{"success": true,"components": [{"name": "tsf-comp-tbnf","containerImage": "quay.io/rhtap_qe/default-tenant/tsf-comp-tbnf@sha256:524d75507fd87088bf3bb8eae9e01a2f9aa7a8f1fec040912ac2d960c09c9858","source": {"git": {"url": "https://github.com/rhads-tsf-qe/testrepo","revision": "092b6523563a5987239cb90f64324164f5c55077"}},"successes": [{"msg": "Pass","metadata": {"code": "attestation_type.known_attestation_type","collections": ["minimal","redhat","redhat_rpms","slsa3"],"depends_on": ["attestation_type.pipelinerun_attestation_found"],"description": "Confirm the attestation found for the image has a known attestation type.","title": "Known attestation type found"}},{"msg": "Pass","metadata": {"code": "attestation_type.pipelinerun_attestation_found","collections": ["minimal","redhat","redhat_rpms","slsa3"],"description": "Confirm at least one PipelineRun attestation is present.","title": "PipelineRun attestation found"}},{"msg": "Pass","metadata": {"code": "builtin.attestation.signature_check","description": "The attestation signature matches available signing materials.","title": "Attestation signature check passed"}},{"msg": "Pass","metadata": {"code": "builtin.attestation.syntax_check","description": "The attestation has correct syntax.","title": "Attestation syntax check passed"}},{"msg": "Pass","metadata": {"code": "builtin.image.signature_check","description": "The image signature matches available signing materials.","title": "Image signature check passed"}},{"msg": "Pass","metadata": {"code": "slsa_build_build_service.allowed_builder_ids_provided","collections": ["slsa3","redhat","redhat_rpms","policy_data"],"description": "Confirm the `allowed_builder_ids` rule data was provided, since it is required by the policy rules in this package.","title": "Allowed builder IDs provided"}},{"msg": "Pass","metadata": {"code": "slsa_build_build_service.slsa_builder_id_accepted","collections": ["slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify that the attestation attribute predicate.builder.id is set to one of the values in the `allowed_builder_ids` rule data, e.g. \"https://tekton.dev/chains/v2\".","title": "SLSA Builder ID is known and accepted"}},{"msg": "Pass","metadata": {"code": "slsa_build_build_service.slsa_builder_id_found","collections": ["slsa3","redhat"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify that the attestation attribute predicate.builder.id is set.","title": "SLSA Builder ID found"}},{"msg": "Pass","metadata": {"code": "slsa_build_scripted_build.build_script_used","collections": ["slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify that the predicate.buildConfig.tasks.steps attribute for the task responsible for building and pushing the image is not empty.","title": "Build task contains steps"}},{"msg": "Pass","metadata": {"code": "slsa_build_scripted_build.build_task_image_results_found","collections": ["slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Confirm that a build task exists and it has the expected IMAGE_DIGEST and IMAGE_URL task results.","title": "Build task set image digest and url task results"}},{"msg": "Pass","metadata": {"code": "slsa_build_scripted_build.subject_build_task_matches","collections": ["slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify the subject of the attestations matches the IMAGE_DIGEST and IMAGE_URL values from the build task.","title": "Provenance subject matches build task image result"}},{"msg": "Pass","metadata": {"code": "slsa_provenance_available.allowed_predicate_types_provided","collections": ["minimal","slsa3","redhat","redhat_rpms","policy_data"],"description": "Confirm the `allowed_predicate_types` rule data was provided, since it is required by the policy rules in this package.","title": "Allowed predicate types provided"}},{"msg": "Pass","metadata": {"code": "slsa_provenance_available.attestation_predicate_type_accepted","collections": ["minimal","slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify that the predicateType field of the attestation indicates the in-toto