{"success": false,"components": [{"name": "tsf-comp-qthr","containerImage": "quay.io/rhtap_qe/default-tenant/tsf-comp-qthr@sha256:b0021eb794bde60d52bd6f3f38a7bd6e5de3449c291a1359fb8e32457a87e4ca","source": {"git": {"url": "https://github.com/rhads-tsf-qe/testrepo","revision": "1daf92b53b66c6ff3968606bc6496cc8c979bec2"}},"violations": [{"msg": "No image signatures found matching the given public key. Verify the correct public key was provided, and a signature was created. Error: no matching signatures: invalid signature when validating ASN.1 encoded signature","metadata": {"code": "builtin.image.signature_check","description": "The image signature matches available signing materials.","title": "Image signature check passed"}}],"successes": [{"msg": "Pass","metadata": {"code": "attestation_type.known_attestation_type","collections": ["minimal","redhat","redhat_rpms","slsa3"],"depends_on": ["attestation_type.pipelinerun_attestation_found"],"description": "Confirm the attestation found for the image has a known attestation type.","title": "Known attestation type found"}},{"msg": "Pass","metadata": {"code": "attestation_type.pipelinerun_attestation_found","collections": ["minimal","redhat","redhat_rpms","slsa3"],"description": "Confirm at least one PipelineRun attestation is present.","title": "PipelineRun attestation found"}},{"msg": "Pass","metadata": {"code": "builtin.attestation.signature_check","description": "The attestation signature matches available signing materials.","title": "Attestation signature check passed"}},{"msg": "Pass","metadata": {"code": "builtin.attestation.syntax_check","description": "The attestation has correct syntax.","title": "Attestation syntax check passed"}},{"msg": "Pass","metadata": {"code": "slsa_build_build_service.allowed_builder_ids_provided","collections": ["slsa3","redhat","redhat_rpms","policy_data"],"description": "Confirm the `allowed_builder_ids` rule data was provided, since it is required by the policy rules in this package.","title": "Allowed builder IDs provided"}},{"msg": "Pass","metadata": {"code": "slsa_build_build_service.slsa_builder_id_accepted","collections": ["slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify that the attestation attribute predicate.builder.id is set to one of the values in the `allowed_builder_ids` rule data, e.g. \"https://tekton.dev/chains/v2\".","title": "SLSA Builder ID is known and accepted"}},{"msg": "Pass","metadata": {"code": "slsa_build_build_service.slsa_builder_id_found","collections": ["slsa3","redhat"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify that the attestation attribute predicate.builder.id is set.","title": "SLSA Builder ID found"}},{"msg": "Pass","metadata": {"code": "slsa_build_scripted_build.build_script_used","collections": ["slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify that the predicate.buildConfig.tasks.steps attribute for the task responsible for building and pushing the image is not empty.","title": "Build task contains steps"}},{"msg": "Pass","metadata": {"code": "slsa_build_scripted_build.build_task_image_results_found","collections": ["slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Confirm that a build task exists and it has the expected IMAGE_DIGEST and IMAGE_URL task results.","title": "Build task set image digest and url task