2026-06-30T10:59:55.725731Z INFO vector::app: Log level is enabled. level="info" 2026-06-30T10:59:55.726213Z INFO vector::app: Loading configs. paths=["/etc/vector"] 2026-06-30T10:59:55.729144Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}: vector::sources::kubernetes_logs: Obtained Kubernetes Node name to collect logs for (self). self_node_name="ip-10-0-175-152.ec2.internal" 2026-06-30T10:59:55.736114Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}: vector::sources::kubernetes_logs: Including matching files. ret=["**/*"] 2026-06-30T10:59:55.736129Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}: vector::sources::kubernetes_logs: Excluding matching files. ret=["**/*.gz", "**/*.tmp"] 2026-06-30T10:59:55.738392Z INFO vector::topology::running: Running healthchecks. 2026-06-30T10:59:55.738453Z INFO vector: Vector has started. debug="false" version="0.45.0" arch="x86_64" revision="063cabb 2025-02-24 14:52:02.810034614" 2026-06-30T10:59:55.738467Z INFO vector::topology::builder: Healthcheck passed. 2026-06-30T10:59:55.739455Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: file_source::checkpointer: Attempting to read legacy checkpoint files. 2026-06-30T10:59:55.739546Z INFO vector::internal_events::api: API server running. address=127.0.0.1:8686 playground=off graphql=http://127.0.0.1:8686/graphql 2026-06-30T11:14:36.866824Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. 
file=/var/log/pods/chains-e2e-neqh_buildah-demo-rhgasmtnmn-build-image-index-pod_5bfb8011-08ea-49c1-999e-7a48f83c86e6/place-scripts/0.log 2026-06-30T11:14:36.866915Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-neqh_buildah-demo-rhgasmtnmn-build-image-index-pod_5bfb8011-08ea-49c1-999e-7a48f83c86e6/prepare/0.log 2026/06/30 11:14:35 Decoded script /tekton/scripts/script-0-zgxl6 2026/06/30 11:14:35 Decoded script /tekton/scripts/script-1-xrgnv 2026/06/30 11:14:35 Decoded script /tekton/scripts/script-2-whqxh 2026/06/30 11:14:35 Entrypoint initialization 2026-06-30T11:14:51.224104Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-neqh_buildah-demo-rhgasmtnmn-build-image-index-pod_5bfb8011-08ea-49c1-999e-7a48f83c86e6/step-build/0.log 2026-06-30T11:15:01.471041Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-neqh_buildah-demo-rhgasmtnmn-build-image-index-pod_5bfb8011-08ea-49c1-999e-7a48f83c86e6/step-create-sbom/0.log 2026-06-30T11:15:13.768292Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. 
file=/var/log/pods/chains-e2e-neqh_buildah-demo-rhgasmtnmn-build-image-index-pod_5bfb8011-08ea-49c1-999e-7a48f83c86e6/step-upload-sbom/0.log 2026-06-30T11:15:15.817451Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-neqh_buildah-demo-rhgasmtnmn-build-image-index-pod_5bfb8011-08ea-49c1-999e-7a48f83c86e6/step-build/0.log 2026-06-30T11:15:17.874355Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-neqh_buildah-demo-rhgasmtnmn-build-image-index-pod_5bfb8011-08ea-49c1-999e-7a48f83c86e6/step-create-sbom/0.log 2026-06-30T11:15:18.905509Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. 
file=/var/log/pods/chains-e2e-neqh_buildah-demo-rhgasmtnmn-build-image-index-pod_5bfb8011-08ea-49c1-999e-7a48f83c86e6/step-upload-sbom/0.log [2026-06-30T11:15:14,981246172+00:00] Update CA trust INFO: Using mounted CA bundle: /mnt/trusted-ca/ca-bundle.crt '/mnt/trusted-ca/ca-bundle.crt' -> '/etc/pki/ca-trust/source/anchors/ca-bundle.crt' Running konflux-build-cli time="2026-06-30T11:15:17Z" level=info msg="[param] image: quay.io/redhat-appstudio-qe/test-images:buildah-demo-rhgasmtnmn" time="2026-06-30T11:15:17Z" level=info msg="[param] images: [quay.io/redhat-appstudio-qe/test-images:buildah-demo-rhgasmtnmn@sha256:e2f0eeda826260a4293c6fd6d41481f134f0dcd1841d062ce9a8fcd84ce1c755]" time="2026-06-30T11:15:17Z" level=info msg="[param] buildah-format: docker" time="2026-06-30T11:15:17Z" level=info msg="[param] always-build-index: false" time="2026-06-30T11:15:17Z" level=info msg="[param] additional-tags: [buildah-demo-rhgasmtnmn-build-image-index]" time="2026-06-30T11:15:17Z" level=info msg="[param] output-manifest-path: /index-build-data/manifest_data.json" time="2026-06-30T11:15:17Z" level=info msg="[param] result-path-image-digest: /tekton/results/IMAGE_DIGEST" time="2026-06-30T11:15:17Z" level=info msg="[param] result-path-image-url: /tekton/results/IMAGE_URL" time="2026-06-30T11:15:17Z" level=info msg="[param] result-path-image-ref: /tekton/results/IMAGE_REF" time="2026-06-30T11:15:17Z" level=info msg="[param] result-path-images: /tekton/results/IMAGES" time="2026-06-30T11:15:17Z" level=info msg="Creating manifest list: quay.io/redhat-appstudio-qe/test-images:buildah-demo-rhgasmtnmn" time="2026-06-30T11:15:17Z" level=info msg="buildah [stdout] 3c71c1af42b947eed28a1add92534ff5f5587fbbdc6b3348d8ddea4babcdd9a9" logger=CliExecutor time="2026-06-30T11:15:17Z" level=info msg="Skipping image index generation. Returning results for single image." The manifest_data.json file does not exist. Skipping the SBOM creation... 
[2026-06-30T11:15:18,539527183+00:00] Update CA trust INFO: Using mounted CA bundle: /mnt/trusted-ca/ca-bundle.crt '/mnt/trusted-ca/ca-bundle.crt' -> '/etc/pki/ca-trust/source/anchors/ca-bundle.crt' The index.spdx.json file does not exists. Skipping the SBOM upload... 2026-06-30T11:15:35.316430Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-1a17ddf256558e7780685a94576e5aed-pod_eab61c85-ef6d-4bf0-a3d8-bac10308eefa/place-scripts/0.log 2026-06-30T11:15:35.316474Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-1a17ddf256558e7780685a94576e5aed-pod_eab61c85-ef6d-4bf0-a3d8-bac10308eefa/prepare/0.log 2026/06/30 11:15:35 Decoded script /tekton/scripts/script-2-n977z 2026/06/30 11:15:34 Entrypoint initialization 2026-06-30T11:15:49.671960Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-1a17ddf256558e7780685a94576e5aed-pod_eab61c85-ef6d-4bf0-a3d8-bac10308eefa/step-assert/0.log 2026-06-30T11:15:49.671992Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. 
file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-1a17ddf256558e7780685a94576e5aed-pod_eab61c85-ef6d-4bf0-a3d8-bac10308eefa/step-detailed-report/0.log 2026-06-30T11:15:49.671999Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-1a17ddf256558e7780685a94576e5aed-pod_eab61c85-ef6d-4bf0-a3d8-bac10308eefa/step-initialize-tuf/0.log 2026-06-30T11:15:49.672006Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-1a17ddf256558e7780685a94576e5aed-pod_eab61c85-ef6d-4bf0-a3d8-bac10308eefa/step-reduce/0.log 2026-06-30T11:15:49.672012Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-1a17ddf256558e7780685a94576e5aed-pod_eab61c85-ef6d-4bf0-a3d8-bac10308eefa/step-report-json/0.log 2026-06-30T11:15:49.672020Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-1a17ddf256558e7780685a94576e5aed-pod_eab61c85-ef6d-4bf0-a3d8-bac10308eefa/step-show-config/0.log 2026-06-30T11:15:49.672026Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. 
file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-1a17ddf256558e7780685a94576e5aed-pod_eab61c85-ef6d-4bf0-a3d8-bac10308eefa/step-summary/0.log 2026-06-30T11:15:49.672032Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-1a17ddf256558e7780685a94576e5aed-pod_eab61c85-ef6d-4bf0-a3d8-bac10308eefa/step-validate/0.log 2026-06-30T11:15:49.672038Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-1a17ddf256558e7780685a94576e5aed-pod_eab61c85-ef6d-4bf0-a3d8-bac10308eefa/step-version/0.log {"image_digest":"sha256:e2f0eeda826260a4293c6fd6d41481f134f0dcd1841d062ce9a8fcd84ce1c755","image_url":"quay.io/redhat-appstudio-qe/test-images:buildah-demo-rhgasmtnmn","image_ref":"quay.io/redhat-appstudio-qe/test-images@sha256:e2f0eeda826260a4293c6fd6d41481f134f0dcd1841d062ce9a8fcd84ce1c755","images":"quay.io/redhat-appstudio-qe/test-images@sha256:e2f0eeda826260a4293c6fd6d41481f134f0dcd1841d062ce9a8fcd84ce1c755"} 2026-06-30T11:15:53.771838Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-1a17ddf256558e7780685a94576e5aed-pod_eab61c85-ef6d-4bf0-a3d8-bac10308eefa/step-initialize-tuf/0.log 2026-06-30T11:15:53.771886Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. 
file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-1a17ddf256558e7780685a94576e5aed-pod_eab61c85-ef6d-4bf0-a3d8-bac10308eefa/step-reduce/0.log 2026/06/30 11:15:51 INFO Step was skipped due to when expressions were evaluated to false. Single Component mode? false { "application": "", "componentGroup": "", "components": [ { "name": "", "version": "", "containerImage": "quay.io/redhat-appstudio-qe/test-images:buildah-demo-rhgasmtnmn@sha256:e2f0eeda826260a4293c6fd6d41481f134f0dcd1841d062ce9a8fcd84ce1c755", "source": {} } ], "artifacts": {} } 2026-06-30T11:15:59.931023Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-1a17ddf256558e7780685a94576e5aed-pod_eab61c85-ef6d-4bf0-a3d8-bac10308eefa/step-assert/0.log 2026-06-30T11:15:59.931065Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-1a17ddf256558e7780685a94576e5aed-pod_eab61c85-ef6d-4bf0-a3d8-bac10308eefa/step-detailed-report/0.log 2026-06-30T11:15:59.931106Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-1a17ddf256558e7780685a94576e5aed-pod_eab61c85-ef6d-4bf0-a3d8-bac10308eefa/step-report-json/0.log 2026-06-30T11:15:59.931124Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. 
file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-1a17ddf256558e7780685a94576e5aed-pod_eab61c85-ef6d-4bf0-a3d8-bac10308eefa/step-show-config/0.log 2026-06-30T11:15:59.931139Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-1a17ddf256558e7780685a94576e5aed-pod_eab61c85-ef6d-4bf0-a3d8-bac10308eefa/step-summary/0.log 2026-06-30T11:15:59.931161Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-1a17ddf256558e7780685a94576e5aed-pod_eab61c85-ef6d-4bf0-a3d8-bac10308eefa/step-version/0.log Version v0.9.25 Source ID b345847182602d9a5ce9e957fa76fe02575c8018 Change date 2026-04-27 12:52:43 +0000 UTC (9 weeks ago) ECC v0.1.7 OPA v1.15.2 Conftest v0.68.2 Cosign v3.0.4 Sigstore v1.10.4 Rekor v1.5.0 Tekton Pipeline v1.9.2 Kubernetes Client v0.35.0 { "policy": { "name": "Default", "description": "Includes rules for levels 1, 2 & 3 of SLSA v0.1. This is the default config used for new Konflux applications. 
Source: https://github.com/conforma/config/blob/main/default/policy.yaml", "sources": [ { "name": "Default", "policy": [ "oci::quay.io/enterprise-contract/ec-release-policy:konflux@sha256:614408c473895bc7263173ccadcbf782e0c3c7c0a8c10851e6b0c94b5ea448c1" ], "data": [ "git::github.com/release-engineering/rhtap-ec-policy//data?ref=e7ebca9822d7378140b7207c7bc7062fa883dd5f", "oci::quay.io/konflux-ci/tekton-catalog/data-acceptable-bundles:latest@sha256:62c93b5041683cf2c88fbe5b8b857f7c90a9b2cc1f8c9efde39abda01c567128", "oci::quay.io/konflux-ci/konflux-vanguard/data-acceptable-bundles:latest@sha256:0b31c7bc77a7463a1bc52f3d3625ef0e0e75443da7fd2de8005d7885282138ea", "oci::quay.io/konflux-ci/integration-service-catalog/data-acceptable-bundles:latest@sha256:7b00455045ea3873a72caeb1e7ac7d036bd53963a26409891a4cc9d0d242b9fc" ], "config": { "include": [ "slsa_provenance_available" ] } } ], "publicKey": "k8s://chains-e2e-neqh/cosign-public-key" }, "key": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE99dNieq9DfLz+EKmnE2Udm+n7khN\ntC8FQYNCPdZKFaGKrozPMqmP+Crohp3bge7+KbvWj9qsX7uU4JV6inRyXA==\n-----END PUBLIC KEY-----\n", "effective-time": "2026-06-30T11:15:52.203375813Z" } true Success: true Result: SUCCESS Violations: 0, Warnings: 0, Successes: 5 Component: ImageRef: quay.io/redhat-appstudio-qe/test-images@sha256:e2f0eeda826260a4293c6fd6d41481f134f0dcd1841d062ce9a8fcd84ce1c755 { "timestamp": "1782818158", "namespace": "", "successes": 5, "failures": 0, "warnings": 0, "result": "SUCCESS" } 2026-06-30T11:16:04.039531Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. 
file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-9339cf2c9721d66821d29ace91aa29c0-pod_60cfb162-dac4-4c8d-8788-d5c1ed9fe58c/place-scripts/0.log 2026-06-30T11:16:04.039572Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-9339cf2c9721d66821d29ace91aa29c0-pod_60cfb162-dac4-4c8d-8788-d5c1ed9fe58c/prepare/0.log 2026-06-30T11:16:04.558513Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-9339cf2c9721d66821d29ace91aa29c0-pod_60cfb162-dac4-4c8d-8788-d5c1ed9fe58c/step-initialize-tuf/0.log 2026-06-30T11:16:04.558552Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-9339cf2c9721d66821d29ace91aa29c0-pod_60cfb162-dac4-4c8d-8788-d5c1ed9fe58c/step-reduce/0.log 2026-06-30T11:16:04.558563Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-9339cf2c9721d66821d29ace91aa29c0-pod_60cfb162-dac4-4c8d-8788-d5c1ed9fe58c/step-report-json/0.log 2026-06-30T11:16:04.558581Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. 
file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-9339cf2c9721d66821d29ace91aa29c0-pod_60cfb162-dac4-4c8d-8788-d5c1ed9fe58c/step-summary/0.log 2026-06-30T11:16:04.558591Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-9339cf2c9721d66821d29ace91aa29c0-pod_60cfb162-dac4-4c8d-8788-d5c1ed9fe58c/step-validate/0.log 2026-06-30T11:16:05.072083Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-9339cf2c9721d66821d29ace91aa29c0-pod_60cfb162-dac4-4c8d-8788-d5c1ed9fe58c/step-assert/0.log 2026-06-30T11:16:05.072112Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-9339cf2c9721d66821d29ace91aa29c0-pod_60cfb162-dac4-4c8d-8788-d5c1ed9fe58c/step-detailed-report/0.log 2026-06-30T11:16:05.072133Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-9339cf2c9721d66821d29ace91aa29c0-pod_60cfb162-dac4-4c8d-8788-d5c1ed9fe58c/step-show-config/0.log 2026-06-30T11:16:05.072148Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. 
file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-9339cf2c9721d66821d29ace91aa29c0-pod_60cfb162-dac4-4c8d-8788-d5c1ed9fe58c/step-version/0.log 2026/06/30 11:16:03 Decoded script /tekton/scripts/script-2-cx684 2026/06/30 11:16:02 Entrypoint initialization 2026-06-30T11:16:08.147294Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-9339cf2c9721d66821d29ace91aa29c0-pod_60cfb162-dac4-4c8d-8788-d5c1ed9fe58c/step-initialize-tuf/0.log 2026-06-30T11:16:08.147336Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-9339cf2c9721d66821d29ace91aa29c0-pod_60cfb162-dac4-4c8d-8788-d5c1ed9fe58c/step-reduce/0.log 2026/06/30 11:16:07 INFO Step was skipped due to when expressions were evaluated to false. Single Component mode? false { "application": "", "componentGroup": "", "components": [ { "name": "", "version": "", "containerImage": "quay.io/redhat-appstudio-qe/test-images:buildah-demo-rhgasmtnmn@sha256:e2f0eeda826260a4293c6fd6d41481f134f0dcd1841d062ce9a8fcd84ce1c755", "source": {} } ], "artifacts": {} } 2026-06-30T11:16:16.354975Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-9339cf2c9721d66821d29ace91aa29c0-pod_60cfb162-dac4-4c8d-8788-d5c1ed9fe58c/step-assert/0.log 2026-06-30T11:16:16.355049Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. 
file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-9339cf2c9721d66821d29ace91aa29c0-pod_60cfb162-dac4-4c8d-8788-d5c1ed9fe58c/step-detailed-report/0.log 2026-06-30T11:16:16.355091Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-9339cf2c9721d66821d29ace91aa29c0-pod_60cfb162-dac4-4c8d-8788-d5c1ed9fe58c/step-report-json/0.log 2026-06-30T11:16:16.355107Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-9339cf2c9721d66821d29ace91aa29c0-pod_60cfb162-dac4-4c8d-8788-d5c1ed9fe58c/step-show-config/0.log 2026-06-30T11:16:16.355123Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-9339cf2c9721d66821d29ace91aa29c0-pod_60cfb162-dac4-4c8d-8788-d5c1ed9fe58c/step-summary/0.log 2026-06-30T11:16:16.355142Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-9339cf2c9721d66821d29ace91aa29c0-pod_60cfb162-dac4-4c8d-8788-d5c1ed9fe58c/step-version/0.log 2026-06-30T11:16:18.417638Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. 
file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-656285e3219e4f801a0d7049065cc94c-pod_d0e47587-833d-490a-b313-ddcdc04a3ed0/place-scripts/0.log 2026-06-30T11:16:18.417677Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-656285e3219e4f801a0d7049065cc94c-pod_d0e47587-833d-490a-b313-ddcdc04a3ed0/prepare/0.log 2026-06-30T11:16:19.448719Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-656285e3219e4f801a0d7049065cc94c-pod_d0e47587-833d-490a-b313-ddcdc04a3ed0/step-initialize-tuf/0.log 2026-06-30T11:16:19.448749Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. 
file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-656285e3219e4f801a0d7049065cc94c-pod_d0e47587-833d-490a-b313-ddcdc04a3ed0/step-reduce/0.log { "timestamp": "1782818173", "namespace": "", "successes": 5, "failures": 1, "warnings": 0, "result": "FAILURE" } Version v0.9.25 Source ID b345847182602d9a5ce9e957fa76fe02575c8018 Change date 2026-04-27 12:52:43 +0000 UTC (9 weeks ago) ECC v0.1.7 OPA v1.15.2 Conftest v0.68.2 Cosign v3.0.4 Sigstore v1.10.4 Rekor v1.5.0 Tekton Pipeline v1.9.2 Kubernetes Client v0.35.0 true Success: false Result: FAILURE Violations: 1, Warnings: 0, Successes: 5 Component: ImageRef: quay.io/redhat-appstudio-qe/test-images@sha256:e2f0eeda826260a4293c6fd6d41481f134f0dcd1841d062ce9a8fcd84ce1c755 Results: ✕ [Violation] test.test_data_found ImageRef: quay.io/redhat-appstudio-qe/test-images@sha256:e2f0eeda826260a4293c6fd6d41481f134f0dcd1841d062ce9a8fcd84ce1c755 Reason: No test data found Title: Test data found in task results Description: Ensure that at least one of the tasks in the pipeline includes a TEST_OUTPUT task result, which is where Conforma expects to find test result data. To exclude this rule add "test.test_data_found" to the `exclude` section of the policy configuration. Solution: Confirm at least one task in the build pipeline contains a result named TEST_OUTPUT. For more information about policy issues, see the policy documentation: https://conforma.dev/docs/policy/ { "policy": { "name": "Default", "description": "Includes rules for levels 1, 2 & 3 of SLSA v0.1. This is the default config used for new Konflux applications. 
Source: https://github.com/conforma/config/blob/main/default/policy.yaml", "sources": [ { "name": "Default", "policy": [ "oci::quay.io/enterprise-contract/ec-release-policy:konflux@sha256:614408c473895bc7263173ccadcbf782e0c3c7c0a8c10851e6b0c94b5ea448c1" ], "data": [ "git::github.com/release-engineering/rhtap-ec-policy//data?ref=e7ebca9822d7378140b7207c7bc7062fa883dd5f", "oci::quay.io/konflux-ci/tekton-catalog/data-acceptable-bundles:latest@sha256:62c93b5041683cf2c88fbe5b8b857f7c90a9b2cc1f8c9efde39abda01c567128", "oci::quay.io/konflux-ci/konflux-vanguard/data-acceptable-bundles:latest@sha256:0b31c7bc77a7463a1bc52f3d3625ef0e0e75443da7fd2de8005d7885282138ea", "oci::quay.io/konflux-ci/integration-service-catalog/data-acceptable-bundles:latest@sha256:7b00455045ea3873a72caeb1e7ac7d036bd53963a26409891a4cc9d0d242b9fc" ], "config": { "include": [ "test" ] } } ], "publicKey": "k8s://chains-e2e-neqh/cosign-public-key" }, "key": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE99dNieq9DfLz+EKmnE2Udm+n7khN\ntC8FQYNCPdZKFaGKrozPMqmP+Crohp3bge7+KbvWj9qsX7uU4JV6inRyXA==\n-----END PUBLIC KEY-----\n", "effective-time": "2026-06-30T11:16:07.706320697Z" } 2026-06-30T11:16:20.474976Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-656285e3219e4f801a0d7049065cc94c-pod_d0e47587-833d-490a-b313-ddcdc04a3ed0/step-assert/0.log 2026-06-30T11:16:20.475007Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. 
file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-656285e3219e4f801a0d7049065cc94c-pod_d0e47587-833d-490a-b313-ddcdc04a3ed0/step-detailed-report/0.log 2026-06-30T11:16:20.475023Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-656285e3219e4f801a0d7049065cc94c-pod_d0e47587-833d-490a-b313-ddcdc04a3ed0/step-report-json/0.log 2026-06-30T11:16:20.475030Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-656285e3219e4f801a0d7049065cc94c-pod_d0e47587-833d-490a-b313-ddcdc04a3ed0/step-show-config/0.log 2026-06-30T11:16:20.475036Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-656285e3219e4f801a0d7049065cc94c-pod_d0e47587-833d-490a-b313-ddcdc04a3ed0/step-summary/0.log 2026-06-30T11:16:20.475042Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-656285e3219e4f801a0d7049065cc94c-pod_d0e47587-833d-490a-b313-ddcdc04a3ed0/step-validate/0.log 2026-06-30T11:16:20.475056Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. 
file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-656285e3219e4f801a0d7049065cc94c-pod_d0e47587-833d-490a-b313-ddcdc04a3ed0/step-version/0.log 2026/06/30 11:16:18 Decoded script /tekton/scripts/script-2-b6kxw 2026/06/30 11:16:17 Entrypoint initialization 2026-06-30T11:16:22.525154Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-656285e3219e4f801a0d7049065cc94c-pod_d0e47587-833d-490a-b313-ddcdc04a3ed0/step-initialize-tuf/0.log 2026-06-30T11:16:22.525215Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-656285e3219e4f801a0d7049065cc94c-pod_d0e47587-833d-490a-b313-ddcdc04a3ed0/step-reduce/0.log 2026/06/30 11:16:22 INFO Step was skipped due to when expressions were evaluated to false. Single Component mode? false { "application": "", "componentGroup": "", "components": [ { "name": "", "version": "", "containerImage": "quay.io/redhat-appstudio-qe/test-images:buildah-demo-rhgasmtnmn@sha256:e2f0eeda826260a4293c6fd6d41481f134f0dcd1841d062ce9a8fcd84ce1c755", "source": {} } ], "artifacts": {} } 2026-06-30T11:16:28.682825Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-656285e3219e4f801a0d7049065cc94c-pod_d0e47587-833d-490a-b313-ddcdc04a3ed0/step-report-json/0.log 2026-06-30T11:16:28.682873Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. 
file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-656285e3219e4f801a0d7049065cc94c-pod_d0e47587-833d-490a-b313-ddcdc04a3ed0/step-summary/0.log 2026-06-30T11:16:29.202220Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-656285e3219e4f801a0d7049065cc94c-pod_d0e47587-833d-490a-b313-ddcdc04a3ed0/step-assert/0.log 2026-06-30T11:16:29.202258Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-656285e3219e4f801a0d7049065cc94c-pod_d0e47587-833d-490a-b313-ddcdc04a3ed0/step-detailed-report/0.log 2026-06-30T11:16:29.202300Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-656285e3219e4f801a0d7049065cc94c-pod_d0e47587-833d-490a-b313-ddcdc04a3ed0/step-show-config/0.log 2026-06-30T11:16:29.202330Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. 
file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-656285e3219e4f801a0d7049065cc94c-pod_d0e47587-833d-490a-b313-ddcdc04a3ed0/step-version/0.log Version v0.9.25 Source ID b345847182602d9a5ce9e957fa76fe02575c8018 Change date 2026-04-27 12:52:43 +0000 UTC (9 weeks ago) ECC v0.1.7 OPA v1.15.2 Conftest v0.68.2 Cosign v3.0.4 Sigstore v1.10.4 Rekor v1.5.0 Tekton Pipeline v1.9.2 Kubernetes Client v0.35.0 false Success: false Result: FAILURE Violations: 1, Warnings: 0, Successes: 5 Component: ImageRef: quay.io/redhat-appstudio-qe/test-images@sha256:e2f0eeda826260a4293c6fd6d41481f134f0dcd1841d062ce9a8fcd84ce1c755 Results: ✕ [Violation] test.test_data_found ImageRef: quay.io/redhat-appstudio-qe/test-images@sha256:e2f0eeda826260a4293c6fd6d41481f134f0dcd1841d062ce9a8fcd84ce1c755 Reason: No test data found Title: Test data found in task results Description: Ensure that at least one of the tasks in the pipeline includes a TEST_OUTPUT task result, which is where Conforma expects to find test result data. To exclude this rule add "test.test_data_found" to the `exclude` section of the policy configuration. Solution: Confirm at least one task in the build pipeline contains a result named TEST_OUTPUT. For more information about policy issues, see the policy documentation: https://conforma.dev/docs/policy/ { "policy": { "name": "Default", "description": "Includes rules for levels 1, 2 & 3 of SLSA v0.1. This is the default config used for new Konflux applications. 
Source: https://github.com/conforma/config/blob/main/default/policy.yaml", "sources": [ { "name": "Default", "policy": [ "oci::quay.io/enterprise-contract/ec-release-policy:konflux@sha256:614408c473895bc7263173ccadcbf782e0c3c7c0a8c10851e6b0c94b5ea448c1" ], "data": [ "git::github.com/release-engineering/rhtap-ec-policy//data?ref=e7ebca9822d7378140b7207c7bc7062fa883dd5f", "oci::quay.io/konflux-ci/tekton-catalog/data-acceptable-bundles:latest@sha256:62c93b5041683cf2c88fbe5b8b857f7c90a9b2cc1f8c9efde39abda01c567128", "oci::quay.io/konflux-ci/konflux-vanguard/data-acceptable-bundles:latest@sha256:0b31c7bc77a7463a1bc52f3d3625ef0e0e75443da7fd2de8005d7885282138ea", "oci::quay.io/konflux-ci/integration-service-catalog/data-acceptable-bundles:latest@sha256:7b00455045ea3873a72caeb1e7ac7d036bd53963a26409891a4cc9d0d242b9fc" ], "config": { "include": [ "test" ] } } ], "publicKey": "k8s://chains-e2e-neqh/cosign-public-key" }, "key": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE99dNieq9DfLz+EKmnE2Udm+n7khN\ntC8FQYNCPdZKFaGKrozPMqmP+Crohp3bge7+KbvWj9qsX7uU4JV6inRyXA==\n-----END PUBLIC KEY-----\n", "effective-time": "2026-06-30T11:16:22.785307893Z" } { "timestamp": "1782818188", "namespace": "", "successes": 5, "failures": 1, "warnings": 0, "result": "FAILURE" } 2026-06-30T11:16:33.314318Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-0716cc750a4c2bf603c4f3dd868ca193-pod_61878f56-b37a-4256-8516-ce560e9f9d94/place-scripts/0.log 2026-06-30T11:16:33.314360Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. 
file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-0716cc750a4c2bf603c4f3dd868ca193-pod_61878f56-b37a-4256-8516-ce560e9f9d94/prepare/0.log {"success": true,"components": [{"name": "","containerImage": "quay.io/redhat-appstudio-qe/test-images@sha256:e2f0eeda826260a4293c6fd6d41481f134f0dcd1841d062ce9a8fcd84ce1c755","source": {},"successes": [{"msg": "Pass","metadata": {"code": "builtin.attestation.signature_check","description": "The attestation signature matches available signing materials.","title": "Attestation signature check passed"}},{"msg": "Pass","metadata": {"code": "builtin.attestation.syntax_check","description": "The attestation has correct syntax.","title": "Attestation syntax check passed"}},{"msg": "Pass","metadata": {"code": "builtin.image.signature_check","description": "The image signature matches available signing materials.","title": "Image signature check passed"}},{"msg": "Pass","metadata": {"code": "slsa_provenance_available.allowed_predicate_types_provided","collections": ["minimal","slsa3","redhat","redhat_rpms","policy_data"],"description": "Confirm the `allowed_predicate_types` rule data was provided, since it is required by the policy rules in this package.","title": "Allowed predicate types provided"}},{"msg": "Pass","metadata": {"code": "slsa_provenance_available.attestation_predicate_type_accepted","collections": ["minimal","slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify that the predicateType field of the attestation indicates the in-toto SLSA Provenance format was used to attest the PipelineRun.","title": "Expected attestation predicate type found"}}],"success": true,"signatures": [{"keyid": "","sig": "MEQCIF5DXN6DFIcGjSM0TunCDOqxuN++VNR/vbO0dT31S1jhAiBamuaXjaRgWvASVPW/arucOFcZ4l10TR9y+Hewmxkmsw=="},{"keyid": "","sig": "MEYCIQCBN/FMC2hm/0/rU8tgbcZJXrqwbbPBYWiE68uwJ9obHAIhAJXfQreLAQgLnWMH0RfR774bxTKAZzS2lIwmibcRvO4E"},{"keyid": "","sig": 
"MEUCICrWmKl1SuRH9XH9bPIotKfWpnl8zoBmNp/i5zX6UTUuAiEAkjxqIxBIZRdthTvVHC956/iYPpqunbPCBDQNYwK/W7M="}],"attestations": [{"type": "https://in-toto.io/Statement/v0.1","predicateType": "https://slsa.dev/provenance/v0.2","predicateBuildType": "tekton.dev/v1/PipelineRun","signatures": [{"keyid": "SHA256:XsPokf5syR4+QXJAbgp++hZgdyGRwQDHcziqX0BkQaI","sig": "MEQCIBI11kf+SJBlEB3aQrdSheKs0cInegZxOgTrtTexZbUUAiAfi4vv+efcDyoHMFLw/7PcghC5uYkTpuxC2cH8KWaYng=="}]}]}],"key": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE99dNieq9DfLz+EKmnE2Udm+n7khN\ntC8FQYNCPdZKFaGKrozPMqmP+Crohp3bge7+KbvWj9qsX7uU4JV6inRyXA==\n-----END PUBLIC KEY-----\n","policy": {"name": "Default","description": "Includes rules for levels 1, 2 & 3 of SLSA v0.1. This is the default config used for new Konflux applications. Source: https://github.com/conforma/config/blob/main/default/policy.yaml","sources": [{"name": "Default","policy": ["oci::quay.io/enterprise-contract/ec-release-policy:konflux@sha256:614408c473895bc7263173ccadcbf782e0c3c7c0a8c10851e6b0c94b5ea448c1"],"data": ["git::github.com/release-engineering/rhtap-ec-policy//data?ref=e7ebca9822d7378140b7207c7bc7062fa883dd5f","oci::quay.io/konflux-ci/tekton-catalog/data-acceptable-bundles:latest@sha256:62c93b5041683cf2c88fbe5b8b857f7c90a9b2cc1f8c9efde39abda01c567128","oci::quay.io/konflux-ci/konflux-vanguard/data-acceptable-bundles:latest@sha256:0b31c7bc77a7463a1bc52f3d3625ef0e0e75443da7fd2de8005d7885282138ea","oci::quay.io/konflux-ci/integration-service-catalog/data-acceptable-bundles:latest@sha256:7b00455045ea3873a72caeb1e7ac7d036bd53963a26409891a4cc9d0d242b9fc"],"config": {"include": ["slsa_provenance_available"]}}],"publicKey": "k8s://chains-e2e-neqh/cosign-public-key"},"ec-version": "v0.9.25","effective-time": "2026-06-30T11:15:52.203375813Z"} 2026-06-30T11:16:33.834292Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring 
file too small to fingerprint. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-0716cc750a4c2bf603c4f3dd868ca193-pod_61878f56-b37a-4256-8516-ce560e9f9d94/step-initialize-tuf/0.log 2026-06-30T11:16:33.834322Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-0716cc750a4c2bf603c4f3dd868ca193-pod_61878f56-b37a-4256-8516-ce560e9f9d94/step-reduce/0.log 2026-06-30T11:16:33.834330Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-0716cc750a4c2bf603c4f3dd868ca193-pod_61878f56-b37a-4256-8516-ce560e9f9d94/step-report-json/0.log 2026-06-30T11:16:33.834336Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-0716cc750a4c2bf603c4f3dd868ca193-pod_61878f56-b37a-4256-8516-ce560e9f9d94/step-show-config/0.log 2026-06-30T11:16:33.834343Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-0716cc750a4c2bf603c4f3dd868ca193-pod_61878f56-b37a-4256-8516-ce560e9f9d94/step-summary/0.log 2026-06-30T11:16:33.834350Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. 
file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-0716cc750a4c2bf603c4f3dd868ca193-pod_61878f56-b37a-4256-8516-ce560e9f9d94/step-validate/0.log 2026-06-30T11:16:33.834357Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-0716cc750a4c2bf603c4f3dd868ca193-pod_61878f56-b37a-4256-8516-ce560e9f9d94/step-version/0.log 2026-06-30T11:16:34.347954Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-0716cc750a4c2bf603c4f3dd868ca193-pod_61878f56-b37a-4256-8516-ce560e9f9d94/step-assert/0.log 2026-06-30T11:16:34.347985Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-0716cc750a4c2bf603c4f3dd868ca193-pod_61878f56-b37a-4256-8516-ce560e9f9d94/step-detailed-report/0.log 2026/06/30 11:16:32 Decoded script /tekton/scripts/script-2-tgb2l 2026/06/30 11:16:31 Entrypoint initialization 2026-06-30T11:16:37.424247Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-0716cc750a4c2bf603c4f3dd868ca193-pod_61878f56-b37a-4256-8516-ce560e9f9d94/step-initialize-tuf/0.log 2026-06-30T11:16:37.424291Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. 
file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-0716cc750a4c2bf603c4f3dd868ca193-pod_61878f56-b37a-4256-8516-ce560e9f9d94/step-reduce/0.log 2026/06/30 11:16:36 INFO Step was skipped due to when expressions were evaluated to false. Single Component mode? false { "application": "", "componentGroup": "", "components": [ { "name": "", "version": "", "containerImage": "quay.io/redhat-appstudio-qe/test-images:buildah-demo-rhgasmtnmn@sha256:e2f0eeda826260a4293c6fd6d41481f134f0dcd1841d062ce9a8fcd84ce1c755", "source": {} } ], "artifacts": {} } 2026-06-30T11:16:41.533217Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-0716cc750a4c2bf603c4f3dd868ca193-pod_61878f56-b37a-4256-8516-ce560e9f9d94/step-assert/0.log 2026-06-30T11:16:41.533258Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-0716cc750a4c2bf603c4f3dd868ca193-pod_61878f56-b37a-4256-8516-ce560e9f9d94/step-detailed-report/0.log 2026-06-30T11:16:41.533289Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-0716cc750a4c2bf603c4f3dd868ca193-pod_61878f56-b37a-4256-8516-ce560e9f9d94/step-report-json/0.log 2026-06-30T11:16:41.533305Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. 
file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-0716cc750a4c2bf603c4f3dd868ca193-pod_61878f56-b37a-4256-8516-ce560e9f9d94/step-show-config/0.log 2026-06-30T11:16:41.533317Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-0716cc750a4c2bf603c4f3dd868ca193-pod_61878f56-b37a-4256-8516-ce560e9f9d94/step-summary/0.log 2026-06-30T11:16:41.533333Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-0716cc750a4c2bf603c4f3dd868ca193-pod_61878f56-b37a-4256-8516-ce560e9f9d94/step-version/0.log Success: false Result: FAILURE Violations: 2, Warnings: 0, Successes: 0 Component: ImageRef: quay.io/redhat-appstudio-qe/test-images@sha256:e2f0eeda826260a4293c6fd6d41481f134f0dcd1841d062ce9a8fcd84ce1c755 Results: ✕ [Violation] builtin.attestation.signature_check ImageRef: quay.io/redhat-appstudio-qe/test-images@sha256:e2f0eeda826260a4293c6fd6d41481f134f0dcd1841d062ce9a8fcd84ce1c755 Reason: No image attestations found matching the given public key. Verify the correct public key was provided, and one or more attestations were created. Error: no matching attestations: accepted signatures do not match threshold, Found: 0, Expected 1 Title: Attestation signature check passed Description: The attestation signature matches available signing materials. ✕ [Violation] builtin.image.signature_check ImageRef: quay.io/redhat-appstudio-qe/test-images@sha256:e2f0eeda826260a4293c6fd6d41481f134f0dcd1841d062ce9a8fcd84ce1c755 Reason: No image signatures found matching the given public key. Verify the correct public key was provided, and a signature was created. 
Error: no matching signatures: invalid signature when validating ASN.1 encoded signature invalid signature when validating ASN.1 encoded signature invalid signature when validating ASN.1 encoded signature Title: Image signature check passed Description: The image signature matches available signing materials. For more information about policy issues, see the policy documentation: https://conforma.dev/docs/policy/ { "policy": { "name": "Default", "description": "Includes rules for levels 1, 2 & 3 of SLSA v0.1. This is the default config used for new Konflux applications. Source: https://github.com/conforma/config/blob/main/default/policy.yaml", "sources": [ { "name": "Default", "policy": [ "oci::quay.io/enterprise-contract/ec-release-policy:konflux@sha256:614408c473895bc7263173ccadcbf782e0c3c7c0a8c10851e6b0c94b5ea448c1" ], "data": [ "git::github.com/release-engineering/rhtap-ec-policy//data?ref=e7ebca9822d7378140b7207c7bc7062fa883dd5f", "oci::quay.io/konflux-ci/tekton-catalog/data-acceptable-bundles:latest@sha256:62c93b5041683cf2c88fbe5b8b857f7c90a9b2cc1f8c9efde39abda01c567128", "oci::quay.io/konflux-ci/konflux-vanguard/data-acceptable-bundles:latest@sha256:0b31c7bc77a7463a1bc52f3d3625ef0e0e75443da7fd2de8005d7885282138ea", "oci::quay.io/konflux-ci/integration-service-catalog/data-acceptable-bundles:latest@sha256:7b00455045ea3873a72caeb1e7ac7d036bd53963a26409891a4cc9d0d242b9fc" ], "config": { "include": [ "slsa_provenance_available" ] } } ], "publicKey": "k8s://chains-e2e-neqh/dummy-public-key-slmdybwgca" }, "key": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAENZxkE/d0fKvJ51dXHQmxXaRMTtVz\nBQWcmJD/7pcMDEmBcmk8O1yUPIiFj5TMZqabjS9CQQN+jKHG+Bfi0BYlHg==\n-----END PUBLIC KEY-----\n", "effective-time": "2026-06-30T11:16:36.944430034Z" } { "timestamp": "1782818200", "namespace": "", "successes": 0, "failures": 2, "warnings": 0, "result": "FAILURE" } Version v0.9.25 Source ID b345847182602d9a5ce9e957fa76fe02575c8018 Change date 2026-04-27 12:52:43 +0000 
UTC (9 weeks ago) ECC v0.1.7 OPA v1.15.2 Conftest v0.68.2 Cosign v3.0.4 Sigstore v1.10.4 Rekor v1.5.0 Tekton Pipeline v1.9.2 Kubernetes Client v0.35.0 false 2026-06-30T11:16:45.646881Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-c4fabc6e37e1d2f8013c454d80a0d84f-pod_bf3857db-6c35-499f-ac40-53403a72932b/place-scripts/0.log 2026-06-30T11:16:45.646922Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-c4fabc6e37e1d2f8013c454d80a0d84f-pod_bf3857db-6c35-499f-ac40-53403a72932b/prepare/0.log 2026-06-30T11:16:45.646931Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-c4fabc6e37e1d2f8013c454d80a0d84f-pod_bf3857db-6c35-499f-ac40-53403a72932b/step-initialize-tuf/0.log 2026-06-30T11:16:45.646939Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-c4fabc6e37e1d2f8013c454d80a0d84f-pod_bf3857db-6c35-499f-ac40-53403a72932b/step-reduce/0.log 2026-06-30T11:16:45.646946Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. 
file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-c4fabc6e37e1d2f8013c454d80a0d84f-pod_bf3857db-6c35-499f-ac40-53403a72932b/step-validate/0.log 2026-06-30T11:16:46.167341Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-c4fabc6e37e1d2f8013c454d80a0d84f-pod_bf3857db-6c35-499f-ac40-53403a72932b/step-assert/0.log 2026-06-30T11:16:46.167371Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-c4fabc6e37e1d2f8013c454d80a0d84f-pod_bf3857db-6c35-499f-ac40-53403a72932b/step-detailed-report/0.log 2026-06-30T11:16:46.167388Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-c4fabc6e37e1d2f8013c454d80a0d84f-pod_bf3857db-6c35-499f-ac40-53403a72932b/step-report-json/0.log 2026-06-30T11:16:46.167396Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-c4fabc6e37e1d2f8013c454d80a0d84f-pod_bf3857db-6c35-499f-ac40-53403a72932b/step-show-config/0.log 2026-06-30T11:16:46.167403Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. 
file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-c4fabc6e37e1d2f8013c454d80a0d84f-pod_bf3857db-6c35-499f-ac40-53403a72932b/step-summary/0.log 2026-06-30T11:16:46.167413Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-c4fabc6e37e1d2f8013c454d80a0d84f-pod_bf3857db-6c35-499f-ac40-53403a72932b/step-version/0.log 2026/06/30 11:16:44 Decoded script /tekton/scripts/script-2-hklsp 2026/06/30 11:16:43 Entrypoint initialization {"success": false,"components": [{"name": "","containerImage": "quay.io/redhat-appstudio-qe/test-images@sha256:e2f0eeda826260a4293c6fd6d41481f134f0dcd1841d062ce9a8fcd84ce1c755","source": {},"violations": [{"msg": "No test data found","metadata": {"code": "test.test_data_found","collections": ["redhat"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Ensure that at least one of the tasks in the pipeline includes a TEST_OUTPUT task result, which is where Conforma expects to find test result data. 
To exclude this rule add \"test.test_data_found\" to the `exclude` section of the policy configuration.","solution": "Confirm at least one task in the build pipeline contains a result named TEST_OUTPUT.","title": "Test data found in task results"}}],"successes": [{"msg": "Pass","metadata": {"code": "builtin.attestation.signature_check","description": "The attestation signature matches available signing materials.","title": "Attestation signature check passed"}},{"msg": "Pass","metadata": {"code": "builtin.attestation.syntax_check","description": "The attestation has correct syntax.","title": "Attestation syntax check passed"}},{"msg": "Pass","metadata": {"code": "builtin.image.signature_check","description": "The image signature matches available signing materials.","title": "Image signature check passed"}},{"msg": "Pass","metadata": {"code": "test.rule_data_provided","collections": ["redhat","policy_data"],"description": "Confirm the expected rule data keys have been provided in the expected format. 
The keys are `supported_tests_results`, `failed_tests_results`, `informative_tests`, `erred_tests_results`, `skipped_tests_results`, and `warned_tests_results`.","title": "Rule data provided"}},{"msg": "Pass","metadata": {"code": "test.test_all_images","collections": ["redhat"],"description": "Ensure that task producing the IMAGES_PROCESSED result contains the digests of the built image.","effective_on": "2024-05-29T00:00:00Z","title": "Image digest is present in IMAGES_PROCESSED result"}}],"success": false,"signatures": [{"keyid": "","sig": "MEQCIF5DXN6DFIcGjSM0TunCDOqxuN++VNR/vbO0dT31S1jhAiBamuaXjaRgWvASVPW/arucOFcZ4l10TR9y+Hewmxkmsw=="},{"keyid": "","sig": "MEYCIQCBN/FMC2hm/0/rU8tgbcZJXrqwbbPBYWiE68uwJ9obHAIhAJXfQreLAQgLnWMH0RfR774bxTKAZzS2lIwmibcRvO4E"},{"keyid": "","sig": "MEUCICrWmKl1SuRH9XH9bPIotKfWpnl8zoBmNp/i5zX6UTUuAiEAkjxqIxBIZRdthTvVHC956/iYPpqunbPCBDQNYwK/W7M="}],"attestations": [{"type": "https://in-toto.io/Statement/v0.1","predicateType": "https://slsa.dev/provenance/v0.2","predicateBuildType": "tekton.dev/v1/PipelineRun","signatures": [{"keyid": "SHA256:XsPokf5syR4+QXJAbgp++hZgdyGRwQDHcziqX0BkQaI","sig": "MEQCIBI11kf+SJBlEB3aQrdSheKs0cInegZxOgTrtTexZbUUAiAfi4vv+efcDyoHMFLw/7PcghC5uYkTpuxC2cH8KWaYng=="}]}]}],"key": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE99dNieq9DfLz+EKmnE2Udm+n7khN\ntC8FQYNCPdZKFaGKrozPMqmP+Crohp3bge7+KbvWj9qsX7uU4JV6inRyXA==\n-----END PUBLIC KEY-----\n","policy": {"name": "Default","description": "Includes rules for levels 1, 2 & 3 of SLSA v0.1. This is the default config used for new Konflux applications. 
Source: https://github.com/conforma/config/blob/main/default/policy.yaml","sources": [{"name": "Default","policy": ["oci::quay.io/enterprise-contract/ec-release-policy:konflux@sha256:614408c473895bc7263173ccadcbf782e0c3c7c0a8c10851e6b0c94b5ea448c1"],"data": ["git::github.com/release-engineering/rhtap-ec-policy//data?ref=e7ebca9822d7378140b7207c7bc7062fa883dd5f","oci::quay.io/konflux-ci/tekton-catalog/data-acceptable-bundles:latest@sha256:62c93b5041683cf2c88fbe5b8b857f7c90a9b2cc1f8c9efde39abda01c567128","oci::quay.io/konflux-ci/konflux-vanguard/data-acceptable-bundles:latest@sha256:0b31c7bc77a7463a1bc52f3d3625ef0e0e75443da7fd2de8005d7885282138ea","oci::quay.io/konflux-ci/integration-service-catalog/data-acceptable-bundles:latest@sha256:7b00455045ea3873a72caeb1e7ac7d036bd53963a26409891a4cc9d0d242b9fc"],"config": {"include": ["test"]}}],"publicKey": "k8s://chains-e2e-neqh/cosign-public-key"},"ec-version": "v0.9.25","effective-time": "2026-06-30T11:16:07.706320697Z"} 2026-06-30T11:16:49.757060Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-c4fabc6e37e1d2f8013c454d80a0d84f-pod_bf3857db-6c35-499f-ac40-53403a72932b/step-initialize-tuf/0.log 2026-06-30T11:16:49.757098Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-c4fabc6e37e1d2f8013c454d80a0d84f-pod_bf3857db-6c35-499f-ac40-53403a72932b/step-reduce/0.log 2026/06/30 11:16:48 INFO Step was skipped due to when expressions were evaluated to false. Single Component mode? 
false { "application": "", "componentGroup": "", "components": [ { "name": "", "version": "", "containerImage": "quay.io/konflux-ci/ec-golden-image:latest", "source": {} } ], "artifacts": {} } 2026-06-30T11:16:55.917574Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-c4fabc6e37e1d2f8013c454d80a0d84f-pod_bf3857db-6c35-499f-ac40-53403a72932b/step-report-json/0.log 2026-06-30T11:16:55.917623Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-c4fabc6e37e1d2f8013c454d80a0d84f-pod_bf3857db-6c35-499f-ac40-53403a72932b/step-show-config/0.log 2026-06-30T11:16:55.932255Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-c4fabc6e37e1d2f8013c454d80a0d84f-pod_bf3857db-6c35-499f-ac40-53403a72932b/step-summary/0.log 2026-06-30T11:16:55.932312Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-c4fabc6e37e1d2f8013c454d80a0d84f-pod_bf3857db-6c35-499f-ac40-53403a72932b/step-version/0.log 2026-06-30T11:16:56.454430Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. 
file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-c4fabc6e37e1d2f8013c454d80a0d84f-pod_bf3857db-6c35-499f-ac40-53403a72932b/step-assert/0.log 2026-06-30T11:16:56.454475Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-c4fabc6e37e1d2f8013c454d80a0d84f-pod_bf3857db-6c35-499f-ac40-53403a72932b/step-detailed-report/0.log Version v0.9.25 Source ID b345847182602d9a5ce9e957fa76fe02575c8018 Change date 2026-04-27 12:52:43 +0000 UTC (9 weeks ago) ECC v0.1.7 OPA v1.15.2 Conftest v0.68.2 Cosign v3.0.4 Sigstore v1.10.4 Rekor v1.5.0 Tekton Pipeline v1.9.2 Kubernetes Client v0.35.0 { "policy": { "name": "Default", "description": "Includes rules for levels 1, 2 & 3 of SLSA v0.1. This is the default config used for new Konflux applications. Source: https://github.com/conforma/config/blob/main/default/policy.yaml", "sources": [ { "name": "Default", "policy": [ "oci::quay.io/enterprise-contract/ec-release-policy:konflux@sha256:614408c473895bc7263173ccadcbf782e0c3c7c0a8c10851e6b0c94b5ea448c1" ], "data": [ "git::github.com/release-engineering/rhtap-ec-policy//data?ref=e7ebca9822d7378140b7207c7bc7062fa883dd5f", "oci::quay.io/konflux-ci/tekton-catalog/data-acceptable-bundles:latest@sha256:62c93b5041683cf2c88fbe5b8b857f7c90a9b2cc1f8c9efde39abda01c567128", "oci::quay.io/konflux-ci/konflux-vanguard/data-acceptable-bundles:latest@sha256:0b31c7bc77a7463a1bc52f3d3625ef0e0e75443da7fd2de8005d7885282138ea", "oci::quay.io/konflux-ci/integration-service-catalog/data-acceptable-bundles:latest@sha256:7b00455045ea3873a72caeb1e7ac7d036bd53963a26409891a4cc9d0d242b9fc" ], "config": { "include": [ "slsa_provenance_available" ] } } ], "publicKey": "k8s://chains-e2e-neqh/cosign-public-key" }, "key": "-----BEGIN PUBLIC 
KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE99dNieq9DfLz+EKmnE2Udm+n7khN\ntC8FQYNCPdZKFaGKrozPMqmP+Crohp3bge7+KbvWj9qsX7uU4JV6inRyXA==\n-----END PUBLIC KEY-----\n", "effective-time": "2026-06-30T11:16:49.41155998Z" } Success: false Result: FAILURE Violations: 6, Warnings: 0, Successes: 0 Components: - Name: -sha256:bd819da15920ef731002630e2b2d49e03b3209ee5edae6c74f2094bb9825b7cf-arm64 ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:bd819da15920ef731002630e2b2d49e03b3209ee5edae6c74f2094bb9825b7cf Violations: 2, Warnings: 0, Successes: 0 - Name: -sha256:4b8339806ff0774bdfc73676c57c6985fd311d8c8d0ea3062d13c00136f19414-amd64 ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:4b8339806ff0774bdfc73676c57c6985fd311d8c8d0ea3062d13c00136f19414 Violations: 2, Warnings: 0, Successes: 0 - Name: ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:0e61e9c81f2e5f05c82aa07135835be5c14e5d4fb7e49734cc581c3856875c8d Violations: 2, Warnings: 0, Successes: 0 Results: ✕ [Violation] builtin.attestation.signature_check ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:bd819da15920ef731002630e2b2d49e03b3209ee5edae6c74f2094bb9825b7cf Reason: No image attestations found matching the given public key. Verify the correct public key was provided, and one or more attestations were created. Error: no matching attestations: accepted signatures do not match threshold, Found: 0, Expected 1 Title: Attestation signature check passed Description: The attestation signature matches available signing materials. ✕ [Violation] builtin.image.signature_check ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:bd819da15920ef731002630e2b2d49e03b3209ee5edae6c74f2094bb9825b7cf Reason: No image signatures found matching the given public key. Verify the correct public key was provided, and a signature was created. 
Error: no matching signatures: invalid signature when validating ASN.1 encoded signature invalid signature when validating ASN.1 encoded signature Title: Image signature check passed Description: The image signature matches available signing materials. ✕ [Violation] builtin.attestation.signature_check ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:4b8339806ff0774bdfc73676c57c6985fd311d8c8d0ea3062d13c00136f19414 Reason: No image attestations found matching the given public key. Verify the correct public key was provided, and one or more attestations were created. Error: no matching attestations: accepted signatures do not match threshold, Found: 0, Expected 1 Title: Attestation signature check passed Description: The attestation signature matches available signing materials. ✕ [Violation] builtin.image.signature_check ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:4b8339806ff0774bdfc73676c57c6985fd311d8c8d0ea3062d13c00136f19414 Reason: No image signatures found matching the given public key. Verify the correct public key was provided, and a signature was created. Error: no matching signatures: invalid signature when validating ASN.1 encoded signature invalid signature when validating ASN.1 encoded signature Title: Image signature check passed Description: The image signature matches available signing materials. ✕ [Violation] builtin.attestation.signature_check ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:0e61e9c81f2e5f05c82aa07135835be5c14e5d4fb7e49734cc581c3856875c8d Reason: No image attestations found matching the given public key. Verify the correct public key was provided, and one or more attestations were created. Error: no matching attestations: accepted signatures do not match threshold, Found: 0, Expected 1 Title: Attestation signature check passed Description: The attestation signature matches available signing materials. 
✕ [Violation] builtin.image.signature_check ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:0e61e9c81f2e5f05c82aa07135835be5c14e5d4fb7e49734cc581c3856875c8d Reason: No image signatures found matching the given public key. Verify the correct public key was provided, and a signature was created. Error: no matching signatures: invalid signature when validating ASN.1 encoded signature Title: Image signature check passed Description: The image signature matches available signing materials. For more information about policy issues, see the policy documentation: https://conforma.dev/docs/policy/ false { "timestamp": "1782818215", "namespace": "", "successes": 0, "failures": 6, "warnings": 0, "result": "FAILURE" } 2026-06-30T11:17:00.569651Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-a96f29f097285753db2e01d414ae238a-pod_3c67a43e-090c-430d-9568-aca993e650e4/place-scripts/0.log 2026-06-30T11:17:00.569691Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-a96f29f097285753db2e01d414ae238a-pod_3c67a43e-090c-430d-9568-aca993e650e4/prepare/0.log 2026-06-30T11:17:00.569718Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. 
file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-a96f29f097285753db2e01d414ae238a-pod_3c67a43e-090c-430d-9568-aca993e650e4/step-initialize-tuf/0.log 2026-06-30T11:17:01.089030Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-a96f29f097285753db2e01d414ae238a-pod_3c67a43e-090c-430d-9568-aca993e650e4/step-detailed-report/0.log 2026-06-30T11:17:01.089067Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-a96f29f097285753db2e01d414ae238a-pod_3c67a43e-090c-430d-9568-aca993e650e4/step-reduce/0.log 2026-06-30T11:17:01.089075Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-a96f29f097285753db2e01d414ae238a-pod_3c67a43e-090c-430d-9568-aca993e650e4/step-report-json/0.log 2026-06-30T11:17:01.089081Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-a96f29f097285753db2e01d414ae238a-pod_3c67a43e-090c-430d-9568-aca993e650e4/step-show-config/0.log 2026-06-30T11:17:01.089088Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. 
file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-a96f29f097285753db2e01d414ae238a-pod_3c67a43e-090c-430d-9568-aca993e650e4/step-summary/0.log 2026-06-30T11:17:01.089095Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-a96f29f097285753db2e01d414ae238a-pod_3c67a43e-090c-430d-9568-aca993e650e4/step-validate/0.log 2026-06-30T11:17:01.089101Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-a96f29f097285753db2e01d414ae238a-pod_3c67a43e-090c-430d-9568-aca993e650e4/step-version/0.log 2026-06-30T11:17:01.603985Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-a96f29f097285753db2e01d414ae238a-pod_3c67a43e-090c-430d-9568-aca993e650e4/step-assert/0.log {"success": false,"components": [{"name": "","containerImage": "quay.io/redhat-appstudio-qe/test-images@sha256:e2f0eeda826260a4293c6fd6d41481f134f0dcd1841d062ce9a8fcd84ce1c755","source": {},"violations": [{"msg": "No test data found","metadata": {"code": "test.test_data_found","collections": ["redhat"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Ensure that at least one of the tasks in the pipeline includes a TEST_OUTPUT task result, which is where Conforma expects to find test result data. 
To exclude this rule add \"test.test_data_found\" to the `exclude` section of the policy configuration.","solution": "Confirm at least one task in the build pipeline contains a result named TEST_OUTPUT.","title": "Test data found in task results"}}],"successes": [{"msg": "Pass","metadata": {"code": "builtin.attestation.signature_check","description": "The attestation signature matches available signing materials.","title": "Attestation signature check passed"}},{"msg": "Pass","metadata": {"code": "builtin.attestation.syntax_check","description": "The attestation has correct syntax.","title": "Attestation syntax check passed"}},{"msg": "Pass","metadata": {"code": "builtin.image.signature_check","description": "The image signature matches available signing materials.","title": "Image signature check passed"}},{"msg": "Pass","metadata": {"code": "test.rule_data_provided","collections": ["redhat","policy_data"],"description": "Confirm the expected rule data keys have been provided in the expected format. 
The keys are `supported_tests_results`, `failed_tests_results`, `informative_tests`, `erred_tests_results`, `skipped_tests_results`, and `warned_tests_results`.","title": "Rule data provided"}},{"msg": "Pass","metadata": {"code": "test.test_all_images","collections": ["redhat"],"description": "Ensure that task producing the IMAGES_PROCESSED result contains the digests of the built image.","effective_on": "2024-05-29T00:00:00Z","title": "Image digest is present in IMAGES_PROCESSED result"}}],"success": false,"signatures": [{"keyid": "","sig": "MEQCIF5DXN6DFIcGjSM0TunCDOqxuN++VNR/vbO0dT31S1jhAiBamuaXjaRgWvASVPW/arucOFcZ4l10TR9y+Hewmxkmsw=="},{"keyid": "","sig": "MEYCIQCBN/FMC2hm/0/rU8tgbcZJXrqwbbPBYWiE68uwJ9obHAIhAJXfQreLAQgLnWMH0RfR774bxTKAZzS2lIwmibcRvO4E"},{"keyid": "","sig": "MEUCICrWmKl1SuRH9XH9bPIotKfWpnl8zoBmNp/i5zX6UTUuAiEAkjxqIxBIZRdthTvVHC956/iYPpqunbPCBDQNYwK/W7M="}],"attestations": [{"type": "https://in-toto.io/Statement/v0.1","predicateType": "https://slsa.dev/provenance/v0.2","predicateBuildType": "tekton.dev/v1/PipelineRun","signatures": [{"keyid": "SHA256:XsPokf5syR4+QXJAbgp++hZgdyGRwQDHcziqX0BkQaI","sig": "MEQCIBI11kf+SJBlEB3aQrdSheKs0cInegZxOgTrtTexZbUUAiAfi4vv+efcDyoHMFLw/7PcghC5uYkTpuxC2cH8KWaYng=="}]}]}],"key": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE99dNieq9DfLz+EKmnE2Udm+n7khN\ntC8FQYNCPdZKFaGKrozPMqmP+Crohp3bge7+KbvWj9qsX7uU4JV6inRyXA==\n-----END PUBLIC KEY-----\n","policy": {"name": "Default","description": "Includes rules for levels 1, 2 & 3 of SLSA v0.1. This is the default config used for new Konflux applications. 
Source: https://github.com/conforma/config/blob/main/default/policy.yaml","sources": [{"name": "Default","policy": ["oci::quay.io/enterprise-contract/ec-release-policy:konflux@sha256:614408c473895bc7263173ccadcbf782e0c3c7c0a8c10851e6b0c94b5ea448c1"],"data": ["git::github.com/release-engineering/rhtap-ec-policy//data?ref=e7ebca9822d7378140b7207c7bc7062fa883dd5f","oci::quay.io/konflux-ci/tekton-catalog/data-acceptable-bundles:latest@sha256:62c93b5041683cf2c88fbe5b8b857f7c90a9b2cc1f8c9efde39abda01c567128","oci::quay.io/konflux-ci/konflux-vanguard/data-acceptable-bundles:latest@sha256:0b31c7bc77a7463a1bc52f3d3625ef0e0e75443da7fd2de8005d7885282138ea","oci::quay.io/konflux-ci/integration-service-catalog/data-acceptable-bundles:latest@sha256:7b00455045ea3873a72caeb1e7ac7d036bd53963a26409891a4cc9d0d242b9fc"],"config": {"include": ["test"]}}],"publicKey": "k8s://chains-e2e-neqh/cosign-public-key"},"ec-version": "v0.9.25","effective-time": "2026-06-30T11:16:22.785307893Z"} 2026/06/30 11:16:59 Decoded script /tekton/scripts/script-2-nvhpd 2026/06/30 11:16:59 Entrypoint initialization 2026-06-30T11:17:04.681044Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-a96f29f097285753db2e01d414ae238a-pod_3c67a43e-090c-430d-9568-aca993e650e4/step-initialize-tuf/0.log 2026-06-30T11:17:04.681085Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-a96f29f097285753db2e01d414ae238a-pod_3c67a43e-090c-430d-9568-aca993e650e4/step-reduce/0.log 2026/06/30 11:17:03 INFO Step was skipped due to when expressions were evaluated to false. Single Component mode? 
false { "application": "", "componentGroup": "", "components": [ { "name": "", "version": "", "containerImage": "quay.io/konflux-ci/ec-golden-image:latest", "source": {} }, { "name": "", "version": "", "containerImage": "quay.io/konflux-ci/ec-golden-image:e2e-test-unacceptable-task", "source": {} } ], "artifacts": {} } 2026-06-30T11:17:14.946619Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-a96f29f097285753db2e01d414ae238a-pod_3c67a43e-090c-430d-9568-aca993e650e4/step-report-json/0.log 2026-06-30T11:17:14.946667Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-a96f29f097285753db2e01d414ae238a-pod_3c67a43e-090c-430d-9568-aca993e650e4/step-summary/0.log 2026-06-30T11:17:15.466293Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-a96f29f097285753db2e01d414ae238a-pod_3c67a43e-090c-430d-9568-aca993e650e4/step-assert/0.log 2026-06-30T11:17:15.466335Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-a96f29f097285753db2e01d414ae238a-pod_3c67a43e-090c-430d-9568-aca993e650e4/step-detailed-report/0.log 2026-06-30T11:17:15.466384Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. 
file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-a96f29f097285753db2e01d414ae238a-pod_3c67a43e-090c-430d-9568-aca993e650e4/step-show-config/0.log 2026-06-30T11:17:15.466409Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-a96f29f097285753db2e01d414ae238a-pod_3c67a43e-090c-430d-9568-aca993e650e4/step-version/0.log {"success": false,"components": [{"name": "","containerImage": "quay.io/redhat-appstudio-qe/test-images@sha256:e2f0eeda826260a4293c6fd6d41481f134f0dcd1841d062ce9a8fcd84ce1c755","source": {},"violations": [{"msg": "No image attestations found matching the given public key. Verify the correct public key was provided, and one or more attestations were created. Error: no matching attestations: accepted signatures do not match threshold, Found: 0, Expected 1","metadata": {"code": "builtin.attestation.signature_check","description": "The attestation signature matches available signing materials.","title": "Attestation signature check passed"}},{"msg": "No image signatures found matching the given public key. Verify the correct public key was provided, and a signature was created. Error: no matching signatures: invalid signature when validating ASN.1 encoded signature\n invalid signature when validating ASN.1 encoded signature\n invalid signature when validating ASN.1 encoded signature","metadata": {"code": "builtin.image.signature_check","description": "The image signature matches available signing materials.","title": "Image signature check passed"}}],"success": false}],"key": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAENZxkE/d0fKvJ51dXHQmxXaRMTtVz\nBQWcmJD/7pcMDEmBcmk8O1yUPIiFj5TMZqabjS9CQQN+jKHG+Bfi0BYlHg==\n-----END PUBLIC KEY-----\n","policy": {"name": "Default","description": "Includes rules for levels 1, 2 & 3 of SLSA v0.1. 
This is the default config used for new Konflux applications. Source: https://github.com/conforma/config/blob/main/default/policy.yaml","sources": [{"name": "Default","policy": ["oci::quay.io/enterprise-contract/ec-release-policy:konflux@sha256:614408c473895bc7263173ccadcbf782e0c3c7c0a8c10851e6b0c94b5ea448c1"],"data": ["git::github.com/release-engineering/rhtap-ec-policy//data?ref=e7ebca9822d7378140b7207c7bc7062fa883dd5f","oci::quay.io/konflux-ci/tekton-catalog/data-acceptable-bundles:latest@sha256:62c93b5041683cf2c88fbe5b8b857f7c90a9b2cc1f8c9efde39abda01c567128","oci::quay.io/konflux-ci/konflux-vanguard/data-acceptable-bundles:latest@sha256:0b31c7bc77a7463a1bc52f3d3625ef0e0e75443da7fd2de8005d7885282138ea","oci::quay.io/konflux-ci/integration-service-catalog/data-acceptable-bundles:latest@sha256:7b00455045ea3873a72caeb1e7ac7d036bd53963a26409891a4cc9d0d242b9fc"],"config": {"include": ["slsa_provenance_available"]}}],"publicKey": "k8s://chains-e2e-neqh/dummy-public-key-slmdybwgca"},"ec-version": "v0.9.25","effective-time": "2026-06-30T11:16:36.944430034Z"} {"success": true,"components": [{"name": "-sha256:bd819da15920ef731002630e2b2d49e03b3209ee5edae6c74f2094bb9825b7cf-arm64","containerImage": "quay.io/konflux-ci/ec-golden-image@sha256:bd819da15920ef731002630e2b2d49e03b3209ee5edae6c74f2094bb9825b7cf","source": {},"successes": [{"msg": "Pass","metadata": {"code": "attestation_type.known_attestation_type","collections": ["minimal","redhat","redhat_rpms","slsa3"],"depends_on": ["attestation_type.pipelinerun_attestation_found"],"description": "Confirm the attestation found for the image has a known attestation type.","title": "Known attestation type found"}},{"msg": "Pass","metadata": {"code": "attestation_type.pipelinerun_attestation_found","collections": ["minimal","redhat","redhat_rpms","slsa3"],"description": "Confirm at least one PipelineRun attestation is present.","title": "PipelineRun attestation found"}},{"msg": "Pass","metadata": {"code": 
"builtin.attestation.signature_check","description": "The attestation signature matches available signing materials.","title": "Attestation signature check passed"}},{"msg": "Pass","metadata": {"code": "builtin.attestation.syntax_check","description": "The attestation has correct syntax.","title": "Attestation syntax check passed"}},{"msg": "Pass","metadata": {"code": "builtin.image.signature_check","description": "The image signature matches available signing materials.","title": "Image signature check passed"}},{"msg": "Pass","metadata": {"code": "slsa_build_build_service.allowed_builder_ids_provided","collections": ["slsa3","redhat","redhat_rpms","policy_data"],"description": "Confirm the `allowed_builder_ids` rule data was provided, since it is required by the policy rules in this package.","title": "Allowed builder IDs provided"}},{"msg": "Pass","metadata": {"code": "slsa_build_build_service.slsa_builder_id_accepted","collections": ["slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify that the attestation attribute predicate.builder.id is set to one of the values in the `allowed_builder_ids` rule data, e.g. 
\"https://tekton.dev/chains/v2\".","title": "SLSA Builder ID is known and accepted"}},{"msg": "Pass","metadata": {"code": "slsa_build_build_service.slsa_builder_id_found","collections": ["slsa3","redhat"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify that the attestation attribute predicate.builder.id is set.","title": "SLSA Builder ID found"}},{"msg": "Pass","metadata": {"code": "slsa_build_scripted_build.build_script_used","collections": ["slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify that the predicate.buildConfig.tasks.steps attribute for the task responsible for building and pushing the image is not empty.","title": "Build task contains steps"}},{"msg": "Pass","metadata": {"code": "slsa_build_scripted_build.build_task_image_results_found","collections": ["slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Confirm that a build task exists and it has the expected IMAGE_DIGEST and IMAGE_URL task results.","title": "Build task set image digest and url task results"}},{"msg": "Pass","metadata": {"code": "slsa_build_scripted_build.subject_build_task_matches","collections": ["slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify the subject of the attestations matches the IMAGE_DIGEST and IMAGE_URL values from the build task.","title": "Provenance subject matches build task image result"}},{"msg": "Pass","metadata": {"code": "slsa_provenance_available.allowed_predicate_types_provided","collections": ["minimal","slsa3","redhat","redhat_rpms","policy_data"],"description": "Confirm the `allowed_predicate_types` rule data was provided, since it is required by the policy rules in this package.","title": "Allowed predicate types provided"}},{"msg": "Pass","metadata": {"code": "slsa_provenance_available.attestation_predicate_type_accepted","collections": 
["minimal","slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify that the predicateType field of the attestation indicates the in-toto SLSA Provenance format was used to attest the PipelineRun.","title": "Expected attestation predicate type found"}},{"msg": "Pass","metadata": {"code": "slsa_source_correlated.attested_source_code_reference","collections": ["minimal","slsa3","redhat"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Attestation contains source reference.","title": "Source reference"}},{"msg": "Pass","metadata": {"code": "slsa_source_correlated.expected_source_code_reference","collections": ["minimal","slsa3","redhat"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify that the provided source code reference is the one being attested.","title": "Expected source code reference"}},{"msg": "Pass","metadata": {"code": "slsa_source_correlated.rule_data_provided","collections": ["minimal","slsa3","redhat","redhat_rpms","policy_data"],"description": "Confirm the expected rule data keys have been provided in the expected format. 
The keys are `supported_vcs` and `supported_digests`.","title": "Rule data provided"}},{"msg": "Pass","metadata": {"code": "slsa_source_version_controlled.materials_format_okay","collections": ["minimal","slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Confirm at least one entry in the predicate.materials array of the attestation contains the expected attributes: uri and digest.sha1.","title": "Materials have uri and digest"}},{"msg": "Pass","metadata": {"code": "slsa_source_version_controlled.materials_include_git_sha","collections": ["minimal","slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Ensure that each entry in the predicate.materials array with a SHA-1 digest includes a valid Git commit SHA.","title": "Materials include git commit shas"}},{"msg": "Pass","metadata": {"code": "slsa_source_version_controlled.materials_uri_is_git_repo","collections": ["minimal","slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Ensure each entry in the predicate.materials array with a SHA-1 digest includes a valid Git URI.","title": "Material uri is a git repo"}},{"msg": "Pass","metadata": {"code": "tasks.pipeline_has_tasks","collections": ["minimal","redhat","redhat_rpms","slsa3"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Ensure that at least one Task is present in the PipelineRun attestation.","title": "Pipeline run includes at least one task"}},{"msg": "Pass","metadata": {"code": "tasks.successful_pipeline_tasks","collections": ["minimal","redhat","redhat_rpms","slsa3"],"depends_on": ["tasks.pipeline_has_tasks"],"description": "Ensure that all of the Tasks in the Pipeline completed successfully. 
Note that skipped Tasks are not taken into account and do not influence the outcome.","title": "Successful pipeline tasks"}}],"success": true,"signatures": [{"keyid": "","sig": "MEYCIQDAFKFnOSV+ZO53btaeKYBj9ME2NdgwhZHBvpe+FdPrKgIhALpDGT56tbbpn+Y7xX7I6G9Ggm3UD0MYEZYgZ/Jf0n7s"},{"keyid": "","sig": "MEYCIQCwccUeCezmpPt6+gFQUb625+udjgjabwf3JZKGyt7iuAIhAMSTjScJPNed9vmKj/eLIE4zuKkw+dD1CGOcSlHEYGqi"}],"attestations": [{"type": "https://in-toto.io/Statement/v0.1","predicateType": "https://slsa.dev/provenance/v0.2","predicateBuildType": "tekton.dev/v1/PipelineRun","signatures": [{"keyid": "SHA256:IhiN7gY+Z3uSSd7tmj6w5Zfhqafzdhm3DZjIvGc6iYY","sig": "MEUCIFDe/HK4zGEf6ReCdi9lKIHt+F3RAQVbVz+9njVgeByoAiEA07g5JSnXBDpV2QlW7s4GuY7DoGVO8rwgOzJDsFR4Vhg="}]}]},{"name": "-sha256:4b8339806ff0774bdfc73676c57c6985fd311d8c8d0ea3062d13c00136f19414-amd64", "containerImage": "quay.io/konflux-ci/ec-golden-image@sha256:4b8339806ff0774bdfc73676c57c6985fd311d8c8d0ea3062d13c00136f19414","source": {},"successes": [{"msg": "Pass","metadata": {"code": "attestation_type.known_attestation_type","collections": ["minimal","redhat","redhat_rpms","slsa3"],"depends_on": ["attestation_type.pipelinerun_attestation_found"],"description": "Confirm the attestation found for the image has a known attestation type.","title": "Known attestation type found"}},{"msg": "Pass","metadata": {"code": "attestation_type.pipelinerun_attestation_found","collections": ["minimal","redhat","redhat_rpms","slsa3"],"description": "Confirm at least one PipelineRun attestation is present.","title": "PipelineRun attestation found"}},{"msg": "Pass","metadata": {"code": "builtin.attestation.signature_check","description": "The attestation signature matches available signing materials.","title": "Attestation signature check passed"}},{"msg": "Pass","metadata": {"code": "builtin.attestation.syntax_check","description": "The attestation has correct syntax.","title": "Attestation syntax check passed"}},{"msg": "Pass","metadata": {"code": 
"builtin.image.signature_check","description": "The image signature matches available signing materials.","title": "Image signature check passed"}},{"msg": "Pass","metadata": {"code": "slsa_build_build_service.allowed_builder_ids_provided","collections": ["slsa3","redhat","redhat_rpms","policy_data"],"description": "Confirm the `allowed_builder_ids` rule data was provided, since it is required by the policy rules in this package.","title": "Allowed builder IDs provided"}},{"msg": "Pass","metadata": {"code": "slsa_build_build_service.slsa_builder_id_accepted","collections": ["slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify that the attestation attribute predicate.builder.id is set to one of the values in the `allowed_builder_ids` rule data, e.g. \"https://tekton.dev/chains/v2\".","title": "SLSA Builder ID is known and accepted"}},{"msg": "Pass","metadata": {"code": "slsa_build_build_service.slsa_builder_id_found","collections": ["slsa3","redhat"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify that the attestation attribute predicate.builder.id is set.","title": "SLSA Builder ID found"}},{"msg": "Pass","metadata": {"code": "slsa_build_scripted_build.build_script_used","collections": ["slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify that the predicate.buildConfig.tasks.steps attribute for the task responsible for building and pushing the image is not empty.","title": "Build task contains steps"}},{"msg": "Pass","metadata": {"code": "slsa_build_scripted_build.build_task_image_results_found","collections": ["slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Confirm that a build task exists and it has the expected IMAGE_DIGEST and IMAGE_URL task results.","title": "Build task set image digest and url task results"}},{"msg": "Pass","metadata": {"code": 
"slsa_build_scripted_build.subject_build_task_matches","collections": ["slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify the subject of the attestations matches the IMAGE_DIGEST and IMAGE_URL values from the build task.","title": "Provenance subject matches build task image result"}},{"msg": "Pass","metadata": {"code": "slsa_provenance_available.allowed_predicate_types_provided","collections": ["minimal","slsa3","redhat","redhat_rpms","policy_data"],"description": "Confirm the `allowed_predicate_types` rule data was provided, since it is required by the policy rules in this package.","title": "Allowed predicate types provided"}},{"msg": "Pass","metadata": {"code": "slsa_provenance_available.attestation_predicate_type_accepted","collections": ["minimal","slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify that the predicateType field of the attestation indicates the in-toto SLSA Provenance format was used to attest the PipelineRun.","title": "Expected attestation predicate type found"}},{"msg": "Pass","metadata": {"code": "slsa_source_correlated.attested_source_code_reference","collections": ["minimal","slsa3","redhat"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Attestation contains source reference.","title": "Source reference"}},{"msg": "Pass","metadata": {"code": "slsa_source_correlated.expected_source_code_reference","collections": ["minimal","slsa3","redhat"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify that the provided source code reference is the one being attested.","title": "Expected source code reference"}},{"msg": "Pass","metadata": {"code": "slsa_source_correlated.rule_data_provided","collections": ["minimal","slsa3","redhat","redhat_rpms","policy_data"],"description": "Confirm the expected rule data keys have been provided in the expected format. 
The keys are `supported_vcs` and `supported_digests`.","title": "Rule data provided"}},{"msg": "Pass","metadata": {"code": "slsa_source_version_controlled.materials_format_okay","collections": ["minimal","slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Confirm at least one entry in the predicate.materials array of the attestation contains the expected attributes: uri and digest.sha1.","title": "Materials have uri and digest"}},{"msg": "Pass","metadata": {"code": "slsa_source_version_controlled.materials_include_git_sha","collections": ["minimal","slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Ensure that each entry in the predicate.materials array with a SHA-1 digest includes a valid Git commit SHA.","title": "Materials include git commit shas"}},{"msg": "Pass","metadata": {"code": "slsa_source_version_controlled.materials_uri_is_git_repo","collections": ["minimal","slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Ensure each entry in the predicate.materials array with a SHA-1 digest includes a valid Git URI.","title": "Material uri is a git repo"}},{"msg": "Pass","metadata": {"code": "tasks.pipeline_has_tasks","collections": ["minimal","redhat","redhat_rpms","slsa3"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Ensure that at least one Task is present in the PipelineRun attestation.","title": "Pipeline run includes at least one task"}},{"msg": "Pass","metadata": {"code": "tasks.successful_pipeline_tasks","collections": ["minimal","redhat","redhat_rpms","slsa3"],"depends_on": ["tasks.pipeline_has_tasks"],"description": "Ensure that all of the Tasks in the Pipeline completed successfully. 
Note that skipped Tasks are not taken into account and do not influence the outcome.","title": "Successful pipeline tasks"}}],"success": true,"signatures": [{"keyid": "","sig": "MEUCIDClKcqP9YPbxNqrjMmnHiaOfanitDdnBlhFmjQ6BLtJAiEArcCsnbdruYcO3+U0I5lWaU61uOUyU+wfbEj0L+ZR+L0="},{"keyid": "","sig": "MEUCIQCpjCHf1LOrOwwyEkcivoYaDzQBLYDerGUXEJvjlVBnmgIgG5Zk2eQpGhuw2sfOQZbwrB8d3fp5JdZcemQw426vGwg="}],"attestations": [{"type": "https://in-toto.io/Statement/v0.1","predicateType": "https://slsa.dev/provenance/v0.2","predicateBuildType": "tekton.dev/v1/PipelineRun","signatures": [{"keyid": "SHA256:IhiN7gY+Z3uSSd7tmj6w5Zfhqafzdhm3DZjIvGc6iYY","sig": "MEUCIFDe/HK4zGEf6ReCdi9lKIHt+F3RAQVbVz+9njVgeByoAiEA07g5JSnXBDpV2QlW7s4GuY7DoGVO8rwgOzJDsFR4Vhg="}]}]},{"name": "","containerImage": "quay.io/konflux-ci/ec-golden-image@sha256:304040ca1911aa4d911bd7c6d6d07193c57dc49dbc43e63828b42ab204fb1b25","source": {},"successes": [{"msg": "Pass","metadata": {"code": "attestation_type.known_attestation_type","collections": ["minimal","redhat","redhat_rpms","slsa3"], "depends_on": ["attestation_type.pipelinerun_attestation_found"],"description": "Confirm the attestation found for the image has a known attestation type.","title": "Known attestation type found"}},{"msg": "Pass","metadata": {"code": "attestation_type.pipelinerun_attestation_found","collections": ["minimal","redhat","redhat_rpms","slsa3"],"description": "Confirm at least one PipelineRun attestation is present.","title": "PipelineRun attestation found"}},{"msg": "Pass","metadata": {"code": "builtin.attestation.signature_check","description": "The attestation signature matches available signing materials.","title": "Attestation signature check passed"}},{"msg": "Pass","metadata": {"code": "builtin.attestation.syntax_check","description": "The attestation has correct syntax.","title": "Attestation syntax check passed"}},{"msg": "Pass","metadata": {"code": "builtin.image.signature_check","description": "The image signature matches 
available signing materials.","title": "Image signature check passed"}},{"msg": "Pass","metadata": {"code": "slsa_build_build_service.allowed_builder_ids_provided","collections": ["slsa3","redhat","redhat_rpms","policy_data"],"description": "Confirm the `allowed_builder_ids` rule data was provided, since it is required by the policy rules in this package.","title": "Allowed builder IDs provided"}},{"msg": "Pass","metadata": {"code": "slsa_build_build_service.slsa_builder_id_accepted","collections": ["slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify that the attestation attribute predicate.builder.id is set to one of the values in the `allowed_builder_ids` rule data, e.g. \"https://tekton.dev/chains/v2\".","title": "SLSA Builder ID is known and accepted"}},{"msg": "Pass","metadata": {"code": "slsa_build_build_service.slsa_builder_id_found","collections": ["slsa3","redhat"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify that the attestation attribute predicate.builder.id is set.","title": "SLSA Builder ID found"}},{"msg": "Pass","metadata": {"code": "slsa_build_scripted_build.build_script_used","collections": ["slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify that the predicate.buildConfig.tasks.steps attribute for the task responsible for building and pushing the image is not empty.","title": "Build task contains steps"}},{"msg": "Pass","metadata": {"code": "slsa_build_scripted_build.build_task_image_results_found","collections": ["slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Confirm that a build task exists and it has the expected IMAGE_DIGEST and IMAGE_URL task results.","title": "Build task set image digest and url task results"}},{"msg": "Pass","metadata": {"code": "slsa_build_scripted_build.subject_build_task_matches","collections": 
["slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify the subject of the attestations matches the IMAGE_DIGEST and IMAGE_URL values from the build task.","title": "Provenance subject matches build task image result"}},{"msg": "Pass","metadata": {"code": "slsa_provenance_available.allowed_predicate_types_provided","collections": ["minimal","slsa3","redhat","redhat_rpms","policy_data"],"description": "Confirm the `allowed_predicate_types` rule data was provided, since it is required by the policy rules in this package.","title": "Allowed predicate types provided"}},{"msg": "Pass","metadata": {"code": "slsa_provenance_available.attestation_predicate_type_accepted","collections": ["minimal","slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify that the predicateType field of the attestation indicates the in-toto SLSA Provenance format was used to attest the PipelineRun.","title": "Expected attestation predicate type found"}},{"msg": "Pass","metadata": {"code": "slsa_source_correlated.attested_source_code_reference","collections": ["minimal","slsa3","redhat"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Attestation contains source reference.","title": "Source reference"}},{"msg": "Pass","metadata": {"code": "slsa_source_correlated.expected_source_code_reference","collections": ["minimal","slsa3","redhat"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify that the provided source code reference is the one being attested.","title": "Expected source code reference"}},{"msg": "Pass","metadata": {"code": "slsa_source_correlated.rule_data_provided","collections": ["minimal","slsa3","redhat","redhat_rpms","policy_data"],"description": "Confirm the expected rule data keys have been provided in the expected format. 
The keys are `supported_vcs` and `supported_digests`.","title": "Rule data provided"}},{"msg": "Pass","metadata": {"code": "slsa_source_version_controlled.materials_format_okay","collections": ["minimal","slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Confirm at least one entry in the predicate.materials array of the attestation contains the expected attributes: uri and digest.sha1.","title": "Materials have uri and digest"}},{"msg": "Pass","metadata": {"code": "slsa_source_version_controlled.materials_include_git_sha","collections": ["minimal","slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Ensure that each entry in the predicate.materials array with a SHA-1 digest includes a valid Git commit SHA.","title": "Materials include git commit shas"}},{"msg": "Pass","metadata": {"code": "slsa_source_version_controlled.materials_uri_is_git_repo","collections": ["minimal","slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Ensure each entry in the predicate.materials array with a SHA-1 digest includes a valid Git URI.","title": "Material uri is a git repo"}},{"msg": "Pass","metadata": {"code": "tasks.pipeline_has_tasks","collections": ["minimal","redhat","redhat_rpms","slsa3"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Ensure that at least one Task is present in the PipelineRun attestation.","title": "Pipeline run includes at least one task"}},{"msg": "Pass","metadata": {"code": "tasks.successful_pipeline_tasks","collections": ["minimal","redhat","redhat_rpms","slsa3"],"depends_on": ["tasks.pipeline_has_tasks"],"description": "Ensure that all of the Tasks in the Pipeline completed successfully. 
Note that skipped Tasks are not taken into account and do not influence the outcome.","title": "Successful pipeline tasks"}}],"success": true,"signatures": [{"keyid": "","sig": "MEUCIQD86lmOqCovYZDPKm0XxxsLgDQcFIFAv+QZxrFSHmCvQAIgTd1I005ox8MfABqsAen6PZEyg2MCEQNBCx1NLS3V0JQ="}],"attestations": [{"type": "https://in-toto.io/Statement/v0.1","predicateType": "https://slsa.dev/provenance/v0.2","predicateBuildType": "tekton.dev/v1beta1/TaskRun","signatures": [{"keyid": "SHA256:IhiN7gY+Z3uSSd7tmj6w5Zfhqafzdhm3DZjIvGc6iYY","sig": "MEUCIQDcgZIwEkLFqD7U9HrobgEC8Jo7wm+xJ5AoyO3qg+aj8QIgb9xDpjYGRMmpVk+QATeVKlHonzBiu51HtT3J+lQXPXc="}]},{"type": "https://in-toto.io/Statement/v0.1","predicateType": "https://slsa.dev/provenance/v0.2","predicateBuildType": "tekton.dev/v1beta1/PipelineRun","signatures": [{"keyid": "SHA256:IhiN7gY+Z3uSSd7tmj6w5Zfhqafzdhm3DZjIvGc6iYY","sig": "MEYCIQDKSihaAR/zAhJhR5GCqleDvfUUtvRw61vk0YeTBAnOSQIhAKa09B4yEfaSJronmWBFbu5cVPNxm17CMl/PElEz1POa"}]}]},{"name": "","containerImage": "quay.io/konflux-ci/ec-golden-image@sha256:0e61e9c81f2e5f05c82aa07135835be5c14e5d4fb7e49734cc581c3856875c8d","source": {},"successes": [{"msg": "Pass","metadata": {"code": "attestation_type.known_attestation_type","collections": ["minimal","redhat","redhat_rpms","slsa3"],"depends_on": ["attestation_type.pipelinerun_attestation_found"], "description": "Confirm the attestation found for the image has a known attestation type.","title": "Known attestation type found"}},{"msg": "Pass","metadata": {"code": "attestation_type.pipelinerun_attestation_found","collections": ["minimal","redhat","redhat_rpms","slsa3"],"description": "Confirm at least one PipelineRun attestation is present.","title": "PipelineRun attestation found"}},{"msg": "Pass","metadata": {"code": "builtin.attestation.signature_check","description": "The attestation signature matches available signing materials.","title": "Attestation signature check passed"}},{"msg": "Pass","metadata": {"code": 
"builtin.attestation.syntax_check","description": "The attestation has correct syntax.","title": "Attestation syntax check passed"}},{"msg": "Pass","metadata": {"code": "builtin.image.signature_check","description": "The image signature matches available signing materials.","title": "Image signature check passed"}},{"msg": "Pass","metadata": {"code": "slsa_build_build_service.allowed_builder_ids_provided","collections": ["slsa3","redhat","redhat_rpms","policy_data"],"description": "Confirm the `allowed_builder_ids` rule data was provided, since it is required by the policy rules in this package.","title": "Allowed builder IDs provided"}},{"msg": "Pass","metadata": {"code": "slsa_build_build_service.slsa_builder_id_accepted","collections": ["slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify that the attestation attribute predicate.builder.id is set to one of the values in the `allowed_builder_ids` rule data, e.g. \"https://tekton.dev/chains/v2\".","title": "SLSA Builder ID is known and accepted"}},{"msg": "Pass","metadata": {"code": "slsa_build_build_service.slsa_builder_id_found","collections": ["slsa3","redhat"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify that the attestation attribute predicate.builder.id is set.","title": "SLSA Builder ID found"}},{"msg": "Pass","metadata": {"code": "slsa_build_scripted_build.build_script_used","collections": ["slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify that the predicate.buildConfig.tasks.steps attribute for the task responsible for building and pushing the image is not empty.","title": "Build task contains steps"}},{"msg": "Pass","metadata": {"code": "slsa_build_scripted_build.build_task_image_results_found","collections": ["slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Confirm that a build task exists 
and it has the expected IMAGE_DIGEST and IMAGE_URL task results.","title": "Build task set image digest and url task results"}},{"msg": "Pass","metadata": {"code": "slsa_build_scripted_build.subject_build_task_matches","collections": ["slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify the subject of the attestations matches the IMAGE_DIGEST and IMAGE_URL values from the build task.","title": "Provenance subject matches build task image result"}},{"msg": "Pass","metadata": {"code": "slsa_provenance_available.allowed_predicate_types_provided","collections": ["minimal","slsa3","redhat","redhat_rpms","policy_data"],"description": "Confirm the `allowed_predicate_types` rule data was provided, since it is required by the policy rules in this package.","title": "Allowed predicate types provided"}},{"msg": "Pass","metadata": {"code": "slsa_provenance_available.attestation_predicate_type_accepted","collections": ["minimal","slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify that the predicateType field of the attestation indicates the in-toto SLSA Provenance format was used to attest the PipelineRun.","title": "Expected attestation predicate type found"}},{"msg": "Pass","metadata": {"code": "slsa_source_correlated.attested_source_code_reference","collections": ["minimal","slsa3","redhat"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Attestation contains source reference.","title": "Source reference"}},{"msg": "Pass","metadata": {"code": "slsa_source_correlated.expected_source_code_reference","collections": ["minimal","slsa3","redhat"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify that the provided source code reference is the one being attested.","title": "Expected source code reference"}},{"msg": "Pass","metadata": {"code": "slsa_source_correlated.rule_data_provided","collections": 
["minimal","slsa3","redhat","redhat_rpms","policy_data"],"description": "Confirm the expected rule data keys have been provided in the expected format. The keys are `supported_vcs` and `supported_digests`.","title": "Rule data provided"}},{"msg": "Pass","metadata": {"code": "slsa_source_version_controlled.materials_format_okay","collections": ["minimal","slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Confirm at least one entry in the predicate.materials array of the attestation contains the expected attributes: uri and digest.sha1.","title": "Materials have uri and digest"}},{"msg": "Pass","metadata": {"code": "slsa_source_version_controlled.materials_include_git_sha","collections": ["minimal","slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Ensure that each entry in the predicate.materials array with a SHA-1 digest includes a valid Git commit SHA.","title": "Materials include git commit shas"}},{"msg": "Pass","metadata": {"code": "slsa_source_version_controlled.materials_uri_is_git_repo","collections": ["minimal","slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Ensure each entry in the predicate.materials array with a SHA-1 digest includes a valid Git URI.","title": "Material uri is a git repo"}},{"msg": "Pass","metadata": {"code": "tasks.pipeline_has_tasks","collections": ["minimal","redhat","redhat_rpms","slsa3"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Ensure that at least one Task is present in the PipelineRun attestation.","title": "Pipeline run includes at least one task"}},{"msg": "Pass","metadata": {"code": "tasks.successful_pipeline_tasks","collections": ["minimal","redhat","redhat_rpms","slsa3"],"depends_on": ["tasks.pipeline_has_tasks"],"description": "Ensure that all of the Tasks in the Pipeline completed successfully. 
Note that skipped Tasks are not taken into account and do not influence the outcome.","title": "Successful pipeline tasks"}}],"success": true,"signatures": [{"keyid": "","sig": "MEUCIH1WSpsKcqzY11HkZUBkW2EtnAsuE1DXjFSvEMiekoYhAiEA8DWjnDJelQVizV67I8B3hE7HzqVdoitHQYtE52UYnfU="}],"attestations": [{"type": "https://in-toto.io/Statement/v0.1","predicateType": "https://slsa.dev/provenance/v0.2","predicateBuildType": "tekton.dev/v1/PipelineRun","signatures": [{"keyid": "SHA256:IhiN7gY+Z3uSSd7tmj6w5Zfhqafzdhm3DZjIvGc6iYY","sig": "MEUCIFDe/HK4zGEf6ReCdi9lKIHt+F3RAQVbVz+9njVgeByoAiEA07g5JSnXBDpV2QlW7s4GuY7DoGVO8rwgOzJDsFR4Vhg="}]}]}],"key": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEZP/0htjhVt2y0ohjgtIIgICOtQtA\nnaYJRuLprwIv6FDhZ5yFjYUEtsmoNcW7rx2KM6FOXGsCX3BNc7qhHELT+g==\n-----END PUBLIC KEY-----\n","policy": {"name": "Default","description": "Includes rules for levels 1, 2 & 3 of SLSA v0.1. This is the default config used for new Konflux applications. Source: https://github.com/conforma/config/blob/main/default/policy.yaml","sources": [{"name": "Default","policy": ["oci::quay.io/enterprise-contract/ec-release-policy:konflux@sha256:614408c473895bc7263173ccadcbf782e0c3c7c0a8c10851e6b0c94b5ea448c1"],"data": ["git::github.com/release-engineering/rhtap-ec-policy//data?ref=e7ebca9822d7378140b7207c7bc7062fa883dd5f", true { "policy": { "name": "Default", "description": "Includes rules for levels 1, 2 & 3 of SLSA v0.1. This is the default config used for new Konflux applications. 
Source: https://github.com/conforma/config/blob/main/default/policy.yaml", "sources": [ { "name": "Default", "policy": [ "oci::quay.io/enterprise-contract/ec-release-policy:konflux@sha256:614408c473895bc7263173ccadcbf782e0c3c7c0a8c10851e6b0c94b5ea448c1" ], "data": [ "git::github.com/release-engineering/rhtap-ec-policy//data?ref=e7ebca9822d7378140b7207c7bc7062fa883dd5f", "oci::quay.io/konflux-ci/tekton-catalog/data-acceptable-bundles:latest@sha256:62c93b5041683cf2c88fbe5b8b857f7c90a9b2cc1f8c9efde39abda01c567128", "oci::quay.io/konflux-ci/konflux-vanguard/data-acceptable-bundles:latest@sha256:0b31c7bc77a7463a1bc52f3d3625ef0e0e75443da7fd2de8005d7885282138ea", "oci::quay.io/konflux-ci/integration-service-catalog/data-acceptable-bundles:latest@sha256:7b00455045ea3873a72caeb1e7ac7d036bd53963a26409891a4cc9d0d242b9fc" ], "config": { "exclude": [ "slsa_source_correlated.source_code_reference_provided" ], "include": [ "@slsa3" ] } } ], "publicKey": "k8s://chains-e2e-neqh/golden-image-public-keywvlrcxjdct" }, "key": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEZP/0htjhVt2y0ohjgtIIgICOtQtA\nnaYJRuLprwIv6FDhZ5yFjYUEtsmoNcW7rx2KM6FOXGsCX3BNc7qhHELT+g==\n-----END PUBLIC KEY-----\n", "effective-time": "2026-06-30T11:17:04.230197589Z" } Version v0.9.25 Source ID b345847182602d9a5ce9e957fa76fe02575c8018 Change date 2026-04-27 12:52:43 +0000 UTC (9 weeks ago) ECC v0.1.7 OPA v1.15.2 Conftest v0.68.2 Cosign v3.0.4 Sigstore v1.10.4 Rekor v1.5.0 Tekton Pipeline v1.9.2 Kubernetes Client v0.35.0 { "timestamp": "1782818234", "namespace": "", "successes": 84, "failures": 0, "warnings": 0, "result": "SUCCESS" } Success: true Result: SUCCESS Violations: 0, Warnings: 0, Successes: 84 Components: - Name: -sha256:bd819da15920ef731002630e2b2d49e03b3209ee5edae6c74f2094bb9825b7cf-arm64 ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:bd819da15920ef731002630e2b2d49e03b3209ee5edae6c74f2094bb9825b7cf Violations: 0, Warnings: 0, Successes: 21 - Name: 
-sha256:4b8339806ff0774bdfc73676c57c6985fd311d8c8d0ea3062d13c00136f19414-amd64
  ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:4b8339806ff0774bdfc73676c57c6985fd311d8c8d0ea3062d13c00136f19414
  Violations: 0, Warnings: 0, Successes: 21
- Name:
  ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:304040ca1911aa4d911bd7c6d6d07193c57dc49dbc43e63828b42ab204fb1b25
  Violations: 0, Warnings: 0, Successes: 21
- Name:
  ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:0e61e9c81f2e5f05c82aa07135835be5c14e5d4fb7e49734cc581c3856875c8d
  Violations: 0, Warnings: 0, Successes: 21
2026-06-30T11:17:19.583279Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-71d6c92463581a383c1fd49e0f3584a2-pod_052230ed-b497-4cce-8b9d-0f620b72e05b/place-scripts/0.log
2026-06-30T11:17:19.583322Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-71d6c92463581a383c1fd49e0f3584a2-pod_052230ed-b497-4cce-8b9d-0f620b72e05b/prepare/0.log
2026-06-30T11:17:20.104239Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-71d6c92463581a383c1fd49e0f3584a2-pod_052230ed-b497-4cce-8b9d-0f620b72e05b/step-initialize-tuf/0.log
2026-06-30T11:17:20.104269Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-71d6c92463581a383c1fd49e0f3584a2-pod_052230ed-b497-4cce-8b9d-0f620b72e05b/step-reduce/0.log
2026-06-30T11:17:20.104276Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-71d6c92463581a383c1fd49e0f3584a2-pod_052230ed-b497-4cce-8b9d-0f620b72e05b/step-report-json/0.log
2026-06-30T11:17:20.104283Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-71d6c92463581a383c1fd49e0f3584a2-pod_052230ed-b497-4cce-8b9d-0f620b72e05b/step-show-config/0.log
2026-06-30T11:17:20.104290Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-71d6c92463581a383c1fd49e0f3584a2-pod_052230ed-b497-4cce-8b9d-0f620b72e05b/step-summary/0.log
2026-06-30T11:17:20.104296Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-71d6c92463581a383c1fd49e0f3584a2-pod_052230ed-b497-4cce-8b9d-0f620b72e05b/step-validate/0.log
2026-06-30T11:17:20.104304Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-71d6c92463581a383c1fd49e0f3584a2-pod_052230ed-b497-4cce-8b9d-0f620b72e05b/step-version/0.log
