2026-06-29T14:40:09.787627Z INFO vector::app: Log level is enabled. level="info" 2026-06-29T14:40:09.788064Z INFO vector::app: Loading configs. paths=["/etc/vector"] 2026-06-29T14:40:09.790877Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}: vector::sources::kubernetes_logs: Obtained Kubernetes Node name to collect logs for (self). self_node_name="ip-10-0-168-9.ec2.internal" 2026-06-29T14:40:09.800449Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}: vector::sources::kubernetes_logs: Including matching files. ret=["**/*"] 2026-06-29T14:40:09.800468Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}: vector::sources::kubernetes_logs: Excluding matching files. ret=["**/*.gz", "**/*.tmp"] 2026-06-29T14:40:09.802666Z INFO vector::topology::running: Running healthchecks. 2026-06-29T14:40:09.802716Z INFO vector::topology::builder: Healthcheck passed. 2026-06-29T14:40:09.802731Z INFO vector: Vector has started. debug="false" version="0.45.0" arch="x86_64" revision="063cabb 2025-02-24 14:52:02.810034614" 2026-06-29T14:40:09.804037Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: file_source::checkpointer: Attempting to read legacy checkpoint files. 2026-06-29T14:40:09.804056Z INFO vector::internal_events::api: API server running. address=127.0.0.1:8686 playground=off graphql=http://127.0.0.1:8686/graphql 2026-06-29T14:50:38.898433Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-awrf_buildah-demo-nvjyiiqhed-init-pod_93bc850f-f486-40bb-957d-1a00d8f7ff6d/prepare/0.log 2026/06/29 14:50:38 Entrypoint initialization 2026-06-29T14:50:53.253997Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-awrf_buildah-demo-nvjyiiqhed-init-pod_93bc850f-f486-40bb-957d-1a00d8f7ff6d/step-init/0.log 2026-06-29T14:50:55.303068Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-awrf_buildah-demo-nvjyiiqhed-init-pod_93bc850f-f486-40bb-957d-1a00d8f7ff6d/step-init/0.log time="2026-06-29T14:50:53Z" level=info msg="[param] enable: false" time="2026-06-29T14:50:53Z" level=info msg="[param] default-http-proxy: squid.caching.svc.cluster.local:3128" time="2026-06-29T14:50:53Z" level=info msg="[param] default-no-proxy: brew.registry.redhat.io,docker.io,gcr.io,ghcr.io,images.paas.redhat.com,mirror.gcr.io,nvcr.io,quay.io,registry-proxy.engineering.redhat.com,registry.access.redhat.com,registry.ci.openshift.org,registry.fedoraproject.org,registry.redhat.io,registry.stage.redhat.io,vault.habana.ai" time="2026-06-29T14:50:53Z" level=info msg="[param] http-proxy-result-path: /tekton/results/http-proxy" time="2026-06-29T14:50:53Z" level=info msg="[param] no-proxy-result-path: /tekton/results/no-proxy" time="2026-06-29T14:50:53Z" level=info msg="Using in-cluster config" logger=KubeClient time="2026-06-29T14:50:53Z" level=info msg="Cache proxy is disabled via param" time="2026-06-29T14:50:53Z" level=info msg="[result] HTTP PROXY: " time="2026-06-29T14:50:53Z" level=info msg="[result] NO PROXY: " 2026-06-29T14:53:41.304881Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-awrf_buildah-demo-nvjyiiqhed-build-image-index-pod_a8b896a6-2b03-4775-ad68-2b79cbd53251/place-scripts/0.log 2026-06-29T14:53:41.304928Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-awrf_buildah-demo-nvjyiiqhed-build-image-index-pod_a8b896a6-2b03-4775-ad68-2b79cbd53251/prepare/0.log 2026-06-29T14:53:41.825690Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-awrf_buildah-demo-nvjyiiqhed-build-image-index-pod_a8b896a6-2b03-4775-ad68-2b79cbd53251/step-build/0.log 2026/06/29 14:53:40 Entrypoint initialization 2026/06/29 14:53:40 Decoded script /tekton/scripts/script-0-4xn8k 2026/06/29 14:53:40 Decoded script /tekton/scripts/script-1-hk9bw 2026/06/29 14:53:40 Decoded script /tekton/scripts/script-2-vhhz6 2026-06-29T14:53:53.612080Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-awrf_buildah-demo-nvjyiiqhed-build-image-index-pod_a8b896a6-2b03-4775-ad68-2b79cbd53251/step-create-sbom/0.log 2026-06-29T14:54:07.956209Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-awrf_buildah-demo-nvjyiiqhed-build-image-index-pod_a8b896a6-2b03-4775-ad68-2b79cbd53251/step-upload-sbom/0.log 2026-06-29T14:54:10.005349Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-awrf_buildah-demo-nvjyiiqhed-build-image-index-pod_a8b896a6-2b03-4775-ad68-2b79cbd53251/step-build/0.log 2026-06-29T14:54:11.558090Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-awrf_buildah-demo-nvjyiiqhed-build-image-index-pod_a8b896a6-2b03-4775-ad68-2b79cbd53251/step-create-sbom/0.log 2026-06-29T14:54:12.076840Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-awrf_buildah-demo-nvjyiiqhed-build-image-index-pod_a8b896a6-2b03-4775-ad68-2b79cbd53251/step-upload-sbom/0.log The manifest_data.json file does not exist. Skipping the SBOM creation... [2026-06-29T14:54:08,415743518+00:00] Update CA trust INFO: Using mounted CA bundle: /mnt/trusted-ca/ca-bundle.crt '/mnt/trusted-ca/ca-bundle.crt' -> '/etc/pki/ca-trust/source/anchors/ca-bundle.crt' Running konflux-build-cli time="2026-06-29T14:54:10Z" level=info msg="[param] image: quay.io/redhat-appstudio-qe/test-images:buildah-demo-nvjyiiqhed" time="2026-06-29T14:54:10Z" level=info msg="[param] images: [quay.io/redhat-appstudio-qe/test-images:buildah-demo-nvjyiiqhed@sha256:40cd27cf0ffa191b55b687c985895086bdc07766e51f55c92253583119140047]" time="2026-06-29T14:54:10Z" level=info msg="[param] buildah-format: docker" time="2026-06-29T14:54:10Z" level=info msg="[param] always-build-index: false" time="2026-06-29T14:54:10Z" level=info msg="[param] additional-tags: [buildah-demo-nvjyiiqhed-build-image-index]" time="2026-06-29T14:54:10Z" level=info msg="[param] output-manifest-path: /index-build-data/manifest_data.json" time="2026-06-29T14:54:10Z" level=info msg="[param] result-path-image-digest: /tekton/results/IMAGE_DIGEST" time="2026-06-29T14:54:10Z" level=info msg="[param] result-path-image-url: /tekton/results/IMAGE_URL" time="2026-06-29T14:54:10Z" level=info msg="[param] result-path-image-ref: /tekton/results/IMAGE_REF" time="2026-06-29T14:54:10Z" level=info msg="[param] result-path-images: /tekton/results/IMAGES" time="2026-06-29T14:54:10Z" level=info msg="Creating manifest list: quay.io/redhat-appstudio-qe/test-images:buildah-demo-nvjyiiqhed" time="2026-06-29T14:54:10Z" level=info msg="buildah [stdout] a70654889da713a516b9b7a4717cc73e036142fe9ac35ab40c3147cd1d3ad522" logger=CliExecutor time="2026-06-29T14:54:10Z" level=info msg="Skipping image index generation. Returning results for single image." [2026-06-29T14:54:12,037878700+00:00] Update CA trust INFO: Using mounted CA bundle: /mnt/trusted-ca/ca-bundle.crt '/mnt/trusted-ca/ca-bundle.crt' -> '/etc/pki/ca-trust/source/anchors/ca-bundle.crt' The index.spdx.json file does not exists. Skipping the SBOM upload... 2026-06-29T14:54:16.194769Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-awrf_buildah-demo-nvjyiiqhed-apply-tags-pod_7c36fd2e-9a45-48d5-b2a5-45888c4896df/prepare/0.log 2026-06-29T14:54:16.715190Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-awrf_buildah-demo-nvjyiiqhed-apply-tags-pod_7c36fd2e-9a45-48d5-b2a5-45888c4896df/step-apply-additional-tags/0.log 2026/06/29 14:54:15 Entrypoint initialization 2026-06-29T14:54:20.302794Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-awrf_buildah-demo-nvjyiiqhed-apply-tags-pod_7c36fd2e-9a45-48d5-b2a5-45888c4896df/step-apply-additional-tags/0.log time="2026-06-29T14:54:19Z" level=info msg="[param] image-url: quay.io/redhat-appstudio-qe/test-images:buildah-demo-nvjyiiqhed" time="2026-06-29T14:54:19Z" level=info msg="[param] digest: sha256:40cd27cf0ffa191b55b687c985895086bdc07766e51f55c92253583119140047" time="2026-06-29T14:54:19Z" level=info msg="[param] tags-from-image-label: konflux.additional-tags" time="2026-06-29T14:54:20Z" level=warning msg="No tags given in 'konflux.additional-tags' image label" {"image_digest":"sha256:40cd27cf0ffa191b55b687c985895086bdc07766e51f55c92253583119140047","image_url":"quay.io/redhat-appstudio-qe/test-images:buildah-demo-nvjyiiqhed","image_ref":"quay.io/redhat-appstudio-qe/test-images@sha256:40cd27cf0ffa191b55b687c985895086bdc07766e51f55c92253583119140047","images":"quay.io/redhat-appstudio-qe/test-images@sha256:40cd27cf0ffa191b55b687c985895086bdc07766e51f55c92253583119140047"} {"tags":[]} 2026-06-29T14:55:35.120945Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-awrf_verify-enterprise-contract-0a44bb777e9de89dc69c05c3538da3d6-pod_d05747b6-7087-4a9c-b319-cbc885236843/prepare/0.log 2026-06-29T14:55:36.153323Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-awrf_verify-enterprise-contract-0a44bb777e9de89dc69c05c3538da3d6-pod_d05747b6-7087-4a9c-b319-cbc885236843/place-scripts/0.log 2026/06/29 14:55:35 Entrypoint initialization 2026/06/29 14:55:35 Decoded script /tekton/scripts/script-2-vvgq5 2026-06-29T14:55:46.411973Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-awrf_verify-enterprise-contract-0a44bb777e9de89dc69c05c3538da3d6-pod_d05747b6-7087-4a9c-b319-cbc885236843/step-assert/0.log 2026-06-29T14:55:46.412008Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-awrf_verify-enterprise-contract-0a44bb777e9de89dc69c05c3538da3d6-pod_d05747b6-7087-4a9c-b319-cbc885236843/step-detailed-report/0.log 2026-06-29T14:55:46.412018Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-awrf_verify-enterprise-contract-0a44bb777e9de89dc69c05c3538da3d6-pod_d05747b6-7087-4a9c-b319-cbc885236843/step-initialize-tuf/0.log 2026-06-29T14:55:46.412031Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-awrf_verify-enterprise-contract-0a44bb777e9de89dc69c05c3538da3d6-pod_d05747b6-7087-4a9c-b319-cbc885236843/step-reduce/0.log 2026-06-29T14:55:46.412042Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-awrf_verify-enterprise-contract-0a44bb777e9de89dc69c05c3538da3d6-pod_d05747b6-7087-4a9c-b319-cbc885236843/step-report-json/0.log 2026-06-29T14:55:46.412053Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-awrf_verify-enterprise-contract-0a44bb777e9de89dc69c05c3538da3d6-pod_d05747b6-7087-4a9c-b319-cbc885236843/step-show-config/0.log 2026-06-29T14:55:46.412064Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-awrf_verify-enterprise-contract-0a44bb777e9de89dc69c05c3538da3d6-pod_d05747b6-7087-4a9c-b319-cbc885236843/step-summary/0.log 2026-06-29T14:55:46.412075Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-awrf_verify-enterprise-contract-0a44bb777e9de89dc69c05c3538da3d6-pod_d05747b6-7087-4a9c-b319-cbc885236843/step-validate/0.log 