add rox image scan

clustertask/rox-image-scan/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

clustertask/rox-image-scan/Chart.yaml

@@ -0,0 +1,23 @@
+apiVersion: v2
+name: rox-image-scan
+description: A Helm chart for Rox Image Scan
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application 
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 1.0.0
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "1.0.0"

clustertask/rox-image-scan/README.md

@@ -0,0 +1 @@
+# Rox image scan

clustertask/rox-image-scan/templates/_helpers.tpl

@@ -0,0 +1,6 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "rox-image-scan.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}-{{ .Chart.Version }}
+{{- end }}

clustertask/rox-image-scan/templates/clustertask.yaml

@@ -0,0 +1,65 @@
+apiVersion: tekton.dev/v1beta1
+kind: ClusterTask
+metadata:
+  name: {{ include "rox-iamge-scan.name" . }}
+spec:
+  params:
+    - name: ROX_CENTRAL_ENDPOINT
+      description: >-
+        Secret containing the address:port tuple for StackRox Central (example -
+        rox.stackrox.io:443)
+      type: string
+    - name: ROX_API_TOKEN
+      description: Secret containing the StackRox API token with CI permissions
+      type: string
+    - name: IMAGE
+      description: 'Full name of image to scan (example -- gcr.io/rox/sample:5.0-rc1)'
+      type: string
+    - name: output_format
+      description: Output format (json | csv | pretty)
+      default: json
+      type: string
+    - name: IMAGE_DIGEST
+      description: Digest in sha256 hash format of the image to scan
+      type: string
+    - name: BUILD_IMAGE
+      default: 'true'
+      description: Flag specifying whether image should be built again.
+      type: string
+  steps:
+    - env:
+        - name: ROX_API_TOKEN
+          valueFrom:
+            secretKeyRef:
+              key: rox-api-token
+              name: $(params.ROX_API_TOKEN)
+        - name: ROX_CENTRAL_ENDPOINT
+          valueFrom:
+            secretKeyRef:
+              key: rox-central-endpoint
+              name: $(params.ROX_CENTRAL_ENDPOINT)
+      image: 'registry.access.redhat.com/ubi8/ubi-minimal:latest'
+      name: rox-image-scan
+      command: ["/bin/bash"]
+      resources: {}
+      args:
+        - -c
+        - |
+          
+          if [[ $(params.BUILD_IMAGE) == true ]]; then
+            set +x
+          
+            export NO_COLOR="True"
+          
+            curl -k -L -H "Authorization: Bearer $ROX_API_TOKEN" https://$ROX_CENTRAL_ENDPOINT/api/cli/download/roxctl-linux --output ./roxctl  > /dev/null; echo "Getting roxctl"
+          
+            chmod +x ./roxctl > /dev/null
+          
+            echo "## Scanning image $(params.IMAGE)@$(params.IMAGE_DIGEST)"
+          
+            ./roxctl image scan --insecure-skip-tls-verify -e $ROX_CENTRAL_ENDPOINT --image $(params.IMAGE)@$(params.IMAGE_DIGEST) --format $(params.output_format)
+          
+            echo "## Go to
+            https://$ROX_CENTRAL_ENDPOINT/main/vulnerability-management/image/$(params.IMAGE_DIGEST)
+            to check more info"
+          fi