×
Setting up OpenShift Pipelines in the web console to view Software Supply Chain Security elements
Use the Developer or Administrator perspective to create or modify a pipeline and view key Software Supply Chain Security elements within a project.
Set up OpenShift Pipelines to view:
-
Project vulnerabilities: Visual representation of identified vulnerabilities within a project.
-
Software Bill of Materials (SBOMs): Download or view detailed listing of PipelineRun components.
Additionally, PipelineRuns that meet Tekton Chains requirement displays signed badges next to their names. This badge indicates that the pipeline run execution results are cryptographically signed and stored securely, for example within an OCI image.
Figure 1. The signed badge
The PipelineRun displays the signed badge next to its name only if you have configured Tekton Chains. For information on configuring Tekton Chains, see Using Tekton Chains for OpenShift Pipelines supply chain security.
Setting up OpenShift Pipelines to view project vulnerabilities
The PipelineRun details page provides a visual representation of identified vulnerabilities, categorized by the severity (critical, high, medium, and low). This streamlined view facilitates prioritization and remediation efforts.
Figure 2. Viewing vulnerabilities on the
PipelineRun details pageYou can also review the vulnerabilities in the Vulnerabilities column in the pipeline run list view page.
Figure 3. Viewing vulnerabilities on the
PipelineRun list viewPrerequisites
-
You have logged in to the web console.
-
You have the appropriate roles and permissions in a project to create applications and other workloads in OpenShift Container Platform.
-
You have an existing vulnerability scan task.
Procedures
-
In the Developer or Administrator perspective, switch to the relevant project where you want a visual representation of vulnerabilities.
-
Update your existing vulnerability scan task to ensure that it stores the output in the .json file and then extracts the vulnerability summary in the following format:
# The format to extract vulnerability summary (adjust the jq command for different JSON structures). jq -rce \ '{vulnerabilities:{ critical: (.result.summary.CRITICAL), high: (.result.summary.IMPORTANT), medium: (.result.summary.MODERATE), low: (.result.summary.LOW) }}' scan_output.json | tee $(results.SCAN_OUTPUT.path)You might need to adjust the jq command for different JSON structures.
-
(Optional) If you do not have a vulnerability scan task, create one in the following format:
Example vulnerability scan task using Roxctl
apiVersion: tekton.dev/v1 kind: Task metadata: name: vulnerability-scan (1) annotations: task.output.location: results (2) task.results.format: application/json task.results.key: SCAN_OUTPUT (3) spec: results: - description: CVE result format (4) name: SCAN_OUTPUT type: string steps: - name: roxctl (5) image: quay.io/roxctl-tool-image (6) env: - name: ENV_VAR_NAME_1 (7) valueFrom: secretKeyRef: key: secret_key_1 name: secret_name_1 env: - name: ENV_VAR_NAME_2 valueFrom: secretKeyRef: key: secret_key_2 name: secret_name_2 script: | (8) #!/bin/sh # Sample shell script echo "ENV_VAR_NAME_1: " $ENV_VAR_NAME_1 echo "ENV_VAR_NAME_2: " $ENV_VAR_NAME_2 jq --version (adjust the jq command for different JSON structures) curl -k -L -H "Authorization: Bearer $ENV_VAR_NAME_1" https://$ENV_VAR_NAME_2/api/cli/download/roxctl-linux --output ./roxctl chmod +x ./roxctl echo "roxctl version" ./roxctl version echo "image from pipeline: " # Replace the following line with your dynamic image logic DYNAMIC_IMAGE=$(get_dynamic_image_logic_here) echo "Dynamic image: $DYNAMIC_IMAGE" ./roxctl image scan --insecure-skip-tls-verify -e $ENV_VAR_NAME_2 --image $DYNAMIC_IMAGE --output json > roxctl_output.json more roxctl_output.json jq -rce \ (9) '{vulnerabilities:{ critical: (.result.summary.CRITICAL), high: (.result.summary.IMPORTANT), medium: (.result.summary.MODERATE), low: (.result.summary.LOW) }}' scan_output.json | tee $(results.SCAN_OUTPUT.path)1 The name of your task. 2 The location for storing the task outputs. 3 The naming convention of the scan task result. A valid naming convention must end with the SCAN_OUTPUTstring. For example, SCAN_OUTPUT, MY_CUSTOM_SCAN_OUTPUT, or ACS_SCAN_OUTPUT.4 The description of the result. 5 The name of the vulnerability scanning tool that you have used. 6 The location of the actual image containing the scan tool. 7 The tool-specific environment variables. 8 The shell script to be executed with json output. For example, scan_output.json. 9 The format to extract vulnerability summary (adjust jqcommand for different JSON structures).
