Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

task: Add M2M support for rhacs-image-check #1261

Merged
merged 1 commit into from
May 31, 2024
Merged

task: Add M2M support for rhacs-image-check #1261

merged 1 commit into from
May 31, 2024

Conversation

dhaus67
Copy link
Contributor

@dhaus67 dhaus67 commented May 13, 2024
edited

Changes

Add a new version of the rhacs-image-check task that can be configured either with authorization using API tokens (similar configuration to 3.71 version of the task), or with authorization using short-lived tokens received from the new rhacs-m2m-authenticate task.

Both configuration variants have a sample with the expected Secret, Pipeline and PipelineRun objects.

Submitter Checklist

These are the criteria that every PR should meet, please check them off as you
review them:

  • Follows the authoring recommendations
  • Includes docs (if user facing)
  • Includes tests (for new tasks or changed functionality)
  • Meets the Tekton contributor standards (including functionality, content, code)
  • Commit messages follow commit message best practices
  • Has a kind label. You can add one by adding a comment on this PR that
    contains /kind <type>. Valid types are bug, cleanup, design, documentation,
    feature, flake, misc, question, tep
  • Complies with Catalog Organization TEP, see example. Note An issue has been filed to automate this validation

    • File path follows <kind>/<name>/<version>/name.yaml

    • Has README.md at <kind>/<name>/<version>/README.md

    • Has mandatory metadata.labels - app.kubernetes.io/version the same as the <version> of the resource

