running verify-conforma
Step: verify-conforma
Results: /workspace/source/source/results/verify-conforma
Custom root CA variable is not set. Make sure CA trust is established
Running verify-conforma:version
Version v0.7.173+redhat
Source ID a5b9e51f69cb4ab0ef18db5a1d71bc7bd97dba4f
Change date 2026-02-25 13:12:26 +0000 UTC (10 weeks ago)
ECC v0.1.257
OPA v1.6.0
Conftest v0.62.0
Cosign v2.4.1
Sigstore v1.9.1
Rekor v1.3.10
Tekton Pipeline v0.70.0
Kubernetes Client v0.34.3
Running verify-conforma:initialize-tuf
Initializing TUF root...
Root status:
{
  "local": "/root/.sigstore/root",
  "remote": "https://tuf-tssc-tas.apps.rosa.kx-1dd1aeb75e.nsxs.p3.openshiftapps.com",
  "metadata": {
    "root.json": {
      "version": 1,
      "len": 4128,
      "expiration": "08 May 27 19:01 UTC",
      "error": ""
    },
    "snapshot.json": {
      "version": 1,
      "len": 994,
      "expiration": "08 May 27 19:01 UTC",
      "error": ""
    },
    "targets.json": {
      "version": 1,
      "len": 2071,
      "expiration": "08 May 27 19:01 UTC",
      "error": ""
    },
    "timestamp.json": {
      "version": 1,
      "len": 995,
      "expiration": "08 May 27 19:01 UTC",
      "error": ""
    }
  },
  "targets": [
    "trusted_root.json",
    "ctfe.pub",
    "rekor.pub",
    "fulcio_v1.crt.pem"
  ]
}
Done!
Running verify-conforma:login
--- Registry Auth Bypass Active ---
Running verify-conforma:validate
Images to verify:
{
  "components": [
    {
      "containerImage": "quay.io/rhtap_qe/e2e-tests-java-springboot-kcbohpze:10feed0699f2c31a75f754d67e526f091fdc5127"
    }
  ]
}
Policy used: github.com/redhat-appstudio/tssc-dev-multi-ci//samples/conforma/policies/tekton-slsa3-v0.7
Rekor URL: https://rekor-server-tssc-tas.apps.rosa.kx-1dd1aeb75e.nsxs.p3.openshiftapps.com
Success: true
Result: SUCCESS
Violations: 0, Warnings: 0, Successes: 16
Component:
ImageRef: quay.io/rhtap_qe/e2e-tests-java-springboot-kcbohpze@sha256:bc49df90960ce0f5c69ca44a695dc96a3a61a57b414d70ff11ace0723823d566

Results:
✓ [Success] builtin.attestation.signature_check
  ImageRef: quay.io/rhtap_qe/e2e-tests-java-springboot-kcbohpze@sha256:bc49df90960ce0f5c69ca44a695dc96a3a61a57b414d70ff11ace0723823d566
  Title: Attestation signature check passed
  Description: The attestation signature matches available signing materials.

✓ [Success] builtin.attestation.syntax_check
  ImageRef: quay.io/rhtap_qe/e2e-tests-java-springboot-kcbohpze@sha256:bc49df90960ce0f5c69ca44a695dc96a3a61a57b414d70ff11ace0723823d566
  Title: Attestation syntax check passed
  Description: The attestation has correct syntax.

✓ [Success] builtin.image.signature_check
  ImageRef: quay.io/rhtap_qe/e2e-tests-java-springboot-kcbohpze@sha256:bc49df90960ce0f5c69ca44a695dc96a3a61a57b414d70ff11ace0723823d566
  Title: Image signature check passed
  Description: The image signature matches available signing materials.

✓ [Success] slsa_build_build_service.allowed_builder_ids_provided
  ImageRef: quay.io/rhtap_qe/e2e-tests-java-springboot-kcbohpze@sha256:bc49df90960ce0f5c69ca44a695dc96a3a61a57b414d70ff11ace0723823d566
  Title: Allowed builder IDs provided
  Description: Confirm the `allowed_builder_ids` rule data was provided, since it is required by the policy rules in this package.

✓ [Success] slsa_build_build_service.slsa_builder_id_accepted
  ImageRef: quay.io/rhtap_qe/e2e-tests-java-springboot-kcbohpze@sha256:bc49df90960ce0f5c69ca44a695dc96a3a61a57b414d70ff11ace0723823d566
  Title: SLSA Builder ID is known and accepted
  Description: Verify that the attestation attribute predicate.builder.id is set to one of the values in the `allowed_builder_ids` rule data, e.g. "https://tekton.dev/chains/v2".

