fix(tekton): use env vars for JSON parameters to avoid quoting issues

[joejstuart]

User description

Pass POLICY_CONFIGURATION and EXTRA_RULE_DATA via environment variables to safely handle JSON strings in Tekton task parameters.

Fixes #3094

Assisted-by: Claude 4.5 Opus

---

PR Type

Bug fix, Tests

---

Description

• Pass JSON parameters via environment variables to avoid shell quoting issues

• Add two new test scenarios for JSON parameter handling

• Refactor EC arguments array construction for better JSON handling

• Improve error message output to stderr

---

Diagram Walkthrough

flowchart LR
  A["Tekton Task Parameters"] -->|"env vars"| B["POLICY_CONFIGURATION<br/>EXTRA_RULE_DATA"]
  B -->|"safe JSON handling"| C["EC Command Execution"]
  D["Test Scenarios"] -->|"validate"| E["JSON String Parameters<br/>Extra Rule Data"]
  E -->|"verify"| F["Task Success"]

Loading

File Walkthrough

	Relevant files
Tests	ta_task_validate_image.feature Add test scenarios for JSON parameters                                      features/ta_task_validate_image.feature Added scenario for policy configuration passed as JSON string parameter Added scenario for extra rule data with JSON value Both scenarios verify task succeeds and logs contain expected content Tests validate JSON parameter handling without quoting issues +65/-0
Bug fix	verify-conforma-konflux-ta.yaml Use env vars for JSON parameters in validate step                tasks/verify-conforma-konflux-ta/0.1/verify-conforma-konflux-ta.yaml Changed POLICY_CONFIGURATION from direct parameter substitution to environment variable reference Refactored EXTRA_RULE_DATA handling with conditional check and proper array syntax Added environment variable definitions for POLICY_CONFIGURATION and EXTRA_RULE_DATA in step env section Fixed error message output to stderr using >&2 redirection Added explanatory comments about JSON parameter handling via environment variables +18/-4

---

[qodo-code-review]

PR Compliance Guide 🔍

Below is a summary of compliance checks for this PR:

Security Compliance
🟢	No security concerns identified No security vulnerabilities detected by AI analysis. Human verification advised for critical code.
Ticket Compliance
⚪	🎫 No ticket provided Create ticket/issue
Codebase Duplication Compliance
⚪	Codebase context is not defined Follow the guide to enable codebase context checks.
Custom Compliance
🟢	Generic: Meaningful Naming and Self-Documenting Code Objective: Ensure all identifiers clearly express their purpose and intent, making code self-documenting Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Robust Error Handling and Edge Case Management Objective: Ensure comprehensive error handling that provides meaningful context and graceful degradation Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Secure Error Handling Objective: To prevent the leakage of sensitive system information through error messages while providing sufficient detail for internal debugging. Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
⚪	Generic: Comprehensive Audit Trails Objective: To create a detailed and reliable record of critical system actions for security analysis and compliance. Status: Missing audit context: The updated validate step executes a critical validation action but the diff does not show any explicit audit-style logging (user identity, timestamp, action, outcome) needed to reconstruct events. Referred Code script: | #!/bin/bash set -euo pipefail # Build EC arguments array # POLICY_CONFIGURATION and EXTRA_RULE_DATA are passed via environment variables to safely handle JSON strings EC_ARGS=( validate image --images /tekton/home/snapshot.json --policy "${POLICY_CONFIGURATION}" --public-key "$(params.PUBLIC_KEY)" --rekor-url "$(params.REKOR_HOST)" --ignore-rekor=$(params.IGNORE_REKOR) --workers "$(params.WORKERS)" --info=$(params.INFO) --timeout=100h --strict=false --show-successes --effective-time=$(params.EFFECTIVE_TIME) ) ... (clipped 44 lines) Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Secure Logging Practices Objective: To ensure logs are useful for debugging and auditing without exposing sensitive information like PII, PHI, or cardholder data. Status: Potential data exposure: The PR routes POLICY_CONFIGURATION and EXTRA_RULE_DATA (which may contain sensitive JSON) via environment variables and into ec arguments, but the diff does not show whether any step logs or debug output could echo these values without redaction. Referred Code # Build EC arguments array # POLICY_CONFIGURATION and EXTRA_RULE_DATA are passed via environment variables to safely handle JSON strings EC_ARGS=( validate image --images /tekton/home/snapshot.json --policy "${POLICY_CONFIGURATION}" --public-key "$(params.PUBLIC_KEY)" --rekor-url "$(params.REKOR_HOST)" --ignore-rekor=$(params.IGNORE_REKOR) --workers "$(params.WORKERS)" --info=$(params.INFO) --timeout=100h --strict=false --show-successes --effective-time=$(params.EFFECTIVE_TIME) ) # Add extra-rule-data if provided (may contain JSON) if [[ -n "${EXTRA_RULE_DATA:-}" ]]; then EC_ARGS+=(--extra-rule-data "${EXTRA_RULE_DATA}") ... (clipped 40 lines) Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Security-First Input Validation and Data Handling Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent vulnerabilities Status: Unvalidated JSON inputs: POLICY_CONFIGURATION and EXTRA_RULE_DATA are accepted from Tekton parameters and passed to ec without visible validation/sanity checks (e.g., empty/malformed JSON handling), so security and robustness depend on ec’s downstream parsing and safeguards. Referred Code # Build EC arguments array # POLICY_CONFIGURATION and EXTRA_RULE_DATA are passed via environment variables to safely handle JSON strings EC_ARGS=( validate image --images /tekton/home/snapshot.json --policy "${POLICY_CONFIGURATION}" --public-key "$(params.PUBLIC_KEY)" --rekor-url "$(params.REKOR_HOST)" --ignore-rekor=$(params.IGNORE_REKOR) --workers "$(params.WORKERS)" --info=$(params.INFO) --timeout=100h --strict=false --show-successes --effective-time=$(params.EFFECTIVE_TIME) ) # Add extra-rule-data if provided (may contain JSON) if [[ -n "${EXTRA_RULE_DATA:-}" ]]; then EC_ARGS+=(--extra-rule-data "${EXTRA_RULE_DATA}") ... (clipped 1 lines) Learn more about managing compliance generic rules or creating your own custom rules
Update

