{"success": true,"components": [{"name": "tsf-comp-azfv","containerImage": "quay.io/rhtap_qe/default-tenant/tsf-comp-azfv@sha256:2d81b1b9a1f9067a512ed2b29653a4f121d0e1df5e379383cb1eba02caed249f","source": {"git": {"url": "https://github.com/rhads-tsf-qe/testrepo","revision": "174c7d828cd45dca81f791bc05f0a85b237b6ff3"}},"successes": [{"msg": "Pass","metadata": {"code": "attestation_type.known_attestation_type","collections": ["minimal","redhat","redhat_rpms","slsa3"],"depends_on": ["attestation_type.pipelinerun_attestation_found"],"description": "Confirm the attestation found for the image has a known attestation type.","title": "Known attestation type found"}},{"msg": "Pass","metadata": {"code": "attestation_type.pipelinerun_attestation_found","collections": ["minimal","redhat","redhat_rpms","slsa3"],"description": "Confirm at least one PipelineRun attestation is present.","title": "PipelineRun attestation found"}},{"msg": "Pass","metadata": {"code": "builtin.attestation.signature_check","description": "The attestation signature matches available signing materials.","title": "Attestation signature check passed"}},{"msg": "Pass","metadata": {"code": "builtin.attestation.syntax_check","description": "The attestation has correct syntax.","title": "Attestation syntax check passed"}},{"msg": "Pass","metadata": {"code": "builtin.image.signature_check","description": "The image signature matches available signing materials.","title": "Image signature check passed"}},{"msg": "Pass","metadata": {"code": "slsa_build_build_service.allowed_builder_ids_provided","collections": ["slsa3","redhat","redhat_rpms","policy_data"],"description": "Confirm the `allowed_builder_ids` rule data was provided, since it is required by the policy rules in this package.","title": "Allowed builder IDs provided"}},{"msg": "Pass","metadata": {"code": "slsa_build_build_service.slsa_builder_id_accepted","collections": ["slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify that the attestation attribute predicate.builder.id is set to one of the values in the `allowed_builder_ids` rule data, e.g. \"https://tekton.dev/chains/v2\".","title": "SLSA Builder ID is known and accepted"}},{"msg": "Pass","metadata": {"code": "slsa_build_build_service.slsa_builder_id_found","collections": ["slsa3","redhat"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify that the attestation attribute predicate.builder.id is set.","title": "SLSA Builder ID found"}},{"msg": "Pass","metadata": {"code": "slsa_build_scripted_build.build_script_used","collections": ["slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify that the predicate.buildConfig.tasks.steps attribute for the task responsible for building and pushing the image is not empty.","title": "Build task contains steps"}},{"msg": "Pass","metadata": {"code": "slsa_build_scripted_build.build_task_image_results_found","collections": ["slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Confirm that a build task exists and it has the expected IMAGE_DIGEST and IMAGE_URL task results.","title": "Build task set image digest and url task results"}},{"msg": "Pass","metadata": {"code": "slsa_build_scripted_build.subject_build_task_matches","collections": ["slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify the subject of the attestations matches the IMAGE_DIGEST and IMAGE_URL values from the build task.","title": "Provenance subject matches build task image result"}},{"msg": "Pass","metadata": {"code": "slsa_provenance_available.allowed_predicate_types_provided","collections": ["minimal","slsa3","redhat","redhat_rpms","policy_data"],"description": "Confirm the `allowed_predicate_types` rule data was provided, since it is required by the policy rules in this package.","title": "Allowed predicate types provided"}},{"msg": "Pass","metadata": {"code": "slsa_provenance_available.attestation_predicate_type_accepted","collections": ["minimal","slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify that the predicateType field of the attestation indicates the in-toto SLSA Provenance format was used to attest the PipelineRun.","title": "Expected attestation predicate type found"}},{"msg": "Pass","metadata": {"code": "slsa_source_correlated.attested_source_code_reference","collections": ["minimal","slsa3","redhat"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Attestation contains source reference.","title": "Source reference"}},{"msg": "Pass","metadata": {"code": "slsa_source_correlated.expected_source_code_reference","collections": ["minimal","slsa3","redhat"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Verify that the provided source code reference is the one being attested.","title": "Expected source code reference"}},{"msg": "Pass","metadata": {"code": "slsa_source_correlated.rule_data_provided","collections": ["minimal","slsa3","redhat","redhat_rpms","policy_data"],"description": "Confirm the