✓ [Success] slsa_build_build_service.slsa_builder_id_found
  ImageRef: quay.io/rhtap_qe/e2e-tests-java-springboot-kcbohpze@sha256:bc49df90960ce0f5c69ca44a695dc96a3a61a57b414d70ff11ace0723823d566
  Title: SLSA Builder ID found
  Description: Verify that the attestation attribute predicate.builder.id is set.

✓ [Success] slsa_build_scripted_build.build_script_used
  ImageRef: quay.io/rhtap_qe/e2e-tests-java-springboot-kcbohpze@sha256:bc49df90960ce0f5c69ca44a695dc96a3a61a57b414d70ff11ace0723823d566
  Title: Build task contains steps
  Description: Verify that the predicate.buildConfig.tasks.steps attribute for the task responsible for building and pushing the image is not empty.

✓ [Success] slsa_build_scripted_build.build_task_image_results_found
  ImageRef: quay.io/rhtap_qe/e2e-tests-java-springboot-kcbohpze@sha256:bc49df90960ce0f5c69ca44a695dc96a3a61a57b414d70ff11ace0723823d566
  Title: Build task set image digest and url task results
  Description: Confirm that a build task exists and it has the expected IMAGE_DIGEST and IMAGE_URL task results.

✓ [Success] slsa_build_scripted_build.subject_build_task_matches
  ImageRef: quay.io/rhtap_qe/e2e-tests-java-springboot-kcbohpze@sha256:bc49df90960ce0f5c69ca44a695dc96a3a61a57b414d70ff11ace0723823d566
  Title: Provenance subject matches build task image result
  Description: Verify the subject of the attestations matches the IMAGE_DIGEST and IMAGE_URL values from the build task.

✓ [Success] slsa_provenance_available.allowed_predicate_types_provided
  ImageRef: quay.io/rhtap_qe/e2e-tests-java-springboot-kcbohpze@sha256:bc49df90960ce0f5c69ca44a695dc96a3a61a57b414d70ff11ace0723823d566
  Title: Allowed predicate types provided
  Description: Confirm the `allowed_predicate_types` rule data was provided, since it is required by the policy rules in this package.

✓ [Success] slsa_provenance_available.attestation_predicate_type_accepted
  ImageRef: quay.io/rhtap_qe/e2e-tests-java-springboot-kcbohpze@sha256:bc49df90960ce0f5c69ca44a695dc96a3a61a57b414d70ff11ace0723823d566
  Title: Expected attestation predicate type found
  Description: Verify that the predicateType field of the attestation indicates the in-toto SLSA Provenance format was used to attest the PipelineRun.

✓ [Success] slsa_source_version_controlled.materials_format_okay
  ImageRef: quay.io/rhtap_qe/e2e-tests-java-springboot-kcbohpze@sha256:bc49df90960ce0f5c69ca44a695dc96a3a61a57b414d70ff11ace0723823d566
  Title: Materials have uri and digest
  Description: Confirm at least one entry in the predicate.materials array of the attestation contains the expected attributes: uri and digest.sha1.

✓ [Success] slsa_source_version_controlled.materials_include_git_sha
  ImageRef: quay.io/rhtap_qe/e2e-tests-java-springboot-kcbohpze@sha256:bc49df90960ce0f5c69ca44a695dc96a3a61a57b414d70ff11ace0723823d566
  Title: Materials include git commit shas
  Description: Ensure that each entry in the predicate.materials array with a SHA-1 digest includes a valid Git commit SHA.

✓ [Success] slsa_source_version_controlled.materials_uri_is_git_repo
  ImageRef: quay.io/rhtap_qe/e2e-tests-java-springboot-kcbohpze@sha256:bc49df90960ce0f5c69ca44a695dc96a3a61a57b414d70ff11ace0723823d566
  Title: Material uri is a git repo
  Description: Ensure each entry in the predicate.materials array with a SHA-1 digest includes a valid Git URI.

✓ [Success] tasks.pipeline_has_tasks
  ImageRef: quay.io/rhtap_qe/e2e-tests-java-springboot-kcbohpze@sha256:bc49df90960ce0f5c69ca44a695dc96a3a61a57b414d70ff11ace0723823d566
  Title: Pipeline run includes at least one task
  Description: Ensure that at least one Task is present in the PipelineRun attestation.

