This document describes the available targets and usage patterns for the ACM operator bundle Makefile.
Before using the Makefile targets, ensure you have the required tools installed:
make check-toolsRequired tools:
python3- Required for all scripts (Note: The Makefile specifically usespython3command, notpython)skopeoorpodman- Required for image verificationgrype- Required for CVE scanningjq- Useful for manual JSON inspection (optional)
Install Python dependencies:
make install-depsOr manually:
pip3 install -r requirements.txtPython dependencies:
rich>=13.0.0- For formatted table output
The following environment variables can be set to customize behavior:
| Variable | Default | Description |
|---|---|---|
EXTRAS_DIR |
extras |
Directory containing image manifest JSON files |
REPORTS_DIR |
reports |
Output directory for generated reports |
SCAN_SEVERITY |
HIGH,CRITICAL |
CVE severity levels to report |
SCAN_FORMAT |
table |
Scan output format (table, json, etc.) |
SCAN_TIMEOUT |
10m |
Timeout for CVE scans |
IMAGE_KEY |
- | Specific image component to scan (optional) |
RELEASE |
- | Release branch to check out (optional) |
Display available targets with descriptions:
make helpRun all verification checks (without CVE scanning):
make all-checksRun complete verification including CVE scanning:
make full-scanList all container images from extras/*.json files with short digest format (12 characters, no "sha256:" prefix).
Usage:
make list-imagesOutput format:
- Displays compact table with status icon, image key, and short digest
- Status icons:
✓for valid SHA,…for placeholder/dummy SHA (000000...) - Digests shown as 12 hex characters:
331b906aaf8d - Summary shows total images, real SHAs, and placeholder count
Example output:
┃ ┃ Image Key ┃ Digest ┃
┡━━━╇━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━┩
│ ✓ │ console │ 62612f2ef686 │
│ … │ acm_cli │ 000000000000 │
List all images with complete SHA-256 digests (full 71-character format including "sha256:" prefix).
Usage:
make list-images-fullOutput format:
- Displays full SHA-256 digests:
sha256:331b906aaf8d52a92eb095f6bd8eedf498f6f6a2e9dce0be8b04cfd0e3db07e9 - Table width expands to accommodate complete 64-character hashes
- Useful for copying full digests or detailed verification
Display help message with all available targets and quick command examples.
Usage:
make helpCheck for dummy or placeholder SHA digests in image manifests. Warns if dummy SHAs are found but does not fail the build.
Usage:
make check-dummy-shasVerify that all images are pullable using skopeo.
Usage:
make verify-imagesVerify images using ICSP (ImageContentSourcePolicy) registry redirects for pre-GA testing.
Usage:
make verify-images-icspRequires icsp-config.json in the repository root.
Verify images using podman instead of skopeo (alternative verification method).
Usage:
make verify-images-podmanVerify images for specific CPU architectures:
Verify images for AMD64/x86_64 architecture.
Usage:
make verify-images-amd64Verify images for ARM64/aarch64 architecture.
Usage:
make verify-images-arm64Verify images for PowerPC 64-bit Little Endian architecture.
Usage:
make verify-images-ppc64leVerify images for IBM Z mainframe architecture.
Usage:
make verify-images-s390xAll CVE scanning targets use Grype to scan container images for vulnerabilities.
Scan all images for CVEs with text output to console.
Usage:
# Scan current extras/ directory
make scan-cves
# Scan with custom severity levels
make scan-cves SCAN_SEVERITY=CRITICAL,HIGH,MEDIUM
# Scan single component
make scan-cves IMAGE_KEY=multiclusterhub_operator
# Setup and scan a release
make scan-cves RELEASE=release-2.17Scan images using ICSP registry redirects with text output.
Usage:
make scan-cves-icsp
make scan-cves-icsp RELEASE=release-2.17Scan images and output results in JSON format.
Usage:
make scan-cves-json
make scan-cves-json IMAGE_KEY=multiclusterhub_operatorScan images with ICSP redirects and output JSON (used for Slack reports).
