test trivy scan

Author: clubanderson

.tekton/benchmark.yaml

@@ -0,0 +1,43 @@
+apiVersion: tekton.dev/v1
+kind: Task
+metadata:
+  name: benchmark-task
+spec:
+  params:
+    - name: openshift_host
+      description: "The OpenShift API server URL"
+      type: string
+    - name: openshift_namespace
+      description: "The OpenShift namespace to use"
+      type: string
+  steps:
+    - name: clone-and-install-fmperf
+      image: continuumio/miniconda3:latest
+      script: |
+        #!/bin/bash
+        set -ex
+
+        # Initialize conda (this sets up the environment for conda commands)
+        source /opt/conda/etc/profile.d/conda.sh
+
+        echo "Cloning fmperf repository..."
+        git clone https://github.com/fmperf-project/fmperf.git
+        cd fmperf
+
+        echo "Creating conda environment 'fmperf-env' with Python 3.11..."
+        conda create -y -n fmperf-env python=3.11
+
+        echo "Activating the conda environment..."
+        conda activate fmperf-env
+
+        echo "Installing required dependencies..."
+        pip install -r requirements.txt
+        pip install -e .
+
+        echo "Setting up environment variables for OpenShift connection..."
+        export OPENSHIFT_HOST="$(params.openshift_host)"
+        export OPENSHIFT_TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
+        export OPENSHIFT_NAMESPACE="$(params.openshift_namespace)"
+
+        echo "Running fmperf benchmark..."
+        python examples/example_vllm.py || true

.tekton/buildah-build.yaml

@@ -8,6 +8,9 @@ spec:
       description: "Application version"
     - name: image_tag_base
       description: "Image tag base"
+  results:
+    - name: image-url
+      description: "The full image URL including tag"
   workspaces:
     - name: source
     - name: registry
@@ -65,3 +68,4 @@ spec:
         echo "🚀 Calling make buildah-build with IMG=$IMG..."
         make buildah-build IMG=$IMG
 
+        echo "$IMG" > /tekton/results/image-url

.tekton/pipelinerun.yaml

@@ -12,6 +12,14 @@ metadata:
       (!has(body.ref) || body.ref == 'refs/heads/main' || body.ref == 'refs/heads/dev') &&
       (!has(body.head_commit) || !has(body.head_commit.author) || !body.head_commit.author.name.matches("(?i).*ci-tag-bot.*")) &&
       (!has(body.pull_request) || (body.pull_request.base.ref == 'main' || body.pull_request.base.ref == 'dev'))
+    results.tekton.dev/columns: |
+      [
+        {
+          "name": "Vulnerabilities",
+          "type": "string",
+          "jsonPath": ".status.pipelineResults[?(@.name==\"vulnerabilities\")].value"
+        }
+      ]
 spec:
   podTemplate:
     serviceAccountName: pipeline
@@ -58,31 +66,17 @@ spec:
           - name: source
             workspace: source
 
-      # - name: debug-user
-      #   taskSpec:
-      #     workspaces:
-      #       - name: source
-      #         workspace: source
-      #     steps:
-      #       - name: show-user-info
-      #         image: busybox
-      #         script: |
-      #           #!/bin/sh
-      #           echo "Current UID:"
-      #           id -u
-      #           echo "Current GID:"
-      #           id -g
-      #           echo "Permissions on /workspace/source:"
-      #           ls -ld /workspace/source
-      #   workspaces:
-      #     - name: source
-      #       workspace: source
+      - name: read-cluster-name
+        taskRef:
+          name: read-cluster-name
+        runAfter:
+          - fix-permissions
 