2026-06-30T11:17:20.618525Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-71d6c92463581a383c1fd49e0f3584a2-pod_052230ed-b497-4cce-8b9d-0f620b72e05b/step-assert/0.log
2026-06-30T11:17:20.618554Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-71d6c92463581a383c1fd49e0f3584a2-pod_052230ed-b497-4cce-8b9d-0f620b72e05b/step-detailed-report/0.log
2026/06/30 11:17:18 Decoded script /tekton/scripts/script-2-qf5jv
2026/06/30 11:17:18 Entrypoint initialization
2026-06-30T11:17:23.695948Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-71d6c92463581a383c1fd49e0f3584a2-pod_052230ed-b497-4cce-8b9d-0f620b72e05b/step-initialize-tuf/0.log
2026-06-30T11:17:23.695991Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-71d6c92463581a383c1fd49e0f3584a2-pod_052230ed-b497-4cce-8b9d-0f620b72e05b/step-reduce/0.log
Single Component mode?
false { "application": "", "componentGroup": "", "components": [ { "name": "", "version": "", "containerImage": "quay.io/konflux-ci/ec-golden-image:latest", "source": {} } ], "artifacts": {} } 2026/06/30 11:17:22 INFO Step was skipped due to when expressions were evaluated to false. {"success": false,"components": [{"name": "-sha256:bd819da15920ef731002630e2b2d49e03b3209ee5edae6c74f2094bb9825b7cf-arm64","containerImage": "quay.io/konflux-ci/ec-golden-image@sha256:bd819da15920ef731002630e2b2d49e03b3209ee5edae6c74f2094bb9825b7cf","source": {},"violations": [{"msg": "No image attestations found matching the given public key. Verify the correct public key was provided, and one or more attestations were created. Error: no matching attestations: accepted signatures do not match threshold, Found: 0, Expected 1","metadata": {"code": "builtin.attestation.signature_check","description": "The attestation signature matches available signing materials.","title": "Attestation signature check passed"}},{"msg": "No image signatures found matching the given public key. Verify the correct public key was provided, and a signature was created. Error: no matching signatures: invalid signature when validating ASN.1 encoded signature\n invalid signature when validating ASN.1 encoded signature","metadata": {"code": "builtin.image.signature_check","description": "The image signature matches available signing materials.","title": "Image signature check passed"}}],"success": false},{"name": "-sha256:4b8339806ff0774bdfc73676c57c6985fd311d8c8d0ea3062d13c00136f19414-amd64","containerImage": "quay.io/konflux-ci/ec-golden-image@sha256:4b8339806ff0774bdfc73676c57c6985fd311d8c8d0ea3062d13c00136f19414","source": {},"violations": [{"msg": "No image attestations found matching the given public key. Verify the correct public key was provided, and one or more attestations were created. 
Error: no matching attestations: accepted signatures do not match threshold, Found: 0, Expected 1","metadata": {"code": "builtin.attestation.signature_check","description": "The attestation signature matches available signing materials.","title": "Attestation signature check passed"}},{"msg": "No image signatures found matching the given public key. Verify the correct public key was provided, and a signature was created. Error: no matching signatures: invalid signature when validating ASN.1 encoded signature\n invalid signature when validating ASN.1 encoded signature","metadata": {"code": "builtin.image.signature_check","description": "The image signature matches available signing materials.","title": "Image signature check passed"}}],"success": false},{"name": "","containerImage": "quay.io/konflux-ci/ec-golden-image@sha256:0e61e9c81f2e5f05c82aa07135835be5c14e5d4fb7e49734cc581c3856875c8d","source": {},"violations": [{"msg": "No image attestations found matching the given public key. Verify the correct public key was provided, and one or more attestations were created. Error: no matching attestations: accepted signatures do not match threshold, Found: 0, Expected 1","metadata": {"code": "builtin.attestation.signature_check","description": "The attestation signature matches available signing materials.","title": "Attestation signature check passed"}},{"msg": "No image signatures found matching the given public key. Verify the correct public key was provided, and a signature was created. 
Error: no matching signatures: invalid signature when validating ASN.1 encoded signature","metadata": {"code": "builtin.image.signature_check","description": "The image signature matches available signing materials.","title": "Image signature check passed"}}],"success": false}],"key": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE99dNieq9DfLz+EKmnE2Udm+n7khN\ntC8FQYNCPdZKFaGKrozPMqmP+Crohp3bge7+KbvWj9qsX7uU4JV6inRyXA==\n-----END PUBLIC KEY-----\n","policy": {"name": "Default","description": "Includes rules for levels 1, 2 & 3 of SLSA v0.1. This is the default config used for new Konflux applications. Source: https://github.com/conforma/config/blob/main/default/policy.yaml","sources": [{"name": "Default","policy": ["oci::quay.io/enterprise-contract/ec-release-policy:konflux@sha256:614408c473895bc7263173ccadcbf782e0c3c7c0a8c10851e6b0c94b5ea448c1"],"data": ["git::github.com/release-engineering/rhtap-ec-policy//data?ref=e7ebca9822d7378140b7207c7bc7062fa883dd5f","oci::quay.io/konflux-ci/tekton-catalog/data-acceptable-bundles:latest@sha256:62c93b5041683cf2c88fbe5b8b857f7c90a9b2cc1f8c9efde39abda01c567128","oci::quay.io/konflux-ci/konflux-vanguard/data-acceptable-bundles:latest@sha256:0b31c7bc77a7463a1bc52f3d3625ef0e0e75443da7fd2de8005d7885282138ea","oci::quay.io/konflux-ci/integration-service-catalog/data-acceptable-bundles:latest@sha256:7b00455045ea3873a72caeb1e7ac7d036bd53963a26409891a4cc9d0d242b9fc"],"config": {"include": ["slsa_provenance_available"]}}],"publicKey": "k8s://chains-e2e-neqh/cosign-public-key"},"ec-version": "v0.9.25","effective-time": "2026-06-30T11:16:49.41155998Z"} 2026-06-30T11:17:36.011408Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. 
file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-71d6c92463581a383c1fd49e0f3584a2-pod_052230ed-b497-4cce-8b9d-0f620b72e05b/step-validate/0.log
time="2026-06-30T11:17:35Z" level=error msg="failed to fetch image" action="fetch image" error="GET https://quay.io/v2/konflux-ci/ec-golden-image/manifests/sha256:b5922ed88aac984288939b94130e1a2d7337cb8241f5c5f74612c0fe82437adf: MANIFEST_UNKNOWN: manifest unknown; map[]" function=ec.oci.image_manifest input_ref="quay.io/konflux-ci/ec-golden-image@sha256:b5922ed88aac984288939b94130e1a2d7337cb8241f5c5f74612c0fe82437adf"
time="2026-06-30T11:17:36Z" level=error msg="failed to fetch image" action="fetch image" error="GET https://quay.io/v2/konflux-ci/ec-golden-image/manifests/sha256:b5922ed88aac984288939b94130e1a2d7337cb8241f5c5f74612c0fe82437adf: MANIFEST_UNKNOWN: manifest unknown; map[]" function=ec.oci.image_manifest input_ref="quay.io/konflux-ci/ec-golden-image@sha256:b5922ed88aac984288939b94130e1a2d7337cb8241f5c5f74612c0fe82437adf"
"oci::quay.io/konflux-ci/tekton-catalog/data-acceptable-bundles:latest@sha256:62c93b5041683cf2c88fbe5b8b857f7c90a9b2cc1f8c9efde39abda01c567128","oci::quay.io/konflux-ci/konflux-vanguard/data-acceptable-bundles:latest@sha256:0b31c7bc77a7463a1bc52f3d3625ef0e0e75443da7fd2de8005d7885282138ea","oci::quay.io/konflux-ci/integration-service-catalog/data-acceptable-bundles:latest@sha256:7b00455045ea3873a72caeb1e7ac7d036bd53963a26409891a4cc9d0d242b9fc"],"config": {"exclude": ["slsa_source_correlated.source_code_reference_provided"],"include": ["@slsa3"]}}],"publicKey": "k8s://chains-e2e-neqh/golden-image-public-keywvlrcxjdct"},"ec-version": "v0.9.25","effective-time": "2026-06-30T11:17:04.230197589Z"}
2026-06-30T11:17:51.409985Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-71d6c92463581a383c1fd49e0f3584a2-pod_052230ed-b497-4cce-8b9d-0f620b72e05b/step-assert/0.log
2026-06-30T11:17:51.410053Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-71d6c92463581a383c1fd49e0f3584a2-pod_052230ed-b497-4cce-8b9d-0f620b72e05b/step-detailed-report/0.log
2026-06-30T11:17:51.410145Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-71d6c92463581a383c1fd49e0f3584a2-pod_052230ed-b497-4cce-8b9d-0f620b72e05b/step-report-json/0.log
2026-06-30T11:17:51.410188Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-71d6c92463581a383c1fd49e0f3584a2-pod_052230ed-b497-4cce-8b9d-0f620b72e05b/step-show-config/0.log
2026-06-30T11:17:51.410213Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-71d6c92463581a383c1fd49e0f3584a2-pod_052230ed-b497-4cce-8b9d-0f620b72e05b/step-summary/0.log
2026-06-30T11:17:51.410246Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch.
file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-71d6c92463581a383c1fd49e0f3584a2-pod_052230ed-b497-4cce-8b9d-0f620b72e05b/step-version/0.log Version v0.9.25 Source ID b345847182602d9a5ce9e957fa76fe02575c8018 Change date 2026-04-27 12:52:43 +0000 UTC (9 weeks ago) ECC v0.1.7 OPA v1.15.2 Conftest v0.68.2 Cosign v3.0.4 Sigstore v1.10.4 Rekor v1.5.0 Tekton Pipeline v1.9.2 Kubernetes Client v0.35.0 { "timestamp": "1782818270", "namespace": "", "successes": 420, "failures": 0, "warnings": 39, "result": "WARNING" } {"success": true,"components": [{"name": "-sha256:bd819da15920ef731002630e2b2d49e03b3209ee5edae6c74f2094bb9825b7cf-arm64","containerImage": "quay.io/konflux-ci/ec-golden-image@sha256:bd819da15920ef731002630e2b2d49e03b3209ee5edae6c74f2094bb9825b7cf","source": {},"warnings": [{"msg": "The Task \"ecosystem-cert-preflight-checks\" from the build Pipeline reports a failed informative test","metadata": {"code": "test.no_failed_informative_tests","collections": ["redhat"],"depends_on": ["test.test_data_found"],"description": "Produce a warning if any informative tests have their result set to \"FAILED\". The result type is configurable by the \"failed_tests_results\" key, and the list of informative tests is configurable by the \"informative_tests\" key in the rule data.","solution": "There is a test that failed. Make sure that any task in the build pipeline with a result named 'TEST_OUTPUT' does not fail. More information about the test should be available in the logs for the build Pipeline.","term": "ecosystem-cert-preflight-checks","title": "No informative tests failed"}},{"msg": "A newer version of task \"build-image-index\" exists. Please update before 2026-08-22T00:00:00Z. 
The current bundle is \"oci://quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.3@sha256:b33bfa8dc27dbf459f0779598ba45dcaa490bcc9f8efe1652bcf360ec8cb5582\" and the latest bundle ref is \"sha256:0b4251ea0fab38be2b1441bea2788220d4cf2963ffb854a0ed90992fbabbe122\"","metadata": {"code": "trusted_task.current","collections": ["redhat","redhat_rpms"],"description": "Check if all Tekton Tasks use the latest known Task reference. When warnings will be reported can be configured using the `task_expiry_warning_days` rule data setting. It holds the number of days before the task is to expire within which the warnings will be reported.","solution": "Update the Task reference to a newer version.","term": "build-image-index","title": "Tasks using the latest versions"}},{"msg": "A newer version of task \"build-container\" exists. Please update before 2026-08-02T00:00:00Z. The current bundle is \"oci://quay.io/konflux-ci/tekton-catalog/task-buildah-remote-oci-ta:0.9@sha256:77007259cc87f32d63d2c201226aadaab98313cfd4e02b46abc243c4d2cc27bd\" and the latest bundle ref is \"sha256:148347cf1a291bc3ebe0700d7f61c12f7f4d5e78e59a162f5e622ad67106c4a9\"","metadata": {"code": "trusted_task.current","collections": ["redhat","redhat_rpms"],"description": "Check if all Tekton Tasks use the latest known Task reference. When warnings will be reported can be configured using the `task_expiry_warning_days` rule data setting. It holds the number of days before the task is to expire within which the warnings will be reported.","solution": "Update the Task reference to a newer version.","term": "buildah-remote-oci-ta","title": "Tasks using the latest versions"}},{"msg": "A newer version of task \"clair-scan\" exists. Please update before 2026-08-22T00:00:00Z. 
The current bundle is \"oci://quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.3@sha256:8fad4c2e2f470f82ee43d6b2ac72327b4d9c6e9cb514a678911c1c9359c29894\" and the latest bundle ref is \"sha256:9ff424d913dd7681031a93d8bdbed622cd5536633f8ed0dbb4a9021055cf9d21\"","metadata": {"code": "trusted_task.current","collections": ["redhat","redhat_rpms"],"description": "Check if all Tekton Tasks use the latest known Task reference. When warnings will be reported can be configured using the `task_expiry_warning_days` rule data setting. It holds the number of days before the task is to expire within which the warnings will be reported.","solution": "Update the Task reference to a newer version.","term": "clair-scan","title": "Tasks using the latest versions"}},{"msg": "A newer version of task \"clamav-scan\" exists. Please update before 2026-08-28T00:00:00Z. The current bundle is \"oci://quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.3@sha256:567cb66bd2e1f4b58b9d4d756f3317fc62479e0b40aa0de66094b1f12d296cfc\" and the latest bundle ref is \"sha256:53a02326bfb930ca5ef6bfa7a33acca833d57752f34f3cb79255fe2e25e7d217\"","metadata": {"code": "trusted_task.current","collections": ["redhat","redhat_rpms"],"description": "Check if all Tekton Tasks use the latest known Task reference. When warnings will be reported can be configured using the `task_expiry_warning_days` rule data setting. It holds the number of days before the task is to expire within which the warnings will be reported.","solution": "Update the Task reference to a newer version.","term": "clamav-scan","title": "Tasks using the latest versions"}},{"msg": "A newer version of task \"ecosystem-cert-preflight-checks\" exists. Please update before 2026-08-08T00:00:00Z. 
The current bundle is \"oci://quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:88f4fd6d7812a3c46f120f3035974f5fb8cb06b5e3e927badf6e8370f1516a88\" and the latest bundle ref is \"sha256:3c4f60ebda2225eff6a6bc387d9bbd443f1264d756bf385f97cc684992e904a0\"","metadata": {"code": "trusted_task.current","collections": ["redhat","redhat_rpms"],"description": "Check if all Tekton Tasks use the latest known Task reference. When warnings will be reported can be configured using the `task_expiry_warning_days` rule data setting. It holds the number of days before the task is to expire within which the warnings will be reported.","solution": "Update the Task reference to a newer version.","term": "ecosystem-cert-preflight-checks","title": "Tasks using the latest versions"}},{"msg": "A newer version of task \"clone-repository\" exists. Please update before 2026-08-24T00:00:00Z. The current bundle is \"oci://quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.1@sha256:d30f13dd15daf89dd6dc645243b3444d35570d13f7840c3fd65e366022515205\" and the latest bundle ref is \"sha256:a11dac7d914d0165362cdcc4c50860a30320f59a32ed0778bf895004d3f74591\"","metadata": {"code": "trusted_task.current","collections": ["redhat","redhat_rpms"],"description": "Check if all Tekton Tasks use the latest known Task reference. When warnings will be reported can be configured using the `task_expiry_warning_days` rule data setting. It holds the number of days before the task is to expire within which the warnings will be reported.","solution": "Update the Task reference to a newer version.","term": "git-clone-oci-ta","title": "Tasks using the latest versions"}},{"msg": "A newer version of task \"prefetch-dependencies\" exists. Please update before 2026-08-02T00:00:00Z. 
The current bundle is \"oci://quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.3@sha256:3dc78afbf3a441e0280067433cb28ea3d2d0088ec214c73bf063f145b4f273ef\" and the latest bundle ref is \"sha256:92956e75cd4714286f9c0c043f5301d1c0df1d750884edeceee87e0a91cc1975\"","metadata": {"code": "trusted_task.current","collections": ["redhat","redhat_rpms"],"description": "Check if all Tekton Tasks use the latest known Task reference. When warnings will be reported can be configured using the `task_expiry_warning_days` rule data setting. It holds the number of days before the task is to expire within which the warnings will be reported.","solution": "Update the Task reference to a newer version.","term": "prefetch-dependencies-oci-ta","title": "Tasks using the latest versions"}},{"msg": "A newer version of task \"push-dockerfile\" exists. Please update before 2026-08-24T00:00:00Z. The current bundle is \"oci://quay.io/konflux-ci/tekton-catalog/task-push-dockerfile-oci-ta:0.3@sha256:7855471abfe87de080b914f2f3ca27c59e64f6448a7c2435e51435b764494c71\" and the latest bundle ref is \"sha256:581ddbb0b8dc388678cea65b9b3b6265db59f6de1d473006fb84fb0b456886bd\"","metadata": {"code": "trusted_task.current","collections": ["redhat","redhat_rpms"], "description": "Check if all Tekton Tasks use the latest known Task reference. When warnings will be reported can be configured using the `task_expiry_warning_days` rule data setting. It holds the number of days before the task is to expire within which the warnings will be reported.","solution": "Update the Task reference to a newer version.","term": "push-dockerfile-oci-ta","title": "Tasks using the latest versions"}},{"msg": "A newer version of task \"sast-shell-check\" exists. Please update before 2026-08-03T00:00:00Z. 
The current bundle is \"oci://quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta:0.1@sha256:3cbb3535af6e7d4396858179a6427caaffb2e68775594795692fc01f28ae313f\" and the latest bundle ref is \"sha256:fc685d6f7dfb7c9ab2f2db38bbe2c8d383407847350ccd8b96352322c487b13c\"","metadata": {"code": "trusted_task.current","collections": ["redhat","redhat_rpms"],"description": "Check if all Tekton Tasks use the latest known Task reference. When warnings will be reported can be configured using the `task_expiry_warning_days` rule data setting. It holds the number of days before the task is to expire within which the warnings will be reported.","solution": "Update the Task reference to a newer version.","term": "sast-shell-check-oci-ta","title": "Tasks using the latest versions"}},{"msg": "A newer version of task \"sast-snyk-check\" exists. Please update before 2026-08-03T00:00:00Z. The current bundle is \"oci://quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta:0.4@sha256:0ebf28a0abd5a167438d4628938a74ade6f00a44a4b7ed1cfa9cfc57a5b24748\" and the latest bundle ref is \"sha256:8d794f3c04de1b47b76f9e48a2be19520568d8b467598976cbd440c44532f970\"","metadata": {"code": "trusted_task.current","collections": ["redhat","redhat_rpms"],"description": "Check if all Tekton Tasks use the latest known Task reference. When warnings will be reported can be configured using the `task_expiry_warning_days` rule data setting. It holds the number of days before the task is to expire within which the warnings will be reported.","solution": "Update the Task reference to a newer version.","term": "sast-snyk-check-oci-ta","title": "Tasks using the latest versions"}},{"msg": "A newer version of task \"sast-unicode-check\" exists. Please update before 2026-08-03T00:00:00Z. 
The current bundle is \"oci://quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta:0.4@sha256:223812001607b07f0e07d56bef7b7d619144e660c0c57f21ddd44ce0c8c4785b\" and the latest bundle ref is \"sha256:5807ffe3a0cca5cf970076bbc7a404642cc6e3eebe64e9e5e6a4f20da740bf73\"","metadata": {"code": "trusted_task.current","collections": ["redhat","redhat_rpms"],"description": "Check if all Tekton Tasks use the latest known Task reference. When warnings will be reported can be configured using the `task_expiry_warning_days` rule data setting. It holds the number of days before the task is to expire within which the warnings will be reported.","solution": "Update the Task reference to a newer version.","term": "sast-unicode-check-oci-ta","title": "Tasks using the latest versions"}},{"msg": "A newer version of task \"build-source-image\" exists. Please update before 2026-08-24T00:00:00Z. The current bundle is \"oci://quay.io/konflux-ci/tekton-catalog/task-source-build-oci-ta:0.3@sha256:8567bb7bf8fa9147c96b297533336fa7079ecf972cb86c09ccdd6bddedb25711\" and the latest bundle ref is \"sha256:d8115c74aed42fe9b1b3df149c534ced09f33c7bc6e51449bcaf8ec50699b8a0\"","metadata": {"code": "trusted_task.current","collections": ["redhat","redhat_rpms"],"description": "Check if all Tekton Tasks use the latest known Task reference. When warnings will be reported can be configured using the `task_expiry_warning_days` rule data setting. It holds the number of days before the task is to expire within which the warnings will be reported.","solution": "Update the Task reference to a newer version.","term": "source-build-oci-ta","title": "Tasks using the latest versions"}}],"successes": [{"msg": "Pass","metadata": {"code": "attestation_type.deprecated_policy_attestation_format","collections": ["minimal","redhat","redhat_rpms"],"description": "The Conforma CLI now places the attestation data in a different location. 
This check fails if the expected new format is not found.","effective_on": "2023-08-31T00:00:00Z","title": "Deprecated policy attestation format"}},{"msg": "Pass","metadata": {"code": "attestation_type.known_attestation_type","collections": ["minimal","redhat","redhat_rpms","slsa3"],"depends_on": ["attestation_type.pipelinerun_attestation_found"],"description": "Confirm the attestation found for the image has a known attestation type.","title": "Known attestation type found"}},{"msg": "Pass","metadata": {"code": "attestation_type.known_attestation_types_provided","collections": ["minimal","redhat","redhat_rpms","policy_data"],"description": "Confirm the `known_attestation_types` rule data was provided.","title": "Known attestation types provided"}},{"msg": "Pass","metadata": {"code": "attestation_type.pipelinerun_attestation_found","collections": ["minimal","redhat","redhat_rpms","slsa3"],"description": "Confirm at least one PipelineRun attestation is present.","title": "PipelineRun attestation found"}},{"msg": "Pass","metadata": {"code": "base_image_registries.allowed_registries_provided","collections": ["minimal","redhat","policy_data"],"description": "Confirm the `allowed_registry_prefixes` rule data was provided, since it's required by the policy rules in this package.","title": "Allowed base image registry prefixes list was provided"}},{"msg": "Pass","metadata": {"code": "base_image_registries.base_image_info_found","collections": ["minimal","redhat"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify the expected information was provided about which base images were used during the build process. 
The list of base images comes from any associated CycloneDX or SPDX SBOMs.","title": "Base images provided"}},{"msg": "Pass","metadata": {"code": "base_image_registries.base_image_permitted","collections": ["minimal","redhat"],"depends_on": ["base_image_registries.base_image_info_found","base_image_registries.allowed_registries_provided"],"description": "Verify that the base images used when building a container image come from a known set of trusted registries to reduce potential supply chain attacks. By default this policy defines trusted registries as registries that are fully maintained by Red Hat and only contain content produced by Red Hat. The list of permitted registries can be customized by setting the `allowed_registry_prefixes` list in the rule data. Base images that are found in the snapshot being validated are also allowed since EC will also validate those images individually.","title": "Base image comes from permitted registry"}},{"msg": "Pass","metadata": {"code": "base_image_registries.base_image_permitted","collections": ["minimal","redhat"],"depends_on": ["base_image_registries.base_image_info_found","base_image_registries.allowed_registries_provided"],"description": "Verify that the base images used when building a container image come from a known set of trusted registries to reduce potential supply chain attacks. By default this policy defines trusted registries as registries that are fully maintained by Red Hat and only contain content produced by Red Hat. The list of permitted registries can be customized by setting the `allowed_registry_prefixes` list in the rule data. 
Base images that are found in the snapshot being validated are also allowed since EC will also validate those images individually.","title": "Base image comes from permitted registry"}},{"msg": "Pass","metadata": {"code": "buildah_build_task.add_capabilities_param","collections": ["redhat"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify the ADD_CAPABILITIES parameter of a builder Tasks was not used.","effective_on": "2024-08-31T00:00:00Z", "title": "ADD_CAPABILITIES parameter"}},{"msg": "Pass","metadata": {"code": "buildah_build_task.buildah_uses_local_dockerfile","collections": ["redhat"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify the Dockerfile used in the buildah task was not fetched from an external source.","title": "Buildah task uses a local Dockerfile"}},{"msg": "Pass","metadata": {"code": "buildah_build_task.disallowed_platform_patterns_pattern","collections": ["redhat","policy_data"],"description": "Confirm the `disallowed_platform_patterns` rule data, if provided matches the expected format.","title": "disallowed_platform_patterns format"}},{"msg": "Pass","metadata": {"code": "buildah_build_task.platform_param","collections": ["redhat"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify the value of the PLATFORM parameter of a builder Task is allowed by matching against a list of disallowed patterns. The list of patterns can be customized via the `disallowed_platform_patterns` rule data key. 
If empty, all values are allowed.","effective_on": "2024-09-01T00:00:00Z","title": "PLATFORM parameter"}},{"msg": "Pass","metadata": {"code": "buildah_build_task.privileged_nested_param","collections": ["redhat"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify the PRIVILEGED_NESTED parameter of a builder Tasks was not set to `true`.","title": "PRIVILEGED_NESTED parameter"}},{"msg": "Pass","metadata": {"code": "builtin.attestation.signature_check","description": "The attestation signature matches available signing materials.","title": "Attestation signature check passed"}},{"msg": "Pass","metadata": {"code": "builtin.attestation.syntax_check","description": "The attestation has correct syntax.","title": "Attestation syntax check passed"}},{"msg": "Pass","metadata": {"code": "builtin.image.signature_check","description": "The image signature matches available signing materials.","title": "Image signature check passed"}},{"msg": "Pass","metadata": {"code": "cve.cve_blockers","collections": ["minimal","redhat"],"depends_on": ["cve.cve_results_found"],"description": "The SLSA Provenance attestation for the image is inspected to ensure CVEs that have a known fix and meet a certain security level have not been detected. If detected, this policy rule will fail. By default, only CVEs of critical and high security level cause a failure. This is configurable by the rule data key `restrict_cve_security_levels`. The available levels are critical, high, medium, low, and unknown. 
In addition to that leeway can be granted per severity using the `cve_leeway` rule data key containing days of allowed leeway, measured as time between found vulnerability's public disclosure date and current effective time, per severity level.","title": "Blocking CVE check"}},{"msg": "Pass","metadata": {"code": "cve.cve_warnings","collections": ["minimal","redhat"],"depends_on": ["cve.cve_results_found"],"description": "The SLSA Provenance attestation for the image is inspected to ensure CVEs that have a known fix and meet a certain security level have not been detected. If detected, this policy rule will raise a warning. By default, the list of CVE security levels used by this policy is empty. However, this is configurable by the rule data key `warn_cve_security_levels`. The available levels are critical, high, medium, low, and unknown.","title": "Non-blocking CVE check"}},{"msg": "Pass","metadata": {"code": "cve.rule_data_provided","collections": ["minimal","redhat","policy_data"],"description": "Confirm the expected rule data keys have been provided in the expected format. The keys are `restrict_cve_security_levels`,\t`warn_cve_security_levels`, `restrict_unpatched_cve_security_levels`, and `warn_unpatched_cve_security_levels`.","title": "Rule data provided"}},{"msg": "Pass","metadata": {"code": "cve.unpatched_cve_blockers","collections": ["minimal","redhat"],"depends_on": ["cve.cve_results_found"],"description": "The SLSA Provenance attestation for the image is inspected to ensure CVEs that do NOT have a known fix and meet a certain security level have not been detected. If detected, this policy rule will fail. By default, the list of security levels used by this policy is empty. This is configurable by the rule data key `restrict_unpatched_cve_security_levels`. The available levels are critical, high, medium, low, and unknown. 
In addition to that leeway can be granted per severity using the `cve_leeway` rule data key containing days of allowed leeway, measured as time between found vulnerability's public disclosure date and current effective time, per severity level.","title": "Blocking unpatched CVE check"}},{"msg": "Pass","metadata": {"code": "cve.unpatched_cve_warnings","collections": ["minimal","redhat"],"depends_on": ["cve.cve_results_found"],"description": "The SLSA Provenance attestation for the image is inspected to ensure CVEs that do NOT have a known fix and meet a certain security level have not been detected. If detected, this policy rule will raise a warning. By default, only CVEs of critical and high security level cause a warning. This is configurable by the rule data key `warn_unpatched_cve_security_levels`. The available levels are critical, high, medium, low, and unknown.","title": "Non-blocking unpatched CVE check"}},{"msg": "Pass","metadata": {"code": "hermetic_task.hermetic","collections": ["redhat"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify the task in the PipelineRun attestation was invoked with the proper parameters to make the task execution hermetic.","title": "Task called with hermetic param set"}},{"msg": "Pass","metadata": {"code": "labels.deprecated_labels","collections": ["redhat"],"description": "Check the image for the presence of labels that have been deprecated. Use the rule data key `deprecated_labels` to set the list of labels to check.","title": "Deprecated labels"}},{"msg": "Pass","metadata": {"code": "labels.disallowed_inherited_labels","collections": ["redhat"],"description": "Check that certain labels on the image have different values than the labels from the parent image. If the label is inherited from the parent image but not redefined for the image, it will contain an incorrect value for the image. 
Use the rule data `disallowed_inherited_labels` key to set the list of labels to check, or the `fbc_disallowed_inherited_labels` key for fbc images.","title": "Disallowed inherited labels"}},{"msg": "Pass","metadata": {"code": "labels.inaccessible_config","collections": ["redhat"],"description": "The image config is not accessible.","title": "Inaccessible image config"}},{"msg": "Pass","metadata": {"code": "labels.inaccessible_manifest","collections": ["redhat"],"description": "The image manifest is not accessible.","title": "Inaccessible image manifest"}},{"msg": "Pass","metadata": {"code": "labels.inaccessible_parent_config","collections": ["redhat"],"description": "The parent image config is not accessible.","title": "Inaccessible parent image config"}},{"msg": "Pass","metadata": {"code": "labels.inaccessible_parent_manifest","collections": ["redhat"],"description": "The parent image manifest is not accessible.","title": "Inaccessible parent image manifest"}},{"msg": "Pass","metadata": {"code": "labels.optional_labels","collections": ["redhat"],"description": "Check the image for the presence of labels that are recommended, but not required. Use the rule data `optional_labels` key to set the list of labels to check, or the `fbc_optional_labels` key for fbc images.","title": "Optional labels"}},{"msg": "Pass","metadata": {"code": "labels.required_labels","collections": ["redhat"],"description": "Check the image for the presence of labels that are required. Use the rule data `required_labels` key to set the list of labels to check, or the `fbc_required_labels` key for fbc images.","title": "Required labels"}},{"msg": "Pass","metadata": { "code": "labels.rule_data_provided","collections": ["redhat","policy_data"],"description": "Confirm the expected rule data keys have been provided in the expected format. 
The keys are `required_labels`,\t`fbc_required_labels`, `optional_labels`, `fbc_optional_labels`, `disallowed_inherited_labels`, `fbc_disallowed_inherited_labels`, and `deprecated_labels`.","title": "Rule data provided"}},{"msg": "Pass","metadata": {"code": "olm.allowed_registries","collections": ["redhat"],"description": "Each image referenced by the OLM bundle should match an entry in the list of prefixes defined by the rule data key `allowed_olm_image_registry_prefixes` in your policy configuration.","effective_on": "2024-09-01T00:00:00Z","title": "Images referenced by OLM bundle are from allowed registries"}},{"msg": "Pass","metadata": {"code": "olm.allowed_registries_related","collections": ["redhat"],"description": "Each image indicated as a related image should match an entry in the list of prefixes defined by the rule data key `allowed_olm_image_registry_prefixes` in your policy configuration.","effective_on": "2025-04-15T00:00:00Z","title": "Related images references are from allowed registries"}},{"msg": "Pass","metadata": {"code": "olm.allowed_resource_kinds","collections": ["redhat"],"description": "Every manifest in an OLM bundle must be of an allowed resource kind, as defined by the rule data key `allowed_olm_resource_kinds`.","title": "OLM bundle image manifests contain only allowed resource kinds"}},{"msg": "Pass","metadata": {"code": "olm.csv_semver_format","collections": ["redhat"],"description": "Check the `spec.version` value in the ClusterServiceVersion manifest of the OLM bundle uses a properly formatted semver.","title": "ClusterServiceVersion semver format"}},{"msg": "Pass","metadata": {"code": "olm.feature_annotations_format","collections": ["redhat"],"description": "Check the feature annotations in the ClusterServiceVersion manifest of the OLM bundle. All of required feature annotations must be present and set to either the string `\"true\"` or the string `\"false\"`. 
The list of feature annotations can be customize via the `required_olm_features_annotations` rule data.","title": "Feature annotations have expected value"}},{"msg": "Pass","metadata": {"code": "olm.inaccessible_related_images","collections": ["redhat"],"description": "Check the input image for the presence of related images. Ensure that all images are accessible.","effective_on": "2025-03-10T00:00:00Z","title": "Unable to access related images for a component"}},{"msg": "Pass","metadata": {"code": "olm.olm_bundle_multi_arch","collections": ["redhat"],"description": "OLM bundle images should be built for a single architecture. They should not be OCI image indexes nor should they be Docker v2s2 manifest lists.","effective_on": "2025-05-01T00:00:00Z","title": "OLM bundle images are not multi-arch"}},{"msg": "Pass","metadata": {"code": "olm.required_network_policy_rbac_for_operands","collections": ["redhat"],"description": "Operators are required to manage the network policies of their operands. This rule verifies that operator bundles request sufficient RBAC permissions to manage NetworkPolicy lifecycle (create, delete, and update/patch) for networking.k8s.io/networkpolicies in their ClusterServiceVersion. 
Bundles whose operator name and major.minor version are listed in the `operator_network_policy_rbac_exceptions` rule data key are exempt from this requirement.","effective_on": "2026-08-07T00:00:00Z","title": "NetworkPolicy RBAC present in OLM bundle"}},{"msg": "Pass","metadata": {"code": "olm.required_olm_features_annotations_provided","collections": ["redhat","policy_data"],"description": "Confirm the `required_olm_features_annotations` rule data was provided, since it's required by the policy rules in this package.","title": "Required OLM feature annotations list provided"}},{"msg": "Pass","metadata": {"code": "olm.subscriptions_annotation_format","collections": ["redhat"],"description": "Check the value of the operators.openshift.io/valid-subscription annotation from the ClusterServiceVersion manifest is in the expected format, i.e. JSON encoded non-empty array of strings.","effective_on": "2024-04-18T00:00:00Z","title": "Subscription annotation has expected value"}},{"msg": "Pass","metadata": {"code": "olm.unmapped_references","collections": ["redhat"],"description": "Check the OLM bundle image for the presence of unmapped image references. Unmapped image pull references are references to images found in link:https://osbs.readthedocs.io/en/latest/users.html#pullspec-locations[varying locations] that are either not in the RPA about to be released or not accessible already.","effective_on": "2024-08-15T00:00:00Z","title": "Unmapped images in OLM bundle"}},{"msg": "Pass","metadata": {"code": "olm.unpinned_references","collections": ["redhat"],"description": "Check the OLM bundle image for the presence of unpinned image references. 
Unpinned image pull references are references to images found in link:https://osbs.readthedocs.io/en/latest/users.html#pullspec-locations[varying locations] that do not contain a digest -- uniquely identifying the version of the image being pulled.","title": "Unpinned images in OLM bundle"}},{"msg": "Pass","metadata": {"code": "olm.unpinned_related_images","collections": ["redhat"],"description": "Check the input image for the presence of related images. Ensure all related image references include a digest.","title": "Unpinned related images for a component"}},{"msg": "Pass","metadata": {"code": "olm.unpinned_snapshot_references","collections": ["redhat"],"description": "Check the input snapshot for the presence of unpinned image references. Unpinned image pull references are references to images that do not contain a digest -- uniquely identifying the version of the image being pulled.","effective_on": "2024-08-15T00:00:00Z","title": "Unpinned images in input snapshot"}},{"msg": "Pass","metadata": {"code": "pre_build_script_task.pre_build_script_task_runner_image_allowed","collections": ["redhat"],"depends_on": ["attestation_type.known_attestation_type","base_image_registries.allowed_registries_provided"],"description": "Verify that the images used to run the pre-build script tasks come from a known set of trusted registries to reduce potential supply chain attacks. By default this policy defines trusted registries as registries that are fully maintained by Red Hat and only contain content produced by Red Hat. 
The list of allowed registries can be customized by setting the `allowed_registry_prefixes` list in the rule data.","title": "Script runner image comes from allowed registry"}},{"msg": "Pass","metadata": {"code": "pre_build_script_task.pre_build_script_task_runner_image_allowed","collections": ["redhat"],"depends_on": ["attestation_type.known_attestation_type","base_image_registries.allowed_registries_provided"],"description": "Verify that the images used to run the pre-build script tasks come from a known set of trusted registries to reduce potential supply chain attacks. By default this policy defines trusted registries as registries that are fully maintained by Red Hat and only contain content produced by Red Hat. The list of allowed registries can be customized by setting the `allowed_registry_prefixes` list in the rule data.","title": "Script runner image comes from allowed registry"}},{"msg": "Pass","metadata": {"code": "pre_build_script_task.pre_build_script_task_runner_image_in_results","collections": ["redhat"],"description": "Verify that the image used to run the pre-build script task is listed in the task result SCRIPT_RUNNER_IMAGE_REFERENCE","title": "Script runner image is listed in the task results"}},{"msg": "Pass","metadata": {"code": "pre_build_script_task.pre_build_script_task_runner_image_in_sbom","collections": ["redhat"],"description": "Verify that the image used to run the pre-build script task is included in the SBOM", "title": "Script runner image is included in the sbom"}},{"msg": "Pass","metadata": {"code": "pre_build_script_task.valid_pre_build_script_task_runner_image_ref","collections": ["redhat"],"description": "Verify that a valid image reference is specified as image being used to run the pre-build script task","title": "Script runner image is a valid image reference"}},{"msg": "Pass","metadata": {"code": "prefetch_dependencies.mode_not_permissive","collections": ["redhat"],"depends_on": 
["attestation_type.known_attestation_type"],"description": "Verify the prefetch-dependencies task in the PipelineRun attestation was not invoked with the \"permissive\" mode parameter, which could compromise security.","title": "Prefetch dependencies mode parameter check"}},{"msg": "Pass","metadata": {"code": "prefetch_dependencies.package_registry_proxy_enabled","collections": ["redhat"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify that prefetch-dependencies tasks have the enable-package-registry-proxy parameter set to true. This ensures that dependency prefetching uses the package registry proxy.","effective_on": "2026-05-13T00:00:00Z","title": "Prefetch task has package registry proxy enabled"}},{"msg": "Pass","metadata": {"code": "provenance_materials.git_clone_source_matches_provenance","collections": ["minimal","redhat","redhat_rpms"],"depends_on": ["provenance_materials.git_clone_task_found"],"description": "Confirm that the result of the git-clone task is included in the materials section of the SLSA provenance attestation.","title": "Git clone source matches materials provenance"}},{"msg": "Pass","metadata": {"code": "provenance_materials.git_clone_task_found","collections": ["minimal","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Confirm that the attestation contains a git-clone task with `commit` and `url` task results.","title": "Git clone task found"}},{"msg": "Pass","metadata": {"code": "quay_expiration.expires_label","collections": ["redhat"],"description": "Check the image metadata for the presence of a \"quay.expires-after\" label. If it's present then produce a violation. 
This check is enforced only for a \"release\", \"production\", or \"staging\" pipeline, as determined by the value of the `pipeline_intention` rule data.","title": "Expires label"}},{"msg": "Pass","metadata": {"code": "rpm_ostree_task.builder_image_param","collections": ["redhat"],"description": "Verify the BUILDER_IMAGE parameter of the rpm-ostree Task uses an image reference that is both pinned to a digest and starts with a pre-defined list of prefixes. By default, the list of prefixes is empty allowing any pinned image reference to be used. This is customizable via the `allowed_rpm_ostree_builder_image_prefixes` rule data.","effective_on": "2024-03-20T00:00:00Z","title": "Builder image parameter"}},{"msg": "Pass","metadata": {"code": "rpm_ostree_task.rule_data","collections": ["redhat"],"description": "Verify the rule data used by this package, `allowed_rpm_ostree_builder_image_prefixes`, is in the expected format.","title": "Rule data"}},{"msg": "Pass","metadata": {"code": "rpm_packages.unique_version","collections": ["redhat"],"description": "Check if a multi-arch build has the same RPM versions installed across each different architecture. This check only applies for Image Indexes, aka multi-platform images. Use the `non_unique_rpm_names` rule data key to ignore certain RPMs.","title": "Unique Version"}},{"msg": "Pass","metadata": {"code": "rpm_repos.ids_known","collections": ["redhat","redhat_rpms"],"description": "Each RPM package listed in an SBOM must specify the repository id that it comes from, and that repository id must be present in the list of known and permitted repository ids. 
Currently this is rule enforced only for SBOM components created by cachi2.","effective_on": "2024-11-10T00:00:00Z","title": "All rpms have known repo ids"}},{"msg": "Pass","metadata": {"code": "rpm_repos.rule_data_provided","collections": ["redhat","redhat_rpms","policy_data"],"description": "A list of known and permitted repository ids should be available in the rule data.","title": "Known repo id list provided"}},{"msg": "Pass","metadata": {"code": "rpm_signature.allowed","collections": ["redhat","redhat_rpms"],"description": "The SLSA Provenance attestation for the image is inspected to ensure RPMs have been signed by pre-defined set of signing keys. The list of signing keys can be set via the `allowed_rpm_signature_keys` rule data. Use the special value \"unsigned\" to allow unsigned RPMs.","effective_on": "2024-10-05T00:00:00Z","title": "Allowed RPM signature key"}},{"msg": "Pass","metadata": {"code": "rpm_signature.result_format","collections": ["redhat","redhat_rpms"],"description": "Confirm the format of the RPMS_DATA result is in the expected format.","effective_on": "2024-10-05T00:00:00Z","title": "Result format"}},{"msg": "Pass","metadata": {"code": "rpm_signature.rule_data_provided","collections": ["redhat","redhat_rpms","policy_data"],"description": "Confirm the expected `allowed_rpm_signature_keys` rule data key has been provided in the expected format.","effective_on": "2024-10-05T00:00:00Z","title": "Rule data provided"}},{"msg": "Pass","metadata": {"code": "sbom.disallowed_packages_provided","collections": ["redhat","policy_data","redhat_rpms"],"description": "Confirm the `disallowed_packages` and `disallowed_attributes` rule data were provided, since they are required by the policy rules in this package.","title": "Disallowed packages list is provided"}},{"msg": "Pass","metadata": {"code": "sbom.found","collections": ["minimal","redhat"],"description": "Confirm an SBOM attestation exists.","title": "Found"}},{"msg": "Pass","metadata": {"code": 
"sbom_cyclonedx.allowed","collections": ["redhat","redhat_rpms"],"description": "Confirm the CycloneDX SBOM contains only allowed packages. By default all packages are allowed. Use the \"disallowed_packages\" rule data key to provide a list of disallowed packages.","title": "Allowed"}},{"msg": "Pass","metadata": {"code": "sbom_cyclonedx.allowed_package_external_references","collections": ["redhat","redhat_rpms","policy_data"],"description": "Confirm the CycloneDX SBOM contains only packages with explicitly allowed external references. By default all external references are allowed unless the \"allowed_external_references\" rule data key provides a list of type-pattern pairs that forbid the use of any other external reference of the given type where the reference url matches the given pattern.","title": "Allowed package external references"}},{"msg": "Pass","metadata": {"code": "sbom_cyclonedx.allowed_package_sources","collections": ["redhat","redhat_rpms","policy_data"],"description": "For each of the components fetched by Hermeto which define externalReferences of type distribution, verify they are allowed based on the allowed_package_sources rule data key. By default, allowed_package_sources is empty, which means no components with such references are allowed.","effective_on": "2024-12-15T00:00:00Z","title": "Allowed package sources"}},{"msg": "Pass","metadata": {"code": "sbom_cyclonedx.allowed_proxy_urls","collections": ["redhat","policy_data"], "description": "For components found by Hermeto with a PURL type listed in proxy_enabled_purl_types that are registry dependencies (no download_url or vcs_url qualifier, not bundled), verify proxy URLs in externalReferences of type distribution with comment \"proxy URL\" match at least one pattern from allowed_proxy_url_patterns. The \"proxy_enabled_purl_types\" rule data key is a list of PURL type strings (e.g. [\"maven\", \"npm\"]). 
The \"allowed_proxy_url_patterns\" rule data key is an object mapping each PURL type string to a list of regular expression patterns (e.g. {\"maven\": [\"^https://proxy\\\\.example\\\\.com/maven/.*\"]}). If a PURL type is listed in proxy_enabled_purl_types but has no entry in allowed_proxy_url_patterns, all components of that type are denied.","effective_on": "2026-06-01T00:00:00Z","title": "Allowed proxy URLs"}},{"msg": "Pass","metadata": {"code": "sbom_cyclonedx.cdx_supported_version","collections": ["minimal","redhat","redhat_rpms"],"description": "Check that the CycloneDX SBOM specifies a supported schema version (1.4, 1.5 or 1.6).","title": "Supported Version"}},{"msg": "Pass","metadata": {"code": "sbom_cyclonedx.disallowed_package_attributes","collections": ["redhat","redhat_rpms","policy_data"],"description": "Confirm the CycloneDX SBOM contains only packages without disallowed attributes. By default all attributes are allowed. Use the \"disallowed_attributes\" rule data key to provide a list of key-value pairs that forbid the use of an attribute set to the given value. Each entry may include an optional \"except_when\" field to suppress violations when a PURL qualifier matches specified regex patterns.","effective_on": "2024-07-31T00:00:00Z","title": "Disallowed package attributes"}},{"msg": "Pass","metadata": {"code": "sbom_cyclonedx.disallowed_package_external_references","collections": ["redhat","redhat_rpms","policy_data"],"description": "Confirm the CycloneDX SBOM contains only packages without disallowed external references. By default all external references are allowed. 
Use the \"disallowed_external_references\" rule data key to provide a list of type-pattern pairs that forbid the use of an external reference of the given type where the reference url matches the given pattern.","effective_on": "2024-07-31T00:00:00Z","title": "Disallowed package external references"}},{"msg": "Pass","metadata": {"code": "sbom_cyclonedx.proxy_metadata_required","collections": ["redhat","policy_data"],"description": "For components found by Hermeto with a PURL type listed in proxy_enabled_purl_types that are registry dependencies (no download_url or vcs_url qualifier, not bundled), verify that proxy metadata is present. In CycloneDX, this means at least one externalReference with type \"distribution\" and comment \"proxy URL\" must exist.","effective_on": "2026-05-13T00:00:00Z","title": "Proxy metadata required"}},{"msg": "Pass","metadata": {"code": "sbom_cyclonedx.valid_cdx_1_4","collections": ["minimal","redhat","redhat_rpms"],"description": "Check the CycloneDX SBOM has the expected format. It verifies the CycloneDX SBOM matches the 1.4 version of the schema.","title": "Valid 1.4"}},{"msg": "Pass","metadata": {"code": "sbom_cyclonedx.valid_cdx_1_5","collections": ["minimal","redhat","redhat_rpms"],"description": "Check the CycloneDX SBOM has the expected format. It verifies the CycloneDX SBOM matches the 1.5 version of the schema.","title": "Valid 1.5"}},{"msg": "Pass","metadata": {"code": "sbom_cyclonedx.valid_cdx_1_6","collections": ["minimal","redhat","redhat_rpms"],"description": "Check the CycloneDX SBOM has the expected format. It verifies the CycloneDX SBOM matches the 1.6 version of the schema.","title": "Valid 1.6"}},{"msg": "Pass","metadata": {"code": "sbom_spdx.allowed","collections": ["redhat","redhat_rpms"],"description": "Confirm the SPDX SBOM contains only allowed packages. By default all packages are allowed. 
Use the \"disallowed_packages\" rule data key to provide a list of disallowed packages.","title": "Allowed"}},{"msg": "Pass","metadata": {"code": "sbom_spdx.allowed_package_external_references","collections": ["redhat","redhat_rpms","policy_data"],"description": "Confirm the SPDX SBOM contains only packages with explicitly allowed external references. By default all external references are allowed unless the \"allowed_external_references\" rule data key provides a list of type-pattern pairs that forbid the use of any other external reference of the given type where the reference url matches the given pattern.","title": "Allowed package external references"}},{"msg": "Pass","metadata": {"code": "sbom_spdx.allowed_package_sources","collections": ["redhat","redhat_rpms","policy_data"],"description": "For each of the packages fetched by Hermeto which define externalReferences, verify they are allowed based on the allowed_package_sources rule data key. By default, allowed_package_sources is empty, which means no components with such references are allowed.","effective_on": "2025-02-17T00:00:00Z","title": "Allowed package sources"}},{"msg": "Pass","metadata": {"code": "sbom_spdx.allowed_proxy_urls","collections": ["redhat","policy_data"],"description": "For packages found by Hermeto with a PURL type listed in proxy_enabled_purl_types that are registry dependencies (no download_url or vcs_url qualifier, not bundled), verify each proxy URL in sourceInfo matches at least one pattern from allowed_proxy_url_patterns. Hermeto records proxy URLs in the sourceInfo field, semicolon-separated when multiple proxies are used. The \"proxy_enabled_purl_types\" rule data key is a list of PURL type strings (e.g. [\"maven\", \"npm\"]). The \"allowed_proxy_url_patterns\" rule data key is an object mapping each PURL type string to a list of regular expression patterns (e.g. {\"maven\": [\"^https://proxy\\\\.example\\\\.com/maven/.*\"]}). 
If a PURL type is listed in proxy_enabled_purl_types but has no entry in allowed_proxy_url_patterns, all packages of that type are denied.","effective_on": "2026-06-01T00:00:00Z","title": "Allowed proxy URLs"}},{"msg": "Pass","metadata": {"code": "sbom_spdx.disallowed_package_attributes","collections": ["redhat","redhat_rpms","policy_data"],"description": "Confirm the SPDX SBOM contains only packages without disallowed attributes. By default all attributes are allowed. Use the \"disallowed_attributes\" rule data key to provide a list of key-value pairs that forbid the use of an attribute set to the given value. Each entry may include an optional \"except_when\" field to suppress violations when a PURL qualifier matches specified regex patterns.","effective_on": "2025-02-04T00:00:00Z","title": "Disallowed package attributes"}},{"msg": "Pass","metadata": {"code": "sbom_spdx.disallowed_package_external_references","collections": ["redhat","redhat_rpms","policy_data"],"description": "Confirm the SPDX SBOM contains only packages without disallowed external references. By default all external references are allowed. Use the \"disallowed_external_references\" rule data key to provide a list of type-pattern pairs that forbid the use of an external reference of the given type where the reference url matches the given pattern.","effective_on": "2024-07-31T00:00:00Z","title": "Disallowed package external references"}},{"msg": "Pass","metadata": {"code": "sbom_spdx.proxy_metadata_required","collections": ["redhat","policy_data"],"description": "For packages found by Hermeto with a PURL type listed in proxy_enabled_purl_types that are registry dependencies (no download_url or vcs_url qualifier, not bundled), verify that proxy metadata is present. 
In SPDX, the sourceInfo field must be non-empty.","effective_on": "2026-05-13T00:00:00Z","title": "Proxy metadata required"}},{"msg": "Pass","metadata": {"code": "sbom_spdx.valid","collections": ["minimal","redhat","redhat_rpms"],"description": "Check the SPDX SBOM has the expected format. It verifies the SPDX SBOM matches the 2.3 version of the schema.", "title": "Valid"}},{"msg": "Pass","metadata": {"code": "schedule.date_restriction","collections": ["redhat"],"description": "Check if the current date is not allowed based on the rule data value from the key `disallowed_dates`. By default, the list is empty in which case *any* day is allowed. This check is enforced only for a \"release\" or \"production\" pipeline, as determined by the value of the `pipeline_intention` rule data.","title": "Date Restriction"}},{"msg": "Pass","metadata": {"code": "schedule.rule_data_provided","collections": ["redhat","policy_data"],"description": "Confirm the expected rule data keys have been provided in the expected format. The keys are `disallowed_weekdays` and `disallowed_dates`.","title": "Rule data provided"}},{"msg": "Pass","metadata": {"code": "schedule.weekday_restriction","collections": ["redhat"],"description": "Check if the current weekday is allowed based on the rule data value from the key `disallowed_weekdays`. By default, the list is empty in which case *any* weekday is allowed. 
This check is enforced only for a \"release\" or \"production\" pipeline, as determined by the value of the `pipeline_intention` rule data.","title": "Weekday Restriction"}},{"msg": "Pass","metadata": {"code": "slsa_build_build_service.allowed_builder_ids_provided","collections": ["slsa3","redhat","redhat_rpms","policy_data"],"description": "Confirm the `allowed_builder_ids` rule data was provided, since it is required by the policy rules in this package.","title": "Allowed builder IDs provided"}},{"msg": "Pass","metadata": {"code": "slsa_build_build_service.slsa_builder_id_accepted","collections": ["slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify that the attestation attribute predicate.builder.id is set to one of the values in the `allowed_builder_ids` rule data, e.g. \"https://tekton.dev/chains/v2\".","title": "SLSA Builder ID is known and accepted"}},{"msg": "Pass","metadata": {"code": "slsa_build_build_service.slsa_builder_id_found","collections": ["slsa3","redhat"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify that the attestation attribute predicate.builder.id is set.","title": "SLSA Builder ID found"}},{"msg": "Pass","metadata": {"code": "slsa_build_scripted_build.build_script_used","collections": ["slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify that the predicate.buildConfig.tasks.steps attribute for the task responsible for building and pushing the image is not empty.","title": "Build task contains steps"}},{"msg": "Pass","metadata": {"code": "slsa_build_scripted_build.build_task_image_results_found","collections": ["slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Confirm that a build task exists and it has the expected IMAGE_DIGEST and IMAGE_URL task results.","title": "Build task set image digest and url task results"}},{"msg": 
"Pass","metadata": {"code": "slsa_build_scripted_build.image_built_by_trusted_task","collections": ["redhat"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify the digest of the image being validated is reported by a trusted Task in its IMAGE_DIGEST result.","title": "Image built by trusted Task"}},{"msg": "Pass","metadata": {"code": "slsa_build_scripted_build.subject_build_task_matches","collections": ["slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify the subject of the attestations matches the IMAGE_DIGEST and IMAGE_URL values from the build task.","title": "Provenance subject matches build task image result"}},{"msg": "Pass","metadata": {"code": "slsa_provenance_available.allowed_predicate_types_provided","collections": ["minimal","slsa3","redhat","redhat_rpms","policy_data"],"description": "Confirm the `allowed_predicate_types` rule data was provided, since it is required by the policy rules in this package.","title": "Allowed predicate types provided"}},{"msg": "Pass","metadata": {"code": "slsa_provenance_available.attestation_predicate_type_accepted","collections": ["minimal","slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify that the predicateType field of the attestation indicates the in-toto SLSA Provenance format was used to attest the PipelineRun.","title": "Expected attestation predicate type found"}},{"msg": "Pass","metadata": {"code": "slsa_source_correlated.attested_source_code_reference","collections": ["minimal","slsa3","redhat"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Attestation contains source reference.","title": "Source reference"}},{"msg": "Pass","metadata": {"code": "slsa_source_correlated.expected_source_code_reference","collections": ["minimal","slsa3","redhat"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify that the 
provided source code reference is the one being attested.","title": "Expected source code reference"}},{"msg": "Pass","metadata": {"code": "slsa_source_correlated.rule_data_provided","collections": ["minimal","slsa3","redhat","redhat_rpms","policy_data"],"description": "Confirm the expected rule data keys have been provided in the expected format. The keys are `supported_vcs` and `supported_digests`.","title": "Rule data provided"}},{"msg": "Pass","metadata": {"code": "slsa_source_version_controlled.materials_format_okay","collections": ["minimal","slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Confirm at least one entry in the predicate.materials array of the attestation contains the expected attributes: uri and digest.sha1.","title": "Materials have uri and digest"}},{"msg": "Pass","metadata": {"code": "slsa_source_version_controlled.materials_include_git_sha","collections": ["minimal","slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Ensure that each entry in the predicate.materials array with a SHA-1 digest includes a valid Git commit SHA.","title": "Materials include git commit shas"}},{"msg": "Pass","metadata": {"code": "slsa_source_version_controlled.materials_uri_is_git_repo","collections": ["minimal","slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Ensure each entry in the predicate.materials array with a SHA-1 digest includes a valid Git URI.","title": "Material uri is a git repo"}},{"msg": "Pass","metadata": {"code": "source_image.exists","collections": ["redhat"],"description": "Verify the source container image exists.","effective_on": "2024-06-05T00:00:00Z","title": "Exists"}},{"msg": "Pass","metadata": {"code": "source_image.signed","collections": ["redhat"],"depends_on": ["source_image.exists"],"description": "Verify the source container image is signed.","effective_on": 
"2024-05-04T00:00:00Z","title": "Signed"}},{"msg": "Pass","metadata": {"code": "tasks.data_provided","collections": ["redhat","redhat_rpms","policy_data"],"description": "Confirm the expected data keys have been provided in the expected format. The keys are `pipeline-required-tasks` and `required-tasks`.","title": "Data provided"}},{"msg": "Pass","metadata": {"code": "tasks.future_required_tasks_found","collections": ["redhat","redhat_rpms"],"depends_on": ["tasks.pipeline_has_tasks"],"description": "Produce a warning when a task that will be required in the future was not included in the PipelineRun attestation.","title": "Future required tasks were found"}},{"msg": "Pass","metadata": {"code": "tasks.pinned_task_refs","collections": ["redhat"],"depends_on": ["tasks.pipeline_has_tasks"],"description": "Ensure that all Tasks in the SLSA Provenance attestation use an immuntable reference to the Task definition.","title": "Pinned Task references"}},{"msg": "Pass", "metadata": {"code": "tasks.pipeline_has_tasks","collections": ["minimal","redhat","redhat_rpms","slsa3"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Ensure that at least one Task is present in the PipelineRun attestation.","title": "Pipeline run includes at least one task"}},{"msg": "Pass","metadata": {"code": "tasks.pipeline_required_tasks_list_provided","collections": ["redhat","redhat_rpms"],"depends_on": ["tasks.pipeline_has_tasks"],"description": "Produce a warning if the required tasks list rule data was not provided.","title": "Required tasks list for pipeline was provided"}},{"msg": "Pass","metadata": {"code": "tasks.required_tasks_found","collections": ["redhat"],"depends_on": ["tasks.pipeline_has_tasks"],"description": "Ensure that the set of required tasks are included in the PipelineRun attestation.","title": "All required tasks were included in the pipeline"}},{"msg": "Pass","metadata": {"code": "tasks.required_tasks_list_provided","collections": 
["redhat","redhat_rpms"],"depends_on": ["tasks.pipeline_has_tasks"],"description": "Confirm the `required-tasks` rule data was provided, since it's required by the policy rules in this package.","title": "Required tasks list was provided"}},{"msg": "Pass","metadata": {"code": "tasks.required_untrusted_task_found","collections": ["redhat","redhat_rpms"],"depends_on": ["tasks.pipeline_has_tasks"],"description": "Ensure that the all required tasks are resolved from trusted tasks.","title": "All required tasks are from trusted tasks"}},{"msg": "Pass","metadata": {"code": "tasks.successful_pipeline_tasks","collections": ["minimal","redhat","redhat_rpms","slsa3"],"depends_on": ["tasks.pipeline_has_tasks"],"description": "Ensure that all of the Tasks in the Pipeline completed successfully. Note that skipped Tasks are not taken into account and do not influence the outcome.","title": "Successful pipeline tasks"}},{"msg": "Pass","metadata": {"code": "tasks.unsupported","collections": ["redhat","redhat_rpms"],"depends_on": ["tasks.pipeline_has_tasks"],"description": "The Tekton Task used is or will be unsupported. The Task is annotated with `build.appstudio.redhat.com/expires-on` annotation marking it as unsupported after a certain date.","title": "Task version unsupported"}},{"msg": "Pass","metadata": {"code": "test.no_erred_tests","collections": ["redhat"],"depends_on": ["test.test_data_found"],"description": "Produce a violation if any tests have their result set to \"ERROR\". The result type is configurable by the \"erred_tests_results\" key in the rule data.","title": "No tests erred"}},{"msg": "Pass","metadata": {"code": "test.no_failed_tests","collections": ["redhat"],"depends_on": ["test.test_data_found"],"description": "Produce a violation if any non-informative tests have their result set to \"FAILED\". 
The result type is configurable by the \"failed_tests_results\" key, and the list of informative tests is configurable by the \"informative_tests\" key in the rule data.","title": "No tests failed"}},{"msg": "Pass","metadata": {"code": "test.no_skipped_tests","collections": ["redhat"],"depends_on": ["test.test_data_found"],"description": "Produce a violation if any tests have their result set to \"SKIPPED\". A skipped result means a pre-requirement for executing the test was not met, e.g. a license key for executing a scanner was not provided. The result type is configurable by the \"skipped_tests_results\" key in the rule data.","effective_on": "2023-12-08T00:00:00Z","title": "No tests were skipped"}},{"msg": "Pass","metadata": {"code": "test.no_test_warnings","collections": ["redhat"],"depends_on": ["test.test_data_found"],"description": "Produce a warning if any tests have their result set to \"WARNING\". The result type is configurable by the \"warned_tests_results\" key in the rule data.","title": "No tests produced warnings"}},{"msg": "Pass","metadata": {"code": "test.rule_data_provided","collections": ["redhat","policy_data"],"description": "Confirm the expected rule data keys have been provided in the expected format. 
The keys are `supported_tests_results`, `failed_tests_results`, `informative_tests`, `erred_tests_results`, `skipped_tests_results`, and `warned_tests_results`.","title": "Rule data provided"}},{"msg": "Pass","metadata": {"code": "test.test_all_images","collections": ["redhat"],"description": "Ensure that task producing the IMAGES_PROCESSED result contains the digests of the built image.","effective_on": "2024-05-29T00:00:00Z","title": "Image digest is present in IMAGES_PROCESSED result"}},{"msg": "Pass","metadata": {"code": "test.test_data_found","collections": ["redhat"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Ensure that at least one of the tasks in the pipeline includes a TEST_OUTPUT task result, which is where Conforma expects to find test result data.","title": "Test data found in task results"}},{"msg": "Pass","metadata": {"code": "test.test_results_found","collections": ["redhat"],"depends_on": ["test.test_data_found"],"description": "Each test result is expected to have a `results` key. Verify that the `results` key is present in all of the TEST_OUTPUT task results.","title": "Test data includes results key"}},{"msg": "Pass","metadata": {"code": "test.test_results_known","collections": ["redhat"],"depends_on": ["test.test_data_found"],"description": "Ensure all test data result values are in the set of known/supported result values.","title": "No unsupported test result values found"}},{"msg": "Pass","metadata": {"code": "test_attestation.no_failed_tests","collections": ["redhat"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Produce a violation if any test result attestation has a result of \"FAILED\". 
Failed test names from the attestation predicate are included in the message when available.","title": "No failed test attestations"}},{"msg": "Pass","metadata": {"code": "test_attestation.no_test_warnings","collections": ["redhat"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Produce a warning if any test result attestation has a result of \"WARNED\". Warned test names from the attestation predicate are included in the message when available.","title": "No test attestation warnings"}},{"msg": "Pass","metadata": {"code": "test_attestation.test_data_found","collections": ["redhat"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Each test result attestation must include a result field in its predicate. Verify that the result field is present.","title": "Test attestation data includes result"}},{"msg": "Pass","metadata": {"code": "test_attestation.test_result_known","collections": ["redhat"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Ensure the result field of each test result attestation is a recognized value. 
Valid values are PASSED, WARNED, and FAILED per the in-toto test-result predicate specification.","title": "No unsupported test attestation result values"}},{"msg": "Pass","metadata": {"code": "trusted_task.data","collections": ["redhat","redhat_rpms"],"description": "Confirm the `trusted_tasks` rule data was provided, since it's required by the policy rules in this package.","effective_on": "2024-05-07T00:00:00Z","title": "Task tracking data was provided"}},{"msg": "Pass","metadata": {"code": "trusted_task.data_format","collections": ["redhat","redhat_rpms","policy_data"],"description": "Confirm the expected `trusted_tasks` data keys have been provided in the expected format.","title": "Data format"}},{"msg": "Pass","metadata": {"code": "trusted_task.future_deny_rule","collections": ["redhat"],"description": "Warn when a task matches a deny rule that has an effective_on date in the future. This provides advance notice that a task will become untrusted when the deny rule takes effect.","title": "Future deny rule will apply"}},{"msg": "Pass","metadata": {"code": "trusted_task.pinned", "collections": ["redhat","redhat_rpms"],"description": "Check if all Tekton Tasks use a Task definition by a pinned reference. When using the git resolver, a commit ID is expected for the revision parameter. When using the bundles resolver, the bundle parameter is expected to include an image reference with a digest.","effective_on": "2024-05-07T00:00:00Z","title": "Task references are pinned"}},{"msg": "Pass","metadata": {"code": "trusted_task.tagged","collections": ["redhat","redhat_rpms"],"description": "Check if all Tekton Tasks defined with the bundle format contain a tag reference.","effective_on": "2024-05-07T00:00:00Z","title": "Task references are tagged"}},{"msg": "Pass","metadata": {"code": "trusted_task.trusted","collections": ["redhat"],"description": "Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. 
The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted.","effective_on": "2024-05-07T00:00:00Z","title": "Tasks are trusted"}},{"msg": "Pass","metadata": {"code": "trusted_task.trusted_parameters","collections": ["redhat"],"description": "Confirm certain parameters provided to each builder Task have come from trusted Tasks. Trust can be defined using pattern-based rules (trusted_task_rules) or an explicit allow list with expiry dates (trusted_tasks).","effective_on": "2021-07-04T00:00:00Z","title": "Trusted parameters"}},{"msg": "Pass","metadata": {"code": "trusted_task.valid_trusted_artifact_inputs","collections": ["redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "All input trusted artifacts must be produced on the pipeline. If they are not the artifact could have been injected by a rogue task.","title": "Trusted Artifact produced in pipeline"}},{"msg": "Pass","metadata": {"code": "volatile_config.expired_rule","collections": ["minimal","redhat"],"description": "Generates a warning when a volatile configuration rule has passed its effectiveUntil date. Expired rules are no longer active and should be removed from the policy configuration.","title": "Volatile rule has expired"}},{"msg": "Pass","metadata": {"code": "volatile_config.expiring_rule","collections": ["minimal","redhat"],"description": "Generates a warning when a volatile configuration rule will expire within the configured warning threshold (default 30 days). 
This provides advance notice to extend or replace the rule before it expires.","title": "Volatile rule expiring soon"}},{"msg": "Pass","metadata": {"code": "volatile_config.invalid_config","collections": ["minimal","redhat"],"description": "Generates a warning when a volatile configuration rule has invalid date values that cannot be parsed. This indicates a configuration error that should be corrected.","title": "Volatile rule has invalid configuration"}},{"msg": "Pass","metadata": {"code": "volatile_config.no_expiration","collections": ["minimal","redhat"],"description": "Generates a warning when a volatile configuration rule has no effectiveUntil date set. Rules without expiration dates may accumulate over time and should be periodically reviewed.","title": "Volatile rule has no expiration"}},{"msg": "Pass","metadata": {"code": "volatile_config.pending_rule","collections": ["minimal","redhat"],"description": "Generates a warning when a volatile configuration rule has an effectiveOn date in the future, indicating it will become active at that time.","title": "Volatile rule pending activation"}}],"success": true,"signatures": [{"keyid": "","sig": "MEYCIQDAFKFnOSV+ZO53btaeKYBj9ME2NdgwhZHBvpe+FdPrKgIhALpDGT56tbbpn+Y7xX7I6G9Ggm3UD0MYEZYgZ/Jf0n7s"},{"keyid": "","sig": "MEYCIQCwccUeCezmpPt6+gFQUb625+udjgjabwf3JZKGyt7iuAIhAMSTjScJPNed9vmKj/eLIE4zuKkw+dD1CGOcSlHEYGqi"}],"attestations": [{"type": "https://in-toto.io/Statement/v0.1","predicateType": "https://slsa.dev/provenance/v0.2","predicateBuildType": "tekton.dev/v1/PipelineRun","signatures": [{"keyid": "SHA256:IhiN7gY+Z3uSSd7tmj6w5Zfhqafzdhm3DZjIvGc6iYY","sig": "MEUCIFDe/HK4zGEf6ReCdi9lKIHt+F3RAQVbVz+9njVgeByoAiEA07g5JSnXBDpV2QlW7s4GuY7DoGVO8rwgOzJDsFR4Vhg="}]}]},{"name": "-sha256:4b8339806ff0774bdfc73676c57c6985fd311d8c8d0ea3062d13c00136f19414-amd64","containerImage": "quay.io/konflux-ci/ec-golden-image@sha256:4b8339806ff0774bdfc73676c57c6985fd311d8c8d0ea3062d13c00136f19414","source": {},"warnings": [{"msg": "The Task 
\"ecosystem-cert-preflight-checks\" from the build Pipeline reports a failed informative test","metadata": {"code": "test.no_failed_informative_tests","collections": ["redhat"],"depends_on": ["test.test_data_found"],"description": "Produce a warning if any informative tests have their result set to \"FAILED\". The result type is configurable by the \"failed_tests_results\" key, and the list of informative tests is configurable by the \"informative_tests\" key in the rule data.","solution": "There is a test that failed. Make sure that any task in the build pipeline with a result named 'TEST_OUTPUT' does not fail. More information about the test should be available in the logs for the build Pipeline.","term": "ecosystem-cert-preflight-checks","title": "No informative tests failed"}},{"msg": "A newer version of task \"build-image-index\" exists. Please update before 2026-08-22T00:00:00Z. The current bundle is \"oci://quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.3@sha256:b33bfa8dc27dbf459f0779598ba45dcaa490bcc9f8efe1652bcf360ec8cb5582\" and the latest bundle ref is \"sha256:0b4251ea0fab38be2b1441bea2788220d4cf2963ffb854a0ed90992fbabbe122\"","metadata": {"code": "trusted_task.current","collections": ["redhat","redhat_rpms"],"description": "Check if all Tekton Tasks use the latest known Task reference. When warnings will be reported can be configured using the `task_expiry_warning_days` rule data setting. It holds the number of days before the task is to expire within which the warnings will be reported.","solution": "Update the Task reference to a newer version.","term": "build-image-index","title": "Tasks using the latest versions"}},{"msg": "A newer version of task \"build-container\" exists. Please update before 2026-08-02T00:00:00Z. 
The current bundle is \"oci://quay.io/konflux-ci/tekton-catalog/task-buildah-remote-oci-ta:0.9@sha256:77007259cc87f32d63d2c201226aadaab98313cfd4e02b46abc243c4d2cc27bd\" and the latest bundle ref is \"sha256:148347cf1a291bc3ebe0700d7f61c12f7f4d5e78e59a162f5e622ad67106c4a9\"","metadata": {"code": "trusted_task.current","collections": ["redhat","redhat_rpms"],"description": "Check if all Tekton Tasks use the latest known Task reference. When warnings will be reported can be configured using the `task_expiry_warning_days` rule data setting. It holds the number of days before the task is to expire within which the warnings will be reported.","solution": "Update the Task reference to a newer version.","term": "buildah-remote-oci-ta","title": "Tasks using the latest versions"}},{"msg": "A newer version of task \"clair-scan\" exists. Please update before 2026-08-22T00:00:00Z. The current bundle is \"oci://quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.3@sha256:8fad4c2e2f470f82ee43d6b2ac72327b4d9c6e9cb514a678911c1c9359c29894\" and the latest bundle ref is \"sha256:9ff424d913dd7681031a93d8bdbed622cd5536633f8ed0dbb4a9021055cf9d21\"","metadata": {"code": "trusted_task.current","collections": ["redhat","redhat_rpms"],"description": "Check if all Tekton Tasks use the latest known Task reference. When warnings will be reported can be configured using the `task_expiry_warning_days` rule data setting. It holds the number of days before the task is to expire within which the warnings will be reported.", "solution": "Update the Task reference to a newer version.","term": "clair-scan","title": "Tasks using the latest versions"}},{"msg": "A newer version of task \"clamav-scan\" exists. Please update before 2026-08-28T00:00:00Z. 
The current bundle is \"oci://quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.3@sha256:567cb66bd2e1f4b58b9d4d756f3317fc62479e0b40aa0de66094b1f12d296cfc\" and the latest bundle ref is \"sha256:53a02326bfb930ca5ef6bfa7a33acca833d57752f34f3cb79255fe2e25e7d217\"","metadata": {"code": "trusted_task.current","collections": ["redhat","redhat_rpms"],"description": "Check if all Tekton Tasks use the latest known Task reference. When warnings will be reported can be configured using the `task_expiry_warning_days` rule data setting. It holds the number of days before the task is to expire within which the warnings will be reported.","solution": "Update the Task reference to a newer version.","term": "clamav-scan","title": "Tasks using the latest versions"}},{"msg": "A newer version of task \"ecosystem-cert-preflight-checks\" exists. Please update before 2026-08-08T00:00:00Z. The current bundle is \"oci://quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:88f4fd6d7812a3c46f120f3035974f5fb8cb06b5e3e927badf6e8370f1516a88\" and the latest bundle ref is \"sha256:3c4f60ebda2225eff6a6bc387d9bbd443f1264d756bf385f97cc684992e904a0\"","metadata": {"code": "trusted_task.current","collections": ["redhat","redhat_rpms"],"description": "Check if all Tekton Tasks use the latest known Task reference. When warnings will be reported can be configured using the `task_expiry_warning_days` rule data setting. It holds the number of days before the task is to expire within which the warnings will be reported.","solution": "Update the Task reference to a newer version.","term": "ecosystem-cert-preflight-checks","title": "Tasks using the latest versions"}},{"msg": "A newer version of task \"clone-repository\" exists. Please update before 2026-08-24T00:00:00Z. 
The current bundle is \"oci://quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.1@sha256:d30f13dd15daf89dd6dc645243b3444d35570d13f7840c3fd65e366022515205\" and the latest bundle ref is \"sha256:a11dac7d914d0165362cdcc4c50860a30320f59a32ed0778bf895004d3f74591\"","metadata": {"code": "trusted_task.current","collections": ["redhat","redhat_rpms"],"description": "Check if all Tekton Tasks use the latest known Task reference. When warnings will be reported can be configured using the `task_expiry_warning_days` rule data setting. It holds the number of days before the task is to expire within which the warnings will be reported.","solution": "Update the Task reference to a newer version.","term": "git-clone-oci-ta","title": "Tasks using the latest versions"}},{"msg": "A newer version of task \"prefetch-dependencies\" exists. Please update before 2026-08-02T00:00:00Z. The current bundle is \"oci://quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.3@sha256:3dc78afbf3a441e0280067433cb28ea3d2d0088ec214c73bf063f145b4f273ef\" and the latest bundle ref is \"sha256:92956e75cd4714286f9c0c043f5301d1c0df1d750884edeceee87e0a91cc1975\"","metadata": {"code": "trusted_task.current","collections": ["redhat","redhat_rpms"],"description": "Check if all Tekton Tasks use the latest known Task reference. When warnings will be reported can be configured using the `task_expiry_warning_days` rule data setting. It holds the number of days before the task is to expire within which the warnings will be reported.","solution": "Update the Task reference to a newer version.","term": "prefetch-dependencies-oci-ta","title": "Tasks using the latest versions"}},{"msg": "A newer version of task \"push-dockerfile\" exists. Please update before 2026-08-24T00:00:00Z. 
The current bundle is \"oci://quay.io/konflux-ci/tekton-catalog/task-push-dockerfile-oci-ta:0.3@sha256:7855471abfe87de080b914f2f3ca27c59e64f6448a7c2435e51435b764494c71\" and the latest bundle ref is \"sha256:581ddbb0b8dc388678cea65b9b3b6265db59f6de1d473006fb84fb0b456886bd\"","metadata": {"code": "trusted_task.current","collections": ["redhat","redhat_rpms"],"description": "Check if all Tekton Tasks use the latest known Task reference. When warnings will be reported can be configured using the `task_expiry_warning_days` rule data setting. It holds the number of days before the task is to expire within which the warnings will be reported.","solution": "Update the Task reference to a newer version.","term": "push-dockerfile-oci-ta","title": "Tasks using the latest versions"}},{"msg": "A newer version of task \"sast-shell-check\" exists. Please update before 2026-08-03T00:00:00Z. The current bundle is \"oci://quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta:0.1@sha256:3cbb3535af6e7d4396858179a6427caaffb2e68775594795692fc01f28ae313f\" and the latest bundle ref is \"sha256:fc685d6f7dfb7c9ab2f2db38bbe2c8d383407847350ccd8b96352322c487b13c\"","metadata": {"code": "trusted_task.current","collections": ["redhat","redhat_rpms"],"description": "Check if all Tekton Tasks use the latest known Task reference. When warnings will be reported can be configured using the `task_expiry_warning_days` rule data setting. It holds the number of days before the task is to expire within which the warnings will be reported.","solution": "Update the Task reference to a newer version.","term": "sast-shell-check-oci-ta","title": "Tasks using the latest versions"}},{"msg": "A newer version of task \"sast-snyk-check\" exists. Please update before 2026-08-03T00:00:00Z. 
The current bundle is \"oci://quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta:0.4@sha256:0ebf28a0abd5a167438d4628938a74ade6f00a44a4b7ed1cfa9cfc57a5b24748\" and the latest bundle ref is \"sha256:8d794f3c04de1b47b76f9e48a2be19520568d8b467598976cbd440c44532f970\"","metadata": {"code": "trusted_task.current","collections": ["redhat","redhat_rpms"],"description": "Check if all Tekton Tasks use the latest known Task reference. When warnings will be reported can be configured using the `task_expiry_warning_days` rule data setting. It holds the number of days before the task is to expire within which the warnings will be reported.","solution": "Update the Task reference to a newer version.","term": "sast-snyk-check-oci-ta","title": "Tasks using the latest versions"}},{"msg": "A newer version of task \"sast-unicode-check\" exists. Please update before 2026-08-03T00:00:00Z. The current bundle is \"oci://quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta:0.4@sha256:223812001607b07f0e07d56bef7b7d619144e660c0c57f21ddd44ce0c8c4785b\" and the latest bundle ref is \"sha256:5807ffe3a0cca5cf970076bbc7a404642cc6e3eebe64e9e5e6a4f20da740bf73\"","metadata": {"code": "trusted_task.current","collections": ["redhat","redhat_rpms"],"description": "Check if all Tekton Tasks use the latest known Task reference. When warnings will be reported can be configured using the `task_expiry_warning_days` rule data setting. It holds the number of days before the task is to expire within which the warnings will be reported.","solution": "Update the Task reference to a newer version.","term": "sast-unicode-check-oci-ta","title": "Tasks using the latest versions"}},{"msg": "A newer version of task \"build-source-image\" exists. Please update before 2026-08-24T00:00:00Z. 
The current bundle is \"oci://quay.io/konflux-ci/tekton-catalog/task-source-build-oci-ta:0.3@sha256:8567bb7bf8fa9147c96b297533336fa7079ecf972cb86c09ccdd6bddedb25711\" and the latest bundle ref is \"sha256:d8115c74aed42fe9b1b3df149c534ced09f33c7bc6e51449bcaf8ec50699b8a0\"","metadata": {"code": "trusted_task.current","collections": ["redhat","redhat_rpms"], "description": "Check if all Tekton Tasks use the latest known Task reference. When warnings will be reported can be configured using the `task_expiry_warning_days` rule data setting. It holds the number of days before the task is to expire within which the warnings will be reported.","solution": "Update the Task reference to a newer version.","term": "source-build-oci-ta","title": "Tasks using the latest versions"}}],"successes": [{"msg": "Pass","metadata": {"code": "attestation_type.deprecated_policy_attestation_format","collections": ["minimal","redhat","redhat_rpms"],"description": "The Conforma CLI now places the attestation data in a different location. 
This check fails if the expected new format is not found.","effective_on": "2023-08-31T00:00:00Z","title": "Deprecated policy attestation format"}},{"msg": "Pass","metadata": {"code": "attestation_type.known_attestation_type","collections": ["minimal","redhat","redhat_rpms","slsa3"],"depends_on": ["attestation_type.pipelinerun_attestation_found"],"description": "Confirm the attestation found for the image has a known attestation type.","title": "Known attestation type found"}},{"msg": "Pass","metadata": {"code": "attestation_type.known_attestation_types_provided","collections": ["minimal","redhat","redhat_rpms","policy_data"],"description": "Confirm the `known_attestation_types` rule data was provided.","title": "Known attestation types provided"}},{"msg": "Pass","metadata": {"code": "attestation_type.pipelinerun_attestation_found","collections": ["minimal","redhat","redhat_rpms","slsa3"],"description": "Confirm at least one PipelineRun attestation is present.","title": "PipelineRun attestation found"}},{"msg": "Pass","metadata": {"code": "base_image_registries.allowed_registries_provided","collections": ["minimal","redhat","policy_data"],"description": "Confirm the `allowed_registry_prefixes` rule data was provided, since it's required by the policy rules in this package.","title": "Allowed base image registry prefixes list was provided"}},{"msg": "Pass","metadata": {"code": "base_image_registries.base_image_info_found","collections": ["minimal","redhat"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify the expected information was provided about which base images were used during the build process. 
The list of base images comes from any associated CycloneDX or SPDX SBOMs.","title": "Base images provided"}},{"msg": "Pass","metadata": {"code": "base_image_registries.base_image_permitted","collections": ["minimal","redhat"],"depends_on": ["base_image_registries.base_image_info_found","base_image_registries.allowed_registries_provided"],"description": "Verify that the base images used when building a container image come from a known set of trusted registries to reduce potential supply chain attacks. By default this policy defines trusted registries as registries that are fully maintained by Red Hat and only contain content produced by Red Hat. The list of permitted registries can be customized by setting the `allowed_registry_prefixes` list in the rule data. Base images that are found in the snapshot being validated are also allowed since EC will also validate those images individually.","title": "Base image comes from permitted registry"}},{"msg": "Pass","metadata": {"code": "base_image_registries.base_image_permitted","collections": ["minimal","redhat"],"depends_on": ["base_image_registries.base_image_info_found","base_image_registries.allowed_registries_provided"],"description": "Verify that the base images used when building a container image come from a known set of trusted registries to reduce potential supply chain attacks. By default this policy defines trusted registries as registries that are fully maintained by Red Hat and only contain content produced by Red Hat. The list of permitted registries can be customized by setting the `allowed_registry_prefixes` list in the rule data. 
Base images that are found in the snapshot being validated are also allowed since EC will also validate those images individually.","title": "Base image comes from permitted registry"}},{"msg": "Pass","metadata": {"code": "buildah_build_task.add_capabilities_param","collections": ["redhat"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify the ADD_CAPABILITIES parameter of a builder Tasks was not used.","effective_on": "2024-08-31T00:00:00Z","title": "ADD_CAPABILITIES parameter"}},{"msg": "Pass","metadata": {"code": "buildah_build_task.buildah_uses_local_dockerfile","collections": ["redhat"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify the Dockerfile used in the buildah task was not fetched from an external source.","title": "Buildah task uses a local Dockerfile"}},{"msg": "Pass","metadata": {"code": "buildah_build_task.disallowed_platform_patterns_pattern","collections": ["redhat","policy_data"],"description": "Confirm the `disallowed_platform_patterns` rule data, if provided matches the expected format.","title": "disallowed_platform_patterns format"}},{"msg": "Pass","metadata": {"code": "buildah_build_task.platform_param","collections": ["redhat"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify the value of the PLATFORM parameter of a builder Task is allowed by matching against a list of disallowed patterns. The list of patterns can be customized via the `disallowed_platform_patterns` rule data key. 
If empty, all values are allowed.","effective_on": "2024-09-01T00:00:00Z","title": "PLATFORM parameter"}},{"msg": "Pass","metadata": {"code": "buildah_build_task.privileged_nested_param","collections": ["redhat"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify the PRIVILEGED_NESTED parameter of a builder Tasks was not set to `true`.","title": "PRIVILEGED_NESTED parameter"}},{"msg": "Pass","metadata": {"code": "builtin.attestation.signature_check","description": "The attestation signature matches available signing materials.","title": "Attestation signature check passed"}},{"msg": "Pass","metadata": {"code": "builtin.attestation.syntax_check","description": "The attestation has correct syntax.","title": "Attestation syntax check passed"}},{"msg": "Pass","metadata": {"code": "builtin.image.signature_check","description": "The image signature matches available signing materials.","title": "Image signature check passed"}},{"msg": "Pass","metadata": {"code": "cve.cve_blockers","collections": ["minimal","redhat"],"depends_on": ["cve.cve_results_found"],"description": "The SLSA Provenance attestation for the image is inspected to ensure CVEs that have a known fix and meet a certain security level have not been detected. If detected, this policy rule will fail. By default, only CVEs of critical and high security level cause a failure. This is configurable by the rule data key `restrict_cve_security_levels`. The available levels are critical, high, medium, low, and unknown. 
In addition to that leeway can be granted per severity using the `cve_leeway` rule data key containing days of allowed leeway, measured as time between found vulnerability's public disclosure date and current effective time, per severity level.","title": "Blocking CVE check"}},{"msg": "Pass","metadata": {"code": "cve.cve_warnings","collections": ["minimal","redhat"],"depends_on": ["cve.cve_results_found"],"description": "The SLSA Provenance attestation for the image is inspected to ensure CVEs that have a known fix and meet a certain security level have not been detected. If detected, this policy rule will raise a warning. By default, the list of CVE security levels used by this policy is empty. However, this is configurable by the rule data key `warn_cve_security_levels`. The available levels are critical, high, medium, low, and unknown.","title": "Non-blocking CVE check"}},{"msg": "Pass","metadata": {"code": "cve.rule_data_provided","collections": ["minimal","redhat","policy_data"], "description": "Confirm the expected rule data keys have been provided in the expected format. The keys are `restrict_cve_security_levels`,\t`warn_cve_security_levels`, `restrict_unpatched_cve_security_levels`, and `warn_unpatched_cve_security_levels`.","title": "Rule data provided"}},{"msg": "Pass","metadata": {"code": "cve.unpatched_cve_blockers","collections": ["minimal","redhat"],"depends_on": ["cve.cve_results_found"],"description": "The SLSA Provenance attestation for the image is inspected to ensure CVEs that do NOT have a known fix and meet a certain security level have not been detected. If detected, this policy rule will fail. By default, the list of security levels used by this policy is empty. This is configurable by the rule data key `restrict_unpatched_cve_security_levels`. The available levels are critical, high, medium, low, and unknown. 