    • Has mandatory metadata.annotations tekton.dev/pipelines.minVersion

    • mandatory spec.description follows the convention

        ```

  spec:
    description: >-
      one line summary of the resource

      Paragraph(s) to describe the resource.
  ```

See the contribution guide for more details.

@linux-foundation-easycla Linux Foundation: EasyCLA
Copy link

linux-foundation-easycla bot commented May 13, 2024
edited

CLA Signed

The committers listed above are authorized under a signed CLA.

@tekton-robot tekton-robot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label May 13, 2024
@tekton-robot
Copy link

Hi @dhaus67. Thanks for your PR.

I'm waiting for a tektoncd member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@tekton-robot tekton-robot added the size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. label May 13, 2024
@tekton-robot
Copy link

Diff between version and 4.0 
diff --git a/task/rhacs-image-check/3.71/README.md b/task/rhacs-image-check/3.71/README.md
deleted file mode 100644
index 8e09b30..0000000
--- a/task/rhacs-image-check/3.71/README.md
+++ /dev/null
@@ -1,63 +0,0 @@
-# Red Hat Advanced Cluster Security Image Check Task
-
-Check an image against RHACS build and deploy lifecycle policies to validate a pipeline run using `roxctl`.
-
-It's a companion to the rhacs-image-scan task, which returns full vulnerability scan results for an image.
-
-## Prerequisites
-
-This task requires an active installation of [Red Hat Advanced Cluster Security (RHACS)](https://www.redhat.com/en/resources/advanced-cluster-security-for-kubernetes-datasheet).  It also requires configuration of secrets for the Central endpoint and an API token with at least CI privileges.
-
-## Install the Task
-
-```bash
-kubectl apply -f https://api.hub.tekton.dev/v1/resource/tekton/task/rhacs-image-check/3.71/raw
-```
-
-## Parameters
-
-- **`image`**: Full name of image to scan. Examples: _gcr.io/rox/sample:5.0-rc1, **$(params.IMAGE)**, $(params.IMAGE)@$(tasks.buildah.results.IMAGE_DIGEST)_
-- **`insecure-skip-tls-verify`**: Skip verification the TLS certs for Central endpoint and registry. Examples: _"true", **"false"**_.
-- **`output_format`**:  Examples: _**table**, csv, json, junit_
-- **`rox_central_endpoint`**: Secret containing the address:port tuple for StackRox Central. Default: _**rox-central-endpoint**_
-- **`rox_api_token`**: Secret containing the StackRox API token with CI permissions. Default: _**rox-api-token**_
-
-## Usage
-
-Checks images that have been pushed to a registry.  This enables scanning regardless of whether the build is using traditional Docker-based approaches, hosted/SaaS-based approaches where the Docker socket may not be directly available, or rootless approaches like `kaniko` and `buildah`.
-
-If the image violates one or more enforced policies, this task will return a failure and cause the pipeline run to fail.
-
-**Example secret creation:**
-
-```bash
-kubectl create secret generic rox-api-token \
-  --from-literal=rox_api_token="$ROX_API_TOKEN"
-kubectl create secret generic rox-central-endpoint \
-  --from-literal=rox_central_endpoint=central.stackrox.svc:443
-```
-
-**Example task use:**
-
-```yaml
-  tasks:
-    - name: image-check
-      taskRef:
-        name: rhacs-image-check
-        kind: Task
-      params:
-        - name: image
-          value: "$(params.IMAGE)@$(tasks.build-image.results.IMAGE_DIGEST)"
-      runAfter:
-      - image-scan
-```
-
-**Samples:**
-
-- [secrets.yaml](samples/secrets.yaml) example secret
-- [pipeline.yaml](samples/pipeline.yaml) demonstrates use in a pipeline.
-- [pipelinerun.yaml](samples/pipelinerun.yaml) demonstrates use in a pipelinerun.
-
-# Known Issues
-
-* Skipping TLS Verify is currently required. TLS trust bundle not working for quay.io etc.
\ No newline at end of file
diff --git a/task/rhacs-image-check/3.71/rhacs-image-check.yaml b/task/rhacs-image-check/3.71/rhacs-image-check.yaml
deleted file mode 100644
index e7ae511..0000000
--- a/task/rhacs-image-check/3.71/rhacs-image-check.yaml
+++ /dev/null
@@ -1,82 +0,0 @@
----
-apiVersion: tekton.dev/v1beta1
-kind: Task
-metadata:
-  name: rhacs-image-check
-  labels:
-    app.kubernetes.io/version: "3.71"
-  annotations:
-    tekton.dev/tags: security
-    tekton.dev/categories: Security
-    tekton.dev/displayName: "Policy check an image with Red Hat Advanced Cluster Security"
-    tekton.dev/platforms: "linux/amd64"
-    tekton.dev/pipelines.minVersion: "0.18.0"
-spec:
-  description: >-
-    Policy check an image with Red Hat Advanced Cluster Security.
-
-    This tasks allows you to check an image against build-time policies
-    and apply enforcement to fail builds.  It's a companion to the
-    rhacs-image-scan task, which returns full vulnerability scan
-    results for an image.
-  params:
-    - name: rox_central_endpoint
-      type: string
-      description: Name of secret containing the address:port tuple for RHACS Stackrox Central.
-      default: rox-central-endpoint
-    - name: rox_api_token
-      type: string
-      description: Name of secret containing the RHACS StackRox API token with CI permissions.
-      default: rox-api-token
-    - name: rox_image
-      description: Image providing the roxctl tool.
-      default: quay.io/stackrox-io/roxctl:3.71.0
-    - name: image
-      type: string
-      description: |
-        Full name of image to check.
-        Examples: 'gcr.io/rox/sample:5.0-rc1', '$(params.IMAGE)', '$(params.IMAGE)@$(tasks.buildah.results.IMAGE_DIGEST)'
-      default: '$(params.IMAGE)'
-    - name: output_format
-      description: Results output format (csv | json | junit | table)
-      type: string
-      default: "table"
-    - name: insecure-skip-tls-verify
-      type: string
-      description: |
-        Do not verify TLS certificates.
-
-        When set to "true", skip verifying the TLS certs of the Central endpoint and registry.
-      default: "false"
-  results:
-    - name: check_output
-      description: Output of `roxctl image check`
-  steps:
-    - name: rox-image-check
-      image: $(params.rox_image)
-      env:
-        - name: HOME
-          value: /tekton/home
-        - name: IMAGE
-          value: $(params.image)
-        - name: INSECURE
-          value: $(params.insecure-skip-tls-verify)
-        - name: OUTPUT
-          value: $(params.output_format)
-        - name: ROX_API_TOKEN
-          valueFrom:
-            secretKeyRef:
-              name: $(params.rox_api_token)
-              key: rox_api_token
-        - name: ROX_CENTRAL_ENDPOINT
-          valueFrom:
-            secretKeyRef:
-              name: $(params.rox_central_endpoint)
-              key: rox_central_endpoint
-      args:
-        - image
-        - check
-        - --endpoint=$(ROX_CENTRAL_ENDPOINT)
-        - --insecure-skip-tls-verify=$(INSECURE)
-        - --output=$(OUTPUT)
-        - --image=$(IMAGE)
\ No newline at end of file
diff --git a/task/rhacs-image-check/3.71/samples/pipeline.yaml b/task/rhacs-image-check/3.71/samples/pipeline.yaml
deleted file mode 100644
index 3fe2941..0000000
--- a/task/rhacs-image-check/3.71/samples/pipeline.yaml
+++ /dev/null
@@ -1,100 +0,0 @@
-apiVersion: tekton.dev/v1beta1
-kind: Pipeline
-metadata:
-  name: rox-pipeline
-spec:
-
-  workspaces:
-    - name: shared-workspace
-
-  params:
-    - name: deployment-name
-      type: string
-      description: name of the deployment resource to be patched
-    - name: deployment
-      type: string
-      description: filename of the deployment to be patched
-    - name: git-url
-      type: string
-      description: url of the git repo for the code of deployment
-    - name: git-revision
-      type: string
-      description: revision to be used from repo of the code for deployment
-      default: main
-    - name: IMAGE
-      type: string
-      description: image to be build from the code
-
-  tasks:
-    # checkout source code