expected rule data keys have been provided in the expected format. The keys are `supported_vcs` and `supported_digests`.","title": "Rule data provided"}},{"msg": "Pass","metadata": {"code": "slsa_source_correlated.source_code_reference_provided","collections": ["minimal","slsa3","redhat","redhat_rpms"],"description": "Check if the expected source code reference is provided.","title": "Source code reference provided"}},{"msg": "Pass","metadata": {"code": "slsa_source_version_controlled.materials_format_okay","collections": ["minimal","slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Confirm at least one entry in the predicate.materials array of the attestation contains the expected attributes: uri and digest.sha1.","title": "Materials have uri and digest"}},{"msg": "Pass","metadata": {"code": "slsa_source_version_controlled.materials_include_git_sha","collections": ["minimal","slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Ensure that each entry in the predicate.materials array with a SHA-1 digest includes a valid Git commit SHA.","title": "Materials include git commit shas"}},{"msg": "Pass","metadata": {"code": "slsa_source_version_controlled.materials_uri_is_git_repo","collections": ["minimal","slsa3","redhat","redhat_rpms"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Ensure each entry in the predicate.materials array with a SHA-1 digest includes a valid Git URI.","title": "Material uri is a git repo"}},{"msg": "Pass","metadata": {"code": "tasks.pipeline_has_tasks","collections": ["minimal","redhat","redhat_rpms","slsa3"],"depends_on": ["attestation_type.known_attestation_type"],"description": "Ensure that at least one Task is present in the PipelineRun attestation.","title": "Pipeline run includes at least one task"}},{"msg": "Pass","metadata": {"code": "tasks.successful_pipeline_tasks","collections": ["minimal","redhat","redhat_rpms","slsa3"],"depends_on": ["tasks.pipeline_has_tasks"],"description": "Ensure that all of the Tasks in the Pipeline completed successfully. Note that skipped Tasks are not taken into account and do not influence the outcome.","title": "Successful pipeline tasks"}}],"success": true,"signatures": [{"keyid": "","sig": "MEQCIDid+XHsXEQlhYGa1PwjXD6+UgVJU7LRYtKxfjwFxcrEAiBWGRXIV80bKZWO7z6QvFtP2OhiFjxs7oXPfvQ8zbxOkg=="},{"keyid": "","sig": "MEYCIQCpCTMEd51L6L5PPkWIccN86W96tLEcrJH3xkA07msaOAIhAMFmShgkVBRCLv7584WDhgWAxf2dhuQc6AayYD414gks"},{"keyid": "","sig": "MEUCIFChhI+zzJbgC/WF9RonGv7ekdBm+cX0lXUWf0jmF2/yAiEAv5pzYXWgsHvxUhNVxeMsA5CfakNGka/R2qzUnAESGPc="}],"attestations": [{"type": "https://in-toto.io/Statement/v0.1",
"predicateType": "https://slsa.dev/provenance/v0.2","predicateBuildType": "tekton.dev/v1beta1/TaskRun","signatures": [{"keyid": "SHA256:7P3JgGW26veYhsqQ4wg19EILLRPUIYIEetEdNvGd2nI","sig": "MEYCIQDyzwGC07rQGfJT2IlnDzh4Bvkid8LYTLYerbLgcm6c6QIhALyPEyO6PbbqpKNqfyNRmsjHbyWz1oxyyPBs4yJCXGG+"}]},{"type": "https://in-toto.io/Statement/v0.1","predicateType": "https://slsa.dev/provenance/v0.2","predicateBuildType": "tekton.dev/v1beta1/TaskRun","signatures": [{"keyid": "SHA256:7P3JgGW26veYhsqQ4wg19EILLRPUIYIEetEdNvGd2nI","sig": "MEUCIQDlRrsmtqEtvPmaQdyog4UX7SbuozeJ1oqqwMdt9nNr2QIgLyIc1Os4y0lTunKW/FvYFz70+l8zQbhWoqNz04FasL4="}]},{"type": "https://in-toto.io/Statement/v0.1","predicateType": "https://slsa.dev/provenance/v0.2","predicateBuildType": "tekton.dev/v1beta1/PipelineRun","signatures": [{"keyid": "SHA256:7P3JgGW26veYhsqQ4wg19EILLRPUIYIEetEdNvGd2nI","sig": "MEUCIH4lLjdwU0GkDlkBdRdh29R/GotQc8USWOxXF6mn4nVUAiEAu4Agb7CNxzNrq+REN+Xfq7ff3CwsQV1L6a4Rde7mdb0="}]}]}],"key": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEcerC/71b6uIt/4/TYwfevSMdq5MN\nWt1Zl9VUwx/tKRdIkpkHg4EhvUI5xQhH/Fr6bbU6IUJED5+YQ1f83hoGTQ==\n-----END PUBLIC KEY-----\n","policy": {"name": "Default","description": "Includes rules for levels 1, 2 & 3 of SLSA v0.1. This is the default config used for new Konflux applications. Available collections are defined in https://redhat-appstudio.github.io/docs.stonesoup.io/ec-policies/release_policy.html#_available_rule_collections. If a different policy configuration is desired, this resource can serve as a starting point. See the docs on how to include and exclude rules https://redhat-appstudio.github.io/docs.stonesoup.io/ec-policies/policy_configuration.html#_including_and_excluding_rules.","sources": [{"name": "Default","policy": ["oci::quay.io/conforma/release-policy:konflux@sha256:6eb386faaf76de0d7dbc9f9e770a7f5639ebcee88e4ed4f004f8053189b21eae"],"data": ["oci::quay.io/konflux-ci/tekton-catalog/data-acceptable-bundles:latest@sha256:0affee8ccc186d69e31deb44106c1d6a0aac5774408935025033db7c1a5e8dd9","git::github.com/release-engineering/rhtap-ec-policy.git//data?ref=dd1a3dd1bf2299e1da9936b89e7279b6ab443bec"],"config": {"include": ["@slsa3"]}}],"publicKey": "k8s://openshift-pipelines/public-key"},"ec-version": "v0.9.2","effective-time": "2026-03-26T23:56:33.213012123Z"}