In addition to that leeway can be granted per severity using the `cve_leeway` rule data key containing days of allowed leeway, measured as time between found vulnerability's public disclosure date and current effective time, per severity level.","title": "Blocking unpatched CVE check"}},{"msg": "Pass","metadata": {"code": "cve.unpatched_cve_warnings","collections": ["minimal","redhat"],"depends_on": ["cve.cve_results_found"],"description": "The SLSA Provenance attestation for the image is inspected to ensure CVEs that do NOT have a known fix and meet a certain security level have not been detected. If detected, this policy rule will raise a warning. By default, only CVEs of critical and high security level cause a warning. This is configurable by the rule data key `warn_unpatched_cve_security_levels`. The available levels are critical, high, medium, low, and unknown.","title": "Non-blocking unpatched CVE check"}},{"msg": "Pass","metadata": {"code": "hermetic_task.hermetic","collections": ["redhat"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify the task in the PipelineRun attestation was invoked with the proper parameters to make the task execution hermetic.","title": "Task called with hermetic param set"}},{"msg": "Pass","metadata": {"code": "labels.deprecated_labels","collections": ["redhat"],"description": "Check the image for the presence of labels that have been deprecated. Use the rule data key `deprecated_labels` to set the list of labels to check.","title": "Deprecated labels"}},{"msg": "Pass","metadata": {"code": "labels.disallowed_inherited_labels","collections": ["redhat"],"description": "Check that certain labels on the image have different values than the labels from the parent image. If the label is inherited from the parent image but not redefined for the image, it will contain an incorrect value for the image. 
Use the rule data `disallowed_inherited_labels` key to set the list of labels to check, or the `fbc_disallowed_inherited_labels` key for fbc images.","title": "Disallowed inherited labels"}},{"msg": "Pass","metadata": {"code": "labels.inaccessible_config","collections": ["redhat"],"description": "The image config is not accessible.","title": "Inaccessible image config"}},{"msg": "Pass","metadata": {"code": "labels.inaccessible_manifest","collections": ["redhat"],"description": "The image manifest is not accessible.","title": "Inaccessible image manifest"}},{"msg": "Pass","metadata": {"code": "labels.inaccessible_parent_config","collections": ["redhat"],"description": "The parent image config is not accessible.","title": "Inaccessible parent image config"}},{"msg": "Pass","metadata": {"code": "labels.inaccessible_parent_manifest","collections": ["redhat"],"description": "The parent image manifest is not accessible.","title": "Inaccessible parent image manifest"}},{"msg": "Pass","metadata": {"code": "labels.optional_labels","collections": ["redhat"],"description": "Check the image for the presence of labels that are recommended, but not required. Use the rule data `optional_labels` key to set the list of labels to check, or the `fbc_optional_labels` key for fbc images.","title": "Optional labels"}},{"msg": "Pass","metadata": {"code": "labels.required_labels","collections": ["redhat"],"description": "Check the image for the presence of labels that are required. Use the rule data `required_labels` key to set the list of labels to check, or the `fbc_required_labels` key for fbc images.","title": "Required labels"}},{"msg": "Pass","metadata": {"code": "labels.rule_data_provided","collections": ["redhat","policy_data"],"description": "Confirm the expected rule data keys have been provided in the expected format. 
The keys are `required_labels`,\t`fbc_required_labels`, `optional_labels`, `fbc_optional_labels`, `disallowed_inherited_labels`, `fbc_disallowed_inherited_labels`, and `deprecated_labels`.","title": "Rule data provided"}},{"msg": "Pass","metadata": {"code": "olm.allowed_registries","collections": ["redhat"],"description": "Each image referenced by the OLM bundle should match an entry in the list of prefixes defined by the rule data key `allowed_olm_image_registry_prefixes` in your policy configuration.","effective_on": "2024-09-01T00:00:00Z","title": "Images referenced by OLM bundle are from allowed registries"}},{"msg": "Pass","metadata": {"code": "olm.allowed_registries_related","collections": ["redhat"],"description": "Each image indicated as a related image should match an entry in the list of prefixes defined by the rule data key `allowed_olm_image_registry_prefixes` in your policy configuration.","effective_on": "2025-04-15T00:00:00Z","title": "Related images references are from allowed registries"}},{"msg": "Pass","metadata": {"code": "olm.allowed_resource_kinds","collections": ["redhat"],"description": "Every manifest in an OLM bundle must be of an allowed resource kind, as defined by the rule data key `allowed_olm_resource_kinds`.","title": "OLM bundle image manifests contain only allowed resource kinds"}},{"msg": "Pass","metadata": {"code": "olm.csv_semver_format","collections": ["redhat"],"description": "Check the `spec.version` value in the ClusterServiceVersion manifest of the OLM bundle uses a properly formatted semver.","title": "ClusterServiceVersion semver format"}},{"msg": "Pass","metadata": {"code": "olm.feature_annotations_format","collections": ["redhat"],"description": "Check the feature annotations in the ClusterServiceVersion manifest of the OLM bundle. All of required feature annotations must be present and set to either the string `\"true\"` or the string `\"false\"`. 
The list of feature annotations can be customize via the `required_olm_features_annotations` rule data.","title": "Feature annotations have expected value"}},{"msg": "Pass","metadata": {"code": "olm.inaccessible_related_images","collections": ["redhat"],"description": "Check the input image for the presence of related images. Ensure that all images are accessible.","effective_on": "2025-03-10T00:00:00Z","title": "Unable to access related images for a component"}},{"msg": "Pass","metadata": {"code": "olm.olm_bundle_multi_arch","collections": ["redhat"],"description": "OLM bundle images should be built for a single architecture. They should not be OCI image indexes nor should they be Docker v2s2 manifest lists.","effective_on": "2025-05-01T00:00:00Z","title": "OLM bundle images are not multi-arch"}},{"msg": "Pass","metadata": {"code": "olm.required_network_policy_rbac_for_operands","collections": ["redhat"],"description": "Operators are required to manage the network policies of their operands. This rule verifies that operator bundles request sufficient RBAC permissions to manage NetworkPolicy lifecycle (create, delete, and update/patch) for networking.k8s.io/networkpolicies in their ClusterServiceVersion. 
Bundles whose operator name and major.minor version are listed in the `operator_network_policy_rbac_exceptions` rule data key are exempt from this requirement.","effective_on": "2026-08-07T00:00:00Z","title": "NetworkPolicy RBAC present in OLM bundle"} },{"msg": "Pass","metadata": {"code": "olm.required_olm_features_annotations_provided","collections": ["redhat","policy_data"],"description": "Confirm the `required_olm_features_annotations` rule data was provided, since it's required by the policy rules in this package.","title": "Required OLM feature annotations list provided"}},{"msg": "Pass","metadata": {"code": "olm.subscriptions_annotation_format","collections": ["redhat"],"description": "Check the value of the operators.openshift.io/valid-subscription annotation from the ClusterServiceVersion manifest is in the expected format, i.e. JSON encoded non-empty array of strings.","effective_on": "2024-04-18T00:00:00Z","title": "Subscription annotation has expected value"}},{"msg": "Pass","metadata": {"code": "olm.unmapped_references","collections": ["redhat"],"description": "Check the OLM bundle image for the presence of unmapped image references. Unmapped image pull references are references to images found in link:https://osbs.readthedocs.io/en/latest/users.html#pullspec-locations[varying locations] that are either not in the RPA about to be released or not accessible already.","effective_on": "2024-08-15T00:00:00Z","title": "Unmapped images in OLM bundle"}},{"msg": "Pass","metadata": {"code": "olm.unpinned_references","collections": ["redhat"],"description": "Check the OLM bundle image for the presence of unpinned image references. 
Unpinned image pull references are references to images found in link:https://osbs.readthedocs.io/en/latest/users.html#pullspec-locations[varying locations] that do not contain a digest -- uniquely identifying the version of the image being pulled.","title": "Unpinned images in OLM bundle"}},{"msg": "Pass","metadata": {"code": "olm.unpinned_related_images","collections": ["redhat"],"description": "Check the input image for the presence of related images. Ensure all related image references include a digest.","title": "Unpinned related images for a component"}},{"msg": "Pass","metadata": {"code": "olm.unpinned_snapshot_references","collections": ["redhat"],"description": "Check the input snapshot for the presence of unpinned image references. Unpinned image pull references are references to images that do not contain a digest -- uniquely identifying the version of the image being pulled.","effective_on": "2024-08-15T00:00:00Z","title": "Unpinned images in input snapshot"}},{"msg": "Pass","metadata": {"code": "pre_build_script_task.pre_build_script_task_runner_image_allowed","collections": ["redhat"],"depends_on": ["attestation_type.known_attestation_type","base_image_registries.allowed_registries_provided"],"description": "Verify that the images used to run the pre-build script tasks come from a known set of trusted registries to reduce potential supply chain attacks. By default this policy defines trusted registries as registries that are fully maintained by Red Hat and only contain content produced by Red Hat. 
The list of allowed registries can be customized by setting the `allowed_registry_prefixes` list in the rule data.","title": "Script runner image comes from allowed registry"}},{"msg": "Pass","metadata": {"code": "pre_build_script_task.pre_build_script_task_runner_image_allowed","collections": ["redhat"],"depends_on": ["attestation_type.known_attestation_type","base_image_registries.allowed_registries_provided"],"description": "Verify that the images used to run the pre-build script tasks come from a known set of trusted registries to reduce potential supply chain attacks. By default this policy defines trusted registries as registries that are fully maintained by Red Hat and only contain content produced by Red Hat. The list of allowed registries can be customized by setting the `allowed_registry_prefixes` list in the rule data.","title": "Script runner image comes from allowed registry"}},{"msg": "Pass","metadata": {"code": "pre_build_script_task.pre_build_script_task_runner_image_in_results","collections": ["redhat"],"description": "Verify that the image used to run the pre-build script task is listed in the task result SCRIPT_RUNNER_IMAGE_REFERENCE","title": "Script runner image is listed in the task results"}},{"msg": "Pass","metadata": {"code": "pre_build_script_task.pre_build_script_task_runner_image_in_sbom","collections": ["redhat"],"description": "Verify that the image used to run the pre-build script task is included in the SBOM","title": "Script runner image is included in the sbom"}},{"msg": "Pass","metadata": {"code": "pre_build_script_task.valid_pre_build_script_task_runner_image_ref","collections": ["redhat"],"description": "Verify that a valid image reference is specified as image being used to run the pre-build script task","title": "Script runner image is a valid image reference"}},{"msg": "Pass","metadata": {"code": "prefetch_dependencies.mode_not_permissive","collections": ["redhat"],"depends_on": 
["attestation_type.known_attestation_type"],"description": "Verify the prefetch-dependencies task in the PipelineRun attestation was not invoked with the \"permissive\" mode parameter, which could compromise security.","title": "Prefetch dependencies mode parameter check"}},{"msg": "Pass","metadata": {"code": "prefetch_dependencies.package_registry_proxy_enabled","collections": ["redhat"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify that prefetch-dependencies tasks have the enable-package-registry-proxy parameter set to true. This ensures that dependency prefetching uses the package registry proxy.","effective_on": "2026-05-13T00:00:00Z","title": "Prefetch task has package registry proxy enabled"}},{"msg": "Pass","metadata": {"code": "provenance_materials.git_clone_source_matches_provenance","collections": ["minimal","redhat","redhat_rpms"],"depends_on": ["provenance_materials.git_clone_task_found"],"description": "Confirm that the result of the git-clone task is included in the materials section of the SLSA provenance attestation.","title": "Git clone source matches materials provenance"}},{"msg": "Pass","metadata": {"code": "provenance_materials.git_clone_task_found","collections": ["minimal","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Confirm that the attestation contains a git-clone task with `commit` and `url` task results.","title": "Git clone task found"}},{"msg": "Pass","metadata": {"code": "quay_expiration.expires_label","collections": ["redhat"],"description": "Check the image metadata for the presence of a \"quay.expires-after\" label. If it's present then produce a violation. 
This check is enforced only for a \"release\", \"production\", or \"staging\" pipeline, as determined by the value of the `pipeline_intention` rule data.","title": "Expires label"}},{"msg": "Pass","metadata": {"code": "rpm_ostree_task.builder_image_param","collections": ["redhat"],"description": "Verify the BUILDER_IMAGE parameter of the rpm-ostree Task uses an image reference that is both pinned to a digest and starts with a pre-defined list of prefixes. By default, the list of prefixes is empty allowing any pinned image reference to be used. This is customizable via the `allowed_rpm_ostree_builder_image_prefixes` rule data.","effective_on": "2024-03-20T00:00:00Z","title": "Builder image parameter"}},{"msg": "Pass","metadata": {"code": "rpm_ostree_task.rule_data","collections": ["redhat"],"description": "Verify the rule data used by this package, `allowed_rpm_ostree_builder_image_prefixes`, is in the expected format.","title": "Rule data"}},{"msg": "Pass","metadata": {"code": "rpm_packages.unique_version","collections": ["redhat"],"description": "Check if a multi-arch build has the same RPM versions installed across each different architecture. This check only applies for Image Indexes, aka multi-platform images. Use the `non_unique_rpm_names` rule data key to ignore certain RPMs.","title": "Unique Version"}},{"msg": "Pass","metadata": {"code": "rpm_repos.ids_known", "collections": ["redhat","redhat_rpms"],"description": "Each RPM package listed in an SBOM must specify the repository id that it comes from, and that repository id must be present in the list of known and permitted repository ids. 
Currently this is rule enforced only for SBOM components created by cachi2.","effective_on": "2024-11-10T00:00:00Z","title": "All rpms have known repo ids"}},{"msg": "Pass","metadata": {"code": "rpm_repos.rule_data_provided","collections": ["redhat","redhat_rpms","policy_data"],"description": "A list of known and permitted repository ids should be available in the rule data.","title": "Known repo id list provided"}},{"msg": "Pass","metadata": {"code": "rpm_signature.allowed","collections": ["redhat","redhat_rpms"],"description": "The SLSA Provenance attestation for the image is inspected to ensure RPMs have been signed by pre-defined set of signing keys. The list of signing keys can be set via the `allowed_rpm_signature_keys` rule data. Use the special value \"unsigned\" to allow unsigned RPMs.","effective_on": "2024-10-05T00:00:00Z","title": "Allowed RPM signature key"}},{"msg": "Pass","metadata": {"code": "rpm_signature.result_format","collections": ["redhat","redhat_rpms"],"description": "Confirm the format of the RPMS_DATA result is in the expected format.","effective_on": "2024-10-05T00:00:00Z","title": "Result format"}},{"msg": "Pass","metadata": {"code": "rpm_signature.rule_data_provided","collections": ["redhat","redhat_rpms","policy_data"],"description": "Confirm the expected `allowed_rpm_signature_keys` rule data key has been provided in the expected format.","effective_on": "2024-10-05T00:00:00Z","title": "Rule data provided"}},{"msg": "Pass","metadata": {"code": "sbom.disallowed_packages_provided","collections": ["redhat","policy_data","redhat_rpms"],"description": "Confirm the `disallowed_packages` and `disallowed_attributes` rule data were provided, since they are required by the policy rules in this package.","title": "Disallowed packages list is provided"}},{"msg": "Pass","metadata": {"code": "sbom.found","collections": ["minimal","redhat"],"description": "Confirm an SBOM attestation exists.","title": "Found"}},{"msg": "Pass","metadata": {"code": 
"sbom_cyclonedx.allowed","collections": ["redhat","redhat_rpms"],"description": "Confirm the CycloneDX SBOM contains only allowed packages. By default all packages are allowed. Use the \"disallowed_packages\" rule data key to provide a list of disallowed packages.","title": "Allowed"}},{"msg": "Pass","metadata": {"code": "sbom_cyclonedx.allowed_package_external_references","collections": ["redhat","redhat_rpms","policy_data"],"description": "Confirm the CycloneDX SBOM contains only packages with explicitly allowed external references. By default all external references are allowed unless the \"allowed_external_references\" rule data key provides a list of type-pattern pairs that forbid the use of any other external reference of the given type where the reference url matches the given pattern.","title": "Allowed package external references"}},{"msg": "Pass","metadata": {"code": "sbom_cyclonedx.allowed_package_sources","collections": ["redhat","redhat_rpms","policy_data"],"description": "For each of the components fetched by Hermeto which define externalReferences of type distribution, verify they are allowed based on the allowed_package_sources rule data key. By default, allowed_package_sources is empty, which means no components with such references are allowed.","effective_on": "2024-12-15T00:00:00Z","title": "Allowed package sources"}},{"msg": "Pass","metadata": {"code": "sbom_cyclonedx.allowed_proxy_urls","collections": ["redhat","policy_data"],"description": "For components found by Hermeto with a PURL type listed in proxy_enabled_purl_types that are registry dependencies (no download_url or vcs_url qualifier, not bundled), verify proxy URLs in externalReferences of type distribution with comment \"proxy URL\" match at least one pattern from allowed_proxy_url_patterns. The \"proxy_enabled_purl_types\" rule data key is a list of PURL type strings (e.g. [\"maven\", \"npm\"]). 
The \"allowed_proxy_url_patterns\" rule data key is an object mapping each PURL type string to a list of regular expression patterns (e.g. {\"maven\": [\"^https://proxy\\\\.example\\\\.com/maven/.*\"]}). If a PURL type is listed in proxy_enabled_purl_types but has no entry in allowed_proxy_url_patterns, all components of that type are denied.","effective_on": "2026-06-01T00:00:00Z","title": "Allowed proxy URLs"}},{"msg": "Pass","metadata": {"code": "sbom_cyclonedx.cdx_supported_version","collections": ["minimal","redhat","redhat_rpms"],"description": "Check that the CycloneDX SBOM specifies a supported schema version (1.4, 1.5 or 1.6).","title": "Supported Version"}},{"msg": "Pass","metadata": {"code": "sbom_cyclonedx.disallowed_package_attributes","collections": ["redhat","redhat_rpms","policy_data"],"description": "Confirm the CycloneDX SBOM contains only packages without disallowed attributes. By default all attributes are allowed. Use the \"disallowed_attributes\" rule data key to provide a list of key-value pairs that forbid the use of an attribute set to the given value. Each entry may include an optional \"except_when\" field to suppress violations when a PURL qualifier matches specified regex patterns.","effective_on": "2024-07-31T00:00:00Z","title": "Disallowed package attributes"}},{"msg": "Pass","metadata": {"code": "sbom_cyclonedx.disallowed_package_external_references","collections": ["redhat","redhat_rpms","policy_data"],"description": "Confirm the CycloneDX SBOM contains only packages without disallowed external references. By default all external references are allowed. 
Use the \"disallowed_external_references\" rule data key to provide a list of type-pattern pairs that forbid the use of an external reference of the given type where the reference url matches the given pattern.","effective_on": "2024-07-31T00:00:00Z","title": "Disallowed package external references"}},{"msg": "Pass","metadata": {"code": "sbom_cyclonedx.proxy_metadata_required","collections": ["redhat","policy_data"],"description": "For components found by Hermeto with a PURL type listed in proxy_enabled_purl_types that are registry dependencies (no download_url or vcs_url qualifier, not bundled), verify that proxy metadata is present. In CycloneDX, this means at least one externalReference with type \"distribution\" and comment \"proxy URL\" must exist.","effective_on": "2026-05-13T00:00:00Z","title": "Proxy metadata required"}},{"msg": "Pass","metadata": {"code": "sbom_cyclonedx.valid_cdx_1_4","collections": ["minimal","redhat","redhat_rpms"],"description": "Check the CycloneDX SBOM has the expected format. It verifies the CycloneDX SBOM matches the 1.4 version of the schema.","title": "Valid 1.4"}},{"msg": "Pass","metadata": {"code": "sbom_cyclonedx.valid_cdx_1_5","collections": ["minimal","redhat","redhat_rpms"],"description": "Check the CycloneDX SBOM has the expected format. It verifies the CycloneDX SBOM matches the 1.5 version of the schema.","title": "Valid 1.5"}},{"msg": "Pass","metadata": {"code": "sbom_cyclonedx.valid_cdx_1_6","collections": ["minimal","redhat","redhat_rpms"],"description": "Check the CycloneDX SBOM has the expected format. It verifies the CycloneDX SBOM matches the 1.6 version of the schema.","title": "Valid 1.6"}},{"msg": "Pass","metadata": {"code": "sbom_spdx.allowed","collections": ["redhat","redhat_rpms"],"description": "Confirm the SPDX SBOM contains only allowed packages. By default all packages are allowed. 
Use the \"disallowed_packages\" rule data key to provide a list of disallowed packages.","title": "Allowed"}},{"msg": "Pass","metadata": {"code": "sbom_spdx.allowed_package_external_references","collections": ["redhat","redhat_rpms","policy_data"], "description": "Confirm the SPDX SBOM contains only packages with explicitly allowed external references. By default all external references are allowed unless the \"allowed_external_references\" rule data key provides a list of type-pattern pairs that forbid the use of any other external reference of the given type where the reference url matches the given pattern.","title": "Allowed package external references"}},{"msg": "Pass","metadata": {"code": "sbom_spdx.allowed_package_sources","collections": ["redhat","redhat_rpms","policy_data"],"description": "For each of the packages fetched by Hermeto which define externalReferences, verify they are allowed based on the allowed_package_sources rule data key. By default, allowed_package_sources is empty, which means no components with such references are allowed.","effective_on": "2025-02-17T00:00:00Z","title": "Allowed package sources"}},{"msg": "Pass","metadata": {"code": "sbom_spdx.allowed_proxy_urls","collections": ["redhat","policy_data"],"description": "For packages found by Hermeto with a PURL type listed in proxy_enabled_purl_types that are registry dependencies (no download_url or vcs_url qualifier, not bundled), verify each proxy URL in sourceInfo matches at least one pattern from allowed_proxy_url_patterns. Hermeto records proxy URLs in the sourceInfo field, semicolon-separated when multiple proxies are used. The \"proxy_enabled_purl_types\" rule data key is a list of PURL type strings (e.g. [\"maven\", \"npm\"]). The \"allowed_proxy_url_patterns\" rule data key is an object mapping each PURL type string to a list of regular expression patterns (e.g. {\"maven\": [\"^https://proxy\\\\.example\\\\.com/maven/.*\"]}). 
If a PURL type is listed in proxy_enabled_purl_types but has no entry in allowed_proxy_url_patterns, all packages of that type are denied.","effective_on": "2026-06-01T00:00:00Z","title": "Allowed proxy URLs"}},{"msg": "Pass","metadata": {"code": "sbom_spdx.disallowed_package_attributes","collections": ["redhat","redhat_rpms","policy_data"],"description": "Confirm the SPDX SBOM contains only packages without disallowed attributes. By default all attributes are allowed. Use the \"disallowed_attributes\" rule data key to provide a list of key-value pairs that forbid the use of an attribute set to the given value. Each entry may include an optional \"except_when\" field to suppress violations when a PURL qualifier matches specified regex patterns.","effective_on": "2025-02-04T00:00:00Z","title": "Disallowed package attributes"}},{"msg": "Pass","metadata": {"code": "sbom_spdx.disallowed_package_external_references","collections": ["redhat","redhat_rpms","policy_data"],"description": "Confirm the SPDX SBOM contains only packages without disallowed external references. By default all external references are allowed. Use the \"disallowed_external_references\" rule data key to provide a list of type-pattern pairs that forbid the use of an external reference of the given type where the reference url matches the given pattern.","effective_on": "2024-07-31T00:00:00Z","title": "Disallowed package external references"}},{"msg": "Pass","metadata": {"code": "sbom_spdx.proxy_metadata_required","collections": ["redhat","policy_data"],"description": "For packages found by Hermeto with a PURL type listed in proxy_enabled_purl_types that are registry dependencies (no download_url or vcs_url qualifier, not bundled), verify that proxy metadata is present. 
In SPDX, the sourceInfo field must be non-empty.","effective_on": "2026-05-13T00:00:00Z","title": "Proxy metadata required"}},{"msg": "Pass","metadata": {"code": "sbom_spdx.valid","collections": ["minimal","redhat","redhat_rpms"],"description": "Check the SPDX SBOM has the expected format. It verifies the SPDX SBOM matches the 2.3 version of the schema.","title": "Valid"}},{"msg": "Pass","metadata": {"code": "schedule.date_restriction","collections": ["redhat"],"description": "Check if the current date is not allowed based on the rule data value from the key `disallowed_dates`. By default, the list is empty in which case *any* day is allowed. This check is enforced only for a \"release\" or \"production\" pipeline, as determined by the value of the `pipeline_intention` rule data.","title": "Date Restriction"}},{"msg": "Pass","metadata": {"code": "schedule.rule_data_provided","collections": ["redhat","policy_data"],"description": "Confirm the expected rule data keys have been provided in the expected format. The keys are `disallowed_weekdays` and `disallowed_dates`.","title": "Rule data provided"}},{"msg": "Pass","metadata": {"code": "schedule.weekday_restriction","collections": ["redhat"],"description": "Check if the current weekday is allowed based on the rule data value from the key `disallowed_weekdays`. By default, the list is empty in which case *any* weekday is allowed. 
This check is enforced only for a \"release\" or \"production\" pipeline, as determined by the value of the `pipeline_intention` rule data.","title": "Weekday Restriction"}},{"msg": "Pass","metadata": {"code": "slsa_build_build_service.allowed_builder_ids_provided","collections": ["slsa3","redhat","redhat_rpms","policy_data"],"description": "Confirm the `allowed_builder_ids` rule data was provided, since it is required by the policy rules in this package.","title": "Allowed builder IDs provided"}},{"msg": "Pass","metadata": {"code": "slsa_build_build_service.slsa_builder_id_accepted","collections": ["slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify that the attestation attribute predicate.builder.id is set to one of the values in the `allowed_builder_ids` rule data, e.g. \"https://tekton.dev/chains/v2\".","title": "SLSA Builder ID is known and accepted"}},{"msg": "Pass","metadata": {"code": "slsa_build_build_service.slsa_builder_id_found","collections": ["slsa3","redhat"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify that the attestation attribute predicate.builder.id is set.","title": "SLSA Builder ID found"}},{"msg": "Pass","metadata": {"code": "slsa_build_scripted_build.build_script_used","collections": ["slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify that the predicate.buildConfig.tasks.steps attribute for the task responsible for building and pushing the image is not empty.","title": "Build task contains steps"}},{"msg": "Pass","metadata": {"code": "slsa_build_scripted_build.build_task_image_results_found","collections": ["slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Confirm that a build task exists and it has the expected IMAGE_DIGEST and IMAGE_URL task results.","title": "Build task set image digest and url task results"}},{"msg": 
"Pass","metadata": {"code": "slsa_build_scripted_build.image_built_by_trusted_task","collections": ["redhat"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify the digest of the image being validated is reported by a trusted Task in its IMAGE_DIGEST result.","title": "Image built by trusted Task"}},{"msg": "Pass","metadata": {"code": "slsa_build_scripted_build.subject_build_task_matches","collections": ["slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify the subject of the attestations matches the IMAGE_DIGEST and IMAGE_URL values from the build task.","title": "Provenance subject matches build task image result"}},{"msg": "Pass","metadata": {"code": "slsa_provenance_available.allowed_predicate_types_provided","collections": ["minimal","slsa3","redhat","redhat_rpms","policy_data"],"description": "Confirm the `allowed_predicate_types` rule data was provided, since it is required by the policy rules in this package.","title": "Allowed predicate types provided"}},{"msg": "Pass","metadata": { "code": "slsa_provenance_available.attestation_predicate_type_accepted","collections": ["minimal","slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify that the predicateType field of the attestation indicates the in-toto SLSA Provenance format was used to attest the PipelineRun.","title": "Expected attestation predicate type found"}},{"msg": "Pass","metadata": {"code": "slsa_source_correlated.attested_source_code_reference","collections": ["minimal","slsa3","redhat"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Attestation contains source reference.","title": "Source reference"}},{"msg": "Pass","metadata": {"code": "slsa_source_correlated.expected_source_code_reference","collections": ["minimal","slsa3","redhat"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify that the 
provided source code reference is the one being attested.","title": "Expected source code reference"}},{"msg": "Pass","metadata": {"code": "slsa_source_correlated.rule_data_provided","collections": ["minimal","slsa3","redhat","redhat_rpms","policy_data"],"description": "Confirm the expected rule data keys have been provided in the expected format. The keys are `supported_vcs` and `supported_digests`.","title": "Rule data provided"}},{"msg": "Pass","metadata": {"code": "slsa_source_version_controlled.materials_format_okay","collections": ["minimal","slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Confirm at least one entry in the predicate.materials array of the attestation contains the expected attributes: uri and digest.sha1.","title": "Materials have uri and digest"}},{"msg": "Pass","metadata": {"code": "slsa_source_version_controlled.materials_include_git_sha","collections": ["minimal","slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Ensure that each entry in the predicate.materials array with a SHA-1 digest includes a valid Git commit SHA.","title": "Materials include git commit shas"}},{"msg": "Pass","metadata": {"code": "slsa_source_version_controlled.materials_uri_is_git_repo","collections": ["minimal","slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Ensure each entry in the predicate.materials array with a SHA-1 digest includes a valid Git URI.","title": "Material uri is a git repo"}},{"msg": "Pass","metadata": {"code": "source_image.exists","collections": ["redhat"],"description": "Verify the source container image exists.","effective_on": "2024-06-05T00:00:00Z","title": "Exists"}},{"msg": "Pass","metadata": {"code": "source_image.signed","collections": ["redhat"],"depends_on": ["source_image.exists"],"description": "Verify the source container image is signed.","effective_on": 
"2024-05-04T00:00:00Z","title": "Signed"}},{"msg": "Pass","metadata": {"code": "tasks.data_provided","collections": ["redhat","redhat_rpms","policy_data"],"description": "Confirm the expected data keys have been provided in the expected format. The keys are `pipeline-required-tasks` and `required-tasks`.","title": "Data provided"}},{"msg": "Pass","metadata": {"code": "tasks.future_required_tasks_found","collections": ["redhat","redhat_rpms"],"depends_on": ["tasks.pipeline_has_tasks"],"description": "Produce a warning when a task that will be required in the future was not included in the PipelineRun attestation.","title": "Future required tasks were found"}},{"msg": "Pass","metadata": {"code": "tasks.pinned_task_refs","collections": ["redhat"],"depends_on": ["tasks.pipeline_has_tasks"],"description": "Ensure that all Tasks in the SLSA Provenance attestation use an immuntable reference to the Task definition.","title": "Pinned Task references"}},{"msg": "Pass","metadata": {"code": "tasks.pipeline_has_tasks","collections": ["minimal","redhat","redhat_rpms","slsa3"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Ensure that at least one Task is present in the PipelineRun attestation.","title": "Pipeline run includes at least one task"}},{"msg": "Pass","metadata": {"code": "tasks.pipeline_required_tasks_list_provided","collections": ["redhat","redhat_rpms"],"depends_on": ["tasks.pipeline_has_tasks"],"description": "Produce a warning if the required tasks list rule data was not provided.","title": "Required tasks list for pipeline was provided"}},{"msg": "Pass","metadata": {"code": "tasks.required_tasks_found","collections": ["redhat"],"depends_on": ["tasks.pipeline_has_tasks"],"description": "Ensure that the set of required tasks are included in the PipelineRun attestation.","title": "All required tasks were included in the pipeline"}},{"msg": "Pass","metadata": {"code": "tasks.required_tasks_list_provided","collections": 
["redhat","redhat_rpms"],"depends_on": ["tasks.pipeline_has_tasks"],"description": "Confirm the `required-tasks` rule data was provided, since it's required by the policy rules in this package.","title": "Required tasks list was provided"}},{"msg": "Pass","metadata": {"code": "tasks.required_untrusted_task_found","collections": ["redhat","redhat_rpms"],"depends_on": ["tasks.pipeline_has_tasks"],"description": "Ensure that the all required tasks are resolved from trusted tasks.","title": "All required tasks are from trusted tasks"}},{"msg": "Pass","metadata": {"code": "tasks.successful_pipeline_tasks","collections": ["minimal","redhat","redhat_rpms","slsa3"],"depends_on": ["tasks.pipeline_has_tasks"],"description": "Ensure that all of the Tasks in the Pipeline completed successfully. Note that skipped Tasks are not taken into account and do not influence the outcome.","title": "Successful pipeline tasks"}},{"msg": "Pass","metadata": {"code": "tasks.unsupported","collections": ["redhat","redhat_rpms"],"depends_on": ["tasks.pipeline_has_tasks"],"description": "The Tekton Task used is or will be unsupported. The Task is annotated with `build.appstudio.redhat.com/expires-on` annotation marking it as unsupported after a certain date.","title": "Task version unsupported"}},{"msg": "Pass","metadata": {"code": "test.no_erred_tests","collections": ["redhat"],"depends_on": ["test.test_data_found"],"description": "Produce a violation if any tests have their result set to \"ERROR\". The result type is configurable by the \"erred_tests_results\" key in the rule data.","title": "No tests erred"}},{"msg": "Pass","metadata": {"code": "test.no_failed_tests","collections": ["redhat"],"depends_on": ["test.test_data_found"],"description": "Produce a violation if any non-informative tests have their result set to \"FAILED\". 
The result type is configurable by the \"failed_tests_results\" key, and the list of informative tests is configurable by the \"informative_tests\" key in the rule data.","title": "No tests failed"}},{"msg": "Pass","metadata": {"code": "test.no_skipped_tests","collections": ["redhat"],"depends_on": ["test.test_data_found"],"description": "Produce a violation if any tests have their result set to \"SKIPPED\". A skipped result means a pre-requirement for executing the test was not met, e.g. a license key for executing a scanner was not provided. The result type is configurable by the \"skipped_tests_results\" key in the rule data.","effective_on": "2023-12-08T00:00:00Z","title": "No tests were skipped"}},{"msg": "Pass","metadata": {"code": "test.no_test_warnings","collections": ["redhat"],"depends_on": ["test.test_data_found"],"description": "Produce a warning if any tests have their result set to \"WARNING\". The result type is configurable by the \"warned_tests_results\" key in the rule data.","title": "No tests produced warnings"}},{"msg": "Pass","metadata": {"code": "test.rule_data_provided","collections": ["redhat","policy_data"], "description": "Confirm the expected rule data keys have been provided in the expected format. 
The keys are `supported_tests_results`, `failed_tests_results`, `informative_tests`, `erred_tests_results`, `skipped_tests_results`, and `warned_tests_results`.","title": "Rule data provided"}},{"msg": "Pass","metadata": {"code": "test.test_all_images","collections": ["redhat"],"description": "Ensure that task producing the IMAGES_PROCESSED result contains the digests of the built image.","effective_on": "2024-05-29T00:00:00Z","title": "Image digest is present in IMAGES_PROCESSED result"}},{"msg": "Pass","metadata": {"code": "test.test_data_found","collections": ["redhat"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Ensure that at least one of the tasks in the pipeline includes a TEST_OUTPUT task result, which is where Conforma expects to find test result data.","title": "Test data found in task results"}},{"msg": "Pass","metadata": {"code": "test.test_results_found","collections": ["redhat"],"depends_on": ["test.test_data_found"],"description": "Each test result is expected to have a `results` key. Verify that the `results` key is present in all of the TEST_OUTPUT task results.","title": "Test data includes results key"}},{"msg": "Pass","metadata": {"code": "test.test_results_known","collections": ["redhat"],"depends_on": ["test.test_data_found"],"description": "Ensure all test data result values are in the set of known/supported result values.","title": "No unsupported test result values found"}},{"msg": "Pass","metadata": {"code": "test_attestation.no_failed_tests","collections": ["redhat"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Produce a violation if any test result attestation has a result of \"FAILED\". 
Failed test names from the attestation predicate are included in the message when available.","title": "No failed test attestations"}},{"msg": "Pass","metadata": {"code": "test_attestation.no_test_warnings","collections": ["redhat"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Produce a warning if any test result attestation has a result of \"WARNED\". Warned test names from the attestation predicate are included in the message when available.","title": "No test attestation warnings"}},{"msg": "Pass","metadata": {"code": "test_attestation.test_data_found","collections": ["redhat"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Each test result attestation must include a result field in its predicate. Verify that the result field is present.","title": "Test attestation data includes result"}},{"msg": "Pass","metadata": {"code": "test_attestation.test_result_known","collections": ["redhat"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Ensure the result field of each test result attestation is a recognized value. 
Valid values are PASSED, WARNED, and FAILED per the in-toto test-result predicate specification.","title": "No unsupported test attestation result values"}},{"msg": "Pass","metadata": {"code": "trusted_task.data","collections": ["redhat","redhat_rpms"],"description": "Confirm the `trusted_tasks` rule data was provided, since it's required by the policy rules in this package.","effective_on": "2024-05-07T00:00:00Z","title": "Task tracking data was provided"}},{"msg": "Pass","metadata": {"code": "trusted_task.data_format","collections": ["redhat","redhat_rpms","policy_data"],"description": "Confirm the expected `trusted_tasks` data keys have been provided in the expected format.","title": "Data format"}},{"msg": "Pass","metadata": {"code": "trusted_task.future_deny_rule","collections": ["redhat"],"description": "Warn when a task matches a deny rule that has an effective_on date in the future. This provides advance notice that a task will become untrusted when the deny rule takes effect.","title": "Future deny rule will apply"}},{"msg": "Pass","metadata": {"code": "trusted_task.pinned","collections": ["redhat","redhat_rpms"],"description": "Check if all Tekton Tasks use a Task definition by a pinned reference. When using the git resolver, a commit ID is expected for the revision parameter. When using the bundles resolver, the bundle parameter is expected to include an image reference with a digest.","effective_on": "2024-05-07T00:00:00Z","title": "Task references are pinned"}},{"msg": "Pass","metadata": {"code": "trusted_task.tagged","collections": ["redhat","redhat_rpms"],"description": "Check if all Tekton Tasks defined with the bundle format contain a tag reference.","effective_on": "2024-05-07T00:00:00Z","title": "Task references are tagged"}},{"msg": "Pass","metadata": {"code": "trusted_task.trusted","collections": ["redhat"],"description": "Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. 
The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted.","effective_on": "2024-05-07T00:00:00Z","title": "Tasks are trusted"}},{"msg": "Pass","metadata": {"code": "trusted_task.trusted_parameters","collections": ["redhat"],"description": "Confirm certain parameters provided to each builder Task have come from trusted Tasks. Trust can be defined using pattern-based rules (trusted_task_rules) or an explicit allow list with expiry dates (trusted_tasks).","effective_on": "2021-07-04T00:00:00Z","title": "Trusted parameters"}},{"msg": "Pass","metadata": {"code": "trusted_task.valid_trusted_artifact_inputs","collections": ["redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "All input trusted artifacts must be produced on the pipeline. If they are not the artifact could have been injected by a rogue task.","title": "Trusted Artifact produced in pipeline"}},{"msg": "Pass","metadata": {"code": "volatile_config.expired_rule","collections": ["minimal","redhat"],"description": "Generates a warning when a volatile configuration rule has passed its effectiveUntil date. Expired rules are no longer active and should be removed from the policy configuration.","title": "Volatile rule has expired"}},{"msg": "Pass","metadata": {"code": "volatile_config.expiring_rule","collections": ["minimal","redhat"],"description": "Generates a warning when a volatile configuration rule will expire within the configured warning threshold (default 30 days). 
This provides advance notice to extend or replace the rule before it expires.","title": "Volatile rule expiring soon"}},{"msg": "Pass","metadata": {"code": "volatile_config.invalid_config","collections": ["minimal","redhat"],"description": "Generates a warning when a volatile configuration rule has invalid date values that cannot be parsed. This indicates a configuration error that should be corrected.","title": "Volatile rule has invalid configuration"}},{"msg": "Pass","metadata": {"code": "volatile_config.no_expiration","collections": ["minimal","redhat"],"description": "Generates a warning when a volatile configuration rule has no effectiveUntil date set. Rules without expiration dates may accumulate over time and should be periodically reviewed.","title": "Volatile rule has no expiration"}},{"msg": "Pass","metadata": {"code": "volatile_config.pending_rule","collections": ["minimal","redhat"],"description": "Generates a warning when a volatile configuration rule has an effectiveOn date in the future, indicating it will become active at that time.","title": "Volatile rule pending activation"}}],"success": true,"signatures": [{"keyid": "","sig": "MEUCIDClKcqP9YPbxNqrjMmnHiaOfanitDdnBlhFmjQ6BLtJAiEArcCsnbdruYcO3+U0I5lWaU61uOUyU+wfbEj0L+ZR+L0="},{"keyid": "", "sig": "MEUCIQCpjCHf1LOrOwwyEkcivoYaDzQBLYDerGUXEJvjlVBnmgIgG5Zk2eQpGhuw2sfOQZbwrB8d3fp5JdZcemQw426vGwg="}],"attestations": [{"type": "https://in-toto.io/Statement/v0.1","predicateType": "https://slsa.dev/provenance/v0.2","predicateBuildType": "tekton.dev/v1/PipelineRun","signatures": [{"keyid": "SHA256:IhiN7gY+Z3uSSd7tmj6w5Zfhqafzdhm3DZjIvGc6iYY","sig": "MEUCIFDe/HK4zGEf6ReCdi9lKIHt+F3RAQVbVz+9njVgeByoAiEA07g5JSnXBDpV2QlW7s4GuY7DoGVO8rwgOzJDsFR4Vhg="}]}]},{"name": "","containerImage": "quay.io/konflux-ci/ec-golden-image@sha256:0e61e9c81f2e5f05c82aa07135835be5c14e5d4fb7e49734cc581c3856875c8d","source": {},"warnings": [{"msg": "The Task \"ecosystem-cert-preflight-checks\" from the build Pipeline reports a failed 
informative test","metadata": {"code": "test.no_failed_informative_tests","collections": ["redhat"],"depends_on": ["test.test_data_found"],"description": "Produce a warning if any informative tests have their result set to \"FAILED\". The result type is configurable by the \"failed_tests_results\" key, and the list of informative tests is configurable by the \"informative_tests\" key in the rule data.","solution": "There is a test that failed. Make sure that any task in the build pipeline with a result named 'TEST_OUTPUT' does not fail. More information about the test should be available in the logs for the build Pipeline.","term": "ecosystem-cert-preflight-checks","title": "No informative tests failed"}},{"msg": "A newer version of task \"build-image-index\" exists. Please update before 2026-08-22T00:00:00Z. The current bundle is \"oci://quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.3@sha256:b33bfa8dc27dbf459f0779598ba45dcaa490bcc9f8efe1652bcf360ec8cb5582\" and the latest bundle ref is \"sha256:0b4251ea0fab38be2b1441bea2788220d4cf2963ffb854a0ed90992fbabbe122\"","metadata": {"code": "trusted_task.current","collections": ["redhat","redhat_rpms"],"description": "Check if all Tekton Tasks use the latest known Task reference. When warnings will be reported can be configured using the `task_expiry_warning_days` rule data setting. It holds the number of days before the task is to expire within which the warnings will be reported.","solution": "Update the Task reference to a newer version.","term": "build-image-index","title": "Tasks using the latest versions"}},{"msg": "A newer version of task \"build-container\" exists. Please update before 2026-08-02T00:00:00Z. 
The current bundle is \"oci://quay.io/konflux-ci/tekton-catalog/task-buildah-remote-oci-ta:0.9@sha256:77007259cc87f32d63d2c201226aadaab98313cfd4e02b46abc243c4d2cc27bd\" and the latest bundle ref is \"sha256:148347cf1a291bc3ebe0700d7f61c12f7f4d5e78e59a162f5e622ad67106c4a9\"","metadata": {"code": "trusted_task.current","collections": ["redhat","redhat_rpms"],"description": "Check if all Tekton Tasks use the latest known Task reference. When warnings will be reported can be configured using the `task_expiry_warning_days` rule data setting. It holds the number of days before the task is to expire within which the warnings will be reported.","solution": "Update the Task reference to a newer version.","term": "buildah-remote-oci-ta","title": "Tasks using the latest versions"}},{"msg": "A newer version of task \"clair-scan\" exists. Please update before 2026-08-22T00:00:00Z. The current bundle is \"oci://quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.3@sha256:8fad4c2e2f470f82ee43d6b2ac72327b4d9c6e9cb514a678911c1c9359c29894\" and the latest bundle ref is \"sha256:9ff424d913dd7681031a93d8bdbed622cd5536633f8ed0dbb4a9021055cf9d21\"","metadata": {"code": "trusted_task.current","collections": ["redhat","redhat_rpms"],"description": "Check if all Tekton Tasks use the latest known Task reference. When warnings will be reported can be configured using the `task_expiry_warning_days` rule data setting. It holds the number of days before the task is to expire within which the warnings will be reported.","solution": "Update the Task reference to a newer version.","term": "clair-scan","title": "Tasks using the latest versions"}},{"msg": "A newer version of task \"clamav-scan\" exists. Please update before 2026-08-28T00:00:00Z. 
The current bundle is \"oci://quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.3@sha256:567cb66bd2e1f4b58b9d4d756f3317fc62479e0b40aa0de66094b1f12d296cfc\" and the latest bundle ref is \"sha256:53a02326bfb930ca5ef6bfa7a33acca833d57752f34f3cb79255fe2e25e7d217\"","metadata": {"code": "trusted_task.current","collections": ["redhat","redhat_rpms"],"description": "Check if all Tekton Tasks use the latest known Task reference. When warnings will be reported can be configured using the `task_expiry_warning_days` rule data setting. It holds the number of days before the task is to expire within which the warnings will be reported.","solution": "Update the Task reference to a newer version.","term": "clamav-scan","title": "Tasks using the latest versions"}},{"msg": "A newer version of task \"ecosystem-cert-preflight-checks\" exists. Please update before 2026-08-08T00:00:00Z. The current bundle is \"oci://quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:88f4fd6d7812a3c46f120f3035974f5fb8cb06b5e3e927badf6e8370f1516a88\" and the latest bundle ref is \"sha256:3c4f60ebda2225eff6a6bc387d9bbd443f1264d756bf385f97cc684992e904a0\"","metadata": {"code": "trusted_task.current","collections": ["redhat","redhat_rpms"],"description": "Check if all Tekton Tasks use the latest known Task reference. When warnings will be reported can be configured using the `task_expiry_warning_days` rule data setting. It holds the number of days before the task is to expire within which the warnings will be reported.","solution": "Update the Task reference to a newer version.","term": "ecosystem-cert-preflight-checks","title": "Tasks using the latest versions"}},{"msg": "A newer version of task \"clone-repository\" exists. Please update before 2026-08-24T00:00:00Z. 
The current bundle is \"oci://quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.1@sha256:d30f13dd15daf89dd6dc645243b3444d35570d13f7840c3fd65e366022515205\" and the latest bundle ref is \"sha256:a11dac7d914d0165362cdcc4c50860a30320f59a32ed0778bf895004d3f74591\"","metadata": {"code": "trusted_task.current","collections": ["redhat","redhat_rpms"],"description": "Check if all Tekton Tasks use the latest known Task reference. When warnings will be reported can be configured using the `task_expiry_warning_days` rule data setting. It holds the number of days before the task is to expire within which the warnings will be reported.","solution": "Update the Task reference to a newer version.","term": "git-clone-oci-ta","title": "Tasks using the latest versions"}},{"msg": "A newer version of task \"prefetch-dependencies\" exists. Please update before 2026-08-02T00:00:00Z. The current bundle is \"oci://quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.3@sha256:3dc78afbf3a441e0280067433cb28ea3d2d0088ec214c73bf063f145b4f273ef\" and the latest bundle ref is \"sha256:92956e75cd4714286f9c0c043f5301d1c0df1d750884edeceee87e0a91cc1975\"","metadata": {"code": "trusted_task.current","collections": ["redhat","redhat_rpms"],"description": "Check if all Tekton Tasks use the latest known Task reference. When warnings will be reported can be configured using the `task_expiry_warning_days` rule data setting. It holds the number of days before the task is to expire within which the warnings will be reported.","solution": "Update the Task reference to a newer version.","term": "prefetch-dependencies-oci-ta","title": "Tasks using the latest versions"}},{ "msg": "A newer version of task \"push-dockerfile\" exists. Please update before 2026-08-24T00:00:00Z. 
The current bundle is \"oci://quay.io/konflux-ci/tekton-catalog/task-push-dockerfile-oci-ta:0.3@sha256:7855471abfe87de080b914f2f3ca27c59e64f6448a7c2435e51435b764494c71\" and the latest bundle ref is \"sha256:581ddbb0b8dc388678cea65b9b3b6265db59f6de1d473006fb84fb0b456886bd\"","metadata": {"code": "trusted_task.current","collections": ["redhat","redhat_rpms"],"description": "Check if all Tekton Tasks use the latest known Task reference. When warnings will be reported can be configured using the `task_expiry_warning_days` rule data setting. It holds the number of days before the task is to expire within which the warnings will be reported.","solution": "Update the Task reference to a newer version.","term": "push-dockerfile-oci-ta","title": "Tasks using the latest versions"}},{"msg": "A newer version of task \"sast-shell-check\" exists. Please update before 2026-08-03T00:00:00Z. The current bundle is \"oci://quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta:0.1@sha256:3cbb3535af6e7d4396858179a6427caaffb2e68775594795692fc01f28ae313f\" and the latest bundle ref is \"sha256:fc685d6f7dfb7c9ab2f2db38bbe2c8d383407847350ccd8b96352322c487b13c\"","metadata": {"code": "trusted_task.current","collections": ["redhat","redhat_rpms"],"description": "Check if all Tekton Tasks use the latest known Task reference. When warnings will be reported can be configured using the `task_expiry_warning_days` rule data setting. It holds the number of days before the task is to expire within which the warnings will be reported.","solution": "Update the Task reference to a newer version.","term": "sast-shell-check-oci-ta","title": "Tasks using the latest versions"}},{"msg": "A newer version of task \"sast-snyk-check\" exists. Please update before 2026-08-03T00:00:00Z. 
The current bundle is \"oci://quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta:0.4@sha256:0ebf28a0abd5a167438d4628938a74ade6f00a44a4b7ed1cfa9cfc57a5b24748\" and the latest bundle ref is \"sha256:8d794f3c04de1b47b76f9e48a2be19520568d8b467598976cbd440c44532f970\"","metadata": {"code": "trusted_task.current","collections": ["redhat","redhat_rpms"],"description": "Check if all Tekton Tasks use the latest known Task reference. When warnings will be reported can be configured using the `task_expiry_warning_days` rule data setting. It holds the number of days before the task is to expire within which the warnings will be reported.","solution": "Update the Task reference to a newer version.","term": "sast-snyk-check-oci-ta","title": "Tasks using the latest versions"}},{"msg": "A newer version of task \"sast-unicode-check\" exists. Please update before 2026-08-03T00:00:00Z. The current bundle is \"oci://quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta:0.4@sha256:223812001607b07f0e07d56bef7b7d619144e660c0c57f21ddd44ce0c8c4785b\" and the latest bundle ref is \"sha256:5807ffe3a0cca5cf970076bbc7a404642cc6e3eebe64e9e5e6a4f20da740bf73\"","metadata": {"code": "trusted_task.current","collections": ["redhat","redhat_rpms"],"description": "Check if all Tekton Tasks use the latest known Task reference. When warnings will be reported can be configured using the `task_expiry_warning_days` rule data setting. It holds the number of days before the task is to expire within which the warnings will be reported.","solution": "Update the Task reference to a newer version.","term": "sast-unicode-check-oci-ta","title": "Tasks using the latest versions"}},{"msg": "A newer version of task \"build-source-image\" exists. Please update before 2026-08-24T00:00:00Z. 
The current bundle is \"oci://quay.io/konflux-ci/tekton-catalog/task-source-build-oci-ta:0.3@sha256:8567bb7bf8fa9147c96b297533336fa7079ecf972cb86c09ccdd6bddedb25711\" and the latest bundle ref is \"sha256:d8115c74aed42fe9b1b3df149c534ced09f33c7bc6e51449bcaf8ec50699b8a0\"","metadata": {"code": "trusted_task.current","collections": ["redhat","redhat_rpms"],"description": "Check if all Tekton Tasks use the latest known Task reference. When warnings will be reported can be configured using the `task_expiry_warning_days` rule data setting. It holds the number of days before the task is to expire within which the warnings will be reported.","solution": "Update the Task reference to a newer version.","term": "source-build-oci-ta","title": "Tasks using the latest versions"}}],"successes": [{"msg": "Pass","metadata": {"code": "attestation_type.deprecated_policy_attestation_format","collections": ["minimal","redhat","redhat_rpms"],"description": "The Conforma CLI now places the attestation data in a different location. 
This check fails if the expected new format is not found.","effective_on": "2023-08-31T00:00:00Z","title": "Deprecated policy attestation format"}},{"msg": "Pass","metadata": {"code": "attestation_type.known_attestation_type","collections": ["minimal","redhat","redhat_rpms","slsa3"],"depends_on": ["attestation_type.pipelinerun_attestation_found"],"description": "Confirm the attestation found for the image has a known attestation type.","title": "Known attestation type found"}},{"msg": "Pass","metadata": {"code": "attestation_type.known_attestation_types_provided","collections": ["minimal","redhat","redhat_rpms","policy_data"],"description": "Confirm the `known_attestation_types` rule data was provided.","title": "Known attestation types provided"}},{"msg": "Pass","metadata": {"code": "attestation_type.pipelinerun_attestation_found","collections": ["minimal","redhat","redhat_rpms","slsa3"],"description": "Confirm at least one PipelineRun attestation is present.","title": "PipelineRun attestation found"}},{"msg": "Pass","metadata": {"code": "base_image_registries.allowed_registries_provided","collections": ["minimal","redhat","policy_data"],"description": "Confirm the `allowed_registry_prefixes` rule data was provided, since it's required by the policy rules in this package.","title": "Allowed base image registry prefixes list was provided"}},{"msg": "Pass","metadata": {"code": "base_image_registries.base_image_info_found","collections": ["minimal","redhat"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify the expected information was provided about which base images were used during the build process. 
The list of base images comes from any associated CycloneDX or SPDX SBOMs.","title": "Base images provided"}},{"msg": "Pass","metadata": {"code": "base_image_registries.base_image_permitted","collections": ["minimal","redhat"],"depends_on": ["base_image_registries.base_image_info_found","base_image_registries.allowed_registries_provided"],"description": "Verify that the base images used when building a container image come from a known set of trusted registries to reduce potential supply chain attacks. By default this policy defines trusted registries as registries that are fully maintained by Red Hat and only contain content produced by Red Hat. The list of permitted registries can be customized by setting the `allowed_registry_prefixes` list in the rule data. Base images that are found in the snapshot being validated are also allowed since EC will also validate those images individually.","title": "Base image comes from permitted registry"}},{"msg": "Pass","metadata": {"code": "base_image_registries.base_image_permitted","collections": ["minimal","redhat"],"depends_on": ["base_image_registries.base_image_info_found","base_image_registries.allowed_registries_provided"], "description": "Verify that the base images used when building a container image come from a known set of trusted registries to reduce potential supply chain attacks. By default this policy defines trusted registries as registries that are fully maintained by Red Hat and only contain content produced by Red Hat. The list of permitted registries can be customized by setting the `allowed_registry_prefixes` list in the rule data. 
Base images that are found in the snapshot being validated are also allowed since EC will also validate those images individually.","title": "Base image comes from permitted registry"}},{"msg": "Pass","metadata": {"code": "buildah_build_task.add_capabilities_param","collections": ["redhat"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify the ADD_CAPABILITIES parameter of a builder Tasks was not used.","effective_on": "2024-08-31T00:00:00Z","title": "ADD_CAPABILITIES parameter"}},{"msg": "Pass","metadata": {"code": "buildah_build_task.buildah_uses_local_dockerfile","collections": ["redhat"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify the Dockerfile used in the buildah task was not fetched from an external source.","title": "Buildah task uses a local Dockerfile"}},{"msg": "Pass","metadata": {"code": "buildah_build_task.disallowed_platform_patterns_pattern","collections": ["redhat","policy_data"],"description": "Confirm the `disallowed_platform_patterns` rule data, if provided matches the expected format.","title": "disallowed_platform_patterns format"}},{"msg": "Pass","metadata": {"code": "buildah_build_task.platform_param","collections": ["redhat"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify the value of the PLATFORM parameter of a builder Task is allowed by matching against a list of disallowed patterns. The list of patterns can be customized via the `disallowed_platform_patterns` rule data key. 
If empty, all values are allowed.","effective_on": "2024-09-01T00:00:00Z","title": "PLATFORM parameter"}},{"msg": "Pass","metadata": {"code": "buildah_build_task.privileged_nested_param","collections": ["redhat"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify the PRIVILEGED_NESTED parameter of a builder Tasks was not set to `true`.","title": "PRIVILEGED_NESTED parameter"}},{"msg": "Pass","metadata": {"code": "builtin.attestation.signature_check","description": "The attestation signature matches available signing materials.","title": "Attestation signature check passed"}},{"msg": "Pass","metadata": {"code": "builtin.attestation.syntax_check","description": "The attestation has correct syntax.","title": "Attestation syntax check passed"}},{"msg": "Pass","metadata": {"code": "builtin.image.signature_check","description": "The image signature matches available signing materials.","title": "Image signature check passed"}},{"msg": "Pass","metadata": {"code": "cve.cve_blockers","collections": ["minimal","redhat"],"depends_on": ["cve.cve_results_found"],"description": "The SLSA Provenance attestation for the image is inspected to ensure CVEs that have a known fix and meet a certain security level have not been detected. If detected, this policy rule will fail. By default, only CVEs of critical and high security level cause a failure. This is configurable by the rule data key `restrict_cve_security_levels`. The available levels are critical, high, medium, low, and unknown. 
In addition to that leeway can be granted per severity using the `cve_leeway` rule data key containing days of allowed leeway, measured as time between found vulnerability's public disclosure date and current effective time, per severity level.","title": "Blocking CVE check"}},{"msg": "Pass","metadata": {"code": "cve.cve_warnings","collections": ["minimal","redhat"],"depends_on": ["cve.cve_results_found"],"description": "The SLSA Provenance attestation for the image is inspected to ensure CVEs that have a known fix and meet a certain security level have not been detected. If detected, this policy rule will raise a warning. By default, the list of CVE security levels used by this policy is empty. However, this is configurable by the rule data key `warn_cve_security_levels`. The available levels are critical, high, medium, low, and unknown.","title": "Non-blocking CVE check"}},{"msg": "Pass","metadata": {"code": "cve.rule_data_provided","collections": ["minimal","redhat","policy_data"],"description": "Confirm the expected rule data keys have been provided in the expected format. The keys are `restrict_cve_security_levels`,\t`warn_cve_security_levels`, `restrict_unpatched_cve_security_levels`, and `warn_unpatched_cve_security_levels`.","title": "Rule data provided"}},{"msg": "Pass","metadata": {"code": "cve.unpatched_cve_blockers","collections": ["minimal","redhat"],"depends_on": ["cve.cve_results_found"],"description": "The SLSA Provenance attestation for the image is inspected to ensure CVEs that do NOT have a known fix and meet a certain security level have not been detected. If detected, this policy rule will fail. By default, the list of security levels used by this policy is empty. This is configurable by the rule data key `restrict_unpatched_cve_security_levels`. The available levels are critical, high, medium, low, and unknown. 
In addition to that leeway can be granted per severity using the `cve_leeway` rule data key containing days of allowed leeway, measured as time between found vulnerability's public disclosure date and current effective time, per severity level.","title": "Blocking unpatched CVE check"}},{"msg": "Pass","metadata": {"code": "cve.unpatched_cve_warnings","collections": ["minimal","redhat"],"depends_on": ["cve.cve_results_found"],"description": "The SLSA Provenance attestation for the image is inspected to ensure CVEs that do NOT have a known fix and meet a certain security level have not been detected. If detected, this policy rule will raise a warning. By default, only CVEs of critical and high security level cause a warning. This is configurable by the rule data key `warn_unpatched_cve_security_levels`. The available levels are critical, high, medium, low, and unknown.","title": "Non-blocking unpatched CVE check"}},{"msg": "Pass","metadata": {"code": "hermetic_task.hermetic","collections": ["redhat"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify the task in the PipelineRun attestation was invoked with the proper parameters to make the task execution hermetic.","title": "Task called with hermetic param set"}},{"msg": "Pass","metadata": {"code": "labels.deprecated_labels","collections": ["redhat"],"description": "Check the image for the presence of labels that have been deprecated. Use the rule data key `deprecated_labels` to set the list of labels to check.","title": "Deprecated labels"}},{"msg": "Pass","metadata": {"code": "labels.disallowed_inherited_labels","collections": ["redhat"],"description": "Check that certain labels on the image have different values than the labels from the parent image. If the label is inherited from the parent image but not redefined for the image, it will contain an incorrect value for the image. 
Use the rule data `disallowed_inherited_labels` key to set the list of labels to check, or the `fbc_disallowed_inherited_labels` key for fbc images.","title": "Disallowed inherited labels"}},{"msg": "Pass","metadata": {"code": "labels.inaccessible_config","collections": ["redhat"],"description": "The image config is not accessible.","title": "Inaccessible image config"}},{"msg": "Pass","metadata": {"code": "labels.inaccessible_manifest","collections": ["redhat"],"description": "The image manifest is not accessible.","title": "Inaccessible image manifest"}},{"msg": "Pass","metadata": {"code": "labels.inaccessible_parent_config","collections": ["redhat"],"description": "The parent image config is not accessible.", "title": "Inaccessible parent image config"}},{"msg": "Pass","metadata": {"code": "labels.inaccessible_parent_manifest","collections": ["redhat"],"description": "The parent image manifest is not accessible.","title": "Inaccessible parent image manifest"}},{"msg": "Pass","metadata": {"code": "labels.optional_labels","collections": ["redhat"],"description": "Check the image for the presence of labels that are recommended, but not required. Use the rule data `optional_labels` key to set the list of labels to check, or the `fbc_optional_labels` key for fbc images.","title": "Optional labels"}},{"msg": "Pass","metadata": {"code": "labels.required_labels","collections": ["redhat"],"description": "Check the image for the presence of labels that are required. Use the rule data `required_labels` key to set the list of labels to check, or the `fbc_required_labels` key for fbc images.","title": "Required labels"}},{"msg": "Pass","metadata": {"code": "labels.rule_data_provided","collections": ["redhat","policy_data"],"description": "Confirm the expected rule data keys have been provided in the expected format. 
The keys are `required_labels`,\t`fbc_required_labels`, `optional_labels`, `fbc_optional_labels`, `disallowed_inherited_labels`, `fbc_disallowed_inherited_labels`, and `deprecated_labels`.","title": "Rule data provided"}},{"msg": "Pass","metadata": {"code": "olm.allowed_registries","collections": ["redhat"],"description": "Each image referenced by the OLM bundle should match an entry in the list of prefixes defined by the rule data key `allowed_olm_image_registry_prefixes` in your policy configuration.","effective_on": "2024-09-01T00:00:00Z","title": "Images referenced by OLM bundle are from allowed registries"}},{"msg": "Pass","metadata": {"code": "olm.allowed_registries_related","collections": ["redhat"],"description": "Each image indicated as a related image should match an entry in the list of prefixes defined by the rule data key `allowed_olm_image_registry_prefixes` in your policy configuration.","effective_on": "2025-04-15T00:00:00Z","title": "Related images references are from allowed registries"}},{"msg": "Pass","metadata": {"code": "olm.allowed_resource_kinds","collections": ["redhat"],"description": "Every manifest in an OLM bundle must be of an allowed resource kind, as defined by the rule data key `allowed_olm_resource_kinds`.","title": "OLM bundle image manifests contain only allowed resource kinds"}},{"msg": "Pass","metadata": {"code": "olm.csv_semver_format","collections": ["redhat"],"description": "Check the `spec.version` value in the ClusterServiceVersion manifest of the OLM bundle uses a properly formatted semver.","title": "ClusterServiceVersion semver format"}},{"msg": "Pass","metadata": {"code": "olm.feature_annotations_format","collections": ["redhat"],"description": "Check the feature annotations in the ClusterServiceVersion manifest of the OLM bundle. All of required feature annotations must be present and set to either the string `\"true\"` or the string `\"false\"`. 
The list of feature annotations can be customize via the `required_olm_features_annotations` rule data.","title": "Feature annotations have expected value"}},{"msg": "Pass","metadata": {"code": "olm.inaccessible_related_images","collections": ["redhat"],"description": "Check the input image for the presence of related images. Ensure that all images are accessible.","effective_on": "2025-03-10T00:00:00Z","title": "Unable to access related images for a component"}},{"msg": "Pass","metadata": {"code": "olm.olm_bundle_multi_arch","collections": ["redhat"],"description": "OLM bundle images should be built for a single architecture. They should not be OCI image indexes nor should they be Docker v2s2 manifest lists.","effective_on": "2025-05-01T00:00:00Z","title": "OLM bundle images are not multi-arch"}},{"msg": "Pass","metadata": {"code": "olm.required_network_policy_rbac_for_operands","collections": ["redhat"],"description": "Operators are required to manage the network policies of their operands. This rule verifies that operator bundles request sufficient RBAC permissions to manage NetworkPolicy lifecycle (create, delete, and update/patch) for networking.k8s.io/networkpolicies in their ClusterServiceVersion. 
Bundles whose operator name and major.minor version are listed in the `operator_network_policy_rbac_exceptions` rule data key are exempt from this requirement.","effective_on": "2026-08-07T00:00:00Z","title": "NetworkPolicy RBAC present in OLM bundle"}},{"msg": "Pass","metadata": {"code": "olm.required_olm_features_annotations_provided","collections": ["redhat","policy_data"],"description": "Confirm the `required_olm_features_annotations` rule data was provided, since it's required by the policy rules in this package.","title": "Required OLM feature annotations list provided"}},{"msg": "Pass","metadata": {"code": "olm.subscriptions_annotation_format","collections": ["redhat"],"description": "Check the value of the operators.openshift.io/valid-subscription annotation from the ClusterServiceVersion manifest is in the expected format, i.e. JSON encoded non-empty array of strings.","effective_on": "2024-04-18T00:00:00Z","title": "Subscription annotation has expected value"}},{"msg": "Pass","metadata": {"code": "olm.unmapped_references","collections": ["redhat"],"description": "Check the OLM bundle image for the presence of unmapped image references. Unmapped image pull references are references to images found in link:https://osbs.readthedocs.io/en/latest/users.html#pullspec-locations[varying locations] that are either not in the RPA about to be released or not accessible already.","effective_on": "2024-08-15T00:00:00Z","title": "Unmapped images in OLM bundle"}},{"msg": "Pass","metadata": {"code": "olm.unpinned_references","collections": ["redhat"],"description": "Check the OLM bundle image for the presence of unpinned image references. 
Unpinned image pull references are references to images found in link:https://osbs.readthedocs.io/en/latest/users.html#pullspec-locations[varying locations] that do not contain a digest -- uniquely identifying the version of the image being pulled.","title": "Unpinned images in OLM bundle"}},{"msg": "Pass","metadata": {"code": "olm.unpinned_related_images","collections": ["redhat"],"description": "Check the input image for the presence of related images. Ensure all related image references include a digest.","title": "Unpinned related images for a component"}},{"msg": "Pass","metadata": {"code": "olm.unpinned_snapshot_references","collections": ["redhat"],"description": "Check the input snapshot for the presence of unpinned image references. Unpinned image pull references are references to images that do not contain a digest -- uniquely identifying the version of the image being pulled.","effective_on": "2024-08-15T00:00:00Z","title": "Unpinned images in input snapshot"}},{"msg": "Pass","metadata": {"code": "pre_build_script_task.pre_build_script_task_runner_image_allowed","collections": ["redhat"],"depends_on": ["attestation_type.known_attestation_type","base_image_registries.allowed_registries_provided"],"description": "Verify that the images used to run the pre-build script tasks come from a known set of trusted registries to reduce potential supply chain attacks. By default this policy defines trusted registries as registries that are fully maintained by Red Hat and only contain content produced by Red Hat. 
The list of allowed registries can be customized by setting the `allowed_registry_prefixes` list in the rule data.","title": "Script runner image comes from allowed registry"}},{"msg": "Pass","metadata": {"code": "pre_build_script_task.pre_build_script_task_runner_image_allowed","collections": ["redhat"],"depends_on": ["attestation_type.known_attestation_type","base_image_registries.allowed_registries_provided"], "description": "Verify that the images used to run the pre-build script tasks come from a known set of trusted registries to reduce potential supply chain attacks. By default this policy defines trusted registries as registries that are fully maintained by Red Hat and only contain content produced by Red Hat. The list of allowed registries can be customized by setting the `allowed_registry_prefixes` list in the rule data.","title": "Script runner image comes from allowed registry"}},{"msg": "Pass","metadata": {"code": "pre_build_script_task.pre_build_script_task_runner_image_in_results","collections": ["redhat"],"description": "Verify that the image used to run the pre-build script task is listed in the task result SCRIPT_RUNNER_IMAGE_REFERENCE","title": "Script runner image is listed in the task results"}},{"msg": "Pass","metadata": {"code": "pre_build_script_task.pre_build_script_task_runner_image_in_sbom","collections": ["redhat"],"description": "Verify that the image used to run the pre-build script task is included in the SBOM","title": "Script runner image is included in the sbom"}},{"msg": "Pass","metadata": {"code": "pre_build_script_task.valid_pre_build_script_task_runner_image_ref","collections": ["redhat"],"description": "Verify that a valid image reference is specified as image being used to run the pre-build script task","title": "Script runner image is a valid image reference"}},{"msg": "Pass","metadata": {"code": "prefetch_dependencies.mode_not_permissive","collections": ["redhat"],"depends_on": 
["attestation_type.known_attestation_type"],"description": "Verify the prefetch-dependencies task in the PipelineRun attestation was not invoked with the \"permissive\" mode parameter, which could compromise security.","title": "Prefetch dependencies mode parameter check"}},{"msg": "Pass","metadata": {"code": "prefetch_dependencies.package_registry_proxy_enabled","collections": ["redhat"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify that prefetch-dependencies tasks have the enable-package-registry-proxy parameter set to true. This ensures that dependency prefetching uses the package registry proxy.","effective_on": "2026-05-13T00:00:00Z","title": "Prefetch task has package registry proxy enabled"}},{"msg": "Pass","metadata": {"code": "provenance_materials.git_clone_source_matches_provenance","collections": ["minimal","redhat","redhat_rpms"],"depends_on": ["provenance_materials.git_clone_task_found"],"description": "Confirm that the result of the git-clone task is included in the materials section of the SLSA provenance attestation.","title": "Git clone source matches materials provenance"}},{"msg": "Pass","metadata": {"code": "provenance_materials.git_clone_task_found","collections": ["minimal","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Confirm that the attestation contains a git-clone task with `commit` and `url` task results.","title": "Git clone task found"}},{"msg": "Pass","metadata": {"code": "quay_expiration.expires_label","collections": ["redhat"],"description": "Check the image metadata for the presence of a \"quay.expires-after\" label. If it's present then produce a violation. 
This check is enforced only for a \"release\", \"production\", or \"staging\" pipeline, as determined by the value of the `pipeline_intention` rule data.","title": "Expires label"}},{"msg": "Pass","metadata": {"code": "rpm_ostree_task.builder_image_param","collections": ["redhat"],"description": "Verify the BUILDER_IMAGE parameter of the rpm-ostree Task uses an image reference that is both pinned to a digest and starts with a pre-defined list of prefixes. By default, the list of prefixes is empty allowing any pinned image reference to be used. This is customizable via the `allowed_rpm_ostree_builder_image_prefixes` rule data.","effective_on": "2024-03-20T00:00:00Z","title": "Builder image parameter"}},{"msg": "Pass","metadata": {"code": "rpm_ostree_task.rule_data","collections": ["redhat"],"description": "Verify the rule data used by this package, `allowed_rpm_ostree_builder_image_prefixes`, is in the expected format.","title": "Rule data"}},{"msg": "Pass","metadata": {"code": "rpm_packages.unique_version","collections": ["redhat"],"description": "Check if a multi-arch build has the same RPM versions installed across each different architecture. This check only applies for Image Indexes, aka multi-platform images. Use the `non_unique_rpm_names` rule data key to ignore certain RPMs.","title": "Unique Version"}},{"msg": "Pass","metadata": {"code": "rpm_repos.ids_known","collections": ["redhat","redhat_rpms"],"description": "Each RPM package listed in an SBOM must specify the repository id that it comes from, and that repository id must be present in the list of known and permitted repository ids. 
Currently this is rule enforced only for SBOM components created by cachi2.","effective_on": "2024-11-10T00:00:00Z","title": "All rpms have known repo ids"}},{"msg": "Pass","metadata": {"code": "rpm_repos.rule_data_provided","collections": ["redhat","redhat_rpms","policy_data"],"description": "A list of known and permitted repository ids should be available in the rule data.","title": "Known repo id list provided"}},{"msg": "Pass","metadata": {"code": "rpm_signature.allowed","collections": ["redhat","redhat_rpms"],"description": "The SLSA Provenance attestation for the image is inspected to ensure RPMs have been signed by pre-defined set of signing keys. The list of signing keys can be set via the `allowed_rpm_signature_keys` rule data. Use the special value \"unsigned\" to allow unsigned RPMs.","effective_on": "2024-10-05T00:00:00Z","title": "Allowed RPM signature key"}},{"msg": "Pass","metadata": {"code": "rpm_signature.result_format","collections": ["redhat","redhat_rpms"],"description": "Confirm the format of the RPMS_DATA result is in the expected format.","effective_on": "2024-10-05T00:00:00Z","title": "Result format"}},{"msg": "Pass","metadata": {"code": "rpm_signature.rule_data_provided","collections": ["redhat","redhat_rpms","policy_data"],"description": "Confirm the expected `allowed_rpm_signature_keys` rule data key has been provided in the expected format.","effective_on": "2024-10-05T00:00:00Z","title": "Rule data provided"}},{"msg": "Pass","metadata": {"code": "sbom.disallowed_packages_provided","collections": ["redhat","policy_data","redhat_rpms"],"description": "Confirm the `disallowed_packages` and `disallowed_attributes` rule data were provided, since they are required by the policy rules in this package.","title": "Disallowed packages list is provided"}},{"msg": "Pass","metadata": {"code": "sbom.found","collections": ["minimal","redhat"],"description": "Confirm an SBOM attestation exists.","title": "Found"}},{"msg": "Pass","metadata": {"code": 
"sbom_cyclonedx.allowed","collections": ["redhat","redhat_rpms"],"description": "Confirm the CycloneDX SBOM contains only allowed packages. By default all packages are allowed. Use the \"disallowed_packages\" rule data key to provide a list of disallowed packages.","title": "Allowed"}},{"msg": "Pass","metadata": {"code": "sbom_cyclonedx.allowed_package_external_references","collections": ["redhat","redhat_rpms","policy_data"],"description": "Confirm the CycloneDX SBOM contains only packages with explicitly allowed external references. By default all external references are allowed unless the \"allowed_external_references\" rule data key provides a list of type-pattern pairs that forbid the use of any other external reference of the given type where the reference url matches the given pattern.","title": "Allowed package external references"}},{"msg": "Pass","metadata": {"code": "sbom_cyclonedx.allowed_package_sources","collections": ["redhat","redhat_rpms","policy_data"], "description": "For each of the components fetched by Hermeto which define externalReferences of type distribution, verify they are allowed based on the allowed_package_sources rule data key. By default, allowed_package_sources is empty, which means no components with such references are allowed.","effective_on": "2024-12-15T00:00:00Z","title": "Allowed package sources"}},{"msg": "Pass","metadata": {"code": "sbom_cyclonedx.allowed_proxy_urls","collections": ["redhat","policy_data"],"description": "For components found by Hermeto with a PURL type listed in proxy_enabled_purl_types that are registry dependencies (no download_url or vcs_url qualifier, not bundled), verify proxy URLs in externalReferences of type distribution with comment \"proxy URL\" match at least one pattern from allowed_proxy_url_patterns. The \"proxy_enabled_purl_types\" rule data key is a list of PURL type strings (e.g. [\"maven\", \"npm\"]). 
The \"allowed_proxy_url_patterns\" rule data key is an object mapping each PURL type string to a list of regular expression patterns (e.g. {\"maven\": [\"^https://proxy\\\\.example\\\\.com/maven/.*\"]}). If a PURL type is listed in proxy_enabled_purl_types but has no entry in allowed_proxy_url_patterns, all components of that type are denied.","effective_on": "2026-06-01T00:00:00Z","title": "Allowed proxy URLs"}},{"msg": "Pass","metadata": {"code": "sbom_cyclonedx.cdx_supported_version","collections": ["minimal","redhat","redhat_rpms"],"description": "Check that the CycloneDX SBOM specifies a supported schema version (1.4, 1.5 or 1.6).","title": "Supported Version"}},{"msg": "Pass","metadata": {"code": "sbom_cyclonedx.disallowed_package_attributes","collections": ["redhat","redhat_rpms","policy_data"],"description": "Confirm the CycloneDX SBOM contains only packages without disallowed attributes. By default all attributes are allowed. Use the \"disallowed_attributes\" rule data key to provide a list of key-value pairs that forbid the use of an attribute set to the given value. Each entry may include an optional \"except_when\" field to suppress violations when a PURL qualifier matches specified regex patterns.","effective_on": "2024-07-31T00:00:00Z","title": "Disallowed package attributes"}},{"msg": "Pass","metadata": {"code": "sbom_cyclonedx.disallowed_package_external_references","collections": ["redhat","redhat_rpms","policy_data"],"description": "Confirm the CycloneDX SBOM contains only packages without disallowed external references. By default all external references are allowed. 
Use the \"disallowed_external_references\" rule data key to provide a list of type-pattern pairs that forbid the use of an external reference of the given type where the reference url matches the given pattern.","effective_on": "2024-07-31T00:00:00Z","title": "Disallowed package external references"}},{"msg": "Pass","metadata": {"code": "sbom_cyclonedx.proxy_metadata_required","collections": ["redhat","policy_data"],"description": "For components found by Hermeto with a PURL type listed in proxy_enabled_purl_types that are registry dependencies (no download_url or vcs_url qualifier, not bundled), verify that proxy metadata is present. In CycloneDX, this means at least one externalReference with type \"distribution\" and comment \"proxy URL\" must exist.","effective_on": "2026-05-13T00:00:00Z","title": "Proxy metadata required"}},{"msg": "Pass","metadata": {"code": "sbom_cyclonedx.valid_cdx_1_4","collections": ["minimal","redhat","redhat_rpms"],"description": "Check the CycloneDX SBOM has the expected format. It verifies the CycloneDX SBOM matches the 1.4 version of the schema.","title": "Valid 1.4"}},{"msg": "Pass","metadata": {"code": "sbom_cyclonedx.valid_cdx_1_5","collections": ["minimal","redhat","redhat_rpms"],"description": "Check the CycloneDX SBOM has the expected format. It verifies the CycloneDX SBOM matches the 1.5 version of the schema.","title": "Valid 1.5"}},{"msg": "Pass","metadata": {"code": "sbom_cyclonedx.valid_cdx_1_6","collections": ["minimal","redhat","redhat_rpms"],"description": "Check the CycloneDX SBOM has the expected format. It verifies the CycloneDX SBOM matches the 1.6 version of the schema.","title": "Valid 1.6"}},{"msg": "Pass","metadata": {"code": "sbom_spdx.allowed","collections": ["redhat","redhat_rpms"],"description": "Confirm the SPDX SBOM contains only allowed packages. By default all packages are allowed. 
Use the \"disallowed_packages\" rule data key to provide a list of disallowed packages.","title": "Allowed"}},{"msg": "Pass","metadata": {"code": "sbom_spdx.allowed_package_external_references","collections": ["redhat","redhat_rpms","policy_data"],"description": "Confirm the SPDX SBOM contains only packages with explicitly allowed external references. By default all external references are allowed unless the \"allowed_external_references\" rule data key provides a list of type-pattern pairs that forbid the use of any other external reference of the given type where the reference url matches the given pattern.","title": "Allowed package external references"}},{"msg": "Pass","metadata": {"code": "sbom_spdx.allowed_package_sources","collections": ["redhat","redhat_rpms","policy_data"],"description": "For each of the packages fetched by Hermeto which define externalReferences, verify they are allowed based on the allowed_package_sources rule data key. By default, allowed_package_sources is empty, which means no components with such references are allowed.","effective_on": "2025-02-17T00:00:00Z","title": "Allowed package sources"}},{"msg": "Pass","metadata": {"code": "sbom_spdx.allowed_proxy_urls","collections": ["redhat","policy_data"],"description": "For packages found by Hermeto with a PURL type listed in proxy_enabled_purl_types that are registry dependencies (no download_url or vcs_url qualifier, not bundled), verify each proxy URL in sourceInfo matches at least one pattern from allowed_proxy_url_patterns. Hermeto records proxy URLs in the sourceInfo field, semicolon-separated when multiple proxies are used. The \"proxy_enabled_purl_types\" rule data key is a list of PURL type strings (e.g. [\"maven\", \"npm\"]). The \"allowed_proxy_url_patterns\" rule data key is an object mapping each PURL type string to a list of regular expression patterns (e.g. {\"maven\": [\"^https://proxy\\\\.example\\\\.com/maven/.*\"]}). 
If a PURL type is listed in proxy_enabled_purl_types but has no entry in allowed_proxy_url_patterns, all packages of that type are denied.","effective_on": "2026-06-01T00:00:00Z","title": "Allowed proxy URLs"}},{"msg": "Pass","metadata": {"code": "sbom_spdx.disallowed_package_attributes","collections": ["redhat","redhat_rpms","policy_data"],"description": "Confirm the SPDX SBOM contains only packages without disallowed attributes. By default all attributes are allowed. Use the \"disallowed_attributes\" rule data key to provide a list of key-value pairs that forbid the use of an attribute set to the given value. Each entry may include an optional \"except_when\" field to suppress violations when a PURL qualifier matches specified regex patterns.","effective_on": "2025-02-04T00:00:00Z","title": "Disallowed package attributes"}},{"msg": "Pass","metadata": {"code": "sbom_spdx.disallowed_package_external_references","collections": ["redhat","redhat_rpms","policy_data"],"description": "Confirm the SPDX SBOM contains only packages without disallowed external references. By default all external references are allowed. Use the \"disallowed_external_references\" rule data key to provide a list of type-pattern pairs that forbid the use of an external reference of the given type where the reference url matches the given pattern.","effective_on": "2024-07-31T00:00:00Z","title": "Disallowed package external references"}},{"msg": "Pass","metadata": {"code": "sbom_spdx.proxy_metadata_required","collections": ["redhat","policy_data"], "description": "For packages found by Hermeto with a PURL type listed in proxy_enabled_purl_types that are registry dependencies (no download_url or vcs_url qualifier, not bundled), verify that proxy metadata is present. 
In SPDX, the sourceInfo field must be non-empty.","effective_on": "2026-05-13T00:00:00Z","title": "Proxy metadata required"}},{"msg": "Pass","metadata": {"code": "sbom_spdx.valid","collections": ["minimal","redhat","redhat_rpms"],"description": "Check the SPDX SBOM has the expected format. It verifies the SPDX SBOM matches the 2.3 version of the schema.","title": "Valid"}},{"msg": "Pass","metadata": {"code": "schedule.date_restriction","collections": ["redhat"],"description": "Check if the current date is not allowed based on the rule data value from the key `disallowed_dates`. By default, the list is empty in which case *any* day is allowed. This check is enforced only for a \"release\" or \"production\" pipeline, as determined by the value of the `pipeline_intention` rule data.","title": "Date Restriction"}},{"msg": "Pass","metadata": {"code": "schedule.rule_data_provided","collections": ["redhat","policy_data"],"description": "Confirm the expected rule data keys have been provided in the expected format. The keys are `disallowed_weekdays` and `disallowed_dates`.","title": "Rule data provided"}},{"msg": "Pass","metadata": {"code": "schedule.weekday_restriction","collections": ["redhat"],"description": "Check if the current weekday is allowed based on the rule data value from the key `disallowed_weekdays`. By default, the list is empty in which case *any* weekday is allowed. 
