Success: false Result: FAILURE Violations: 11, Warnings: 0, Successes: 3 Component: ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:304040ca1911aa4d911bd7c6d6d07193c57dc49dbc43e63828b42ab204fb1b25 Results: ✕ [Violation] trusted_task.trusted ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:304040ca1911aa4d911bd7c6d6d07193c57dc49dbc43e63828b42ab204fb1b25 Reason: PipelineTask "build-container" uses an untrusted task reference: oci://quay.io/redhat-appstudio-tekton-catalog/task-buildah:0.1@sha256:c3712257615d206ef40013bf1c5c681670fc8f7fd6aac9fa4c86f7afeff627ef. Please upgrade the task version to: sha256:73628c0497b9d1fb068dffb997cf7bea57ed6dfa04e892abf1d6fc7f6828050a Term: buildah Title: Tasks are trusted Description: Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add "trusted_task.trusted:buildah" to the `exclude` section of the policy configuration. Solution: If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available. ✕ [Violation] trusted_task.trusted ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:304040ca1911aa4d911bd7c6d6d07193c57dc49dbc43e63828b42ab204fb1b25 Reason: PipelineTask "clair-scan" uses an untrusted task reference: oci://quay.io/redhat-appstudio-tekton-catalog/task-clair-scan:0.1@sha256:fba8170329ab00b864ee7d16e0358df4c4386880e10894fd7bbbb1457112477b. Please upgrade the task version to: sha256:d3af2290595378de7f8bc73b54aa7a5fac793090e2cef4f1822d31e18a64761f Term: clair-scan Title: Tasks are trusted Description: Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add "trusted_task.trusted:clair-scan" to the `exclude` section of the policy configuration. Solution: If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available. ✕ [Violation] trusted_task.trusted ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:304040ca1911aa4d911bd7c6d6d07193c57dc49dbc43e63828b42ab204fb1b25 Reason: PipelineTask "clamav-scan" uses an untrusted task reference: oci://quay.io/redhat-appstudio-tekton-catalog/task-clamav-scan:0.1@sha256:28b425322aa84f988c6c4f8d503787b3fb301668b2ad6728846b8f8c45ba012b. Please upgrade the task version to: sha256:1b186d53eeab12f0ae1b7aa333e9cf2b2c9dcc9751f5e940ca935a168bba5a7d Term: clamav-scan Title: Tasks are trusted Description: Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add "trusted_task.trusted:clamav-scan" to the `exclude` section of the policy configuration. Solution: If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available. ✕ [Violation] trusted_task.trusted ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:304040ca1911aa4d911bd7c6d6d07193c57dc49dbc43e63828b42ab204fb1b25 Reason: PipelineTask "deprecated-base-image-check" uses an untrusted task reference: oci://quay.io/redhat-appstudio-tekton-catalog/task-deprecated-image-check:0.1@sha256:28d724dd6f6c365b2a839d9e52baac91559fd78c160774769c1ec724301f78d4. Please upgrade the task version to: sha256:409efc4464663225f96518776b3811c31ea4e988a18493a3114eedf01e0a0a17 Term: deprecated-image-check Title: Tasks are trusted Description: Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add "trusted_task.trusted:deprecated-image-check" to the `exclude` section of the policy configuration. Solution: If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available. ✕ [Violation] trusted_task.trusted ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:304040ca1911aa4d911bd7c6d6d07193c57dc49dbc43e63828b42ab204fb1b25 Reason: PipelineTask "clone-repository" uses an untrusted task reference: oci://quay.io/redhat-appstudio-tekton-catalog/task-git-clone:0.1@sha256:f4e37778cba00296606ddfbc1c58181330899cafcaa1ee41c75a7cf8bed312f0. Please upgrade the task version to: sha256:81ce85de261ead6caf2e01101e7a817636ecad8f2b7c026a755f0c25ae3aba3c Term: git-clone Title: Tasks are trusted Description: Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add "trusted_task.trusted:git-clone" to the `exclude` section of the policy configuration. Solution: If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available. ✕ [Violation] trusted_task.trusted ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:304040ca1911aa4d911bd7c6d6d07193c57dc49dbc43e63828b42ab204fb1b25 Reason: PipelineTask "init" uses an untrusted task reference: oci://quay.io/redhat-appstudio-tekton-catalog/task-init:0.1@sha256:5ce77110e2a49407a69a7922042dc0859f7e8f5f75dc0cd0bcc2d17860469bdb. Please