Success: false
Result: FAILURE
Violations: 3, Warnings: 6, Successes: 124
Component: tsf-demo-comp
ImageRef: quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:fc458c2395c41477ab353297f90093a8ef589e5e0b4fa19c39637f408e6b7953

Results:

✕ [Violation] cve.cve_blockers
  ImageRef: quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:fc458c2395c41477ab353297f90093a8ef589e5e0b4fa19c39637f408e6b7953
  Reason: Found "CVE-2026-4424" vulnerability of high security level
  Term: CVE-2026-4424
  Title: Blocking CVE check
  Description: The SLSA Provenance attestation for the image is inspected to ensure CVEs that have a known fix and meet a certain security level have not been detected. If detected, this policy rule will fail. By default, only CVEs of critical and high security level cause a failure. This is configurable by the rule data key `restrict_cve_security_levels`. The available levels are critical, high, medium, low, and unknown. In addition to that leeway can be granted per severity using the `cve_leeway` rule data key containing days of allowed leeway, measured as time between found vulnerability's public disclosure date and current effective time, per severity level. To exclude this rule add "cve.cve_blockers:CVE-2026-4424" to the `exclude` section of the policy configuration.
  Solution: Make sure to address any CVE's related to the image.

✕ [Violation] tasks.required_untrusted_task_found
  ImageRef: quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:fc458c2395c41477ab353297f90093a8ef589e5e0b4fa19c39637f408e6b7953
  Reason: Required task "rpms-signature-scan" is required and present but not from a trusted task
  Term: rpms-signature-scan
  Title: All required tasks are from trusted tasks
  Description: Ensure that the all required tasks are resolved from trusted tasks. To exclude this rule add "tasks.required_untrusted_task_found:rpms-signature-scan" to the `exclude` section of the policy configuration.
  Solution: Make sure all required tasks in the build pipeline are resolved from trusted tasks.

✕ [Violation] trusted_task.trusted
  ImageRef: quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:fc458c2395c41477ab353297f90093a8ef589e5e0b4fa19c39637f408e6b7953
  Reason: Untrusted version of PipelineTask "rpms-signature-scan" (Task "rpms-signature-scan") was included in build chain comprised of: rpms-signature-scan. Please upgrade the task version to: sha256:0eb4cfb41181a158b6761c990cc7a9f7f77c70f7ff19bf276009c6ef59c9da5e
  Term: rpms-signature-scan
  Title: Tasks are trusted
  Description: Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add "trusted_task.trusted:rpms-signature-scan" to the `exclude` section of the policy configuration.
  Solution: If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available.

› [Warning] cve.unpatched_cve_warnings
  ImageRef: quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:fc458c2395c41477ab353297f90093a8ef589e5e0b4fa19c39637f408e6b7953
  Reason: Found "CVE-2026-34982" non-blocking unpatched vulnerability of high security level
  Term: CVE-2026-34982
  Title: Non-blocking unpatched CVE check
  Description: The SLSA Provenance attestation for the image is inspected to ensure CVEs that do NOT have a known fix and meet a certain security level have not been detected. If detected, this policy rule will raise a warning. By default, only CVEs of critical and high security level cause a warning. This is configurable by the rule data key `warn_unpatched_cve_security_levels`. The available levels are critical, high, medium, low, and unknown.
  Solution: CVEs without a known fix can only be remediated by either removing the impacted dependency, or by waiting for a fix to be available.

› [Warning] cve.unpatched_cve_warnings
  ImageRef: quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:fc458c2395c41477ab353297f90093a8ef589e5e0b4fa19c39637f408e6b7953
  Reason: Found "CVE-2026-4786" non-blocking unpatched vulnerability of high security level
  Term: CVE-2026-4786
  Title: Non-blocking unpatched CVE check
  Description: The SLSA Provenance attestation for the image is inspected to ensure CVEs that do NOT have a known fix and meet a certain security level have not been detected. If detected, this policy rule will raise a warning. By default, only CVEs of critical and high security level cause a warning. This is configurable by the rule data key `warn_unpatched_cve_security_levels`. The available levels are critical, high, medium, low, and unknown.
  Solution: CVEs without a known fix can only be remediated by either removing the impacted dependency, or by waiting for a fix to be available.