-    - name: fetch-repository
-      taskRef:
-        name: git-clone
-        kind: ClusterTask
-      workspaces:
-      - name: output
-        workspace: shared-workspace
-      params:
-      - name: url
-        value: $(params.git-url)
-      - name: subdirectory
-        value: ""
-      - name: deleteExisting
-        value: "true"
-      - name: revision
-        value: $(params.git-revision)
-
-    # validate deployment against defined  RHACS policies
-    - name: police-deployment
-      taskRef:
-        name: rhacs-deployment-check
-        kind: Task
-      workspaces:
-      - name: source
-        workspace: shared-workspace
-      params:
-      - name: deployment
-        value: $(params.deployment)
-      - name: insecure-skip-tls-verify
-        value: "true"
-      runAfter:
-      - fetch-repository
-
-    - name: build-image
-      taskRef:
-        name: buildah
-        kind: ClusterTask
-      params:
-      - name: IMAGE
-        value: $(params.IMAGE)
-      workspaces:
-      - name: source
-        workspace: shared-workspace
-      runAfter:
-      - fetch-repository
-
-    # scan image for vulns using RHACS
-    - name: scan-image
-      taskRef:
-        name: rhacs-image-scan
-        kind: Task
-      params:
-      - name: image
-        value: "$(params.IMAGE)@$(tasks.build-image.results.IMAGE_DIGEST)"
-      - name: insecure-skip-tls-verify
-        value: "true" # stackrox to OCP image registry x509 fail...
-      runAfter:
-      - build-image
-
-    # validate image against RHACS policies
-    - name: police-image
-      taskRef:
-        name: rhacs-image-check
-        kind: Task
-      params:
-      - name: image
-        value: "$(params.IMAGE)@$(tasks.build-image.results.IMAGE_DIGEST)"
-      - name: insecure-skip-tls-verify
-        value: "true"
-      runAfter:
-      - scan-image
diff --git a/task/rhacs-image-check/3.71/samples/rox-secrets.yaml b/task/rhacs-image-check/3.71/samples/rox-secrets.yaml
deleted file mode 100644
index 67ef9e3..0000000
--- a/task/rhacs-image-check/3.71/samples/rox-secrets.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
----
-apiVersion: v1
-stringData:
-  rox_central_endpoint: "{{ central_addr }}:{{ central_port }}"
-  # The address:port tuple for StackRox Central (example - central.stackrox.svc:443)
-  # This must include the port number
-  rox_api_token: "{{ rox_api_token }}"
-  # StackRox API token with CI permissions
-  # Refer to below
-  # https://help.stackrox.com/docs/use-the-api/#generate-an-access-token
-kind: Secret
-metadata:
-  name: roxsecrets
-  namespace: pipeline-demo
-type: Opaque
diff --git a/task/rhacs-image-check/4.0/samples/with-api-token/secrets.yaml b/task/rhacs-image-check/4.0/samples/with-api-token/secrets.yaml
deleted file mode 100644
index 304f9b0..0000000
--- a/task/rhacs-image-check/4.0/samples/with-api-token/secrets.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
----
-apiVersion: v1
-kind: Secret
-type: Opaque
-metadata:
-  name: rox-api-token
-data:
-  rox_api_token: EXAMPLE
----
-apiVersion: v1
-kind: Secret
-type: Opaque
-data:
-  rox_central_endpoint: Y2VudHJhbC5zdGFja3JveC5zdmM6NDQz
-metadata:
-  name: rox-central-endpoint
diff --git a/task/rhacs-image-check/4.0/samples/with-m2m-token/pipelinerun.yaml b/task/rhacs-image-check/4.0/samples/with-m2m-token/pipelinerun.yaml
deleted file mode 100644
index ccdfa5f..0000000
--- a/task/rhacs-image-check/4.0/samples/with-m2m-token/pipelinerun.yaml
+++ /dev/null
@@ -1,30 +0,0 @@
----
-apiVersion: tekton.dev/v1beta1
-kind: PipelineRun
-metadata:
-  name: rox-pipelinerun
-spec:
-  pipelineRef:
-    name: rox-pipeline
-  params:
-  - name: deployment-name
-    value: pipelines-vote-api
-  - name: deployment
-    value: k8s/deployment.yaml
-  - name: git-url
-    value: https://github.com/openshift/pipelines-vote-api.git
-  - name: git-revision
-    value: pipelines-1.7
-  - name: IMAGE
-    value: image-registry.openshift-image-registry.svc:5000/$(context.pipelineRun.namespace)/pipelines-vote-ui
-  - name: insecure-skip-tls-verify
-    value: "true"
-  workspaces:
-  - name: shared-workspace
-    volumeClaimTemplate:
-      spec:
-        accessModes:
-          - ReadWriteOnce
-        resources:
-          requests:
-            storage: 500Mi
diff --git a/task/rhacs-image-check/OWNERS b/task/rhacs-image-check/OWNERS
deleted file mode 100644
index 1af341f..0000000
--- a/task/rhacs-image-check/OWNERS
+++ /dev/null
@@ -1,6 +0,0 @@
-approvers:
-- dlbewley
-- MoOyeg
-reviewers:
-- dlbewley
-- MoOyeg
diff --git a/task/rhacs-image-check/3.71/samples/secrets.yaml b/task/rhacs-image-check/4.0/samples/with-api-token/secrets.yaml
similarity index 100%
rename from task/rhacs-image-check/3.71/samples/secrets.yaml
rename to task/rhacs-image-check/4.0/samples/with-api-token/secrets.yaml
diff --git a/task/rhacs-image-check/3.71/samples/pipelinerun.yaml b/task/rhacs-image-check/4.0/samples/with-m2m-token/pipelinerun.yaml
similarity index 100%
rename from task/rhacs-image-check/3.71/samples/pipelinerun.yaml
rename to task/rhacs-image-check/4.0/samples/with-m2m-token/pipelinerun.yaml

@dhaus67 dhaus67 mentioned this pull request May 13, 2024
Merged
12 tasks
@dhaus67
Copy link
Contributor Author

dhaus67 commented May 13, 2024

/kind feature

@tekton-robot tekton-robot added the kind/feature Categorizes issue or PR as related to a new feature. label May 13, 2024
khrm
khrm reviewed May 14, 2024
View reviewed changes
Copy link
Contributor

@khrm khrm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/ok-to-test

@tekton-robot tekton-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels May 14, 2024
@tekton-robot
Copy link

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: vdemeester

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@tekton-robot tekton-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 14, 2024
@dhaus67
Copy link
Contributor Author

dhaus67 commented May 16, 2024

/verify-owners

@dhaus67
Copy link
Contributor Author

dhaus67 commented May 21, 2024

/assign vdemeester

vinamra28
vinamra28 reviewed May 27, 2024
View reviewed changes
task/rhacs-image-check/4.0/rhacs-image-check.yaml Outdated
tekton.dev/categories: Security
tekton.dev/displayName: "Policy check an image with Red Hat Advanced Cluster Security"
tekton.dev/platforms: "linux/amd64,linux/arm64,linux/ppc64le,linux/s390x,darwin/amd64,darwin/arm64,windows/amd64"
tekton.dev/pipelines.minVersion: "0.43.0"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I guess tekton.dev/v1 was introduced in 0.50.0 can we set that version here? 😅

@vinamra28
Copy link
Member

/test pull-catalog-catlin-lint

@tekton-robot
Copy link

@vinamra28: The specified target(s) for /test were not found.
The following commands are available to trigger required jobs:

  • /test pull-tekton-catalog-build-tests
  • /test pull-tekton-catalog-integration-tests
  • /test pull-tekton-catalog-unit-tests

Use /test all to run all jobs.

In response to this:

/test pull-catalog-catlin-lint

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@tekton-robot
Copy link

Diff between version and 4.0 
diff --git a/task/rhacs-image-check/3.71/README.md b/task/rhacs-image-check/3.71/README.md
deleted file mode 100644
index 8e09b30..0000000
--- a/task/rhacs-image-check/3.71/README.md
+++ /dev/null
@@ -1,63 +0,0 @@
-# Red Hat Advanced Cluster Security Image Check Task
-
-Check an image against RHACS build and deploy lifecycle policies to validate a pipeline run using `roxctl`.
-
-It's a companion to the rhacs-image-scan task, which returns full vulnerability scan results for an image.
-
-## Prerequisites
-
-This task requires an active installation of [Red Hat Advanced Cluster Security (RHACS)](https://www.redhat.com/en/resources/advanced-cluster-security-for-kubernetes-datasheet).  It also requires configuration of secrets for the Central endpoint and an API token with at least CI privileges.
-
-## Install the Task
-