SLSA Provenance format was used to attest the PipelineRun.","title": "Expected attestation predicate type found"}},{"msg": "Pass","metadata": {"code": "slsa_source_correlated.attested_source_code_reference","collections": ["minimal","slsa3","redhat"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Attestation contains source reference.","title": "Source reference"}},{"msg": "Pass","metadata": {"code": "slsa_source_correlated.expected_source_code_reference","collections": ["minimal","slsa3","redhat"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify that the provided source code reference is the one being attested.","title": "Expected source code reference"}},{"msg": "Pass","metadata": {"code": "slsa_source_correlated.rule_data_provided","collections": ["minimal","slsa3","redhat","redhat_rpms","policy_data"],"description": "Confirm the expected rule data keys have been provided in the expected format. The keys are `supported_vcs` and `supported_digests`.","title": "Rule data provided"}},{"msg": "Pass","metadata": {"code": "slsa_source_correlated.source_code_reference_provided","collections": ["minimal","slsa3","redhat","redhat_rpms"],"description": "Check if the expected source code reference is provided.","title": "Source code reference provided"}},{"msg": "Pass","metadata": {"code": "slsa_source_version_controlled.materials_format_okay","collections": ["minimal","slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Confirm at least one entry in the predicate.materials array of the attestation contains the expected attributes: uri and digest.sha1.","title": "Materials have uri and digest"}},{"msg": "Pass","metadata": {"code": "slsa_source_version_controlled.materials_include_git_sha","collections": ["minimal","slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Ensure that each entry in the predicate.materials array with a SHA-1 digest includes a valid Git commit SHA.","title": "Materials include git commit shas"}},{"msg": "Pass","metadata": {"code": "slsa_source_version_controlled.materials_uri_is_git_repo","collections": ["minimal","slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Ensure each entry in the predicate.materials array with a SHA-1 digest includes a valid Git URI.","title": "Material uri is a git repo"}},{"msg": "Pass","metadata": {"code": "tasks.pipeline_has_tasks","collections": ["minimal","redhat","redhat_rpms","slsa3"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Ensure that at least one Task is present in the PipelineRun attestation.","title": "Pipeline run includes at least one task"}},{"msg": "Pass","metadata": {"code": "tasks.successful_pipeline_tasks","collections": ["minimal","redhat","redhat_rpms","slsa3"],"depends_on": ["tasks.pipeline_has_tasks"],"description": "Ensure that all of the Tasks in the Pipeline completed successfully. Note that skipped Tasks are not taken into account and do not influence the outcome.","title": "Successful pipeline tasks"}}],"success": true,"signatures": [{"keyid": "","sig": "MEUCIFabM7vvykiDkUqzOl2ciw68V93VXmZN9qRwRvUkIdTlAiEAqnMUXN2oZfqrUpAJzlqkMqBOhrG8FuokdOd1PQr4aUE="},{"keyid": "","sig": "MEQCIC1gkf06Y2A8dXymOo6yIOfFTy2wEj3BybIIRC4AAm5DAiAvIQeuSTHJXzQDYiNdeTxBupLvvqGRcp2QtbCyc3qk1A=="},{"keyid": "","sig": "MEUCIQDX+A707XVmAKera9tMTOHB1upigK1bWaKw1fJF20le4QIgSCyYrA2YyB7fso7JqzFzhtyF2dmqtsRl1Q0mThY5so0="}],"attestations": [{"type": "https://in-toto.io/Statement/v0.1",
"predicateType": "https://slsa.dev/provenance/v0.2","predicateBuildType": "tekton.dev/v1beta1/TaskRun","signatures": [{"keyid": "SHA256:l1pdcR0+ERFJmc0y8id8LqCZ4U28HcV8m/25kY7DLZM","sig": "MEQCIGHDxZSXYAW/qarplVaVgVReNHuwYyCmsqTBkjei2QZoAiBrEG6IiicpZ2jhIEZ/BmCVoESvl8A5iVtXvBhku6EjSA=="}]},{"type": "https://in-toto.io/Statement/v0.1","predicateType": "https://slsa.dev/provenance/v0.2","predicateBuildType": "tekton.dev/v1beta1/TaskRun","signatures": [{"keyid": "SHA256:l1pdcR0+ERFJmc0y8id8LqCZ4U28HcV8m/25kY7DLZM","sig": "MEQCIFMwKYtG1dbGrv7dx+l6uebx0czRKgKhOSoXoKF2I4y8AiAOoAeyA1sBbu7tt0hLMdjUKF64BAh1hHL3TrFsbpw5sg=="}]},{"type": "https://in-toto.io/Statement/v0.1","predicateType": "https://slsa.dev/provenance/v0.2","predicateBuildType": "tekton.dev/v1beta1/PipelineRun","signatures": [{"keyid": "SHA256:l1pdcR0+ERFJmc0y8id8LqCZ4U28HcV8m/25kY7DLZM","sig": "MEUCIFIvBGafwTAmP362juGDY7VotV1RZXSyCkX069j9B5B1AiEAm2KBSxLciyb4LX5Sn1dMTMTvAlVPxKLcZ2W0kXnrp6M="}]},{"type": "https://in-toto.io/Statement/v0.1","predicateType": "https://slsa.dev/provenance/v0.2","predicateBuildType": "tekton.dev/v1beta1/PipelineRun","signatures": [{"keyid": "SHA256:l1pdcR0+ERFJmc0y8id8LqCZ4U28HcV8m/25kY7DLZM","sig": "MEYCIQCLVXLV1fyB0VQWA/IDstP6ekFIPy9Uk5gkf82bZhf+QgIhAIjwqHfVYRCTwKbuWczwllshTiSPTEFq7saDb1T/gXHW"}]},{"type": "https://in-toto.io/Statement/v0.1","predicateType": "https://slsa.dev/provenance/v0.2","predicateBuildType": "tekton.dev/v1beta1/PipelineRun","signatures": [{"keyid": "SHA256:l1pdcR0+ERFJmc0y8id8LqCZ4U28HcV8m/25kY7DLZM","sig": "MEUCIEmowgNcydGZLTtjnA3OUJS90MIAD0aJAtT4Ud0q5+9rAiEAiuf83++fekwQj6Q0guEfvI0YV99fR2KI6Qqvb/wsYGg="}]},{"type": "https://in-toto.io/Statement/v0.1","predicateType": "https://slsa.dev/provenance/v0.2","predicateBuildType": "tekton.dev/v1beta1/PipelineRun","signatures": [{"keyid": "SHA256:l1pdcR0+ERFJmc0y8id8LqCZ4U28HcV8m/25kY7DLZM","sig": "MEYCIQCAIvZeTE6C76IKF8mDAeLsHXV9dVoNPIkz47ZIpiL6jQIhANJBTCuPdlg1pv2sY4sHHHGHjbEtIfCo2WTvTLjcfKon"}]},{"type": "https://in-toto.io/Statement/v0.1","predicateType": "https://slsa.dev/provenance/v0.2","predicateBuildType": "tekton.dev/v1beta1/PipelineRun","signatures": [{"keyid": "SHA256:l1pdcR0+ERFJmc0y8id8LqCZ4U28HcV8m/25kY7DLZM","sig": "MEUCIHswgmY61HFr/Gd1igM+lR98YS10ZpaDmiw+39Ky9/BPAiEA/xvJgvaL5kFRvTGtKL09njm89WjqaRwQ5ev2Q6YUk0w="}]},{"type": "https://in-toto.io/Statement/v0.1","predicateType": "https://slsa.dev/provenance/v0.2","predicateBuildType": "tekton.dev/v1beta1/PipelineRun","signatures": [{"keyid": "SHA256:l1pdcR0+ERFJmc0y8id8LqCZ4U28HcV8m/25kY7DLZM","sig": "MEUCIEtvsJScYxPVwLNXdfTMeLDJTcYeab3OylAXce0Bx2g5AiEA4AyocxiYzZHBvY28s6sfzonYYVfwpT0S1JLnZSF0lUk="}]},{"type": "https://in-toto.io/Statement/v0.1","predicateType": "https://slsa.dev/provenance/v0.2","predicateBuildType": "tekton.dev/v1beta1/PipelineRun","signatures": [{"keyid": "SHA256:l1pdcR0+ERFJmc0y8id8LqCZ4U28HcV8m/25kY7DLZM","sig": "MEUCIFtb1x8k9461ovHveZdPQzbM482C2fNq5TnPrCuOwQVnAiEAvTztRfeDFFh//2RiT6CduIxtCbK+P9p7L2I5dujAuMk="}]},{"type": "https://in-toto.io/Statement/v0.1","predicateType": "https://slsa.dev/provenance/v0.2","predicateBuildType": "tekton.dev/v1beta1/PipelineRun","signatures": [{"keyid": "SHA256:l1pdcR0+ERFJmc0y8id8LqCZ4U28HcV8m/25kY7DLZM","sig": "MEUCIQDflOpAvV/VU0mlpUYQZkq1y8D3MEIdxIQ+0RqJynxOBAIgGESi6zF9RCorypjKY/zThvRCCTfJyr3yKyYnFjJ6wF0="}]}]}],"key": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEH22X8nWKAS2MTLb20AKwZjle+FFO\nqJIu1CNAn500do0meXQ/BRNcL/m87u86gtrWlRgbRFZfXLCX+2ZC+lyxQw==\n-----END PUBLIC KEY-----\n","policy": {"name": "Default","description": "Includes rules for levels 1, 2 & 3 of SLSA v0.1. This is the default config used for new Konflux applications. Available collections are defined in https://redhat-appstudio.github.io/docs.stonesoup.io/ec-policies/release_policy.html#_available_rule_collections. If a different policy configuration is desired, this resource can serve as a starting point. See the docs on how to include and exclude rules https://redhat-appstudio.github.io/docs.stonesoup.io/ec-policies/policy_configuration.html#_including_and_excluding_rules.","sources": [{"name": "Default","policy": ["oci::quay.io/conforma/release-policy:konflux@sha256:6eb386faaf76de0d7dbc9f9e770a7f5639ebcee88e4ed4f004f8053189b21eae"],"data": ["oci::quay.io/konflux-ci/tekton-catalog/data-acceptable-bundles:latest@sha256:0affee8ccc186d69e31deb44106c1d6a0aac5774408935025033db7c1a5e8dd9","git::github.com/release-engineering/rhtap-ec-policy.git//data?ref=dd1a3dd1bf2299e1da9936b89e7279b6ab443bec"],"config": {"include": ["@slsa3"]}}],"publicKey": "k8s://openshift-pipelines/public-key"},"ec-version": "v0.9.2","effective-time": "2026-03-27T00:07:23.375278761Z"}