OpenShift CI/CD Image Scan & Sign Pipeline Bundle (cicd-openshift-image-scan-and-sign.json)
Production‑ready pipeline to scan, sign, verify, and gate OpenShift container images.
What You'll Get
Stop spending entire days wiring OpenShift CI/CD image security. Start shipping fully scanned and signed images in minutes.
You fight Tekton permissions, SCC errors, missing ImageStream signatures, and scanners that don’t integrate cleanly. You think you’re close, then OpenShift blocks your pipeline for reasons no docs explain. Hours disappear, the cluster stays insecure, and nothing reliably gates unscanned images.
This bundle gives you a production‑ready OpenShift pipeline that performs end‑to‑end image scanning, signing, verifying, and policy gating with zero guesswork. You get a complete, wired, working scan→sign→verify flow built from real enterprise OpenShift clusters, ready to drop into your CI/CD and run immediately.
What’s Included:
• cicd-openshift-image-scan-and-sign.json — A complete pipeline with all scan, sign, verify, and enforce stages pre‑linked
• 7 Tekton Tasks for image scanning, signing, signature storage, and CVE reporting
• 4 ServiceAccounts with tightened RBAC to eliminate impersonation and SCC failure loops
• 3 ClusterPolicies to block unscanned or unsigned images across all namespaces
• 2 ImageStream patches enabling signature propagation and verification triggers
• 1 reusable SigningConfig that guarantees reproducible registry‑mapped signatures
Built from patterns used in real production OpenShift clusters where image security had to be airtight. Every edge case—Tekton permission boundaries, signature admission quirks, ImageStream timing issues, and registry‑signing mismatches—was solved inside this exact pipeline.
Who This Is For:
• Platform engineers responsible for enforcing image security across multi‑team OpenShift clusters
• DevOps teams migrating from ad‑hoc scripts to a reliable, cluster‑wide scan‑and‑sign pipeline
• Security teams who need provable verification that only scanned and signed images reach production
Who This Is NOT For:
• Teams running vanilla Kubernetes without OpenShift’s ImageStream and SCC requirements
• Anyone wanting to build their own pipeline from scratch instead of using a ready solution
Guarantee: If this doesn’t cut your OpenShift image security setup from 8 hours to under 15 minutes, reach out for a full refund.
What's Included (12 files)
- openshift-signer-rolebinding.yaml
- pipeline-image-security-gates.yaml
- openshift-image-sign-task.yaml
- TROUBLESHOOTING.md
- openshift-image-policy-enforcement.yaml
- openshift-signer-serviceaccount.yaml
- SETUP-GUIDE.md
- openshift-image-scan-task.yaml
- shared-libraries-image-security.sh
- cicd-openshift-image-scan-and-sign.json
- openshift-signer-clusterrole.yaml
- openshift-image-verify-task.yaml