2026-06-29T18:19:16.217401Z INFO vector::app: Log level is enabled. level="info" 2026-06-29T18:19:16.217838Z INFO vector::app: Loading configs. paths=["/etc/vector"] 2026-06-29T18:19:16.220432Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}: vector::sources::kubernetes_logs: Obtained Kubernetes Node name to collect logs for (self). self_node_name="ip-10-0-171-253.ec2.internal" 2026-06-29T18:19:16.226930Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}: vector::sources::kubernetes_logs: Including matching files. ret=["**/*"] 2026-06-29T18:19:16.226943Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}: vector::sources::kubernetes_logs: Excluding matching files. ret=["**/*.gz", "**/*.tmp"] 2026-06-29T18:19:16.229426Z INFO vector::topology::running: Running healthchecks. 2026-06-29T18:19:16.229485Z INFO vector: Vector has started. debug="false" version="0.45.0" arch="x86_64" revision="063cabb 2025-02-24 14:52:02.810034614" 2026-06-29T18:19:16.229500Z INFO vector::topology::builder: Healthcheck passed. 2026-06-29T18:19:16.230752Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: file_source::checkpointer: Attempting to read legacy checkpoint files. 2026-06-29T18:19:16.230774Z INFO vector::internal_events::api: API server running. address=127.0.0.1:8686 playground=off graphql=http://127.0.0.1:8686/graphql 2026-06-29T18:33:43.038925Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-yiyr_buildah-demo-klugklvmyo-build-image-index-pod_31405d5f-dbfd-4a72-b16b-97c93fd3f80c/prepare/0.log 2026-06-29T18:33:43.557708Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-yiyr_buildah-demo-klugklvmyo-build-image-index-pod_31405d5f-dbfd-4a72-b16b-97c93fd3f80c/place-scripts/0.log 2026/06/29 18:33:42 Entrypoint initialization 2026/06/29 18:33:43 Decoded script /tekton/scripts/script-0-f7fdt 2026/06/29 18:33:43 Decoded script /tekton/scripts/script-1-lc27h 2026/06/29 18:33:43 Decoded script /tekton/scripts/script-2-mwrm6 2026-06-29T18:33:57.908777Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-yiyr_buildah-demo-klugklvmyo-build-image-index-pod_31405d5f-dbfd-4a72-b16b-97c93fd3f80c/step-build/0.log 2026-06-29T18:34:10.206790Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-yiyr_buildah-demo-klugklvmyo-build-image-index-pod_31405d5f-dbfd-4a72-b16b-97c93fd3f80c/step-create-sbom/0.log 2026-06-29T18:34:24.551620Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-yiyr_buildah-demo-klugklvmyo-build-image-index-pod_31405d5f-dbfd-4a72-b16b-97c93fd3f80c/step-build/0.log 2026-06-29T18:34:24.551658Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-yiyr_buildah-demo-klugklvmyo-build-image-index-pod_31405d5f-dbfd-4a72-b16b-97c93fd3f80c/step-upload-sbom/0.log 2026-06-29T18:34:26.609608Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-yiyr_buildah-demo-klugklvmyo-build-image-index-pod_31405d5f-dbfd-4a72-b16b-97c93fd3f80c/step-create-sbom/0.log 2026-06-29T18:34:27.129847Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-yiyr_buildah-demo-klugklvmyo-build-image-index-pod_31405d5f-dbfd-4a72-b16b-97c93fd3f80c/step-upload-sbom/0.log [2026-06-29T18:34:24,354459597+00:00] Update CA trust INFO: Using mounted CA bundle: /mnt/trusted-ca/ca-bundle.crt '/mnt/trusted-ca/ca-bundle.crt' -> '/etc/pki/ca-trust/source/anchors/ca-bundle.crt' Running konflux-build-cli time="2026-06-29T18:34:26Z" level=info msg="[param] image: quay.io/redhat-appstudio-qe/test-images:buildah-demo-klugklvmyo" time="2026-06-29T18:34:26Z" level=info msg="[param] images: [quay.io/redhat-appstudio-qe/test-images:buildah-demo-klugklvmyo@sha256:58ea0b03fc65ddfde8d16f937b103ae26206e13c81b08eb940886646160afda2]" time="2026-06-29T18:34:26Z" level=info msg="[param] buildah-format: docker" time="2026-06-29T18:34:26Z" level=info msg="[param] always-build-index: false" time="2026-06-29T18:34:26Z" level=info msg="[param] additional-tags: [buildah-demo-klugklvmyo-build-image-index]" time="2026-06-29T18:34:26Z" level=info msg="[param] output-manifest-path: /index-build-data/manifest_data.json" time="2026-06-29T18:34:26Z" level=info msg="[param] result-path-image-digest: /tekton/results/IMAGE_DIGEST" time="2026-06-29T18:34:26Z" level=info msg="[param] result-path-image-url: /tekton/results/IMAGE_URL" time="2026-06-29T18:34:26Z" level=info msg="[param] result-path-image-ref: /tekton/results/IMAGE_REF" time="2026-06-29T18:34:26Z" level=info msg="[param] result-path-images: /tekton/results/IMAGES" time="2026-06-29T18:34:26Z" level=info msg="Creating manifest list: quay.io/redhat-appstudio-qe/test-images:buildah-demo-klugklvmyo" time="2026-06-29T18:34:26Z" level=info msg="buildah [stdout] cae4f2ec1e798563b3fd21bfcd65bf40b8aa178001a8b8e1882bac4381f9bb2b" logger=CliExecutor time="2026-06-29T18:34:26Z" level=info msg="Skipping image index generation. Returning results for single image." [2026-06-29T18:34:26,663941227+00:00] Update CA trust INFO: Using mounted CA bundle: /mnt/trusted-ca/ca-bundle.crt '/mnt/trusted-ca/ca-bundle.crt' -> '/etc/pki/ca-trust/source/anchors/ca-bundle.crt' The index.spdx.json file does not exists. Skipping the SBOM upload... The manifest_data.json file does not exist. Skipping the SBOM creation... {"image_digest":"sha256:58ea0b03fc65ddfde8d16f937b103ae26206e13c81b08eb940886646160afda2","image_url":"quay.io/redhat-appstudio-qe/test-images:buildah-demo-klugklvmyo","image_ref":"quay.io/redhat-appstudio-qe/test-images@sha256:58ea0b03fc65ddfde8d16f937b103ae26206e13c81b08eb940886646160afda2","images":"quay.io/redhat-appstudio-qe/test-images@sha256:58ea0b03fc65ddfde8d16f937b103ae26206e13c81b08eb940886646160afda2"} 2026-06-29T18:35:20.429396Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-yiyr_verify-enterprise-contract-27ccb8e3f03b230399f6f745344b526f-pod_7f53ee27-ed72-4e5d-855a-10a0eb985778/place-scripts/0.log 2026-06-29T18:35:20.429442Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-yiyr_verify-enterprise-contract-27ccb8e3f03b230399f6f745344b526f-pod_7f53ee27-ed72-4e5d-855a-10a0eb985778/prepare/0.log 2026/06/29 18:35:18 Entrypoint initialization 2026/06/29 18:35:19 Decoded script /tekton/scripts/script-2-xkblz 2026-06-29T18:35:32.735485Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-yiyr_verify-enterprise-contract-27ccb8e3f03b230399f6f745344b526f-pod_7f53ee27-ed72-4e5d-855a-10a0eb985778/step-assert/0.log 2026-06-29T18:35:32.735516Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-yiyr_verify-enterprise-contract-27ccb8e3f03b230399f6f745344b526f-pod_7f53ee27-ed72-4e5d-855a-10a0eb985778/step-detailed-report/0.log 2026-06-29T18:35:32.735524Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-yiyr_verify-enterprise-contract-27ccb8e3f03b230399f6f745344b526f-pod_7f53ee27-ed72-4e5d-855a-10a0eb985778/step-initialize-tuf/0.log 2026-06-29T18:35:32.735530Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-yiyr_verify-enterprise-contract-27ccb8e3f03b230399f6f745344b526f-pod_7f53ee27-ed72-4e5d-855a-10a0eb985778/step-reduce/0.log 2026-06-29T18:35:32.735537Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-yiyr_verify-enterprise-contract-27ccb8e3f03b230399f6f745344b526f-pod_7f53ee27-ed72-4e5d-855a-10a0eb985778/step-report-json/0.log 