verify-enterprise-contract

Version: 0.1

Synopsis

Verify the enterprise contract is met

Params

IMAGES (string)

Spec section of an ApplicationSnapshot resource. Not all fields of the resource are required. A minimal example:

  {
    "components": [
      {
        "containerImage": "quay.io/example/repo:latest"
      }
    ]
  }

Each containerImage in the components array is validated.

POLICY_CONFIGURATION (string)

Name of the policy configuration (EnterpriseContractPolicy resource) to use. namespace/name or name syntax supported. If namespace is omitted the namespace where the task runs is used. You can also specify a policy configuration using a git url, e.g. github.com/enterprise-contract/config//slsa3.

Default: enterprise-contract-service/default

PUBLIC_KEY (string)

Public key used to verify signatures. Must be a valid k8s cosign reference, e.g. k8s://my-space/my-secret where my-secret contains the expected cosign.pub attribute.

REKOR_HOST (string)

Rekor host for transparency log lookups

IGNORE_REKOR (string)

Skip Rekor transparency log checks during validation.

Default: false

TUF_MIRROR (string)

TUF mirror URL. Provide a value when NOT using public sigstore deployment.

SSL_CERT_DIR (string)

Path to a directory containing SSL certs to be used when communicating with external services. This is useful when using the integrated registry and a local instance of Rekor on a development cluster which may use certificates issued by a not-commonly trusted root CA. In such cases, /var/run/secrets/kubernetes.io/serviceaccount is a good value. Multiple paths can be provided by using the : separator.

CA_TRUST_CONFIGMAP_NAME (string)

The name of the ConfigMap to read CA bundle data from.

Default: trusted-ca

CA_TRUST_CONFIG_MAP_KEY (string)

The name of the key in the ConfigMap that contains the CA bundle data.

Default: ca-bundle.crt

INFO (string)

Include rule titles and descriptions in the output. Set to "false" to disable it.

Default: true

STRICT (string)

Fail the task if policy fails. Set to "false" to disable it.

Default: true

HOMEDIR (string)

Value for the HOME environment variable.

Default: /tekton/home

EFFECTIVE_TIME (string)

Run policy checks with the provided time.

Default: now

EXTRA_RULE_DATA (string)

Merge additional Rego variables into the policy data. Use syntax "key=value,key2=value2…​"

TIMEOUT (string)

Timeout setting for ec validate.

Default: 5m0s

WORKERS (string)

Number of parallel workers to use for policy evaluation.

Default: 1

SINGLE_COMPONENT (string)

Reduce the Snapshot to only the component whose build caused the Snapshot to be created

Default: false

SINGLE_COMPONENT_CUSTOM_RESOURCE (string)

Name, including kind, of the Kubernetes resource to query for labels when single component mode is enabled, e.g. pr/somepipeline.

Default: unknown

SINGLE_COMPONENT_CUSTOM_RESOURCE_NS (string)

Kubernetes namespace where the SINGLE_COMPONENT_NAME is found. Only used when single component mode is enabled.

Results

TEST_OUTPUT

Short summary of the policy evaluation for each image