Build-time tests
This document covers the build-time tests that Konflux runs as part of its component build pipeline. These build-time tests automatically check all application images to inform you if they’re up-to-date, correctly formatted, and protected from security vulnerabilities.
These tests are non-blocking and do not prevent the pipeline from proceeding if issues are found. |
The component build pipeline for Konflux include various types of build-time tests, conducted using Tekton tasks.
The table below outlines the default build-time tests:
Test name | Description | Failure message |
---|---|---|
image_repository_deprecated |
Deprecated images are no longer maintained, leading to unresolved security vulnerabilities. |
The container image must not be built from a repository marked as 'Deprecated' in COMET |
Test name | Description | Failure message |
---|---|---|
image_unsigned_rpms |
Packages signed with Red Hat’s secure signing server adheres to stringent policies and procedures. |
Alerts the user for any unsigned RPMs. Found following unsigned rpms(nvra): |
Test name | Description | Failure message |
---|---|---|
clair-scan |
Scans container images for vulnerabilities using Clair, by comparing the components of container image against Clair’s vulnerability databases. |
Found packages with critical vulnerabilities. Consider updating to a newer version of those packages, they may no longer be affected by the reported CVEs. |
clamav-scan |
Scans the content of container images for viruses, malware, and other malicious content using ClamAV antivirus scanner. |
A malware has been found. |
sast-snyk-check |
Scans and analyze source code or compiled versions of code to help find security flaws using Snyk Code. |
For details, review Tekton task log. |
You can disable the default build-time tests by setting the skip-checks
parameter to true
- description: Skip checks against built image
name: skip-checks
type: string
default: "false"
Additional resources
-
For information about enabling Snyk task, see Enabling a Snyk task.
-
For additional build-time tests, see Customizing the build pipeline.