2026-06-29T14:55:46.412089Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-awrf_verify-enterprise-contract-0a44bb777e9de89dc69c05c3538da3d6-pod_d05747b6-7087-4a9c-b319-cbc885236843/step-version/0.log 2026-06-29T14:55:48.462201Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-awrf_verify-enterprise-contract-0a44bb777e9de89dc69c05c3538da3d6-pod_d05747b6-7087-4a9c-b319-cbc885236843/step-initialize-tuf/0.log 2026-06-29T14:55:48.462247Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-awrf_verify-enterprise-contract-0a44bb777e9de89dc69c05c3538da3d6-pod_d05747b6-7087-4a9c-b319-cbc885236843/step-reduce/0.log 2026/06/29 14:55:47 INFO Step was skipped due to when expressions were evaluated to false. Single Component mode? false { "application": "", "componentGroup": "", "components": [ { "name": "", "version": "", "containerImage": "quay.io/redhat-appstudio-qe/test-images:buildah-demo-nvjyiiqhed@sha256:40cd27cf0ffa191b55b687c985895086bdc07766e51f55c92253583119140047", "source": {} } ], "artifacts": {} } 2026-06-29T14:55:54.619514Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-awrf_verify-enterprise-contract-0a44bb777e9de89dc69c05c3538da3d6-pod_d05747b6-7087-4a9c-b319-cbc885236843/step-assert/0.log 2026-06-29T14:55:54.619555Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-awrf_verify-enterprise-contract-0a44bb777e9de89dc69c05c3538da3d6-pod_d05747b6-7087-4a9c-b319-cbc885236843/step-detailed-report/0.log 2026-06-29T14:55:54.619610Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-awrf_verify-enterprise-contract-0a44bb777e9de89dc69c05c3538da3d6-pod_d05747b6-7087-4a9c-b319-cbc885236843/step-report-json/0.log 2026-06-29T14:55:54.619623Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-awrf_verify-enterprise-contract-0a44bb777e9de89dc69c05c3538da3d6-pod_d05747b6-7087-4a9c-b319-cbc885236843/step-show-config/0.log 2026-06-29T14:55:54.619639Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-awrf_verify-enterprise-contract-0a44bb777e9de89dc69c05c3538da3d6-pod_d05747b6-7087-4a9c-b319-cbc885236843/step-summary/0.log 2026-06-29T14:55:54.619656Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-awrf_verify-enterprise-contract-0a44bb777e9de89dc69c05c3538da3d6-pod_d05747b6-7087-4a9c-b319-cbc885236843/step-version/0.log Success: false Result: FAILURE Violations: 2, Warnings: 0, Successes: 0 Component: ImageRef: quay.io/redhat-appstudio-qe/test-images@sha256:40cd27cf0ffa191b55b687c985895086bdc07766e51f55c92253583119140047 Results: ✕ [Violation] builtin.attestation.signature_check ImageRef: quay.io/redhat-appstudio-qe/test-images@sha256:40cd27cf0ffa191b55b687c985895086bdc07766e51f55c92253583119140047 Reason: No image attestations found matching the given public key. Verify the correct public key was provided, and one or more attestations were created. Error: no matching attestations: accepted signatures do not match threshold, Found: 0, Expected 1 Title: Attestation signature check passed Description: The attestation signature matches available signing materials. ✕ [Violation] builtin.image.signature_check ImageRef: quay.io/redhat-appstudio-qe/test-images@sha256:40cd27cf0ffa191b55b687c985895086bdc07766e51f55c92253583119140047 Reason: No image signatures found matching the given public key. Verify the correct public key was provided, and a signature was created. Error: no matching signatures: invalid signature when validating ASN.1 encoded signature invalid signature when validating ASN.1 encoded signature invalid signature when validating ASN.1 encoded signature Title: Image signature check passed Description: The image signature matches available signing materials. For more information about policy issues, see the policy documentation: https://conforma.dev/docs/policy/ false { "policy": { "name": "Default", "description": "Includes rules for levels 1, 2 & 3 of SLSA v0.1. This is the default config used for new Konflux applications. Source: https://github.com/conforma/config/blob/main/default/policy.yaml", "sources": [ { "name": "Default", "policy": [ "oci::quay.io/enterprise-contract/ec-release-policy:konflux@sha256:614408c473895bc7263173ccadcbf782e0c3c7c0a8c10851e6b0c94b5ea448c1" ], "data": [ "git::github.com/release-engineering/rhtap-ec-policy//data?ref=e7ebca9822d7378140b7207c7bc7062fa883dd5f", "oci::quay.io/konflux-ci/tekton-catalog/data-acceptable-bundles:latest@sha256:a84185f081bd2514cd8a48b38db2daf8a5964779c4c56c5c1c9a5fcff51e2a6b", "oci::quay.io/konflux-ci/konflux-vanguard/data-acceptable-bundles:latest@sha256:0b31c7bc77a7463a1bc52f3d3625ef0e0e75443da7fd2de8005d7885282138ea", "oci::quay.io/konflux-ci/integration-service-catalog/data-acceptable-bundles:latest@sha256:7b00455045ea3873a72caeb1e7ac7d036bd53963a26409891a4cc9d0d242b9fc" ], "config": { "include": [ "slsa_provenance_available" ] } } ], "publicKey": "k8s://chains-e2e-awrf/dummy-public-key-fotxnnsftc" }, "key": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAENZxkE/d0fKvJ51dXHQmxXaRMTtVz\nBQWcmJD/7pcMDEmBcmk8O1yUPIiFj5TMZqabjS9CQQN+jKHG+Bfi0BYlHg==\n-----END PUBLIC KEY-----\n", "effective-time": "2026-06-29T14:55:48.339190672Z" } { "timestamp": "1782744952", "namespace": "", "successes": 0, "failures": 2, "warnings": 0, "result": "FAILURE" } Version v0.9.25 Source ID b345847182602d9a5ce9e957fa76fe02575c8018 Change date 2026-04-27 12:52:43 +0000 UTC (9 weeks ago) ECC v0.1.7 OPA v1.15.2 Conftest v0.68.2 Cosign v3.0.4 Sigstore v1.10.4 Rekor v1.5.0 Tekton Pipeline v1.9.2 Kubernetes Client v0.35.0 2026-06-29T14:56:11.029819Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-awrf_verify-enterprise-contract-48371cab80581e6b70d82ac2c292e394-pod_901b1647-4c4d-4f0b-b9b4-cd3a44a5bb7b/place-scripts/0.log 2026-06-29T14:56:11.029867Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-awrf_verify-enterprise-contract-48371cab80581e6b70d82ac2c292e394-pod_901b1647-4c4d-4f0b-b9b4-cd3a44a5bb7b/prepare/0.log 2026-06-29T14:56:12.063912Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-awrf_verify-enterprise-contract-48371cab80581e6b70d82ac2c292e394-pod_901b1647-4c4d-4f0b-b9b4-cd3a44a5bb7b/step-initialize-tuf/0.log 2026-06-29T14:56:12.063953Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-awrf_verify-enterprise-contract-48371cab80581e6b70d82ac2c292e394-pod_901b1647-4c4d-4f0b-b9b4-cd3a44a5bb7b/step-reduce/0.log 2026-06-29T14:56:13.090180Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-awrf_verify-enterprise-contract-48371cab80581e6b70d82ac2c292e394-pod_901b1647-4c4d-4f0b-b9b4-cd3a44a5bb7b/step-assert/0.log 2026-06-29T14:56:13.090211Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-awrf_verify-enterprise-contract-48371cab80581e6b70d82ac2c292e394-pod_901b1647-4c4d-4f0b-b9b4-cd3a44a5bb7b/step-detailed-report/0.log 2026-06-29T14:56:13.090226Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-awrf_verify-enterprise-contract-48371cab80581e6b70d82ac2c292e394-pod_901b1647-4c4d-4f0b-b9b4-cd3a44a5bb7b/step-report-json/0.log 2026-06-29T14:56:13.090233Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-awrf_verify-enterprise-contract-48371cab80581e6b70d82ac2c292e394-pod_901b1647-4c4d-4f0b-b9b4-cd3a44a5bb7b/step-show-config/0.log 2026-06-29T14:56:13.090239Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-awrf_verify-enterprise-contract-48371cab80581e6b70d82ac2c292e394-pod_901b1647-4c4d-4f0b-b9b4-cd3a44a5bb7b/step-summary/0.log 2026-06-29T14:56:13.090245Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-awrf_verify-enterprise-contract-48371cab80581e6b70d82ac2c292e394-pod_901b1647-4c4d-4f0b-b9b4-cd3a44a5bb7b/step-validate/0.log 2026-06-29T14:56:13.090251Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-awrf_verify-enterprise-contract-48371cab80581e6b70d82ac2c292e394-pod_901b1647-4c4d-4f0b-b9b4-cd3a44a5bb7b/step-version/0.log 2026/06/29 14:56:10 Entrypoint initialization 2026/06/29 14:56:11 Decoded script /tekton/scripts/script-2-l8cqn 2026-06-29T14:56:15.140293Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-awrf_verify-enterprise-contract-48371cab80581e6b70d82ac2c292e394-pod_901b1647-4c4d-4f0b-b9b4-cd3a44a5bb7b/step-initialize-tuf/0.log 2026-06-29T14:56:15.140334Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-awrf_verify-enterprise-contract-48371cab80581e6b70d82ac2c292e394-pod_901b1647-4c4d-4f0b-b9b4-cd3a44a5bb7b/step-reduce/0.log Single Component mode? false { "application": "", "componentGroup": "", "components": [ { "name": "", "version": "", "containerImage": "quay.io/konflux-ci/ec-golden-image:latest", "source": {} }, { "name": "", "version": "", "containerImage": "quay.io/konflux-ci/ec-golden-image:e2e-test-unacceptable-task", "source": {} } ], "artifacts": {} } 2026/06/29 14:56:15 INFO Step was skipped due to when expressions were evaluated to false. 2026-06-29T14:56:27.448205Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-awrf_verify-enterprise-contract-48371cab80581e6b70d82ac2c292e394-pod_901b1647-4c4d-4f0b-b9b4-cd3a44a5bb7b/step-detailed-report/0.log 2026-06-29T14:56:27.448278Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-awrf_verify-enterprise-contract-48371cab80581e6b70d82ac2c292e394-pod_901b1647-4c4d-4f0b-b9b4-cd3a44a5bb7b/step-report-json/0.log 2026-06-29T14:56:27.448296Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-awrf_verify-enterprise-contract-48371cab80581e6b70d82ac2c292e394-pod_901b1647-4c4d-4f0b-b9b4-cd3a44a5bb7b/step-show-config/0.log 2026-06-29T14:56:27.448312Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-awrf_verify-enterprise-contract-48371cab80581e6b70d82ac2c292e394-pod_901b1647-4c4d-4f0b-b9b4-cd3a44a5bb7b/step-summary/0.log 2026-06-29T14:56:27.448331Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-awrf_verify-enterprise-contract-48371cab80581e6b70d82ac2c292e394-pod_901b1647-4c4d-4f0b-b9b4-cd3a44a5bb7b/step-version/0.log {"success": false,"components": [{"name": "","containerImage": "quay.io/redhat-appstudio-qe/test-images@sha256:40cd27cf0ffa191b55b687c985895086bdc07766e51f55c92253583119140047","source": {},"violations": [{"msg": "No image attestations found matching the given public key. Verify the correct public key was provided, and one or more attestations were created. Error: no matching attestations: accepted signatures do not match threshold, Found: 0, Expected 1","metadata": {"code": "builtin.attestation.signature_check","description": "The attestation signature matches available signing materials.","title": "Attestation signature check passed"}},{"msg": "No image signatures found matching the given public key. Verify the correct public key was provided, and a signature was