stackrox · janisz · Feb 10, 2026 · Feb 5, 2026 · Feb 5, 2026 · Feb 5, 2026
@@ -403,11 +403,29 @@ jobs:
     - name: Cache Go dependencies
       uses: ./.github/actions/cache-go-dependencies
 
+    - name: Login to Quay.io
+      uses: docker/login-action@v3
+      with:
+        registry: quay.io
+        username: ${{ secrets.QUAY_RHACS_ENG_RO_USERNAME }}
+        password: ${{ secrets.QUAY_RHACS_ENG_RO_PASSWORD }}
+
     - name: Create k8s Kind Cluster
       uses: helm/kind-action@v1
       with:
         kubeconfig: "${{ env.KUBECONFIG }}"
 
+    - name: Load test images into Kind
+      run: |
+        # Read images from prefetch list (single source of truth)
+        while IFS= read -r image; do
+          # Skip empty lines and comments
+          [[ -z "$image" || "$image" =~ ^# ]] && continue
+          echo "Loading $image into Kind..."
+          docker pull "$image"
+          kind load docker-image "$image" --name chart-testing
+        done < sensor/tests/images-to-prefetch.txt
+
     - name: Run sensor integration tests
       run: make sensor-integration-test
 

diff --git a/scripts/ci/lib.sh b/scripts/ci/lib.sh
@@ -640,6 +640,13 @@ _image_prefetcher_prebuilt_start() {
         # prefect list stays up to date with additions.
         ci_export "IMAGE_PULL_POLICY_FOR_QUAY_IO" "Never"
         ;;
+    *sensor-integration-tests)
+        image_prefetcher_start_set sensor-integration
+        # Override the default image pull policy for containers with quay.io
+        # images to rely on prefetched images. This helps ensure that the static
+        # prefect list stays up to date with additions.
+        ci_export "IMAGE_PULL_POLICY_FOR_QUAY_IO" "Never"
+        ;;
     *-operator-e2e-tests)
         image_prefetcher_start_set operator-e2e
         # TODO(ROX-20508): pre-fetch images of the release from which operator upgrade test starts as well.
@@ -763,6 +770,9 @@ _image_prefetcher_prebuilt_await() {
     *nongroovy-e2e-tests)
         image_prefetcher_await_set qa-nongroovy-e2e
         ;;
+    *sensor-integration-tests)
+        image_prefetcher_await_set sensor-integration
+        ;;
     *-operator-e2e-tests)
         image_prefetcher_await_set operator-e2e
         # TODO(ROX-20508): pre-fetch images of the release from which operator upgrade test starts as well.
@@ -920,6 +930,9 @@ populate_prefetcher_image_list() {
     qa-nongroovy-e2e)
         cp "$SCRIPTS_ROOT/tests/images-to-prefetch.txt" "$image_list"
         ;;
+    sensor-integration)
+        cp "$SCRIPTS_ROOT/sensor/tests/images-to-prefetch.txt" "$image_list"
+        ;;
     *)
         die "ERROR: An unsupported image prefetcher target was requested: $name"
         ;;

@@ -16,7 +16,7 @@ spec:
     spec:
       containers:
       - name: compliance-operator
-        image: busybox
+        image: quay.io/rhacs-eng/qa-multi-arch-busybox:1.30
         command:
           - tail
           - -f

@@ -16,7 +16,7 @@ spec:
     spec:
       containers:
       - name: nginx
-        image: nginx:1.14.2
+        image: quay.io/rhacs-eng/qa-multi-arch:nginx-1.21.1
         ports:
         - containerPort: 80
 
@@ -16,7 +16,7 @@ spec:
     spec:
       containers:
       - name: nginx
-        image: nginx:1.14.2
+        image: quay.io/rhacs-eng/qa-multi-arch:nginx-1.21.1
         ports:
         - containerPort: 80
 
@@ -16,7 +16,7 @@ spec:
     spec:
       containers:
       - name: nginx
-        image: nginx:1.14.2
+        image: quay.io/rhacs-eng/qa-multi-arch:nginx-1.21.1
         ports:
         - containerPort: 80
 