upgrade the task version to: sha256:60e0a74b7f4b1166cb62672d6b6f262b4284b20ade9157a387b4a52283ccada8 Term: init Title: Tasks are trusted Description: Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add "trusted_task.trusted:init" to the `exclude` section of the policy configuration. Solution: If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available. ✕ [Violation] trusted_task.trusted ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:304040ca1911aa4d911bd7c6d6d07193c57dc49dbc43e63828b42ab204fb1b25 Reason: PipelineTask "sanity-inspect-image" uses an untrusted task reference: oci://quay.io/redhat-appstudio-tekton-catalog/task-sanity-inspect-image:0.1@sha256:fd4efd9d12eea3a8d47532c4226e685618845d0ba95abb98e008020243d96301. Please upgrade the task version to: sha256:b9ad0ed56be21c9e3c8e2e636275f92d887e57681c718cd36f117eb6fa547824 Term: sanity-inspect-image Title: Tasks are trusted Description: Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add "trusted_task.trusted:sanity-inspect-image" to the `exclude` section of the policy configuration. Solution: If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available. ✕ [Violation] trusted_task.trusted ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:304040ca1911aa4d911bd7c6d6d07193c57dc49dbc43e63828b42ab204fb1b25 Reason: PipelineTask "sanity-label-check" uses an untrusted task reference: oci://quay.io/redhat-appstudio-tekton-catalog/task-sanity-label-check:0.1@sha256:534770bf7a7c10277ab5f9c1e7b766abbffb343cc864dd9545aecc5278257dc3. Please upgrade the task version to: sha256:dd49667be76c81264a7fb28e3b43f72c527507e5691720c6262575255cb60689 Term: sanity-label-check Title: Tasks are trusted Description: Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add "trusted_task.trusted:sanity-label-check" to the `exclude` section of the policy configuration. Solution: If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available. ✕ [Violation] trusted_task.trusted ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:304040ca1911aa4d911bd7c6d6d07193c57dc49dbc43e63828b42ab204fb1b25 Reason: PipelineTask "sanity-optional-label-check" uses an untrusted task reference: oci://quay.io/redhat-appstudio-tekton-catalog/task-sanity-label-check:0.1@sha256:534770bf7a7c10277ab5f9c1e7b766abbffb343cc864dd9545aecc5278257dc3. Please upgrade the task version to: sha256:dd49667be76c81264a7fb28e3b43f72c527507e5691720c6262575255cb60689 Term: sanity-label-check Title: Tasks are trusted Description: Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add "trusted_task.trusted:sanity-label-check" to the `exclude` section of the policy configuration. Solution: If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available. ✕ [Violation] trusted_task.trusted ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:304040ca1911aa4d911bd7c6d6d07193c57dc49dbc43e63828b42ab204fb1b25 Reason: PipelineTask "sbom-json-check" uses an untrusted task reference: oci://quay.io/redhat-appstudio-tekton-catalog/task-sbom-json-check:0.1@sha256:ce6a0932da9b41080108284d1366fc2de8374fca5137500138e16ad9e04610c6. Please upgrade the task version to: sha256:32a7b681f947179b4df11f2e9f05f27478001247e519fa0b1a211cbf9562a205 Term: sbom-json-check Title: Tasks are trusted Description: Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add "trusted_task.trusted:sbom-json-check" to the `exclude` section of the policy configuration. Solution: If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available. ✕ [Violation] trusted_task.trusted ImageRef: quay.io/konflux-ci/ec-golden-image@sha256:304040ca1911aa4d911bd7c6d6d07193c57dc49dbc43e63828b42ab204fb1b25 Reason: PipelineTask "show-summary" uses an untrusted task reference: oci://quay.io/redhat-appstudio-tekton-catalog/task-summary:0.1@sha256:c0f66b28c338426774e34a8d4a00349fbab798b19df5841a95727148d5ef3c65. Please upgrade the task version to: sha256:4d7a2201ce4cb6dca8a48f4d9d4e02d5d3b57ef8eb99009675f1a34f2923ae49 Term: summary Title: Tasks are trusted Description: Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add "trusted_task.trusted:summary" to the `exclude` section of the policy configuration. Solution: If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available.