2026-06-29T18:35:32.735544Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-yiyr_verify-enterprise-contract-27ccb8e3f03b230399f6f745344b526f-pod_7f53ee27-ed72-4e5d-855a-10a0eb985778/step-show-config/0.log 2026-06-29T18:35:32.735576Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-yiyr_verify-enterprise-contract-27ccb8e3f03b230399f6f745344b526f-pod_7f53ee27-ed72-4e5d-855a-10a0eb985778/step-summary/0.log 2026-06-29T18:35:32.735586Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-yiyr_verify-enterprise-contract-27ccb8e3f03b230399f6f745344b526f-pod_7f53ee27-ed72-4e5d-855a-10a0eb985778/step-validate/0.log 2026-06-29T18:35:32.735594Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-yiyr_verify-enterprise-contract-27ccb8e3f03b230399f6f745344b526f-pod_7f53ee27-ed72-4e5d-855a-10a0eb985778/step-version/0.log 2026-06-29T18:35:34.785375Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-yiyr_verify-enterprise-contract-27ccb8e3f03b230399f6f745344b526f-pod_7f53ee27-ed72-4e5d-855a-10a0eb985778/step-initialize-tuf/0.log 2026-06-29T18:35:34.785429Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-yiyr_verify-enterprise-contract-27ccb8e3f03b230399f6f745344b526f-pod_7f53ee27-ed72-4e5d-855a-10a0eb985778/step-reduce/0.log 2026/06/29 18:35:33 INFO Step was skipped due to when expressions were evaluated to false. Single Component mode? false { "application": "", "componentGroup": "", "components": [ { "name": "", "version": "", "containerImage": "quay.io/redhat-appstudio-qe/test-images:buildah-demo-klugklvmyo@sha256:58ea0b03fc65ddfde8d16f937b103ae26206e13c81b08eb940886646160afda2", "source": {} } ], "artifacts": {} } 2026-06-29T18:35:45.039285Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-yiyr_verify-enterprise-contract-27ccb8e3f03b230399f6f745344b526f-pod_7f53ee27-ed72-4e5d-855a-10a0eb985778/step-assert/0.log 2026-06-29T18:35:45.039332Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-yiyr_verify-enterprise-contract-27ccb8e3f03b230399f6f745344b526f-pod_7f53ee27-ed72-4e5d-855a-10a0eb985778/step-detailed-report/0.log 2026-06-29T18:35:45.039369Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-yiyr_verify-enterprise-contract-27ccb8e3f03b230399f6f745344b526f-pod_7f53ee27-ed72-4e5d-855a-10a0eb985778/step-report-json/0.log 2026-06-29T18:35:45.039387Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-yiyr_verify-enterprise-contract-27ccb8e3f03b230399f6f745344b526f-pod_7f53ee27-ed72-4e5d-855a-10a0eb985778/step-show-config/0.log 2026-06-29T18:35:45.039403Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-yiyr_verify-enterprise-contract-27ccb8e3f03b230399f6f745344b526f-pod_7f53ee27-ed72-4e5d-855a-10a0eb985778/step-summary/0.log 2026-06-29T18:35:45.039422Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-yiyr_verify-enterprise-contract-27ccb8e3f03b230399f6f745344b526f-pod_7f53ee27-ed72-4e5d-855a-10a0eb985778/step-version/0.log { "policy": { "name": "Default", "description": "Includes rules for levels 1, 2 & 3 of SLSA v0.1. This is the default config used for new Konflux applications. Source: https://github.com/conforma/config/blob/main/default/policy.yaml", "sources": [ { "name": "Default", "policy": [ "oci::quay.io/enterprise-contract/ec-release-policy:konflux@sha256:614408c473895bc7263173ccadcbf782e0c3c7c0a8c10851e6b0c94b5ea448c1" ], "data": [ "git::github.com/release-engineering/rhtap-ec-policy//data?ref=e7ebca9822d7378140b7207c7bc7062fa883dd5f", "oci::quay.io/konflux-ci/tekton-catalog/data-acceptable-bundles:latest@sha256:6a9e3fcc0d89419c967a86d00ad221d5bd8bd9988db467efa3a115cf5bbef6f9", "oci::quay.io/konflux-ci/konflux-vanguard/data-acceptable-bundles:latest@sha256:0b31c7bc77a7463a1bc52f3d3625ef0e0e75443da7fd2de8005d7885282138ea", "oci::quay.io/konflux-ci/integration-service-catalog/data-acceptable-bundles:latest@sha256:7b00455045ea3873a72caeb1e7ac7d036bd53963a26409891a4cc9d0d242b9fc" ], "config": { "include": [ "test" ] } } ], "publicKey": "k8s://chains-e2e-yiyr/cosign-public-key" }, "key": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE3SBFTCIb7qyz2Ja7YWSKpjM+NMr9\nQBHau3RlF/023nlZPxcH0crJ6/oxTzj15jMQ3H/25A4dmPQuBUQ19IzSVA==\n-----END PUBLIC KEY-----\n", "effective-time": "2026-06-29T18:35:34.339765929Z" } Success: false Result: FAILURE Violations: 1, Warnings: 0, Successes: 5 Component: ImageRef: quay.io/redhat-appstudio-qe/test-images@sha256:58ea0b03fc65ddfde8d16f937b103ae26206e13c81b08eb940886646160afda2 Results: ✕ [Violation] test.test_data_found ImageRef: quay.io/redhat-appstudio-qe/test-images@sha256:58ea0b03fc65ddfde8d16f937b103ae26206e13c81b08eb940886646160afda2 Reason: No test data found Title: Test data found in task results Description: Ensure that at least one of the tasks in the pipeline includes a TEST_OUTPUT task result, which is where Conforma expects to find test result data. To exclude this rule add "test.test_data_found" to the `exclude` section of the policy configuration. Solution: Confirm at least one task in the build pipeline contains a result named TEST_OUTPUT. For more information about policy issues, see the policy documentation: https://conforma.dev/docs/policy/ { "timestamp": "1782758143", "namespace": "", "successes": 5, "failures": 1, "warnings": 0, "result": "FAILURE" } false Version v0.9.25 Source ID b345847182602d9a5ce9e957fa76fe02575c8018 Change date 2026-04-27 12:52:43 +0000 UTC (9 weeks ago) ECC v0.1.7 OPA v1.15.2 Conftest v0.68.2 Cosign v3.0.4 Sigstore v1.10.4 Rekor v1.5.0 Tekton Pipeline v1.9.2 Kubernetes Client v0.35.0 2026-06-29T18:35:59.398567Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-yiyr_verify-enterprise-contract-8be2d78de1c76e8753fff8cbfe2d5196-pod_baa6d2c0-5c9e-456b-85a8-22ec213895e1/prepare/0.log 2026-06-29T18:35:59.918094Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-yiyr_verify-enterprise-contract-8be2d78de1c76e8753fff8cbfe2d5196-pod_baa6d2c0-5c9e-456b-85a8-22ec213895e1/place-scripts/0.log 2026-06-29T18:36:00.950050Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-yiyr_verify-enterprise-contract-8be2d78de1c76e8753fff8cbfe2d5196-pod_baa6d2c0-5c9e-456b-85a8-22ec213895e1/step-initialize-tuf/0.log 2026-06-29T18:36:00.950083Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-yiyr_verify-enterprise-contract-8be2d78de1c76e8753fff8cbfe2d5196-pod_baa6d2c0-5c9e-456b-85a8-22ec213895e1/step-reduce/0.log 2026-06-29T18:36:00.950091Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-yiyr_verify-enterprise-contract-8be2d78de1c76e8753fff8cbfe2d5196-pod_baa6d2c0-5c9e-456b-85a8-22ec213895e1/step-report-json/0.log 2026-06-29T18:36:00.950107Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-yiyr_verify-enterprise-contract-8be2d78de1c76e8753fff8cbfe2d5196-pod_baa6d2c0-5c9e-456b-85a8-22ec213895e1/step-show-config/0.log 2026-06-29T18:36:00.950114Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-yiyr_verify-enterprise-contract-8be2d78de1c76e8753fff8cbfe2d5196-pod_baa6d2c0-5c9e-456b-85a8-22ec213895e1/step-summary/0.log 2026-06-29T18:36:00.950120Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-yiyr_verify-enterprise-contract-8be2d78de1c76e8753fff8cbfe2d5196-pod_baa6d2c0-5c9e-456b-85a8-22ec213895e1/step-validate/0.log 