@@ -16,6 +16,6 @@ spec:
     spec:
       containers:
       - name: nginx
-        image: nginx:1.14.2
+        image: quay.io/rhacs-eng/qa-multi-arch:nginx-1.21.1
         ports:
         - containerPort: 80
@@ -16,6 +16,6 @@ spec:
     spec:
       containers:
       - name: nginx
-        image: nginx:1.14.2
+        image: quay.io/rhacs-eng/qa-multi-arch:nginx-1.21.1
         ports:
         - containerPort: 80
@@ -23,7 +23,7 @@ var (
 	NginxService    = helper.K8sResourceInfo{Kind: "Service", YamlFile: "nginx-service.yaml", Name: "nginx-service"}
 	TalkPod         = helper.K8sResourceInfo{Kind: "Pod", YamlFile: "talk.yaml", Name: "talk"}
 
-	processIndicatorPolicyName = "test-pi-curl"
+	processIndicatorPolicyName = "test-pi-wget"
 	networkFlowPolicyName      = "test-flow"
 )
 
@@ -95,7 +95,7 @@ func Test_SensorIntermediateRuntimeEvents(t *testing.T) {
 			nginxIP := c.GetIPFromService(srvObj)
 			require.NotEqual(t, "", nginxIP)
 
-			helper.SendSignalMessage(fakeCollector, talkContainerIds[0], "curl")
+			helper.SendSignalMessage(fakeCollector, talkContainerIds[0], "wget")
 			helper.SendFlowMessage(fakeCollector,
 				sensor.SocketFamily_SOCKET_FAMILY_UNKNOWN,
 				storage.L4Protocol_L4_PROTOCOL_TCP,
@@ -119,7 +119,7 @@ func Test_SensorIntermediateRuntimeEvents(t *testing.T) {
 		}
 		expectedSignals := []helper.ExpectedSignalMessageFn{
 			func(msg *sensor.SignalStreamMessage) bool {
-				return msg.GetSignal().GetProcessSignal().GetName() == "curl" && msg.GetSignal().GetProcessSignal().GetContainerId() == talkContainerIds[0]
+				return msg.GetSignal().GetProcessSignal().GetName() == "wget" && msg.GetSignal().GetProcessSignal().GetContainerId() == talkContainerIds[0]
 			},
 		}
 		go helper.WaitToReceiveMessagesFromCollector(ctx, &messagesReceivedSignal,
@@ -143,7 +143,7 @@ func Test_SensorIntermediateRuntimeEvents(t *testing.T) {
 
 		msg, err := testContext.WaitForMessageWithMatcher(func(event *central.MsgFromSensor) bool {
 			return event.GetEvent().GetProcessIndicator().GetDeploymentId() == talkUID &&
-				event.GetEvent().GetProcessIndicator().GetSignal().GetName() == "curl"
+				event.GetEvent().GetProcessIndicator().GetSignal().GetName() == "wget"
 		}, time.Minute)
 		assert.NoError(t, err)
 		assert.NotNil(t, msg)

