{"success": true,"components": [{"name": "tsf-comp-uyop","containerImage": "quay.io/rhtap_qe/default-tenant/tsf-comp-uyop@sha256:180832613e4094a96b4a95814169fb89621baefdc980df7daeaa69080e636f2b","source": {"git": {"url": "https://github.com/rhads-tsf-qe/testrepo","revision": "e3c9097c7fe9e020436ba9f337a22fe1736561c5"}},"successes": [{"msg": "Pass","metadata": {"code": "attestation_type.known_attestation_type","collections": ["minimal","redhat","redhat_rpms","slsa3"],"depends_on": ["attestation_type.pipelinerun_attestation_found"],"description": "Confirm the attestation found for the image has a known attestation type.","title": "Known attestation type found"}},{"msg": "Pass","metadata": {"code": "attestation_type.pipelinerun_attestation_found","collections": ["minimal","redhat","redhat_rpms","slsa3"],"description": "Confirm at least one PipelineRun attestation is present.","title": "PipelineRun attestation found"}},{"msg": "Pass","metadata": {"code": "builtin.attestation.signature_check","description": "The attestation signature matches available signing materials.","title": "Attestation signature check passed"}},{"msg": "Pass","metadata": {"code": "builtin.attestation.syntax_check","description": "The attestation has correct syntax.","title": "Attestation syntax check passed"}},{"msg": "Pass","metadata": {"code": "builtin.image.signature_check","description": "The image signature matches available signing materials.","title": "Image signature check passed"}},{"msg": "Pass","metadata": {"code": "slsa_build_build_service.allowed_builder_ids_provided","collections": ["slsa3","redhat","redhat_rpms","policy_data"],"description": "Confirm the `allowed_builder_ids` rule data was provided, since it is required by the policy rules in this package.","title": "Allowed builder IDs provided"}},{"msg": "Pass","metadata": {"code": "slsa_build_build_service.slsa_builder_id_accepted","collections": ["slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify that the attestation attribute predicate.builder.id is set to one of the values in the `allowed_builder_ids` rule data, e.g. \"https://tekton.dev/chains/v2\".","title": "SLSA Builder ID is known and accepted"}},{"msg": "Pass","metadata": {"code": "slsa_build_build_service.slsa_builder_id_found","collections": ["slsa3","redhat"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify that the attestation attribute predicate.builder.id is set.","title": "SLSA Builder ID found"}},{"msg": "Pass","metadata": {"code": "slsa_build_scripted_build.build_script_used","collections": ["slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify that the predicate.buildConfig.tasks.steps attribute for the task responsible for building and pushing the image is not empty.","title": "Build task contains steps"}},{"msg": "Pass","metadata": {"code": "slsa_build_scripted_build.build_task_image_results_found","collections": ["slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Confirm that a build task exists and it has the expected IMAGE_DIGEST and IMAGE_URL task results.","title": "Build task set image digest and url task results"}},{"msg": "Pass","metadata": {"code": "slsa_build_scripted_build.subject_build_task_matches","collections": ["slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify the subject of the attestations matches the IMAGE_DIGEST and IMAGE_URL values from the build task.","title": "Provenance subject matches build task image result"}},{"msg": "Pass","metadata": {"code": "slsa_provenance_available.allowed_predicate_types_provided","collections": ["minimal","slsa3","redhat","redhat_rpms","policy_data"],"description": "Confirm the `allowed_predicate_types` rule data was provided, since it is required by the policy rules in this package.","title": "Allowed predicate types provided"}},{"msg": "Pass","metadata": {"code": "slsa_provenance_available.attestation_predicate_type_accepted","collections": ["minimal","slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify that the predicateType field of the attestation indicates the in-toto SLSA Provenance format was used to attest the PipelineRun.","title": "Expected attestation predicate type found"}},{"msg": "Pass","metadata": {"code": "slsa_source_correlated.attested_source_code_reference","collections": ["minimal","slsa3","redhat"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Attestation contains source reference.","title": "Source reference"}},{"msg": "Pass","metadata": {"code": "slsa_source_correlated.expected_source_code_reference","collections": ["minimal","slsa3","redhat"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify that the provided source code reference is the one being attested.","title": "Expected source code reference"}},{"msg": "Pass","metadata": {"code": "slsa_source_correlated.rule_data_provided","collections": ["minimal","slsa3","redhat","redhat_rpms","policy_data"],"description": "Confirm