-```bash
-kubectl apply -f https://api.hub.tekton.dev/v1/resource/tekton/task/rhacs-image-check/3.71/raw
-```
-
-## Parameters
-
-- **`image`**: Full name of image to scan. Examples: _gcr.io/rox/sample:5.0-rc1, **$(params.IMAGE)**, $(params.IMAGE)@$(tasks.buildah.results.IMAGE_DIGEST)_
-- **`insecure-skip-tls-verify`**: Skip verification the TLS certs for Central endpoint and registry. Examples: _"true", **"false"**_.
-- **`output_format`**:  Examples: _**table**, csv, json, junit_
-- **`rox_central_endpoint`**: Secret containing the address:port tuple for StackRox Central. Default: _**rox-central-endpoint**_
-- **`rox_api_token`**: Secret containing the StackRox API token with CI permissions. Default: _**rox-api-token**_
-
-## Usage
-
-Checks images that have been pushed to a registry.  This enables scanning regardless of whether the build is using traditional Docker-based approaches, hosted/SaaS-based approaches where the Docker socket may not be directly available, or rootless approaches like `kaniko` and `buildah`.
-
-If the image violates one or more enforced policies, this task will return a failure and cause the pipeline run to fail.
-
-**Example secret creation:**
-
-```bash
-kubectl create secret generic rox-api-token \
-  --from-literal=rox_api_token="$ROX_API_TOKEN"
-kubectl create secret generic rox-central-endpoint \
-  --from-literal=rox_central_endpoint=central.stackrox.svc:443
-```
-
-**Example task use:**
-
-```yaml
-  tasks:
-    - name: image-check
-      taskRef:
-        name: rhacs-image-check
-        kind: Task
-      params:
-        - name: image
-          value: "$(params.IMAGE)@$(tasks.build-image.results.IMAGE_DIGEST)"
-      runAfter:
-      - image-scan
-```
-
-**Samples:**
-
-- [secrets.yaml](samples/secrets.yaml) example secret
-- [pipeline.yaml](samples/pipeline.yaml) demonstrates use in a pipeline.
-- [pipelinerun.yaml](samples/pipelinerun.yaml) demonstrates use in a pipelinerun.
-
-# Known Issues
-
-* Skipping TLS Verify is currently required. TLS trust bundle not working for quay.io etc.
\ No newline at end of file
diff --git a/task/rhacs-image-check/3.71/rhacs-image-check.yaml b/task/rhacs-image-check/3.71/rhacs-image-check.yaml
deleted file mode 100644
index e7ae511..0000000
--- a/task/rhacs-image-check/3.71/rhacs-image-check.yaml
+++ /dev/null
@@ -1,82 +0,0 @@
----
-apiVersion: tekton.dev/v1beta1
-kind: Task
-metadata:
-  name: rhacs-image-check
-  labels:
-    app.kubernetes.io/version: "3.71"
-  annotations:
-    tekton.dev/tags: security
-    tekton.dev/categories: Security
-    tekton.dev/displayName: "Policy check an image with Red Hat Advanced Cluster Security"
-    tekton.dev/platforms: "linux/amd64"
-    tekton.dev/pipelines.minVersion: "0.18.0"
-spec:
-  description: >-
-    Policy check an image with Red Hat Advanced Cluster Security.
-
-    This tasks allows you to check an image against build-time policies
-    and apply enforcement to fail builds.  It's a companion to the
-    rhacs-image-scan task, which returns full vulnerability scan
-    results for an image.
-  params:
-    - name: rox_central_endpoint
-      type: string
-      description: Name of secret containing the address:port tuple for RHACS Stackrox Central.
-      default: rox-central-endpoint
-    - name: rox_api_token
-      type: string
-      description: Name of secret containing the RHACS StackRox API token with CI permissions.
-      default: rox-api-token
-    - name: rox_image
-      description: Image providing the roxctl tool.
-      default: quay.io/stackrox-io/roxctl:3.71.0
-    - name: image
-      type: string
-      description: |
-        Full name of image to check.
-        Examples: 'gcr.io/rox/sample:5.0-rc1', '$(params.IMAGE)', '$(params.IMAGE)@$(tasks.buildah.results.IMAGE_DIGEST)'
-      default: '$(params.IMAGE)'
-    - name: output_format
-      description: Results output format (csv | json | junit | table)
-      type: string
-      default: "table"
-    - name: insecure-skip-tls-verify
-      type: string
-      description: |
-        Do not verify TLS certificates.
-
-        When set to "true", skip verifying the TLS certs of the Central endpoint and registry.
-      default: "false"
-  results:
-    - name: check_output
-      description: Output of `roxctl image check`
-  steps:
-    - name: rox-image-check
-      image: $(params.rox_image)
-      env:
-        - name: HOME
-          value: /tekton/home
-        - name: IMAGE
-          value: $(params.image)
-        - name: INSECURE
-          value: $(params.insecure-skip-tls-verify)
-        - name: OUTPUT
-          value: $(params.output_format)
-        - name: ROX_API_TOKEN
-          valueFrom:
-            secretKeyRef:
-              name: $(params.rox_api_token)
-              key: rox_api_token
-        - name: ROX_CENTRAL_ENDPOINT
-          valueFrom:
-            secretKeyRef:
-              name: $(params.rox_central_endpoint)
-              key: rox_central_endpoint
-      args:
-        - image
-        - check
-        - --endpoint=$(ROX_CENTRAL_ENDPOINT)
-        - --insecure-skip-tls-verify=$(INSECURE)
-        - --output=$(OUTPUT)
-        - --image=$(IMAGE)
\ No newline at end of file
diff --git a/task/rhacs-image-check/3.71/samples/pipeline.yaml b/task/rhacs-image-check/3.71/samples/pipeline.yaml
deleted file mode 100644
index 3fe2941..0000000
--- a/task/rhacs-image-check/3.71/samples/pipeline.yaml
+++ /dev/null
@@ -1,100 +0,0 @@
-apiVersion: tekton.dev/v1beta1
-kind: Pipeline
-metadata:
-  name: rox-pipeline
-spec:
-
-  workspaces:
-    - name: shared-workspace
-
-  params:
-    - name: deployment-name
-      type: string
-      description: name of the deployment resource to be patched
-    - name: deployment
-      type: string
-      description: filename of the deployment to be patched
-    - name: git-url
-      type: string
-      description: url of the git repo for the code of deployment
-    - name: git-revision
-      type: string
-      description: revision to be used from repo of the code for deployment
-      default: main
-    - name: IMAGE
-      type: string
-      description: image to be build from the code
-
-  tasks:
-    # checkout source code
-    - name: fetch-repository
-      taskRef:
-        name: git-clone
-        kind: ClusterTask
-      workspaces:
-      - name: output
-        workspace: shared-workspace
-      params:
-      - name: url
-        value: $(params.git-url)
-      - name: subdirectory
-        value: ""
-      - name: deleteExisting
-        value: "true"
-      - name: revision
-        value: $(params.git-revision)
-
-    # validate deployment against defined  RHACS policies
-    - name: police-deployment
-      taskRef:
-        name: rhacs-deployment-check
-        kind: Task
-      workspaces:
-      - name: source
-        workspace: shared-workspace
-      params:
-      - name: deployment
-        value: $(params.deployment)
-      - name: insecure-skip-tls-verify
-        value: "true"
-      runAfter:
-      - fetch-repository
-
-    - name: build-image
-      taskRef:
-        name: buildah
-        kind: ClusterTask
-      params:
-      - name: IMAGE
-        value: $(params.IMAGE)
-      workspaces:
-      - name: source
-        workspace: shared-workspace
-      runAfter:
-      - fetch-repository
-
-    # scan image for vulns using RHACS
-    - name: scan-image
-      taskRef:
-        name: rhacs-image-scan
-        kind: Task
-      params:
-      - name: image
-        value: "$(params.IMAGE)@$(tasks.build-image.results.IMAGE_DIGEST)"
-      - name: insecure-skip-tls-verify
-        value: "true" # stackrox to OCP image registry x509 fail...
-      runAfter:
-      - build-image
-
-    # validate image against RHACS policies
-    - name: police-image
-      taskRef:
-        name: rhacs-image-check
-        kind: Task
-      params:
-      - name: image
-        value: "$(params.IMAGE)@$(tasks.build-image.results.IMAGE_DIGEST)"
