verify artifacts, enforce policies
Securely verify supply chain artifacts, and enforce policies about how they were built and tested, in a manageable, scalable, and declarative way.
Enterprise Contract builds on the industry standard open source solutions for artifact provenance verification and policy validation, backed by the Open Source Security Foundation and the Cloud Native Computing Foundation.
Produce human readable output for provenance or policy violations. Verify SLSA compliance with extensible policies. Verify single or multiple images with collated output. Access configuration, data and policy rules from multiple sources.
Enterprise Contract is platform agnostic. With its multi-format output, it can easily fit into your CI/CD workflow. Use it as post-build CI, as a gate for releases, as a deploy-time verifier, or anywhere in between.
Adopted by Red Hat for their own next generation cloud build system and integrated in new RHTAP CI/CD pipelines.
In a previous blog post, we introduced the basic concepts of the Enterprise Contract. This time, we explore it further to showcase the usage of policies.
You may have heard of sigstore and its container image verification tool, cosign. This blog post introduces a policy-driven workflow, Enterprise Contract, built on those technologies.
We want to invite everyone to help to guide the future of Enterprise Contract.
Find our code on GitHub.
Join us for our weekly community meeting, held every Wednesday at 10am Eastern.
The meeting agenda and joining details are available as a Github issue shortly before the meeting.
Download calendar .ics file here