verify artifacts, enforce policies

Securely verify supply chain artifacts, and enforce policies about how they were built and tested, in a manageable, scalable, and declarative way.

Built with Sigstore and Open Policy Agent

Enterprise Contract builds on the industry standard open source solutions for artifact provenance verification and policy validation, backed by the Open Source Security Foundation and the Cloud Native Computing Foundation.

Verify provenance & apply policies in a single step

Produce human-readable output for provenance or policy violations. Verify SLSA compliance with extensible policies. Verify single or multiple images with collated output. Access configuration, data, and policy rules from multiple sources.

Fits into your existing CI/CD pipelines

Enterprise Contract is platform-agnostic. With its multi-format output, it fits easily into your CI/CD workflow. Use it as a post-build CI check, as a gate for releases, as a deploy-time verifier, or anywhere in between.

Red Hat Trusted Application Pipeline Integration

Adopted by Red Hat for their own next-generation cloud build systems. Integrated with RHTAP & Konflux CI.

Recently Published

Policies Polyglot: Evaluating Custom Predicates

Posted on March 20, 2024

Attestations are a wonderful way to attach metadata to container images in a secure manner. One of the most popular formats is SLSA Provenance, which is used to provide information on how the image was created. Our Hitchhiker’s Guide demonstrates how to write policies to assert the contents of the SLSA Provenance. Here, we expand on that approach to assert the contents of any attestation format, even completely made-up ones.
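As an added illustration of the idea in that teaser (this is not code from the post or from the Enterprise Contract project), the following Open Policy Agent policy asserts the contents of a made-up predicate type carried in an in-toto Statement. It assumes a hypothetical predicate type `https://example.com/predicates/security-scan/v1` with `scanner`, `critical` and `high` fields, and it assumes the evaluator presents each Statement attached to the image as an element of `input.attestations`; both are assumptions, not the real tool's contract. The embedded sample Statement is constructed for the unit tests, which run with `opa test .` on an OPA release that supports `import rego.v1`.

```rego
package policy.custom_predicate

import rego.v1

# Hypothetical predicate type for a made-up "security scan" attestation.
scan_predicate_type := "https://example.com/predicates/security-scan/v1"

# Assumption: the evaluator exposes each in-toto Statement attached to the
# image as an element of input.attestations. Adjust to your tool's input shape.
security_scans contains statement if {
	some statement in input.attestations
	statement.predicateType == scan_predicate_type
}

# Deny when the image carries no security-scan attestation at all.
deny contains msg if {
	count(security_scans) == 0
	msg := sprintf("no attestation with predicateType %q found", [scan_predicate_type])
}

# Deny when any security-scan attestation reports critical findings.
deny contains msg if {
	some scan in security_scans
	scan.predicate.critical > 0
	msg := sprintf("%s reports %d critical findings", [scan.predicate.scanner, scan.predicate.critical])
}

# Constructed sample Statement used only by the unit tests below.
# The digest is a placeholder, not a real image digest.
sample_statement := {
	"_type": "https://in-toto.io/Statement/v1",
	"subject": [{
		"name": "registry.example.com/app",
		"digest": {"sha256": "0000000000000000000000000000000000000000000000000000000000000000"},
	}],
	"predicateType": scan_predicate_type,
	"predicate": {"scanner": "example-scanner", "critical": 0, "high": 2},
}

# A clean scan attestation produces no violations.
test_clean_scan_passes if {
	count(deny) == 0 with input as {"attestations": [sample_statement]}
}

# A scan with critical findings is denied with exactly one message.
test_critical_findings_denied if {
	failing := object.union(sample_statement, {"predicate": {"scanner": "example-scanner", "critical": 1, "high": 0}})
	result := deny with input as {"attestations": [failing]}
	count(result) == 1
}

# An image with no scan attestation at all is denied.
test_missing_attestation_denied if {
	result := deny with input as {"attestations": []}
	count(result) == 1
}
```

The two `deny` rules show the pattern the post is about: first select Statements by `predicateType`, then assert on fields inside `predicate` as if they were ordinary JSON. The same structure applies to any predicate you define yourself, since the policy never depends on the predicate being a standard format such as SLSA Provenance.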