Version: 0.1


Verify the enterprise contract is met


IMAGES (string)

Spec section of an ApplicationSnapshot resource. Not all fields of the resource are required. A minimal example:

    {
      "components": [
        {
          "containerImage": ""
        }
      ]
    }

Each containerImage in the components array is validated.
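A pre-flight check for a string destined for IMAGES, as an added example that is not part of the task or its project. The function name, the sample registry and digest, the rejection of an empty components array, and the digest-pinning warning are assumptions of this example, not behaviour documented on this page.

```python
import json
import re

# Matches an OCI digest suffix such as "@sha256:<64 hex chars>".
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def check_images_param(images_json):
    """Return (errors, warnings) for a string meant for the IMAGES parameter."""
    errors, warnings = [], []
    try:
        spec = json.loads(images_json)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"], warnings
    components = spec.get("components") if isinstance(spec, dict) else None
    if not isinstance(components, list) or not components:
        # Assumption of this example: with no components nothing is validated.
        return ["'components' must be a non-empty array"], warnings
    for i, comp in enumerate(components):
        image = comp.get("containerImage") if isinstance(comp, dict) else None
        if not isinstance(image, str) or not image.strip():
            errors.append(f"components[{i}]: missing or empty containerImage")
        elif not DIGEST_RE.search(image):
            # Added check (assumption of this example): a tag can be moved
            # after verification, a digest cannot.
            warnings.append(f"components[{i}]: {image} is not pinned by digest")
    return errors, warnings


# Constructed sample input; the registry, repository and digest are made up.
SAMPLE = json.dumps({
    "components": [
        {"containerImage": "registry.example.com/team/app@sha256:" + "a" * 64},
        {"containerImage": "registry.example.com/team/api:latest"},
        {"name": "no-image"},
    ]
})

if __name__ == "__main__":
    errs, warns = check_images_param(SAMPLE)
    for line in errs:
        print("ERROR:", line)
    for line in warns:
        print("WARN:", line)
```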


Name of the policy configuration (EnterpriseContractPolicy resource) to use. Both namespace/name and name syntax are supported. If the namespace is omitted, the namespace where the task runs is used. You can also specify a policy configuration using a git url, e.g.

Default: enterprise-contract-service/default

PUBLIC_KEY (string)

Public key used to verify signatures. Must be a valid k8s cosign reference, e.g. k8s://my-space/my-secret where my-secret contains the expected attribute.

REKOR_HOST (string)

Rekor host for transparency log lookups


Skip Rekor transparency log checks during validation.

Default: false

TUF_MIRROR (string)

TUF mirror URL. Provide a value when not using the public sigstore deployment.

SSL_CERT_DIR (string)

Path to a directory containing SSL certs to be used when communicating with external services. This is useful when using the integrated registry and a local instance of Rekor on a development cluster, which may use certificates issued by a root CA that is not commonly trusted. In such cases, /var/run/secrets/ is a good value. Multiple paths can be provided by using the : separator.

INFO (string)

Include rule titles and descriptions in the output. Set to "false" to disable it.

Default: true

STRICT (string)

Fail the task if policy fails. Set to "false" to disable it.

Default: true

HOMEDIR (string)

Value for the HOME environment variable.

Default: /tekton/home


Run policy checks with the provided time.

Default: now


Merge additional Rego variables into the policy data. Use syntax "key=value,key2=value2…"



Short summary of the policy evaluation for each image