{"success": false,"components": [{"name": "tsf-comp-irgo","containerImage": "quay.io/rhtap_qe/default-tenant/tsf-comp-irgo@sha256:1542d6e770664c97b95b99aa0b0ea0cb9d9aced4eb57b40dd2b9856debf02776","source": {"git": {"url": "https://github.com/rhads-tsf-qe/testrepo","revision": "50396b6dcf0173a6d6d79291225f3cc330afbc91"}},"violations": [{"msg": "No image signatures found matching the given public key. Verify the correct public key was provided, and a signature was created. Error: no matching signatures: invalid signature when validating ASN.1 encoded signature","metadata": {"code": "builtin.image.signature_check","description": "The image signature matches available signing materials.","title": "Image signature check passed"}}],"successes": [{"msg": "Pass","metadata": {"code": "attestation_type.known_attestation_type","collections": ["minimal","redhat","redhat_rpms","slsa3"],"depends_on": ["attestation_type.pipelinerun_attestation_found"],"description": "Confirm the attestation found for the image has a known attestation type.","title": "Known attestation type found"}},{"msg": "Pass","metadata": {"code": "attestation_type.pipelinerun_attestation_found","collections": ["minimal","redhat","redhat_rpms","slsa3"],"description": "Confirm at least one PipelineRun attestation is present.","title": "PipelineRun attestation found"}},{"msg": "Pass","metadata": {"code": "builtin.attestation.signature_check","description": "The attestation signature matches available signing materials.","title": "Attestation signature check passed"}},{"msg": "Pass","metadata": {"code": "builtin.attestation.syntax_check","description": "The attestation has correct syntax.","title": "Attestation syntax check passed"}},{"msg": "Pass","metadata": {"code": "slsa_build_build_service.allowed_builder_ids_provided","collections": ["slsa3","redhat","redhat_rpms","policy_data"],"description": "Confirm the `allowed_builder_ids` rule data was provided, since it is required by the policy rules in this package.","title": "Allowed builder IDs provided"}},{"msg": "Pass","metadata": {"code": "slsa_build_build_service.slsa_builder_id_accepted","collections": ["slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify that the attestation attribute predicate.builder.id is set to one of the values in the `allowed_builder_ids` rule data, e.g. \"https://tekton.dev/chains/v2\".","title": "SLSA Builder ID is known and accepted"}},{"msg": "Pass","metadata": {"code": "slsa_build_build_service.slsa_builder_id_found","collections": ["slsa3","redhat"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify that the attestation attribute predicate.builder.id is set.","title": "SLSA Builder ID found"}},{"msg": "Pass","metadata": {"code": "slsa_build_scripted_build.build_script_used","collections": ["slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify that the predicate.buildConfig.tasks.steps