Skip to content

Catalog health: API modernization, image pinning, and CVE remediation #1381

Description

@vdemeester

Summary

A static + CVE analysis of the catalog's active (non-deprecated) resources surfaces a few concrete, mostly-mechanical maintenance buckets. Full interactive report (foldable, filterable):

Baseline main@8e41018 · 158 active resources (150 deprecated excluded).

Findings

Area Count Notes
API version outdated 123 Task not on v1 / StepAction not on v1beta1
Mutable-tag images 46 not pinned to @sha256
:latest / untagged images 10 should pin
CVEs (HIGH/CRITICAL) 1,772 C / 18,437 H across 87 scanned images; high counts ≈ stale pins
$(params) in script: 79 hardening review (prefer env)
Privileged securityContext 5 mostly legitimate (buildah/buildkit) — review only
Missing tests/run.yaml (see report)
Missing spec.description (see report)

Note: $(params)-in-script and privileged are review signals, not automatic bugs — many are legitimate. PipelineResources usage is 0 among active resources (all such tasks are already deprecated).

Proposed work (in rough priority)

  • Supply chain: re-pin the 56 mutable/:latest images to current digests
  • CVEs: refresh the worst offenders (plumbing/test-runner, goreleaser, gradle, gke-deploy, …) — usually a digest bump
  • API: bump 123 outdated primaries to v1 / v1beta1 (batched, copy-then-modify per task)
  • Hardening: review the 79 $(params)-in-script tasks, move interpolation to env
  • Metadata/tests: fill missing spec.description and tests/run.yaml

Methodology

catalog-health-analyzer.py (in the gist): parses primary manifests, resolves image digests (skopeo/crane), runs trivy for HIGH/CRITICAL. Re-run with --cve. Numbers exclude tekton.dev/deprecated resources by default.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions