// Use when a scan task fails in a pipeline, when task results have unexpected values, when understanding scan output formats, or when debugging bundle build failures.
| name | debugging-task-failures |
| description | Use when a scan task fails in a pipeline, when task results have unexpected values, when understanding scan output formats, or when debugging bundle build failures. |
Debugging Tekton task failures in pipelines requires understanding task result formats, runner images, and common failure patterns. These scanning tasks (clair-scan, clamav-scan, deprecated-image-check, roxctl-scan, tpa-scan) share common patterns and error modes.
All scanning tasks must produce standardized result formats.
JSON object with scan result status:
{
"result": "SUCCESS|WARNING|ERROR|SKIPPED",
"note": "Human-readable description of result",
"timestamp": "ISO-8601 timestamp (e.g., 2025-05-20T14:30:00Z)"
}
Result values:
SUCCESS — scan passed, no issues foundWARNING — scan completed with non-critical issuesERROR — scan failed or found critical issuesSKIPPED — scan was skipped (image not relevant, etc.)JSON object with vulnerability counts by severity:
{
"vulnerabilities": {
"critical": 0,
"high": 2,
"medium": 5,
"low": 12,
"unknown": 1
},
"unpatched_vulnerabilities": {
"critical": 0,
"high": 0,
"medium": 1,
"low": 5,
"unknown": 0
}
}
vulnerabilities — Total count by severity from scan databaseunpatched_vulnerabilities — Vulnerabilities without available patchesJSON object mapping image pull specifications to their digests:
{
"image": {
"pullspec": "quay.io/org/image:tag",
"digests": ["sha256:abc123...", "sha256:def456..."]
}
}
Multiple digests if image built for multiple architectures.
JSON object mapping image digests to OCI artifact report digests:
{
"sha256:abc123...": {
"scan_report": "sha256:report-digest-1...",
"compliance_report": "sha256:report-digest-2..."
}
}
Reports are stored as OCI artifacts in the image registry.
| Step | Failure | Cause | Fix |
|---|---|---|---|
get-image-manifests | "unauthorized" | Missing docker auth or expired token | Check secret/credentials are mounted |
get-image-manifests | "not found" | Image does not exist in registry | Verify image pull spec is correct |
get-vulnerabilities | OOM killed | Image has too many layers; too much memory | Increase computeResources.limits.memory |
oci-attach-report | "failed to push" | Registry auth issue or storage quota exceeded | Check registry credentials and quota |
conftest-vulnerabilities | Policy violation | Vulnerability severity exceeds threshold | Review Conforma policies in policies/ |
Similar to clair-scan but uses ClamAV malware database instead of vulnerability DB.
| Step | Failure | Cause | Fix |
|---|---|---|---|
clamscan-image | "database outdated" | ClamAV DB not current | Update clamav-db image in task |
clamscan-image | Timeout | Large image with many files | Increase timeout or exclude paths |
| Step | Failure | Cause | Fix |
|---|---|---|---|
get-image-data | "service unavailable" | Pyxis API down (Red Hat's image metadata service) | Retry later; not a task issue |
conftest-deprecated | Policy failure | Base image marked as deprecated | Update to newer base image |
| Step | Failure | Cause | Fix |
|---|---|---|---|
roxctl-image-scan | "connection refused" | ROX_CENTRAL_ADDR unreachable | Verify ACS cluster URL and network access |
roxctl-image-scan | "authentication failed" | ROX_API_TOKEN invalid or expired | Regenerate API token in ACS |
| Step | Failure | Cause | Fix |
|---|---|---|---|
tpa-scan | "timeout" | TPA service slow or unresponsive | Retry; may be service issue |
All scanning tasks use utility images from Konflux:
| Image | Purpose | Source |
|---|---|---|
quay.io/konflux-ci/konflux-test | General utility functions, conftest policy execution | github.com/konflux-ci/konflux-test |
quay.io/konflux-ci/task-runner | OCI artifact attachment via oras | github.com/konflux-ci/task-runner |
quay.io/konflux-ci/clair-in-ci:latest | Clair vulnerability database | github.com/konflux-ci/clair-in-ci-db |
quay.io/konflux-ci/clamav-db:latest | ClamAV antivirus database | github.com/konflux-ci/konflux-clamav |
Pinning: Most tasks use floating latest tags. For reproducibility, pin to specific digest: image@sha256:...
Never use Tekton parameters directly in scripts. Always pass through env vars first.
WRONG (security risk):
spec:
steps:
- name: scan
script: |
scan-tool "$(params.image-url)" # Code injection vulnerability
CORRECT:
spec:
steps:
- name: scan
env:
- name: IMAGE_URL
value: "$(params.image-url)"
script: |
scan-tool "$IMAGE_URL" # Safe
Most scan tasks use RETRY_COUNT (default: 5) for transient failures (timeouts, rate limits).
Set via stepTemplate env variable:
spec:
stepTemplate:
env:
- name: RETRY_COUNT
value: "3"
Each task version has build pipelines in .tekton/:
Pull request: .tekton/<task>-<ver>-pull-request.yaml
Push: .tekton/<task>-<ver>-push.yaml
Debug steps:
Large scan reports are attached via oras push in oci-attach-report step.
Access attached reports:
oras pull <image>@<digest> --output /tmp/
| Mistake | Fix |
|---|---|
| Result JSON malformed | Validate with jq before returning result. Use jq -r @json to escape. |
| Result too large (>4KB) | Use OCI artifact attachment for large output. Summarize in embedded result. |
| Image pull fails silently | Check docker/podman auth is configured. Verify image exists. |
| Task times out | Check timeout parameter in PipelineRun. Increase if legitimate operation is slow. |
| OCI artifact attach fails | Verify registry credentials. Check storage quota. Ensure oras binary is in image. |
| Conftest policy fails unexpectedly | Review policies in policies/. Add --debug flag to conftest for verbose output. |
| CA certificate validation fails | Mount CA trust ConfigMap via ca-trust-config-map-name parameter. |
Use when CI behaves unexpectedly, when you need to understand how Tekton bundles are built, or when understanding non-obvious behavior with templated workflows, Checkton, migration validation, kustomize checks, or trusted artifacts generation.
Use before pushing a PR for review, when CI checks fail, or when reviewing someone else's PR. Pre-push checklist covering all CI requirements, commit conventions, and documentation for task catalog PRs.
Use when creating task variants (remote, trusted-artifacts), working with recipe.yaml files, or when the check-ta CI workflow fails. Covers both Go generators, the recipe format, and the generation pipeline.
Use when creating a new task version, bumping version labels, writing migration scripts, or when versioning/migration CI checks fail. Covers version labels, CHANGELOG.md, migration scripts with pmt modify, and kustomized variant updates.
Use when writing tests for a Tekton task, running tests locally, debugging test failures in CI, or understanding the three testing layers (Kind cluster, Tekton integration, ShellSpec).