created. Error: no matching signatures: invalid signature when validating ASN.1 encoded signature\n invalid signature when validating ASN.1 encoded signature\n invalid signature when validating ASN.1 encoded signature","metadata": {"code": "builtin.image.signature_check","description": "The image signature matches available signing materials.","title": "Image signature check passed"}}],"success": false}],"key": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAENZxkE/d0fKvJ51dXHQmxXaRMTtVz\nBQWcmJD/7pcMDEmBcmk8O1yUPIiFj5TMZqabjS9CQQN+jKHG+Bfi0BYlHg==\n-----END PUBLIC KEY-----\n","policy": {"name": "Default","description": "Includes rules for levels 1, 2 & 3 of SLSA v0.1. This is the default config used for new Konflux applications. Source: https://github.com/conforma/config/blob/main/default/policy.yaml","sources": [{"name": "Default","policy": ["oci::quay.io/enterprise-contract/ec-release-policy:konflux@sha256:614408c473895bc7263173ccadcbf782e0c3c7c0a8c10851e6b0c94b5ea448c1"],"data": ["git::github.com/release-engineering/rhtap-ec-policy//data?ref=e7ebca9822d7378140b7207c7bc7062fa883dd5f","oci::quay.io/konflux-ci/tekton-catalog/data-acceptable-bundles:latest@sha256:a84185f081bd2514cd8a48b38db2daf8a5964779c4c56c5c1c9a5fcff51e2a6b","oci::quay.io/konflux-ci/konflux-vanguard/data-acceptable-bundles:latest@sha256:0b31c7bc77a7463a1bc52f3d3625ef0e0e75443da7fd2de8005d7885282138ea","oci::quay.io/konflux-ci/integration-service-catalog/data-acceptable-bundles:latest@sha256:7b00455045ea3873a72caeb1e7ac7d036bd53963a26409891a4cc9d0d242b9fc"],"config": {"include": ["slsa_provenance_available"]}}],"publicKey": "k8s://chains-e2e-awrf/dummy-public-key-fotxnnsftc"},"ec-version": "v0.9.25","effective-time": "2026-06-29T14:55:48.339190672Z"} 2026-06-29T14:56:27.972063Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-awrf_verify-enterprise-contract-48371cab80581e6b70d82ac2c292e394-pod_901b1647-4c4d-4f0b-b9b4-cd3a44a5bb7b/step-assert/0.log { "timestamp": "1782744987", "namespace": "", "successes": 84, "failures": 0, "warnings": 0, "result": "SUCCESS" } Success: true Result: SUCCESS Violations: 0, Warnings: 0, Successes: 84 Components: - Name: -sha256:bd819da15920ef731002630e2b2d49e03b3209ee5edae6c74f2094bb9825b7cf-arm64 ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:bd819da15920ef731002630e2b2d49e03b3209ee5edae6c74f2094bb9825b7cf Violations: 0, Warnings: 0, Successes: 21 - Name: -sha256:4b8339806ff0774bdfc73676c57c6985fd311d8c8d0ea3062d13c00136f19414-amd64 ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:4b8339806ff0774bdfc73676c57c6985fd311d8c8d0ea3062d13c00136f19414 Violations: 0, Warnings: 0, Successes: 21 - Name: ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:304040ca1911aa4d911bd7c6d6d07193c57dc49dbc43e63828b42ab204fb1b25 Violations: 0, Warnings: 0, Successes: 21 - Name: ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:0e61e9c81f2e5f05c82aa07135835be5c14e5d4fb7e49734cc581c3856875c8d Violations: 0, Warnings: 0, Successes: 21 { "policy": { "name": "Default", "description": "Includes rules for levels 1, 2 & 3 of SLSA v0.1. This is the default config used for new Konflux applications. Source: https://github.com/conforma/config/blob/main/default/policy.yaml", "sources": [ { "name": "Default", "policy": [ "oci::quay.io/enterprise-contract/ec-release-policy:konflux@sha256:614408c473895bc7263173ccadcbf782e0c3c7c0a8c10851e6b0c94b5ea448c1" ], "data": [ "git::github.com/release-engineering/rhtap-ec-policy//data?ref=e7ebca9822d7378140b7207c7bc7062fa883dd5f", "oci::quay.io/konflux-ci/tekton-catalog/data-acceptable-bundles:latest@sha256:a84185f081bd2514cd8a48b38db2daf8a5964779c4c56c5c1c9a5fcff51e2a6b", "oci::quay.io/konflux-ci/konflux-vanguard/data-acceptable-bundles:latest@sha256:0b31c7bc77a7463a1bc52f3d3625ef0e0e75443da7fd2de8005d7885282138ea", "oci::quay.io/konflux-ci/integration-service-catalog/data-acceptable-bundles:latest@sha256:7b00455045ea3873a72caeb1e7ac7d036bd53963a26409891a4cc9d0d242b9fc" ], "config": { "exclude": [ "slsa_source_correlated.source_code_reference_provided" ], "include": [ "@slsa3" ] } } ], "publicKey": "k8s://chains-e2e-awrf/golden-image-public-keyjuvajhpumc" }, "key": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEZP/0htjhVt2y0ohjgtIIgICOtQtA\nnaYJRuLprwIv6FDhZ5yFjYUEtsmoNcW7rx2KM6FOXGsCX3BNc7qhHELT+g==\n-----END PUBLIC KEY-----\n", "effective-time": "2026-06-29T14:56:15.68814165Z" } {"success": true,"components": [{"name": "-sha256:bd819da15920ef731002630e2b2d49e03b3209ee5edae6c74f2094bb9825b7cf-arm64","containerImage": "quay.io/konflux-ci/ec-golden-image@sha256:bd819da15920ef731002630e2b2d49e03b3209ee5edae6c74f2094bb9825b7cf","source": {},"successes": [{"msg": "Pass","metadata": {"code": "attestation_type.known_attestation_type","collections": ["minimal","redhat","redhat_rpms","slsa3"],"depends_on": ["attestation_type.pipelinerun_attestation_found"],"description": "Confirm the attestation found for the image has a known attestation type.","title": "Known attestation type found"}},{"msg": "Pass","metadata": {"code": "attestation_type.pipelinerun_attestation_found","collections": ["minimal","redhat","redhat_rpms","slsa3"],"description": "Confirm at least one PipelineRun attestation is present.","title": "PipelineRun attestation found"}},{"msg": "Pass","metadata": {"code": "builtin.attestation.signature_check","description": "The attestation signature matches available signing materials.","title": "Attestation signature check passed"}},{"msg": "Pass","metadata": {"code": "builtin.attestation.syntax_check","description": "The attestation has correct syntax.","title": "Attestation syntax check passed"}},{"msg": "Pass","metadata": {"code": "builtin.image.signature_check","description": "The image signature matches available signing materials.","title": "Image signature check passed"}},{"msg": "Pass","metadata": {"code": "slsa_build_build_service.allowed_builder_ids_provided","collections": ["slsa3","redhat","redhat_rpms","policy_data"],"description": "Confirm the `allowed_builder_ids` rule data was provided, since it is required by the policy rules in this package.","title": "Allowed builder IDs provided"}},{"msg": "Pass","metadata": {"code": "slsa_build_build_service.slsa_builder_id_accepted","collections": ["slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify that the attestation attribute predicate.builder.id is set to one of the values in the `allowed_builder_ids` rule data, e.g. \"https://tekton.dev/chains/v2\".","title": "SLSA Builder ID is known and accepted"}},{"msg": "Pass","metadata": {"code": "slsa_build_build_service.slsa_builder_id_found","collections": ["slsa3","redhat"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify that the attestation attribute predicate.builder.id is set.","title": "SLSA Builder ID found"}},{"msg": "Pass","metadata": {"code": "slsa_build_scripted_build.build_script_used","collections": ["slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify that the predicate.buildConfig.tasks.steps attribute for the task responsible for building and pushing the image is not empty.","title": "Build task contains steps"}},{"msg": "Pass","metadata": {"code": "slsa_build_scripted_build.build_task_image_results_found","collections": ["slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Confirm that a build task exists and it has the expected IMAGE_DIGEST and IMAGE_URL task results.","title": "Build task set image digest and url task results"}},{"msg": "Pass","metadata": {"code": "slsa_build_scripted_build.subject_build_task_matches","collections": ["slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify the subject of the attestations matches the IMAGE_DIGEST and IMAGE_URL values from the build task.","title": "Provenance subject matches build task image result"}},{"msg": "Pass","metadata": {"code": "slsa_provenance_available.allowed_predicate_types_provided","collections": ["minimal","slsa3","redhat","redhat_rpms","policy_data"],"description": "Confirm the `allowed_predicate_types` rule data was provided, since it is required by the policy rules in this package.","title": "Allowed predicate types provided"}},{"msg": "Pass","metadata": {"code": "slsa_provenance_available.attestation_predicate_type_accepted","collections": ["minimal","slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify that the predicateType field of the attestation indicates the in-toto SLSA Provenance format was used to attest the PipelineRun.","title": "Expected attestation predicate type found"}},{"msg": "Pass","metadata": {"code": "slsa_source_correlated.attested_source_code_reference","collections": ["minimal","slsa3","redhat"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Attestation contains source reference.","title": "Source reference"}},{"msg": "Pass","metadata": {"code": "slsa_source_correlated.expected_source_code_reference","collections": ["minimal","slsa3","redhat"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify that the provided source code reference is the one being attested.","title": "Expected source code reference"}},{"msg": "Pass","metadata": {"code": "slsa_source_correlated.rule_data_provided","collections": ["minimal","slsa3","redhat","redhat_rpms","policy_data"],"description": "Confirm the expected rule data keys have been provided in the expected format. The keys are `supported_vcs` and `supported_digests`.","title": "Rule data provided"}},{"msg": "Pass","metadata": {"code": "slsa_source_version_controlled.materials_format_okay","collections": ["minimal","slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Confirm at least one entry in the predicate.materials array of the attestation contains the expected attributes: uri and digest.sha1.","title": "Materials have uri and digest"}},{"msg": "Pass","metadata": {"code": "slsa_source_version_controlled.materials_include_git_sha","collections": ["minimal","slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Ensure that each entry in the predicate.materials array with a SHA-1 digest includes a valid Git commit SHA.","title": "Materials include git commit shas"}},{"msg": "Pass","metadata": {"code": "slsa_source_version_controlled.materials_uri_is_git_repo","collections": ["minimal","slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Ensure each entry in the predicate.materials array with a SHA-1 digest includes a valid Git URI.","title": "Material uri is a git