@@ -16,6 +16,6 @@ spec:
     spec:
       containers:
       - name: nginx
-        image: nginx:1.14.2
+        image: quay.io/rhacs-eng/qa-multi-arch:nginx-1.21.1
         ports:
         - containerPort: 80
@@ -7,7 +7,7 @@ metadata:
 spec:
   containers:
   - name: talk
-    image: alpine/curl
+    image: quay.io/rhacs-eng/qa:alpine-3.16.0
     command: ["/bin/sh", "-c"]
     args:
-     - "while true ; do sleep 2; curl http://nginx-service.sensor-integration.svc.cluster.local:80; done"
+     - "while true ; do sleep 2; wget -O- http://nginx-service.sensor-integration.svc.cluster.local:80; done"
@@ -16,6 +16,6 @@ spec:
     spec:
       containers:
       - name: nginx
-        image: nginx:1.14.2
+        image: quay.io/rhacs-eng/qa-multi-arch:nginx-1.21.1
         ports:
         - containerPort: 80
@@ -16,6 +16,6 @@ spec:
     spec:
       containers:
       - name: nginx
-        image: nginx:1.14.2
+        image: quay.io/rhacs-eng/qa-multi-arch:nginx-1.21.1
         ports:
         - containerPort: 80
@@ -1,3 +1,3 @@
 {"policies":[
-{"id":"cdd8ceab-784e-4726-b4de-86334b230b61","name":"test-pi-curl","description":"","rationale":"","remediation":"","disabled":false,"categories":["Anomalous Activity"],"lifecycleStages":["RUNTIME"],"eventSource":"DEPLOYMENT_EVENT","exclusions":[],"scope":[],"severity":"LOW_SEVERITY","enforcementActions":[],"notifiers":[],"lastUpdated":"2024-02-05T11:50:54.392130134Z","SORTName":"test-pi-curl","SORTLifecycleStage":"RUNTIME","SORTEnforcement":false,"policyVersion":"1.1","policySections":[{"sectionName":"Policy Section 1","policyGroups":[{"fieldName":"Process Name","booleanOperator":"OR","negate":false,"values":[{"value":"curl"}]}]}],"mitreAttackVectors":[],"criteriaLocked":false,"mitreVectorsLocked":false,"isDefault":false},
+{"id":"cdd8ceab-784e-4726-b4de-86334b230b61","name":"test-pi-wget","description":"","rationale":"","remediation":"","disabled":false,"categories":["Anomalous Activity"],"lifecycleStages":["RUNTIME"],"eventSource":"DEPLOYMENT_EVENT","exclusions":[],"scope":[],"severity":"LOW_SEVERITY","enforcementActions":[],"notifiers":[],"lastUpdated":"2024-02-05T11:50:54.392130134Z","SORTName":"test-pi-wget","SORTLifecycleStage":"RUNTIME","SORTEnforcement":false,"policyVersion":"1.1","policySections":[{"sectionName":"Policy Section 1","policyGroups":[{"fieldName":"Process Name","booleanOperator":"OR","negate":false,"values":[{"value":"wget"}]}]}],"mitreAttackVectors":[],"criteriaLocked":false,"mitreVectorsLocked":false,"isDefault":false},
 {"id":"b626cb9d-0bd1-4c6c-b8d0-b9c69f07722c","name":"test-flow","description":"","rationale":"","remediation":"","disabled":false,"categories":["Anomalous Activity"],"lifecycleStages":["RUNTIME"],"eventSource":"DEPLOYMENT_EVENT","exclusions":[],"scope":[],"severity":"LOW_SEVERITY","enforcementActions":[],"notifiers":[],"lastUpdated":"2024-02-05T11:51:34.581615895Z","SORTName":"test-flow","SORTLifecycleStage":"RUNTIME","SORTEnforcement":false,"policyVersion":"1.1","policySections":[{"sectionName":"Policy Section 1","policyGroups":[{"fieldName":"Unexpected Network Flow Detected","booleanOperator":"OR","negate":false,"values":[{"value":"false"}]}]}],"mitreAttackVectors":[],"criteriaLocked":false,"mitreVectorsLocked":false,"isDefault":false}]}
@@ -0,0 +1,26 @@
+# Images used by sensor integration tests - prefetched to avoid Docker Hub rate limits
+#
+# This file is referenced by scripts/ci/lib.sh:populate_prefetcher_image_list()
+# Pattern follows tests/images-to-prefetch.txt and qa-tests-backend/scripts/images-to-prefetch.txt
+
+# Used by sensor/tests/connection/runtime/yaml/nginx.yaml
+# Used by sensor/tests/connection/alerts/yaml/nginx.yaml
+# Used by sensor/tests/connection/k8sreconciliation/yaml/nginx*.yaml (4 files)
+# Used by sensor/tests/connection/yaml/nginx*.yaml (2 files)
+# Used by sensor/tests/resource/networkpolicy/yaml/nginx.yaml
+# Used by sensor/tests/resource/pod/yaml/nginx.yaml
+# Used by sensor/tests/resource/role/yaml/nginx.yaml
+# Used by sensor/tests/resource/service/yaml/nginx.yaml
+quay.io/rhacs-eng/qa-multi-arch:nginx-1.21.1
+
+# Used by sensor/tests/resource/pod/yaml/nginx-pod.yaml
+# Used by sensor/tests/resource/role/yaml/nginx-pod.yaml
+# Used by sensor/tests/resource/service/yaml/nginx-pod.yaml
+# Used by sensor/tests/resource/imagescan/yaml/pod.yaml
+# (All nginx-pod.yaml files use the same nginx-1.21.1 image)
+
+# Used by sensor/tests/connection/runtime/yaml/talk.yaml
+quay.io/rhacs-eng/qa:alpine-3.16.0
+
+# Used by sensor/tests/complianceoperator/yaml/co-deployment.yaml
+quay.io/rhacs-eng/qa-multi-arch-busybox:1.30
@@ -7,6 +7,6 @@ metadata:
 spec:
   containers:
   - name: app
-    image: nginx:1.14.1
+    image: quay.io/rhacs-eng/qa-multi-arch:nginx-1.21.1
     ports:
     - containerPort: 80
@@ -16,6 +16,6 @@ spec:
     spec:
       containers:
       - name: nginx
-        image: nginx:1.14.2
+        image: quay.io/rhacs-eng/qa-multi-arch:nginx-1.21.1
         ports:
         - containerPort: 80
@@ -96,8 +96,8 @@ func (s *PodHierarchySuite) Test_ContainerSpecOnDeployment() {
 			s.Require().NoError(err)
 