Compliance status legend

🟢 - Fully Compliant
🟡 - Partial Compliant
🔴 - Not Compliant
⚪ - Requires Further Human Verification
🏷️ - Compliance label

[qodo-code-review]

PR Code Suggestions ✨

Explore these optional code suggestions:

Category	Suggestion	Impact
Possible issue	Validate and append policy configuration Add a validation check to ensure the POLICY_CONFIGURATION variable is not empty, and exit with an error if it is. tasks/verify-conforma-konflux-ta/0.1/verify-conforma-konflux-ta.yaml [304] ---policy "${POLICY_CONFIGURATION}" +# Add and validate policy configuration (required) +if [[ -n "${POLICY_CONFIGURATION:-}" ]]; then + EC_ARGS+=(--policy "${POLICY_CONFIGURATION}") +else + echo "ERROR: POLICY_CONFIGURATION is required" >&2 + exit 1 +fi Apply / Chat Suggestion importance[1-10]: 7 __ Why: This suggestion correctly identifies that POLICY_CONFIGURATION is a required parameter and adds an explicit validation check, which improves robustness and provides a clearer error message if it's missing.	Medium
General	Use safe default expansion Use the :- default parameter expansion for EXTRA_RULE_DATA when adding it to EC_ARGS to prevent potential unbound variable errors. tasks/verify-conforma-konflux-ta/0.1/verify-conforma-konflux-ta.yaml [317-319] if [[ -n "${EXTRA_RULE_DATA:-}" ]]; then - EC_ARGS+=(--extra-rule-data "${EXTRA_RULE_DATA}") + EC_ARGS+=(--extra-rule-data "${EXTRA_RULE_DATA:-}") fi Apply / Chat Suggestion importance[1-10]: 4 __ Why: The suggestion correctly proposes using a default expansion for EXTRA_RULE_DATA inside the EC_ARGS array, which is a good defensive practice with set -u enabled, making the code more robust and consistent.	Low
Update

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

Flag	Coverage Δ
acceptance	55.36% <ø> (ø)
generative	18.59% <ø> (ø)
integration	27.61% <ø> (ø)
unit	68.34% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[robnester-rh]

LGTM