the expected rule data keys have been provided in the expected format. The keys are `supported_vcs` and `supported_digests`.","title": "Rule data provided"}},{"msg": "Pass","metadata": {"code": "slsa_source_correlated.source_code_reference_provided","collections": ["minimal","slsa3","redhat","redhat_rpms"],"description": "Check if the expected source code reference is provided.","title": "Source code reference provided"}},{"msg": "Pass","metadata": {"code": "slsa_source_version_controlled.materials_format_okay","collections": ["minimal","slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Confirm at least one entry in the predicate.materials array of the attestation contains the expected attributes: uri and digest.sha1.","title": "Materials have uri and digest"}},{"msg": "Pass","metadata": {"code": "slsa_source_version_controlled.materials_include_git_sha","collections": ["minimal","slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Ensure that each entry in the predicate.materials array with a SHA-1 digest includes a valid Git commit SHA.","title": "Materials include git commit shas"}},{"msg": "Pass","metadata": {"code": "slsa_source_version_controlled.materials_uri_is_git_repo","collections": ["minimal","slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Ensure each entry in the predicate.materials array with a SHA-1 digest includes a valid Git URI.","title": "Material uri is a git repo"}},{"msg": "Pass","metadata": {"code": "tasks.pipeline_has_tasks","collections": ["minimal","redhat","redhat_rpms","slsa3"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Ensure that at least one Task is present in the PipelineRun attestation.","title": "Pipeline run includes at least one task"}},{"msg": "Pass","metadata": {"code": "tasks.successful_pipeline_tasks","collections": ["minimal","redhat","redhat_rpms","slsa3"],"depends_on": ["tasks.pipeline_has_tasks"],"description": "Ensure that all of the Tasks in the Pipeline completed successfully. Note that skipped Tasks are not taken into account and do not influence the outcome.","title": "Successful pipeline tasks"}}],"success": true,"signatures": [{"keyid": "","sig": "MEYCIQDSpzkeyYXyVeKY+h65BaqNBrCAVX699eGcUQQn8aoblQIhAP5YuNfjJjTSaGJUUic5QLH/n7CgsaZSivb0FZZjQl6F"},{"keyid": "","sig": "MEYCIQD0urS9Zfh/CTafDz/bzzUYD6q5qu+49JgBeLgYax9j9QIhAPr7eLwF4tLcseB+dpt7up3yGpwSPp0RNsC3k65GFfcn"},{"keyid": "","sig": "MEYCIQCM3oZcurVX2j8RYoRtZOhk4VwBXj5YoP3aV/KeDwHwewIhAKOuXEdxyXwp7bDuWJKdZNWeflYO/lffbdKcqKEtG8MF"}],"attestations": [{"type": "https://in-toto.io/Statement/v0.1",
"predicateType": "https://slsa.dev/provenance/v0.2","predicateBuildType": "tekton.dev/v1beta1/TaskRun","signatures": [{"keyid": "SHA256:GU+OWj1IFxG2W4CkCUUKXIMKG6FNwxH9GFTeEkxw5eM","sig": "MEYCIQCivJf5D96r6L0z4TXJTQcVOFWKoJuBzBSKgKN2cKZSVQIhAPXZaZneY622m5HuL4xa2NyNqc1Zg6zm5twt21ChHy+7"}]},{"type": "https://in-toto.io/Statement/v0.1","predicateType": "https://slsa.dev/provenance/v0.2","predicateBuildType": "tekton.dev/v1beta1/TaskRun","signatures": [{"keyid": "SHA256:GU+OWj1IFxG2W4CkCUUKXIMKG6FNwxH9GFTeEkxw5eM","sig": "MEYCIQD0+/DFEVNKBJMa7qu88Q5YmsZzZEFSjPjkgjJ/88sqiQIhALKOybeCJb8Utpe79hQB8bKhIyEk6g8DnS2XoXdXXtH+"}]},{"type": "https://in-toto.io/Statement/v0.1","predicateType": "https://slsa.dev/provenance/v0.2","predicateBuildType": "tekton.dev/v1beta1/PipelineRun","signatures": [{"keyid": "SHA256:GU+OWj1IFxG2W4CkCUUKXIMKG6FNwxH9GFTeEkxw5eM","sig": "MEUCIQDU6/Po3NdYhXtxyTA3fxxGxflC1VVAZsRDO7CZZ7GBGQIgDkLGkbD6XYHT+ogyiRbWpkwn9uYei+lAroWhjfDvcMg="}]}]}],"key": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEXvWSmX4HlLBH8zSxzsmozSukmlEX\nxnD6ZO2zCXGhkdilnaBSTUni57EkKyV9rAWbJ06TZuZAdAiJhTzb4dohRw==\n-----END PUBLIC KEY-----\n","policy": {"name": "Default","description": "Includes rules for levels 1, 2 & 3 of SLSA v0.1. This is the default config used for new Konflux applications. Available collections are defined in https://redhat-appstudio.github.io/docs.stonesoup.io/ec-policies/release_policy.html#_available_rule_collections. If a different policy configuration is desired, this resource can serve as a starting point. See the docs on how to include and exclude rules https://redhat-appstudio.github.io/docs.stonesoup.io/ec-policies/policy_configuration.html#_including_and_excluding_rules.","sources": [{"name": "Default","policy": ["oci::quay.io/conforma/release-policy:konflux@sha256:6eb386faaf76de0d7dbc9f9e770a7f5639ebcee88e4ed4f004f8053189b21eae"],"data": ["oci::quay.io/konflux-ci/tekton-catalog/data-acceptable-bundles:latest@sha256:0affee8ccc186d69e31deb44106c1d6a0aac5774408935025033db7c1a5e8dd9","git::github.com/release-engineering/rhtap-ec-policy.git//data?ref=dd1a3dd1bf2299e1da9936b89e7279b6ab443bec"],"config": {"include": ["@slsa3"]}}],"publicKey": "k8s://openshift-pipelines/public-key"},"ec-version": "v0.9.2","effective-time": "2026-03-27T08:00:30.228138944Z"}