repo"}},{"msg": "Pass","metadata": {"code": "tasks.pipeline_has_tasks","collections": ["minimal","redhat","redhat_rpms","slsa3"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Ensure that at least one Task is present in the PipelineRun attestation.","title": "Pipeline run includes at least one task"}},{"msg": "Pass","metadata": {"code": "tasks.successful_pipeline_tasks","collections": ["minimal","redhat","redhat_rpms","slsa3"],"depends_on": ["tasks.pipeline_has_tasks"],"description": "Ensure that all of the Tasks in the Pipeline completed successfully. Note that skipped Tasks are not taken into account and do not influence the outcome.","title": "Successful pipeline tasks"}}],"success": true,"signatures": [{"keyid": "","sig": "MEYCIQDAFKFnOSV+ZO53btaeKYBj9ME2NdgwhZHBvpe+FdPrKgIhALpDGT56tbbpn+Y7xX7I6G9Ggm3UD0MYEZYgZ/Jf0n7s"},{"keyid": "","sig": "MEYCIQCwccUeCezmpPt6+gFQUb625+udjgjabwf3JZKGyt7iuAIhAMSTjScJPNed9vmKj/eLIE4zuKkw+dD1CGOcSlHEYGqi"}],"attestations": [{"type": "https://in-toto.io/Statement/v0.1","predicateType": "https://slsa.dev/provenance/v0.2","predicateBuildType": "tekton.dev/v1/PipelineRun","signatures": [{"keyid": "SHA256:IhiN7gY+Z3uSSd7tmj6w5Zfhqafzdhm3DZjIvGc6iYY","sig": "MEUCIFDe/HK4zGEf6ReCdi9lKIHt+F3RAQVbVz+9njVgeByoAiEA07g5JSnXBDpV2QlW7s4GuY7DoGVO8rwgOzJDsFR4Vhg="}]}]},{"name": "-sha256:4b8339806ff0774bdfc73676c57c6985fd311d8c8d0ea3062d13c00136f19414-amd64", "containerImage": "quay.io/konflux-ci/ec-golden-image@sha256:4b8339806ff0774bdfc73676c57c6985fd311d8c8d0ea3062d13c00136f19414","source": {},"successes": [{"msg": "Pass","metadata": {"code": "attestation_type.known_attestation_type","collections": ["minimal","redhat","redhat_rpms","slsa3"],"depends_on": ["attestation_type.pipelinerun_attestation_found"],"description": "Confirm the attestation found for the image has a known attestation type.","title": "Known attestation type found"}},{"msg": "Pass","metadata": {"code": "attestation_type.pipelinerun_attestation_found","collections": ["minimal","redhat","redhat_rpms","slsa3"],"description": "Confirm at least one PipelineRun attestation is present.","title": "PipelineRun attestation found"}},{"msg": "Pass","metadata": {"code": "builtin.attestation.signature_check","description": "The attestation signature matches available signing materials.","title": "Attestation signature check passed"}},{"msg": "Pass","metadata": {"code": "builtin.attestation.syntax_check","description": "The attestation has correct syntax.","title": "Attestation syntax check passed"}},{"msg": "Pass","metadata": {"code": "builtin.image.signature_check","description": "The image signature matches available signing materials.","title": "Image signature check passed"}},{"msg": "Pass","metadata": {"code": "slsa_build_build_service.allowed_builder_ids_provided","collections": ["slsa3","redhat","redhat_rpms","policy_data"],"description": "Confirm the `allowed_builder_ids` rule data was provided, since it is required by the policy rules in this package.","title": "Allowed builder IDs provided"}},{"msg": "Pass","metadata": {"code": "slsa_build_build_service.slsa_builder_id_accepted","collections": ["slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify that the attestation attribute predicate.builder.id is set to one of the values in the `allowed_builder_ids` rule data, e.g. \"https://tekton.dev/chains/v2\".","title": "SLSA Builder ID is known and accepted"}},{"msg": "Pass","metadata": {"code": "slsa_build_build_service.slsa_builder_id_found","collections": ["slsa3","redhat"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify that the attestation attribute predicate.builder.id is set.","title": "SLSA Builder ID found"}},{"msg": "Pass","metadata": {"code": "slsa_build_scripted_build.build_script_used","collections": ["slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify that the predicate.buildConfig.tasks.steps attribute for the task responsible for building and pushing the image is not empty.","title": "Build task contains steps"}},{"msg": "Pass","metadata": {"code": "slsa_build_scripted_build.build_task_image_results_found","collections": ["slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Confirm that a build task exists and it has the expected IMAGE_DIGEST and IMAGE_URL task results.","title": "Build task set image digest and url task results"}},{"msg": "Pass","metadata": {"code": "slsa_build_scripted_build.subject_build_task_matches","collections": ["slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify the subject of the attestations matches the IMAGE_DIGEST and IMAGE_URL values from the build task.","title": "Provenance subject matches build task image result"}},{"msg": "Pass","metadata": {"code": "slsa_provenance_available.allowed_predicate_types_provided","collections": ["minimal","slsa3","redhat","redhat_rpms","policy_data"],"description": "Confirm the `allowed_predicate_types` rule data was provided, since it is required by the policy rules in this package.","title": "Allowed predicate types provided"}},{"msg": "Pass","metadata": {"code": "slsa_provenance_available.attestation_predicate_type_accepted","collections": ["minimal","slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify that the predicateType field of the attestation indicates the in-toto SLSA Provenance format was used to attest the PipelineRun.","title": "Expected attestation predicate type found"}},{"msg": "Pass","metadata": {"code": "slsa_source_correlated.attested_source_code_reference","collections": ["minimal","slsa3","redhat"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Attestation contains source reference.","title": "Source reference"}},{"msg": "Pass","metadata": {"code": "slsa_source_correlated.expected_source_code_reference","collections": ["minimal","slsa3","redhat"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify that the provided source code reference is the one being attested.","title": "Expected source code reference"}},{"msg": "Pass","metadata": {"code": "slsa_source_correlated.rule_data_provided","collections": ["minimal","slsa3","redhat","redhat_rpms","policy_data"],"description": "Confirm the expected rule data keys have been provided in the expected format. The keys are `supported_vcs` and `supported_digests`.","title": "Rule data provided"}},{"msg": "Pass","metadata": {"code": "slsa_source_version_controlled.materials_format_okay","collections": ["minimal","slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Confirm at least one entry in the predicate.materials array of the attestation contains the expected attributes: uri and digest.sha1.","title": "Materials have uri and digest"}},{"msg": "Pass","metadata": {"code": "slsa_source_version_controlled.materials_include_git_sha","collections": ["minimal","slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Ensure that each entry in the predicate.materials array with a SHA-1 digest includes a valid Git commit SHA.","title": "Materials include git commit shas"}},{"msg": "Pass","metadata": {"code": "slsa_source_version_controlled.materials_uri_is_git_repo","collections": ["minimal","slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Ensure each entry in the predicate.materials array with a SHA-1 digest includes a valid Git URI.","title": "Material uri is a git repo"}},{"msg": "Pass","metadata": {"code": "tasks.pipeline_has_tasks","collections": ["minimal","redhat","redhat_rpms","slsa3"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Ensure that at least one Task is present in the PipelineRun attestation.","title": "Pipeline run includes at least one task"}},{"msg": "Pass","metadata": {"code": "tasks.successful_pipeline_tasks","collections": ["minimal","redhat","redhat_rpms","slsa3"],"depends_on": ["tasks.pipeline_has_tasks"],"description": "Ensure that all of the Tasks in the Pipeline completed successfully. Note that skipped Tasks are not taken into account and do not influence the outcome.","title": "Successful pipeline tasks"}}],"success": true,"signatures": [{"keyid": "","sig": "MEUCIDClKcqP9YPbxNqrjMmnHiaOfanitDdnBlhFmjQ6BLtJAiEArcCsnbdruYcO3+U0I5lWaU61uOUyU+wfbEj0L+ZR+L0="},{"keyid": "","sig": "MEUCIQCpjCHf1LOrOwwyEkcivoYaDzQBLYDerGUXEJvjlVBnmgIgG5Zk2eQpGhuw2sfOQZbwrB8d3fp5JdZcemQw426vGwg="}],"attestations": [{"type": "https://in-toto.io/Statement/v0.1","predicateType": "https://slsa.dev/provenance/v0.2","predicateBuildType": "tekton.dev/v1/PipelineRun","signatures": [{"keyid": "SHA256:IhiN7gY+Z3uSSd7tmj6w5Zfhqafzdhm3DZjIvGc6iYY","sig": "MEUCIFDe/HK4zGEf6ReCdi9lKIHt+F3RAQVbVz+9njVgeByoAiEA07g5JSnXBDpV2QlW7s4GuY7DoGVO8rwgOzJDsFR4Vhg="}]}]},{"name": "","containerImage": "quay.io/konflux-ci/ec-golden-image@sha256:304040ca1911aa4d911bd7c6d6d07193c57dc49dbc43e63828b42ab204fb1b25","source": {},"successes": [{"msg": "Pass","metadata": {"code": "attestation_type.known_attestation_type","collections": ["minimal","redhat","redhat_rpms","slsa3"], "depends_on": ["attestation_type.pipelinerun_attestation_found"],"description": "Confirm the attestation found for the image has a known attestation type.","title": "Known attestation type found"}},{"msg": "Pass","metadata": {"code": "attestation_type.pipelinerun_attestation_found","collections": ["minimal","redhat","redhat_rpms","slsa3"],"description": "Confirm at least one PipelineRun attestation is present.","title": "PipelineRun attestation found"}},{"msg": "Pass","metadata": {"code": "builtin.attestation.signature_check","description": "The attestation signature matches available signing materials.","title": "Attestation signature check passed"}},{"msg": "Pass","metadata": {"code": "builtin.attestation.syntax_check","description": "The attestation has correct syntax.","title": "Attestation syntax check passed"}},{"msg": "Pass","metadata": {"code": "builtin.image.signature_check","description": "The image signature matches available signing materials.","title": "Image signature check passed"}},{"msg": "Pass","metadata": {"code": "slsa_build_build_service.allowed_builder_ids_provided","collections": ["slsa3","redhat","redhat_rpms","policy_data"],"description": "Confirm the `allowed_builder_ids` rule data was provided, since it is required by the policy rules in this package.","title": "Allowed builder IDs provided"}},{"msg": "Pass","metadata": {"code": "slsa_build_build_service.slsa_builder_id_accepted","collections": ["slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify that the attestation attribute predicate.builder.id is set to one of the values in the `allowed_builder_ids` rule data, e.g. \"https://tekton.dev/chains/v2\".","title": "SLSA