Summary
A static + CVE analysis of the catalog's active (non-deprecated) resources surfaces a few concrete, mostly-mechanical maintenance buckets. Full interactive report (foldable, filterable):
Baseline main@8e41018 · 158 active resources (150 deprecated excluded).
Findings
| Area |
Count |
Notes |
| API version outdated |
123 |
Task not on v1 / StepAction not on v1beta1 |
| Mutable-tag images |
46 |
not pinned to @sha256 |
:latest / untagged images |
10 |
should pin |
| CVEs (HIGH/CRITICAL) |
1,772 C / 18,437 H |
across 87 scanned images; high counts ≈ stale pins |
$(params) in script: |
79 |
hardening review (prefer env) |
| Privileged securityContext |
5 |
mostly legitimate (buildah/buildkit) — review only |
Missing tests/run.yaml |
(see report) |
|
Missing spec.description |
(see report) |
|
Note: $(params)-in-script and privileged are review signals, not automatic bugs — many are legitimate. PipelineResources usage is 0 among active resources (all such tasks are already deprecated).
Proposed work (in rough priority)
Methodology
catalog-health-analyzer.py (in the gist): parses primary manifests, resolves image digests (skopeo/crane), runs trivy for HIGH/CRITICAL. Re-run with --cve. Numbers exclude tekton.dev/deprecated resources by default.
Summary
A static + CVE analysis of the catalog's active (non-deprecated) resources surfaces a few concrete, mostly-mechanical maintenance buckets. Full interactive report (foldable, filterable):
Baseline
main@8e41018· 158 active resources (150 deprecated excluded).Findings
v1/ StepAction not onv1beta1@sha256:latest/ untagged images$(params)inscript:env)tests/run.yamlspec.descriptionProposed work (in rough priority)
:latestimages to current digestsplumbing/test-runner,goreleaser,gradle,gke-deploy, …) — usually a digest bumpv1/v1beta1(batched, copy-then-modify per task)$(params)-in-scripttasks, move interpolation toenvspec.descriptionandtests/run.yamlMethodology
catalog-health-analyzer.py(in the gist): parses primary manifests, resolves image digests (skopeo/crane), runs trivy for HIGH/CRITICAL. Re-run with--cve. Numbers excludetekton.dev/deprecatedresources by default.