This check is enforced only for a \"release\" or \"production\" pipeline, as determined by the value of the `pipeline_intention` rule data.","title": "Weekday Restriction"}},{"msg": "Pass","metadata": {"code": "slsa_build_build_service.allowed_builder_ids_provided","collections": ["slsa3","redhat","redhat_rpms","policy_data"],"description": "Confirm the `allowed_builder_ids` rule data was provided, since it is required by the policy rules in this package.","title": "Allowed builder IDs provided"}},{"msg": "Pass","metadata": {"code": "slsa_build_build_service.slsa_builder_id_accepted","collections": ["slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify that the attestation attribute predicate.builder.id is set to one of the values in the `allowed_builder_ids` rule data, e.g. \"https://tekton.dev/chains/v2\".","title": "SLSA Builder ID is known and accepted"}},{"msg": "Pass","metadata": {"code": "slsa_build_build_service.slsa_builder_id_found","collections": ["slsa3","redhat"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify that the attestation attribute predicate.builder.id is set.","title": "SLSA Builder ID found"}},{"msg": "Pass","metadata": {"code": "slsa_build_scripted_build.build_script_used","collections": ["slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify that the predicate.buildConfig.tasks.steps attribute for the task responsible for building and pushing the image is not empty.","title": "Build task contains steps"}},{"msg": "Pass","metadata": {"code": "slsa_build_scripted_build.build_task_image_results_found","collections": ["slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Confirm that a build task exists and it has the expected IMAGE_DIGEST and IMAGE_URL task results.","title": "Build task set image digest and url task results"}},{"msg": 
"Pass","metadata": {"code": "slsa_build_scripted_build.image_built_by_trusted_task","collections": ["redhat"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify the digest of the image being validated is reported by a trusted Task in its IMAGE_DIGEST result.","title": "Image built by trusted Task"}},{"msg": "Pass","metadata": {"code": "slsa_build_scripted_build.subject_build_task_matches","collections": ["slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify the subject of the attestations matches the IMAGE_DIGEST and IMAGE_URL values from the build task.","title": "Provenance subject matches build task image result"}},{"msg": "Pass","metadata": {"code": "slsa_provenance_available.allowed_predicate_types_provided","collections": ["minimal","slsa3","redhat","redhat_rpms","policy_data"],"description": "Confirm the `allowed_predicate_types` rule data was provided, since it is required by the policy rules in this package.","title": "Allowed predicate types provided"}},{"msg": "Pass","metadata": {"code": "slsa_provenance_available.attestation_predicate_type_accepted","collections": ["minimal","slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify that the predicateType field of the attestation indicates the in-toto SLSA Provenance format was used to attest the PipelineRun.","title": "Expected attestation predicate type found"}},{"msg": "Pass","metadata": {"code": "slsa_source_correlated.attested_source_code_reference","collections": ["minimal","slsa3","redhat"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Attestation contains source reference.","title": "Source reference"}},{"msg": "Pass","metadata": {"code": "slsa_source_correlated.expected_source_code_reference","collections": ["minimal","slsa3","redhat"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify that the 
provided source code reference is the one being attested.","title": "Expected source code reference"}},{"msg": "Pass","metadata": {"code": "slsa_source_correlated.rule_data_provided","collections": ["minimal","slsa3","redhat","redhat_rpms","policy_data"],"description": "Confirm the expected rule data keys have been provided in the expected format. The keys are `supported_vcs` and `supported_digests`.","title": "Rule data provided"}},{"msg": "Pass","metadata": {"code": "slsa_source_version_controlled.materials_format_okay","collections": ["minimal","slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Confirm at least one entry in the predicate.materials array of the attestation contains the expected attributes: uri and digest.sha1.","title": "Materials have uri and digest"}},{"msg": "Pass","metadata": {"code": "slsa_source_version_controlled.materials_include_git_sha","collections": ["minimal","slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Ensure that each entry in the predicate.materials array with a SHA-1 digest includes a valid Git commit SHA.","title": "Materials include git commit shas"}},{"msg": "Pass","metadata": {"code": "slsa_source_version_controlled.materials_uri_is_git_repo","collections": ["minimal","slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Ensure each entry in the predicate.materials array with a SHA-1 digest includes a valid Git URI.","title": "Material uri is a git repo"}},{"msg": "Pass","metadata": {"code": "source_image.exists","collections": ["redhat"],"description": "Verify the source container image exists.","effective_on": "2024-06-05T00:00:00Z","title": "Exists"}},{"msg": "Pass","metadata": {"code": "source_image.signed","collections": ["redhat"],"depends_on": ["source_image.exists"],"description": "Verify the source container image is signed.","effective_on": 
"2024-05-04T00:00:00Z","title": "Signed"}},{"msg": "Pass","metadata": {"code": "tasks.data_provided","collections": ["redhat","redhat_rpms","policy_data"],"description": "Confirm the expected data keys have been provided in the expected format. The keys are `pipeline-required-tasks` and `required-tasks`.","title": "Data provided"}},{"msg": "Pass","metadata": { "code": "tasks.future_required_tasks_found","collections": ["redhat","redhat_rpms"],"depends_on": ["tasks.pipeline_has_tasks"],"description": "Produce a warning when a task that will be required in the future was not included in the PipelineRun attestation.","title": "Future required tasks were found"}},{"msg": "Pass","metadata": {"code": "tasks.pinned_task_refs","collections": ["redhat"],"depends_on": ["tasks.pipeline_has_tasks"],"description": "Ensure that all Tasks in the SLSA Provenance attestation use an immuntable reference to the Task definition.","title": "Pinned Task references"}},{"msg": "Pass","metadata": {"code": "tasks.pipeline_has_tasks","collections": ["minimal","redhat","redhat_rpms","slsa3"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Ensure that at least one Task is present in the PipelineRun attestation.","title": "Pipeline run includes at least one task"}},{"msg": "Pass","metadata": {"code": "tasks.pipeline_required_tasks_list_provided","collections": ["redhat","redhat_rpms"],"depends_on": ["tasks.pipeline_has_tasks"],"description": "Produce a warning if the required tasks list rule data was not provided.","title": "Required tasks list for pipeline was provided"}},{"msg": "Pass","metadata": {"code": "tasks.required_tasks_found","collections": ["redhat"],"depends_on": ["tasks.pipeline_has_tasks"],"description": "Ensure that the set of required tasks are included in the PipelineRun attestation.","title": "All required tasks were included in the pipeline"}},{"msg": "Pass","metadata": {"code": "tasks.required_tasks_list_provided","collections": 
["redhat","redhat_rpms"],"depends_on": ["tasks.pipeline_has_tasks"],"description": "Confirm the `required-tasks` rule data was provided, since it's required by the policy rules in this package.","title": "Required tasks list was provided"}},{"msg": "Pass","metadata": {"code": "tasks.required_untrusted_task_found","collections": ["redhat","redhat_rpms"],"depends_on": ["tasks.pipeline_has_tasks"],"description": "Ensure that the all required tasks are resolved from trusted tasks.","title": "All required tasks are from trusted tasks"}},{"msg": "Pass","metadata": {"code": "tasks.successful_pipeline_tasks","collections": ["minimal","redhat","redhat_rpms","slsa3"],"depends_on": ["tasks.pipeline_has_tasks"],"description": "Ensure that all of the Tasks in the Pipeline completed successfully. Note that skipped Tasks are not taken into account and do not influence the outcome.","title": "Successful pipeline tasks"}},{"msg": "Pass","metadata": {"code": "tasks.unsupported","collections": ["redhat","redhat_rpms"],"depends_on": ["tasks.pipeline_has_tasks"],"description": "The Tekton Task used is or will be unsupported. The Task is annotated with `build.appstudio.redhat.com/expires-on` annotation marking it as unsupported after a certain date.","title": "Task version unsupported"}},{"msg": "Pass","metadata": {"code": "test.no_erred_tests","collections": ["redhat"],"depends_on": ["test.test_data_found"],"description": "Produce a violation if any tests have their result set to \"ERROR\". The result type is configurable by the \"erred_tests_results\" key in the rule data.","title": "No tests erred"}},{"msg": "Pass","metadata": {"code": "test.no_failed_tests","collections": ["redhat"],"depends_on": ["test.test_data_found"],"description": "Produce a violation if any non-informative tests have their result set to \"FAILED\". 
The result type is configurable by the \"failed_tests_results\" key, and the list of informative tests is configurable by the \"informative_tests\" key in the rule data.","title": "No tests failed"}},{"msg": "Pass","metadata": {"code": "test.no_skipped_tests","collections": ["redhat"],"depends_on": ["test.test_data_found"],"description": "Produce a violation if any tests have their result set to \"SKIPPED\". A skipped result means a pre-requirement for executing the test was not met, e.g. a license key for executing a scanner was not provided. The result type is configurable by the \"skipped_tests_results\" key in the rule data.","effective_on": "2023-12-08T00:00:00Z","title": "No tests were skipped"}},{"msg": "Pass","metadata": {"code": "test.no_test_warnings","collections": ["redhat"],"depends_on": ["test.test_data_found"],"description": "Produce a warning if any tests have their result set to \"WARNING\". The result type is configurable by the \"warned_tests_results\" key in the rule data.","title": "No tests produced warnings"}},{"msg": "Pass","metadata": {"code": "test.rule_data_provided","collections": ["redhat","policy_data"],"description": "Confirm the expected rule data keys have been provided in the expected format. 
The keys are `supported_tests_results`, `failed_tests_results`, `informative_tests`, `erred_tests_results`, `skipped_tests_results`, and `warned_tests_results`.","title": "Rule data provided"}},{"msg": "Pass","metadata": {"code": "test.test_all_images","collections": ["redhat"],"description": "Ensure that task producing the IMAGES_PROCESSED result contains the digests of the built image.","effective_on": "2024-05-29T00:00:00Z","title": "Image digest is present in IMAGES_PROCESSED result"}},{"msg": "Pass","metadata": {"code": "test.test_data_found","collections": ["redhat"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Ensure that at least one of the tasks in the pipeline includes a TEST_OUTPUT task result, which is where Conforma expects to find test result data.","title": "Test data found in task results"}},{"msg": "Pass","metadata": {"code": "test.test_results_found","collections": ["redhat"],"depends_on": ["test.test_data_found"],"description": "Each test result is expected to have a `results` key. Verify that the `results` key is present in all of the TEST_OUTPUT task results.","title": "Test data includes results key"}},{"msg": "Pass","metadata": {"code": "test.test_results_known","collections": ["redhat"],"depends_on": ["test.test_data_found"],"description": "Ensure all test data result values are in the set of known/supported result values.","title": "No unsupported test result values found"}},{"msg": "Pass","metadata": {"code": "test_attestation.no_failed_tests","collections": ["redhat"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Produce a violation if any test result attestation has a result of \"FAILED\". 
Failed test names from the attestation predicate are included in the message when available.","title": "No failed test attestations"}},{"msg": "Pass","metadata": {"code": "test_attestation.no_test_warnings","collections": ["redhat"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Produce a warning if any test result attestation has a result of \"WARNED\". Warned test names from the attestation predicate are included in the message when available.","title": "No test attestation warnings"}},{"msg": "Pass","metadata": {"code": "test_attestation.test_data_found","collections": ["redhat"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Each test result attestation must include a result field in its predicate. Verify that the result field is present.","title": "Test attestation data includes result"}},{"msg": "Pass","metadata": {"code": "test_attestation.test_result_known","collections": ["redhat"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Ensure the result field of each test result attestation is a recognized value. 
Valid values are PASSED, WARNED, and FAILED per the in-toto test-result predicate specification.","title": "No unsupported test attestation result values"}},{"msg": "Pass","metadata": {"code": "trusted_task.data","collections": ["redhat","redhat_rpms"],"description": "Confirm the `trusted_tasks` rule data was provided, since it's required by the policy rules in this package.","effective_on": "2024-05-07T00:00:00Z","title": "Task tracking data was provided"}},{"msg": "Pass",
Success: true
Result: WARNING
Violations: 0, Warnings: 39, Successes: 420
Components:
- Name: -sha256:bd819da15920ef731002630e2b2d49e03b3209ee5edae6c74f2094bb9825b7cf-arm64
  ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:bd819da15920ef731002630e2b2d49e03b3209ee5edae6c74f2094bb9825b7cf
  Violations: 0, Warnings: 13, Successes: 140
- Name: -sha256:4b8339806ff0774bdfc73676c57c6985fd311d8c8d0ea3062d13c00136f19414-amd64
  ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:4b8339806ff0774bdfc73676c57c6985fd311d8c8d0ea3062d13c00136f19414
  Violations: 0, Warnings: 13, Successes: 140
- Name:
  ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:0e61e9c81f2e5f05c82aa07135835be5c14e5d4fb7e49734cc581c3856875c8d
  Violations: 0, Warnings: 13, Successes: 140
Results:
› [Warning] test.no_failed_informative_tests
  ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:bd819da15920ef731002630e2b2d49e03b3209ee5edae6c74f2094bb9825b7cf
  Reason: The Task "ecosystem-cert-preflight-checks" from the build Pipeline reports a failed informative test
  Term: ecosystem-cert-preflight-checks
  Title: No informative tests failed
  Description: Produce a warning if any informative tests have their result set to "FAILED". The result type is configurable by the "failed_tests_results" key, and the list of informative tests is configurable by the "informative_tests" key in the rule data.
  Solution: There is a test that failed. Make sure that any task in the build pipeline with a result named 'TEST_OUTPUT' does not fail.
  More information about the test should be available in the logs for the build Pipeline.
› [Warning] trusted_task.current
  ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:bd819da15920ef731002630e2b2d49e03b3209ee5edae6c74f2094bb9825b7cf
  Reason: A newer version of task "build-image-index" exists. Please update before 2026-08-22T00:00:00Z. The current bundle is "oci://quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.3@sha256:b33bfa8dc27dbf459f0779598ba45dcaa490bcc9f8efe1652bcf360ec8cb5582" and the latest bundle ref is "sha256:0b4251ea0fab38be2b1441bea2788220d4cf2963ffb854a0ed90992fbabbe122"
  Term: build-image-index
  Title: Tasks using the latest versions
  Description: Check if all Tekton Tasks use the latest known Task reference. When warnings will be reported can be configured using the `task_expiry_warning_days` rule data setting. It holds the number of days before the task is to expire within which the warnings will be reported.
  Solution: Update the Task reference to a newer version.
› [Warning] trusted_task.current
  ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:bd819da15920ef731002630e2b2d49e03b3209ee5edae6c74f2094bb9825b7cf
  Reason: A newer version of task "build-container" exists. Please update before 2026-08-02T00:00:00Z. The current bundle is "oci://quay.io/konflux-ci/tekton-catalog/task-buildah-remote-oci-ta:0.9@sha256:77007259cc87f32d63d2c201226aadaab98313cfd4e02b46abc243c4d2cc27bd" and the latest bundle ref is "sha256:148347cf1a291bc3ebe0700d7f61c12f7f4d5e78e59a162f5e622ad67106c4a9"
  Term: buildah-remote-oci-ta
  Title: Tasks using the latest versions
  Description: Check if all Tekton Tasks use the latest known Task reference. When warnings will be reported can be configured using the `task_expiry_warning_days` rule data setting. It holds the number of days before the task is to expire within which the warnings will be reported.
  Solution: Update the Task reference to a newer version.
› [Warning] trusted_task.current
  ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:bd819da15920ef731002630e2b2d49e03b3209ee5edae6c74f2094bb9825b7cf
  Reason: A newer version of task "clair-scan" exists. Please update before 2026-08-22T00:00:00Z. The current bundle is "oci://quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.3@sha256:8fad4c2e2f470f82ee43d6b2ac72327b4d9c6e9cb514a678911c1c9359c29894" and the latest bundle ref is "sha256:9ff424d913dd7681031a93d8bdbed622cd5536633f8ed0dbb4a9021055cf9d21"
  Term: clair-scan
  Title: Tasks using the latest versions
  Description: Check if all Tekton Tasks use the latest known Task reference. When warnings will be reported can be configured using the `task_expiry_warning_days` rule data setting. It holds the number of days before the task is to expire within which the warnings will be reported.
  Solution: Update the Task reference to a newer version.
› [Warning] trusted_task.current
  ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:bd819da15920ef731002630e2b2d49e03b3209ee5edae6c74f2094bb9825b7cf
  Reason: A newer version of task "clamav-scan" exists. Please update before 2026-08-28T00:00:00Z. The current bundle is "oci://quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.3@sha256:567cb66bd2e1f4b58b9d4d756f3317fc62479e0b40aa0de66094b1f12d296cfc" and the latest bundle ref is "sha256:53a02326bfb930ca5ef6bfa7a33acca833d57752f34f3cb79255fe2e25e7d217"
  Term: clamav-scan
  Title: Tasks using the latest versions
  Description: Check if all Tekton Tasks use the latest known Task reference. When warnings will be reported can be configured using the `task_expiry_warning_days` rule data setting. It holds the number of days before the task is to expire within which the warnings will be reported.
  Solution: Update the Task reference to a newer version.
› [Warning] trusted_task.current ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:bd819da15920ef731002630e2b2d49e03b3209ee5edae6c74f2094bb9825b7cf Reason: A newer version of task "ecosystem-cert-preflight-checks" exists. Please update before 2026-08-08T00:00:00Z. The current bundle is "oci://quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:88f4fd6d7812a3c46f120f3035974f5fb8cb06b5e3e927badf6e8370f1516a88" and the latest bundle ref is "sha256:3c4f60ebda2225eff6a6bc387d9bbd443f1264d756bf385f97cc684992e904a0" Term: ecosystem-cert-preflight-checks Title: Tasks using the latest versions Description: Check if all Tekton Tasks use the latest known Task reference. When warnings will be reported can be configured using the `task_expiry_warning_days` rule data setting. It holds the number of days before the task is to expire within which the warnings will be reported. Solution: Update the Task reference to a newer version. › [Warning] trusted_task.current ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:bd819da15920ef731002630e2b2d49e03b3209ee5edae6c74f2094bb9825b7cf Reason: A newer version of task "clone-repository" exists. Please update before 2026-08-24T00:00:00Z. The current bundle is "oci://quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.1@sha256:d30f13dd15daf89dd6dc645243b3444d35570d13f7840c3fd65e366022515205" and the latest bundle ref is "sha256:a11dac7d914d0165362cdcc4c50860a30320f59a32ed0778bf895004d3f74591" Term: git-clone-oci-ta Title: Tasks using the latest versions Description: Check if all Tekton Tasks use the latest known Task reference. When warnings will be reported can be configured using the `task_expiry_warning_days` rule data setting. It holds the number of days before the task is to expire within which the warnings will be reported. Solution: Update the Task reference to a newer version. 
› [Warning] trusted_task.current ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:bd819da15920ef731002630e2b2d49e03b3209ee5edae6c74f2094bb9825b7cf Reason: A newer version of task "prefetch-dependencies" exists. Please update before 2026-08-02T00:00:00Z. The current bundle is "oci://quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.3@sha256:3dc78afbf3a441e0280067433cb28ea3d2d0088ec214c73bf063f145b4f273ef" and the latest bundle ref is "sha256:92956e75cd4714286f9c0c043f5301d1c0df1d750884edeceee87e0a91cc1975" Term: prefetch-dependencies-oci-ta Title: Tasks using the latest versions Description: Check if all Tekton Tasks use the latest known Task reference. When warnings will be reported can be configured using the `task_expiry_warning_days` rule data setting. It holds the number of days before the task is to expire within which the warnings will be reported. Solution: Update the Task reference to a newer version. › [Warning] trusted_task.current ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:bd819da15920ef731002630e2b2d49e03b3209ee5edae6c74f2094bb9825b7cf Reason: A newer version of task "push-dockerfile" exists. Please update before 2026-08-24T00:00:00Z. The current bundle is "oci://quay.io/konflux-ci/tekton-catalog/task-push-dockerfile-oci-ta:0.3@sha256:7855471abfe87de080b914f2f3ca27c59e64f6448a7c2435e51435b764494c71" and the latest bundle ref is "sha256:581ddbb0b8dc388678cea65b9b3b6265db59f6de1d473006fb84fb0b456886bd" Term: push-dockerfile-oci-ta Title: Tasks using the latest versions Description: Check if all Tekton Tasks use the latest known Task reference. When warnings will be reported can be configured using the `task_expiry_warning_days` rule data setting. It holds the number of days before the task is to expire within which the warnings will be reported. Solution: Update the Task reference to a newer version. 
› [Warning] trusted_task.current ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:bd819da15920ef731002630e2b2d49e03b3209ee5edae6c74f2094bb9825b7cf Reason: A newer version of task "sast-shell-check" exists. Please update before 2026-08-03T00:00:00Z. The current bundle is "oci://quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta:0.1@sha256:3cbb3535af6e7d4396858179a6427caaffb2e68775594795692fc01f28ae313f" and the latest bundle ref is "sha256:fc685d6f7dfb7c9ab2f2db38bbe2c8d383407847350ccd8b96352322c487b13c" Term: sast-shell-check-oci-ta Title: Tasks using the latest versions Description: Check if all Tekton Tasks use the latest known Task reference. When warnings will be reported can be configured using the `task_expiry_warning_days` rule data setting. It holds the number of days before the task is to expire within which the warnings will be reported. Solution: Update the Task reference to a newer version. › [Warning] trusted_task.current ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:bd819da15920ef731002630e2b2d49e03b3209ee5edae6c74f2094bb9825b7cf Reason: A newer version of task "sast-snyk-check" exists. Please update before 2026-08-03T00:00:00Z. The current bundle is "oci://quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta:0.4@sha256:0ebf28a0abd5a167438d4628938a74ade6f00a44a4b7ed1cfa9cfc57a5b24748" and the latest bundle ref is "sha256:8d794f3c04de1b47b76f9e48a2be19520568d8b467598976cbd440c44532f970" Term: sast-snyk-check-oci-ta Title: Tasks using the latest versions Description: Check if all Tekton Tasks use the latest known Task reference. When warnings will be reported can be configured using the `task_expiry_warning_days` rule data setting. It holds the number of days before the task is to expire within which the warnings will be reported. Solution: Update the Task reference to a newer version. 
› [Warning] trusted_task.current ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:bd819da15920ef731002630e2b2d49e03b3209ee5edae6c74f2094bb9825b7cf Reason: A newer version of task "sast-unicode-check" exists. Please update before 2026-08-03T00:00:00Z. The current bundle is "oci://quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta:0.4@sha256:223812001607b07f0e07d56bef7b7d619144e660c0c57f21ddd44ce0c8c4785b" and the latest bundle ref is "sha256:5807ffe3a0cca5cf970076bbc7a404642cc6e3eebe64e9e5e6a4f20da740bf73" Term: sast-unicode-check-oci-ta Title: Tasks using the latest versions Description: Check if all Tekton Tasks use the latest known Task reference. When warnings will be reported can be configured using the `task_expiry_warning_days` rule data setting. It holds the number of days before the task is to expire within which the warnings will be reported. Solution: Update the Task reference to a newer version. › [Warning] trusted_task.current ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:bd819da15920ef731002630e2b2d49e03b3209ee5edae6c74f2094bb9825b7cf Reason: A newer version of task "build-source-image" exists. Please update before 2026-08-24T00:00:00Z. The current bundle is "oci://quay.io/konflux-ci/tekton-catalog/task-source-build-oci-ta:0.3@sha256:8567bb7bf8fa9147c96b297533336fa7079ecf972cb86c09ccdd6bddedb25711" and the latest bundle ref is "sha256:d8115c74aed42fe9b1b3df149c534ced09f33c7bc6e51449bcaf8ec50699b8a0" Term: source-build-oci-ta Title: Tasks using the latest versions Description: Check if all Tekton Tasks use the latest known Task reference. When warnings will be reported can be configured using the `task_expiry_warning_days` rule data setting. It holds the number of days before the task is to expire within which the warnings will be reported. Solution: Update the Task reference to a newer version. 
› [Warning] test.no_failed_informative_tests ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:4b8339806ff0774bdfc73676c57c6985fd311d8c8d0ea3062d13c00136f19414 Reason: The Task "ecosystem-cert-preflight-checks" from the build Pipeline reports a failed informative test Term: ecosystem-cert-preflight-checks Title: No informative tests failed Description: Produce a warning if any informative tests have their result set to "FAILED". The result type is configurable by the "failed_tests_results" key, and the list of informative tests is configurable by the "informative_tests" key in the rule data. Solution: There is a test that failed. Make sure that any task in the build pipeline with a result named 'TEST_OUTPUT' does not fail. More information about the test should be available in the logs for the build Pipeline. › [Warning] trusted_task.current ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:4b8339806ff0774bdfc73676c57c6985fd311d8c8d0ea3062d13c00136f19414 Reason: A newer version of task "build-image-index" exists. Please update before 2026-08-22T00:00:00Z. The current bundle is "oci://quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.3@sha256:b33bfa8dc27dbf459f0779598ba45dcaa490bcc9f8efe1652bcf360ec8cb5582" and the latest bundle ref is "sha256:0b4251ea0fab38be2b1441bea2788220d4cf2963ffb854a0ed90992fbabbe122" Term: build-image-index Title: Tasks using the latest versions Description: Check if all Tekton Tasks use the latest known Task reference. When warnings will be reported can be configured using the `task_expiry_warning_days` rule data setting. It holds the number of days before the task is to expire within which the warnings will be reported. Solution: Update the Task reference to a newer version. › [Warning] trusted_task.current ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:4b8339806ff0774bdfc73676c57c6985fd311d8c8d0ea3062d13c00136f19414 Reason: A newer version of task "build-container" exists. Please update before 2026-08-02T00:00:00Z. 
The current bundle is "oci://quay.io/konflux-ci/tekton-catalog/task-buildah-remote-oci-ta:0.9@sha256:77007259cc87f32d63d2c201226aadaab98313cfd4e02b46abc243c4d2cc27bd" and the latest bundle ref is "sha256:148347cf1a291bc3ebe0700d7f61c12f7f4d5e78e59a162f5e622ad67106c4a9" Term: buildah-remote-oci-ta Title: Tasks using the latest versions Description: Check if all Tekton Tasks use the latest known Task reference. When warnings will be reported can be configured using the `task_expiry_warning_days` rule data setting. It holds the number of days before the task is to expire within which the warnings will be reported. Solution: Update the Task reference to a newer version. › [Warning] trusted_task.current ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:4b8339806ff0774bdfc73676c57c6985fd311d8c8d0ea3062d13c00136f19414 Reason: A newer version of task "clair-scan" exists. Please update before 2026-08-22T00:00:00Z. The current bundle is "oci://quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.3@sha256:8fad4c2e2f470f82ee43d6b2ac72327b4d9c6e9cb514a678911c1c9359c29894" and the latest bundle ref is "sha256:9ff424d913dd7681031a93d8bdbed622cd5536633f8ed0dbb4a9021055cf9d21" Term: clair-scan Title: Tasks using the latest versions Description: Check if all Tekton Tasks use the latest known Task reference. When warnings will be reported can be configured using the `task_expiry_warning_days` rule data setting. It holds the number of days before the task is to expire within which the warnings will be reported. Solution: Update the Task reference to a newer version. › [Warning] trusted_task.current ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:4b8339806ff0774bdfc73676c57c6985fd311d8c8d0ea3062d13c00136f19414 Reason: A newer version of task "clamav-scan" exists. Please update before 2026-08-28T00:00:00Z. 
The current bundle is "oci://quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.3@sha256:567cb66bd2e1f4b58b9d4d756f3317fc62479e0b40aa0de66094b1f12d296cfc" and the latest bundle ref is "sha256:53a02326bfb930ca5ef6bfa7a33acca833d57752f34f3cb79255fe2e25e7d217" Term: clamav-scan Title: Tasks using the latest versions Description: Check if all Tekton Tasks use the latest known Task reference. When warnings will be reported can be configured using the `task_expiry_warning_days` rule data setting. It holds the number of days before the task is to expire within which the warnings will be reported. Solution: Update the Task reference to a newer version. › [Warning] trusted_task.current ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:4b8339806ff0774bdfc73676c57c6985fd311d8c8d0ea3062d13c00136f19414 Reason: A newer version of task "ecosystem-cert-preflight-checks" exists. Please update before 2026-08-08T00:00:00Z. The current bundle is "oci://quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:88f4fd6d7812a3c46f120f3035974f5fb8cb06b5e3e927badf6e8370f1516a88" and the latest bundle ref is "sha256:3c4f60ebda2225eff6a6bc387d9bbd443f1264d756bf385f97cc684992e904a0" Term: ecosystem-cert-preflight-checks Title: Tasks using the latest versions Description: Check if all Tekton Tasks use the latest known Task reference. When warnings will be reported can be configured using the `task_expiry_warning_days` rule data setting. It holds the number of days before the task is to expire within which the warnings will be reported. Solution: Update the Task reference to a newer version. › [Warning] trusted_task.current ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:4b8339806ff0774bdfc73676c57c6985fd311d8c8d0ea3062d13c00136f19414 Reason: A newer version of task "clone-repository" exists. Please update before 2026-08-24T00:00:00Z. 
The current bundle is "oci://quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.1@sha256:d30f13dd15daf89dd6dc645243b3444d35570d13f7840c3fd65e366022515205" and the latest bundle ref is "sha256:a11dac7d914d0165362cdcc4c50860a30320f59a32ed0778bf895004d3f74591" Term: git-clone-oci-ta Title: Tasks using the latest versions Description: Check if all Tekton Tasks use the latest known Task reference. When warnings will be reported can be configured using the `task_expiry_warning_days` rule data setting. It holds the number of days before the task is to expire within which the warnings will be reported. Solution: Update the Task reference to a newer version. › [Warning] trusted_task.current ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:4b8339806ff0774bdfc73676c57c6985fd311d8c8d0ea3062d13c00136f19414 Reason: A newer version of task "prefetch-dependencies" exists. Please update before 2026-08-02T00:00:00Z. The current bundle is "oci://quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.3@sha256:3dc78afbf3a441e0280067433cb28ea3d2d0088ec214c73bf063f145b4f273ef" and the latest bundle ref is "sha256:92956e75cd4714286f9c0c043f5301d1c0df1d750884edeceee87e0a91cc1975" Term: prefetch-dependencies-oci-ta Title: Tasks using the latest versions Description: Check if all Tekton Tasks use the latest known Task reference. When warnings will be reported can be configured using the `task_expiry_warning_days` rule data setting. It holds the number of days before the task is to expire within which the warnings will be reported. Solution: Update the Task reference to a newer version. › [Warning] trusted_task.current ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:4b8339806ff0774bdfc73676c57c6985fd311d8c8d0ea3062d13c00136f19414 Reason: A newer version of task "push-dockerfile" exists. Please update before 2026-08-24T00:00:00Z. 
The current bundle is "oci://quay.io/konflux-ci/tekton-catalog/task-push-dockerfile-oci-ta:0.3@sha256:7855471abfe87de080b914f2f3ca27c59e64f6448a7c2435e51435b764494c71" and the latest bundle ref is "sha256:581ddbb0b8dc388678cea65b9b3b6265db59f6de1d473006fb84fb0b456886bd" Term: push-dockerfile-oci-ta Title: Tasks using the latest versions Description: Check if all Tekton Tasks use the latest known Task reference. When warnings will be reported can be configured using the `task_expiry_warning_days` rule data setting. It holds the number of days before the task is to expire within which the warnings will be reported. Solution: Update the Task reference to a newer version. › [Warning] trusted_task.current ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:4b8339806ff0774bdfc73676c57c6985fd311d8c8d0ea3062d13c00136f19414 Reason: A newer version of task "sast-shell-check" exists. Please update before 2026-08-03T00:00:00Z. The current bundle is "oci://quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta:0.1@sha256:3cbb3535af6e7d4396858179a6427caaffb2e68775594795692fc01f28ae313f" and the latest bundle ref is "sha256:fc685d6f7dfb7c9ab2f2db38bbe2c8d383407847350ccd8b96352322c487b13c" Term: sast-shell-check-oci-ta Title: Tasks using the latest versions Description: Check if all Tekton Tasks use the latest known Task reference. When warnings will be reported can be configured using the `task_expiry_warning_days` rule data setting. It holds the number of days before the task is to expire within which the warnings will be reported. Solution: Update the Task reference to a newer version. › [Warning] trusted_task.current ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:4b8339806ff0774bdfc73676c57c6985fd311d8c8d0ea3062d13c00136f19414 Reason: A newer version of task "sast-snyk-check" exists. Please update before 2026-08-03T00:00:00Z. 
The current bundle is "oci://quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta:0.4@sha256:0ebf28a0abd5a167438d4628938a74ade6f00a44a4b7ed1cfa9cfc57a5b24748" and the latest bundle ref is "sha256:8d794f3c04de1b47b76f9e48a2be19520568d8b467598976cbd440c44532f970" Term: sast-snyk-check-oci-ta Title: Tasks using the latest versions Description: Check if all Tekton Tasks use the latest known Task reference. When warnings will be reported can be configured using the `task_expiry_warning_days` rule data setting. It holds the number of days before the task is to expire within which the warnings will be reported. Solution: Update the Task reference to a newer version. › [Warning] trusted_task.current ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:4b8339806ff0774bdfc73676c57c6985fd311d8c8d0ea3062d13c00136f19414 Reason: A newer version of task "sast-unicode-check" exists. Please update before 2026-08-03T00:00:00Z. The current bundle is "oci://quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta:0.4@sha256:223812001607b07f0e07d56bef7b7d619144e660c0c57f21ddd44ce0c8c4785b" and the latest bundle ref is "sha256:5807ffe3a0cca5cf970076bbc7a404642cc6e3eebe64e9e5e6a4f20da740bf73" Term: sast-unicode-check-oci-ta Title: Tasks using the latest versions Description: Check if all Tekton Tasks use the latest known Task reference. When warnings will be reported can be configured using the `task_expiry_warning_days` rule data setting. It holds the number of days before the task is to expire within which the warnings will be reported. Solution: Update the Task reference to a newer version. › [Warning] trusted_task.current ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:4b8339806ff0774bdfc73676c57c6985fd311d8c8d0ea3062d13c00136f19414 Reason: A newer version of task "build-source-image" exists. Please update before 2026-08-24T00:00:00Z. 
The current bundle is "oci://quay.io/konflux-ci/tekton-catalog/task-source-build-oci-ta:0.3@sha256:8567bb7bf8fa9147c96b297533336fa7079ecf972cb86c09ccdd6bddedb25711" and the latest bundle ref is "sha256:d8115c74aed42fe9b1b3df149c534ced09f33c7bc6e51449bcaf8ec50699b8a0" Term: source-build-oci-ta Title: Tasks using the latest versions Description: Check if all Tekton Tasks use the latest known Task reference. When warnings will be reported can be configured using the `task_expiry_warning_days` rule data setting. It holds the number of days before the task is to expire within which the warnings will be reported. Solution: Update the Task reference to a newer version. › [Warning] test.no_failed_informative_tests ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:0e61e9c81f2e5f05c82aa07135835be5c14e5d4fb7e49734cc581c3856875c8d Reason: The Task "ecosystem-cert-preflight-checks" from the build Pipeline reports a failed informative test Term: ecosystem-cert-preflight-checks Title: No informative tests failed Description: Produce a warning if any informative tests have their result set to "FAILED". The result type is configurable by the "failed_tests_results" key, and the list of informative tests is configurable by the "informative_tests" key in the rule data. Solution: There is a test that failed. Make sure that any task in the build pipeline with a result named 'TEST_OUTPUT' does not fail. More information about the test should be available in the logs for the build Pipeline. › [Warning] trusted_task.current ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:0e61e9c81f2e5f05c82aa07135835be5c14e5d4fb7e49734cc581c3856875c8d Reason: A newer version of task "build-image-index" exists. Please update before 2026-08-22T00:00:00Z. 
The current bundle is "oci://quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.3@sha256:b33bfa8dc27dbf459f0779598ba45dcaa490bcc9f8efe1652bcf360ec8cb5582" and the latest bundle ref is "sha256:0b4251ea0fab38be2b1441bea2788220d4cf2963ffb854a0ed90992fbabbe122" Term: build-image-index Title: Tasks using the latest versions Description: Check if all Tekton Tasks use the latest known Task reference. When warnings will be reported can be configured using the `task_expiry_warning_days` rule data setting. It holds the number of days before the task is to expire within which the warnings will be reported. Solution: Update the Task reference to a newer version. › [Warning] trusted_task.current ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:0e61e9c81f2e5f05c82aa07135835be5c14e5d4fb7e49734cc581c3856875c8d Reason: A newer version of task "build-container" exists. Please update before 2026-08-02T00:00:00Z. The current bundle is "oci://quay.io/konflux-ci/tekton-catalog/task-buildah-remote-oci-ta:0.9@sha256:77007259cc87f32d63d2c201226aadaab98313cfd4e02b46abc243c4d2cc27bd" and the latest bundle ref is "sha256:148347cf1a291bc3ebe0700d7f61c12f7f4d5e78e59a162f5e622ad67106c4a9" Term: buildah-remote-oci-ta Title: Tasks using the latest versions Description: Check if all Tekton Tasks use the latest known Task reference. When warnings will be reported can be configured using the `task_expiry_warning_days` rule data setting. It holds the number of days before the task is to expire within which the warnings will be reported. Solution: Update the Task reference to a newer version. › [Warning] trusted_task.current ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:0e61e9c81f2e5f05c82aa07135835be5c14e5d4fb7e49734cc581c3856875c8d Reason: A newer version of task "clair-scan" exists. Please update before 2026-08-22T00:00:00Z. 
The current bundle is "oci://quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.3@sha256:8fad4c2e2f470f82ee43d6b2ac72327b4d9c6e9cb514a678911c1c9359c29894" and the latest bundle ref is "sha256:9ff424d913dd7681031a93d8bdbed622cd5536633f8ed0dbb4a9021055cf9d21" Term: clair-scan Title: Tasks using the latest versions Description: Check if all Tekton Tasks use the latest known Task reference. When warnings will be reported can be configured using the `task_expiry_warning_days` rule data setting. It holds the number of days before the task is to expire within which the warnings will be reported. Solution: Update the Task reference to a newer version. › [Warning] trusted_task.current ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:0e61e9c81f2e5f05c82aa07135835be5c14e5d4fb7e49734cc581c3856875c8d Reason: A newer version of task "clamav-scan" exists. Please update before 2026-08-28T00:00:00Z. The current bundle is "oci://quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.3@sha256:567cb66bd2e1f4b58b9d4d756f3317fc62479e0b40aa0de66094b1f12d296cfc" and the latest bundle ref is "sha256:53a02326bfb930ca5ef6bfa7a33acca833d57752f34f3cb79255fe2e25e7d217" Term: clamav-scan Title: Tasks using the latest versions Description: Check if all Tekton Tasks use the latest known Task reference. When warnings will be reported can be configured using the `task_expiry_warning_days` rule data setting. It holds the number of days before the task is to expire within which the warnings will be reported. Solution: Update the Task reference to a newer version. › [Warning] trusted_task.current ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:0e61e9c81f2e5f05c82aa07135835be5c14e5d4fb7e49734cc581c3856875c8d Reason: A newer version of task "ecosystem-cert-preflight-checks" exists. Please update before 2026-08-08T00:00:00Z. 
The current bundle is "oci://quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:88f4fd6d7812a3c46f120f3035974f5fb8cb06b5e3e927badf6e8370f1516a88" and the latest bundle ref is "sha256:3c4f60ebda2225eff6a6bc387d9bbd443f1264d756bf385f97cc684992e904a0" Term: ecosystem-cert-preflight-checks Title: Tasks using the latest versions Description: Check if all Tekton Tasks use the latest known Task reference. When warnings will be reported can be configured using the `task_expiry_warning_days` rule data setting. It holds the number of days before the task is to expire within which the warnings will be reported. Solution: Update the Task reference to a newer version. › [Warning] trusted_task.current ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:0e61e9c81f2e5f05c82aa07135835be5c14e5d4fb7e49734cc581c3856875c8d Reason: A newer version of task "clone-repository" exists. Please update before 2026-08-24T00:00:00Z. The current bundle is "oci://quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.1@sha256:d30f13dd15daf89dd6dc645243b3444d35570d13f7840c3fd65e366022515205" and the latest bundle ref is "sha256:a11dac7d914d0165362cdcc4c50860a30320f59a32ed0778bf895004d3f74591" Term: git-clone-oci-ta Title: Tasks using the latest versions Description: Check if all Tekton Tasks use the latest known Task reference. When warnings will be reported can be configured using the `task_expiry_warning_days` rule data setting. It holds the number of days before the task is to expire within which the warnings will be reported. Solution: Update the Task reference to a newer version. › [Warning] trusted_task.current ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:0e61e9c81f2e5f05c82aa07135835be5c14e5d4fb7e49734cc581c3856875c8d Reason: A newer version of task "prefetch-dependencies" exists. Please update before 2026-08-02T00:00:00Z. 
The current bundle is "oci://quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.3@sha256:3dc78afbf3a441e0280067433cb28ea3d2d0088ec214c73bf063f145b4f273ef" and the latest bundle ref is "sha256:92956e75cd4714286f9c0c043f5301d1c0df1d750884edeceee87e0a91cc1975" Term: prefetch-dependencies-oci-ta Title: Tasks using the latest versions Description: Check if all Tekton Tasks use the latest known Task reference. When warnings will be reported can be configured using the `task_expiry_warning_days` rule data setting. It holds the number of days before the task is to expire within which the warnings will be reported. Solution: Update the Task reference to a newer version. › [Warning] trusted_task.current ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:0e61e9c81f2e5f05c82aa07135835be5c14e5d4fb7e49734cc581c3856875c8d Reason: A newer version of task "push-dockerfile" exists. Please update before 2026-08-24T00:00:00Z. The current bundle is "oci://quay.io/konflux-ci/tekton-catalog/task-push-dockerfile-oci-ta:0.3@sha256:7855471abfe87de080b914f2f3ca27c59e64f6448a7c2435e51435b764494c71" and the latest bundle ref is "sha256:581ddbb0b8dc388678cea65b9b3b6265db59f6de1d473006fb84fb0b456886bd" Term: push-dockerfile-oci-ta Title: Tasks using the latest versions Description: Check if all Tekton Tasks use the latest known Task reference. When warnings will be reported can be configured using the `task_expiry_warning_days` rule data setting. It holds the number of days before the task is to expire within which the warnings will be reported. Solution: Update the Task reference to a newer version. › [Warning] trusted_task.current ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:0e61e9c81f2e5f05c82aa07135835be5c14e5d4fb7e49734cc581c3856875c8d Reason: A newer version of task "sast-shell-check" exists. Please update before 2026-08-03T00:00:00Z. 
The current bundle is "oci://quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta:0.1@sha256:3cbb3535af6e7d4396858179a6427caaffb2e68775594795692fc01f28ae313f" and the latest bundle ref is "sha256:fc685d6f7dfb7c9ab2f2db38bbe2c8d383407847350ccd8b96352322c487b13c" Term: sast-shell-check-oci-ta Title: Tasks using the latest versions Description: Check if all Tekton Tasks use the latest known Task reference. When warnings will be reported can be configured using the `task_expiry_warning_days` rule data setting. It holds the number of days before the task is to expire within which the warnings will be reported. Solution: Update the Task reference to a newer version. › [Warning] trusted_task.current ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:0e61e9c81f2e5f05c82aa07135835be5c14e5d4fb7e49734cc581c3856875c8d Reason: A newer version of task "sast-snyk-check" exists. Please update before 2026-08-03T00:00:00Z. The current bundle is "oci://quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta:0.4@sha256:0ebf28a0abd5a167438d4628938a74ade6f00a44a4b7ed1cfa9cfc57a5b24748" and the latest bundle ref is "sha256:8d794f3c04de1b47b76f9e48a2be19520568d8b467598976cbd440c44532f970" Term: sast-snyk-check-oci-ta Title: Tasks using the latest versions Description: Check if all Tekton Tasks use the latest known Task reference. When warnings will be reported can be configured using the `task_expiry_warning_days` rule data setting. It holds the number of days before the task is to expire within which the warnings will be reported. Solution: Update the Task reference to a newer version. › [Warning] trusted_task.current ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:0e61e9c81f2e5f05c82aa07135835be5c14e5d4fb7e49734cc581c3856875c8d Reason: A newer version of task "sast-unicode-check" exists. Please update before 2026-08-03T00:00:00Z. 
The current bundle is "oci://quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta:0.4@sha256:223812001607b07f0e07d56bef7b7d619144e660c0c57f21ddd44ce0c8c4785b" and the latest bundle ref is "sha256:5807ffe3a0cca5cf970076bbc7a404642cc6e3eebe64e9e5e6a4f20da740bf73" Term: sast-unicode-check-oci-ta Title: Tasks using the latest versions Description: Check if all Tekton Tasks use the latest known Task reference. When warnings will be reported can be configured using the `task_expiry_warning_days` rule data setting. It holds the number of days before the task is to expire within which the warnings will be reported. Solution: Update the Task reference to a newer version. › [Warning] trusted_task.current ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:0e61e9c81f2e5f05c82aa07135835be5c14e5d4fb7e49734cc581c3856875c8d Reason: A newer version of task "build-source-image" exists. Please update before 2026-08-24T00:00:00Z. The current bundle is "oci://quay.io/konflux-ci/tekton-catalog/task-source-build-oci-ta:0.3@sha256:8567bb7bf8fa9147c96b297533336fa7079ecf972cb86c09ccdd6bddedb25711" and the latest bundle ref is "sha256:d8115c74aed42fe9b1b3df149c534ced09f33c7bc6e51449bcaf8ec50699b8a0" Term: source-build-oci-ta Title: Tasks using the latest versions Description: Check if all Tekton Tasks use the latest known Task reference. When warnings will be reported can be configured using the `task_expiry_warning_days` rule data setting. It holds the number of days before the task is to expire within which the warnings will be reported. Solution: Update the Task reference to a newer version. For more information about policy issues, see the policy documentation: https://conforma.dev/docs/policy/ true { "policy": { "name": "Red Hat", "description": "Includes the full set of rules and policies required internally by Red Hat when building Red Hat products. 
Source: https://github.com/conforma/config/blob/main/redhat/policy.yaml", "sources": [ { "name": "Default", "policy": [ "oci::quay.io/enterprise-contract/ec-release-policy:konflux@sha256:614408c473895bc7263173ccadcbf782e0c3c7c0a8c10851e6b0c94b5ea448c1" ], "data": [ "git::github.com/release-engineering/rhtap-ec-policy//data?ref=e7ebca9822d7378140b7207c7bc7062fa883dd5f", "oci::quay.io/konflux-ci/tekton-catalog/data-acceptable-bundles:latest@sha256:62c93b5041683cf2c88fbe5b8b857f7c90a9b2cc1f8c9efde39abda01c567128", "oci::quay.io/konflux-ci/konflux-vanguard/data-acceptable-bundles:latest@sha256:0b31c7bc77a7463a1bc52f3d3625ef0e0e75443da7fd2de8005d7885282138ea", "oci::quay.io/konflux-ci/integration-service-catalog/data-acceptable-bundles:latest@sha256:7b00455045ea3873a72caeb1e7ac7d036bd53963a26409891a4cc9d0d242b9fc" ], "config": { "exclude": [ "slsa_source_correlated.source_code_reference_provided", "cve.cve_results_found" ], "include": [ "@redhat" ] } } ], "publicKey": "k8s://chains-e2e-neqh/golden-image-public-keynojeubhkrb" }, "key": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEZP/0htjhVt2y0ohjgtIIgICOtQtA\nnaYJRuLprwIv6FDhZ5yFjYUEtsmoNcW7rx2KM6FOXGsCX3BNc7qhHELT+g==\n-----END PUBLIC KEY-----\n", "effective-time": "2026-06-30T11:17:23.331002734Z" } 2026-06-30T11:17:55.571327Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-78f60d33611f43eb8b11898e51a2a380-pod_178ea8f0-a17f-43e9-bf24-f8be414e63ba/place-scripts/0.log 2026-06-30T11:17:55.571381Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. 
file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-78f60d33611f43eb8b11898e51a2a380-pod_178ea8f0-a17f-43e9-bf24-f8be414e63ba/prepare/0.log 2026-06-30T11:17:56.093044Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-78f60d33611f43eb8b11898e51a2a380-pod_178ea8f0-a17f-43e9-bf24-f8be414e63ba/step-initialize-tuf/0.log 2026-06-30T11:17:56.093086Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-78f60d33611f43eb8b11898e51a2a380-pod_178ea8f0-a17f-43e9-bf24-f8be414e63ba/step-reduce/0.log 2026-06-30T11:17:56.093097Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-78f60d33611f43eb8b11898e51a2a380-pod_178ea8f0-a17f-43e9-bf24-f8be414e63ba/step-report-json/0.log 2026-06-30T11:17:56.093107Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-78f60d33611f43eb8b11898e51a2a380-pod_178ea8f0-a17f-43e9-bf24-f8be414e63ba/step-validate/0.log 2026-06-30T11:17:56.608849Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. 
file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-78f60d33611f43eb8b11898e51a2a380-pod_178ea8f0-a17f-43e9-bf24-f8be414e63ba/step-assert/0.log 2026-06-30T11:17:56.608880Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-78f60d33611f43eb8b11898e51a2a380-pod_178ea8f0-a17f-43e9-bf24-f8be414e63ba/step-detailed-report/0.log 2026-06-30T11:17:56.608901Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-78f60d33611f43eb8b11898e51a2a380-pod_178ea8f0-a17f-43e9-bf24-f8be414e63ba/step-show-config/0.log 2026-06-30T11:17:56.608908Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-78f60d33611f43eb8b11898e51a2a380-pod_178ea8f0-a17f-43e9-bf24-f8be414e63ba/step-summary/0.log 2026-06-30T11:17:56.608919Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. 
file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-78f60d33611f43eb8b11898e51a2a380-pod_178ea8f0-a17f-43e9-bf24-f8be414e63ba/step-version/0.log time="2026-06-30T11:17:46Z" level=error msg="failed to fetch image" action="fetch image" error="GET https://quay.io/v2/konflux-ci/ec-golden-image/manifests/sha256:b5fe51b58bacb35acf4dfa522b1b4183700fd78d97ee418f7b535f3e5c5623f9: MANIFEST_UNKNOWN: manifest unknown; map[]" function=ec.oci.image_manifest input_ref="quay.io/konflux-ci/ec-golden-image@sha256:b5fe51b58bacb35acf4dfa522b1b4183700fd78d97ee418f7b535f3e5c5623f9" time="2026-06-30T11:17:47Z" level=error msg="failed to fetch image" action="fetch image" error="GET https://quay.io/v2/konflux-ci/ec-golden-image/manifests/sha256:b5fe51b58bacb35acf4dfa522b1b4183700fd78d97ee418f7b535f3e5c5623f9: MANIFEST_UNKNOWN: manifest unknown; map[]" function=ec.oci.image_manifest input_ref="quay.io/konflux-ci/ec-golden-image@sha256:b5fe51b58bacb35acf4dfa522b1b4183700fd78d97ee418f7b535f3e5c5623f9" 2026/06/30 11:17:54 Decoded script /tekton/scripts/script-2-c7fsn 2026/06/30 11:17:54 Entrypoint initialization 2026-06-30T11:17:59.687089Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-78f60d33611f43eb8b11898e51a2a380-pod_178ea8f0-a17f-43e9-bf24-f8be414e63ba/step-initialize-tuf/0.log 2026-06-30T11:17:59.687134Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-78f60d33611f43eb8b11898e51a2a380-pod_178ea8f0-a17f-43e9-bf24-f8be414e63ba/step-reduce/0.log Single Component mode? 
false { "application": "", "componentGroup": "", "components": [ { "name": "", "version": "", "containerImage": "quay.io/konflux-ci/ec-golden-image:e2e-test-unacceptable-task", "source": {} } ], "artifacts": {} } 2026/06/30 11:17:58 INFO Step was skipped due to when expressions were evaluated to false. 2026-06-30T11:18:09.953605Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-78f60d33611f43eb8b11898e51a2a380-pod_178ea8f0-a17f-43e9-bf24-f8be414e63ba/step-assert/0.log 2026-06-30T11:18:09.953666Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-78f60d33611f43eb8b11898e51a2a380-pod_178ea8f0-a17f-43e9-bf24-f8be414e63ba/step-detailed-report/0.log 2026-06-30T11:18:09.953706Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-78f60d33611f43eb8b11898e51a2a380-pod_178ea8f0-a17f-43e9-bf24-f8be414e63ba/step-report-json/0.log 2026-06-30T11:18:09.953719Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-78f60d33611f43eb8b11898e51a2a380-pod_178ea8f0-a17f-43e9-bf24-f8be414e63ba/step-show-config/0.log 2026-06-30T11:18:09.953734Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. 
file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-78f60d33611f43eb8b11898e51a2a380-pod_178ea8f0-a17f-43e9-bf24-f8be414e63ba/step-summary/0.log 2026-06-30T11:18:09.953751Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-78f60d33611f43eb8b11898e51a2a380-pod_178ea8f0-a17f-43e9-bf24-f8be414e63ba/step-version/0.log false { "policy": { "name": "Default", "description": "Includes rules for levels 1, 2 & 3 of SLSA v0.1. This is the default config used for new Konflux applications. Source: https://github.com/conforma/config/blob/main/default/policy.yaml", "sources": [ { "name": "Default", "policy": [ "oci::quay.io/enterprise-contract/ec-release-policy:konflux@sha256:614408c473895bc7263173ccadcbf782e0c3c7c0a8c10851e6b0c94b5ea448c1" ], "data": [ "git::github.com/release-engineering/rhtap-ec-policy//data?ref=e7ebca9822d7378140b7207c7bc7062fa883dd5f", "oci::quay.io/konflux-ci/tekton-catalog/data-acceptable-bundles:latest@sha256:62c93b5041683cf2c88fbe5b8b857f7c90a9b2cc1f8c9efde39abda01c567128", "oci::quay.io/konflux-ci/konflux-vanguard/data-acceptable-bundles:latest@sha256:0b31c7bc77a7463a1bc52f3d3625ef0e0e75443da7fd2de8005d7885282138ea", "oci::quay.io/konflux-ci/integration-service-catalog/data-acceptable-bundles:latest@sha256:7b00455045ea3873a72caeb1e7ac7d036bd53963a26409891a4cc9d0d242b9fc" ], "config": { "include": [ "trusted_task.trusted" ] } } ], "publicKey": "k8s://chains-e2e-neqh/golden-image-public-keyklhvmxjahr" }, "key": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEZP/0htjhVt2y0ohjgtIIgICOtQtA\nnaYJRuLprwIv6FDhZ5yFjYUEtsmoNcW7rx2KM6FOXGsCX3BNc7qhHELT+g==\n-----END PUBLIC KEY-----\n", "effective-time": "2026-06-30T11:17:59.370750231Z" } {"success": false,"components": [{"name": "","containerImage": 
"quay.io/konflux-ci/ec-golden-image@sha256:304040ca1911aa4d911bd7c6d6d07193c57dc49dbc43e63828b42ab204fb1b25","source": {},"violations": [{"msg": "PipelineTask \"build-container\" uses an untrusted task reference: oci://quay.io/redhat-appstudio-tekton-catalog/task-buildah:0.1@sha256:c3712257615d206ef40013bf1c5c681670fc8f7fd6aac9fa4c86f7afeff627ef. Please upgrade the task version to: sha256:73628c0497b9d1fb068dffb997cf7bea57ed6dfa04e892abf1d6fc7f6828050a","metadata": {"code": "trusted_task.trusted","collections": ["redhat"],"description": "Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add \"trusted_task.trusted:buildah\" to the `exclude` section of the policy configuration.","solution": "If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available.","term": "buildah","title": "Tasks are trusted"}},{"msg": "PipelineTask \"clair-scan\" uses an untrusted task reference: oci://quay.io/redhat-appstudio-tekton-catalog/task-clair-scan:0.1@sha256:fba8170329ab00b864ee7d16e0358df4c4386880e10894fd7bbbb1457112477b. Please upgrade the task version to: sha256:d3af2290595378de7f8bc73b54aa7a5fac793090e2cef4f1822d31e18a64761f","metadata": {"code": "trusted_task.trusted","collections": ["redhat"],"description": "Check the trust of the Tekton Tasks used in the build Pipeline. 
There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add \"trusted_task.trusted:clair-scan\" to the `exclude` section of the policy configuration.","solution": "If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available.","term": "clair-scan","title": "Tasks are trusted"}},{"msg": "PipelineTask \"clamav-scan\" uses an untrusted task reference: oci://quay.io/redhat-appstudio-tekton-catalog/task-clamav-scan:0.1@sha256:28b425322aa84f988c6c4f8d503787b3fb301668b2ad6728846b8f8c45ba012b. Please upgrade the task version to: sha256:1b186d53eeab12f0ae1b7aa333e9cf2b2c9dcc9751f5e940ca935a168bba5a7d","metadata": {"code": "trusted_task.trusted","collections": ["redhat"],"description": "Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. 
To exclude this rule add \"trusted_task.trusted:clamav-scan\" to the `exclude` section of the policy configuration.","solution": "If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available.","term": "clamav-scan","title": "Tasks are trusted"}},{"msg": "PipelineTask \"deprecated-base-image-check\" uses an untrusted task reference: oci://quay.io/redhat-appstudio-tekton-catalog/task-deprecated-image-check:0.1@sha256:28d724dd6f6c365b2a839d9e52baac91559fd78c160774769c1ec724301f78d4. Please upgrade the task version to: sha256:409efc4464663225f96518776b3811c31ea4e988a18493a3114eedf01e0a0a17","metadata": {"code": "trusted_task.trusted","collections": ["redhat"],"description": "Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add \"trusted_task.trusted:deprecated-image-check\" to the `exclude` section of the policy configuration.","solution": "If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. 
Note that trust is eventually revoked from Tasks when newer versions are made available.","term": "deprecated-image-check","title": "Tasks are trusted"}},{"msg": "PipelineTask \"clone-repository\" uses an untrusted task reference: oci://quay.io/redhat-appstudio-tekton-catalog/task-git-clone:0.1@sha256:f4e37778cba00296606ddfbc1c58181330899cafcaa1ee41c75a7cf8bed312f0. Please upgrade the task version to: sha256:39efcb7d049d84feccce65e589996a89b19ab7c9f504015c3792e3daee697da3","metadata": {"code": "trusted_task.trusted","collections": ["redhat"],"description": "Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add \"trusted_task.trusted:git-clone\" to the `exclude` section of the policy configuration.","solution": "If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available.","term": "git-clone","title": "Tasks are trusted"}},{"msg": "PipelineTask \"init\" uses an untrusted task reference: oci://quay.io/redhat-appstudio-tekton-catalog/task-init:0.1@sha256:5ce77110e2a49407a69a7922042dc0859f7e8f5f75dc0cd0bcc2d17860469bdb. Please upgrade the task version to: sha256:60e0a74b7f4b1166cb62672d6b6f262b4284b20ade9157a387b4a52283ccada8","metadata": {"code": "trusted_task.trusted","collections": ["redhat"],"description": "Check the trust of the Tekton Tasks used in the build Pipeline. 
There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add \"trusted_task.trusted:init\" to the `exclude` section of the policy configuration.", "solution": "If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available.","term": "init","title": "Tasks are trusted"}},{"msg": "PipelineTask \"sanity-inspect-image\" uses an untrusted task reference: oci://quay.io/redhat-appstudio-tekton-catalog/task-sanity-inspect-image:0.1@sha256:fd4efd9d12eea3a8d47532c4226e685618845d0ba95abb98e008020243d96301. Please upgrade the task version to: sha256:b9ad0ed56be21c9e3c8e2e636275f92d887e57681c718cd36f117eb6fa547824","metadata": {"code": "trusted_task.trusted","collections": ["redhat"],"description": "Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. 
To exclude this rule add \"trusted_task.trusted:sanity-inspect-image\" to the `exclude` section of the policy configuration.","solution": "If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available.","term": "sanity-inspect-image","title": "Tasks are trusted"}},{"msg": "PipelineTask \"sanity-label-check\" uses an untrusted task reference: oci://quay.io/redhat-appstudio-tekton-catalog/task-sanity-label-check:0.1@sha256:534770bf7a7c10277ab5f9c1e7b766abbffb343cc864dd9545aecc5278257dc3. Please upgrade the task version to: sha256:dd49667be76c81264a7fb28e3b43f72c527507e5691720c6262575255cb60689","metadata": {"code": "trusted_task.trusted","collections": ["redhat"],"description": "Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add \"trusted_task.trusted:sanity-label-check\" to the `exclude` section of the policy configuration.","solution": "If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. 
Note that trust is eventually revoked from Tasks when newer versions are made available.","term": "sanity-label-check","title": "Tasks are trusted"}},{"msg": "PipelineTask \"sanity-optional-label-check\" uses an untrusted task reference: oci://quay.io/redhat-appstudio-tekton-catalog/task-sanity-label-check:0.1@sha256:534770bf7a7c10277ab5f9c1e7b766abbffb343cc864dd9545aecc5278257dc3. Please upgrade the task version to: sha256:dd49667be76c81264a7fb28e3b43f72c527507e5691720c6262575255cb60689","metadata": {"code": "trusted_task.trusted","collections": ["redhat"],"description": "Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add \"trusted_task.trusted:sanity-label-check\" to the `exclude` section of the policy configuration.","solution": "If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available.","term": "sanity-label-check","title": "Tasks are trusted"}},{"msg": "PipelineTask \"sbom-json-check\" uses an untrusted task reference: oci://quay.io/redhat-appstudio-tekton-catalog/task-sbom-json-check:0.1@sha256:ce6a0932da9b41080108284d1366fc2de8374fca5137500138e16ad9e04610c6. 
Please upgrade the task version to: sha256:32a7b681f947179b4df11f2e9f05f27478001247e519fa0b1a211cbf9562a205","metadata": {"code": "trusted_task.trusted","collections": ["redhat"],"description": "Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add \"trusted_task.trusted:sbom-json-check\" to the `exclude` section of the policy configuration.","solution": "If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available.","term": "sbom-json-check","title": "Tasks are trusted"}},{"msg": "PipelineTask \"show-summary\" uses an untrusted task reference: oci://quay.io/redhat-appstudio-tekton-catalog/task-summary:0.1@sha256:c0f66b28c338426774e34a8d4a00349fbab798b19df5841a95727148d5ef3c65. Please upgrade the task version to: sha256:4d7a2201ce4cb6dca8a48f4d9d4e02d5d3b57ef8eb99009675f1a34f2923ae49","metadata": {"code": "trusted_task.trusted","collections": ["redhat"],"description": "Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. 
In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add \"trusted_task.trusted:summary\" to the `exclude` section of the policy configuration.","solution": "If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available.","term": "summary","title": "Tasks are trusted"}}],"successes": [{"msg": "Pass","metadata": {"code": "builtin.attestation.signature_check","description": "The attestation signature matches available signing materials.","title": "Attestation signature check passed"}},{"msg": "Pass","metadata": {"code": "builtin.attestation.syntax_check","description": "The attestation has correct syntax.","title": "Attestation syntax check passed"}},{"msg": "Pass","metadata": {"code": "builtin.image.signature_check","description": "The image signature matches available signing materials.","title": "Image signature check passed"}}],"success": false,"signatures": [{"keyid": "","sig": "MEUCIQD86lmOqCovYZDPKm0XxxsLgDQcFIFAv+QZxrFSHmCvQAIgTd1I005ox8MfABqsAen6PZEyg2MCEQNBCx1NLS3V0JQ="}],"attestations": [{ Version v0.9.25 Source ID b345847182602d9a5ce9e957fa76fe02575c8018 Change date 2026-04-27 12:52:43 +0000 UTC (9 weeks ago) ECC v0.1.7 OPA v1.15.2 Conftest v0.68.2 Cosign v3.0.4 Sigstore v1.10.4 Rekor v1.5.0 Tekton Pipeline v1.9.2 Kubernetes Client v0.35.0 { "timestamp": "1782818288", "namespace": "", "successes": 3, "failures": 11, "warnings": 0, "result": "FAILURE" } Success: false Result: FAILURE Violations: 11, Warnings: 0, Successes: 3 Component: ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:304040ca1911aa4d911bd7c6d6d07193c57dc49dbc43e63828b42ab204fb1b25 Results: ✕ [Violation] trusted_task.trusted ImageRef: 
quay.io/konflux-ci/ec-golden-image@sha256:304040ca1911aa4d911bd7c6d6d07193c57dc49dbc43e63828b42ab204fb1b25 Reason: PipelineTask "build-container" uses an untrusted task reference: oci://quay.io/redhat-appstudio-tekton-catalog/task-buildah:0.1@sha256:c3712257615d206ef40013bf1c5c681670fc8f7fd6aac9fa4c86f7afeff627ef. Please upgrade the task version to: sha256:73628c0497b9d1fb068dffb997cf7bea57ed6dfa04e892abf1d6fc7f6828050a Term: buildah Title: Tasks are trusted Description: Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add "trusted_task.trusted:buildah" to the `exclude` section of the policy configuration. Solution: If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available. ✕ [Violation] trusted_task.trusted ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:304040ca1911aa4d911bd7c6d6d07193c57dc49dbc43e63828b42ab204fb1b25 Reason: PipelineTask "clair-scan" uses an untrusted task reference: oci://quay.io/redhat-appstudio-tekton-catalog/task-clair-scan:0.1@sha256:fba8170329ab00b864ee7d16e0358df4c4386880e10894fd7bbbb1457112477b. Please upgrade the task version to: sha256:d3af2290595378de7f8bc73b54aa7a5fac793090e2cef4f1822d31e18a64761f Term: clair-scan Title: Tasks are trusted Description: Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. 
The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add "trusted_task.trusted:clair-scan" to the `exclude` section of the policy configuration. Solution: If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available. ✕ [Violation] trusted_task.trusted ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:304040ca1911aa4d911bd7c6d6d07193c57dc49dbc43e63828b42ab204fb1b25 Reason: PipelineTask "clamav-scan" uses an untrusted task reference: oci://quay.io/redhat-appstudio-tekton-catalog/task-clamav-scan:0.1@sha256:28b425322aa84f988c6c4f8d503787b3fb301668b2ad6728846b8f8c45ba012b. Please upgrade the task version to: sha256:1b186d53eeab12f0ae1b7aa333e9cf2b2c9dcc9751f5e940ca935a168bba5a7d Term: clamav-scan Title: Tasks are trusted Description: Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add "trusted_task.trusted:clamav-scan" to the `exclude` section of the policy configuration. 
Solution: If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available. ✕ [Violation] trusted_task.trusted ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:304040ca1911aa4d911bd7c6d6d07193c57dc49dbc43e63828b42ab204fb1b25 Reason: PipelineTask "deprecated-base-image-check" uses an untrusted task reference: oci://quay.io/redhat-appstudio-tekton-catalog/task-deprecated-image-check:0.1@sha256:28d724dd6f6c365b2a839d9e52baac91559fd78c160774769c1ec724301f78d4. Please upgrade the task version to: sha256:409efc4464663225f96518776b3811c31ea4e988a18493a3114eedf01e0a0a17 Term: deprecated-image-check Title: Tasks are trusted Description: Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add "trusted_task.trusted:deprecated-image-check" to the `exclude` section of the policy configuration. Solution: If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available. 
✕ [Violation] trusted_task.trusted ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:304040ca1911aa4d911bd7c6d6d07193c57dc49dbc43e63828b42ab204fb1b25 Reason: PipelineTask "clone-repository" uses an untrusted task reference: oci://quay.io/redhat-appstudio-tekton-catalog/task-git-clone:0.1@sha256:f4e37778cba00296606ddfbc1c58181330899cafcaa1ee41c75a7cf8bed312f0. Please upgrade the task version to: sha256:39efcb7d049d84feccce65e589996a89b19ab7c9f504015c3792e3daee697da3 Term: git-clone Title: Tasks are trusted Description: Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add "trusted_task.trusted:git-clone" to the `exclude` section of the policy configuration. Solution: If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available. ✕ [Violation] trusted_task.trusted ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:304040ca1911aa4d911bd7c6d6d07193c57dc49dbc43e63828b42ab204fb1b25 Reason: PipelineTask "init" uses an untrusted task reference: oci://quay.io/redhat-appstudio-tekton-catalog/task-init:0.1@sha256:5ce77110e2a49407a69a7922042dc0859f7e8f5f75dc0cd0bcc2d17860469bdb. Please upgrade the task version to: sha256:60e0a74b7f4b1166cb62672d6b6f262b4284b20ade9157a387b4a52283ccada8 Term: init Title: Tasks are trusted Description: Check the trust of the Tekton Tasks used in the build Pipeline. 
There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add "trusted_task.trusted:init" to the `exclude` section of the policy configuration. Solution: If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available. ✕ [Violation] trusted_task.trusted ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:304040ca1911aa4d911bd7c6d6d07193c57dc49dbc43e63828b42ab204fb1b25 Reason: PipelineTask "sanity-inspect-image" uses an untrusted task reference: oci://quay.io/redhat-appstudio-tekton-catalog/task-sanity-inspect-image:0.1@sha256:fd4efd9d12eea3a8d47532c4226e685618845d0ba95abb98e008020243d96301. Please upgrade the task version to: sha256:b9ad0ed56be21c9e3c8e2e636275f92d887e57681c718cd36f117eb6fa547824 Term: sanity-inspect-image Title: Tasks are trusted Description: Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add "trusted_task.trusted:sanity-inspect-image" to the `exclude` section of the policy configuration. 
Solution: If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available. ✕ [Violation] trusted_task.trusted ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:304040ca1911aa4d911bd7c6d6d07193c57dc49dbc43e63828b42ab204fb1b25 Reason: PipelineTask "sanity-label-check" uses an untrusted task reference: oci://quay.io/redhat-appstudio-tekton-catalog/task-sanity-label-check:0.1@sha256:534770bf7a7c10277ab5f9c1e7b766abbffb343cc864dd9545aecc5278257dc3. Please upgrade the task version to: sha256:dd49667be76c81264a7fb28e3b43f72c527507e5691720c6262575255cb60689 Term: sanity-label-check Title: Tasks are trusted Description: Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add "trusted_task.trusted:sanity-label-check" to the `exclude` section of the policy configuration. Solution: If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available. 
✕ [Violation] trusted_task.trusted ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:304040ca1911aa4d911bd7c6d6d07193c57dc49dbc43e63828b42ab204fb1b25 Reason: PipelineTask "sanity-optional-label-check" uses an untrusted task reference: oci://quay.io/redhat-appstudio-tekton-catalog/task-sanity-label-check:0.1@sha256:534770bf7a7c10277ab5f9c1e7b766abbffb343cc864dd9545aecc5278257dc3. Please upgrade the task version to: sha256:dd49667be76c81264a7fb28e3b43f72c527507e5691720c6262575255cb60689 Term: sanity-label-check Title: Tasks are trusted Description: Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add "trusted_task.trusted:sanity-label-check" to the `exclude` section of the policy configuration. Solution: If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available. ✕ [Violation] trusted_task.trusted ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:304040ca1911aa4d911bd7c6d6d07193c57dc49dbc43e63828b42ab204fb1b25 Reason: PipelineTask "sbom-json-check" uses an untrusted task reference: oci://quay.io/redhat-appstudio-tekton-catalog/task-sbom-json-check:0.1@sha256:ce6a0932da9b41080108284d1366fc2de8374fca5137500138e16ad9e04610c6. 
Please upgrade the task version to: sha256:32a7b681f947179b4df11f2e9f05f27478001247e519fa0b1a211cbf9562a205 Term: sbom-json-check Title: Tasks are trusted Description: Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add "trusted_task.trusted:sbom-json-check" to the `exclude` section of the policy configuration. Solution: If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available. ✕ [Violation] trusted_task.trusted ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:304040ca1911aa4d911bd7c6d6d07193c57dc49dbc43e63828b42ab204fb1b25 Reason: PipelineTask "show-summary" uses an untrusted task reference: oci://quay.io/redhat-appstudio-tekton-catalog/task-summary:0.1@sha256:c0f66b28c338426774e34a8d4a00349fbab798b19df5841a95727148d5ef3c65. Please upgrade the task version to: sha256:4d7a2201ce4cb6dca8a48f4d9d4e02d5d3b57ef8eb99009675f1a34f2923ae49 Term: summary Title: Tasks are trusted Description: Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. 
In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add "trusted_task.trusted:summary" to the `exclude` section of the policy configuration. Solution: If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available. For more information about policy issues, see the policy documentation: https://conforma.dev/docs/policy/ 2026-06-30T11:18:14.087003Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-db2529051d96e11c5e79b762fb5d0005-pod_cfae1904-8454-4f00-b511-593ed742a9bd/place-scripts/0.log 2026-06-30T11:18:14.087052Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-db2529051d96e11c5e79b762fb5d0005-pod_cfae1904-8454-4f00-b511-593ed742a9bd/prepare/0.log 2026-06-30T11:18:14.087064Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-db2529051d96e11c5e79b762fb5d0005-pod_cfae1904-8454-4f00-b511-593ed742a9bd/step-initialize-tuf/0.log 2026-06-30T11:18:14.087075Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. 
file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-db2529051d96e11c5e79b762fb5d0005-pod_cfae1904-8454-4f00-b511-593ed742a9bd/step-reduce/0.log 2026-06-30T11:18:14.607253Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-db2529051d96e11c5e79b762fb5d0005-pod_cfae1904-8454-4f00-b511-593ed742a9bd/step-assert/0.log 2026-06-30T11:18:14.607286Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-db2529051d96e11c5e79b762fb5d0005-pod_cfae1904-8454-4f00-b511-593ed742a9bd/step-detailed-report/0.log 2026-06-30T11:18:14.607303Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-db2529051d96e11c5e79b762fb5d0005-pod_cfae1904-8454-4f00-b511-593ed742a9bd/step-report-json/0.log 2026-06-30T11:18:14.607310Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-db2529051d96e11c5e79b762fb5d0005-pod_cfae1904-8454-4f00-b511-593ed742a9bd/step-show-config/0.log 2026-06-30T11:18:14.607318Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. 
file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-db2529051d96e11c5e79b762fb5d0005-pod_cfae1904-8454-4f00-b511-593ed742a9bd/step-summary/0.log 2026-06-30T11:18:14.607324Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-db2529051d96e11c5e79b762fb5d0005-pod_cfae1904-8454-4f00-b511-593ed742a9bd/step-validate/0.log 2026-06-30T11:18:14.607331Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-db2529051d96e11c5e79b762fb5d0005-pod_cfae1904-8454-4f00-b511-593ed742a9bd/step-version/0.log 2026/06/30 11:18:12 Entrypoint initialization 2026/06/30 11:18:12 Decoded script /tekton/scripts/script-2-mbmxb 2026-06-30T11:18:18.200269Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-db2529051d96e11c5e79b762fb5d0005-pod_cfae1904-8454-4f00-b511-593ed742a9bd/step-initialize-tuf/0.log 2026-06-30T11:18:18.200326Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-db2529051d96e11c5e79b762fb5d0005-pod_cfae1904-8454-4f00-b511-593ed742a9bd/step-reduce/0.log Single Component mode? 
false { "application": "", "componentGroup": "", "components": [ { "name": "", "version": "", "containerImage": "quay.io/redhat-appstudio-qe/enterprise-contract-tests:e2e-test-unpinned-task-bundle", "source": {} } ], "artifacts": {} } 2026/06/30 11:18:17 INFO Step was skipped due to when expressions were evaluated to false. "metadata": {"code": "trusted_task.data_format","collections": ["redhat","redhat_rpms","policy_data"],"description": "Confirm the expected `trusted_tasks` data keys have been provided in the expected format.","title": "Data format"}},{"msg": "Pass","metadata": {"code": "trusted_task.future_deny_rule","collections": ["redhat"],"description": "Warn when a task matches a deny rule that has an effective_on date in the future. This provides advance notice that a task will become untrusted when the deny rule takes effect.","title": "Future deny rule will apply"}},{"msg": "Pass","metadata": {"code": "trusted_task.pinned","collections": ["redhat","redhat_rpms"],"description": "Check if all Tekton Tasks use a Task definition by a pinned reference. When using the git resolver, a commit ID is expected for the revision parameter. When using the bundles resolver, the bundle parameter is expected to include an image reference with a digest.","effective_on": "2024-05-07T00:00:00Z","title": "Task references are pinned"}},{"msg": "Pass","metadata": {"code": "trusted_task.tagged","collections": ["redhat","redhat_rpms"],"description": "Check if all Tekton Tasks defined with the bundle format contain a tag reference.","effective_on": "2024-05-07T00:00:00Z","title": "Task references are tagged"}},{"msg": "Pass","metadata": {"code": "trusted_task.trusted","collections": ["redhat"],"description": "Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. 
If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted.","effective_on": "2024-05-07T00:00:00Z","title": "Tasks are trusted"}},{"msg": "Pass","metadata": {"code": "trusted_task.trusted_parameters","collections": ["redhat"],"description": "Confirm certain parameters provided to each builder Task have come from trusted Tasks. Trust can be defined using pattern-based rules (trusted_task_rules) or an explicit allow list with expiry dates (trusted_tasks).","effective_on": "2021-07-04T00:00:00Z","title": "Trusted parameters"}},{"msg": "Pass","metadata": {"code": "trusted_task.valid_trusted_artifact_inputs","collections": ["redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "All input trusted artifacts must be produced on the pipeline. If they are not the artifact could have been injected by a rogue task.","title": "Trusted Artifact produced in pipeline"}},{"msg": "Pass","metadata": {"code": "volatile_config.expired_rule","collections": ["minimal","redhat"],"description": "Generates a warning when a volatile configuration rule has passed its effectiveUntil date. Expired rules are no longer active and should be removed from the policy configuration.","title": "Volatile rule has expired"}},{"msg": "Pass","metadata": {"code": "volatile_config.expiring_rule","collections": ["minimal","redhat"],"description": "Generates a warning when a volatile configuration rule will expire within the configured warning threshold (default 30 days). This provides advance notice to extend or replace the rule before it expires.","title": "Volatile rule expiring soon"}},{"msg": "Pass","metadata": {"code": "volatile_config.invalid_config","collections": ["minimal","redhat"],"description": "Generates a warning when a volatile configuration rule has invalid date values that cannot be parsed. 
This indicates a configuration error that should be corrected.","title": "Volatile rule has invalid configuration"}},{"msg": "Pass","metadata": {"code": "volatile_config.no_expiration","collections": ["minimal","redhat"],"description": "Generates a warning when a volatile configuration rule has no effectiveUntil date set. Rules without expiration dates may accumulate over time and should be periodically reviewed.","title": "Volatile rule has no expiration"}},{"msg": "Pass","metadata": {"code": "volatile_config.pending_rule","collections": ["minimal","redhat"],"description": "Generates a warning when a volatile configuration rule has an effectiveOn date in the future, indicating it will become active at that time.","title": "Volatile rule pending activation"}}],"success": true,"signatures": [{"keyid": "","sig": "MEUCIH1WSpsKcqzY11HkZUBkW2EtnAsuE1DXjFSvEMiekoYhAiEA8DWjnDJelQVizV67I8B3hE7HzqVdoitHQYtE52UYnfU="}],"attestations": [{"type": "https://in-toto.io/Statement/v0.1","predicateType": "https://slsa.dev/provenance/v0.2","predicateBuildType": "tekton.dev/v1/PipelineRun","signatures": [{"keyid": "SHA256:IhiN7gY+Z3uSSd7tmj6w5Zfhqafzdhm3DZjIvGc6iYY","sig": "MEUCIFDe/HK4zGEf6ReCdi9lKIHt+F3RAQVbVz+9njVgeByoAiEA07g5JSnXBDpV2QlW7s4GuY7DoGVO8rwgOzJDsFR4Vhg="}]}]}],"key": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEZP/0htjhVt2y0ohjgtIIgICOtQtA\nnaYJRuLprwIv6FDhZ5yFjYUEtsmoNcW7rx2KM6FOXGsCX3BNc7qhHELT+g==\n-----END PUBLIC KEY-----\n","policy": {"name": "Red Hat","description": "Includes the full set of rules and policies required internally by Red Hat when building Red Hat products. 
Source: https://github.com/conforma/config/blob/main/redhat/policy.yaml","sources": [{"name": "Default","policy": ["oci::quay.io/enterprise-contract/ec-release-policy:konflux@sha256:614408c473895bc7263173ccadcbf782e0c3c7c0a8c10851e6b0c94b5ea448c1"],"data": ["git::github.com/release-engineering/rhtap-ec-policy//data?ref=e7ebca9822d7378140b7207c7bc7062fa883dd5f","oci::quay.io/konflux-ci/tekton-catalog/data-acceptable-bundles:latest@sha256:62c93b5041683cf2c88fbe5b8b857f7c90a9b2cc1f8c9efde39abda01c567128","oci::quay.io/konflux-ci/konflux-vanguard/data-acceptable-bundles:latest@sha256:0b31c7bc77a7463a1bc52f3d3625ef0e0e75443da7fd2de8005d7885282138ea","oci::quay.io/konflux-ci/integration-service-catalog/data-acceptable-bundles:latest@sha256:7b00455045ea3873a72caeb1e7ac7d036bd53963a26409891a4cc9d0d242b9fc"],"config": {"exclude": ["slsa_source_correlated.source_code_reference_provided","cve.cve_results_found"],"include": ["@redhat"]}}],"publicKey": "k8s://chains-e2e-neqh/golden-image-public-keynojeubhkrb"},"ec-version": "v0.9.25","effective-time": "2026-06-30T11:17:23.331002734Z"} 2026-06-30T11:18:26.417783Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-db2529051d96e11c5e79b762fb5d0005-pod_cfae1904-8454-4f00-b511-593ed742a9bd/step-report-json/0.log 2026-06-30T11:18:26.417833Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. 
file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-db2529051d96e11c5e79b762fb5d0005-pod_cfae1904-8454-4f00-b511-593ed742a9bd/step-summary/0.log 2026-06-30T11:18:26.938532Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-db2529051d96e11c5e79b762fb5d0005-pod_cfae1904-8454-4f00-b511-593ed742a9bd/step-assert/0.log 2026-06-30T11:18:26.938587Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-db2529051d96e11c5e79b762fb5d0005-pod_cfae1904-8454-4f00-b511-593ed742a9bd/step-detailed-report/0.log 2026-06-30T11:18:26.938634Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-db2529051d96e11c5e79b762fb5d0005-pod_cfae1904-8454-4f00-b511-593ed742a9bd/step-show-config/0.log 2026-06-30T11:18:26.938662Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. 
file=/var/log/pods/chains-e2e-neqh_verify-enterprise-contract-db2529051d96e11c5e79b762fb5d0005-pod_cfae1904-8454-4f00-b511-593ed742a9bd/step-version/0.log {"success": true,"components": [{"name": "","containerImage": "quay.io/redhat-appstudio-qe/enterprise-contract-tests@sha256:c1a2330b0117c4ccd642ba95539a499ae54f0282b124f0514ee57b274d674f10","source": {},"warnings": [{"msg": "Pipeline task \"build-container\" uses an unpinned task reference, oci://quay.io/redhat-appstudio/appstudio-tasks:8be37c13984bc3f8af4d6314d87b1ec5e494b6ca-1@","metadata": {"code": "trusted_task.pinned","collections": ["redhat","redhat_rpms"],"description": "Check if all Tekton Tasks use a Task definition by a pinned reference. When using the git resolver, a commit ID is expected for the revision parameter. When using the bundles resolver, the bundle parameter is expected to include an image reference with a digest.","solution": "Update the Pipeline definition so that all Task references have a pinned value as mentioned in the description.","term": "buildah","title": "Task references are pinned"}},{"msg": "Pipeline task \"clamav-scan\" uses an unpinned task reference, oci://quay.io/redhat-appstudio/appstudio-tasks:8be37c13984bc3f8af4d6314d87b1ec5e494b6ca-1@","metadata": {"code": "trusted_task.pinned","collections": ["redhat","redhat_rpms"],"description": "Check if all Tekton Tasks use a Task definition by a pinned reference. When using the git resolver, a commit ID is expected for the revision parameter. 
When using the bundles resolver, the bundle parameter is expected to include an image reference with a digest.","solution": "Update the Pipeline definition so that all Task references have a pinned value as mentioned in the description.","term": "clamav-scan","title": "Task references are pinned"}},{"msg": "Pipeline task \"appstudio-configure-build\" uses an unpinned task reference, oci://quay.io/redhat-appstudio/appstudio-tasks:8be37c13984bc3f8af4d6314d87b1ec5e494b6ca-1@","metadata": {"code": "trusted_task.pinned","collections": ["redhat","redhat_rpms"],"description": "Check if all Tekton Tasks use a Task definition by a pinned reference. When using the git resolver, a commit ID is expected for the revision parameter. When using the bundles resolver, the bundle parameter is expected to include an image reference with a digest.","solution": "Update the Pipeline definition so that all Task references have a pinned value as mentioned in the description.","term": "configure-build","title": "Task references are pinned"}},{"msg": "Pipeline task \"conftest-clair\" uses an unpinned task reference, oci://quay.io/redhat-appstudio/appstudio-tasks:8be37c13984bc3f8af4d6314d87b1ec5e494b6ca-1@","metadata": {"code": "trusted_task.pinned","collections": ["redhat","redhat_rpms"],"description": "Check if all Tekton Tasks use a Task definition by a pinned reference. When using the git resolver, a commit ID is expected for the revision parameter. 
When using the bundles resolver, the bundle parameter is expected to include an image reference with a digest.","solution": "Update the Pipeline definition so that all Task references have a pinned value as mentioned in the description.","term": "conftest-clair","title": "Task references are pinned"}},{"msg": "Pipeline task \"deprecated-base-image-check\" uses an unpinned task reference, oci://quay.io/redhat-appstudio/appstudio-tasks:8be37c13984bc3f8af4d6314d87b1ec5e494b6ca-1@","metadata": {"code": "trusted_task.pinned","collections": ["redhat","redhat_rpms"],"description": "Check if all Tekton Tasks use a Task definition by a pinned reference. When using the git resolver, a commit ID is expected for the revision parameter. When using the bundles resolver, the bundle parameter is expected to include an image reference with a digest.","solution": "Update the Pipeline definition so that all Task references have a pinned value as mentioned in the description.","term": "deprecated-image-check","title": "Task references are pinned"}},{"msg": "Pipeline task \"get-clair-results\" uses an unpinned task reference, oci://quay.io/redhat-appstudio/appstudio-tasks:8be37c13984bc3f8af4d6314d87b1ec5e494b6ca-1@","metadata": {"code": "trusted_task.pinned","collections": ["redhat","redhat_rpms"],"description": "Check if all Tekton Tasks use a Task definition by a pinned reference. When using the git resolver, a commit ID is expected for the revision parameter. 
When using the bundles resolver, the bundle parameter is expected to include an image reference with a digest.","solution": "Update the Pipeline definition so that all Task references have a pinned value as mentioned in the description.","term": "get-clair-scan","title": "Task references are pinned"}},{"msg": "Pipeline task \"clone-repository\" uses an unpinned task reference, oci://quay.io/redhat-appstudio/appstudio-tasks:8be37c13984bc3f8af4d6314d87b1ec5e494b6ca-1@","metadata": {"code": "trusted_task.pinned","collections": ["redhat","redhat_rpms"],"description": "Check if all Tekton Tasks use a Task definition by a pinned reference. When using the git resolver, a commit ID is expected for the revision parameter. When using the bundles resolver, the bundle parameter is expected to include an image reference with a digest.","solution": "Update the Pipeline definition so that all Task references have a pinned value as mentioned in the description.","term": "git-clone","title": "Task references are pinned"}},{"msg": "Pipeline task \"hacbs-test-evaluation\" uses an unpinned task reference, oci://quay.io/redhat-appstudio/appstudio-tasks:8be37c13984bc3f8af4d6314d87b1ec5e494b6ca-1@","metadata": {"code": "trusted_task.pinned","collections": ["redhat","redhat_rpms"],"description": "Check if all Tekton Tasks use a Task definition by a pinned reference. When using the git resolver, a commit ID is expected for the revision parameter. 
When using the bundles resolver, the bundle parameter is expected to include an image reference with a digest.","solution": "Update the Pipeline definition so that all Task references have a pinned value as mentioned in the description.","term": "hacbs-test-evaluation","title": "Task references are pinned"}},{"msg": "Pipeline task \"appstudio-init\" uses an unpinned task reference, oci://quay.io/redhat-appstudio/appstudio-tasks:8be37c13984bc3f8af4d6314d87b1ec5e494b6ca-1@","metadata": {"code": "trusted_task.pinned","collections": ["redhat","redhat_rpms"],"description": "Check if all Tekton Tasks use a Task definition by a pinned reference. When using the git resolver, a commit ID is expected for the revision parameter. When using the bundles resolver, the bundle parameter is expected to include an image reference with a digest.","solution": "Update the Pipeline definition so that all Task references have a pinned value as mentioned in the description.","term": "init","title": "Task references are pinned"}},{"msg": "Pipeline task \"sanity-inspect-image\" uses an unpinned task reference, oci://quay.io/redhat-appstudio/appstudio-tasks:8be37c13984bc3f8af4d6314d87b1ec5e494b6ca-2@","metadata": {"code": "trusted_task.pinned","collections": ["redhat","redhat_rpms"],"description": "Check if all Tekton Tasks use a Task definition by a pinned reference. When using the git resolver, a commit ID is expected for the revision parameter. 
When using the bundles resolver, the bundle parameter is expected to include an image reference with a digest.","solution": "Update the Pipeline definition so that all Task references have a pinned value as mentioned in the description.","term": "sanity-inspect-image","title": "Task references are pinned"}},{"msg": "Pipeline task \"sanity-label-check\" uses an unpinned task reference, oci://quay.io/redhat-appstudio/appstudio-tasks:8be37c13984bc3f8af4d6314d87b1ec5e494b6ca-2@","metadata": {"code": "trusted_task.pinned","collections": ["redhat","redhat_rpms"],"description": "Check if all Tekton Tasks use a Task definition by a pinned reference. When using the git resolver, a commit ID is expected for the revision parameter. When using the bundles resolver, the bundle parameter is expected to include an image reference with a digest.",
{ "timestamp": "1782818305", "namespace": "", "successes": 3, "failures": 0, "warnings": 16, "result": "WARNING" }
Success: true
Result: WARNING
Violations: 0, Warnings: 16, Successes: 3
Component:
ImageRef: quay.io/redhat-appstudio-qe/enterprise-contract-tests@sha256:c1a2330b0117c4ccd642ba95539a499ae54f0282b124f0514ee57b274d674f10