-
-
Update an appropriate Pipeline to add vulnerabilities specifications in the following format:
... spec: results: - description: The common vulnerabilities and exposures (CVE) result name: SCAN_OUTPUT type: $(tasks.vulnerability-scan.results.SCAN_OUTPUT)
Verification
-
Navigate to the
PipelineRundetails page and review the Vulnerabilities row for a visual representation of identified vulnerabilities. -
Alternatively, you can navigate to the
PipelineRunlist view page, and review the Vulnerabilities column.
Setting up OpenShift Pipelines to download or view SBOMs
The PipelineRun details page provides an option to download or view Software Bill of Materials (SBOMs), enhancing transparency and control within your supply chain. SBOMs lists all the software libraries that a component uses. Those libraries can enable specific functionality or facilitate development.
You can use an SBOM to better understand the composition of your software, identify vulnerabilities, and assess the potential impact of any security issues that might arise.
Figure 4. Options to download or view SBOMs
Prerequisites
-
You have logged in to the web console.
-
You have the appropriate roles and permissions in a project to create applications and other workloads in OpenShift Container Platform.
Procedure
-
In the Developer or Administrator perspective, switch to the relevant project where you want a visual representation of SBOMs.
-
Add a task in the following format to view or download the SBOM information:
Example SBOM taskapiVersion: tekton.dev/v1 kind: Task metadata: name: sbom-task (1) annotations: task.output.location: results (2) task.results.format: application/text task.results.key: LINK_TO_SBOM (3) task.results.type: external-link (4) spec: results: - description: Contains the SBOM link (5) name: LINK_TO_SBOM steps: - name: print-sbom-results image: quay.io/image (6) script: | (7) #!/bin/sh syft version syft quay.io/<username>/quarkus-demo:v2 --output cyclonedx-json=sbom-image.json echo 'BEGIN SBOM' cat sbom-image.json echo 'END SBOM' echo 'quay.io/user/workloads/<namespace>/node-express/node-express:build-8e536-1692702836' | tee $(results.LINK_TO_SBOM.path) (8)1 The name of your task. 2 The location for storing the task outputs. 3 The SBOM task result name. Do not change the name of the SBOM result task. 4 (Optional) Set to open the SBOM in a new tab. 5 The description of the result. 6 The image that generates the SBOM. 7 The script that generates the SBOM image. 8 The SBOM image along with the path name. -
Update the Pipeline to reference the newly created SBOM task.
... spec: tasks: - name: sbom-task taskRef: name: sbom-task (1) results: - name: IMAGE_URL (2) description: url value: <oci_image_registry_url> (3)1 The same name as created in Step 2. 2 The name of the result. 3 The OCI image repository URL which contains the .sbomimages. -
Rerun the affected OpenShift Pipeline.
Viewing an SBOM in the web UI
Prerequisites
-
You have set up OpenShift Pipelines to download or view SBOMs.
Procedure
-
Navigate to the Activity → PipelineRuns tab.
-
For the project whose SBOM you want to view, select its most recent pipeline run.
-
On the
PipelineRundetails page, select View SBOM.-
You can use your web browser to immediately search the SBOM for terms that indicate vulnerabilities in your software supply chain. For example, try searching for
log4j. -
You can select Download to download the SBOM, or Expand to view it full-screen.
-
Downloading an SBOM in the CLI
Prerequisites
-
You have installed the Cosign CLI tool.
-
You have set up OpenShift Pipelines to download or view SBOMs.
Procedure
-
Open terminal, log in to Developer or Administrator perspective, and then switch to the relevant project.
-
From the OpenShift web console, copy the
download sbomcommand and run it on your terminal.Example cosign command$ cosign download sbom quay.io/<workspace>/user-workload@sha256-
(Optional) To view the full SBOM in a searchable format, run the following command to redirect the output:
Example cosign command$ cosign download sbom quay.io/<workspace>/user-workload@sha256 > sbom.txt
-
Reading the SBOM
In the SBOM, as the following sample excerpt shows, you can see four characteristics of each library that a project uses:
-
Its author or publisher
-
Its name
-
Its version
-
Its licenses
This information helps you verify that individual libraries are safely-sourced, updated, and compliant.
Example SBOM
{
"bomFormat": "CycloneDX",
"specVersion": "1.4",
"serialNumber": "urn:uuid:89146fc4-342f-496b-9cc9-07a6a1554220",
"version": 1,
"metadata": {
...
},
"components": [
{
"bom-ref": "pkg:pypi/flask@2.1.0?package-id=d6ad7ed5aac04a8",
"type": "library",
"author": "Armin Ronacher <armin.ronacher@active-4.com>",
"name": "Flask",
"version": "2.1.0",
"licenses": [
{
"license": {
"id": "BSD-3-Clause"
}
}
],
"cpe": "cpe:2.3:a:armin-ronacher:python-Flask:2.1.0:*:*:*:*:*:*:*",
"purl": "pkg:pypi/Flask@2.1.0",
"properties": [
{
"name": "syft:package:foundBy",
"value": "python-package-cataloger"
...