2026-06-29T18:36:00.950126Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-yiyr_verify-enterprise-contract-8be2d78de1c76e8753fff8cbfe2d5196-pod_baa6d2c0-5c9e-456b-85a8-22ec213895e1/step-version/0.log 2026-06-29T18:36:01.975342Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-yiyr_verify-enterprise-contract-8be2d78de1c76e8753fff8cbfe2d5196-pod_baa6d2c0-5c9e-456b-85a8-22ec213895e1/step-assert/0.log 2026-06-29T18:36:01.975371Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-yiyr_verify-enterprise-contract-8be2d78de1c76e8753fff8cbfe2d5196-pod_baa6d2c0-5c9e-456b-85a8-22ec213895e1/step-detailed-report/0.log 2026/06/29 18:35:59 Decoded script /tekton/scripts/script-2-mkwbk 2026/06/29 18:35:58 Entrypoint initialization 2026-06-29T18:36:04.024740Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-yiyr_verify-enterprise-contract-8be2d78de1c76e8753fff8cbfe2d5196-pod_baa6d2c0-5c9e-456b-85a8-22ec213895e1/step-initialize-tuf/0.log 2026-06-29T18:36:04.024778Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-yiyr_verify-enterprise-contract-8be2d78de1c76e8753fff8cbfe2d5196-pod_baa6d2c0-5c9e-456b-85a8-22ec213895e1/step-reduce/0.log 2026/06/29 18:36:03 INFO Step was skipped due to when expressions were evaluated to false. Single Component mode? false { "application": "", "componentGroup": "", "components": [ { "name": "", "version": "", "containerImage": "quay.io/konflux-ci/ec-golden-image:latest", "source": {} } ], "artifacts": {} } 2026-06-29T18:36:14.284960Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-yiyr_verify-enterprise-contract-8be2d78de1c76e8753fff8cbfe2d5196-pod_baa6d2c0-5c9e-456b-85a8-22ec213895e1/step-assert/0.log 2026-06-29T18:36:14.285000Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-yiyr_verify-enterprise-contract-8be2d78de1c76e8753fff8cbfe2d5196-pod_baa6d2c0-5c9e-456b-85a8-22ec213895e1/step-detailed-report/0.log 2026-06-29T18:36:14.285038Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-yiyr_verify-enterprise-contract-8be2d78de1c76e8753fff8cbfe2d5196-pod_baa6d2c0-5c9e-456b-85a8-22ec213895e1/step-report-json/0.log 2026-06-29T18:36:14.285051Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-yiyr_verify-enterprise-contract-8be2d78de1c76e8753fff8cbfe2d5196-pod_baa6d2c0-5c9e-456b-85a8-22ec213895e1/step-show-config/0.log 2026-06-29T18:36:14.285063Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-yiyr_verify-enterprise-contract-8be2d78de1c76e8753fff8cbfe2d5196-pod_baa6d2c0-5c9e-456b-85a8-22ec213895e1/step-summary/0.log 2026-06-29T18:36:14.285078Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-yiyr_verify-enterprise-contract-8be2d78de1c76e8753fff8cbfe2d5196-pod_baa6d2c0-5c9e-456b-85a8-22ec213895e1/step-version/0.log false Version v0.9.25 Source ID b345847182602d9a5ce9e957fa76fe02575c8018 Change date 2026-04-27 12:52:43 +0000 UTC (9 weeks ago) ECC v0.1.7 OPA v1.15.2 Conftest v0.68.2 Cosign v3.0.4 Sigstore v1.10.4 Rekor v1.5.0 Tekton Pipeline v1.9.2 Kubernetes Client v0.35.0 {"success": false,"components": [{"name": "","containerImage": "quay.io/redhat-appstudio-qe/test-images@sha256:58ea0b03fc65ddfde8d16f937b103ae26206e13c81b08eb940886646160afda2","source": {},"violations": [{"msg": "No test data found","metadata": {"code": "test.test_data_found","collections": ["redhat"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Ensure that at least one of the tasks in the pipeline includes a TEST_OUTPUT task result, which is where Conforma expects to find test result data. To exclude this rule add \"test.test_data_found\" to the `exclude` section of the policy configuration.","solution": "Confirm at least one task in the build pipeline contains a result named TEST_OUTPUT.","title": "Test data found in task results"}}],"successes": [{"msg": "Pass","metadata": {"code": "builtin.attestation.signature_check","description": "The attestation signature matches available signing materials.","title": "Attestation signature check passed"}},{"msg": "Pass","metadata": {"code": "builtin.attestation.syntax_check","description": "The attestation has correct syntax.","title": "Attestation syntax check passed"}},{"msg": "Pass","metadata": {"code": "builtin.image.signature_check","description": "The image signature matches available signing materials.","title": "Image signature check passed"}},{"msg": "Pass","metadata": {"code": "test.rule_data_provided","collections": ["redhat","policy_data"],"description": "Confirm the expected rule data keys have been provided in the expected format. The keys are `supported_tests_results`, `failed_tests_results`, `informative_tests`, `erred_tests_results`, `skipped_tests_results`, and `warned_tests_results`.","title": "Rule data provided"}},{"msg": "Pass","metadata": {"code": "test.test_all_images","collections": ["redhat"],"description": "Ensure that task producing the IMAGES_PROCESSED result contains the digests of the built image.","effective_on": "2024-05-29T00:00:00Z","title": "Image digest is present in IMAGES_PROCESSED result"}}],"success": false,"signatures": [{"keyid": "","sig": "MEQCIGQziCycBFdqklyTkYBCqSrCTntlbiBb+zFEv/+HWI0sAiAHgh9dU8Uw8hSAd1XF6XaOA2CqkyDBM7YTPE+g1JAHPg=="},{"keyid": "","sig": "MEQCIGldtXFIwmQ+tXbb+fq1KPzmy8XuyfTpn+VUd8oRBql2AiA7S8PaYkM5T39zCz61NFREz6wPQpW8tkJRxq65nhnSOA=="},{"keyid": "","sig": "MEUCIFf+6mCW1aOG8cxJi0ETyeTS/IJ3dwBo/qKzcGRH6hAGAiEAt+/HoOm0Z8aXeXiG/+tokuPhbJi59aoz3zNaf83B8vA="}],"attestations": [{"type": "https://in-toto.io/Statement/v0.1","predicateType": "https://slsa.dev/provenance/v0.2","predicateBuildType": "tekton.dev/v1/PipelineRun","signatures": [{"keyid": "SHA256:fbrj+MzVVarGoY4LIeBWxrpgTKi8UUfwBCCm+Fs5apM","sig": "MEQCIA0DFIEsgdUKPcyZcpYKyUCiuU5HuKed0dZsjuNAM5rDAiArgNZj2mnw0GNda231yYuw2Oo/DB2WpJRLoV6g6B4JuQ=="}]}]}],"key": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE3SBFTCIb7qyz2Ja7YWSKpjM+NMr9\nQBHau3RlF/023nlZPxcH0crJ6/oxTzj15jMQ3H/25A4dmPQuBUQ19IzSVA==\n-----END PUBLIC KEY-----\n","policy": {"name": "Default","description": "Includes rules for levels 1, 2 & 3 of SLSA v0.1. This is the default config used for new Konflux applications. Source: https://github.com/conforma/config/blob/main/default/policy.yaml","sources": [{"name": "Default","policy": ["oci::quay.io/enterprise-contract/ec-release-policy:konflux@sha256:614408c473895bc7263173ccadcbf782e0c3c7c0a8c10851e6b0c94b5ea448c1"],"data": ["git::github.com/release-engineering/rhtap-ec-policy//data?ref=e7ebca9822d7378140b7207c7bc7062fa883dd5f","oci::quay.io/konflux-ci/tekton-catalog/data-acceptable-bundles:latest@sha256:6a9e3fcc0d89419c967a86d00ad221d5bd8bd9988db467efa3a115cf5bbef6f9","oci::quay.io/konflux-ci/konflux-vanguard/data-acceptable-bundles:latest@sha256:0b31c7bc77a7463a1bc52f3d3625ef0e0e75443da7fd2de8005d7885282138ea","oci::quay.io/konflux-ci/integration-service-catalog/data-acceptable-bundles:latest@sha256:7b00455045ea3873a72caeb1e7ac7d036bd53963a26409891a4cc9d0d242b9fc"],"config": {"include": ["test"]}}],"publicKey": "k8s://chains-e2e-yiyr/cosign-public-key"},"ec-version": "v0.9.25","effective-time": "2026-06-29T18:35:34.339765929Z"} { "timestamp": "1782758172", "namespace": "", "successes": 0, "failures": 6, "warnings": 0, "result": "FAILURE" } Success: false Result: FAILURE Violations: 6, Warnings: 0, Successes: 0 Components: - Name: -sha256:bd819da15920ef731002630e2b2d49e03b3209ee5edae6c74f2094bb9825b7cf-arm64 ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:bd819da15920ef731002630e2b2d49e03b3209ee5edae6c74f2094bb9825b7cf Violations: 2, Warnings: 0, Successes: 0 - Name: -sha256:4b8339806ff0774bdfc73676c57c6985fd311d8c8d0ea3062d13c00136f19414-amd64 ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:4b8339806ff0774bdfc73676c57c6985fd311d8c8d0ea3062d13c00136f19414 Violations: 2, Warnings: 0, Successes: 0 - Name: ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:0e61e9c81f2e5f05c82aa07135835be5c14e5d4fb7e49734cc581c3856875c8d Violations: 2, Warnings: 0, Successes: 0 Results: ✕ [Violation] builtin.attestation.signature_check ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:bd819da15920ef731002630e2b2d49e03b3209ee5edae6c74f2094bb9825b7cf Reason: No image attestations found matching the given public key. Verify the correct public key was provided, and one or more attestations were created. Error: no matching attestations: accepted signatures do not match threshold, Found: 0, Expected 1 Title: Attestation signature check passed Description: The attestation signature matches available signing materials. ✕ [Violation] builtin.image.signature_check ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:bd819da15920ef731002630e2b2d49e03b3209ee5edae6c74f2094bb9825b7cf Reason: No image signatures found matching the given public key. Verify the correct public key was provided, and a signature was created. Error: no matching signatures: invalid signature when validating ASN.1 encoded signature invalid signature when validating ASN.1 encoded signature Title: Image signature check passed Description: The image signature matches available signing materials. ✕ [Violation] builtin.attestation.signature_check ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:4b8339806ff0774bdfc73676c57c6985fd311d8c8d0ea3062d13c00136f19414 Reason: No image attestations found matching the given public key. Verify the correct public key was provided, and one or more attestations were created. Error: no matching attestations: accepted signatures do not match threshold, Found: 0, Expected 1 Title: Attestation signature check passed Description: The attestation signature matches available signing materials. ✕ [Violation] builtin.image.signature_check ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:4b8339806ff0774bdfc73676c57c6985fd311d8c8d0ea3062d13c00136f19414 Reason: No image signatures found matching the given public key. Verify the correct public key was provided, and a signature was created. Error: no matching signatures: invalid signature when validating ASN.1 encoded signature invalid signature when validating ASN.1 encoded signature Title: Image signature check passed Description: The image signature matches available signing materials. ✕ [Violation] builtin.attestation.signature_check ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:0e61e9c81f2e5f05c82aa07135835be5c14e5d4fb7e49734cc581c3856875c8d Reason: No image attestations found matching the given public key. Verify the correct public key was provided, and one or more attestations were created. Error: no matching attestations: accepted signatures do not match threshold, Found: 0, Expected 1 Title: Attestation signature check passed Description: The attestation signature matches available signing materials. ✕ [Violation] builtin.image.signature_check ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:0e61e9c81f2e5f05c82aa07135835be5c14e5d4fb7e49734cc581c3856875c8d Reason: No image signatures found matching the given public key. Verify the correct public key was provided, and a signature was created. Error: no matching signatures: invalid signature when validating ASN.1 encoded signature Title: Image signature check passed Description: The image signature matches available signing materials. For more information about policy issues, see the policy documentation: https://conforma.dev/docs/policy/ { "policy": { "name": "Default", "description": "Includes rules for levels 1, 2 & 3 of SLSA v0.1. This is the default config used for new Konflux applications. Source: https://github.com/conforma/config/blob/main/default/policy.yaml", "sources": [ { "name": "Default", "policy": [ "oci::quay.io/enterprise-contract/ec-release-policy:konflux@sha256:614408c473895bc7263173ccadcbf782e0c3c7c0a8c10851e6b0c94b5ea448c1" ], "data": [ "git::github.com/release-engineering/rhtap-ec-policy//data?ref=e7ebca9822d7378140b7207c7bc7062fa883dd5f", "oci::quay.io/konflux-ci/tekton-catalog/data-acceptable-bundles:latest@sha256:6a9e3fcc0d89419c967a86d00ad221d5bd8bd9988db467efa3a115cf5bbef6f9", "oci::quay.io/konflux-ci/konflux-vanguard/data-acceptable-bundles:latest@sha256:0b31c7bc77a7463a1bc52f3d3625ef0e0e75443da7fd2de8005d7885282138ea", "oci::quay.io/konflux-ci/integration-service-catalog/data-acceptable-bundles:latest@sha256:7b00455045ea3873a72caeb1e7ac7d036bd53963a26409891a4cc9d0d242b9fc" ], "config": { "include": [ "slsa_provenance_available" ] } } ], "publicKey": "k8s://chains-e2e-yiyr/cosign-public-key" }, "key": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE3SBFTCIb7qyz2Ja7YWSKpjM+NMr9\nQBHau3RlF/023nlZPxcH0crJ6/oxTzj15jMQ3H/25A4dmPQuBUQ19IzSVA==\n-----END PUBLIC KEY-----\n", "effective-time": "2026-06-29T18:36:04.253486087Z" } {"success": false,"components": [{"name": "-sha256:bd819da15920ef731002630e2b2d49e03b3209ee5edae6c74f2094bb9825b7cf-arm64","containerImage": "quay.io/konflux-ci/ec-golden-image@sha256:bd819da15920ef731002630e2b2d49e03b3209ee5edae6c74f2094bb9825b7cf","source": {},"violations": [{"msg": "No image attestations found matching the given public key. Verify the correct public key was provided, and one or more attestations were created. Error: no matching attestations: accepted signatures do not match threshold, Found: 0, Expected 1","metadata": {"code": "builtin.attestation.signature_check","description": "The attestation signature matches available signing materials.","title": "Attestation signature check passed"}},{"msg": "No image signatures found matching the given public key. Verify the correct public key was provided, and a signature was created. Error: no matching signatures: invalid signature when validating ASN.1 encoded signature\n invalid signature when validating ASN.1 encoded signature","metadata": {"code": "builtin.image.signature_check","description": "The image signature matches available signing materials.","title": "Image signature check passed"}}],"success": false},{"name": "-sha256:4b8339806ff0774bdfc73676c57c6985fd311d8c8d0ea3062d13c00136f19414-amd64","containerImage": "quay.io/konflux-ci/ec-golden-image@sha256:4b8339806ff0774bdfc73676c57c6985fd311d8c8d0ea3062d13c00136f19414","source": {},"violations": [{"msg": "No image attestations found matching the given public key. Verify the correct public key was provided, and one or more attestations were created. Error: no matching attestations: accepted signatures do not match threshold, Found: 0, Expected 