attribute for the task responsible for building and pushing the image is not empty.","title": "Build task contains steps"}},{"msg": "Pass","metadata": {"code": "slsa_build_scripted_build.build_task_image_results_found","collections": ["slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Confirm that a build task exists and it has the expected IMAGE_DIGEST and IMAGE_URL task results.","title": "Build task set image digest and url task results"}},{"msg": "Pass","metadata": {"code": "slsa_build_scripted_build.subject_build_task_matches","collections": ["slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify the subject of the attestations matches the IMAGE_DIGEST and IMAGE_URL values from the build task.","title": "Provenance subject matches build task image result"}},{"msg": "Pass","metadata": {"code": "slsa_provenance_available.allowed_predicate_types_provided","collections": ["minimal","slsa3","redhat","redhat_rpms","policy_data"],"description": "Confirm the `allowed_predicate_types` rule data was provided, since it is required by the policy rules in this package.","title": "Allowed predicate types provided"}},{"msg": "Pass","metadata": {"code": "slsa_provenance_available.attestation_predicate_type_accepted","collections": ["minimal","slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify that the predicateType field of the attestation indicates the in-toto SLSA Provenance format was used to attest the PipelineRun.","title": "Expected attestation predicate type found"}},{"msg": "Pass","metadata": {"code": "slsa_source_correlated.attested_source_code_reference","collections": ["minimal","slsa3","redhat"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Attestation contains source reference.","title": "Source reference"}},{"msg": "Pass","metadata": {"code": "slsa_source_correlated.expected_source_code_reference","collections": ["minimal","slsa3","redhat"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify that the provided source code reference is the one being attested.","title": "Expected source code reference"}},{"msg": "Pass","metadata": {"code": "slsa_source_correlated.rule_data_provided","collections": ["minimal","slsa3","redhat","redhat_rpms","policy_data"],"description": "Confirm the expected rule data keys have been provided in the expected format. The keys are `supported_vcs` and `supported_digests`.","title": "Rule data provided"}},{"msg": "Pass","metadata": {"code": "slsa_source_correlated.source_code_reference_provided","collections": ["minimal","slsa3","redhat","redhat_rpms"],"description": "Check if the expected source code reference is provided.","title": "Source code reference provided"}},{"msg": "Pass","metadata": {"code": "slsa_source_version_controlled.materials_format_okay","collections": ["minimal","slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Confirm at least one entry in the predicate.materials