Build-time tests

This document covers the build-time tests that Konflux runs as part of its component build pipeline. These build-time tests automatically check all application images to inform you if they’re up-to-date, correctly formatted, and protected from security vulnerabilities.

These tests are non-blocking and do not prevent the pipeline from proceeding if issues are found. The tests use results conventions in order to indicate the status of the tests and scans that are run.

The component build pipeline for Konflux include various types of build-time tests, conducted using Tekton tasks.

The table below outlines the default build-time tests:

Table 1. Deprecated image checks
Test name Description Failure message

image_repository_deprecated

Deprecated images are no longer maintained, leading to unresolved security vulnerabilities.

The container image must not be built from a repository marked as 'Deprecated' in COMET

Table 2. Unsigned RPM check
Test name Description Failure message

image_unsigned_rpms

Packages signed with Red Hat’s secure signing server adheres to stringent policies and procedures.

Alerts the user for any unsigned RPMs. Found following unsigned rpms(nvra):

Table 3. Security checks
Test name Description Failure message

clair-scan

Scans container images for vulnerabilities using Clair, by comparing the components of container image against Clair’s vulnerability databases.

Found packages with critical vulnerabilities. Consider updating to a newer version of those packages, they may no longer be affected by the reported CVEs.

clamav-scan

Scans the content of container images for viruses, malware, and other malicious content using ClamAV antivirus scanner.

A malware has been found.

sast-snyk-check

Scans and analyze source code or compiled versions of code to help find security flaws using Snyk Code.

For details, review Tekton task log.

You can disable the default build-time tests by setting the skip-checks parameter to true

- description: Skip checks against built image
  name: skip-checks
  type: string
  default: "false"

Additional resources