Usage:
make scan-cves-json-icsp
make scan-cves-json-icsp RELEASE=release-2.17Check out and set up extras/ directory from a specific release branch.
Usage:
make setup-release RELEASE=release-2.17Note: This target is automatically called by verify-release and scan-release.
Set up a release and verify all its images (combines setup-release + verify-images).
Usage:
make verify-release RELEASE=release-2.17Set up a release and scan it for CVEs (combines setup-release + scan-cves-json-icsp).
Usage:
make scan-release RELEASE=release-2.17Generate a comprehensive report about all images.
Usage:
make image-reportSend a CVE scan summary to Slack (requires SLACK_WEBHOOK_URL environment variable).
Usage:
export SLACK_WEBHOOK_URL="https://hooks.slack.com/services/YOUR/WEBHOOK/URL"
make slack-cve-reportSend a detailed CVE report to Slack with more verbose information.
Usage:
export SLACK_WEBHOOK_URL="https://hooks.slack.com/services/YOUR/WEBHOOK/URL"
make slack-cve-report-detailedRun all verification checks without CVE scanning (dummy SHA check + image verification + report).
Usage:
make all-checksEquivalent to running:
make check-dummy-shas
make verify-images
make image-reportRun all checks including CVE scanning.
Usage:
make full-scanEquivalent to:
make all-checks
make scan-cvesVerify that all required command-line tools are installed and available.
Usage:
make check-toolsInstall Python dependencies from requirements.txt.
Usage:
make install-depsEnsure all scripts in the scripts/ directory have executable permissions.
Usage:
make make-scripts-executableRemove the reports directory and all generated reports.
Usage:
make clean-reports# Verify all images are pullable
make verify-release RELEASE=release-2.17
# Scan for CVEs
make scan-release RELEASE=release-2.17# Set up release
make setup-release RELEASE=release-2.18
# Check for dummy SHAs (warning only, default behavior)
make check-dummy-shas
# Verify with ICSP redirects
make verify-images-icsp
# Scan with ICSP
make scan-cves-icsp# Scan just the multiclusterhub operator
make scan-cves IMAGE_KEY=multiclusterhub_operator
# Scan specific component from a release
make scan-cves RELEASE=release-2.17 IMAGE_KEY=cluster_curator_controller# Verify all supported architectures
make verify-images-amd64
make verify-images-arm64
make verify-images-ppc64le
make verify-images-s390x# Scan for all severity levels
make scan-cves SCAN_SEVERITY=CRITICAL,HIGH,MEDIUM,LOW
# Only critical vulnerabilities
make scan-cves SCAN_SEVERITY=CRITICAL# Full verification pipeline
make check-tools
make install-deps
make all-checks
make scan-cves-json > cve-report.json
# Send results to Slack
export SLACK_WEBHOOK_URL="$WEBHOOK_URL"
make slack-cve-report# Custom directories
EXTRAS_DIR=my-extras REPORTS_DIR=my-reports make verify-images
# Custom scan settings
SCAN_TIMEOUT=30m SCAN_SEVERITY=CRITICAL make scan-cves
# Combining multiple variables
RELEASE=release-2.17 IMAGE_KEY=multiclusterhub_operator SCAN_SEVERITY=HIGH,CRITICAL make scan-cvesAll Makefile targets invoke Python scripts located in the scripts/ directory:
list_images.py- List images from manifest filescheck_dummy_shas.py- Validate SHA digestsverify_images.py- Verify image pullabilityscan_cves.py- Scan images for CVEsimage_report.py- Generate image reportsslack_cve_report.py- Send reports to Slacksetup_release.sh- Set up release branches
- Use
make helpto see a quick reference of all targets - Run
make check-toolsbefore starting work to ensure all dependencies are available - Important: All scripts require the
python3command (not justpython). Ensurepython3is available in your PATH - Use
RELEASE=parameter for quick release switching without manual branch checkouts - Combine
IMAGE_KEY=with any scan target to focus on a specific component - Use
verify-images-podmanif you don't have skopeo installed - Use
list-images-fullwhen you need to copy complete SHA-256 digests - Clean up old reports periodically with
make clean-reports