// Use when a scan task fails in a pipeline, when task results have unexpected values, when understanding scan output formats, or when debugging bundle build failures.
Use when CI behaves unexpectedly, when you need to understand how Tekton bundles are built, or when understanding non-obvious behavior with templated workflows, Checkton, migration validation, kustomize checks, or trusted artifacts generation.
Use before pushing a PR for review, when CI checks fail, or when reviewing someone else's PR. Pre-push checklist covering all CI requirements, commit conventions, and documentation for task catalog PRs.
Use when creating task variants (remote, trusted-artifacts), working with recipe.yaml files, or when the check-ta CI workflow fails. Covers both Go generators, the recipe format, and the generation pipeline.
Use when creating a new task version, bumping version labels, writing migration scripts, or when versioning/migration CI checks fail. Covers version labels, CHANGELOG.md, migration scripts with pmt modify, and kustomized variant updates.
Use when writing tests for a Tekton task, running tests locally, debugging test failures in CI, or understanding the three testing layers (Kind cluster, Tekton integration, ShellSpec).
| name | debugging-task-failures |
| description | Use when a scan task fails in a pipeline, when task results have unexpected values, when understanding scan output formats, or when debugging bundle build failures. |
Debugging Tekton task failures in pipelines requires understanding task result formats, runner images, and common failure patterns. These scanning tasks (clair-scan, clamav-scan, deprecated-image-check, roxctl-scan, tpa-scan) share common patterns and error modes.
All scanning tasks must produce standardized result formats.
JSON object with scan result status:
{
"result": "SUCCESS|WARNING|ERROR|SKIPPED",
"note": "Human-readable description of result",
"timestamp": "ISO-8601 timestamp (e.g., 2025-05-20T14:30:00Z)"
}
Result values:
SUCCESS — scan passed, no issues foundWARNING — scan completed with non-critical issuesERROR — scan failed or found critical issuesSKIPPED — scan was skipped (image not relevant, etc.)JSON object with vulnerability counts by severity:
{
"vulnerabilities": {
"critical": 0,
"high": 2,
"medium": 5,
"low": 12,
"unknown": 1
},
"unpatched_vulnerabilities": {
"critical": 0,
"high": 0,
"medium": 1,
"low": 5,
"unknown": 0
}
}
vulnerabilities — Total count by severity from scan databaseunpatched_vulnerabilities — Vulnerabilities without available patchesJSON object mapping image pull specifications to their digests:
{
"image": {
"pullspec": "quay.io/org/image:tag",
"digests": ["sha256:abc123...", "sha256:def456..."]
}
}
Multiple digests if image built for multiple architectures.
JSON object mapping image digests to OCI artifact report digests:
{
"sha256:abc123...": {
"scan_report": "sha256:report-digest-1...",
"compliance_report": "sha256:report-digest-2..."
}
}
Reports are stored as OCI artifacts in the image registry.
| Step | Failure | Cause | Fix |
|---|---|---|---|
get-image-manifests | "unauthorized" | Missing docker auth or expired token | Check secret/credentials are mounted |
get-image-manifests | "not found" | Image does not exist in registry | Verify image pull spec is correct |
get-vulnerabilities | OOM killed | Image has too many layers; too much memory | Increase computeResources.limits.memory |
oci-attach-report | "failed to push" | Registry auth issue or storage quota exceeded | Check registry credentials and quota |
conftest-vulnerabilities | Policy violation | Vulnerability severity exceeds threshold | Review Conforma policies in policies/ |
Similar to clair-scan but uses ClamAV malware database instead of vulnerability DB.
| Step | Failure | Cause | Fix |
|---|---|---|---|
clamscan-image | "database outdated" | ClamAV DB not current | Update clamav-db image in task |
clamscan-image | Timeout | Large image with many files | Increase timeout or exclude paths |
| Step | Failure | Cause | Fix |
|---|---|---|---|
get-image-data | "service unavailable" | Pyxis API down (Red Hat's image metadata service) | Retry later; not a task issue |
conftest-deprecated | Policy failure | Base image marked as deprecated | Update to newer base image |
| Step | Failure | Cause | Fix |
|---|---|---|---|
roxctl-image-scan | "connection refused" | ROX_CENTRAL_ADDR unreachable | Verify ACS cluster URL and network access |
roxctl-image-scan | "authentication failed" | ROX_API_TOKEN invalid or expired | Regenerate API token in ACS |
| Step | Failure | Cause | Fix |
|---|---|---|---|
tpa-scan | "timeout" | TPA service slow or unresponsive | Retry; may be service issue |
All scanning tasks use utility images from Konflux:
| Image | Purpose | Source |
|---|---|---|
quay.io/konflux-ci/konflux-test | General utility functions, conftest policy execution | github.com/konflux-ci/konflux-test |
quay.io/konflux-ci/task-runner | OCI artifact attachment via oras | github.com/konflux-ci/task-runner |
quay.io/konflux-ci/clair-in-ci:latest | Clair vulnerability database | github.com/konflux-ci/clair-in-ci-db |
quay.io/konflux-ci/clamav-db:latest | ClamAV antivirus database | github.com/konflux-ci/konflux-clamav |
Pinning: Most tasks use floating latest tags. For reproducibility, pin to specific digest: image@sha256:...
Never use Tekton parameters directly in scripts. Always pass through env vars first.
WRONG (security risk):
spec:
steps:
- name: scan
script: |
scan-tool "$(params.image-url)" # Code injection vulnerability
CORRECT:
spec:
steps:
- name: scan
env:
- name: IMAGE_URL
value: "$(params.image-url)"
script: |
scan-tool "$IMAGE_URL" # Safe
Most scan tasks use RETRY_COUNT (default: 5) for transient failures (timeouts, rate limits).
Set via stepTemplate env variable:
spec:
stepTemplate:
env:
- name: RETRY_COUNT
value: "3"
Each task version has build pipelines in .tekton/:
Pull request: .tekton/<task>-<ver>-pull-request.yaml
Push: .tekton/<task>-<ver>-push.yaml
Debug steps:
Large scan reports are attached via oras push in oci-attach-report step.
Access attached reports:
oras pull <image>@<digest> --output /tmp/
| Mistake | Fix |
|---|---|
| Result JSON malformed | Validate with jq before returning result. Use jq -r @json to escape. |
| Result too large (>4KB) | Use OCI artifact attachment for large output. Summarize in embedded result. |
| Image pull fails silently | Check docker/podman auth is configured. Verify image exists. |
| Task times out | Check timeout parameter in PipelineRun. Increase if legitimate operation is slow. |
| OCI artifact attach fails | Verify registry credentials. Check storage quota. Ensure oras binary is in image. |
| Conftest policy fails unexpectedly | Review policies in policies/. Add --debug flag to conftest for verbose output. |
| CA certificate validation fails | Mount CA trust ConfigMap via ca-trust-config-map-name parameter. |