Results:
› [Warning] trusted_task.pinned
  ImageRef: quay.io/redhat-appstudio-qe/enterprise-contract-tests@sha256:c1a2330b0117c4ccd642ba95539a499ae54f0282b124f0514ee57b274d674f10
  Reason: Pipeline task "build-container" uses an unpinned task reference, oci://quay.io/redhat-appstudio/appstudio-tasks:8be37c13984bc3f8af4d6314d87b1ec5e494b6ca-1@
  Term: buildah
  Title: Task references are pinned
  Description: Check if all Tekton Tasks use a Task definition by a pinned reference. When using the git resolver, a commit ID is expected for the revision parameter. When using the bundles resolver, the bundle parameter is expected to include an image reference with a digest.
  Solution: Update the Pipeline definition so that all Task references have a pinned value as mentioned in the description.

› [Warning] trusted_task.pinned
  ImageRef: quay.io/redhat-appstudio-qe/enterprise-contract-tests@sha256:c1a2330b0117c4ccd642ba95539a499ae54f0282b124f0514ee57b274d674f10
  Reason: Pipeline task "clamav-scan" uses an unpinned task reference, oci://quay.io/redhat-appstudio/appstudio-tasks:8be37c13984bc3f8af4d6314d87b1ec5e494b6ca-1@
  Term: clamav-scan
  Title: Task references are pinned
  Description: Check if all Tekton Tasks use a Task definition by a pinned reference. When using the git resolver, a commit ID is expected for the revision parameter. When using the bundles resolver, the bundle parameter is expected to include an image reference with a digest.
  Solution: Update the Pipeline definition so that all Task references have a pinned value as mentioned in the description.

