API Version:


Verify the enterprise contract is met


  • IMAGES: Spec section of an ApplicationSnapshot resource. Not all fields of the resource are required. A minimal example: { "components": [ { "containerImage": "" } ] } Each "containerImage" in the "components" array is validated.

  • POLICY_CONFIGURATION: Name of the policy configuration (EnterpriseContractPolicy resource) to use. `namespace/name` or `name` syntax supported. If namespace is omitted the namespace where the task runs is used.

    Default: enterprise-contract-service/default

  • PUBLIC_KEY: Public key used to verify signatures. Must be a valid k8s cosign reference, e.g. k8s://my-space/my-secret where my-secret contains the expected attribute.

  • REKOR_HOST: Rekor host for transparency log lookups

  • IGNORE_REKOR: Skip Rekor transparency log checks during validation.

    Default: false

  • TUF_MIRROR: TUF mirror URL. Provide a value when NOT using public sigstore deployment.

  • SSL_CERT_DIR: Path to a directory containing SSL certs to be used when communicating with external services. This is useful when using the integrated registry and a local instance of Rekor on a development cluster which may use certificates issued by a not-commonly trusted root CA. In such cases, "/var/run/secrets/" is a good value. Multiple paths can be provided by using the ":" separator.

  • INFO: Include rule titles and descriptions in the output. Set to "false" to disable it.

    Default: true

  • STRICT: Fail the task if policy fails. Set to "false" to disable it.

    Default: true

  • HOMEDIR: Value for the HOME environment variable.

    Default: /tekton/home

  • EFFECTIVE_TIME: Run policy checks with the provided time.

    Default: now


  • TEST_OUTPUT: Short summary of the policy evaluation for each image