results"}},{"msg": "Pass","metadata": {"code": "slsa_build_scripted_build.subject_build_task_matches","collections": ["slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify the subject of the attestations matches the IMAGE_DIGEST and IMAGE_URL values from the build task.","title": "Provenance subject matches build task image result"}},{"msg": "Pass","metadata": {"code": "slsa_provenance_available.allowed_predicate_types_provided","collections": ["minimal","slsa3","redhat","redhat_rpms","policy_data"],"description": "Confirm the `allowed_predicate_types` rule data was provided, since it is required by the policy rules in this package.","title": "Allowed predicate types provided"}},{"msg": "Pass","metadata": {"code": "slsa_provenance_available.attestation_predicate_type_accepted","collections": ["minimal","slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify that the predicateType field of the attestation indicates the in-toto SLSA Provenance format was used to attest the PipelineRun.","title": "Expected attestation predicate type found"}},{"msg": "Pass","metadata": {"code": "slsa_source_correlated.attested_source_code_reference","collections": ["minimal","slsa3","redhat"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Attestation contains source reference.","title": "Source reference"}},{"msg": "Pass","metadata": {"code": "slsa_source_correlated.expected_source_code_reference","collections": ["minimal","slsa3","redhat"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify that the provided source code reference is the one being attested.","title": "Expected source code reference"}},{"msg": "Pass","metadata": {"code": "slsa_source_correlated.rule_data_provided","collections": ["minimal","slsa3","redhat","redhat_rpms","policy_data"],"description": "Confirm the expected rule data keys have been provided in the expected format. The keys are `supported_vcs` and `supported_digests`.","title": "Rule data provided"}},{"msg": "Pass","metadata": {"code": "slsa_source_correlated.source_code_reference_provided","collections": ["minimal","slsa3","redhat","redhat_rpms"],"description": "Check if the expected source code reference is provided.","title": "Source code reference provided"}},{"msg": "Pass","metadata": {"code": "slsa_source_version_controlled.materials_format_okay","collections": ["minimal","slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Confirm at least one entry in the predicate.materials array of the attestation contains the expected attributes: uri and digest.sha1.","title": "Materials have uri and digest"}},{"msg": "Pass","metadata": {"code": "slsa_source_version_controlled.materials_include_git_sha","collections": ["minimal","slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Ensure that each entry in the predicate.materials array with a SHA-1 digest includes a valid Git commit SHA.","title": "Materials include git commit shas"}},{"msg": "Pass","metadata": {"code": "slsa_source_version_controlled.materials_uri_is_git_repo","collections": ["minimal","slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Ensure each entry in the predicate.materials array with a SHA-1 digest includes a valid Git URI.","title": "Material uri is a git repo"}},{"msg": "Pass","metadata": {"code": "tasks.pipeline_has_tasks","collections": ["minimal","redhat","redhat_rpms","slsa3"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Ensure that at least one Task is present in the PipelineRun attestation.","title": "Pipeline