-      - name: insecure-skip-tls-verify
-        value: "true"
-      runAfter:
-      - scan-image
diff --git a/task/rhacs-image-check/3.71/samples/rox-secrets.yaml b/task/rhacs-image-check/3.71/samples/rox-secrets.yaml
deleted file mode 100644
index 67ef9e3..0000000
--- a/task/rhacs-image-check/3.71/samples/rox-secrets.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
----
-apiVersion: v1
-stringData:
-  rox_central_endpoint: "{{ central_addr }}:{{ central_port }}"
-  # The address:port tuple for StackRox Central (example - central.stackrox.svc:443)
-  # This must include the port number
-  rox_api_token: "{{ rox_api_token }}"
-  # StackRox API token with CI permissions
-  # Refer to below
-  # https://help.stackrox.com/docs/use-the-api/#generate-an-access-token
-kind: Secret
-metadata:
-  name: roxsecrets
-  namespace: pipeline-demo
-type: Opaque
diff --git a/task/rhacs-image-check/4.0/samples/with-api-token/secrets.yaml b/task/rhacs-image-check/4.0/samples/with-api-token/secrets.yaml
deleted file mode 100644
index 304f9b0..0000000
--- a/task/rhacs-image-check/4.0/samples/with-api-token/secrets.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
----
-apiVersion: v1
-kind: Secret
-type: Opaque
-metadata:
-  name: rox-api-token
-data:
-  rox_api_token: EXAMPLE
----
-apiVersion: v1
-kind: Secret
-type: Opaque
-data:
-  rox_central_endpoint: Y2VudHJhbC5zdGFja3JveC5zdmM6NDQz
-metadata:
-  name: rox-central-endpoint
diff --git a/task/rhacs-image-check/4.0/samples/with-m2m-token/pipelinerun.yaml b/task/rhacs-image-check/4.0/samples/with-m2m-token/pipelinerun.yaml
deleted file mode 100644
index ccdfa5f..0000000
--- a/task/rhacs-image-check/4.0/samples/with-m2m-token/pipelinerun.yaml
+++ /dev/null
@@ -1,30 +0,0 @@
----
-apiVersion: tekton.dev/v1beta1
-kind: PipelineRun
-metadata:
-  name: rox-pipelinerun
-spec:
-  pipelineRef:
-    name: rox-pipeline
-  params:
-  - name: deployment-name
-    value: pipelines-vote-api
-  - name: deployment
-    value: k8s/deployment.yaml
-  - name: git-url
-    value: https://github.com/openshift/pipelines-vote-api.git
-  - name: git-revision
-    value: pipelines-1.7
-  - name: IMAGE
-    value: image-registry.openshift-image-registry.svc:5000/$(context.pipelineRun.namespace)/pipelines-vote-ui
-  - name: insecure-skip-tls-verify
-    value: "true"
-  workspaces:
-  - name: shared-workspace
-    volumeClaimTemplate:
-      spec:
-        accessModes:
-          - ReadWriteOnce
-        resources:
-          requests:
-            storage: 500Mi
diff --git a/task/rhacs-image-check/OWNERS b/task/rhacs-image-check/OWNERS
deleted file mode 100644
index 1af341f..0000000
--- a/task/rhacs-image-check/OWNERS
+++ /dev/null
@@ -1,6 +0,0 @@
-approvers:
-- dlbewley
-- MoOyeg
-reviewers:
-- dlbewley
-- MoOyeg
diff --git a/task/rhacs-image-check/3.71/samples/secrets.yaml b/task/rhacs-image-check/4.0/samples/with-api-token/secrets.yaml
similarity index 100%
rename from task/rhacs-image-check/3.71/samples/secrets.yaml
rename to task/rhacs-image-check/4.0/samples/with-api-token/secrets.yaml
diff --git a/task/rhacs-image-check/3.71/samples/pipelinerun.yaml b/task/rhacs-image-check/4.0/samples/with-m2m-token/pipelinerun.yaml
similarity index 100%
rename from task/rhacs-image-check/3.71/samples/pipelinerun.yaml
rename to task/rhacs-image-check/4.0/samples/with-m2m-token/pipelinerun.yaml

1 similar comment
@tekton-robot
Copy link

Diff between version and 4.0 
diff --git a/task/rhacs-image-check/3.71/README.md b/task/rhacs-image-check/3.71/README.md
deleted file mode 100644
index 8e09b30..0000000
--- a/task/rhacs-image-check/3.71/README.md
+++ /dev/null
@@ -1,63 +0,0 @@
-# Red Hat Advanced Cluster Security Image Check Task
-
-Check an image against RHACS build and deploy lifecycle policies to validate a pipeline run using `roxctl`.
-
-It's a companion to the rhacs-image-scan task, which returns full vulnerability scan results for an image.
-
-## Prerequisites
-
-This task requires an active installation of [Red Hat Advanced Cluster Security (RHACS)](https://www.redhat.com/en/resources/advanced-cluster-security-for-kubernetes-datasheet).  It also requires configuration of secrets for the Central endpoint and an API token with at least CI privileges.
-
-## Install the Task
-
-```bash
-kubectl apply -f https://api.hub.tekton.dev/v1/resource/tekton/task/rhacs-image-check/3.71/raw
-```
-
-## Parameters
-
-- **`image`**: Full name of image to scan. Examples: _gcr.io/rox/sample:5.0-rc1, **$(params.IMAGE)**, $(params.IMAGE)@$(tasks.buildah.results.IMAGE_DIGEST)_
-- **`insecure-skip-tls-verify`**: Skip verification the TLS certs for Central endpoint and registry. Examples: _"true", **"false"**_.
-- **`output_format`**:  Examples: _**table**, csv, json, junit_
-- **`rox_central_endpoint`**: Secret containing the address:port tuple for StackRox Central. Default: _**rox-central-endpoint**_
-- **`rox_api_token`**: Secret containing the StackRox API token with CI permissions. Default: _**rox-api-token**_
-
-## Usage
-
-Checks images that have been pushed to a registry.  This enables scanning regardless of whether the build is using traditional Docker-based approaches, hosted/SaaS-based approaches where the Docker socket may not be directly available, or rootless approaches like `kaniko` and `buildah`.
-
-If the image violates one or more enforced policies, this task will return a failure and cause the pipeline run to fail.
-
-**Example secret creation:**
-
-```bash
-kubectl create secret generic rox-api-token \
-  --from-literal=rox_api_token="$ROX_API_TOKEN"
-kubectl create secret generic rox-central-endpoint \
-  --from-literal=rox_central_endpoint=central.stackrox.svc:443
-```
-
-**Example task use:**
-
-```yaml
-  tasks:
-    - name: image-check
-      taskRef:
-        name: rhacs-image-check
-        kind: Task
-      params:
-        - name: image
-          value: "$(params.IMAGE)@$(tasks.build-image.results.IMAGE_DIGEST)"
-      runAfter:
-      - image-scan
-```
-
-**Samples:**
-
-- [secrets.yaml](samples/secrets.yaml) example secret
-- [pipeline.yaml](samples/pipeline.yaml) demonstrates use in a pipeline.
-- [pipelinerun.yaml](samples/pipelinerun.yaml) demonstrates use in a pipelinerun.
-
-# Known Issues
-
-* Skipping TLS Verify is currently required. TLS trust bundle not working for quay.io etc.
\ No newline at end of file
diff --git a/task/rhacs-image-check/3.71/rhacs-image-check.yaml b/task/rhacs-image-check/3.71/rhacs-image-check.yaml
deleted file mode 100644
index e7ae511..0000000
--- a/task/rhacs-image-check/3.71/rhacs-image-check.yaml
+++ /dev/null
@@ -1,82 +0,0 @@
----
-apiVersion: tekton.dev/v1beta1
-kind: Task
-metadata:
-  name: rhacs-image-check
-  labels:
-    app.kubernetes.io/version: "3.71"
-  annotations:
-    tekton.dev/tags: security
-    tekton.dev/categories: Security
-    tekton.dev/displayName: "Policy check an image with Red Hat Advanced Cluster Security"
-    tekton.dev/platforms: "linux/amd64"
-    tekton.dev/pipelines.minVersion: "0.18.0"
-spec:
-  description: >-
-    Policy check an image with Red Hat Advanced Cluster Security.
-
-    This tasks allows you to check an image against build-time policies
-    and apply enforcement to fail builds.  It's a companion to the
-    rhacs-image-scan task, which returns full vulnerability scan
-    results for an image.
-  params:
-    - name: rox_central_endpoint
-      type: string
-      description: Name of secret containing the address:port tuple for RHACS Stackrox Central.
-      default: rox-central-endpoint
-    - name: rox_api_token
-      type: string
-      description: Name of secret containing the RHACS StackRox API token with CI permissions.
-      default: rox-api-token
-    - name: rox_image
-      description: Image providing the roxctl tool.
-      default: quay.io/stackrox-io/roxctl:3.71.0
-    - name: image
-      type: string
-      description: |
-        Full name of image to check.
