Integrating Scribe in your Tekton Pipelines
Use the following instructions to integrate your Tekton pipelines with Scribe.
1. Obtain a Scribe Hub API Token
- Sign in to Scribe Hub. If you don't have an account you can sign up for free here.
- Create an API token in Scribe Hub > Settings > Tokens. Copy it to a safe temporary notepad until you complete the integration. The token is a secret and will not be accessible from the UI after you finalize the token generation.
2. Add the API token to Kubernetes secrets
Add the Scribe Hub API token as SCRIBE_TOKEN to your Kubernetes secret.
The following example looks for a Kubernetes secret that holds your Scribe API token. This secret is called scribe-secret by default and is expected to have the key scribe-token.
You can use the following example configuration:

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: scribe-secret          # the default name the valint task looks up
type: Opaque
stringData:
  scribe-token: $(SCRIBE_TOKEN)  # replace with the token value; kubectl does not expand $(...)
  scribe_enable: "true"          # stringData values must be strings, so the boolean is quoted
```

```sh
kubectl apply --namespace=<namespace> -f scribe-secret.yaml
```

Omit --namespace if installing in the default namespace.
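As an added example that is not part of the Scribe documentation, the following POSIX shell helper renders the secret from an environment variable and pipes it straight into kubectl, so the token is never written to a file that could be committed. It assumes the default secret name scribe-secret and key scribe-token stated above, keeps the scribe_enable key from the manifest, assumes the token is JWT-shaped (letters, digits, `.`, `_`, `-`), and assumes kubectl is already configured for the target cluster; the token value used in the check is constructed.

```sh
#!/bin/sh
# Added example, not from the Scribe docs: create the secret the valint task
# reads from $SCRIBE_TOKEN instead of pasting the token into a manifest.
# kubectl does not expand "$(SCRIBE_TOKEN)" inside stringData, so applying a
# file with that literal would store the placeholder, not the token.
# Assumptions: default name "scribe-secret", key "scribe-token", JWT-shaped token.

# Render the Secret manifest to stdout. Fails closed when SCRIBE_TOKEN is unset,
# empty, or contains characters outside the expected token alphabet, so an
# empty or malformed credential is never applied to the cluster.
render_scribe_secret() {
  name="${1:-scribe-secret}"
  key="${2:-scribe-token}"
  if [ -z "${SCRIBE_TOKEN:-}" ]; then
    echo "render_scribe_secret: SCRIBE_TOKEN is not set" >&2
    return 1
  fi
  # Reject rather than quote: anything outside the allowlist is not a Scribe token.
  if printf '%s' "$SCRIBE_TOKEN" | grep -q '[^A-Za-z0-9._-]'; then
    echo "render_scribe_secret: SCRIBE_TOKEN contains unexpected characters" >&2
    return 1
  fi
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\nstringData:\n  %s: "%s"\n  scribe_enable: "true"\n' \
    "$name" "$key" "$SCRIBE_TOKEN"
}

# Apply the rendered manifest via stdin so the token never touches disk.
# Usage: SCRIBE_TOKEN=... apply_scribe_secret [namespace]
apply_scribe_secret() {
  ns="${1:-default}"
  render_scribe_secret | kubectl apply --namespace="$ns" -f -
}
```

After applying, `kubectl get secret scribe-secret -o jsonpath='{.data.scribe-token}' | base64 -d | wc -c` confirms the stored value has the expected length without printing it to the terminal.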
3. Install Scribe CLI
Valint, the Scribe CLI, is required to generate evidence such as SBOMs and SLSA provenance.
- Install the Azure DevOps Valint task from the Azure marketplace.
- Follow install-an-extension to add the extension to your organization and use the task in your pipelines.
4. Instrument your build scripts
Usage

```yaml
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
  name: valint-test-pipeline
spec:
  workspaces:
    - name: shared-workspace
  tasks:
    - name: valint-bom
      taskRef:
        name: valint
      params:
        - name: args
          value: bom busybox:latest
```

Parameters

Parameter | Description | Default |
---|---|---|
scribe-secret | The name of the secret that holds the Scribe security secrets. | scribe-secret |
args | Arguments passed to the valint CLI. | |
image-version-sha | The ID of the valint CLI image to be used. | |
Basic example

```yaml
# Create a CycloneDX SBOM and verify it.
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
  name: basic-tests
spec:
  workspaces:
    - name: shared-workspace
  tasks:
    - name: valint-bom
      taskRef:
        name: valint
      workspaces:
        - name: output
          workspace: shared-workspace
      params:
        - name: args
          value:
            - bom
            - busybox:latest
            - -o=statement
    - name: valint-verify-bom
      taskRef:
        name: valint
      workspaces:
        - name: output
          workspace: shared-workspace
      runAfter:
        - valint-bom          # verification must run after the SBOM has been generated
      params:
        - name: args
          value:
            - verify
            - busybox:latest
            - -i=statement
```

```yaml
# Create a SLSA Provenance and verify it.
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
  name: basic-tests
spec:
  workspaces:
    - name: shared-workspace
  tasks:
    - name: valint-slsa
      taskRef:
        name: valint
      workspaces:
        - name: output
          workspace: shared-workspace
      params:
        - name: args
          value:
            - slsa
            - alpine:latest
            - -o=statement
    - name: valint-verify-slsa
      taskRef:
        name: valint
      workspaces:
        - name: output
          workspace: shared-workspace
      runAfter:
        - valint-slsa
      params:
        - name: args
          value:
            - verify
            - alpine:latest
            - -i=statement-slsa
```
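Each runAfter entry must name a task defined in the same Pipeline; otherwise Tekton rejects the PipelineRun and no evidence is generated or verified. The following POSIX shell script, an added example that is not part of Scribe's or Tekton's tooling, checks a Pipeline manifest for runAfter entries that point at undefined tasks, which is the same check worth running on the OCI evidence store pipelines later on this page. It assumes block-style YAML laid out as on this page (each task entry begins with `- name:` directly under `tasks:`, runAfter is written as a list) and embeds a constructed sample pipeline whose verify task references a task name that does not exist.

```sh
#!/bin/sh
# Added example (not Scribe's or Tekton's own tooling): lint a Tekton Pipeline
# for runAfter entries that name a task the pipeline does not define, so the
# mistake is caught before `kubectl apply` rather than by a failed PipelineRun.
# Assumptions: block-style YAML, tasks listed as "- name: X" directly under
# "tasks:" with name as the first key, and runAfter written as a list.

# Read a Pipeline manifest on stdin; print dangling references, exit 1 if any.
check_run_after() {
  awk '
    function indent(s) { match(s, /^ */); return RLENGTH }
    /^ *tasks: *$/ { in_tasks = 1; task_indent = -1; next }
    !in_tasks      { next }
                   { ind = indent($0) }
    in_run_after {
      # Collect "- task-name" items nested under the runAfter: key.
      if (ind > ra_indent && $0 ~ /^ *- +[^ ]/) {
        ref = $0; sub(/^ *- +/, "", ref); sub(/ +$/, "", ref)
        nrefs++; refs[nrefs] = ref; owner[nrefs] = current
        next
      }
      in_run_after = 0   # back at the parent level: the runAfter list is over
    }
    /^ *- +name:/ {
      # Only list items at the tasks indent are pipeline tasks; "- name: args"
      # under params and "- name: output" under workspaces sit deeper.
      if (task_indent < 0) task_indent = ind
      if (ind == task_indent) {
        current = $0; sub(/^ *- +name: */, "", current); sub(/ +$/, "", current)
        tasks[current] = 1
      }
      next
    }
    /^ *runAfter: *$/ { in_run_after = 1; ra_indent = ind; next }
    END {
      bad = 0
      for (i = 1; i <= nrefs; i++)
        if (!(refs[i] in tasks)) {
          printf "task %s: runAfter references undefined task %s\n", owner[i], refs[i]
          bad = 1
        }
      exit bad
    }
  '
}

# Constructed sample: an SBOM pipeline whose verify task waits on "valint-verify",
# although the generating task is named "valint-bom".
sample_pipeline() {
  cat <<'EOF'
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
  name: basic-tests
spec:
  workspaces:
    - name: shared-workspace
  tasks:
    - name: valint-bom
      taskRef:
        name: valint
      params:
        - name: args
          value:
            - bom
            - busybox:latest
            - -o=statement
    - name: valint-verify-bom
      taskRef:
        name: valint
      runAfter:
        - valint-verify
      params:
        - name: args
          value:
            - verify
            - busybox:latest
            - -i=statement
EOF
}

# Usage: check_run_after < pipeline.yaml   or   sh lint_runafter.sh --demo
if [ "${1:-}" = "--demo" ]; then
  sample_pipeline | check_run_after
fi
```

Run it as a step before `kubectl apply` in the pipeline's own CI; a non-zero exit blocks the manifest, and the message names both the task and the missing reference.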
Additional examples
Public registry image (SBOM)
Create an SBOM for the remote busybox:latest image.

```yaml
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
  name: basic-tests
spec:
  workspaces:
    - name: shared-workspace
  tasks:
    - name: valint-bom
      taskRef:
        name: valint
      workspaces:
        - name: output
          workspace: shared-workspace
      params:
        - name: args
          value:
            - bom
            - busybox:latest
```
Public registry image (SLSA)
Create SLSA provenance for the remote busybox:latest image.

```yaml
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
  name: basic-tests
spec:
  workspaces:
    - name: shared-workspace
  tasks:
    - name: valint-slsa
      taskRef:
        name: valint
      workspaces:
        - name: output
          workspace: shared-workspace
      params:
        - name: args
          value:
            - slsa
            - busybox:latest
```
Custom metadata (SBOM)
Custom metadata added to the SBOM.

```yaml
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
  name: basic-tests
spec:
  workspaces:
    - name: shared-workspace
  tasks:
    - name: valint-bom
      taskRef:
        name: valint
      workspaces:
        - name: output
          workspace: shared-workspace
      params:
        - name: args
          value:
            - bom
            - busybox:latest
            - --env=test_env
            - --label=test_label
```
Custom metadata (SLSA)
Custom metadata added to the SLSA provenance.

```yaml
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
  name: basic-tests
spec:
  workspaces:
    - name: shared-workspace
  tasks:
    - name: valint-slsa
      taskRef:
        name: valint
      workspaces:
        - name: output
          workspace: shared-workspace
      params:
        - name: args
          value:
            - slsa
            - busybox:latest
            - --env=test_env
            - --label=test_label
```
Archive image (SBOM)
Create an SBOM for local docker save output. Use the oci-archive target type when the archive was created as an OCI archive (podman save).

```yaml
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
  name: basic-tests
spec:
  workspaces:
    - name: shared-workspace
  tasks:
    - name: valint-bom
      taskRef:
        name: valint
      workspaces:
        - name: output
          workspace: shared-workspace
      params:
        - name: args
          value:
            - bom
            - docker-archive:busybox.tar
```
Archive image (SLSA)
Create SLSA provenance for local docker save output. Use the oci-archive target type when the archive was created as an OCI archive (podman save).

```yaml
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
  name: basic-tests
spec:
  workspaces:
    - name: shared-workspace
  tasks:
    - name: valint-slsa
      taskRef:
        name: valint
      workspaces:
        - name: output
          workspace: shared-workspace
      params:
        - name: args
          value:
            - slsa
            - docker-archive:busybox.tar
```
Directory target (SBOM)
Create an SBOM for a local directory.

```yaml
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
  name: basic-tests
spec:
  workspaces:
    - name: shared-workspace
  tasks:
    - name: valint-bom
      taskRef:
        name: valint
      workspaces:
        - name: output
          workspace: shared-workspace
      params:
        - name: args
          value:
            - bom
            - dir:testdir
```
Directory target (SLSA)
Create SLSA provenance for a local directory.

```yaml
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
  name: basic-tests
spec:
  workspaces:
    - name: shared-workspace
  tasks:
    - name: valint-slsa
      taskRef:
        name: valint
      workspaces:
        - name: output
          workspace: shared-workspace
      params:
        - name: args
          value:
            - slsa
            - dir:testdir
```
Git target (SBOM)
Create an SBOM for the mongo-express remote git repository.

```yaml
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
  name: basic-tests
spec:
  workspaces:
    - name: shared-workspace
  tasks:
    - name: valint-bom
      taskRef:
        name: valint
      workspaces:
        - name: output
          workspace: shared-workspace
      params:
        - name: args
          value:
            - bom
            - git:https://github.com/mongo-express/mongo-express.git
```

Create an SBOM for a local git repository.
When using implicit checkout, note that the Gitlab-CI git-strategy will affect the commits collected by the SBOM.

```yaml
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
  name: basic-tests
spec:
  workspaces:
    - name: shared-workspace
  tasks:
    - name: valint-bom
      taskRef:
        name: valint
      workspaces:
        - name: output
          workspace: shared-workspace
      params:
        - name: args
          value:
            - bom
            - git:.
```
Git target (SLSA)
Create SLSA provenance for the mongo-express remote git repository.

```yaml
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
  name: basic-tests
spec:
  workspaces:
    - name: shared-workspace
  tasks:
    - name: valint-slsa
      taskRef:
        name: valint
      workspaces:
        - name: output
          workspace: shared-workspace
      params:
        - name: args
          value:
            - slsa
            - git:https://github.com/mongo-express/mongo-express.git
```

Create SLSA provenance for a local git repository.
When using implicit checkout, note that the Gitlab-CI git-strategy will affect the commits collected by the SBOM.

```yaml
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
  name: basic-tests
spec:
  workspaces:
    - name: shared-workspace
  tasks:
    - name: valint-slsa
      taskRef:
        name: valint
      workspaces:
        - name: output
          workspace: shared-workspace
      params:
        - name: args
          value:
            - slsa
            - git:.
```
Alternative evidence stores
You can learn more about alternative stores here.
Details
OCI Evidence store
Valint supports both storage and verification flows for attestations and statement objects using an OCI registry as an evidence store. Using an OCI registry as an evidence store allows you to upload, download and verify evidence across your supply chain in a seamless manner.
Related flags:
- --oci: enable the OCI store.
- --oci-repo: evidence store location.
Before you begin
Evidence can be stored in any accessible registry.
- Write access is required for upload (generate).
- Read access is required for download (verify).
You must first log in to your registry with the required access privileges before calling Valint.
Usage

```yaml
# Creates a CycloneDX SBOM and verifies its policy.
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
  name: basic-tests
spec:
  workspaces:
    - name: shared-workspace
  tasks:
    - name: valint-bom
      taskRef:
        name: valint
      workspaces:
        - name: output
          workspace: shared-workspace
      params:
        - name: args
          value:
            - bom
            - busybox:latest
            - -o=statement
            - --oci
            - --oci-repo=[my_repo]   # [my_repo] is a placeholder for your registry path
    - name: valint-verify-bom
      taskRef:
        name: valint
      workspaces:
        - name: output
          workspace: shared-workspace
      runAfter:
        - valint-bom
      params:
        - name: args
          value:
            - verify
            - busybox:latest
            - -i=statement
            - --oci
            - --oci-repo=[my_repo]
```

```yaml
# Creates a SLSA Provenance and verifies its policy.
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
  name: basic-tests
spec:
  workspaces:
    - name: shared-workspace
  tasks:
    - name: valint-slsa
      taskRef:
        name: valint
      workspaces:
        - name: output
          workspace: shared-workspace
      params:
        - name: args
          value:
            - slsa
            - busybox:latest
            - -o=statement
            - --oci
            - --oci-repo=[my_repo]   # [my_repo] is a placeholder for your registry path
    - name: valint-verify-slsa
      taskRef:
        name: valint
      workspaces:
        - name: output
          workspace: shared-workspace
      runAfter:
        - valint-slsa
      params:
        - name: args
          value:
            - verify
            - busybox:latest
            - -i=statement-slsa
            - --oci
            - --oci-repo=[my_repo]
```