Use the Developer or Administrator perspective to create or modify a pipeline and view key Software Supply Chain Security elements within a project.
Set up OpenShift Pipelines to view:
Project vulnerabilities: Visual representation of identified vulnerabilities within a project.
Software Bill of Materials (SBOMs): Download or view detailed listing of PipelineRun components.
Additionally, PipelineRuns that meet Tekton Chains requirement displays signed badges next to their names. This badge indicates that the pipeline run execution results are cryptographically signed and stored securely, for example within an OCI image.
The PipelineRun displays the signed badge next to its name only if you have configured Tekton Chains. For information on configuring Tekton Chains, see Using Tekton Chains for OpenShift Pipelines supply chain security.
The PipelineRun details page provides a visual representation of identified vulnerabilities, categorized by the severity (critical, high, medium, and low). This streamlined view facilitates prioritization and remediation efforts.
PipelineRun
details pageYou can also review the vulnerabilities in the Vulnerabilities column in the pipeline run list view page.
PipelineRun
list view
Visual representation of identified vulnerabilities is available starting from the OpenShift Container Platform version 4.15 release. |
You have logged in to the web console.
You have the appropriate roles and permissions in a project to create applications and other workloads in OpenShift Container Platform.
You have an existing vulnerability scan task.
In the Developer or Administrator perspective, switch to the relevant project where you want a visual representation of vulnerabilities.
Update your existing vulnerability scan task to ensure that it stores the output in the .json file and then extracts the vulnerability summary in the following format:
# The format to extract vulnerability summary (adjust the jq command for different JSON structures).
jq -rce \
'{vulnerabilities:{
critical: (.result.summary.CRITICAL),
high: (.result.summary.IMPORTANT),
medium: (.result.summary.MODERATE),
low: (.result.summary.LOW)
}}' scan_output.json | tee $(results.SCAN_OUTPUT.path)
You might need to adjust the jq command for different JSON structures. |
(Optional) If you do not have a vulnerability scan task, create one in the following format:
Example vulnerability scan task using Roxctl
apiVersion: tekton.dev/v1
kind: Task
metadata:
name: vulnerability-scan (1)
annotations:
task.output.location: results (2)
task.results.format: application/json
task.results.key: SCAN_OUTPUT (3)
spec:
results:
- description: CVE result format (4)
name: SCAN_OUTPUT
steps:
- name: roxctl (5)
image: quay.io/roxctl-tool-image (6)
env:
- name: ENV_VAR_NAME_1 (7)
valueFrom:
secretKeyRef:
key: secret_key_1
name: secret_name_1
env:
- name: ENV_VAR_NAME_2
valueFrom:
secretKeyRef:
key: secret_key_2
name: secret_name_2
script: | (8)
#!/bin/sh
# Sample shell script
echo "ENV_VAR_NAME_1: " $ENV_VAR_NAME_1
echo "ENV_VAR_NAME_2: " $ENV_VAR_NAME_2
jq --version (adjust the jq command for different JSON structures)
curl -k -L -H "Authorization: Bearer $ENV_VAR_NAME_1" https://$ENV_VAR_NAME_2/api/cli/download/roxctl-linux --output ./roxctl
chmod +x ./roxctl
echo "roxctl version"
./roxctl version
echo "image from pipeline: "
# Replace the following line with your dynamic image logic
DYNAMIC_IMAGE=$(get_dynamic_image_logic_here)
echo "Dynamic image: $DYNAMIC_IMAGE"
./roxctl image scan --insecure-skip-tls-verify -e $ENV_VAR_NAME_2 --image $DYNAMIC_IMAGE --output json > roxctl_output.json
more roxctl_output.json
jq -rce \ (9)
'{vulnerabilities:{
critical: (.result.summary.CRITICAL),
high: (.result.summary.IMPORTANT),
medium: (.result.summary.MODERATE),
low: (.result.summary.LOW)
}}' scan_output.json | tee $(results.SCAN_OUTPUT.path)
1 | The name of your task. |
2 | The location for storing the task outputs. |
3 | The naming convention of the scan task result. A valid naming convention must end with the SCAN_OUTPUT string. For example, SCAN_OUTPUT, MY_CUSTOM_SCAN_OUTPUT, or ACS_SCAN_OUTPUT. |
4 | The description of the result. |
5 | The name of the vulnerability scanning tool that you have used. |
6 | The location of the actual image containing the scan tool. |
7 | The tool-specific environment variables. |
8 | The shell script to be executed with json output. For example, scan_output.json. |
9 | The format to extract vulnerability summary (adjust jq command for different JSON structures). |
This is an example configuration. Modify the values according to your specific scanning tool to set results in the expected format. |
Update an appropriate Pipeline to add vulnerabilities specifications in the following format:
...
spec:
results:
- description: The common vulnerabilities and exposures (CVE) result
name: SCAN_OUTPUT
value: $(tasks.vulnerability-scan.results.SCAN_OUTPUT)
Navigate to the PipelineRun
details page and review the Vulnerabilities row for a visual representation of identified vulnerabilities.