run includes at least one task"}},{"msg": "Pass","metadata": {"code": "tasks.successful_pipeline_tasks","collections": ["minimal","redhat","redhat_rpms","slsa3"],"depends_on": ["tasks.pipeline_has_tasks"],"description": "Ensure that all of the Tasks in the Pipeline completed successfully. Note that skipped Tasks are not taken into account and do not influence the outcome.","title": "Successful pipeline tasks"}}],"success": false,"attestations": [{"type": "https://in-toto.io/Statement/v0.1","predicateType": "https://slsa.dev/provenance/v0.2","predicateBuildType": "tekton.dev/v1beta1/TaskRun","signatures": [{
"keyid": "SHA256:e4L3Gc1IzSdQHt8jUTiRVIZsVJYB68mN9nWcOYtwX4g","sig": "MEQCIF2LjEC4CLXK31CN8mZ1F2DAWJKici7O+J59E0+6/aT7AiBV0w1XRlaF4NWn5wH9irVrliDZI2tpI1KU0JER89m1Eg=="}]},{"type": "https://in-toto.io/Statement/v0.1","predicateType": "https://slsa.dev/provenance/v0.2","predicateBuildType": "tekton.dev/v1beta1/TaskRun","signatures": [{"keyid": "SHA256:e4L3Gc1IzSdQHt8jUTiRVIZsVJYB68mN9nWcOYtwX4g","sig": "MEUCIQCzQkwj+7mHECJnaosbuT9T84fVYz16KKIRlwe41FObMAIgJgE7vgw5Uc1JVQ0JAsZVl4rEtkr984fOFgmWgUZS9oI="}]},{"type": "https://in-toto.io/Statement/v0.1","predicateType": "https://slsa.dev/provenance/v0.2","predicateBuildType": "tekton.dev/v1beta1/TaskRun","signatures": [{"keyid": "SHA256:e4L3Gc1IzSdQHt8jUTiRVIZsVJYB68mN9nWcOYtwX4g","sig": "MEUCID7N9Rup9VAuzEdk+Unsdv270rB4EzNncNFkKeK3QSy0AiEAhJWDDpe11VOU8yDU5I/RTbHwj6C47h6NYdVk51sdlyo="}]},{"type": "https://in-toto.io/Statement/v0.1","predicateType": "https://slsa.dev/provenance/v0.2","predicateBuildType": "tekton.dev/v1beta1/TaskRun","signatures": [{"keyid": "SHA256:e4L3Gc1IzSdQHt8jUTiRVIZsVJYB68mN9nWcOYtwX4g","sig": "MEUCICl3/WAeqYuFCYqSveZd+WR3bn8zoOXTYRB7zEZSwAu5AiEAuFjPnG4Dc1oQyG9lGUANdBBhqP1sleAhj9xgvtP87Bo="}]},{"type": "https://in-toto.io/Statement/v0.1","predicateType": "https://slsa.dev/provenance/v0.2","predicateBuildType": "tekton.dev/v1beta1/TaskRun","signatures": [{"keyid": "SHA256:e4L3Gc1IzSdQHt8jUTiRVIZsVJYB68mN9nWcOYtwX4g","sig": "MEQCIHXR+42E8tMYvNyk9pKVquHKG2vjZt/QM8FQDe/UXQLjAiB/iCg/mW+S/4LCxK4j6ZMtb2qmjXcnUIOKvwYsC4wjbA=="}]},{"type": "https://in-toto.io/Statement/v0.1","predicateType": "https://slsa.dev/provenance/v0.2","predicateBuildType": "tekton.dev/v1beta1/TaskRun","signatures": [{"keyid": "SHA256:e4L3Gc1IzSdQHt8jUTiRVIZsVJYB68mN9nWcOYtwX4g","sig": "MEQCIEr8dSERRlMPPbHw30QLIqeZ4/NdpWE3rC/EhlzpkWNUAiAxmKtCdJ9F4QgTE15qqp/QOrcVLaaY4qg1yejTrQjMRA=="}]},{"type": "https://in-toto.io/Statement/v0.1","predicateType": "https://slsa.dev/provenance/v0.2","predicateBuildType": "tekton.dev/v1beta1/TaskRun","signatures": [{"keyid": "SHA256:e4L3Gc1IzSdQHt8jUTiRVIZsVJYB68mN9nWcOYtwX4g","sig": "MEYCIQDAtDVm6a1cQ9iyQj5l/SJAwqhg3oSH9sVqMOgE4k374wIhAOHtiftxmURpyLsN7P+s9KsIyEEx7FAIe6rM/UXquSgq"}]},{"type": "https://in-toto.io/Statement/v0.1","predicateType": "https://slsa.dev/provenance/v0.2","predicateBuildType": "tekton.dev/v1beta1/TaskRun","signatures": [{"keyid": "SHA256:e4L3Gc1IzSdQHt8jUTiRVIZsVJYB68mN9nWcOYtwX4g","sig": "MEUCIQCkE5lJ+gDS62vz68AXbP2c7cj4kkM3EdxzEsFoHsTzBQIgFbtELbWoJLwCGHv8YSHZT/+ZcNl8qg/qSRjN8ejH7Qc="}]},{"type": "https://in-toto.io/Statement/v0.1","predicateType": "https://slsa.dev/provenance/v0.2","predicateBuildType": "tekton.dev/v1beta1/TaskRun","signatures": [{"keyid": "SHA256:e4L3Gc1IzSdQHt8jUTiRVIZsVJYB68mN9nWcOYtwX4g","sig": "MEUCIEnkBPa4Fg9H5dT+IhUuEJ0/