› [Warning] trusted_task.pinned
  ImageRef: quay.io/redhat-appstudio-qe/enterprise-contract-tests@sha256:c1a2330b0117c4ccd642ba95539a499ae54f0282b124f0514ee57b274d674f10
  Reason: Pipeline task "appstudio-configure-build" uses an unpinned task reference, oci://quay.io/redhat-appstudio/appstudio-tasks:8be37c13984bc3f8af4d6314d87b1ec5e494b6ca-1@
  Term: configure-build
  Title: Task references are pinned
  Description: Check if all Tekton Tasks use a Task definition by a pinned reference. When using the git resolver, a commit ID is expected for the revision parameter. When using the bundles resolver, the bundle parameter is expected to include an image reference with a digest.
  Solution: Update the Pipeline definition so that all Task references have a pinned value as mentioned in the description.

› [Warning] trusted_task.pinned
  ImageRef: quay.io/redhat-appstudio-qe/enterprise-contract-tests@sha256:c1a2330b0117c4ccd642ba95539a499ae54f0282b124f0514ee57b274d674f10
  Reason: Pipeline task "conftest-clair" uses an unpinned task reference, oci://quay.io/redhat-appstudio/appstudio-tasks:8be37c13984bc3f8af4d6314d87b1ec5e494b6ca-1@
  Term: conftest-clair
  Title: Task references are pinned
  Description: Check if all Tekton Tasks use a Task definition by a pinned reference. When using the git resolver, a commit ID is expected for the revision parameter. When using the bundles resolver, the bundle parameter is expected to include an image reference with a digest.
  Solution: Update the Pipeline definition so that all Task references have a pinned value as mentioned in the description.