Alternatively, you can navigate to the PipelineRun
list view page, and review the Vulnerabilities column.
The PipelineRun
details page provides an option to download or view Software Bill of Materials (SBOMs), enhancing transparency and control within your supply chain. SBOMs lists all the software libraries that a component uses. Those libraries can enable specific functionality or facilitate development.
You can use an SBOM to better understand the composition of your software, identify vulnerabilities, and assess the potential impact of any security issues that might arise.
You have logged in to the web console.
You have the appropriate roles and permissions in a project to create applications and other workloads in OpenShift Container Platform.
In the Developer or Administrator perspective, switch to the relevant project where you want a visual representation of SBOMs.
Add a task in the following format to view or download the SBOM information:
apiVersion: tekton.dev/v1
kind: Task
metadata:
name: sbom-task (1)
annotations:
task.output.location: results (2)
task.results.format: application/text
task.results.key: LINK_TO_SBOM (3)
task.results.type: external-link (4)
spec:
results:
- description: Contains the SBOM link (5)
name: LINK_TO_SBOM
steps:
- name: print-sbom-results
image: quay.io/image (6)
script: | (7)
#!/bin/sh
syft version
syft quay.io/<username>/quarkus-demo:v2 --output cyclonedx-json=sbom-image.json
echo 'BEGIN SBOM'
cat sbom-image.json
echo 'END SBOM'
echo 'quay.io/user/workloads/<namespace>/node-express/node-express:build-8e536-1692702836' | tee $(results.LINK_TO_SBOM.path) (8)
1 | The name of your task. |
2 | The location for storing the task outputs. |
3 | The SBOM task result name. Do not change the name of the SBOM result task. |
4 | (Optional) Set to open the SBOM in a new tab. |
5 | The description of the result. |
6 | The image that generates the SBOM. |
7 | The script that generates the SBOM image. |
8 | The SBOM image along with the path name. |
Update the Pipeline to reference the newly created SBOM task.
...
spec:
tasks:
- name: sbom-task
taskRef:
name: sbom-task (1)
results:
- name: IMAGE_URL (2)
description: url
value: <oci_image_registry_url> (3)
1 | The same name as created in Step 2. |
2 | The name of the result. |
3 | The OCI image repository URL which contains the .sbom images. |
Rerun the affected OpenShift Pipeline.
You have set up OpenShift Pipelines to download or view SBOMs.
Navigate to the Activity → PipelineRuns tab.
For the project whose SBOM you want to view, select its most recent pipeline run.
On the PipelineRun
details page, select View SBOM.
You can use your web browser to immediately search the SBOM for terms that indicate vulnerabilities in your software supply chain. For example, try searching for log4j
.
You can select Download to download the SBOM, or Expand to view it full-screen.
You have installed the Cosign CLI tool.
You have set up OpenShift Pipelines to download or view SBOMs.
Open terminal, log in to Developer or Administrator perspective, and then switch to the relevant project.
From the OpenShift web console, copy the download sbom
command and run it on your terminal.
$ cosign download sbom quay.io/<workspace>/user-workload@sha256
(Optional) To view the full SBOM in a searchable format, run the following command to redirect the output:
$ cosign download sbom quay.io/<workspace>/user-workload@sha256 > sbom.txt
In the SBOM, as the following sample excerpt shows, you can see four characteristics of each library that a project uses:
Its author or publisher
Its name
Its version
Its licenses
This information helps you verify that individual libraries are safely-sourced, updated, and compliant.
{
"bomFormat": "CycloneDX",
"specVersion": "1.4",
"serialNumber": "urn:uuid:89146fc4-342f-496b-9cc9-07a6a1554220",
"version": 1,
"metadata": {
...
},
"components": [
{
"bom-ref": "pkg:pypi/flask@2.1.0?package-id=d6ad7ed5aac04a8",
"type": "library",
"author": "Armin Ronacher <armin.ronacher@active-4.com>",
"name": "Flask",
"version": "2.1.0",
"licenses": [
{
"license": {
"id": "BSD-3-Clause"
}
}
],
"cpe": "cpe:2.3:a:armin-ronacher:python-Flask:2.1.0:*:*:*:*:*:*:*",
"purl": "pkg:pypi/Flask@2.1.0",
"properties": [
{
"name": "syft:package:foundBy",
"value": "python-package-cataloger"
...