1","metadata": {"code": "builtin.attestation.signature_check","description": "The attestation signature matches available signing materials.","title": "Attestation signature check passed"}},{"msg": "No image signatures found matching the given public key. Verify the correct public key was provided, and a signature was created. Error: no matching signatures: invalid signature when validating ASN.1 encoded signature\n invalid signature when validating ASN.1 encoded signature","metadata": {"code": "builtin.image.signature_check","description": "The image signature matches available signing materials.","title": "Image signature check passed"}}],"success": false},{"name": "","containerImage": "quay.io/konflux-ci/ec-golden-image@sha256:0e61e9c81f2e5f05c82aa07135835be5c14e5d4fb7e49734cc581c3856875c8d","source": {},"violations": [{"msg": "No image attestations found matching the given public key. Verify the correct public key was provided, and one or more attestations were created. Error: no matching attestations: accepted signatures do not match threshold, Found: 0, Expected 1","metadata": {"code": "builtin.attestation.signature_check","description": "The attestation signature matches available signing materials.","title": "Attestation signature check passed"}},{"msg": "No image signatures found matching the given public key. Verify the correct public key was provided, and a signature was created. Error: no matching signatures: invalid signature when validating ASN.1 encoded signature","metadata": {"code": "builtin.image.signature_check","description": "The image signature matches available signing materials.","title": "Image signature check passed"}}],"success": false}],"key": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE3SBFTCIb7qyz2Ja7YWSKpjM+NMr9\nQBHau3RlF/023nlZPxcH0crJ6/oxTzj15jMQ3H/25A4dmPQuBUQ19IzSVA==\n-----END PUBLIC KEY-----\n","policy": {"name": "Default","description": "Includes rules for levels 1, 2 & 3 of SLSA v0.1. This is the default config used for new Konflux applications. Source: https://github.com/conforma/config/blob/main/default/policy.yaml","sources": [{"name": "Default","policy": ["oci::quay.io/enterprise-contract/ec-release-policy:konflux@sha256:614408c473895bc7263173ccadcbf782e0c3c7c0a8c10851e6b0c94b5ea448c1"],"data": ["git::github.com/release-engineering/rhtap-ec-policy//data?ref=e7ebca9822d7378140b7207c7bc7062fa883dd5f","oci::quay.io/konflux-ci/tekton-catalog/data-acceptable-bundles:latest@sha256:6a9e3fcc0d89419c967a86d00ad221d5bd8bd9988db467efa3a115cf5bbef6f9","oci::quay.io/konflux-ci/konflux-vanguard/data-acceptable-bundles:latest@sha256:0b31c7bc77a7463a1bc52f3d3625ef0e0e75443da7fd2de8005d7885282138ea","oci::quay.io/konflux-ci/integration-service-catalog/data-acceptable-bundles:latest@sha256:7b00455045ea3873a72caeb1e7ac7d036bd53963a26409891a4cc9d0d242b9fc"],"config": {"include": ["slsa_provenance_available"]}}],"publicKey": "k8s://chains-e2e-yiyr/cosign-public-key"},"ec-version": "v0.9.25","effective-time": "2026-06-29T18:36:04.253486087Z"} 2026-06-29T18:37:28.083721Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-yiyr_verify-enterprise-contract-6f381e7708b4a3cc023ea0d52bf8ff06-pod_e597ac1d-16e2-4fce-96e1-c0760d1901d5/place-scripts/0.log 2026-06-29T18:37:28.083757Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-yiyr_verify-enterprise-contract-6f381e7708b4a3cc023ea0d52bf8ff06-pod_e597ac1d-16e2-4fce-96e1-c0760d1901d5/prepare/0.log 2026-06-29T18:37:28.083765Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-yiyr_verify-enterprise-contract-6f381e7708b4a3cc023ea0d52bf8ff06-pod_e597ac1d-16e2-4fce-96e1-c0760d1901d5/step-initialize-tuf/0.log 2026-06-29T18:37:28.083772Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-yiyr_verify-enterprise-contract-6f381e7708b4a3cc023ea0d52bf8ff06-pod_e597ac1d-16e2-4fce-96e1-c0760d1901d5/step-reduce/0.log 2026-06-29T18:37:28.083779Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-yiyr_verify-enterprise-contract-6f381e7708b4a3cc023ea0d52bf8ff06-pod_e597ac1d-16e2-4fce-96e1-c0760d1901d5/step-validate/0.log 2026-06-29T18:37:28.605051Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-yiyr_verify-enterprise-contract-6f381e7708b4a3cc023ea0d52bf8ff06-pod_e597ac1d-16e2-4fce-96e1-c0760d1901d5/step-assert/0.log 2026-06-29T18:37:28.605080Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-yiyr_verify-enterprise-contract-6f381e7708b4a3cc023ea0d52bf8ff06-pod_e597ac1d-16e2-4fce-96e1-c0760d1901d5/step-detailed-report/0.log 2026-06-29T18:37:28.605097Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-yiyr_verify-enterprise-contract-6f381e7708b4a3cc023ea0d52bf8ff06-pod_e597ac1d-16e2-4fce-96e1-c0760d1901d5/step-report-json/0.log 2026-06-29T18:37:28.605104Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-yiyr_verify-enterprise-contract-6f381e7708b4a3cc023ea0d52bf8ff06-pod_e597ac1d-16e2-4fce-96e1-c0760d1901d5/step-show-config/0.log 2026-06-29T18:37:28.605111Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-yiyr_verify-enterprise-contract-6f381e7708b4a3cc023ea0d52bf8ff06-pod_e597ac1d-16e2-4fce-96e1-c0760d1901d5/step-summary/0.log 2026-06-29T18:37:28.605136Z WARN source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Currently ignoring file too small to fingerprint. file=/var/log/pods/chains-e2e-yiyr_verify-enterprise-contract-6f381e7708b4a3cc023ea0d52bf8ff06-pod_e597ac1d-16e2-4fce-96e1-c0760d1901d5/step-version/0.log 2026/06/29 18:37:26 Decoded script /tekton/scripts/script-2-r4szg 2026/06/29 18:37:26 Entrypoint initialization 2026-06-29T18:37:32.193923Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-yiyr_verify-enterprise-contract-6f381e7708b4a3cc023ea0d52bf8ff06-pod_e597ac1d-16e2-4fce-96e1-c0760d1901d5/step-initialize-tuf/0.log 2026-06-29T18:37:32.193975Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-yiyr_verify-enterprise-contract-6f381e7708b4a3cc023ea0d52bf8ff06-pod_e597ac1d-16e2-4fce-96e1-c0760d1901d5/step-reduce/0.log 2026/06/29 18:37:30 INFO Step was skipped due to when expressions were evaluated to false. Single Component mode? false { "application": "", "componentGroup": "", "components": [ { "name": "", "version": "", "containerImage": "quay.io/konflux-ci/ec-golden-image:e2e-test-unacceptable-task", "source": {} } ], "artifacts": {} } 2026-06-29T18:37:44.501725Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-yiyr_verify-enterprise-contract-6f381e7708b4a3cc023ea0d52bf8ff06-pod_e597ac1d-16e2-4fce-96e1-c0760d1901d5/step-assert/0.log 2026-06-29T18:37:44.501768Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-yiyr_verify-enterprise-contract-6f381e7708b4a3cc023ea0d52bf8ff06-pod_e597ac1d-16e2-4fce-96e1-c0760d1901d5/step-detailed-report/0.log 2026-06-29T18:37:44.501806Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-yiyr_verify-enterprise-contract-6f381e7708b4a3cc023ea0d52bf8ff06-pod_e597ac1d-16e2-4fce-96e1-c0760d1901d5/step-report-json/0.log 2026-06-29T18:37:44.501821Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-yiyr_verify-enterprise-contract-6f381e7708b4a3cc023ea0d52bf8ff06-pod_e597ac1d-16e2-4fce-96e1-c0760d1901d5/step-show-config/0.log 