Provide an option to halt builds based on container scan results

[jtmulvey]

We need to provide the ability to set a failure criteria in the container vulnerability scanning task which would result in the termination of the build. The build results, along with the scan output are then available for review using the Tekton dashboard/UI/

[teddyjtorres]

Current pipelines in https://github.com/kabanero-io/collections/tree/master/incubator/common/pipelines/default run the scan at the end of the pipeline, which makes it unnecessary to stop. If a PipelineRun needs to be cancelled, it has to be done as documented in https://github.com/tektoncd/pipeline/blob/master/docs/pipelineruns.md#cancelling-a-pipelinerun. It needs to be designed where the PipelineRun cancellation is needed in relation to the build, push, and deploy tasks, possibly breaking up some of the existing tasks, like https://github.com/kabanero-io/collections/blob/master/incubator/common/pipelines/default/build-push-task.yaml .

[teddyjtorres]

It was determined that https://github.com/kabanero-io/collections/blob/master/incubator/common/pipelines/default/build-push-task.yaml cannot be broken up since the push step pushes the image to the registry that is later used to pull the image from for scanning. Otherwise, an intermediate registry may be needed. Other multi-step tasks may be broken up, or the scanning must be integrated in those tasks.

[teddyjtorres]

The build-deploy-pl.yaml pipeline template was updated to use a conditional for the deploy-task as follows,

• name: deploy-task
  conditions:
  • conditionRef: StackId-deployment-condition

Thus, a possible design for this issue is to return a code, as an output parameter, from the image-scan-task that the StackId-deployment-condition will examine to determine if the image can be deployed. Other alternatives can be explored.

[teddyjtorres]

Possible failure criteria would include the SCAP result categories,

1. Non-Compliant/Vulnerable/Unpatched
2. Compliant/Non-Vulnerable/Patched
3. Error
4. Unknown
5. Other (Inventory/Miscellaneous class or Not Applicable/Not Evaluated result)

There needs to be an task input parameter indicating how many entries in those categories would cause this task to fail.

[marikaj123]

@teddyjtorres - Any idea at what Kabanero release would the fix become available?