› [Warning] trusted_task.pinned
  ImageRef: quay.io/redhat-appstudio-qe/enterprise-contract-tests@sha256:c1a2330b0117c4ccd642ba95539a499ae54f0282b124f0514ee57b274d674f10
  Reason: Pipeline task "deprecated-base-image-check" uses an unpinned task reference, oci://quay.io/redhat-appstudio/appstudio-tasks:8be37c13984bc3f8af4d6314d87b1ec5e494b6ca-1@
  Term: deprecated-image-check
  Title: Task references are pinned
  Description: Check if all Tekton Tasks use a Task definition by a pinned reference. When using the git resolver, a commit ID is expected for the revision parameter. When using the bundles resolver, the bundle parameter is expected to include an image reference with a digest.
  Solution: Update the Pipeline definition so that all Task references have a pinned value as mentioned in the description.

› [Warning] trusted_task.pinned
  ImageRef: quay.io/redhat-appstudio-qe/enterprise-contract-tests@sha256:c1a2330b0117c4ccd642ba95539a499ae54f0282b124f0514ee57b274d674f10
  Reason: Pipeline task "get-clair-results" uses an unpinned task reference, oci://quay.io/redhat-appstudio/appstudio-tasks:8be37c13984bc3f8af4d6314d87b1ec5e494b6ca-1@
  Term: get-clair-scan
  Title: Task references are pinned
  Description: Check if all Tekton Tasks use a Task definition by a pinned reference. When using the git resolver, a commit ID is expected for the revision parameter. When using the bundles resolver, the bundle parameter is expected to include an image reference with a digest.
  Solution: Update the Pipeline definition so that all Task references have a pinned value as mentioned in the description.