2026-06-29T18:37:44.501835Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-yiyr_verify-enterprise-contract-6f381e7708b4a3cc023ea0d52bf8ff06-pod_e597ac1d-16e2-4fce-96e1-c0760d1901d5/step-summary/0.log 2026-06-29T18:37:44.501851Z INFO source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Found new file to watch. file=/var/log/pods/chains-e2e-yiyr_verify-enterprise-contract-6f381e7708b4a3cc023ea0d52bf8ff06-pod_e597ac1d-16e2-4fce-96e1-c0760d1901d5/step-version/0.log false Success: false Result: FAILURE Violations: 11, Warnings: 0, Successes: 3 Component: ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:304040ca1911aa4d911bd7c6d6d07193c57dc49dbc43e63828b42ab204fb1b25 Results: ✕ [Violation] trusted_task.trusted ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:304040ca1911aa4d911bd7c6d6d07193c57dc49dbc43e63828b42ab204fb1b25 Reason: PipelineTask "build-container" uses an untrusted task reference: oci://quay.io/redhat-appstudio-tekton-catalog/task-buildah:0.1@sha256:c3712257615d206ef40013bf1c5c681670fc8f7fd6aac9fa4c86f7afeff627ef. Please upgrade the task version to: sha256:73628c0497b9d1fb068dffb997cf7bea57ed6dfa04e892abf1d6fc7f6828050a Term: buildah Title: Tasks are trusted Description: Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add "trusted_task.trusted:buildah" to the `exclude` section of the policy configuration. Solution: If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available. ✕ [Violation] trusted_task.trusted ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:304040ca1911aa4d911bd7c6d6d07193c57dc49dbc43e63828b42ab204fb1b25 Reason: PipelineTask "clair-scan" uses an untrusted task reference: oci://quay.io/redhat-appstudio-tekton-catalog/task-clair-scan:0.1@sha256:fba8170329ab00b864ee7d16e0358df4c4386880e10894fd7bbbb1457112477b. Please upgrade the task version to: sha256:d3af2290595378de7f8bc73b54aa7a5fac793090e2cef4f1822d31e18a64761f Term: clair-scan Title: Tasks are trusted Description: Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add "trusted_task.trusted:clair-scan" to the `exclude` section of the policy configuration. Solution: If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available. ✕ [Violation] trusted_task.trusted ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:304040ca1911aa4d911bd7c6d6d07193c57dc49dbc43e63828b42ab204fb1b25 Reason: PipelineTask "clamav-scan" uses an untrusted task reference: oci://quay.io/redhat-appstudio-tekton-catalog/task-clamav-scan:0.1@sha256:28b425322aa84f988c6c4f8d503787b3fb301668b2ad6728846b8f8c45ba012b. Please upgrade the task version to: sha256:1b186d53eeab12f0ae1b7aa333e9cf2b2c9dcc9751f5e940ca935a168bba5a7d Term: clamav-scan Title: Tasks are trusted Description: Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add "trusted_task.trusted:clamav-scan" to the `exclude` section of the policy configuration. Solution: If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available. ✕ [Violation] trusted_task.trusted ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:304040ca1911aa4d911bd7c6d6d07193c57dc49dbc43e63828b42ab204fb1b25 Reason: PipelineTask "deprecated-base-image-check" uses an untrusted task reference: oci://quay.io/redhat-appstudio-tekton-catalog/task-deprecated-image-check:0.1@sha256:28d724dd6f6c365b2a839d9e52baac91559fd78c160774769c1ec724301f78d4. Please upgrade the task version to: sha256:409efc4464663225f96518776b3811c31ea4e988a18493a3114eedf01e0a0a17 Term: deprecated-image-check Title: Tasks are trusted Description: Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add "trusted_task.trusted:deprecated-image-check" to the `exclude` section of the policy configuration. Solution: If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available. ✕ [Violation] trusted_task.trusted ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:304040ca1911aa4d911bd7c6d6d07193c57dc49dbc43e63828b42ab204fb1b25 Reason: PipelineTask "clone-repository" uses an untrusted task reference: oci://quay.io/redhat-appstudio-tekton-catalog/task-git-clone:0.1@sha256:f4e37778cba00296606ddfbc1c58181330899cafcaa1ee41c75a7cf8bed312f0. Please upgrade the task version to: sha256:39efcb7d049d84feccce65e589996a89b19ab7c9f504015c3792e3daee697da3 Term: git-clone Title: Tasks are trusted Description: Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add "trusted_task.trusted:git-clone" to the `exclude` section of the policy configuration. Solution: If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available. ✕ [Violation] trusted_task.trusted ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:304040ca1911aa4d911bd7c6d6d07193c57dc49dbc43e63828b42ab204fb1b25 Reason: PipelineTask "init" uses an untrusted task reference: oci://quay.io/redhat-appstudio-tekton-catalog/task-init:0.1@sha256:5ce77110e2a49407a69a7922042dc0859f7e8f5f75dc0cd0bcc2d17860469bdb. Please upgrade the task version to: sha256:60e0a74b7f4b1166cb62672d6b6f262b4284b20ade9157a387b4a52283ccada8 Term: init Title: Tasks are trusted Description: Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add "trusted_task.trusted:init" to the `exclude` section of the policy configuration. Solution: If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available. ✕ [Violation] trusted_task.trusted ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:304040ca1911aa4d911bd7c6d6d07193c57dc49dbc43e63828b42ab204fb1b25 Reason: PipelineTask "sanity-inspect-image" uses an untrusted task reference: oci://quay.io/redhat-appstudio-tekton-catalog/task-sanity-inspect-image:0.1@sha256:fd4efd9d12eea3a8d47532c4226e685618845d0ba95abb98e008020243d96301. Please upgrade the task version to: sha256:b9ad0ed56be21c9e3c8e2e636275f92d887e57681c718cd36f117eb6fa547824 Term: sanity-inspect-image Title: Tasks are trusted Description: Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add "trusted_task.trusted:sanity-inspect-image" to the `exclude` section of the policy configuration. Solution: If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available. ✕ [Violation] trusted_task.trusted ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:304040ca1911aa4d911bd7c6d6d07193c57dc49dbc43e63828b42ab204fb1b25 Reason: PipelineTask "sanity-label-check" uses an untrusted task reference: oci://quay.io/redhat-appstudio-tekton-catalog/task-sanity-label-check:0.1@sha256:534770bf7a7c10277ab5f9c1e7b766abbffb343cc864dd9545aecc5278257dc3. Please upgrade the task version to: sha256:dd49667be76c81264a7fb28e3b43f72c527507e5691720c6262575255cb60689 Term: sanity-label-check Title: Tasks are trusted Description: Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add "trusted_task.trusted:sanity-label-check" to the `exclude` section of the policy configuration. Solution: If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available. ✕ [Violation] trusted_task.trusted ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:304040ca1911aa4d911bd7c6d6d07193c57dc49dbc43e63828b42ab204fb1b25 Reason: PipelineTask "sanity-optional-label-check" uses an untrusted task reference: oci://quay.io/redhat-appstudio-tekton-catalog/task-sanity-label-check:0.1@sha256:534770bf7a7c10277ab5f9c1e7b766abbffb343cc864dd9545aecc5278257dc3. Please upgrade the task version to: sha256:dd49667be76c81264a7fb28e3b43f72c527507e5691720c6262575255cb60689 