array of the attestation contains the expected attributes: uri and digest.sha1.","title": "Materials have uri and digest"}},{"msg": "Pass","metadata": {"code": "slsa_source_version_controlled.materials_include_git_sha","collections": ["minimal","slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Ensure that each entry in the predicate.materials array with a SHA-1 digest includes a valid Git commit SHA.","title": "Materials include git commit shas"}},{"msg": "Pass","metadata": {"code": "slsa_source_version_controlled.materials_uri_is_git_repo","collections": ["minimal","slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Ensure each entry in the predicate.materials array with a SHA-1 digest includes a valid Git URI.","title": "Material uri is a git repo"}},{"msg": "Pass","metadata": {"code": "tasks.pipeline_has_tasks","collections": ["minimal","redhat","redhat_rpms","slsa3"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Ensure that at least one Task is present in the PipelineRun attestation.","title": "Pipeline run includes at least one task"}},{"msg": "Pass","metadata": {"code": "tasks.successful_pipeline_tasks","collections": ["minimal","redhat","redhat_rpms","slsa3"],"depends_on": ["tasks.pipeline_has_tasks"],"description": "Ensure that all of the Tasks in the Pipeline completed successfully. Note that skipped Tasks are not taken into account and do not influence the outcome.","title": "Successful pipeline tasks"}}],"success": false,"attestations": [{"type": "https://in-toto.io/Statement/v0.1","predicateType": "https://slsa.dev/provenance/v0.2","predicateBuildType": "tekton.dev/v1beta1/TaskRun","signatures": [{
"keyid": "SHA256:4scCObRepTUmuKO8RMw+hdZ3gWMA1LvOGhlz0H48g74","sig": "MEQCIAOVCj3BWb5StjUPVvARmwJVb6FfqwLr8Q/NlsAaSXCLAiAVjghvGVHX4MxgfhWKJIyhSiCYGj6WhmcLca9ERdcprQ=="}]},{"type": "https://in-toto.io/Statement/v0.1","predicateType": "https://slsa.dev/provenance/v0.2","predicateBuildType": "tekton.dev/v1beta1/TaskRun","signatures": [{"keyid": "SHA256:4scCObRepTUmuKO8RMw+hdZ3gWMA1LvOGhlz0H48g74","sig": "MEQCID5haXkmstnVeVBLHVzXE1V5uBRkY8ds99IVASIquYvvAiARgafuUHXrvtOEjeTvdQYi+0Gk/W+ICAKq+rvDaHhS/g=="}]},{"type": "https://in-toto.io/Statement/v0.1","predicateType": "https://slsa.dev/provenance/v0.2","predicateBuildType": "tekton.dev/v1beta1/TaskRun","signatures": [{"keyid": "SHA256:4scCObRepTUmuKO8RMw+hdZ3gWMA1LvOGhlz0H48g74","sig": "MEYCIQDShVnKGpdUt1k/VxnPeiw5p+4XnG0Fht6sfe9utUlGkAIhAPuyaYSVQurDq1S3t0g82KDJx/6/X0GQbOk7rZOeKLNh"}]},{"type": "https://in-toto.io/Statement/v0.1","predicateType": "https://slsa.dev/provenance/v0.2","predicateBuildType": "tekton.dev/v1beta1/TaskRun","signatures": [{"keyid": "SHA256:4scCObRepTUmuKO8RMw+hdZ3gWMA1LvOGhlz0H48g74","sig": "MEUCIHNDYRyDaNrfDXPogGXqHVlyB/7Aj2dkLJWVZ1sfN38ZAiEAkln4z1ICLKFL4NCPYiYh0RK6yeHE25Xq4yf2JIl3CoE="}]},{"type": "https://in-toto.io/Statement/v0.1","predicateType": "https