› [Warning] trusted_task.pinned
  ImageRef: quay.io/redhat-appstudio-qe/enterprise-contract-tests@sha256:c1a2330b0117c4ccd642ba95539a499ae54f0282b124f0514ee57b274d674f10
  Reason: Pipeline task "clone-repository" uses an unpinned task reference, oci://quay.io/redhat-appstudio/appstudio-tasks:8be37c13984bc3f8af4d6314d87b1ec5e494b6ca-1@
  Term: git-clone
  Title: Task references are pinned
  Description: Check if all Tekton Tasks use a Task definition by a pinned reference. When using the git resolver, a commit ID is expected for the revision parameter. When using the bundles resolver, the bundle parameter is expected to include an image reference with a digest.
  Solution: Update the Pipeline definition so that all Task references have a pinned value as mentioned in the description.

› [Warning] trusted_task.pinned
  ImageRef: quay.io/redhat-appstudio-qe/enterprise-contract-tests@sha256:c1a2330b0117c4ccd642ba95539a499ae54f0282b124f0514ee57b274d674f10
  Reason: Pipeline task "hacbs-test-evaluation" uses an unpinned task reference, oci://quay.io/redhat-appstudio/appstudio-tasks:8be37c13984bc3f8af4d6314d87b1ec5e494b6ca-1@
  Term: hacbs-test-evaluation
  Title: Task references are pinned
  Description: Check if all Tekton Tasks use a Task definition by a pinned reference. When using the git resolver, a commit ID is expected for the revision parameter. When using the bundles resolver, the bundle parameter is expected to include an image reference with a digest.
  Solution: Update the Pipeline definition so that all Task references have a pinned value as mentioned in the description.

› [Warning] trusted_task.pinned
  ImageRef: quay.io/redhat-appstudio-qe/enterprise-contract-tests@sha256:c1a2330b0117c4ccd642ba95539a499ae54f0282b124f0514ee57b274d674f10
  Reason: Pipeline task "appstudio-init" uses an unpinned task reference, oci://quay.io/redhat-appstudio/appstudio-tasks:8be37c13984bc3f8af4d6314d87b1ec5e494b6ca-1@
  Term: init
  Title: Task references are pinned
  Description: Check if all Tekton Tasks use a Task definition by a pinned reference. When using the git resolver, a commit ID is expected for the revision parameter. When using the bundles resolver, the bundle parameter is expected to include an image reference with a digest.
  Solution: Update the Pipeline definition so that all Task references have a pinned value as mentioned in the description.

› [Warning] trusted_task.pinned
  ImageRef: quay.io/redhat-appstudio-qe/enterprise-contract-tests@sha256:c1a2330b0117c4ccd642ba95539a499ae54f0282b124f0514ee57b274d674f10
  Reason: Pipeline task "sanity-inspect-image" uses an unpinned task reference, oci://quay.io/redhat-appstudio/appstudio-tasks:8be37c13984bc3f8af4d6314d87b1ec5e494b6ca-2@
  Term: sanity-inspect-image
  Title: Task references are pinned
  Description: Check if all Tekton Tasks use a Task definition by a pinned reference. When using the git resolver, a commit ID is expected for the revision parameter. When using the bundles resolver, the bundle parameter is expected to include an image reference with a digest.
  Solution: Update the Pipeline definition so that all Task references have a pinned value as mentioned in the description.

› [Warning] trusted_task.pinned
  ImageRef: quay.io/redhat-appstudio-qe/enterprise-contract-tests@sha256:c1a2330b0117c4ccd642ba95539a499ae54f0282b124f0514ee57b274d674f10
  Reason: Pipeline task "sanity-label-check" uses an unpinned task reference, oci://quay.io/redhat-appstudio/appstudio-tasks:8be37c13984bc3f8af4d6314d87b1ec5e494b6ca-2@
  Term: sanity-label-check
  Title: Task references are pinned
  Description: Check if all Tekton Tasks use a Task definition by a pinned reference. When using the git resolver, a commit ID is expected for the revision parameter. When using the bundles resolver, the bundle parameter is expected to include an image reference with a digest.
  Solution: Update the Pipeline definition so that all Task references have a pinned value as mentioned in the description.

› [Warning] trusted_task.pinned
  ImageRef: quay.io/redhat-appstudio-qe/enterprise-contract-tests@sha256:c1a2330b0117c4ccd642ba95539a499ae54f0282b124f0514ee57b274d674f10
  Reason: Pipeline task "sanity-optional-label-check" uses an unpinned task reference, oci://quay.io/redhat-appstudio/appstudio-tasks:8be37c13984bc3f8af4d6314d87b1ec5e494b6ca-2@
  Term: sanity-label-check
  Title: Task references are pinned
  Description: Check if all Tekton Tasks use a Task definition by a pinned reference. When using the git resolver, a commit ID is expected for the revision parameter. When using the bundles resolver, the bundle parameter is expected to include an image reference with a digest.
  Solution: Update the Pipeline definition so that all Task references have a pinned value as mentioned in the description.

› [Warning] trusted_task.pinned
  ImageRef: quay.io/redhat-appstudio-qe/enterprise-contract-tests@sha256:c1a2330b0117c4ccd642ba95539a499ae54f0282b124f0514ee57b274d674f10
  Reason: Pipeline task "sast-go" uses an unpinned task reference, oci://quay.io/redhat-appstudio/appstudio-tasks:8be37c13984bc3f8af4d6314d87b1ec5e494b6ca-2@
  Term: sast-go
  Title: Task references are pinned
  Description: Check if all Tekton Tasks use a Task definition by a pinned reference. When using the git resolver, a commit ID is expected for the revision parameter. When using the bundles resolver, the bundle parameter is expected to include an image reference with a digest.
  Solution: Update the Pipeline definition so that all Task references have a pinned value as mentioned in the description.

› [Warning] trusted_task.pinned
  ImageRef: quay.io/redhat-appstudio-qe/enterprise-contract-tests@sha256:c1a2330b0117c4ccd642ba95539a499ae54f0282b124f0514ee57b274d674f10
  Reason: Pipeline task "sast-java-sec-check" uses an unpinned task reference, oci://quay.io/redhat-appstudio/appstudio-tasks:8be37c13984bc3f8af4d6314d87b1ec5e494b6ca-2@
  Term: sast-java-sec-check
  Title: Task references are pinned
  Description: Check if all Tekton Tasks use a Task definition by a pinned reference. When using the git resolver, a commit ID is expected for the revision parameter. When using the bundles resolver, the bundle parameter is expected to include an image reference with a digest.
  Solution: Update the Pipeline definition so that all Task references have a pinned value as mentioned in the description.

› [Warning] trusted_task.pinned
  ImageRef: quay.io/redhat-appstudio-qe/enterprise-contract-tests@sha256:c1a2330b0117c4ccd642ba95539a499ae54f0282b124f0514ee57b274d674f10
  Reason: Pipeline task "sast-snyk-check" uses an unpinned task reference, oci://quay.io/redhat-appstudio/appstudio-tasks:8be37c13984bc3f8af4d6314d87b1ec5e494b6ca-2@
  Term: sast-snyk-check
  Title: Task references are pinned
  Description: Check if all Tekton Tasks use a Task definition by a pinned reference. When using the git resolver, a commit ID is expected for the revision parameter. When using the bundles resolver, the bundle parameter is expected to include an image reference with a digest.
  Solution: Update the Pipeline definition so that all Task references have a pinned value as mentioned in the description.

› [Warning] trusted_task.pinned
  ImageRef: quay.io/redhat-appstudio-qe/enterprise-contract-tests@sha256:c1a2330b0117c4ccd642ba95539a499ae54f0282b124f0514ee57b274d674f10
  Reason: Pipeline task "show-summary" uses an unpinned task reference, oci://quay.io/redhat-appstudio/appstudio-tasks:8be37c13984bc3f8af4d6314d87b1ec5e494b6ca-2@
  Term: summary
  Title: Task references are pinned
  Description: Check if all Tekton Tasks use a Task definition by a pinned reference. When using the git resolver, a commit ID is expected for the revision parameter. When using the bundles resolver, the bundle parameter is expected to include an image reference with a digest.
  Solution: Update the Pipeline definition so that all Task references have a pinned value as mentioned in the description.

For more information about policy issues, see the policy documentation: https://conforma.dev/docs/policy/

Version v0.9.25
Source ID b345847182602d9a5ce9e957fa76fe02575c8018
Change date 2026-04-27 12:52:43 +0000 UTC (9 weeks ago)
ECC v0.1.7
OPA v1.15.2
Conftest v0.68.2
Cosign v3.0.4
Sigstore v1.10.4
Rekor v1.5.0
Tekton Pipeline v1.9.2
Kubernetes Client v0.35.0
true
{ "policy": { "name": "Default", "description": "Includes rules for levels 1, 2 & 3 of SLSA v0.1. This is the default config used for new Konflux applications.
Source: https://github.com/conforma/config/blob/main/default/policy.yaml", "sources": [ { "name": "Default", "policy": [ "oci::quay.io/enterprise-contract/ec-release-policy:konflux@sha256:614408c473895bc7263173ccadcbf782e0c3c7c0a8c10851e6b0c94b5ea448c1" ], "data": [ "git::github.com/release-engineering/rhtap-ec-policy//data?ref=e7ebca9822d7378140b7207c7bc7062fa883dd5f", "oci::quay.io/konflux-ci/tekton-catalog/data-acceptable-bundles:latest@sha256:62c93b5041683cf2c88fbe5b8b857f7c90a9b2cc1f8c9efde39abda01c567128", "oci::quay.io/konflux-ci/konflux-vanguard/data-acceptable-bundles:latest@sha256:0b31c7bc77a7463a1bc52f3d3625ef0e0e75443da7fd2de8005d7885282138ea", "oci::quay.io/konflux-ci/integration-service-catalog/data-acceptable-bundles:latest@sha256:7b00455045ea3873a72caeb1e7ac7d036bd53963a26409891a4cc9d0d242b9fc" ], "config": { "include": [ "trusted_task.pinned" ] } } ], "publicKey": "k8s://chains-e2e-neqh/unpinned-task-bundle-public-keynkiwkwmzoa" }, "key": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEPfwkY/ru2JRd6FSqIp7lT3gzjaEC\nEAg+paWtlme2KNcostCsmIbwz+bc2aFV+AxCOpRjRpp3vYrbS5KhkmgC1Q==\n-----END PUBLIC KEY-----\n", "effective-time": "2026-06-30T11:18:17.888591151Z" } "type": "https://in-toto.io/Statement/v0.1","predicateType": "https://slsa.dev/provenance/v0.2","predicateBuildType": "tekton.dev/v1beta1/TaskRun","signatures": [{"keyid": "SHA256:IhiN7gY+Z3uSSd7tmj6w5Zfhqafzdhm3DZjIvGc6iYY","sig": "MEUCIQDcgZIwEkLFqD7U9HrobgEC8Jo7wm+xJ5AoyO3qg+aj8QIgb9xDpjYGRMmpVk+QATeVKlHonzBiu51HtT3J+lQXPXc="}]},{"type": "https://in-toto.io/Statement/v0.1","predicateType": "https://slsa.dev/provenance/v0.2","predicateBuildType": "tekton.dev/v1beta1/PipelineRun","signatures": [{"keyid": "SHA256:IhiN7gY+Z3uSSd7tmj6w5Zfhqafzdhm3DZjIvGc6iYY","sig": "MEYCIQDKSihaAR/zAhJhR5GCqleDvfUUtvRw61vk0YeTBAnOSQIhAKa09B4yEfaSJronmWBFbu5cVPNxm17CMl/PElEz1POa"}]}]}],"key": "-----BEGIN PUBLIC 
KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEZP/0htjhVt2y0ohjgtIIgICOtQtA\nnaYJRuLprwIv6FDhZ5yFjYUEtsmoNcW7rx2KM6FOXGsCX3BNc7qhHELT+g==\n-----END PUBLIC KEY-----\n","policy": {"name": "Default","description": "Includes rules for levels 1, 2 & 3 of SLSA v0.1. This is the default config used for new Konflux applications. Source: https://github.com/conforma/config/blob/main/default/policy.yaml","sources": [{"name": "Default","policy": ["oci::quay.io/enterprise-contract/ec-release-policy:konflux@sha256:614408c473895bc7263173ccadcbf782e0c3c7c0a8c10851e6b0c94b5ea448c1"],"data": ["git::github.com/release-engineering/rhtap-ec-policy//data?ref=e7ebca9822d7378140b7207c7bc7062fa883dd5f","oci::quay.io/konflux-ci/tekton-catalog/data-acceptable-bundles:latest@sha256:62c93b5041683cf2c88fbe5b8b857f7c90a9b2cc1f8c9efde39abda01c567128","oci::quay.io/konflux-ci/konflux-vanguard/data-acceptable-bundles:latest@sha256:0b31c7bc77a7463a1bc52f3d3625ef0e0e75443da7fd2de8005d7885282138ea","oci::quay.io/konflux-ci/integration-service-catalog/data-acceptable-bundles:latest@sha256:7b00455045ea3873a72caeb1e7ac7d036bd53963a26409891a4cc9d0d242b9fc"],"config": {"include": ["trusted_task.trusted"]}}],"publicKey": "k8s://chains-e2e-neqh/golden-image-public-keyklhvmxjahr"},"ec-version": "v0.9.25","effective-time": "2026-06-30T11:17:59.370750231Z"} "solution": "Update the Pipeline definition so that all Task references have a pinned value as mentioned in the description.","term": "sanity-label-check","title": "Task references are pinned"}},{"msg": "Pipeline task \"sanity-optional-label-check\" uses an unpinned task reference, oci://quay.io/redhat-appstudio/appstudio-tasks:8be37c13984bc3f8af4d6314d87b1ec5e494b6ca-2@","metadata": {"code": "trusted_task.pinned","collections": ["redhat","redhat_rpms"],"description": "Check if all Tekton Tasks use a Task definition by a pinned reference. When using the git resolver, a commit ID is expected for the revision parameter. 
When using the bundles resolver, the bundle parameter is expected to include an image reference with a digest.","solution": "Update the Pipeline definition so that all Task references have a pinned value as mentioned in the description.","term": "sanity-label-check","title": "Task references are pinned"}},{"msg": "Pipeline task \"sast-go\" uses an unpinned task reference, oci://quay.io/redhat-appstudio/appstudio-tasks:8be37c13984bc3f8af4d6314d87b1ec5e494b6ca-2@","metadata": {"code": "trusted_task.pinned","collections": ["redhat","redhat_rpms"],"description": "Check if all Tekton Tasks use a Task definition by a pinned reference. When using the git resolver, a commit ID is expected for the revision parameter. When using the bundles resolver, the bundle parameter is expected to include an image reference with a digest.","solution": "Update the Pipeline definition so that all Task references have a pinned value as mentioned in the description.","term": "sast-go","title": "Task references are pinned"}},{"msg": "Pipeline task \"sast-java-sec-check\" uses an unpinned task reference, oci://quay.io/redhat-appstudio/appstudio-tasks:8be37c13984bc3f8af4d6314d87b1ec5e494b6ca-2@","metadata": {"code": "trusted_task.pinned","collections": ["redhat","redhat_rpms"],"description": "Check if all Tekton Tasks use a Task definition by a pinned reference. When using the git resolver, a commit ID is expected for the revision parameter. 
When using the bundles resolver, the bundle parameter is expected to include an image reference with a digest.","solution": "Update the Pipeline definition so that all Task references have a pinned value as mentioned in the description.","term": "sast-java-sec-check","title": "Task references are pinned"}},{"msg": "Pipeline task \"sast-snyk-check\" uses an unpinned task reference, oci://quay.io/redhat-appstudio/appstudio-tasks:8be37c13984bc3f8af4d6314d87b1ec5e494b6ca-2@","metadata": {"code": "trusted_task.pinned","collections": ["redhat","redhat_rpms"],"description": "Check if all Tekton Tasks use a Task definition by a pinned reference. When using the git resolver, a commit ID is expected for the revision parameter. When using the bundles resolver, the bundle parameter is expected to include an image reference with a digest.","solution": "Update the Pipeline definition so that all Task references have a pinned value as mentioned in the description.","term": "sast-snyk-check","title": "Task references are pinned"}},{"msg": "Pipeline task \"show-summary\" uses an unpinned task reference, oci://quay.io/redhat-appstudio/appstudio-tasks:8be37c13984bc3f8af4d6314d87b1ec5e494b6ca-2@","metadata": {"code": "trusted_task.pinned","collections": ["redhat","redhat_rpms"],"description": "Check if all Tekton Tasks use a Task definition by a pinned reference. When using the git resolver, a commit ID is expected for the revision parameter. 
When using the bundles resolver, the bundle parameter is expected to include an image reference with a digest.","solution": "Update the Pipeline definition so that all Task references have a pinned value as mentioned in the description.","term": "summary","title": "Task references are pinned"}}],"successes": [{"msg": "Pass","metadata": {"code": "builtin.attestation.signature_check","description": "The attestation signature matches available signing materials.","title": "Attestation signature check passed"}},{"msg": "Pass","metadata": {"code": "builtin.attestation.syntax_check","description": "The attestation has correct syntax.","title": "Attestation syntax check passed"}},{"msg": "Pass","metadata": {"code": "builtin.image.signature_check","description": "The image signature matches available signing materials.","title": "Image signature check passed"}}],"success": true,"signatures": [{"keyid": "","sig": "MEYCIQD0M+eFk8KPeOHvC6GNIQkaJGZvtOvvDqBvzi+qYgiS2gIhAP7stpq7Nl9vpF4tjqLC7/gr6t5yXc9Y353Btfe3DcEM"},{"keyid": "","sig": "MEUCIDkj9PKADlbayhD4DIUm5SRw2pCzSTeak1dJHAZOyQyQAiEApp4BQneeSKSbKbojFEzeJbVTPGBQrA7QnTzTblnU7nE="}],"attestations": [{"type": "https://in-toto.io/Statement/v0.1","predicateType": "https://slsa.dev/provenance/v0.2","predicateBuildType": "https://tekton.dev/attestations/chains@v2","signatures": [{"keyid": "SHA256:w1ABTR6Lt6NlJapY8sIR8F2BvXZ6qn2q+GrC+jWwpqE","sig": "MEQCICXkO7VwYxRHIYd+EbSeIvN+tKMyM4YSZkbUewMSefclAiBCoWnkdF5X4z6rY2YnOlwF5NrrPJh4f/tIvGJe1E3HIQ=="}]},{"type": "https://in-toto.io/Statement/v0.1","predicateType": "https://slsa.dev/provenance/v0.2","predicateBuildType": "https://tekton.dev/attestations/chains@v2","signatures": [{"keyid": "SHA256:w1ABTR6Lt6NlJapY8sIR8F2BvXZ6qn2q+GrC+jWwpqE","sig": "MEUCIQCmcnxF+boyOwR1RSLnZHUJgGtuQ5y0pm+hBjAhyb9TOwIgTtn/WYNIDWeW9WEALawsVBBtcsdeG91wuwIHpYo2zpc="}]},{"type": "https://in-toto.io/Statement/v0.1","predicateType": "https://slsa.dev/provenance/v0.2","predicateBuildType": 
"https://tekton.dev/attestations/chains/pipelinerun@v2","signatures": [{"keyid": "SHA256:w1ABTR6Lt6NlJapY8sIR8F2BvXZ6qn2q+GrC+jWwpqE","sig": "MEUCIQCrK8Zvo5I45A0j/gvxmsJV30nb6/iQxQVeOMhELH964AIgXm12BtB+JHO5YWoFZAAAR+yMrpgeNBvn5vvVLYoYpHA="}]}]}],"key": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEPfwkY/ru2JRd6FSqIp7lT3gzjaEC\nEAg+paWtlme2KNcostCsmIbwz+bc2aFV+AxCOpRjRpp3vYrbS5KhkmgC1Q==\n-----END PUBLIC KEY-----\n","policy": {"name": "Default","description": "Includes rules for levels 1, 2 & 3 of SLSA v0.1. This is the default config used for new Konflux applications. Source: https://github.com/conforma/config/blob/main/default/policy.yaml","sources": [{"name": "Default","policy": ["oci::quay.io/enterprise-contract/ec-release-policy:konflux@sha256:614408c473895bc7263173ccadcbf782e0c3c7c0a8c10851e6b0c94b5ea448c1"],"data": ["git::github.com/release-engineering/rhtap-ec-policy//data?ref=e7ebca9822d7378140b7207c7bc7062fa883dd5f","oci::quay.io/konflux-ci/tekton-catalog/data-acceptable-bundles:latest@sha256:62c93b5041683cf2c88fbe5b8b857f7c90a9b2cc1f8c9efde39abda01c567128","oci::quay.io/konflux-ci/konflux-vanguard/data-acceptable-bundles:latest@sha256:0b31c7bc77a7463a1bc52f3d3625ef0e0e75443da7fd2de8005d7885282138ea","oci::quay.io/konflux-ci/integration-service-catalog/data-acceptable-bundles:latest@sha256:7b00455045ea3873a72caeb1e7ac7d036bd53963a26409891a4cc9d0d242b9fc"],"config": {"include": ["trusted_task.pinned"]}}],"publicKey": "k8s://chains-e2e-neqh/unpinned-task-bundle-public-keynkiwkwmzoa"},"ec-version": "v0.9.25","effective-time": "2026-06-30T11:18:17.888591151Z"} 2026-06-30T12:00:19.604402Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. 
file=/var/log/pods/mintmaker_renovate-06301200-edac3108-build-pod_34db95be-69d2-47db-af76-0e2a98fc1975/place-scripts/0.log
2026-06-30T12:00:19.604443Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/mintmaker_renovate-06301200-edac3108-build-pod_34db95be-69d2-47db-af76-0e2a98fc1975/prepare/0.log
2026/06/30 12:00:18 Entrypoint initialization
2026/06/30 12:00:18 Decoded script /tekton/scripts/script-0-xhlsz
2026/06/30 12:00:18 Decoded script /tekton/scripts/script-1-r8bw4
2026/06/30 12:00:18 Decoded script /tekton/scripts/script-2-rhl8n
2026-06-30T12:00:23.719297Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/mintmaker_renovate-06301200-edac3108-build-pod_34db95be-69d2-47db-af76-0e2a98fc1975/step-prepare-db/0.log
2026/06/30 12:00:23 warning: unsuccessful cred copy: ".docker" from "/tekton/creds" to "/": unable to create destination directory: mkdir /.docker: permission denied
2026-06-30T12:00:27.832932Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/mintmaker_renovate-06301200-edac3108-build-pod_34db95be-69d2-47db-af76-0e2a98fc1975/step-prepare-rpm-cert/0.log
2026/06/30 12:00:27 warning: unsuccessful cred copy: ".docker" from "/tekton/creds" to "/root": unable to create destination directory: mkdir /root/.docker: permission denied
2026-06-30T12:02:18.613531Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Stopped watching file. file=/var/log/pods/mintmaker_renovate-06301200-edac3108-build-pod_34db95be-69d2-47db-af76-0e2a98fc1975/step-prepare-rpm-cert/0.log reached_eof="true"
2026-06-30T12:02:20.664878Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Stopped watching file. file=/var/log/pods/mintmaker_renovate-06301200-edac3108-build-pod_34db95be-69d2-47db-af76-0e2a98fc1975/place-scripts/0.log reached_eof="true"
2026-06-30T12:02:20.664927Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Stopped watching file. file=/var/log/pods/mintmaker_renovate-06301200-edac3108-build-pod_34db95be-69d2-47db-af76-0e2a98fc1975/prepare/0.log reached_eof="true"
2026-06-30T12:02:20.664941Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Stopped watching file. file=/var/log/pods/mintmaker_renovate-06301200-edac3108-build-pod_34db95be-69d2-47db-af76-0e2a98fc1975/step-prepare-db/0.log reached_eof="true"