› [Warning] cve.unpatched_cve_warnings
  ImageRef: quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:fc458c2395c41477ab353297f90093a8ef589e5e0b4fa19c39637f408e6b7953
  Reason: Found "CVE-2026-4878" non-blocking unpatched vulnerability of high security level
  Term: CVE-2026-4878
  Title: Non-blocking unpatched CVE check
  Description: The SLSA Provenance attestation for the image is inspected to ensure CVEs that do NOT have a known fix and meet a certain security level have not been detected. If detected, this policy rule will raise a warning. By default, only CVEs of critical and high security level cause a warning. This is configurable by the rule data key `warn_unpatched_cve_security_levels`. The available levels are critical, high, medium, low, and unknown.
  Solution: CVEs without a known fix can only be remediated by either removing the impacted dependency, or by waiting for a fix to be available.

› [Warning] cve.unpatched_cve_warnings
  ImageRef: quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:fc458c2395c41477ab353297f90093a8ef589e5e0b4fa19c39637f408e6b7953
  Reason: Found "CVE-2026-6100" non-blocking unpatched vulnerability of high security level
  Term: CVE-2026-6100
  Title: Non-blocking unpatched CVE check
  Description: The SLSA Provenance attestation for the image is inspected to ensure CVEs that do NOT have a known fix and meet a certain security level have not been detected. If detected, this policy rule will raise a warning. By default, only CVEs of critical and high security level cause a warning. This is configurable by the rule data key `warn_unpatched_cve_security_levels`. The available levels are critical, high, medium, low, and unknown.
  Solution: CVEs without a known fix can only be remediated by either removing the impacted dependency, or by waiting for a fix to be available.

› [Warning] trusted_task.current
  ImageRef: quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:fc458c2395c41477ab353297f90093a8ef589e5e0b4fa19c39637f408e6b7953
  Reason: A newer version of task "deprecated-base-image-check" exists. Please update before 2026-05-17T00:00:00Z. The current bundle is "oci://quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.5@sha256:3457a4ca93f8d55f14ebd407532b1223c689eacc34f0abb3003db4111667bdae" and the latest bundle ref is "sha256:5ff16b7e6b4a8aa1adb352e74b9f831f77ff97bafd1b89ddb0038d63335f1a67"
  Term: deprecated-image-check
  Title: Tasks using the latest versions
  Description: Check if all Tekton Tasks use the latest known Task reference. When warnings will be reported can be configured using the `task_expiry_warning_days` rule data setting. It holds the number of days before the task is to expire within which the warnings will be reported.
  Solution: Update the Task reference to a newer version.

› [Warning] trusted_task.current
  ImageRef: quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:fc458c2395c41477ab353297f90093a8ef589e5e0b4fa19c39637f408e6b7953
  Reason: A newer version of task "sast-shell-check" exists. Please update before 2026-05-30T00:00:00Z. The current bundle is "oci://quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta-min:0.1@sha256:fa19753f59288a397aab2ddb9459f35f0ec1b89f43c36e944a3958db72becb5a" and the latest bundle ref is "sha256:ab677246d5726fe774ac29cb8c07fd87852cdf91c396d62869dd785017c9fe07"
  Term: sast-shell-check-oci-ta-min
  Title: Tasks using the latest versions
  Description: Check if all Tekton Tasks use the latest known Task reference. When warnings will be reported can be configured using the `task_expiry_warning_days` rule data setting. It holds the number of days before the task is to expire within which the warnings will be reported.
  Solution: Update the Task reference to a newer version.

For more information about policy issues, see the policy documentation: https://conforma.dev/docs/policy/