Term: sanity-label-check Title: Tasks are trusted Description: Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add "trusted_task.trusted:sanity-label-check" to the `exclude` section of the policy configuration. Solution: If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available. ✕ [Violation] trusted_task.trusted ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:304040ca1911aa4d911bd7c6d6d07193c57dc49dbc43e63828b42ab204fb1b25 Reason: PipelineTask "sbom-json-check" uses an untrusted task reference: oci://quay.io/redhat-appstudio-tekton-catalog/task-sbom-json-check:0.1@sha256:ce6a0932da9b41080108284d1366fc2de8374fca5137500138e16ad9e04610c6. Please upgrade the task version to: sha256:32a7b681f947179b4df11f2e9f05f27478001247e519fa0b1a211cbf9562a205 Term: sbom-json-check Title: Tasks are trusted Description: Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add "trusted_task.trusted:sbom-json-check" to the `exclude` section of the policy configuration. Solution: If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available. ✕ [Violation] trusted_task.trusted ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:304040ca1911aa4d911bd7c6d6d07193c57dc49dbc43e63828b42ab204fb1b25 Reason: PipelineTask "show-summary" uses an untrusted task reference: oci://quay.io/redhat-appstudio-tekton-catalog/task-summary:0.1@sha256:c0f66b28c338426774e34a8d4a00349fbab798b19df5841a95727148d5ef3c65. Please upgrade the task version to: sha256:4d7a2201ce4cb6dca8a48f4d9d4e02d5d3b57ef8eb99009675f1a34f2923ae49 Term: summary Title: Tasks are trusted Description: Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add "trusted_task.trusted:summary" to the `exclude` section of the policy configuration. Solution: If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available. For more information about policy issues, see the policy documentation: https://conforma.dev/docs/policy/ { "policy": { "name": "Default", "description": "Includes rules for levels 1, 2 & 3 of SLSA v0.1. This is the default config used for new Konflux applications. Source: https://github.com/conforma/config/blob/main/default/policy.yaml", "sources": [ { "name": "Default", "policy": [ "oci::quay.io/enterprise-contract/ec-release-policy:konflux@sha256:614408c473895bc7263173ccadcbf782e0c3c7c0a8c10851e6b0c94b5ea448c1" ], "data": [ "git::github.com/release-engineering/rhtap-ec-policy//data?ref=e7ebca9822d7378140b7207c7bc7062fa883dd5f", "oci::quay.io/konflux-ci/tekton-catalog/data-acceptable-bundles:latest@sha256:6a9e3fcc0d89419c967a86d00ad221d5bd8bd9988db467efa3a115cf5bbef6f9", "oci::quay.io/konflux-ci/konflux-vanguard/data-acceptable-bundles:latest@sha256:0b31c7bc77a7463a1bc52f3d3625ef0e0e75443da7fd2de8005d7885282138ea", "oci::quay.io/konflux-ci/integration-service-catalog/data-acceptable-bundles:latest@sha256:7b00455045ea3873a72caeb1e7ac7d036bd53963a26409891a4cc9d0d242b9fc" ], "config": { "include": [ "trusted_task.trusted" ] } } ], "publicKey": "k8s://chains-e2e-yiyr/golden-image-public-keyneuskeaawf" }, "key": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEZP/0htjhVt2y0ohjgtIIgICOtQtA\nnaYJRuLprwIv6FDhZ5yFjYUEtsmoNcW7rx2KM6FOXGsCX3BNc7qhHELT+g==\n-----END PUBLIC KEY-----\n", "effective-time": "2026-06-29T18:37:31.332924342Z" } {"success": false,"components": [{"name": "","containerImage": "quay.io/konflux-ci/ec-golden-image@sha256:304040ca1911aa4d911bd7c6d6d07193c57dc49dbc43e63828b42ab204fb1b25","source": {},"violations": [{"msg": "PipelineTask \"build-container\" uses an untrusted task reference: oci://quay.io/redhat-appstudio-tekton-catalog/task-buildah:0.1@sha256:c3712257615d206ef40013bf1c5c681670fc8f7fd6aac9fa4c86f7afeff627ef. Please upgrade the task version to: sha256:73628c0497b9d1fb068dffb997cf7bea57ed6dfa04e892abf1d6fc7f6828050a","metadata": {"code": "trusted_task.trusted","collections": ["redhat"],"description": "Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add \"trusted_task.trusted:buildah\" to the `exclude` section of the policy configuration.","solution": "If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available.","term": "buildah","title": "Tasks are trusted"}},{"msg": "PipelineTask \"clair-scan\" uses an untrusted task reference: oci://quay.io/redhat-appstudio-tekton-catalog/task-clair-scan:0.1@sha256:fba8170329ab00b864ee7d16e0358df4c4386880e10894fd7bbbb1457112477b. Please upgrade the task version to: sha256:d3af2290595378de7f8bc73b54aa7a5fac793090e2cef4f1822d31e18a64761f","metadata": {"code": "trusted_task.trusted","collections": ["redhat"],"description": "Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add \"trusted_task.trusted:clair-scan\" to the `exclude` section of the policy configuration.","solution": "If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available.","term": "clair-scan","title": "Tasks are trusted"}},{"msg": "PipelineTask \"clamav-scan\" uses an untrusted task reference: oci://quay.io/redhat-appstudio-tekton-catalog/task-clamav-scan:0.1@sha256:28b425322aa84f988c6c4f8d503787b3fb301668b2ad6728846b8f8c45ba012b. Please upgrade the task version to: sha256:1b186d53eeab12f0ae1b7aa333e9cf2b2c9dcc9751f5e940ca935a168bba5a7d","metadata": {"code": "trusted_task.trusted","collections": ["redhat"],"description": "Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add \"trusted_task.trusted:clamav-scan\" to the `exclude` section of the policy configuration.","solution": "If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available.","term": "clamav-scan","title": "Tasks are trusted"}},{"msg": "PipelineTask \"deprecated-base-image-check\" uses an untrusted task reference: oci://quay.io/redhat-appstudio-tekton-catalog/task-deprecated-image-check:0.1@sha256:28d724dd6f6c365b2a839d9e52baac91559fd78c160774769c1ec724301f78d4. Please upgrade the task version to: sha256:409efc4464663225f96518776b3811c31ea4e988a18493a3114eedf01e0a0a17","metadata": {"code": "trusted_task.trusted","collections": ["redhat"],"description": "Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add \"trusted_task.trusted:deprecated-image-check\" to the `exclude` section of the policy configuration.","solution": "If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available.","term": "deprecated-image-check","title": "Tasks are trusted"}},{"msg": "PipelineTask \"clone-repository\" uses an untrusted task reference: oci://quay.io/redhat-appstudio-tekton-catalog/task-git-clone:0.1@sha256:f4e37778cba00296606ddfbc1c58181330899cafcaa1ee41c75a7cf8bed312f0. Please upgrade the task version to: sha256:39efcb7d049d84feccce65e589996a89b19ab7c9f504015c3792e3daee697da3","metadata": {"code": "trusted_task.trusted","collections": ["redhat"],"description": "Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add \"trusted_task.trusted:git-clone\" to the `exclude` section of the policy configuration.","solution": "If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available.","term": "git-clone","title": "Tasks are trusted"}},{"msg": "PipelineTask \"init\" uses an untrusted task reference: oci://quay.io/redhat-appstudio-tekton-catalog/task-init:0.1@sha256:5ce77110e2a49407a69a7922042dc0859f7e8f5f75dc0cd0bcc2d17860469bdb. Please