add securityContext of ReadOnlyRootFilesystem to steps

Signed-off-by: Hasan Awad <[email protected]>

test again

Fix test

Author: hasanawad94

pkg/config/config.go

@@ -215,8 +215,9 @@ func NewDefaultConfig() *Config {
 						"ALL",
 					},
 				},
-				RunAsUser:  nonRoot,
-				RunAsGroup: nonRoot,
+				RunAsUser:              nonRoot,
+				RunAsGroup:             nonRoot,
+				ReadOnlyRootFilesystem: ptr.To(true),
 			},
 		},
 
@@ -231,6 +232,14 @@ func NewDefaultConfig() *Config {
 					Name:  "HOME",
 					Value: "/shared-home",
 				},
+				{
+					Name:  "TRIVY_CACHE_DIR",
+					Value: "/trivy-workspace/trivy-cache",
+				},
+				{
+					Name:  "TMPDIR",
+					Value: "/trivy-workspace/tmp",
+				},
 			},
 			// The image processing step runs after the build strategy steps where an arbitrary
 			// user could have been used to write the result files for the image digest. The
@@ -241,6 +250,7 @@ func NewDefaultConfig() *Config {
 				AllowPrivilegeEscalation: ptr.To(false),
 				RunAsUser:                root,
 				RunAsGroup:               root,
+				ReadOnlyRootFilesystem:   ptr.To(true),
 				Capabilities: &corev1.Capabilities{
 					Add: []corev1.Capability{
 						"DAC_OVERRIDE",
@@ -274,8 +284,9 @@ func NewDefaultConfig() *Config {
 						"ALL",
 					},
 				},
-				RunAsUser:  nonRoot,
-				RunAsGroup: nonRoot,
+				RunAsUser:              nonRoot,
+				RunAsGroup:             nonRoot,
+				ReadOnlyRootFilesystem: ptr.To(true),
 			},
 		},
 

pkg/config/config_test.go

@@ -243,8 +243,9 @@ var _ = Describe("Config", func() {
 								"ALL",
 							},
 						},
-						RunAsUser:  nonRoot,
-						RunAsGroup: nonRoot,
+						RunAsUser:              nonRoot,
+						RunAsGroup:             nonRoot,
+						ReadOnlyRootFilesystem: ptr.To(true),
 					},
 				}))
 			})

pkg/reconciler/buildrun/resources/image_processing.go

@@ -23,6 +23,8 @@ const (
 	containerNameImageProcessing = "image-processing"
 	outputDirectoryMountPath     = "/workspace/output-image"
 	paramOutputDirectory         = "output-directory"
+	trivyVolumeName              = "trivy-work-dir"
+	trivyVolumeMountPath         = "/trivy-workspace"
 )
 
 type VulnerablilityScanParams struct {
@@ -160,6 +162,12 @@ func SetupImageProcessing(taskRun *pipelineapi.TaskRun, cfg *config.Config, crea
 		stepArgs = append(stepArgs, "--result-file-image-size", fmt.Sprintf("$(results.%s-%s.path)", prefixParamsResultsVolumes, imageSizeResult))
 		stepArgs = append(stepArgs, "--result-file-image-vulnerabilities", fmt.Sprintf("$(results.%s-%s.path)", prefixParamsResultsVolumes, imageVulnerabilities))
 
+		taskRun.Spec.TaskSpec.Volumes = append(taskRun.Spec.TaskSpec.Volumes, core.Volume{
+			Name: trivyVolumeName,
+			VolumeSource: core.VolumeSource{
+				EmptyDir: &core.EmptyDirVolumeSource{},
+			},
+		})
 		// add the push step
 
 		// initialize the step from the template and the build-specific arguments
@@ -173,8 +181,13 @@ func SetupImageProcessing(taskRun *pipelineapi.TaskRun, cfg *config.Config, crea
 			ComputeResources: cfg.ImageProcessingContainerTemplate.Resources,
 			SecurityContext:  cfg.ImageProcessingContainerTemplate.SecurityContext,
 			WorkingDir:       cfg.ImageProcessingContainerTemplate.WorkingDir,
+			VolumeMounts: []core.VolumeMount{
+				{
+					Name:      trivyVolumeName,
+					MountPath: trivyVolumeMountPath,
+				},
+			},
 		}
-
 		if volumeAdded {
 			imageProcessingStep.VolumeMounts = append(imageProcessingStep.VolumeMounts, core.VolumeMount{
 				Name:      prefixedOutputDirectory,

pkg/reconciler/buildrun/resources/taskrun_test.go

@@ -122,7 +122,7 @@ var _ = Describe("GenerateTaskrun", func() {
 			})
 
 			It("should ensure top level volumes are populated", func() {
-				Expect(len(got.Volumes)).To(Equal(1))
+				Expect(len(got.Volumes)).To(Equal(2))
 			})
 
 			It("should contain the shipwright system parameters", func() {