-        Examples: 'gcr.io/rox/sample:5.0-rc1', '$(params.IMAGE)', '$(params.IMAGE)@$(tasks.buildah.results.IMAGE_DIGEST)'
-      default: '$(params.IMAGE)'
-    - name: output_format
-      description: Results output format (csv | json | junit | table)
-      type: string
-      default: "table"
-    - name: insecure-skip-tls-verify
-      type: string
-      description: |
-        Do not verify TLS certificates.
-
-        When set to "true", skip verifying the TLS certs of the Central endpoint and registry.
-      default: "false"
-  results:
-    - name: check_output
-      description: Output of `roxctl image check`
-  steps:
-    - name: rox-image-check
-      image: $(params.rox_image)
-      env:
-        - name: HOME
-          value: /tekton/home
-        - name: IMAGE
-          value: $(params.image)
-        - name: INSECURE
-          value: $(params.insecure-skip-tls-verify)
-        - name: OUTPUT
-          value: $(params.output_format)
-        - name: ROX_API_TOKEN
-          valueFrom:
-            secretKeyRef:
-              name: $(params.rox_api_token)
-              key: rox_api_token
-        - name: ROX_CENTRAL_ENDPOINT
-          valueFrom:
-            secretKeyRef:
-              name: $(params.rox_central_endpoint)
-              key: rox_central_endpoint
-      args:
-        - image
-        - check
-        - --endpoint=$(ROX_CENTRAL_ENDPOINT)
-        - --insecure-skip-tls-verify=$(INSECURE)
-        - --output=$(OUTPUT)
-        - --image=$(IMAGE)
\ No newline at end of file
diff --git a/task/rhacs-image-check/3.71/samples/pipeline.yaml b/task/rhacs-image-check/3.71/samples/pipeline.yaml
deleted file mode 100644
index 3fe2941..0000000
--- a/task/rhacs-image-check/3.71/samples/pipeline.yaml
+++ /dev/null
@@ -1,100 +0,0 @@
-apiVersion: tekton.dev/v1beta1
-kind: Pipeline
-metadata:
-  name: rox-pipeline
-spec:
-
-  workspaces:
-    - name: shared-workspace
-
-  params:
-    - name: deployment-name
-      type: string
-      description: name of the deployment resource to be patched
-    - name: deployment
-      type: string
-      description: filename of the deployment to be patched
-    - name: git-url
-      type: string
-      description: url of the git repo for the code of deployment
-    - name: git-revision
-      type: string
-      description: revision to be used from repo of the code for deployment
-      default: main
-    - name: IMAGE
-      type: string
-      description: image to be build from the code
-
-  tasks:
-    # checkout source code
-    - name: fetch-repository
-      taskRef:
-        name: git-clone
-        kind: ClusterTask
-      workspaces:
-      - name: output
-        workspace: shared-workspace
-      params:
-      - name: url
-        value: $(params.git-url)
-      - name: subdirectory
-        value: ""
-      - name: deleteExisting
-        value: "true"
-      - name: revision
-        value: $(params.git-revision)
-
-    # validate deployment against defined  RHACS policies
-    - name: police-deployment
-      taskRef:
-        name: rhacs-deployment-check
-        kind: Task
-      workspaces:
-      - name: source
-        workspace: shared-workspace
-      params:
-      - name: deployment
-        value: $(params.deployment)
-      - name: insecure-skip-tls-verify
-        value: "true"
-      runAfter:
-      - fetch-repository
-
-    - name: build-image
-      taskRef:
-        name: buildah
-        kind: ClusterTask
-      params:
-      - name: IMAGE
-        value: $(params.IMAGE)
-      workspaces:
-      - name: source
-        workspace: shared-workspace
-      runAfter:
-      - fetch-repository
-
-    # scan image for vulns using RHACS
-    - name: scan-image
-      taskRef:
-        name: rhacs-image-scan
-        kind: Task
-      params:
-      - name: image
-        value: "$(params.IMAGE)@$(tasks.build-image.results.IMAGE_DIGEST)"
-      - name: insecure-skip-tls-verify
-        value: "true" # stackrox to OCP image registry x509 fail...
-      runAfter:
-      - build-image
-
-    # validate image against RHACS policies
-    - name: police-image
-      taskRef:
-        name: rhacs-image-check
-        kind: Task
-      params:
-      - name: image
-        value: "$(params.IMAGE)@$(tasks.build-image.results.IMAGE_DIGEST)"
-      - name: insecure-skip-tls-verify
-        value: "true"
-      runAfter:
-      - scan-image
diff --git a/task/rhacs-image-check/3.71/samples/rox-secrets.yaml b/task/rhacs-image-check/3.71/samples/rox-secrets.yaml
deleted file mode 100644
index 67ef9e3..0000000
--- a/task/rhacs-image-check/3.71/samples/rox-secrets.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
----
-apiVersion: v1
-stringData:
-  rox_central_endpoint: "{{ central_addr }}:{{ central_port }}"
-  # The address:port tuple for StackRox Central (example - central.stackrox.svc:443)
-  # This must include the port number
-  rox_api_token: "{{ rox_api_token }}"
-  # StackRox API token with CI permissions
-  # Refer to below
-  # https://help.stackrox.com/docs/use-the-api/#generate-an-access-token
-kind: Secret
-metadata:
-  name: roxsecrets
-  namespace: pipeline-demo
-type: Opaque
diff --git a/task/rhacs-image-check/4.0/samples/with-api-token/secrets.yaml b/task/rhacs-image-check/4.0/samples/with-api-token/secrets.yaml
deleted file mode 100644
index 304f9b0..0000000
--- a/task/rhacs-image-check/4.0/samples/with-api-token/secrets.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
----
-apiVersion: v1
-kind: Secret
-type: Opaque
-metadata:
-  name: rox-api-token
-data:
-  rox_api_token: EXAMPLE
----
-apiVersion: v1
-kind: Secret
-type: Opaque
-data:
-  rox_central_endpoint: Y2VudHJhbC5zdGFja3JveC5zdmM6NDQz
-metadata:
-  name: rox-central-endpoint
diff --git a/task/rhacs-image-check/4.0/samples/with-m2m-token/pipelinerun.yaml b/task/rhacs-image-check/4.0/samples/with-m2m-token/pipelinerun.yaml
deleted file mode 100644
index ccdfa5f..0000000
--- a/task/rhacs-image-check/4.0/samples/with-m2m-token/pipelinerun.yaml
+++ /dev/null
@@ -1,30 +0,0 @@
----
-apiVersion: tekton.dev/v1beta1
-kind: PipelineRun
-metadata:
-  name: rox-pipelinerun
-spec:
-  pipelineRef:
-    name: rox-pipeline
-  params:
-  - name: deployment-name
-    value: pipelines-vote-api
-  - name: deployment
-    value: k8s/deployment.yaml
-  - name: git-url
-    value: https://github.com/openshift/pipelines-vote-api.git
-  - name: git-revision
-    value: pipelines-1.7
-  - name: IMAGE
-    value: image-registry.openshift-image-registry.svc:5000/$(context.pipelineRun.namespace)/pipelines-vote-ui
-  - name: insecure-skip-tls-verify
-    value: "true"
-  workspaces:
-  - name: shared-workspace
-    volumeClaimTemplate:
-      spec:
-        accessModes:
-          - ReadWriteOnce
-        resources:
-          requests:
-            storage: 500Mi
diff --git a/task/rhacs-image-check/OWNERS b/task/rhacs-image-check/OWNERS
deleted file mode 100644
index 1af341f..0000000
--- a/task/rhacs-image-check/OWNERS
+++ /dev/null
@@ -1,6 +0,0 @@
-approvers:
-- dlbewley
-- MoOyeg
-reviewers:
-- dlbewley
-- MoOyeg
diff --git a/task/rhacs-image-check/3.71/samples/secrets.yaml b/task/rhacs-image-check/4.0/samples/with-api-token/secrets.yaml
similarity index 100%
rename from task/rhacs-image-check/3.71/samples/secrets.yaml
rename to task/rhacs-image-check/4.0/samples/with-api-token/secrets.yaml
diff --git a/task/rhacs-image-check/3.71/samples/pipelinerun.yaml b/task/rhacs-image-check/4.0/samples/with-m2m-token/pipelinerun.yaml
similarity index 100%
rename from task/rhacs-image-check/3.71/samples/pipelinerun.yaml
rename to task/rhacs-image-check/4.0/samples/with-m2m-token/pipelinerun.yaml

@tekton-robot
Copy link

Catlin Output 
FILE: task/helm-upgrade-from-repo/0.3/helm-upgrade-from-repo.yaml
HINT : Task: tekton.dev/v1beta1 - name: "helm-upgrade-from-repo" is missing a readable display name annotation("tekton.dev/displayName")
WARN : Step "upgrade-from-repo" uses image "$(params.helm_image)" that contains variables; skipping validation
