Setting up Tekton Pipeline

Last Update : 21 November, 2023 | Published : 16 November, 2023 | 2 Min Read

Tekton Pipeline

Description

This pipeline performs a series of tasks related to source code management, Docker image building, scanning, and signing.

Parameters

repo-url: The URL of the Git repository to clone.
revision: The revision to use.
PARAM_SCM: Source Code Management URL (default: github.com).
pathToContext: Path to the build context (default: src).
imageUrl: Image name including repository.
imageTag: Image tag (default: latest).
STORAGE_DRIVER: Storage driver to use (default: vfs).
trivy-args: Arguments for Trivy scanner (default: [’–format json’]).
TRIVY_EXIT_CODE: Exit code if critical vulnerabilities are found.
syft-args: Arguments for Syft scanner (default: [’target/images/docker-image-local.tar’, ‘-o syft-json’]).
grype-args: Arguments for Grype scanner (default: [’target/images/docker-image-local.tar’, ‘-o json’]).
SBOM_FORMAT: Software Bill of Materials format (default: spdx-json).

Workspaces

shared-data: Contains the cloned repository files.
git-credentials: Basic authentication for Git.
sonar-project.properties: Sonar details for scanning and pushing results to SonarCloud.
sonar-token: Sonar authentication token.
dockerconfig: Docker configuration.
cosign: Cosign configuration (private key).
cosign-pub: Cosign configuration (public key).
docker-credentials: Docker credentials.
clickhouse: Clickhouse database connection.
python-clickhouse: Python Clickhouse valuse.

Tasks

1. fetch-source

Description: Clones the Git repository.
Parameters:
- url: $(params.repo-url)
- PARAM_SCM: $(params.PARAM_SCM)
- revision: $(params.revision)

2. sonarqube-scanner

Description: Runs SonarQube scanner.
Dependencies: fetch-source
Workspaces:
- source: shared-data
- sonar-settings: sonar-project.properties
- sonar-token: sonar-token

3. build-dockerfile

Description: Builds the Docker image.
Dependencies: fetch-source, sonarqube-scanner
Workspaces:
- source: shared-data
- dockerconfig: docker-credentials
Parameters:
- CONTEXT: $(params.pathToContext)
- IMAGE: $(params.imageUrl):$(params.imageTag)

4. trivy-scanner

Description: Scans the Docker image using Trivy.
Dependencies: build-dockerfile
Workspaces:
- manifest-dir: shared-data
Parameters:
- IMAGE_PATH: $(params.imageUrl):$(params.imageTag)
- ARGS: $(params.trivy-args[*])
- EXIT_CODE: $(params.TRIVY_EXIT_CODE)

5. buildah-push

Description: Pushes the Docker image to a registry.
Dependencies: trivy-scanner
Workspaces:
- source: shared-data
- dockerconfig: docker-credentials
Parameters:
- CONTEXT: $(params.pathToContext)
- IMAGE: $(params.imageUrl):$(params.imageTag)
- STORAGE_DRIVER: $(params.STORAGE_DRIVER)

6. trivy-sbom

Description: Generates a Software Bill of Materials using Trivy.
Dependencies: buildah-push
Workspaces:
- manifest-dir: shared-data
- clickhouse: clickhouse
- python-clickhouse: python-clickhouse
Parameters:
- IMAGE: $(params.imageUrl)
- DIGEST: $(tasks.buildah-push.results.IMAGE_DIGEST)
- format: $(params.SBOM_FORMAT)

7. cosign-sign

Description: Signs the Docker image using Cosign.
Dependencies: buildah-push
Workspaces:
- source: shared-data
- dockerconfig: dockerconfig
- cosign: cosign
Parameters:
- image: “$(params.imageUrl)@$(tasks.buildah-push.results.IMAGE_DIGEST)”

8. cosign-image-verify

Description: Verifies the signed Docker image using Cosign.
Dependencies: cosign-sign
Workspaces:
- source: shared-data
- dockerconfig: dockerconfig
- cosign: cosign-pub
Parameters:
- image: “$(params.imageUrl)@$(tasks.buildah-push.results.IMAGE_DIGEST)”

Looking for Cloud-Native Implementation?

Finding the right talent is pain. More so, keeping up with concepts, culture, technology and tools. We all have been there. Our AI-based automated solutions helps eliminate these issues, making your teams lives easy.