verify-enterprise-contract
API Version: tekton.dev/v1
Params
- IMAGES: Spec section of an ApplicationSnapshot resource. Not all fields of the resource are required. A minimal example: `{ "components": [ { "containerImage": "quay.io/example/repo:latest" } ] }`. Each "containerImage" in the "components" array is validated.
- POLICY_CONFIGURATION: Name of the policy configuration (EnterpriseContractPolicy resource) to use. Both `namespace/name` and `name` syntax are supported. If the namespace is omitted, the namespace where the task runs is used. Default: `enterprise-contract-service/default`
- PUBLIC_KEY: Public key used to verify signatures. Must be a valid k8s cosign reference, e.g. `k8s://my-space/my-secret`, where `my-secret` contains the expected `cosign.pub` attribute.
- REKOR_HOST: Rekor host for transparency log lookups.
- IGNORE_REKOR: Skip Rekor transparency log checks during validation. Default: `false`
- TUF_MIRROR: TUF mirror URL. Provide a value when not using the public sigstore deployment.
- SSL_CERT_DIR: Path to a directory containing SSL certs to be used when communicating with external services. This is useful when using the integrated registry and a local instance of Rekor on a development cluster, which may use certificates issued by a root CA that is not commonly trusted. In such cases, "/var/run/secrets/kubernetes.io/serviceaccount" is a good value. Multiple paths can be provided by using the ":" separator.
- INFO: Include rule titles and descriptions in the output. Set to "false" to disable it. Default: `true`
- STRICT: Fail the task if policy fails. Set to "false" to disable it. Default: `true`
- HOMEDIR: Value for the HOME environment variable. Default: `/tekton/home`
- EFFECTIVE_TIME: Run policy checks with the provided time. Default: `now`
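
A pre-flight check over these parameters, as an added example that is not part of the task or its project: it applies the rules stated above for IMAGES, POLICY_CONFIGURATION and PUBLIC_KEY, and warns on the two settings that relax verification (IGNORE_REKOR, STRICT). The `preflight` and `resolve_policy` helpers and the sample values are hypothetical, and it assumes every param is passed as a string.

```python
import json
import re

# Constructed sample values; parameter names and defaults come from the list above.
SAMPLE_PARAMS = {
    "IMAGES": '{"components": [{"containerImage": "quay.io/example/repo:latest"}, {}]}',
    "POLICY_CONFIGURATION": "default",
    "PUBLIC_KEY": "k8s://my-space/my-secret",
    "IGNORE_REKOR": "true",
    "STRICT": "false",
}
DEFAULT_POLICY = "enterprise-contract-service/default"
K8S_KEY_REF = re.compile(r"^k8s://[^/\s]+/[^/\s]+$")


def resolve_policy(ref, task_namespace):
    """Split POLICY_CONFIGURATION; a bare name resolves in the task's namespace."""
    namespace, sep, name = ref.partition("/")
    return (namespace, name) if sep else (task_namespace, ref)


def preflight(params, task_namespace):
    """Hypothetical helper: lint a parameter set before creating the TaskRun."""
    errors, warnings = [], []
    try:
        components = json.loads(params.get("IMAGES", "")).get("components")
    except (ValueError, AttributeError):
        errors.append("IMAGES is not a JSON object")
    else:
        if not isinstance(components, list) or not components:
            errors.append("IMAGES.components is missing or empty: nothing is validated")
        else:
            for i, comp in enumerate(components):
                if not isinstance(comp, dict) or not comp.get("containerImage"):
                    errors.append(f"components[{i}] has no containerImage")
    key = params.get("PUBLIC_KEY", "")
    if key and not K8S_KEY_REF.match(key):
        errors.append("PUBLIC_KEY is not a k8s://namespace/secret reference")
    if params.get("IGNORE_REKOR", "false") == "true":
        warnings.append("IGNORE_REKOR=true skips Rekor transparency log checks")
    if params.get("STRICT", "true") == "false":
        warnings.append("STRICT=false lets the task succeed when policy fails")
    policy = resolve_policy(params.get("POLICY_CONFIGURATION", DEFAULT_POLICY), task_namespace)
    return {"policy": policy, "errors": errors, "warnings": warnings}


if __name__ == "__main__":
    print(preflight(SAMPLE_PARAMS, "my-space"))
```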