Builder ID is known and accepted"}},{"msg": "Pass","metadata": {"code": "slsa_build_build_service.slsa_builder_id_found","collections": ["slsa3","redhat"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify that the attestation attribute predicate.builder.id is set.","title": "SLSA Builder ID found"}},{"msg": "Pass","metadata": {"code": "slsa_build_scripted_build.build_script_used","collections": ["slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify that the predicate.buildConfig.tasks.steps attribute for the task responsible for building and pushing the image is not empty.","title": "Build task contains steps"}},{"msg": "Pass","metadata": {"code": "slsa_build_scripted_build.build_task_image_results_found","collections": ["slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Confirm that a build task exists and it has the expected IMAGE_DIGEST and IMAGE_URL task results.","title": "Build task set image digest and url task results"}},{"msg": "Pass","metadata": {"code": "slsa_build_scripted_build.subject_build_task_matches","collections": ["slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify the subject of the attestations matches the IMAGE_DIGEST and IMAGE_URL values from the build task.","title": "Provenance subject matches build task image result"}},{"msg": "Pass","metadata": {"code": "slsa_provenance_available.allowed_predicate_types_provided","collections": ["minimal","slsa3","redhat","redhat_rpms","policy_data"],"description": "Confirm the `allowed_predicate_types` rule data was provided, since it is required by the policy rules in this package.","title": "Allowed predicate types provided"}},{"msg": "Pass","metadata": {"code": "slsa_provenance_available.attestation_predicate_type_accepted","collections": ["minimal","slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify that the predicateType field of the attestation indicates the in-toto SLSA Provenance format was used to attest the PipelineRun.","title": "Expected attestation predicate type found"}},{"msg": "Pass","metadata": {"code": "slsa_source_correlated.attested_source_code_reference","collections": ["minimal","slsa3","redhat"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Attestation contains source reference.","title": "Source reference"}},{"msg": "Pass","metadata": {"code": "slsa_source_correlated.expected_source_code_reference","collections": ["minimal","slsa3","redhat"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify that the provided source code reference is the one being attested.","title": "Expected source code reference"}},{"msg": "Pass","metadata": {"code": "slsa_source_correlated.rule_data_provided","collections": ["minimal","slsa3","redhat","redhat_rpms","policy_data"],"description": "Confirm the expected rule data keys have been provided in the expected format. The keys are `supported_vcs` and `supported_digests`.","title": "Rule data provided"}},{"msg": "Pass","metadata": {"code": "slsa_source_version_controlled.materials_format_okay","collections": ["minimal","slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Confirm at least one entry in the predicate.materials array of the attestation contains the expected attributes: uri and digest.sha1.","title": "Materials have uri and digest"}},{"msg": "Pass","metadata": {"code": "slsa_source_version_controlled.materials_include_git_sha","collections": ["minimal","slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Ensure that each entry in the predicate.materials array with a SHA-1 digest includes a valid Git commit SHA.","title": "Materials include git commit shas"}},{"msg": "Pass","metadata": {"code": "slsa_source_version_controlled.materials_uri_is_git_repo","collections": ["minimal","slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Ensure each entry in the predicate.materials array with a SHA-1 digest includes a valid Git URI.","title": "Material uri is a git repo"}},{"msg": "Pass","metadata": {"code": "tasks.pipeline_has_tasks","collections": ["minimal","redhat","redhat_rpms","slsa3"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Ensure that at least one Task is present in the PipelineRun attestation.","title": "Pipeline run includes at least one task"}},{"msg": "Pass","metadata": {"code": "tasks.successful_pipeline_tasks","collections": ["minimal","redhat","redhat_rpms","slsa3"],"depends_on": ["tasks.pipeline_has_tasks"],"description": "Ensure that all of the Tasks in the Pipeline completed successfully. Note that skipped Tasks are not taken into account and do not influence the outcome.","title": "Successful pipeline tasks"}}],"success": true,"signatures": [{"keyid": "","sig": "MEUCIQD86lmOqCovYZDPKm0XxxsLgDQcFIFAv+QZxrFSHmCvQAIgTd1I005ox8MfABqsAen6PZEyg2MCEQNBCx1NLS3V0JQ="}],"attestations": [{"type": "https://in-toto.io/Statement/v0.1","predicateType": "https://slsa.dev/provenance/v0.2","predicateBuildType": "tekton.dev/v1beta1/TaskRun","signatures": [{"keyid": "SHA256:IhiN7gY+Z3uSSd7tmj6w5Zfhqafzdhm3DZjIvGc6iYY","sig": "MEUCIQDcgZIwEkLFqD7U9HrobgEC8Jo7wm+xJ5AoyO3qg+aj8QIgb9xDpjYGRMmpVk+QATeVKlHonzBiu51HtT3J+lQXPXc="}]},{"type": "https://in-toto.io/Statement/v0.1","predicateType": "https://slsa.dev/provenance/v0.2","predicateBuildType": "tekton.dev/v1beta1/PipelineRun","signatures": [{"keyid": "SHA256:IhiN7gY+Z3uSSd7tmj6w5Zfhqafzdhm3DZjIvGc6iYY","sig": "MEYCIQDKSihaAR/zAhJhR5GCqleDvfUUtvRw61vk0YeTBAnOSQIhAKa09B4yEfaSJronmWBFbu5cVPNxm17CMl/PElEz1POa"}]}]},{"name": "","containerImage": "quay.io/konflux-ci/ec-golden-image@sha256:0e61e9c81f2e5f05c82aa07135835be5c14e5d4fb7e49734cc581c3856875c8d","source": {},"successes": [{"msg": "Pass","metadata": {"code": "attestation_type.known_attestation_type","collections": ["minimal","redhat","redhat_rpms","slsa3"],"depends_on": ["attestation_type.pipelinerun_attestation_found"], "description": "Confirm the attestation found for the image has a known attestation type.","title": "Known attestation type found"}},{"msg": "Pass","metadata": {"code": "attestation_type.pipelinerun_attestation_found","collections": ["minimal","redhat","redhat_rpms","slsa3"],"description": "Confirm at least one PipelineRun attestation is present.","title": "PipelineRun attestation found"}},{"msg": "Pass","metadata": {"code": "builtin.attestation.signature_check","description": "The attestation signature matches available signing materials.","title": "Attestation signature check passed"}},{"msg": "Pass","metadata": {"code": "builtin.attestation.syntax_check","description": "The attestation has correct syntax.","title": "Attestation syntax check passed"}},{"msg": "Pass","metadata": {"code": "builtin.image.signature_check","description": "The image signature matches available signing materials.","title": "Image signature check passed"}},{"msg": "Pass","metadata": {"code": "slsa_build_build_service.allowed_builder_ids_provided","collections": ["slsa3","redhat","redhat_rpms","policy_data"],"description": "Confirm the `allowed_builder_ids` rule data was provided, since it is required by the policy rules in this package.","title": "Allowed builder IDs provided"}},{"msg": "Pass","metadata": {"code": "slsa_build_build_service.slsa_builder_id_accepted","collections": ["slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify that the attestation attribute predicate.builder.id is set to one of the values in the `allowed_builder_ids` rule data, e.g. \"https://tekton.dev/chains/v2\".","title": "SLSA Builder ID is known and accepted"}},{"msg": "Pass","metadata": {"code": "slsa_build_build_service.slsa_builder_id_found","collections": ["slsa3","redhat"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify that the attestation attribute predicate.builder.id is set.","title": "SLSA Builder ID found"}},{"msg": "Pass","metadata": {"code": "slsa_build_scripted_build.build_script_used","collections": ["slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify that the predicate.buildConfig.tasks.steps attribute for the task responsible for building and pushing the image is not empty.","title": "Build task contains steps"}},{"msg": "Pass","metadata": {"code": "slsa_build_scripted_build.build_task_image_results_found","collections": ["slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Confirm that a build task exists and it has the expected IMAGE_DIGEST and IMAGE_URL task results.","title": "Build task set image digest and url task results"}},{"msg": "Pass","metadata": {"code": "slsa_build_scripted_build.subject_build_task_matches","collections": ["slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify the subject of the attestations matches the IMAGE_DIGEST and IMAGE_URL values from the build task.","title": "Provenance subject matches build task image result"}},{"msg": "Pass","metadata": {"code": "slsa_provenance_available.allowed_predicate_types_provided","collections": ["minimal","slsa3","redhat","redhat_rpms","policy_data"],"description": "Confirm the `allowed_predicate_types` rule data was provided, since it is required by the policy rules in this package.","title": "Allowed predicate types provided"}},{"msg": "Pass","metadata": {"code": "slsa_provenance_available.attestation_predicate_type_accepted","collections": ["minimal","slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify that the predicateType field of the attestation indicates the in-toto SLSA Provenance format was used to attest the PipelineRun.","title": "Expected attestation predicate type found"}},{"msg": "Pass","metadata": {"code": "slsa_source_correlated.attested_source_code_reference","collections": ["minimal","slsa3","redhat"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Attestation contains source reference.","title": "Source reference"}},{"msg": "Pass","metadata": {"code": "slsa_source_correlated.expected_source_code_reference","collections": ["minimal","slsa3","redhat"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify that the provided source code reference is the one being attested.","title": "Expected source code reference"}},{"msg": "Pass","metadata": {"code": "slsa_source_correlated.rule_data_provided","collections": ["minimal","slsa3","redhat","redhat_rpms","policy_data"],"description": "Confirm the expected rule data keys have been provided in the expected format. The keys are `supported_vcs` and `supported_digests`.","title": "Rule data provided"}},{"msg": "Pass","metadata": {"code": "slsa_source_version_controlled.materials_format_okay","collections": ["minimal","slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Confirm