       - name: which-branch
         taskRef:
           name: print-branch-task
         runAfter:
-          - fix-permissions
+          - read-cluster-name
         params:
           - name: source-branch
             value: "$(params.source_branch)"
@@ -113,6 +107,9 @@ spec:
           - input: "$(params.runOptional)"
             operator: in
             values: ["true"]
+          - input: "$(tasks.read-cluster-name.results.cluster-name)"
+            operator: in
+            values: ["cluster-platform-eval"]
         taskRef:
           name: go-lint-task
         runAfter:
@@ -126,11 +123,13 @@ spec:
           - input: "$(params.runOptional)"
             operator: in
             values: ["true"]
+          - input: "$(tasks.read-cluster-name.results.cluster-name)"
+            operator: in
+            values: ["cluster-platform-eval"]
         taskRef:
           name: go-test-task
         runAfter:
           - go-lint
-          # - fetch-repository
         workspaces:
           - name: source
             workspace: source
@@ -140,6 +139,9 @@ spec:
           - input: "$(params.runOptional)"
             operator: in
             values: ["true"]
+          - input: "$(tasks.read-cluster-name.results.cluster-name)"
+            operator: in
+            values: ["cluster-platform-eval"]
         taskRef:
           name: go-build-task
         runAfter:
@@ -168,6 +170,9 @@ spec:
           - input: "$(params.source_branch)"
             operator: in
             values: ["main"]
+          - input: "$(tasks.read-cluster-name.results.cluster-name)"
+            operator: in
+            values: ["cluster-platform-eval"]
         taskRef:
           name: promote-to-prod-task
         params:
@@ -193,6 +198,9 @@ spec:
           - input: "$(params.source_branch)"
             operator: in
             values: ["dev"]
+          - input: "$(tasks.read-cluster-name.results.cluster-name)"
+            operator: in
+            values: ["cluster-platform-eval"]
         params:
           - name: dev-version
             value: "$(tasks.extract-version-and-registry.results.dev-version)"
@@ -210,10 +218,40 @@ spec:
           - name: registry
             workspace: registry-secret
 
+      - name: vulnerability-scan
+        when:
+          - input: "$(params.runOptional)"
+            operator: in
+            values: ["true"]
+          - input: "$(tasks.read-cluster-name.results.cluster-name)"
+            operator: in
+            values: ["cluster-platform-eval"]
+        runAfter:
+          - buildah-build
+        taskRef:
+          name: trivy-scan
+        params:
+          - name: IMAGE_URL
+            value: "$(tasks.buildah-build.results.image-url)"
+          - name: SEVERITY
+            value: "CRITICAL,HIGH"
+          - name: ARGS
+            value: "--exit-code 0"
+        workspaces:
+          - name: registry-secret
+            workspace: registry-secret
+          - name: output
+            workspace: output
+
       - name: sync-after-promote-or-build
+        when:
+          - input: "$(tasks.read-cluster-name.results.cluster-name)"
+            operator: in
+            values: ["cluster-platform-eval"]
         runAfter:
           - promote-to-prod
-          - buildah-build
+          # - buildah-build
+          - vulnerability-scan
         taskRef:
           name: noop-task
 
@@ -240,6 +278,9 @@ spec:
           - input: "$(params.source_branch)"
             operator: in
             values: ["main", "dev"]
+          - input: "$(tasks.read-cluster-name.results.cluster-name)"
+            operator: in
+            values: ["cluster-platform-eval"]
         taskRef:
           name: tag-version-task
         params:
@@ -310,12 +351,35 @@ spec:
         workspaces:
           - name: source
             workspace: source
-            
+
+      - name: benchmark
+        when:
+          - input: "$(params.source_branch)"
+            operator: in
+            values: ["dev"]
+          - input: "$(tasks.read-cluster-name.results.cluster-name)"
+            operator: in
+            values: ["cluster-platform-eval"]
+        continueOn:
+          errors: true
+        params:
+          - name: openshift_host
+            value: "https://api.fmaas-platform-eval.fmaas.res.ibm.com:6443"
+          - name: openshift_namespace
+            value: "hc4ai-operator-dev"
+        taskRef:
+          name: benchmark-task 
+        runAfter:
+          - go-test-post-deploy
+
       - name: increment-versions
         when:
           - input: "$(params.source_branch)"
             operator: in
             values: ["main"]
+          - input: "$(tasks.read-cluster-name.results.cluster-name)"
+            operator: in
+            values: ["cluster-platform-eval"]
         params:
           - name: source-branch
             value: "$(params.source_branch)"
@@ -347,7 +411,7 @@ spec:
             operator: in
             values: ["dev"]
         runAfter:
-          - go-test-post-deploy
+          - benchmark
         taskRef:
           name: noop-task
 
