
Modify buildah task to allow creating SAST scan tasks via kustomize #1525

Merged: 1 commit merged into konflux-ci:main from STONEBLD-2804-2, Oct 25, 2024

Conversation

mmorhun

@mmorhun mmorhun commented Oct 22, 2024

We need to modify the buildah task in order to be able to create SAST scanning tasks that have identical build logic to the original buildah task, but also have the ability to:

  • override the image used for the build step
  • override the computeResources requirements for the task
  • modify Dockerfile prior to running the buildah build
  • specify additional volume mounts for the buildah build
  • process the captured data after the container build
  • prevent the resulting image from being used as the task result

Also:

  • The instrumented build-container SAST task will be provided with the same inputs as the original build-container task
  • The instrumented build-container SAST task will be able to upload the SAST scanning results to the image registry

SAST scan tasks can be created using the following kustomize file:

# Task name
- op: replace
  path: /metadata/name
  value: buildah-sast

# Task description
- op: replace
  path: /spec/description
  value: |-
    Buildah sast task builds source code to do SAST analysis.

# Replace task results
- op: replace
  path: /spec/results
  value:
    - description: Short summary of SAST scan results.
      name: SCAN_OUTPUT
    - description: Tekton task test output.
      name: TEST_OUTPUT
    - description: SAST scanning results artifact URL.
      name: SAST_RESULT_URL

###################
# Task steps
###################

# Remove all buildah task steps except build
- op: remove
  path: /spec/steps/5 # upload-sbom
- op: remove
  path: /spec/steps/4 # inject-sbom-and-push
- op: remove
  path: /spec/steps/3 # prepare-sboms
- op: remove
  path: /spec/steps/2 # analyse-dependencies-java-sbom
- op: remove
  path: /spec/steps/1 # sbom-syft-generate

# Tune the build step (the only one left).

  # Change build step image
- op: replace
  path: /spec/steps/0/image
  # New image should be based on quay.io/konflux-ci/buildah-task:latest or have all the tooling that the original image has.
  value: quay.io/konflux-ci/buildah-task:latest

  # Change build step resources
- op: replace
  path: /spec/steps/0/computeResources/limits/memory
  value: 10Gi
- op: replace
  path: /spec/steps/0/computeResources/requests/memory
  value: 5Gi

  # Replace Dockerfile location to not to change the original one
- op: replace
  path: /spec/steps/0/env/1/value
  value: /tekton/home/sast.Dockerfile

  # Additional volumes
- op: add
  path: /spec/steps/0/env/-
  value:
    name: ADDITIONAL_VOLUME_MOUNTS
    value: >-
       /tekton/home/sast-scan-results:/sast-scan-results

# Add prepare and postprocess steps
  # Prepare step
- op: add
  path: /spec/steps/0
  value:
    name: prepare
    image: quay.io/konflux-ci/buildah-task:latest
    computeResources:
      limits:
        memory: 1Gi
        cpu: '1'
      requests:
        memory: 0.5Gi
        cpu: '0.5'
    env:
    - name: DOCKERFILE
      value: $(params.DOCKERFILE)
    # CONTEXT is referenced by the Dockerfile discovery logic below; without it
    # the lookup would silently run against an empty context directory.
    - name: CONTEXT
      value: $(params.CONTEXT)
    workingDir: $(workspaces.source.path)
    script: |
      # Dockerfile discovery logic is copied from buildah task
      SOURCE_CODE_DIR=source
      if [ -e "$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE" ]; then
        dockerfile_path="$(pwd)/$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE"
      elif [ -e "$SOURCE_CODE_DIR/$DOCKERFILE" ]; then
        dockerfile_path="$(pwd)/$SOURCE_CODE_DIR/$DOCKERFILE"
      elif [ -e "$DOCKERFILE" ]; then
        dockerfile_path="$DOCKERFILE"
      elif echo "$DOCKERFILE" | grep -q "^https\?://"; then
        echo "Fetch Dockerfile from $DOCKERFILE"
        dockerfile_path=$(mktemp --suffix=-Dockerfile)
        http_code=$(curl -s -L -w "%{http_code}" --output "$dockerfile_path" "$DOCKERFILE")
        if [ "$http_code" != 200 ]; then
          echo "No Dockerfile is fetched. Server responds $http_code"
          exit 1
        fi
        http_code=$(curl -s -L -w "%{http_code}" --output "$dockerfile_path.dockerignore.tmp" "$DOCKERFILE.dockerignore")
        if [ "$http_code" = 200 ]; then
          echo "Fetched .dockerignore from $DOCKERFILE.dockerignore"
          mv "$dockerfile_path.dockerignore.tmp" "$SOURCE_CODE_DIR/$CONTEXT/.dockerignore"
        fi
      else
        echo "Cannot find Dockerfile $DOCKERFILE"
        exit 1
      fi

      cp "$dockerfile_path" /tekton/home/sast.Dockerfile
      dockerfile_path=/tekton/home/sast.Dockerfile

      # Modify Dockerfile
      sed -i '1 i\ARG NEW_ARG=default-value' "$dockerfile_path"

      echo 'Modified Dockerfile:'
      cat "$dockerfile_path"

      # Prepare directory for the SAST scan results
      mkdir /tekton/home/sast-scan-results

  # Postprocess step
- op: add
  path: /spec/steps/2
  value:
    name: postprocess
    image: quay.io/konflux-ci/buildah-task:latest
    computeResources:
      limits:
        memory: 1Gi
        cpu: '1'
      requests:
        memory: 0.5Gi
        cpu: '0.5'
    workingDir: $(workspaces.source.path)
    script: |
      ls -l /tekton/home/sast-scan-results
      echo 'Postprocessing SAST results'

      # buildah push quay.io/results-image
      echo "buildah push quay.io/org/results-image"

An example PR can be found here.

Then, the SAST task can be used in the pipeline by copying the original buildah task definition and replacing the task bundle, for example:

...
    - name: build-container-sast
      params:
      - name: IMAGE
        value: $(params.output-image)
      - name: DOCKERFILE
        value: $(params.dockerfile)
      - name: CONTEXT
        value: $(params.path-context)
      - name: HERMETIC
        value: $(params.hermetic)
      - name: PREFETCH_INPUT
        value: $(params.prefetch-input)
      - name: IMAGE_EXPIRES_AFTER
        value: $(params.image-expires-after)
      - name: COMMIT_SHA
        value: $(tasks.clone-repository.results.commit)
      - name: BUILD_ARGS
        value:
        - $(params.build-args[*])
      - name: BUILD_ARGS_FILE
        value: $(params.build-args-file)
      runAfter:
      - prefetch-dependencies
      taskRef:
        params:
        - name: name
          value: buildah-sast
        - name: bundle
          value: quay.io/org/sast-task-bundle:tag@sha1234abcd
        - name: kind
          value: task
        resolver: bundles
      when:
      - input: $(tasks.init.results.build)
        operator: in
        values:
        - "true"
      workspaces:
      - name: source
        workspace: workspace
...
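As an added review check that is not part of the PR: the patch ops above applied, with a minimal RFC 6902 applier written here, to a constructed stand-in task whose step list mirrors the indices the patch comments name. It shows why the `remove` ops must run from index 5 down to 1, and lets a reviewer assert that the derived task ends up with exactly `prepare`, `build`, `postprocess` and no longer declares the image results the original task would hand downstream.

```python
import copy

# Constructed stand-in for the buildah task (not the real file): the step order
# the PR's patch indexes (0..5) plus the fields the patch touches.
BUILDAH_TASK = {"metadata": {"name": "buildah"}, "spec": {
    "results": [{"name": "IMAGE_URL"}, {"name": "IMAGE_DIGEST"}],
    "steps": [{"name": "build", "env": [{"name": "CONTEXT", "value": "$(params.CONTEXT)"},
                                        {"name": "DOCKERFILE", "value": "$(params.DOCKERFILE)"}]},
              {"name": "sbom-syft-generate"}, {"name": "analyse-dependencies-java-sbom"},
              {"name": "prepare-sboms"}, {"name": "inject-sbom-and-push"}, {"name": "upload-sbom"}]}}

# The PR's step-shaping ops. Removals run from index 5 down to 1 so each path still
# points at the step its comment names; then prepare lands at 0 and postprocess at 2.
SAST_PATCH = [
    {"op": "replace", "path": "/metadata/name", "value": "buildah-sast"},
    {"op": "replace", "path": "/spec/results", "value": [{"name": "SAST_RESULT_URL"}]},
    *[{"op": "remove", "path": f"/spec/steps/{i}"} for i in (5, 4, 3, 2, 1)],
    {"op": "replace", "path": "/spec/steps/0/env/1/value", "value": "/tekton/home/sast.Dockerfile"},
    {"op": "add", "path": "/spec/steps/0/env/-", "value": {"name": "ADDITIONAL_VOLUME_MOUNTS",
                                                         "value": "/tekton/home/sast-scan-results:/sast-scan-results"}},
    {"op": "add", "path": "/spec/steps/0", "value": {"name": "prepare"}},
    {"op": "add", "path": "/spec/steps/2", "value": {"name": "postprocess"}},
]

def apply_patch(doc, ops):
    """Minimal RFC 6902 add/remove/replace applier over JSON-pointer paths."""
    doc = copy.deepcopy(doc)
    for op in ops:
        *parents, key = op["path"].lstrip("/").split("/")
        node = doc
        for p in parents:
            node = node[int(p)] if isinstance(node, list) else node[p]
        if isinstance(node, list) and key != "-":
            key = int(key)
        if op["op"] == "remove":
            del node[key]
        elif op["op"] == "add" and isinstance(node, list):
            node.insert(len(node) if key == "-" else key, op["value"])
        elif op["op"] == "replace" and isinstance(node, dict) and key not in node:
            raise KeyError(op["path"])  # kustomize also rejects replacing a missing key
        else:
            node[key] = op["value"]
    return doc

def audit_sast_task(task):
    """Findings on a derived SAST task; an empty list is the intended shape."""
    names, findings = [s["name"] for s in task["spec"]["steps"]], []
    if names != ["prepare", "build", "postprocess"]:
        findings.append(f"unexpected steps {names}")
    if {r["name"] for r in task["spec"]["results"]} & {"IMAGE_URL", "IMAGE_DIGEST"}:
        findings.append("image results still declared; downstream tasks could consume the SAST image")
    return findings
```

Running the same removals in ascending order (1, 2, 3, 4, 5) fails with an index error after the third one, because the list has already shrunk under the remaining paths.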

@mmorhun mmorhun force-pushed the STONEBLD-2804-2 branch 2 times, most recently from c7a2d47 to 96ec78f Compare October 24, 2024 09:18

@chmeliik chmeliik left a comment


LGTM, just need to re-generate the other buildah variants

@tkdchen

tkdchen commented Oct 25, 2024

/retest

@mmorhun mmorhun added this pull request to the merge queue Oct 25, 2024
Merged via the queue into konflux-ci:main with commit 36a8ba1 Oct 25, 2024
14 checks passed