upgrade the task version to: sha256:60e0a74b7f4b1166cb62672d6b6f262b4284b20ade9157a387b4a52283ccada8","metadata": {"code": "trusted_task.trusted","collections": ["redhat"],"description": "Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add \"trusted_task.trusted:init\" to the `exclude` section of the policy configuration.", "solution": "If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available.","term": "init","title": "Tasks are trusted"}},{"msg": "PipelineTask \"sanity-inspect-image\" uses an untrusted task reference: oci://quay.io/redhat-appstudio-tekton-catalog/task-sanity-inspect-image:0.1@sha256:fd4efd9d12eea3a8d47532c4226e685618845d0ba95abb98e008020243d96301. Please upgrade the task version to: sha256:b9ad0ed56be21c9e3c8e2e636275f92d887e57681c718cd36f117eb6fa547824","metadata": {"code": "trusted_task.trusted","collections": ["redhat"],"description": "Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add \"trusted_task.trusted:sanity-inspect-image\" to the `exclude` section of the policy configuration.","solution": "If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available.","term": "sanity-inspect-image","title": "Tasks are trusted"}},{"msg": "PipelineTask \"sanity-label-check\" uses an untrusted task reference: oci://quay.io/redhat-appstudio-tekton-catalog/task-sanity-label-check:0.1@sha256:534770bf7a7c10277ab5f9c1e7b766abbffb343cc864dd9545aecc5278257dc3. Please upgrade the task version to: sha256:dd49667be76c81264a7fb28e3b43f72c527507e5691720c6262575255cb60689","metadata": {"code": "trusted_task.trusted","collections": ["redhat"],"description": "Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add \"trusted_task.trusted:sanity-label-check\" to the `exclude` section of the policy configuration.","solution": "If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available.","term": "sanity-label-check","title": "Tasks are trusted"}},{"msg": "PipelineTask \"sanity-optional-label-check\" uses an untrusted task reference: oci://quay.io/redhat-appstudio-tekton-catalog/task-sanity-label-check:0.1@sha256:534770bf7a7c10277ab5f9c1e7b766abbffb343cc864dd9545aecc5278257dc3. Please upgrade the task version to: sha256:dd49667be76c81264a7fb28e3b43f72c527507e5691720c6262575255cb60689","metadata": {"code": "trusted_task.trusted","collections": ["redhat"],"description": "Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add \"trusted_task.trusted:sanity-label-check\" to the `exclude` section of the policy configuration.","solution": "If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available.","term": "sanity-label-check","title": "Tasks are trusted"}},{"msg": "PipelineTask \"sbom-json-check\" uses an untrusted task reference: oci://quay.io/redhat-appstudio-tekton-catalog/task-sbom-json-check:0.1@sha256:ce6a0932da9b41080108284d1366fc2de8374fca5137500138e16ad9e04610c6. Please upgrade the task version to: sha256:32a7b681f947179b4df11f2e9f05f27478001247e519fa0b1a211cbf9562a205","metadata": {"code": "trusted_task.trusted","collections": ["redhat"],"description": "Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add \"trusted_task.trusted:sbom-json-check\" to the `exclude` section of the policy configuration.","solution": "If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available.","term": "sbom-json-check","title": "Tasks are trusted"}},{"msg": "PipelineTask \"show-summary\" uses an untrusted task reference: oci://quay.io/redhat-appstudio-tekton-catalog/task-summary:0.1@sha256:c0f66b28c338426774e34a8d4a00349fbab798b19df5841a95727148d5ef3c65. Please upgrade the task version to: sha256:4d7a2201ce4cb6dca8a48f4d9d4e02d5d3b57ef8eb99009675f1a34f2923ae49","metadata": {"code": "trusted_task.trusted","collections": ["redhat"],"description": "Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add \"trusted_task.trusted:summary\" to the `exclude` section of the policy configuration.","solution": "If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available.","term": "summary","title": "Tasks are trusted"}}],"successes": [{"msg": "Pass","metadata": {"code": "builtin.attestation.signature_check","description": "The attestation signature matches available signing materials.","title": "Attestation signature check passed"}},{"msg": "Pass","metadata": {"code": "builtin.attestation.syntax_check","description": "The attestation has correct syntax.","title": "Attestation syntax check passed"}},{"msg": "Pass","metadata": {"code": "builtin.image.signature_check","description": "The image signature matches available signing materials.","title": "Image signature check passed"}}],"success": false,"signatures": [{"keyid": "","sig": "MEUCIQD86lmOqCovYZDPKm0XxxsLgDQcFIFAv+QZxrFSHmCvQAIgTd1I005ox8MfABqsAen6PZEyg2MCEQNBCx1NLS3V0JQ="}],"attestations": [{ { "timestamp": "1782758263", "namespace": "", "successes": 3, "failures": 11, "warnings": 0, "result": "FAILURE" } Version v0.9.25 Source ID b345847182602d9a5ce9e957fa76fe02575c8018 Change date 2026-04-27 12:52:43 +0000 UTC (9 weeks ago) ECC v0.1.7 OPA v1.15.2 Conftest v0.68.2 Cosign v3.0.4 Sigstore v1.10.4 Rekor v1.5.0 Tekton Pipeline v1.9.2 Kubernetes Client v0.35.0 "type": "https://in-toto.io/Statement/v0.1","predicateType": "https://slsa.dev/provenance/v0.2","predicateBuildType": "tekton.dev/v1beta1/TaskRun","signatures": [{"keyid": "SHA256:IhiN7gY+Z3uSSd7tmj6w5Zfhqafzdhm3DZjIvGc6iYY","sig": "MEUCIQDcgZIwEkLFqD7U9HrobgEC8Jo7wm+xJ5AoyO3qg+aj8QIgb9xDpjYGRMmpVk+QATeVKlHonzBiu51HtT3J+lQXPXc="}]},{"type": "https://in-toto.io/Statement/v0.1","predicateType": "https://slsa.dev/provenance/v0.2","predicateBuildType": "tekton.dev/v1beta1/PipelineRun","signatures": [{"keyid": "SHA256:IhiN7gY+Z3uSSd7tmj6w5Zfhqafzdhm3DZjIvGc6iYY","sig": "MEYCIQDKSihaAR/zAhJhR5GCqleDvfUUtvRw61vk0YeTBAnOSQIhAKa09B4yEfaSJronmWBFbu5cVPNxm17CMl/PElEz1POa"}]}]}],"key": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEZP/0htjhVt2y0ohjgtIIgICOtQtA\nnaYJRuLprwIv6FDhZ5yFjYUEtsmoNcW7rx2KM6FOXGsCX3BNc7qhHELT+g==\n-----END PUBLIC KEY-----\n","policy": {"name": "Default","description": "Includes rules for levels 1, 2 & 3 of SLSA v0.1. This is the default config used for new Konflux applications. Source: https://github.com/conforma/config/blob/main/default/policy.yaml","sources": [{"name": "Default","policy": ["oci::quay.io/enterprise-contract/ec-release-policy:konflux@sha256:614408c473895bc7263173ccadcbf782e0c3c7c0a8c10851e6b0c94b5ea448c1"],"data": ["git::github.com/release-engineering/rhtap-ec-policy//data?ref=e7ebca9822d7378140b7207c7bc7062fa883dd5f","oci::quay.io/konflux-ci/tekton-catalog/data-acceptable-bundles:latest@sha256:6a9e3fcc0d89419c967a86d00ad221d5bd8bd9988db467efa3a115cf5bbef6f9","oci::quay.io/konflux-ci/konflux-vanguard/data-acceptable-bundles:latest@sha256:0b31c7bc77a7463a1bc52f3d3625ef0e0e75443da7fd2de8005d7885282138ea","oci::quay.io/konflux-ci/integration-service-catalog/data-acceptable-bundles:latest@sha256:7b00455045ea3873a72caeb1e7ac7d036bd53963a26409891a4cc9d0d242b9fc"],"config": {"include": ["trusted_task.trusted"]}}],"publicKey": "k8s://chains-e2e-yiyr/golden-image-public-keyneuskeaawf"},"ec-version": "v0.9.25","effective-time": "2026-06-29T18:37:31.332924342Z"}