✓ [Success] tasks.successful_pipeline_tasks
  ImageRef: quay.io/rhtap_qe/e2e-tests-java-springboot-kcbohpze@sha256:bc49df90960ce0f5c69ca44a695dc96a3a61a57b414d70ff11ace0723823d566
  Title: Successful pipeline tasks
  Description: Ensure that all of the Tasks in the Pipeline completed successfully. Note that skipped Tasks are not taken into account and do not influence the outcome.

Running verify-conforma:report
components:
- attestations:
  - predicateBuildType: tekton.dev/v1/TaskRun
    predicateType: https://slsa.dev/provenance/v0.2
    signatures:
    - keyid: SHA256:BWLn3G2e6HJXZZEK47Ja2UPkmtp2+quL7Q4jfeFrY8k
      sig: MEUCIB5g71LMS5L3sTaypMAEvNubaxF3GUn3IEeVmKIhPUSBAiEAipi1H9ed65ofZ01ajfJpzTg7U8rn7HMDO8Kart7jdL0=
    type: https://in-toto.io/Statement/v0.1
  - predicateBuildType: tekton.dev/v1/PipelineRun
    predicateType: https://slsa.dev/provenance/v0.2
    signatures:
    - keyid: SHA256:BWLn3G2e6HJXZZEK47Ja2UPkmtp2+quL7Q4jfeFrY8k
      sig: MEUCIEhj2uTpoHx0yWb1uTkS/X2ZG0TL8yVVQbX51xlMT9EnAiEAreg04d1amNOV0farWS171t/l40+xHOH1KQ3LWQjU8vE=
    type: https://in-toto.io/Statement/v0.1
  containerImage: quay.io/rhtap_qe/e2e-tests-java-springboot-kcbohpze@sha256:bc49df90960ce0f5c69ca44a695dc96a3a61a57b414d70ff11ace0723823d566
  name: ""
  signatures:
  - keyid: ""
    sig: MEQCIAC1YQSOlZMJ/0Yt0gHSSq8xBM5ZA/+OwkgrXJQE4YeUAiBGbYiYbE0LjVT+oCraygnj4gdHbgWbGr0n1KTYfm0jFw==
  source: {}
  success: true
  successes:
  - metadata:
      code: builtin.attestation.signature_check
      description: The attestation signature matches available signing materials.
      title: Attestation signature check passed
    msg: Pass
  - metadata:
      code: builtin.attestation.syntax_check
      description: The attestation has correct syntax.
      title: Attestation syntax check passed
    msg: Pass
  - metadata:
      code: builtin.image.signature_check
      description: The image signature matches available signing materials.
      title: Image signature check passed
    msg: Pass
  - metadata:
      code: slsa_build_build_service.allowed_builder_ids_provided
      collections:
      - slsa3
      - redhat
      - redhat_rpms
      - policy_data
      description: Confirm the `allowed_builder_ids` rule data was provided, since it is required by the policy rules in this package.
      title: Allowed builder IDs provided
    msg: Pass
  - metadata:
      code: slsa_build_build_service.slsa_builder_id_accepted
      collections:
      - slsa3
      - redhat
      - redhat_rpms
      depends_on:
      - attestation_type.known_attestation_type
      description: Verify that the attestation attribute predicate.builder.id is set to one of the values in the `allowed_builder_ids` rule data, e.g. "https://tekton.dev/chains/v2".
      title: SLSA Builder ID is known and accepted
    msg: Pass
  - metadata:
      code: slsa_build_build_service.slsa_builder_id_found
      collections:
      - slsa3
      - redhat
      depends_on:
      - attestation_type.known_attestation_type
      description: Verify that the attestation attribute predicate.builder.id is set.
      title: SLSA Builder ID found
    msg: Pass
  - metadata:
      code: slsa_build_scripted_build.build_script_used
      collections:
      - slsa3
      - redhat
      - redhat_rpms
      depends_on:
      - attestation_type.known_attestation_type
      description: Verify that the predicate.buildConfig.tasks.steps attribute for the task responsible for building and pushing the image is not empty.
      title: Build task contains steps
    msg: Pass
  - metadata:
      code: slsa_build_scripted_build.build_task_image_results_found
      collections:
      - slsa3
      - redhat
      - redhat_rpms
      depends_on:
      - attestation_type.known_attestation_type
      description: Confirm that a build task exists and it has the expected IMAGE_DIGEST and IMAGE_URL task results.
      title: Build task set image digest and url task results
    msg: Pass
  - metadata:
      code: slsa_build_scripted_build.subject_build_task_matches
      collections:
      - slsa3
      - redhat
      - redhat_rpms
      depends_on:
      - attestation_type.known_attestation_type