@@ -360,6 +424,14 @@ spec:
           resources:
             requests:
               storage: 1Gi
+    - name: output
+      volumeClaimTemplate:
+        spec:
+          accessModes:
+            - ReadWriteOnce
+          resources:
+            requests:
+              storage: 1Gi
     - name: basic-auth
       secret:
         secretName: "{{ git_auth_secret }}"

.tekton/read-cluster-name.yaml

@@ -0,0 +1,20 @@
+apiVersion: tekton.dev/v1
+kind: Task
+metadata:
+  name: read-cluster-name
+spec:
+  results:
+    - name: cluster-name
+  steps:
+    - name: get-cluster-name
+      image: registry.access.redhat.com/ubi8/ubi-minimal
+      script: |
+        #!/bin/sh
+        cat /etc/config/cluster-name | tee $(results.cluster-name.path)
+      volumeMounts:
+        - name: config-vol
+          mountPath: /etc/config
+  volumes:
+    - name: config-vol
+      configMap:
+        name: cluster-info

.tekton/vuln-scan-trivy.yaml

@@ -0,0 +1,67 @@
+apiVersion: tekton.dev/v1
+kind: Task
+metadata:
+  name: trivy-scan
+spec:
+  params:
+    - name: IMAGE_URL
+      type: string
+      description: Full image URL (e.g., quay.io/org/image:tag)
+    - name: SEVERITY
+      type: string
+      default: "CRITICAL,HIGH"
+      description: Comma-separated severity levels
+    - name: ARGS
+      type: string
+      default: ""
+      description: Additional Trivy arguments
+  workspaces:
+    - name: registry-secret
+      description: Workspace with Docker config.json (auth for private registries)
+    - name: output
+  results:
+    - name: vulnerabilities
+      type: string
+  steps:
+    - name: trivy-scan
+      image: docker:20.10.24-dind
+      securityContext:
+        privileged: true
+      script: |
+        #!/bin/sh
+        set -e
+
+        echo "🔧 Starting Docker daemon..."
+        dockerd-entrypoint.sh &
+
+        echo "⏳ Waiting for Docker daemon to be ready..."
+        until docker info > /dev/null 2>&1; do
+          sleep 1
+        done
+
+        echo "🔐 Setting up Docker credentials..."
+        mkdir -p /root/.docker
+        cp /workspace/registry-secret/.dockerconfigjson /root/.docker/config.json
+
+        echo "⬇️ Installing Trivy..."
+        apk add --no-cache curl jq
+        curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
+
+        IMAGE="$(echo $(params.IMAGE_URL))"
+        IMAGE=$(echo "$IMAGE" | tr -d '\n\r' | xargs)
+
+        echo "🔍 Running Trivy remote scan on: $IMAGE"
+        if ! trivy image \
+          --severity "$(params.SEVERITY)" \
+          --format json \
+          $(params.ARGS) \
+          "$IMAGE" > /workspace/output/trivy-results.json; then
+          echo "❌ Trivy scan failed"
+          echo -n "-1" > $(results.vulnerabilities.path)
+          exit 1
+        fi
+
+        echo "📊 Counting vulnerabilities..."
+        vuln_count=$(jq '[.Results[].Vulnerabilities[]?] | length' /workspace/output/trivy-results.json)
+        echo "📊 Found $vuln_count vulnerabilities"
+        echo -n "$vuln_count" > /tekton/results/vulnerabilities