at least one entry in the predicate.materials array of the attestation contains the expected attributes: uri and digest.sha1.","title": "Materials have uri and digest"}},{"msg": "Pass","metadata": {"code": "slsa_source_version_controlled.materials_include_git_sha","collections": ["minimal","slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Ensure that each entry in the predicate.materials array with a SHA-1 digest includes a valid Git commit SHA.","title": "Materials include git commit shas"}},{"msg": "Pass","metadata": {"code": "slsa_source_version_controlled.materials_uri_is_git_repo","collections": ["minimal","slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Ensure each entry in the predicate.materials array with a SHA-1 digest includes a valid Git URI.","title": "Material uri is a git repo"}},{"msg": "Pass","metadata": {"code": "tasks.pipeline_has_tasks","collections": ["minimal","redhat","redhat_rpms","slsa3"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Ensure that at least one Task is present in the PipelineRun attestation.","title": "Pipeline run includes at least one task"}},{"msg": "Pass","metadata": {"code": "tasks.successful_pipeline_tasks","collections": ["minimal","redhat","redhat_rpms","slsa3"],"depends_on": ["tasks.pipeline_has_tasks"],"description": "Ensure that all of the Tasks in the Pipeline completed successfully. Note that skipped Tasks are not taken into account and do not influence the outcome.","title": "Successful pipeline tasks"}}],"success": true,"signatures": [{"keyid": "","sig": "MEUCIH1WSpsKcqzY11HkZUBkW2EtnAsuE1DXjFSvEMiekoYhAiEA8DWjnDJelQVizV67I8B3hE7HzqVdoitHQYtE52UYnfU="}],"attestations": [{"type": "https://in-toto.io/Statement/v0.1","predicateType": "https://slsa.dev/provenance/v0.2","predicateBuildType": "tekton.dev/v1/PipelineRun","signatures": [{"keyid": "SHA256:IhiN7gY+Z3uSSd7tmj6w5Zfhqafzdhm3DZjIvGc6iYY","sig": "MEUCIFDe/HK4zGEf6ReCdi9lKIHt+F3RAQVbVz+9njVgeByoAiEA07g5JSnXBDpV2QlW7s4GuY7DoGVO8rwgOzJDsFR4Vhg="}]}]}],"key": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEZP/0htjhVt2y0ohjgtIIgICOtQtA\nnaYJRuLprwIv6FDhZ5yFjYUEtsmoNcW7rx2KM6FOXGsCX3BNc7qhHELT+g==\n-----END PUBLIC KEY-----\n","policy": {"name": "Default","description": "Includes rules for levels 1, 2 & 3 of SLSA v0.1. This is the default config used for new Konflux applications. Source: https://github.com/conforma/config/blob/main/default/policy.yaml","sources": [{"name": "Default","policy": ["oci::quay.io/enterprise-contract/ec-release-policy:konflux@sha256:614408c473895bc7263173ccadcbf782e0c3c7c0a8c10851e6b0c94b5ea448c1"],"data": ["git::github.com/release-engineering/rhtap-ec-policy//data?ref=e7ebca9822d7378140b7207c7bc7062fa883dd5f", Version v0.9.25 Source ID b345847182602d9a5ce9e957fa76fe02575c8018 Change date 2026-04-27 12:52:43 +0000 UTC (9 weeks ago) ECC v0.1.7 OPA v1.15.2 Conftest v0.68.2 Cosign v3.0.4 Sigstore v1.10.4 Rekor v1.5.0 Tekton Pipeline v1.9.2 Kubernetes Client v0.35.0 true "oci::quay.io/konflux-ci/tekton-catalog/data-acceptable-bundles:latest@sha256:a84185f081bd2514cd8a48b38db2daf8a5964779c4c56c5c1c9a5fcff51e2a6b","oci::quay.io/konflux-ci/konflux-vanguard/data-acceptable-bundles:latest@sha256:0b31c7bc77a7463a1bc52f3d3625ef0e0e75443da7fd2de8005d7885282138ea","oci::quay.io/konflux-ci/integration-service-catalog/data-acceptable-bundles:latest@sha256:7b00455045ea3873a72caeb1e7ac7d036bd53963a26409891a4cc9d0d242b9fc"],"config": {"exclude": ["slsa_source_correlated.source_code_reference_provided"],"include": ["@slsa3"]}}],"publicKey": "k8s://chains-e2e-awrf/golden-image-public-keyjuvajhpumc"},"ec-version": "v0.9.25","effective-time": "2026-06-29T14:56:15.68814165Z"} 2026-06-29T14:57:06.929000Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-awrf_verify-enterprise-contract-3d591770603d4ab5de4c14a4aa33f89b-pod_6c1510fb-e774-4839-b00c-97f9f8e6fd04/prepare/0.log 2026-06-29T14:57:07.449169Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-awrf_verify-enterprise-contract-3d591770603d4ab5de4c14a4aa33f89b-pod_6c1510fb-e774-4839-b00c-97f9f8e6fd04/place-scripts/0.log 2026-06-29T14:57:08.482275Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-awrf_verify-enterprise-contract-3d591770603d4ab5de4c14a4aa33f89b-pod_6c1510fb-e774-4839-b00c-97f9f8e6fd04/step-initialize-tuf/0.log 2026-06-29T14:57:08.482305Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-awrf_verify-enterprise-contract-3d591770603d4ab5de4c14a4aa33f89b-pod_6c1510fb-e774-4839-b00c-97f9f8e6fd04/step-reduce/0.log 2026-06-29T14:57:08.482312Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-awrf_verify-enterprise-contract-3d591770603d4ab5de4c14a4aa33f89b-pod_6c1510fb-e774-4839-b00c-97f9f8e6fd04/step-report-json/0.log 2026-06-29T14:57:08.482318Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-awrf_verify-enterprise-contract-3d591770603d4ab5de4c14a4aa33f89b-pod_6c1510fb-e774-4839-b00c-97f9f8e6fd04/step-summary/0.log 2026-06-29T14:57:08.482325Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-awrf_verify-enterprise-contract-3d591770603d4ab5de4c14a4aa33f89b-pod_6c1510fb-e774-4839-b00c-97f9f8e6fd04/step-validate/0.log 2026-06-29T14:57:09.507996Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-awrf_verify-enterprise-contract-3d591770603d4ab5de4c14a4aa33f89b-pod_6c1510fb-e774-4839-b00c-97f9f8e6fd04/step-assert/0.log 2026-06-29T14:57:09.508049Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-awrf_verify-enterprise-contract-3d591770603d4ab5de4c14a4aa33f89b-pod_6c1510fb-e774-4839-b00c-97f9f8e6fd04/step-detailed-report/0.log 2026-06-29T14:57:09.508070Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-awrf_verify-enterprise-contract-3d591770603d4ab5de4c14a4aa33f89b-pod_6c1510fb-e774-4839-b00c-97f9f8e6fd04/step-show-config/0.log 2026-06-29T14:57:09.508085Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-awrf_verify-enterprise-contract-3d591770603d4ab5de4c14a4aa33f89b-pod_6c1510fb-e774-4839-b00c-97f9f8e6fd04/step-version/0.log 2026/06/29 14:57:07 Decoded script /tekton/scripts/script-2-zlcs9 2026/06/29 14:57:06 Entrypoint initialization 2026-06-29T14:57:11.558116Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-awrf_verify-enterprise-contract-3d591770603d4ab5de4c14a4aa33f89b-pod_6c1510fb-e774-4839-b00c-97f9f8e6fd04/step-initialize-tuf/0.log 2026-06-29T14:57:11.558156Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-awrf_verify-enterprise-contract-3d591770603d4ab5de4c14a4aa33f89b-pod_6c1510fb-e774-4839-b00c-97f9f8e6fd04/step-reduce/0.log Single Component mode? false { "application": "", "componentGroup": "", "components": [ { "name": "", "version": "", "containerImage": "quay.io/konflux-ci/ec-golden-image:e2e-test-unacceptable-task", "source": {} } ], "artifacts": {} } 2026/06/29 14:57:11 INFO Step was skipped due to when expressions were evaluated to false. 2026-06-29T14:57:19.767803Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-awrf_verify-enterprise-contract-3d591770603d4ab5de4c14a4aa33f89b-pod_6c1510fb-e774-4839-b00c-97f9f8e6fd04/step-detailed-report/0.log 2026-06-29T14:57:19.767873Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-awrf_verify-enterprise-contract-3d591770603d4ab5de4c14a4aa33f89b-pod_6c1510fb-e774-4839-b00c-97f9f8e6fd04/step-report-json/0.log 2026-06-29T14:57:19.767888Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-awrf_verify-enterprise-contract-3d591770603d4ab5de4c14a4aa33f89b-pod_6c1510fb-e774-4839-b00c-97f9f8e6fd04/step-show-config/0.log 2026-06-29T14:57:19.767902Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-awrf_verify-enterprise-contract-3d591770603d4ab5de4c14a4aa33f89b-pod_6c1510fb-e774-4839-b00c-97f9f8e6fd04/step-summary/0.log 2026-06-29T14:57:19.767922Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-awrf_verify-enterprise-contract-3d591770603d4ab5de4c14a4aa33f89b-pod_6c1510fb-e774-4839-b00c-97f9f8e6fd04/step-version/0.log 2026-06-29T14:57:20.306345Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-awrf_verify-enterprise-contract-3d591770603d4ab5de4c14a4aa33f89b-pod_6c1510fb-e774-4839-b00c-97f9f8e6fd04/step-assert/0.log Success: false Result: FAILURE Violations: 11, Warnings: 0, Successes: 3 Component: ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:304040ca1911aa4d911bd7c6d6d07193c57dc49dbc43e63828b42ab204fb1b25 Results: ✕ [Violation] trusted_task.trusted ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:304040ca1911aa4d911bd7c6d6d07193c57dc49dbc43e63828b42ab204fb1b25 Reason: PipelineTask "build-container" uses an untrusted task reference: oci://quay.io/redhat-appstudio-tekton-catalog/task-buildah:0.1@sha256:c3712257615d206ef40013bf1c5c681670fc8f7fd6aac9fa4c86f7afeff627ef. Please upgrade the task version to: sha256:73628c0497b9d1fb068dffb997cf7bea57ed6dfa04e892abf1d6fc7f6828050a Term: buildah Title: Tasks are trusted Description: Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add "trusted_task.trusted:buildah" to the `exclude` section of the policy configuration. Solution: If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available. ✕ [Violation] trusted_task.trusted ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:304040ca1911aa4d911bd7c6d6d07193c57dc49dbc43e63828b42ab204fb1b25 Reason: PipelineTask "clair-scan" uses an untrusted task reference: oci://quay.io/redhat-appstudio-tekton-catalog/task-clair-scan:0.1@sha256:fba8170329ab00b864ee7d16e0358df4c4386880e10894fd7bbbb1457112477b. Please upgrade the task version to: sha256:d3af2290595378de7f8bc73b54aa7a5fac793090e2cef4f1822d31e18a64761f Term: clair-scan Title: Tasks are trusted Description: Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add "trusted_task.trusted:clair-scan" to the `exclude` section of the policy configuration. Solution: If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available. ✕ [Violation] trusted_task.trusted ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:304040ca1911aa4d911bd7c6d6d07193c57dc49dbc43e63828b42ab204fb1b25 Reason: PipelineTask "clamav-scan" uses an untrusted task reference: oci://quay.io/redhat-appstudio-tekton-catalog/task-clamav-scan:0.1@sha256:28b425322aa84f988c6c4f8d503787b3fb301668b2ad6728846b8f8c45ba012b. Please upgrade the task version to: sha256:1b186d53eeab12f0ae1b7aa333e9cf2b2c9dcc9751f5e940ca935a168bba5a7d Term: clamav-scan Title: Tasks are trusted Description: Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add "trusted_task.trusted:clamav-scan" to the `exclude` section of the policy configuration. Solution: If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available. ✕ [Violation] trusted_task.trusted ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:304040ca1911aa4d911bd7c6d6d07193c57dc49dbc43e63828b42ab204fb1b25 Reason: PipelineTask "deprecated-base-image-check" uses an untrusted task reference: oci://quay.io/redhat-appstudio-tekton-catalog/task-deprecated-image-check:0.1@sha256:28d724dd6f6c365b2a839d9e52baac91559fd78c160774769c1ec724301f78d4. Please upgrade the task version to: sha256:409efc4464663225f96518776b3811c31ea4e988a18493a3114eedf01e0a0a17 Term: deprecated-image-check Title: Tasks are trusted Description: Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add "trusted_task.trusted:deprecated-image-check" to the `exclude` section of the policy configuration. Solution: If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available. ✕ [Violation] trusted_task.trusted ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:304040ca1911aa4d911bd7c6d6d07193c57dc49dbc43e63828b42ab204fb1b25 Reason: PipelineTask "clone-repository" uses an untrusted task reference: oci://quay.io/redhat-appstudio-tekton-catalog/task-git-clone:0.1@sha256:f4e37778cba00296606ddfbc1c58181330899cafcaa1ee41c75a7cf8bed312f0. Please upgrade the task version to: sha256:39efcb7d049d84feccce65e589996a89b19ab7c9f504015c3792e3daee697da3 Term: git-clone Title: Tasks are trusted Description: Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add "trusted_task.trusted:git-clone" to the `exclude` section of the policy configuration. Solution: If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available. ✕ [Violation] trusted_task.trusted ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:304040ca1911aa4d911bd7c6d6d07193c57dc49dbc43e63828b42ab204fb1b25 Reason: PipelineTask "init" uses an untrusted task reference: oci://quay.io/redhat-appstudio-tekton-catalog/task-init:0.1@sha256:5ce77110e2a49407a69a7922042dc0859f7e8f5f75dc0cd0bcc2d17860469bdb. Please upgrade the task version to: sha256:60e0a74b7f4b1166cb62672d6b6f262b4284b20ade9157a387b4a52283ccada8 Term: init Title: Tasks are trusted Description: Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add "trusted_task.trusted:init" to the `exclude` section of the policy configuration. Solution: If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available. ✕ [Violation] trusted_task.trusted ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:304040ca1911aa4d911bd7c6d6d07193c57dc49dbc43e63828b42ab204fb1b25 Reason: PipelineTask "sanity-inspect-image" uses an untrusted task reference: oci://quay.io/redhat-appstudio-tekton-catalog/task-sanity-inspect-image:0.1@sha256:fd4efd9d12eea3a8d47532c4226e685618845d0ba95abb98e008020243d96301. Please upgrade the task version to: sha256:b9ad0ed56be21c9e3c8e2e636275f92d887e57681c718cd36f117eb6fa547824 Term: sanity-inspect-image Title: Tasks are trusted Description: Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add "trusted_task.trusted:sanity-inspect-image" to the `exclude` section of the policy configuration. Solution: If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available. ✕ [Violation] trusted_task.trusted ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:304040ca1911aa4d911bd7c6d6d07193c57dc49dbc43e63828b42ab204fb1b25 Reason: PipelineTask "sanity-label-check" uses an untrusted task reference: oci://quay.io/redhat-appstudio-tekton-catalog/task-sanity-label-check:0.1@sha256:534770bf7a7c10277ab5f9c1e7b766abbffb343cc864dd9545aecc5278257dc3. Please upgrade the task version to: sha256:dd49667be76c81264a7fb28e3b43f72c527507e5691720c6262575255cb60689 Term: sanity-label-check Title: Tasks are trusted Description: Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add "trusted_task.trusted:sanity-label-check" to the `exclude` section of the policy configuration. Solution: If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available. ✕ [Violation] trusted_task.trusted ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:304040ca1911aa4d911bd7c6d6d07193c57dc49dbc43e63828b42ab204fb1b25 Reason: PipelineTask "sanity-optional-label-check" uses an untrusted task reference: oci://quay.io/redhat-appstudio-tekton-catalog/task-sanity-label-check:0.1@sha256:534770bf7a7c10277ab5f9c1e7b766abbffb343cc864dd9545aecc5278257dc3. Please upgrade the task version to: sha256:dd49667be76c81264a7fb28e3b43f72c527507e5691720c6262575255cb60689 Term: sanity-label-check Title: Tasks are trusted Description: Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add "trusted_task.trusted:sanity-label-check" to the `exclude` section of the policy configuration. Solution: If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available. ✕ [Violation] trusted_task.trusted ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:304040ca1911aa4d911bd7c6d6d07193c57dc49dbc43e63828b42ab204fb1b25 Reason: PipelineTask "sbom-json-check" uses an untrusted task reference: oci://quay.io/redhat-appstudio-tekton-catalog/task-sbom-json-check:0.1@sha256:ce6a0932da9b41080108284d1366fc2de8374fca5137500138e16ad9e04610c6. Please upgrade the task version to: sha256:32a7b681f947179b4df11f2e9f05f27478001247e519fa0b1a211cbf9562a205 Term: sbom-json-check Title: Tasks are trusted Description: Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add "trusted_task.trusted:sbom-json-check" to the `exclude` section of the policy configuration. Solution: If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available. ✕ [Violation] trusted_task.trusted ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:304040ca1911aa4d911bd7c6d6d07193c57dc49dbc43e63828b42ab204fb1b25 Reason: PipelineTask "show-summary" uses an untrusted task reference: oci://quay.io/redhat-appstudio-tekton-catalog/task-summary:0.1@sha256:c0f66b28c338426774e34a8d4a00349fbab798b19df5841a95727148d5ef3c65. Please upgrade the task version to: sha256:4d7a2201ce4cb6dca8a48f4d9d4e02d5d3b57ef8eb99009675f1a34f2923ae49 Term: summary Title: Tasks are trusted Description: Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add "trusted_task.trusted:summary" to the `exclude` section of the policy configuration. Solution: If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available. For more information about policy issues, see the policy documentation: https://conforma.dev/docs/policy/ {"success": false,"components": [{"name": "","containerImage": "quay.io/konflux-ci/ec-golden-image@sha256:304040ca1911aa4d911bd7c6d6d07193c57dc49dbc43e63828b42ab204fb1b25","source": {},"violations": [{"msg": "PipelineTask \"build-container\" uses an untrusted task reference: oci://quay.io/redhat-appstudio-tekton-catalog/task-buildah:0.1@sha256:c3712257615d206ef40013bf1c5c681670fc8f7fd6aac9fa4c86f7afeff627ef. Please upgrade the task version to: sha256:73628c0497b9d1fb068dffb997cf7bea57ed6dfa04e892abf1d6fc7f6828050a","metadata": {"code": "trusted_task.trusted","collections": ["redhat"],"description": "Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add \"trusted_task.trusted:buildah\" to the `exclude` section of the policy configuration.","solution": "If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available.","term": "buildah","title": "Tasks are trusted"}},{"msg": "PipelineTask \"clair-scan\" uses an untrusted task reference: oci://quay.io/redhat-appstudio-tekton-catalog/task-clair-scan:0.1@sha256:fba8170329ab00b864ee7d16e0358df4c4386880e10894fd7bbbb1457112477b. Please upgrade the task version to: sha256:d3af2290595378de7f8bc73b54aa7a5fac793090e2cef4f1822d31e18a64761f","metadata": {"code": "trusted_task.trusted","collections": ["redhat"],"description": "Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add \"trusted_task.trusted:clair-scan\" to the `exclude` section of the policy configuration.","solution": "If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available.","term": "clair-scan","title": "Tasks are trusted"}},{"msg": "PipelineTask \"clamav-scan\" uses an untrusted task reference: oci://quay.io/redhat-appstudio-tekton-catalog/task-clamav-scan:0.1@sha256:28b425322aa84f988c6c4f8d503787b3fb301668b2ad6728846b8f8c45ba012b. Please upgrade the task version to: sha256:1b186d53eeab12f0ae1b7aa333e9cf2b2c9dcc9751f5e940ca935a168bba5a7d","metadata": {"code": "trusted_task.trusted","collections": ["redhat"],"description": "Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add \"trusted_task.trusted:clamav-scan\" to the `exclude` section of the policy configuration.","solution": "If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available.","term": "clamav-scan","title": "Tasks are trusted"}},{"msg": "PipelineTask \"deprecated-base-image-check\" uses an untrusted task reference: oci://quay.io/redhat-appstudio-tekton-catalog/task-deprecated-image-check:0.1@sha256:28d724dd6f6c365b2a839d9e52baac91559fd78c160774769c1ec724301f78d4. Please upgrade the task version to: sha256:409efc4464663225f96518776b3811c31ea4e988a18493a3114eedf01e0a0a17","metadata": {"code": "trusted_task.trusted","collections": ["redhat"],"description": "Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add \"trusted_task.trusted:deprecated-image-check\" to the `exclude` section of the policy configuration.","solution": "If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available.","term": "deprecated-image-check","title": "Tasks are trusted"}},{"msg": "PipelineTask \"clone-repository\" uses an untrusted task reference: oci://quay.io/redhat-appstudio-tekton-catalog/task-git-clone:0.1@sha256:f4e37778cba00296606ddfbc1c58181330899cafcaa1ee41c75a7cf8bed312f0. Please upgrade the task version to: sha256:39efcb7d049d84feccce65e589996a89b19ab7c9f504015c3792e3daee697da3","metadata": {"code": "trusted_task.trusted","collections": ["redhat"],"description": "Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add \"trusted_task.trusted:git-clone\" to the `exclude` section of the policy configuration.","solution": "If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available.","term": "git-clone","title": "Tasks are trusted"}},{"msg": "PipelineTask \"init\" uses an untrusted task reference: oci://quay.io/redhat-appstudio-tekton-catalog/task-init:0.1@sha256:5ce77110e2a49407a69a7922042dc0859f7e8f5f75dc0cd0bcc2d17860469bdb. Please upgrade the task version to: sha256:60e0a74b7f4b1166cb62672d6b6f262b4284b20ade9157a387b4a52283ccada8","metadata": {"code": "trusted_task.trusted","collections": ["redhat"],"description": "Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add \"trusted_task.trusted:init\" to the `exclude` section of the policy