      description: Verify the subject of the attestations matches the IMAGE_DIGEST and IMAGE_URL values from the build task.
      title: Provenance subject matches build task image result
    msg: Pass
  - metadata:
      code: slsa_provenance_available.allowed_predicate_types_provided
      collections:
      - minimal
      - slsa3
      - redhat
      - redhat_rpms
      - policy_data
      description: Confirm the `allowed_predicate_types` rule data was provided, since it is required by the policy rules in this package.
      title: Allowed predicate types provided
    msg: Pass
  - metadata:
      code: slsa_provenance_available.attestation_predicate_type_accepted
      collections:
      - minimal
      - slsa3
      - redhat
      - redhat_rpms
      depends_on:
      - attestation_type.known_attestation_type
      description: Verify that the predicateType field of the attestation indicates the in-toto SLSA Provenance format was used to attest the PipelineRun.
      title: Expected attestation predicate type found
    msg: Pass
  - metadata:
      code: slsa_source_version_controlled.materials_format_okay
      collections:
      - minimal
      - slsa3
      - redhat
      - redhat_rpms
      depends_on:
      - attestation_type.known_attestation_type
      description: 'Confirm at least one entry in the predicate.materials array of the attestation contains the expected attributes: uri and digest.sha1.'
      title: Materials have uri and digest
    msg: Pass
  - metadata:
      code: slsa_source_version_controlled.materials_include_git_sha
      collections:
      - minimal
      - slsa3
      - redhat
      - redhat_rpms
      depends_on:
      - attestation_type.known_attestation_type
      description: Ensure that each entry in the predicate.materials array with a SHA-1 digest includes a valid Git commit SHA.
      title: Materials include git commit shas
    msg: Pass
  - metadata:
      code: slsa_source_version_controlled.materials_uri_is_git_repo
      collections:
      - minimal
      - slsa3
      - redhat
      - redhat_rpms
      depends_on:
      - attestation_type.known_attestation_type
      description: Ensure each entry in the predicate.materials array with a SHA-1 digest includes a valid Git URI.
      title: Material uri is a git repo
    msg: Pass
  - metadata:
      code: tasks.pipeline_has_tasks
      collections:
      - minimal
      - redhat
      - redhat_rpms
      - slsa3
      depends_on:
      - attestation_type.known_attestation_type
      description: Ensure that at least one Task is present in the PipelineRun attestation.
      title: Pipeline run includes at least one task
    msg: Pass
  - metadata:
      code: tasks.successful_pipeline_tasks
      collections:
      - minimal
      - redhat
      - redhat_rpms
      - slsa3
      depends_on:
      - tasks.pipeline_has_tasks
      description: Ensure that all of the Tasks in the Pipeline completed successfully. Note that skipped Tasks are not taken into account and do not influence the outcome.
      title: Successful pipeline tasks
    msg: Pass
ec-version: v0.7.173+redhat
effective-time: "2026-05-09T19:26:48.284136509Z"
key: |
  -----BEGIN PUBLIC KEY-----
  MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAECUCft0A0Yj1uxdgQdPIjFdpwBn/L
  T1Qqk06/cWss1PvfgJuk13yK0JRtpagqm+vr34+l7K76Q/62oJt/YjVVVA==
  -----END PUBLIC KEY-----
policy:
  description: Includes rules for levels 1, 2 & 3 of SLSA v0.1.
    For use with ec version v0.7
  name: Tekton SLSA3 (v0.7)
  publicKey: /dev/fd/63
  rekorUrl: https://rekor-server-tssc-tas.apps.rosa.kx-1dd1aeb75e.nsxs.p3.openshiftapps.com
  sources:
  - config:
      exclude:
      - slsa_source_correlated
      include:
      - '@slsa3'
    name: Default
    policy:
    - git::github.com/conforma/policy//policy/lib?ref=79e50141d7f5fe604ad53596452067878c3573f9
    - git::github.com/conforma/policy//policy/release?ref=79e50141d7f5fe604ad53596452067878c3573f9
success: true
Running verify-conforma:report-json
Running verify-conforma:summary
{
  "timestamp": "1778354822",
  "namespace": "",
  "successes": 16,
  "failures": 0,
  "warnings": 0,
  "result": "SUCCESS"
}
Running verify-conforma:assert
true