d6c32d1e05e91920cd4475b2761d58bb7ee11ad5dff3ecb59831c7572b4d0c
name: build
script: |-
Expand Down Expand Up @@ -281,6 +281,10 @@ spec:
dockerfile_path="$(pwd)/$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE"
elif [ -e "$SOURCE_CODE_DIR/$DOCKERFILE" ]; then
dockerfile_path="$(pwd)/$SOURCE_CODE_DIR/$DOCKERFILE"
elif [ -e "$DOCKERFILE" ]; then
# Custom Dockerfile location is mainly used for instrumented builds for SAST scanning and analyzing.
# Instrumented builds use this step as their base and also need to provide modifyed Dockerfile.
dockerfile_path="$DOCKERFILE"
elif echo "$DOCKERFILE" | grep -q "^https\?://"; then
echo "Fetch Dockerfile from $DOCKERFILE"
dockerfile_path=$(mktemp --suffix=-Dockerfile)
Expand Down Expand Up @@ -475,6 +479,13 @@ spec:
echo "Adding the entitlement to the build"
fi
# ADDITIONAL_VOLUME_MOUNTS allows to specify more volumes for the build.
# This is primarily used in instrumented builds for SAST scanning and analyzing.
# Instrumented builds use this step as their base and add some other tools.
while read -r volume_mount; do
VOLUME_MOUNTS+=("--volume=$volume_mount")
done <<< "$ADDITIONAL_VOLUME_MOUNTS"
ADDITIONAL_SECRET_PATH="/additional-secret"
ADDITIONAL_SECRET_TMP="/tmp/additional-secret"
if [ -d "$ADDITIONAL_SECRET_PATH" ]; then
-e HERMETIC="$HERMETIC" \
-e SOURCE_CODE_DIR="$SOURCE_CODE_DIR" \
-e CONTEXT="$CONTEXT" \
-e DOCKERFILE="$DOCKERFILE" \
-e IMAGE="$IMAGE" \
-e TLSVERIFY="$TLSVERIFY" \
-e IMAGE_EXPIRES_AFTER="$IMAGE_EXPIRES_AFTER" \
Expand All @@ -561,6 +571,7 @@ spec:
-e SQUASH="$SQUASH" \
-e SKIP_UNUSED_STAGES="$SKIP_UNUSED_STAGES" \
-e COMMIT_SHA="$COMMIT_SHA" \
-e DOCKERFILE="$DOCKERFILE" \
-v "$BUILD_DIR/workspaces/source:$(workspaces.source.path):Z" \
-v "$BUILD_DIR/volumes/shared:/shared:Z" \
-v "$BUILD_DIR/volumes/etc-pki-entitlement:/entitlement:Z" \
15 changes: 13 additions & 2 deletions task/buildah/0.2/buildah.yaml
Expand Up @@ -138,8 +138,6 @@ spec:
value: source
- name: CONTEXT
value: $(params.CONTEXT)
- name: DOCKERFILE
value: $(params.DOCKERFILE)
- name: IMAGE
value: $(params.IMAGE)
- name: TLSVERIFY
Expand Down Expand Up @@ -182,6 +180,8 @@ spec:
env:
- name: COMMIT_SHA
value: $(params.COMMIT_SHA)
- name: DOCKERFILE
value: $(params.DOCKERFILE)
args:
- --build-args
- $(params.BUILD_ARGS[*])
Expand All @@ -202,6 +202,10 @@ spec:
dockerfile_path="$(pwd)/$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE"
elif [ -e "$SOURCE_CODE_DIR/$DOCKERFILE" ]; then
dockerfile_path="$(pwd)/$SOURCE_CODE_DIR/$DOCKERFILE"
elif [ -e "$DOCKERFILE" ]; then
# Custom Dockerfile location is mainly used for instrumented builds for SAST scanning and analyzing.
# Instrumented builds use this step as their base and also need to provide modified Dockerfile.
dockerfile_path="$DOCKERFILE"
elif echo "$DOCKERFILE" | grep -q "^https\?://"; then
echo "Fetch Dockerfile from $DOCKERFILE"
dockerfile_path=$(mktemp --suffix=-Dockerfile)
Expand Down Expand Up @@ -396,6 +400,13 @@ spec:
echo "Adding the entitlement to the build"
fi
# ADDITIONAL_VOLUME_MOUNTS allows to specify more volumes for the build.
# This is primarily used in instrumented builds for SAST scanning and analyzing.
# Instrumented builds use this step as their base and add some other tools.
while read -r volume_mount; do
VOLUME_MOUNTS+=("--volume=$volume_mount")
done <<< "$ADDITIONAL_VOLUME_MOUNTS"
ADDITIONAL_SECRET_PATH="/additional-secret"
ADDITIONAL_SECRET_TMP="/tmp/additional-secret"
if [ -d "$ADDITIONAL_SECRET_PATH" ]; then