configuration.", "solution": "If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available.","term": "init","title": "Tasks are trusted"}},{"msg": "PipelineTask \"sanity-inspect-image\" uses an untrusted task reference: oci://quay.io/redhat-appstudio-tekton-catalog/task-sanity-inspect-image:0.1@sha256:fd4efd9d12eea3a8d47532c4226e685618845d0ba95abb98e008020243d96301. Please upgrade the task version to: sha256:b9ad0ed56be21c9e3c8e2e636275f92d887e57681c718cd36f117eb6fa547824","metadata": {"code": "trusted_task.trusted","collections": ["redhat"],"description": "Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add \"trusted_task.trusted:sanity-inspect-image\" to the `exclude` section of the policy configuration.","solution": "If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available.","term": "sanity-inspect-image","title": "Tasks are trusted"}},{"msg": "PipelineTask \"sanity-label-check\" uses an untrusted task reference: oci://quay.io/redhat-appstudio-tekton-catalog/task-sanity-label-check:0.1@sha256:534770bf7a7c10277ab5f9c1e7b766abbffb343cc864dd9545aecc5278257dc3. Please upgrade the task version to: sha256:dd49667be76c81264a7fb28e3b43f72c527507e5691720c6262575255cb60689","metadata": {"code": "trusted_task.trusted","collections": ["redhat"],"description": "Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add \"trusted_task.trusted:sanity-label-check\" to the `exclude` section of the policy configuration.","solution": "If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available.","term": "sanity-label-check","title": "Tasks are trusted"}},{"msg": "PipelineTask \"sanity-optional-label-check\" uses an untrusted task reference: oci://quay.io/redhat-appstudio-tekton-catalog/task-sanity-label-check:0.1@sha256:534770bf7a7c10277ab5f9c1e7b766abbffb343cc864dd9545aecc5278257dc3. Please upgrade the task version to: sha256:dd49667be76c81264a7fb28e3b43f72c527507e5691720c6262575255cb60689","metadata": {"code": "trusted_task.trusted","collections": ["redhat"],"description": "Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add \"trusted_task.trusted:sanity-label-check\" to the `exclude` section of the policy configuration.","solution": "If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available.","term": "sanity-label-check","title": "Tasks are trusted"}},{"msg": "PipelineTask \"sbom-json-check\" uses an untrusted task reference: oci://quay.io/redhat-appstudio-tekton-catalog/task-sbom-json-check:0.1@sha256:ce6a0932da9b41080108284d1366fc2de8374fca5137500138e16ad9e04610c6. Please upgrade the task version to: sha256:32a7b681f947179b4df11f2e9f05f27478001247e519fa0b1a211cbf9562a205","metadata": {"code": "trusted_task.trusted","collections": ["redhat"],"description": "Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add \"trusted_task.trusted:sbom-json-check\" to the `exclude` section of the policy configuration.","solution": "If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available.","term": "sbom-json-check","title": "Tasks are trusted"}},{"msg": "PipelineTask \"show-summary\" uses an untrusted task reference: oci://quay.io/redhat-appstudio-tekton-catalog/task-summary:0.1@sha256:c0f66b28c338426774e34a8d4a00349fbab798b19df5841a95727148d5ef3c65. Please upgrade the task version to: sha256:4d7a2201ce4cb6dca8a48f4d9d4e02d5d3b57ef8eb99009675f1a34f2923ae49","metadata": {"code": "trusted_task.trusted","collections": ["redhat"],"description": "Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add \"trusted_task.trusted:summary\" to the `exclude` section of the policy configuration.","solution": "If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available.","term": "summary","title": "Tasks are trusted"}}],"successes": [{"msg": "Pass","metadata": {"code": "builtin.attestation.signature_check","description": "The attestation signature matches available signing materials.","title": "Attestation signature check passed"}},{"msg": "Pass","metadata": {"code": "builtin.attestation.syntax_check","description": "The attestation has correct syntax.","title": "Attestation syntax check passed"}},{"msg": "Pass","metadata": {"code": "builtin.image.signature_check","description": "The image signature matches available signing materials.","title": "Image signature check passed"}}],"success": false,"signatures": [{"keyid": "","sig": "MEUCIQD86lmOqCovYZDPKm0XxxsLgDQcFIFAv+QZxrFSHmCvQAIgTd1I005ox8MfABqsAen6PZEyg2MCEQNBCx1NLS3V0JQ="}],"attestations": [{ Version v0.9.25 Source ID b345847182602d9a5ce9e957fa76fe02575c8018 Change date 2026-04-27 12:52:43 +0000 UTC (9 weeks ago) ECC v0.1.7 OPA v1.15.2 Conftest v0.68.2 Cosign v3.0.4 Sigstore v1.10.4 Rekor v1.5.0 Tekton Pipeline v1.9.2 Kubernetes Client v0.35.0 { "policy": { "name": "Default", "description": "Includes rules for levels 1, 2 & 3 of SLSA v0.1. This is the default config used for new Konflux applications. Source: https://github.com/conforma/config/blob/main/default/policy.yaml", "sources": [ { "name": "Default", "policy": [ "oci::quay.io/enterprise-contract/ec-release-policy:konflux@sha256:614408c473895bc7263173ccadcbf782e0c3c7c0a8c10851e6b0c94b5ea448c1" ], "data": [ "git::github.com/release-engineering/rhtap-ec-policy//data?ref=e7ebca9822d7378140b7207c7bc7062fa883dd5f", "oci::quay.io/konflux-ci/tekton-catalog/data-acceptable-bundles:latest@sha256:a84185f081bd2514cd8a48b38db2daf8a5964779c4c56c5c1c9a5fcff51e2a6b", "oci::quay.io/konflux-ci/konflux-vanguard/data-acceptable-bundles:latest@sha256:0b31c7bc77a7463a1bc52f3d3625ef0e0e75443da7fd2de8005d7885282138ea", "oci::quay.io/konflux-ci/integration-service-catalog/data-acceptable-bundles:latest@sha256:7b00455045ea3873a72caeb1e7ac7d036bd53963a26409891a4cc9d0d242b9fc" ], "config": { "include": [ "trusted_task.trusted" ] } } ], "publicKey": "k8s://chains-e2e-awrf/golden-image-public-keytiheitgnko" }, "key": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEZP/0htjhVt2y0ohjgtIIgICOtQtA\nnaYJRuLprwIv6FDhZ5yFjYUEtsmoNcW7rx2KM6FOXGsCX3BNc7qhHELT+g==\n-----END PUBLIC KEY-----\n", "effective-time": "2026-06-29T14:57:11.650247809Z" } { "timestamp": "1782745039", "namespace": "", "successes": 3, "failures": 11, "warnings": 0, "result": "FAILURE" } false "type": "https://in-toto.io/Statement/v0.1","predicateType": "https://slsa.dev/provenance/v0.2","predicateBuildType": "tekton.dev/v1beta1/TaskRun","signatures": [{"keyid": "SHA256:IhiN7gY+Z3uSSd7tmj6w5Zfhqafzdhm3DZjIvGc6iYY","sig": "MEUCIQDcgZIwEkLFqD7U9HrobgEC8Jo7wm+xJ5AoyO3qg+aj8QIgb9xDpjYGRMmpVk+QATeVKlHonzBiu51HtT3J+lQXPXc="}]},{"type": "https://in-toto.io/Statement/v0.1","predicateType": "https://slsa.dev/provenance/v0.2","predicateBuildType": "tekton.dev/v1beta1/PipelineRun","signatures": [{"keyid": "SHA256:IhiN7gY+Z3uSSd7tmj6w5Zfhqafzdhm3DZjIvGc6iYY","sig": "MEYCIQDKSihaAR/zAhJhR5GCqleDvfUUtvRw61vk0YeTBAnOSQIhAKa09B4yEfaSJronmWBFbu5cVPNxm17CMl/PElEz1POa"}]}]}],"key": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEZP/0htjhVt2y0ohjgtIIgICOtQtA\nnaYJRuLprwIv6FDhZ5yFjYUEtsmoNcW7rx2KM6FOXGsCX3BNc7qhHELT+g==\n-----END PUBLIC KEY-----\n","policy": {"name": "Default","description": "Includes rules for levels 1, 2 & 3 of SLSA v0.1. This is the default config used for new Konflux applications. Source: https://github.com/conforma/config/blob/main/default/policy.yaml","sources": [{"name": "Default","policy": ["oci::quay.io/enterprise-contract/ec-release-policy:konflux@sha256:614408c473895bc7263173ccadcbf782e0c3c7c0a8c10851e6b0c94b5ea448c1"],"data": ["git::github.com/release-engineering/rhtap-ec-policy//data?ref=e7ebca9822d7378140b7207c7bc7062fa883dd5f","oci::quay.io/konflux-ci/tekton-catalog/data-acceptable-bundles:latest@sha256:a84185f081bd2514cd8a48b38db2daf8a5964779c4c56c5c1c9a5fcff51e2a6b","oci::quay.io/konflux-ci/konflux-vanguard/data-acceptable-bundles:latest@sha256:0b31c7bc77a7463a1bc52f3d3625ef0e0e75443da7fd2de8005d7885282138ea","oci::quay.io/konflux-ci/integration-service-catalog/data-acceptable-bundles:latest@sha256:7b00455045ea3873a72caeb1e7ac7d036bd53963a26409891a4cc9d0d242b9fc"],"config": {"include": ["trusted_task.trusted"]}}],"publicKey": "k8s://chains-e2e-awrf/golden-image-public-keytiheitgnko"},"ec-version": "v0.9.25","effective-time": "2026-06-29T14:57:11.650247809Z"} 2026-06-29T16:00:20.504363Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/mintmaker_renovate-06291600-5852fdb1-build-pod_9739e6d7-5887-46e0-b6a4-83edcfbec6d1/place-scripts/0.log 2026-06-29T16:00:20.504405Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/mintmaker_renovate-06291600-5852fdb1-build-pod_9739e6d7-5887-46e0-b6a4-83edcfbec6d1/prepare/0.log 2026/06/29 16:00:19 Entrypoint initialization 2026/06/29 16:00:19 Decoded script /tekton/scripts/script-0-gbb2x 2026/06/29 16:00:19 Decoded script /tekton/scripts/script-1-cmjt2 2026/06/29 16:00:19 Decoded script /tekton/scripts/script-2-tzdqb 2026-06-29T16:00:24.613385Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/mintmaker_renovate-06291600-5852fdb1-build-pod_9739e6d7-5887-46e0-b6a4-83edcfbec6d1/step-prepare-db/0.log 2026/06/29 16:00:24 warning: unsuccessful cred copy: ".docker" from "/tekton/creds" to "/": unable to create destination directory: mkdir /.docker: permission denied 2026-06-29T16:00:28.722543Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/mintmaker_renovate-06291600-5852fdb1-build-pod_9739e6d7-5887-46e0-b6a4-83edcfbec6d1/step-prepare-rpm-cert/0.log 2026/06/29 16:00:27 warning: unsuccessful cred copy: ".docker" from "/tekton/creds" to "/root": unable to create destination directory: mkdir /root/.docker: permission denied 2026-06-29T16:02:35.837929Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Stopped watching file. file=/var/log/pods/mintmaker_renovate-06291600-5852fdb1-build-pod_9739e6d7-5887-46e0-b6a4-83edcfbec6d1/step-prepare-db/0.log reached_eof="true" 2026-06-29T16:02:39.937931Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Stopped watching file. file=/var/log/pods/mintmaker_renovate-06291600-5852fdb1-build-pod_9739e6d7-5887-46e0-b6a4-83edcfbec6d1/place-scripts/0.log reached_eof="true" 2026-06-29T16:02:39.937965Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Stopped watching file. file=/var/log/pods/mintmaker_renovate-06291600-5852fdb1-build-pod_9739e6d7-5887-46e0-b6a4-83edcfbec6d1/prepare/0.log reached_eof="true" 2026-06-29T16:02:39.937970Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Stopped watching file. file=/var/log/pods/mintmaker_renovate-06291600-5852fdb1-build-pod_9739e6d7-5887-46e0-b6a4-83edcfbec6d1/step-prepare-rpm-cert/0.log reached_eof="true"