FILE: task/helm-upgrade-from-source/0.4/helm-upgrade-from-source.yaml
HINT : Task: tekton.dev/v1beta1 - name: "helm-upgrade-from-source" is missing a readable display name annotation("tekton.dev/displayName")
WARN : Step "upgrade" uses image "$(params.helm_image)" that contains variables; skipping validation
FILE: task/rhacs-image-check/4.0/rhacs-image-check.yaml
Catlin script lint Output 
ERROR: /usr/bin/shellcheck, [-s sh] failed:

In helm-upgrade-from-repo-upgrade-from-repo line 5:
REPO=`echo "$(params.chart_name)" | cut -d "/" -f 1`
     ^-- SC2006 (style): Use $(...) notation instead of legacy backticks `...`.
           ^--------------------^ SC2005 (style): Useless echo? Instead of 'echo $(cmd)', just use 'cmd'.

Did you mean: 
REPO=$(echo "$(params.chart_name)" | cut -d "/" -f 1)


In helm-upgrade-from-repo-upgrade-from-repo line 7:
helm repo add $REPO "$(params.helm_repo)"
              ^---^ SC2086 (info): Double quote to prevent globbing and word splitting.

Did you mean: 
helm repo add "$REPO" "$(params.helm_repo)"


In helm-upgrade-from-repo-upgrade-from-repo line 11:
helm upgrade --wait --install --namespace "$(params.release_namespace)" $(params.release_name) $(params.chart_name) --debug --set "$(params.overwrite_values)"
                                                                        ^--------------------^ SC2046 (warning): Quote this to prevent word splitting.
                                                                                               ^------------------^ SC2046 (warning): Quote this to prevent word splitting.

For more information:
  https://www.shellcheck.net/wiki/SC2046 -- Quote this to prevent word splitt...
  https://www.shellcheck.net/wiki/SC2086 -- Double quote to prevent globbing ...
  https://www.shellcheck.net/wiki/SC2005 -- Useless echo? Instead of 'echo $(...

ERROR: /usr/bin/shellcheck, [-s sh] failed:

In helm-upgrade-from-source-upgrade line 6:
helm upgrade --install --wait --values "$(params.charts_dir)/$(params.values_file)" --namespace "$(params.release_namespace)" --version "$(params.release_version)" "$(params.release_name)" "$(params.charts_dir)" --debug --set "$(params.overwrite_values)" $(params.upgrade_extra_params)
                                                                                                                                                                                                                                                               ^----------------------------^ SC2046 (warning): Quote this to prevent word splitting.

For more information:
  https://www.shellcheck.net/wiki/SC2046 -- Quote this to prevent word splitt...

@dhaus67 dhaus67 requested a review from vinamra28 May 27, 2024 23:21
@vinamra28
Copy link
Member

can you please squash the commits? will merge post that

@tekton-robot
Copy link

Diff between version and 4.0 
diff --git a/task/rhacs-image-check/3.71/README.md b/task/rhacs-image-check/3.71/README.md
deleted file mode 100644
index 8e09b30..0000000
--- a/task/rhacs-image-check/3.71/README.md
+++ /dev/null
@@ -1,63 +0,0 @@
-# Red Hat Advanced Cluster Security Image Check Task
-
-Check an image against RHACS build and deploy lifecycle policies to validate a pipeline run using `roxctl`.
-
-It's a companion to the rhacs-image-scan task, which returns full vulnerability scan results for an image.
-
-## Prerequisites
-
-This task requires an active installation of [Red Hat Advanced Cluster Security (RHACS)](https://www.redhat.com/en/resources/advanced-cluster-security-for-kubernetes-datasheet).  It also requires configuration of secrets for the Central endpoint and an API token with at least CI privileges.
-
-## Install the Task
-
-```bash
-kubectl apply -f https://api.hub.tekton.dev/v1/resource/tekton/task/rhacs-image-check/3.71/raw
-```
-
-## Parameters
-
-- **`image`**: Full name of image to scan. Examples: _gcr.io/rox/sample:5.0-rc1, **$(params.IMAGE)**, $(params.IMAGE)@$(tasks.buildah.results.IMAGE_DIGEST)_
-- **`insecure-skip-tls-verify`**: Skip verification the TLS certs for Central endpoint and registry. Examples: _"true", **"false"**_.
-- **`output_format`**:  Examples: _**table**, csv, json, junit_
-- **`rox_central_endpoint`**: Secret containing the address:port tuple for StackRox Central. Default: _**rox-central-endpoint**_
-- **`rox_api_token`**: Secret containing the StackRox API token with CI permissions. Default: _**rox-api-token**_
-
-## Usage
-
-Checks images that have been pushed to a registry.  This enables scanning regardless of whether the build is using traditional Docker-based approaches, hosted/SaaS-based approaches where the Docker socket may not be directly available, or rootless approaches like `kaniko` and `buildah`.
-
-If the image violates one or more enforced policies, this task will return a failure and cause the pipeline run to fail.
-
-**Example secret creation:**
-
-```bash
-kubectl create secret generic rox-api-token \
-  --from-literal=rox_api_token="$ROX_API_TOKEN"
-kubectl create secret generic rox-central-endpoint \
-  --from-literal=rox_central_endpoint=central.stackrox.svc:443
-```
-
-**Example task use:**
-
-```yaml
-  tasks:
-    - name: image-check
-      taskRef:
-        name: rhacs-image-check
-        kind: Task
-      params:
-        - name: image
-          value: "$(params.IMAGE)@$(tasks.build-image.results.IMAGE_DIGEST)"
-      runAfter:
-      - image-scan
-```
-
-**Samples:**
-
-- [secrets.yaml](samples/secrets.yaml) example secret
-- [pipeline.yaml](samples/pipeline.yaml) demonstrates use in a pipeline.
-- [pipelinerun.yaml](samples/pipelinerun.yaml) demonstrates use in a pipelinerun.
-
-# Known Issues
-
-* Skipping TLS Verify is currently required. TLS trust bundle not working for quay.io etc.
\ No newline at end of file
diff --git a/task/rhacs-image-check/3.71/rhacs-image-check.yaml b/task/rhacs-image-check/3.71/rhacs-image-check.yaml
deleted file mode 100644
index e7ae511..0000000
--- a/task/rhacs-image-check/3.71/rhacs-image-check.yaml
+++ /dev/null
@@ -1,82 +0,0 @@
----
-apiVersion: tekton.dev/v1beta1
-kind: Task
-metadata:
-  name: rhacs-image-check
-  labels:
-    app.kubernetes.io/version: "3.71"
-  annotations:
-    tekton.dev/tags: security
-    tekton.dev/categories: Security
-    tekton.dev/displayName: "Policy check an image with Red Hat Advanced Cluster Security"
-    tekton.dev/platforms: "linux/amd64"
-    tekton.dev/pipelines.minVersion: "0.18.0"
-spec:
-  description: >-
-    Policy check an image with Red Hat Advanced Cluster Security.
-
-    This tasks allows you to check an image against build-time policies
-    and apply enforcement to fail builds.  It's a companion to the
-    rhacs-image-scan task, which returns full vulnerability scan
-    results for an image.
-  params:
-    - name: rox_central_endpoint
-      type: string
-      description: Name of secret containing the address:port tuple for RHACS Stackrox Central.
-      default: rox-central-endpoint
-    - name: rox_api_token
-      type: string
-      description: Name of secret containing the RHACS StackRox API token with CI permissions.
-      default: rox-api-token
-    - name: rox_image
-      description: Image providing the roxctl tool.
-      default: quay.io/stackrox-io/roxctl:3.71.0
-    - name: image
-      type: string
-      description: |
-        Full name of image to check.
-        Examples: 'gcr.io/rox/sample:5.0-rc1', '$(params.IMAGE)', '$(params.IMAGE)@$(tasks.buildah.results.IMAGE_DIGEST)'
-      default: '$(params.IMAGE)'
-    - name: output_format
-      description: Results output format (csv | json | junit | table)
-      type: string
-      default: "table"
-    - name: insecure-skip-tls-verify
-      type: string
-      description: |
-        Do not verify TLS certificates.
-
-        When set to "true", skip verifying the TLS certs of the Central endpoint and registry.
-      default: "false"