://slsa.dev/provenance/v0.2","predicateBuildType": "tekton.dev/v1beta1/TaskRun","signatures": [{"keyid": "SHA256:4scCObRepTUmuKO8RMw+hdZ3gWMA1LvOGhlz0H48g74","sig": "MEQCIBICfD9OpIpACd1yBOX+AbpNqvbp5iFSN9vF+Jz3hQFOAiBPBLCe8OlOali1XY28Fa/K9odZ/mRa9ppGEroGCHHb4w=="}]},{"type": "https://in-toto.io/Statement/v0.1","predicateType": "https://slsa.dev/provenance/v0.2","predicateBuildType": "tekton.dev/v1beta1/TaskRun","signatures": [{"keyid": "SHA256:4scCObRepTUmuKO8RMw+hdZ3gWMA1LvOGhlz0H48g74","sig": "MEYCIQCLpEf8EYZRHF98hq+/TSHbQ4GYA9c/04R0N4TbMpaApwIhAL00StOuanpyT23L2BnAUM6z7Ogrzw4RgY7olHq9R6cz"}]},{"type": "https://in-toto.io/Statement/v0.1","predicateType": "https://slsa.dev/provenance/v0.2","predicateBuildType": "tekton.dev/v1beta1/TaskRun","signatures": [{"keyid": "SHA256:4scCObRepTUmuKO8RMw+hdZ3gWMA1LvOGhlz0H48g74","sig": "MEUCIFL4RV6DC4TnIwVMTX+TU+nrjCX7sLDyqfcIvcVinm9cAiEAi1R67XmKKdNfBQwPirRmVNVrqpjs6FgEInzezHAxQQ4="}]},{"type": "https://in-toto.io/Statement/v0.1","predicateType": "https://slsa.dev/provenance/v0.2","predicateBuildType": "tekton.dev/v1beta1/TaskRun","signatures": [{"keyid": "SHA256:4scCObRepTUmuKO8RMw+hdZ3gWMA1LvOGhlz0H48g74","sig": "MEQCIDvOUKvapdFSoFbHUpUJYA15eqqhl1PHVJ+RePVlDedwAiBq7WaiJghr5j65W/NF3I6TSnAhWMnHDdS5fSKjcFF2aQ=="}]},{"type": "https://in-toto.io/Statement/v0.1","predicateType": "https://slsa.dev/provenance/v0.2","predicateBuildType": "tekton.dev/v1beta1/TaskRun","signatures": [{"keyid": "SHA256:4scCObRepTUmuKO8RMw+hdZ3gWMA1LvOGhlz0H48g74","sig": "MEUCIE+IsCJyW8JJpTE5zvTSlNhdzyvJ++/+02MF4odFpoObAiEAjaPRh/ilI0Dfeb5gweXHyl50OLXHz7v4w5PXtSosWq8="}]},{"type": "https://in-toto.io/Statement/v0.1","predicateType": "https://slsa.dev/provenance/v0.2","predicateBuildType": "tekton.dev/v1beta1/TaskRun","signatures": [{"keyid": "SHA256:4scCObRepTUmuKO8RMw+hdZ3gWMA1LvOGhlz0H48g74","sig": "MEUCIDJqXqLovDbg2YEgQCBuflYsKfWRK5vuFe+mHMAkaDNnAiEA4DRe4Dm8VI5ETAjmPGcULUH/H0C/Kj3lPTd/j4AvIZA="}]},{"type": "https://in-toto.io/Statement/v0.1","predicateType": "https://slsa.dev/provenance/v0.2","predicateBuildType": "tekton.dev/v1beta1/TaskRun","signatures": [{"keyid": "SHA256:4scCObRepTUmuKO8RMw+hdZ3gWMA1LvOGhlz0H48g74","sig": "MEQCIERHpmistooprSWjmG3aH1OGFPDNanQRedmKGWZxVvQ/AiB+/n1TRrLNh1kx04IDSA8OeTSRjtX/Hphz91WHZvKwUA=="}]},{"type": "https://in-toto.io/Statement/v0.1","predicateType": "https://slsa.dev/provenance/v0.2","predicateBuildType": "tekton.dev/v1beta1/TaskRun","signatures": [{"keyid": "SHA256:4scCObRepTUmuKO8RMw+hdZ3gWMA1LvOGhlz0H48g74","sig": "MEYCIQC2Q1PkRbuv5MRIEYYL56OF+gvGmvNRcyfpqyCPPdhe+AIhAKpeMGEGNTVD6ndeJVR5SNC2/B4hOlZb6x3SWMhvcskW"}]},{"type": "https://in-toto.io/Statement/v0.1","predicateType": "https://slsa.dev/provenance/v0.2","predicateBuildType": "tekton.dev/v1beta1/TaskRun","signatures": [{"keyid": "SHA256:4scCObRepTUmuKO8RMw+hdZ3gWMA1LvOGhlz0H48g74","sig": "MEYCIQCczJg+7j97XRDG3nqHWTnnnfYDsuaRayw5H823HRP2ywIhANTFnDBtGOdOVxznuTwpmx5bvJ+MHh2MmAAcmaUGvDht"}]},{"type": "https://in-toto.io/Statement/v0.1","predicateType": "https://slsa.dev/provenance/v0.2","predicateBuildType": "tekton.dev/v1beta1/TaskRun","signatures": [{"keyid": "SHA256:4scCObRepTUmuKO8RMw+hdZ3gWMA1LvOGhlz0H48g74","sig": "MEUCIH4OljFze7VLjY1JuTR0I/nC30esblnD1H+VU5r9R1BoAiEAvL0H/SqpoMws+o2p4UiJQ1EapEUQ2qvMzlx44DRPeQc="}]},{"type": "https://in-toto.io/Statement/v0.1","predicateType": "https://slsa.dev/provenance/v0.2","predicateBuildType": "tekton.dev/v1beta1/TaskRun","signatures": [{"keyid": "SHA256:4scCObRepTUmuKO8RMw+hdZ3gWMA1LvOGhlz0H48g74","sig": "MEQCIBOv+Bxdy99LyhGFGMF3pMkuFMvFFbQyQ+NUBZtlFAE3AiBsX4PQc5Pf9xnMEA1Lc2qTM8qLVb04H7B82+hYJwI9/w=="}]},{"type": "https://in-toto.io/Statement/v0.1","predicateType": "https://slsa.dev/provenance/v0.2","predicateBuildType": "tekton.dev/v1beta1/TaskRun","signatures": [{"keyid": "SHA256:4scCObRepTUmuKO8RMw+hdZ3gWMA1LvOGhlz0H48g74","sig": "MEYCIQD6hYxiGRjbxYjCOYzUXYZKRh8WBVMYNOPaas3Nf/AocwIhAM8kQRix/afa0B8vhGaE2Vq4L8W9Eud6xfcH8y8j75xA"}]},{"type": "https://in-toto.io/Statement/v0.1","predicateType": "https://slsa.dev/provenance/v0.2","predicateBuildType": "tekton.dev/v1beta1/TaskRun","signatures": [{"keyid": "SHA256:4scCObRepTUmuKO8RMw+hdZ3gWMA1LvOGhlz0H48g74","sig": "MEQCIBSz9N/hFBXQ62Uc//eNGbzEiopUFfY5CPkKdHyyqLfHAiBZEGtW9Ww6MC3D1/+vrE1jgnm8I7irx7D4e6UnmrXsiw=="}]},{"type": "https://in-toto.io/Statement/v0.1","predicateType": "https://slsa.dev/provenance/v0.2","predicateBuildType": "tekton.dev/v1beta1/TaskRun","signatures": [{"keyid": "SHA256:4scCObRepTUmuKO8RMw+hdZ3gWMA1LvOGhlz0H48g74","sig": "MEUCIQCEE7CCW7SKRxtks+EQKoz5qdw9PfIOKWLfeflJ5rCmnwIgNJ2jhNrMoU6yRX54ceefZdl5tqwoEVtu2QTbM+JrwII="}]},{"type": "https://in-toto.io/Statement/v0.1","predicateType": "https://slsa.dev/provenance/v0.2","predicateBuildType": "tekton.dev/v1beta1/PipelineRun","signatures": [{"keyid": "SHA256:4scCObRepTUmuKO8RMw+hdZ3gWMA1LvOGhlz0H48g74","sig": "MEUCIQDAv9S2E8xBdv1xri0jAiPymjrtZpOXGGTMTz/7XmK5UgIgSSISpz7+aXhaW/o716unmQ9rfH/00C09k7gahLJ1zGc="}]},{"type": "https://in-toto.io/Statement/v0.1","predicateType": "https://slsa.dev/provenance/v0.2","predicateBuildType": "tekton.dev/v1beta1/PipelineRun","signatures": [{"keyid": "SHA256:4scCObRepTUmuKO8RMw+hdZ3gWMA1LvOGhlz0H48g74","sig": "MEUCIEyfi1awR/5LIY9OD8RLj8sF7o+o1IbdaQS3WynOt1I4AiEA4ZOki34sSftsYKea2fuppRExggf0wRO4GZdhyisOMqw="}]},{"type": "https://in-toto.io/Statement/v0.1","predicateType": "https://slsa.dev/provenance/v0.2","predicateBuildType": "tekton.dev/v1beta1/PipelineRun","signatures": [{"keyid": "SHA256:4scCObRepTUmuKO8RMw+hdZ3gWMA1LvOGhlz0H48g74","sig": "MEUCIQDvBXJC/p4ErArzIVi6rv7x11QWi2oTd3wqmVOa3HUdBwIgLoE4a1iCBFXfpvcyIHvwQFUIYXg74hDZVLP3qlGj+5o="}]},{"type": "https://in-toto.io/Statement/v0.1","predicateType": "https://slsa.dev/provenance/v0.2","predicateBuildType": "tekton.dev/v1beta1/PipelineRun","signatures": [{"keyid": "SHA256:4scCObRepTUmuKO8RMw+hdZ3gWMA1LvOGhlz0H48g74","sig": "MEUCIQCnMvM7yadec6eS3IQ8IKF12qFu073wsYel1Mxjec4ApgIgSDbt53okluhxhcQsfT+nhpZxtwfq84hmxrLubjWBzLw="}]},{"type": "https://in-toto.io/Statement/v0.1","predicateType": "https://slsa.dev/provenance/v0.2","predicateBuildType": "tekton.dev/v1beta1/PipelineRun","signatures": [{"keyid": "SHA256:4scCObRepTUmuKO8RMw+hdZ3gWMA1LvOGhlz0H48g74","sig": "MEQCIBGoEx4licalCYVkwn1NP80MIj1bLhdzzm4gJ5HlyXFwAiAY8K83/YYjo0pK9roVIoVHrIdO3IbIpSZl9C9i/QQdKA=="}]},{"type": "https://in-toto.io/Statement/v0.1","predicateType": "https://slsa.dev/provenance/v0.2","predicateBuildType": "tekton.dev/v1beta1/PipelineRun","signatures": [{"keyid": "SHA256:4scCObRepTUmuKO8RMw+hdZ3gWMA1LvOGhlz0H48g74","sig": "MEQCIBhqu9k7f+WrS8ucnGq8f5yf6z6Ttp8BM2ytI3zJ6E2XAiBHiMI/4uaiu22UkTPtN63SOFGJz+dvryYDtckKZ8Lqkw=="}]},{"type": "https://in-toto.io/Statement/v0.1","predicateType": "https://slsa.dev/provenance/v0.2",
"predicateBuildType": "tekton.dev/v1beta1/PipelineRun","signatures": [{"keyid": "SHA256:4scCObRepTUmuKO8RMw+hdZ3gWMA1LvOGhlz0H48g74","sig": "MEYCIQCYJe/c+NctrRY2hsSCItpIowSbA3D7rCnkYMCB9tNZMQIhAJa4rKYKX3h1hMvqg93tS43RvsF020B83rhtQbXazuES"}]},{"type": "https://in-toto.io/Statement/v0.1","predicateType": "https://slsa.dev/provenance/v0.2","predicateBuildType": "tekton.dev/v1beta1/PipelineRun","signatures": [{"keyid": "SHA256:4scCObRepTUmuKO8RMw+hdZ3gWMA1LvOGhlz0H48g74","sig": "MEYCIQCGmn98cnvAbxYUJ6D2i2SfFoMyOra4PH19jb4hJM3jkAIhAKjQlpgGKsznSzSwSw60yJXyIlWJpeK78KDQwAsLnp+c"}]}]}],"key": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIyEr5CJg9L2ZsV4dO3F6z0gUGnMt\nkC/wwDhClpyqHAb/k4lN4KxF2j+ZBCG5tBLfHEpKX5mxDCaPq1aNpEB++Q==\n-----END PUBLIC KEY-----\n","policy": {"name": "Default","description": "Includes rules for levels 1, 2 & 3 of SLSA v0.1. This is the default config used for new Konflux applications. Available collections are defined in https://redhat-appstudio.github.io/docs.stonesoup.io/ec-policies/release_policy.html#_available_rule_collections. If a different policy configuration is desired, this resource can serve as a starting point. See the docs on how to include and exclude rules https://redhat-appstudio.github.io/docs.stonesoup.io/ec-policies/policy_configuration.html#_including_and_excluding_rules.","sources": [{"name": "Default","policy": ["oci::quay.io/conforma/release-policy:konflux@sha256:6eb386faaf76de0d7dbc9f9e770a7f5639ebcee88e4ed4f004f8053189b21eae"],"data": ["oci::quay.io/konflux-ci/tekton-catalog/data-acceptable-bundles:latest@sha256:0affee8ccc186d69e31deb44106c1d6a0aac5774408935025033db7c1a5e8dd9","git::github.com/release-engineering/rhtap-ec-policy.git//data?ref=dd1a3dd1bf2299e1da9936b89e7279b6ab443bec"],"config": {"include": ["@slsa3"]}}],"publicKey": "k8s://openshift-pipelines/public-key"},"ec-version": "v0.9.2","effective-time": "2026-03-26T23:50:46.175052737Z"}