 			testC.LastDeploymentState(t, "nginx-deployment",
-				assertDeploymentContainerImages("docker.io/library/nginx:1.14.2"),
-				"nginx deployment should have a single container with nginx:1.14.2 image")
+				assertDeploymentContainerImages("quay.io/rhacs-eng/qa-multi-arch:nginx-1.21.1"),
+				"nginx deployment should have a single container with quay.io nginx image")
 
 			messages := testC.GetFakeCentral().GetAllMessages()
 			uniquePodNames := helper.GetUniquePodNamesFromPrefix(messages, "sensor-integration", "nginx-")
@@ -122,8 +122,8 @@ func (s *PodHierarchySuite) Test_ParentlessPodsAreTreatedAsDeployments() {
 			s.Require().NoError(err)
 
 			testC.LastDeploymentState(t, "nginx-rogue",
-				assertDeploymentContainerImages("docker.io/library/nginx:1.14.1"),
-				"nginx standalone pod should have a single container with nginx:1.14.1 image")
+				assertDeploymentContainerImages("quay.io/rhacs-eng/qa-multi-arch:nginx-1.21.1"),
+				"nginx standalone pod should have a single container with quay.io nginx image")
 
 			messages := testC.GetFakeCentral().GetAllMessages()
 			uniqueDeployments := helper.GetUniqueDeploymentNames(messages, "sensor-integration")

@@ -7,6 +7,6 @@ metadata:
 spec:
   containers:
   - name: nginx
-    image: nginx:1.14.1
+    image: quay.io/rhacs-eng/qa-multi-arch:nginx-1.21.1
     ports:
     - containerPort: 80
@@ -16,6 +16,6 @@ spec:
     spec:
       containers:
       - name: nginx
-        image: nginx:1.14.2
+        image: quay.io/rhacs-eng/qa-multi-arch:nginx-1.21.1
         ports:
         - containerPort: 80
@@ -7,6 +7,6 @@ metadata:
 spec:
   containers:
   - name: nginx
-    image: nginx:1.14.1
+    image: quay.io/rhacs-eng/qa-multi-arch:nginx-1.21.1
     ports:
     - containerPort: 80
@@ -16,7 +16,7 @@ spec:
     spec:
       containers:
       - name: nginx
-        image: nginx:1.14.2
+        image: quay.io/rhacs-eng/qa-multi-arch:nginx-1.21.1
         ports:
         - containerPort: 80
       serviceAccountName: nginx-sa
@@ -7,6 +7,6 @@ metadata:
 spec:
   containers:
   - name: nginx
-    image: nginx:1.14.1
+    image: quay.io/rhacs-eng/qa-multi-arch:nginx-1.21.1
     ports:
     - containerPort: 80
@@ -16,6 +16,6 @@ spec:
     spec:
       containers:
       - name: nginx
-        image: nginx:1.14.2
+        image: quay.io/rhacs-eng/qa-multi-arch:nginx-1.21.1
         ports:
         - containerPort: 80
diff --git a/tests/e2e/sensor.sh b/tests/e2e/sensor.sh
@@ -31,6 +31,15 @@ test_sensor() {
 
     test_preamble
     setup_deployment_env false false
+
+    # Prefetch images for OSCI (DaemonSet-based prefetcher)
+    # For Kind (GitHub Actions), images are loaded directly via kind load
+    if [[ "${IMAGE_PREFETCH_DISABLED:-false}" != "true" ]]; then
+        info "Starting image prefetching for sensor integration tests"
+        image_prefetcher_prebuilt_start
+        image_prefetcher_prebuilt_await
+    fi
+
     # shellcheck disable=SC2119
     remove_existing_stackrox_resources