-  results:
-    - name: check_output
-      description: Output of `roxctl image check`
-  steps:
-    - name: rox-image-check
-      image: $(params.rox_image)
-      env:
-        - name: HOME
-          value: /tekton/home
-        - name: IMAGE
-          value: $(params.image)
-        - name: INSECURE
-          value: $(params.insecure-skip-tls-verify)
-        - name: OUTPUT
-          value: $(params.output_format)
-        - name: ROX_API_TOKEN
-          valueFrom:
-            secretKeyRef:
-              name: $(params.rox_api_token)
-              key: rox_api_token
-        - name: ROX_CENTRAL_ENDPOINT
-          valueFrom:
-            secretKeyRef:
-              name: $(params.rox_central_endpoint)
-              key: rox_central_endpoint
-      args:
-        - image
-        - check
-        - --endpoint=$(ROX_CENTRAL_ENDPOINT)
-        - --insecure-skip-tls-verify=$(INSECURE)
-        - --output=$(OUTPUT)
-        - --image=$(IMAGE)
\ No newline at end of file
diff --git a/task/rhacs-image-check/3.71/samples/pipeline.yaml b/task/rhacs-image-check/3.71/samples/pipeline.yaml
deleted file mode 100644
index 3fe2941..0000000
--- a/task/rhacs-image-check/3.71/samples/pipeline.yaml
+++ /dev/null
@@ -1,100 +0,0 @@
-apiVersion: tekton.dev/v1beta1
-kind: Pipeline
-metadata:
-  name: rox-pipeline
-spec:
-
-  workspaces:
-    - name: shared-workspace
-
-  params:
-    - name: deployment-name
-      type: string
-      description: name of the deployment resource to be patched
-    - name: deployment
-      type: string
-      description: filename of the deployment to be patched
-    - name: git-url
-      type: string
-      description: url of the git repo for the code of deployment
-    - name: git-revision
-      type: string
-      description: revision to be used from repo of the code for deployment
-      default: main
-    - name: IMAGE
-      type: string
-      description: image to be build from the code
-
-  tasks:
-    # checkout source code
-    - name: fetch-repository
-      taskRef:
-        name: git-clone
-        kind: ClusterTask
-      workspaces:
-      - name: output
-        workspace: shared-workspace
-      params:
-      - name: url
-        value: $(params.git-url)
-      - name: subdirectory
-        value: ""
-      - name: deleteExisting
-        value: "true"
-      - name: revision
-        value: $(params.git-revision)
-
-    # validate deployment against defined  RHACS policies
-    - name: police-deployment
-      taskRef:
-        name: rhacs-deployment-check
-        kind: Task
-      workspaces:
-      - name: source
-        workspace: shared-workspace
-      params:
-      - name: deployment
-        value: $(params.deployment)
-      - name: insecure-skip-tls-verify
-        value: "true"
-      runAfter:
-      - fetch-repository
-
-    - name: build-image
-      taskRef:
-        name: buildah
-        kind: ClusterTask
-      params:
-      - name: IMAGE
-        value: $(params.IMAGE)
-      workspaces:
-      - name: source
-        workspace: shared-workspace
-      runAfter:
-      - fetch-repository
-
-    # scan image for vulns using RHACS
-    - name: scan-image
-      taskRef:
-        name: rhacs-image-scan
-        kind: Task
-      params:
-      - name: image
-        value: "$(params.IMAGE)@$(tasks.build-image.results.IMAGE_DIGEST)"
-      - name: insecure-skip-tls-verify
-        value: "true" # stackrox to OCP image registry x509 fail...
-      runAfter:
-      - build-image
-
-    # validate image against RHACS policies
-    - name: police-image
-      taskRef:
-        name: rhacs-image-check
-        kind: Task
-      params:
-      - name: image
-        value: "$(params.IMAGE)@$(tasks.build-image.results.IMAGE_DIGEST)"
-      - name: insecure-skip-tls-verify
-        value: "true"
-      runAfter:
-      - scan-image
diff --git a/task/rhacs-image-check/3.71/samples/rox-secrets.yaml b/task/rhacs-image-check/3.71/samples/rox-secrets.yaml
deleted file mode 100644
index 67ef9e3..0000000
--- a/task/rhacs-image-check/3.71/samples/rox-secrets.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
----
-apiVersion: v1
-stringData:
-  rox_central_endpoint: "{{ central_addr }}:{{ central_port }}"
-  # The address:port tuple for StackRox Central (example - central.stackrox.svc:443)
-  # This must include the port number
-  rox_api_token: "{{ rox_api_token }}"
-  # StackRox API token with CI permissions
-  # Refer to below
-  # https://help.stackrox.com/docs/use-the-api/#generate-an-access-token
-kind: Secret
-metadata:
-  name: roxsecrets
-  namespace: pipeline-demo
-type: Opaque
diff --git a/task/rhacs-image-check/4.0/samples/with-api-token/secrets.yaml b/task/rhacs-image-check/4.0/samples/with-api-token/secrets.yaml
deleted file mode 100644
index 304f9b0..0000000
--- a/task/rhacs-image-check/4.0/samples/with-api-token/secrets.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
----
-apiVersion: v1
-kind: Secret
-type: Opaque
-metadata:
-  name: rox-api-token
-data:
-  rox_api_token: EXAMPLE
----
-apiVersion: v1
-kind: Secret
-type: Opaque
-data:
-  rox_central_endpoint: Y2VudHJhbC5zdGFja3JveC5zdmM6NDQz
-metadata:
-  name: rox-central-endpoint
diff --git a/task/rhacs-image-check/4.0/samples/with-m2m-token/pipelinerun.yaml b/task/rhacs-image-check/4.0/samples/with-m2m-token/pipelinerun.yaml
deleted file mode 100644
index ccdfa5f..0000000
--- a/task/rhacs-image-check/4.0/samples/with-m2m-token/pipelinerun.yaml
+++ /dev/null
@@ -1,30 +0,0 @@
----
-apiVersion: tekton.dev/v1beta1
-kind: PipelineRun
-metadata:
-  name: rox-pipelinerun
-spec:
-  pipelineRef:
-    name: rox-pipeline
-  params:
-  - name: deployment-name
-    value: pipelines-vote-api
-  - name: deployment
-    value: k8s/deployment.yaml
-  - name: git-url
-    value: https://github.com/openshift/pipelines-vote-api.git
-  - name: git-revision
-    value: pipelines-1.7
-  - name: IMAGE
-    value: image-registry.openshift-image-registry.svc:5000/$(context.pipelineRun.namespace)/pipelines-vote-ui
-  - name: insecure-skip-tls-verify
-    value: "true"
-  workspaces:
-  - name: shared-workspace
-    volumeClaimTemplate:
-      spec:
-        accessModes:
-          - ReadWriteOnce
-        resources:
-          requests:
-            storage: 500Mi
diff --git a/task/rhacs-image-check/OWNERS b/task/rhacs-image-check/OWNERS
deleted file mode 100644
index 1af341f..0000000
--- a/task/rhacs-image-check/OWNERS
+++ /dev/null
@@ -1,6 +0,0 @@
-approvers:
-- dlbewley
-- MoOyeg
-reviewers:
-- dlbewley
-- MoOyeg
diff --git a/task/rhacs-image-check/3.71/samples/secrets.yaml b/task/rhacs-image-check/4.0/samples/with-api-token/secrets.yaml
similarity index 100%
rename from task/rhacs-image-check/3.71/samples/secrets.yaml
rename to task/rhacs-image-check/4.0/samples/with-api-token/secrets.yaml
diff --git a/task/rhacs-image-check/3.71/samples/pipelinerun.yaml b/task/rhacs-image-check/4.0/samples/with-m2m-token/pipelinerun.yaml
similarity index 100%
rename from task/rhacs-image-check/3.71/samples/pipelinerun.yaml
rename to task/rhacs-image-check/4.0/samples/with-m2m-token/pipelinerun.yaml

@vinamra28
Copy link
Member

/lgtm

@tekton-robot tekton-robot added the lgtm Indicates that a PR is ready to be merged. label May 31, 2024
@tekton-robot tekton-robot merged commit 674b218 into tektoncd:main May 31, 2024
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@khrm khrm khrm left review comments

@vdemeester vdemeester vdemeester approved these changes

@bobcatfish bobcatfish Awaiting requested review from bobcatfish

@vinamra28 vinamra28 Awaiting requested review from vinamra28

Assignees

@vdemeester vdemeester

@vinamra28 vinamra28

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. kind/feature Categorizes issue or PR as related to a new feature. lgtm Indicates that a PR is ready to be merged. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@dhaus67 @tekton-robot @vinamra28 @vdemeester @khrm