x3pp0TgPSh556VeejyclAiEAz/o1zyniMCBW0FHucVs1j2j0I78BtLP0tyDPfFD4XOA="}]},{"type": "https://in-toto.io/Statement/v0.1","predicateType": "https://slsa.dev/provenance/v0.2","predicateBuildType": "tekton.dev/v1beta1/TaskRun","signatures": [{"keyid": "SHA256:e4L3Gc1IzSdQHt8jUTiRVIZsVJYB68mN9nWcOYtwX4g","sig": "MEUCIQDFYDc66T5nNHLhewUZ1tNTqAJsj6ILivOJPxmqaiegKQIgTNUEzJp2BbSlpJiF2Qa83R3FjRMOzNWXsr85+xC4v4Q="}]},{"type": "https://in-toto.io/Statement/v0.1","predicateType": "https://slsa.dev/provenance/v0.2","predicateBuildType": "tekton.dev/v1beta1/TaskRun","signatures": [{"keyid": "SHA256:e4L3Gc1IzSdQHt8jUTiRVIZsVJYB68mN9nWcOYtwX4g","sig": "MEUCIBqk2+FEr2GVH8A9Ch8ehUFPrs8DRPl+WwgWYRI/0xS8AiEArFkKRhWwzHD/lPFMTXbyIpfiVbEb8iPUQ7iEA79Ey98="}]},{"type": "https://in-toto.io/Statement/v0.1","predicateType": "https://slsa.dev/provenance/v0.2","predicateBuildType": "tekton.dev/v1beta1/TaskRun","signatures": [{"keyid": "SHA256:e4L3Gc1IzSdQHt8jUTiRVIZsVJYB68mN9nWcOYtwX4g","sig": "MEUCIFk+Nv28xpm6fYRMuUtH15elxxcwJ2shA/lbq8y+R6LVAiEAhZ31yUqxyJ4xUTXBnaKkiQG58ol7DRFg610JVPHFhh4="}]},{"type": "https://in-toto.io/Statement/v0.1","predicateType": "https://slsa.dev/provenance/v0.2","predicateBuildType": "tekton.dev/v1beta1/TaskRun","signatures": [{"keyid": "SHA256:e4L3Gc1IzSdQHt8jUTiRVIZsVJYB68mN9nWcOYtwX4g","sig": "MEUCIE8lPDo+/O2xdxfSTW6aElaoGSoekhZ3q70uE+T5fDGtAiEAwhyYiUM2mb2rF70EsWRenj8cJatwMkBW7gAG9p9FWHs="}]},{"type": "https://in-toto.io/Statement/v0.1","predicateType": "https://slsa.dev/provenance/v0.2","predicateBuildType": "tekton.dev/v1beta1/TaskRun","signatures": [{"keyid": "SHA256:e4L3Gc1IzSdQHt8jUTiRVIZsVJYB68mN9nWcOYtwX4g","sig": "MEQCIFErBJFSQYJ0Snp5UWVyvDqxqYLApk1nAgTbSoy7nkB3AiAyZWsoPljKtcx8oZHQK3V+918gemZgOtK8kYuoovkOXw=="}]},{"type": "https://in-toto.io/Statement/v0.1","predicateType": "https://slsa.dev/provenance/v0.2","predicateBuildType": "tekton.dev/v1beta1/TaskRun","signatures": [{"keyid": "SHA256:e4L3Gc1IzSdQHt8jUTiRVIZsVJYB68mN9nWcOYtwX4g","sig": "MEUCIAT7Vq3es7DwnSjAG8jZ1mvnHj85bQ1/DZyaMDyPX+jGAiEAxy9PhgGCLSy6ktwsoRikdfPiT5WxVhU7aoIy/Kbq+jc="}]},{"type": "https://in-toto.io/Statement/v0.1","predicateType": "https://slsa.dev/provenance/v0.2","predicateBuildType": "tekton.dev/v1beta1/TaskRun","signatures": [{"keyid": "SHA256:e4L3Gc1IzSdQHt8jUTiRVIZsVJYB68mN9nWcOYtwX4g","sig": "MEUCIFEGLEASVn1VNDfZ5L3philmke6UxTyvq7L08aIcmA3sAiEA9P5w5YuiGWHHZhMsNzIANANuWYk8WCFdl6Z/NBbGLpE="}]},{"type": "https://in-toto.io/Statement/v0.1","predicateType": "https://slsa.dev/provenance/v0.2","predicateBuildType": "tekton.dev/v1beta1/TaskRun","signatures": [{"keyid": "SHA256:e4L3Gc1IzSdQHt8jUTiRVIZsVJYB68mN9nWcOYtwX4g","sig": "MEYCIQC5vEoW2Iitto3qybgGj1mi5aOnkREQnB78PstZrBJKIAIhAPzJn62duj2V8kS8gw+mDPkGs3EKVfV7K/493nud5lfq"}]},{"type": "https://in-toto.io/Statement/v0.1","predicateType": "https://slsa.dev/provenance/v0.2","predicateBuildType": "tekton.dev/v1beta1/PipelineRun","signatures": [{"keyid": "SHA256:e4L3Gc1IzSdQHt8jUTiRVIZsVJYB68mN9nWcOYtwX4g","sig": "MEUCIHSijltSqA3wiXK9tR1hGs/g+BBJJMVW4SiIfjtE0Tm+AiEA+xQ7Mwk0jZpeEkWEMCB4nT+smAnNhZLaP8RmX4PKrS0="}]},{"type": "https://in-toto.io/Statement/v0.1","predicateType": "https://slsa.dev/provenance/v0.2","predicateBuildType": "tekton.dev/v1beta1/PipelineRun","signatures": [{"keyid": "SHA256:e4L3Gc1IzSdQHt8jUTiRVIZsVJYB68mN9nWcOYtwX4g","sig": "MEQCIBvO3ncm8EvBhPLcJ379MMGUg6RCvNkPraSDX7/Ih60IAiBmAHTI36fF8KvqYiFHFEweJSQRqhy9rc2pJE9f7sfzQw=="}]},{"type": "https://in-toto.io/Statement/v0.1","predicateType": "https://slsa.dev/provenance/v0.2","predicateBuildType": "tekton.dev/v1beta1/PipelineRun","signatures": [{"keyid": "SHA256:e4L3Gc1IzSdQHt8jUTiRVIZsVJYB68mN9nWcOYtwX4g","sig": "MEQCIBWP849KikYuDqoQuilLOmFIoLYDEWEhN3xjAeGzbBnfAiBuinu5BIhQnebz5AXe+/7xNpcuzVr/p2+vEzQAwd1OGw=="}]},{"type": "https://in-toto.io/Statement/v0.1","predicateType": "https://slsa.dev/provenance/v0.2","predicateBuildType": "tekton.dev/v1beta1/PipelineRun","signatures": [{"keyid": "SHA256:e4L3Gc1IzSdQHt8jUTiRVIZsVJYB68mN9nWcOYtwX4g","sig": "MEYCIQD8C0r0Nk3oT0ZUU9Z+8hQ7xM8QmRUFefMNElwEa7YGjQIhANYW3ksvWHP8BZI1BElS1WxtAn3qe+MLd0SVS4l1/e48"}]},{"type": "https://in-toto.io/Statement/v0.1","predicateType": "https://slsa.dev/provenance/v0.2","predicateBuildType": "tekton.dev/v1beta1/PipelineRun","signatures": [{"keyid": "SHA256:e4L3Gc1IzSdQHt8jUTiRVIZsVJYB68mN9nWcOYtwX4g","sig": "MEQCIGdGySbkDpuqQh5rYGsWOoe8OKsp26YllrFCF75cvsYCAiBP+J4UBf+ZJkECm0jjihYVLBqJG28wbbNAFgS67SAyvg=="}]},{"type": "https://in-toto.io/Statement/v0.1","predicateType": "https://slsa.dev/provenance/v0.2","predicateBuildType": "tekton.dev/v1beta1/PipelineRun","signatures": [{"keyid": "SHA256:e4L3Gc1IzSdQHt8jUTiRVIZsVJYB68mN9nWcOYtwX4g","sig": "MEYCIQD60UpwIuVJacwq7ZWtX9Tmrx+uy0vscin3GbIo7Veq4QIhAIhwsjZGbT2IacLfckriXjyx43ib0smpIYA3LYg+H76y"}]},{"type": "https://in-toto.io/Statement/v0.1","predicateType": "https://slsa.dev/provenance/v0.2","predicateBuildType": "tekton.dev/v1beta1/PipelineRun","signatures": [{"keyid": "SHA256:e4L3Gc1IzSdQHt8jUTiRVIZsVJYB68mN9nWcOYtwX4g","sig": "MEQCIAJmpKXXLdGq0WdttujZs0xd8SL4sqLMY4iQy+6H6F12AiBCweCG0n3z/4ug/ewL0ODk6SAV63B8RMq3Z++z1l0/lQ=="}]},{"type": "https://in-toto.io/Statement/v0.1",
"predicateType": "https://slsa.dev/provenance/v0.2","predicateBuildType": "tekton.dev/v1beta1/PipelineRun","signatures": [{"keyid": "SHA256:e4L3Gc1IzSdQHt8jUTiRVIZsVJYB68mN9nWcOYtwX4g","sig": "MEYCIQCBjT44ZL+Oe/sF53XsHKmTlfykhxDJTtKZ8j5VoznHXgIhAPgsWRY7ltJzwd8MnETqHyomWVRbchPu0DxhwXH3hRnJ"}]}]}],"key": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEpxDuQXdjAQVvB2SJjY/3t0+JMF8V\npxXONvcjSt2WrphJN4G+kxpXAp47w/3k++967DMYO4NV4WJekH07uZT1rg==\n-----END PUBLIC KEY-----\n","policy": {"name": "Default","description": "Includes rules for levels 1, 2 & 3 of SLSA v0.1. This is the default config used for new Konflux applications. Available collections are defined in https://redhat-appstudio.github.io/docs.stonesoup.io/ec-policies/release_policy.html#_available_rule_collections. If a different policy configuration is desired, this resource can serve as a starting point. See the docs on how to include and exclude rules https://redhat-appstudio.github.io/docs.stonesoup.io/ec-policies/policy_configuration.html#_including_and_excluding_rules.","sources": [{"name": "Default","policy": ["oci::quay.io/conforma/release-policy:konflux@sha256:6eb386faaf76de0d7dbc9f9e770a7f5639ebcee88e4ed4f004f8053189b21eae"],"data": ["oci::quay.io/konflux-ci/tekton-catalog/data-acceptable-bundles:latest@sha256:0affee8ccc186d69e31deb44106c1d6a0aac5774408935025033db7c1a5e8dd9","git::github.com/release-engineering/rhtap-ec-policy.git//data?ref=dd1a3dd1bf2299e1da9936b89e7279b6ab443bec"],"config": {"include": ["@slsa3"]}}],"publicKey": "k8s://openshift-pipelines/public-key"},"ec-version": "v0.9.2","effective-time": "2026-03-27T00:06:27.101013578Z"}