Policy Bundles

The policies and the data used by the policies are available as OCI artifacts compatible with the conftest pull command.

1. Location

The latest versions of the bundles can be found in the following repos:

quay.io/enterprise-contract/ec-release-policy

Used for validating attestations created by Tekton Chains. Contains the contents of policy/release and policy/lib in this repo.

quay.io/enterprise-contract/ec-pipeline-policy

Used for validating Tekton Pipeline definitions. Contains the contents of policy/pipeline and policy/lib.

2. Artifact Hub entries

The bundles mentioned above are also listed in Artifact Hub.

3. Example usage

The bundles are designed to be used with the ec-cli, but you can also use them with conftest directly. The input must have a top-level key named attestations whose value is a list of the (decoded) attestations for the image being validated. For example:

cosign download attestation quay.io/konflux-ci/ec-golden-image:latest | jq --slurp '{"attestations":[.[].payload|@base64d|fromjson]}' > input.json
conftest pull -p . quay.io/enterprise-contract/ec-release-policy quay.io/enterprise-contract/ec-policy-data
conftest test input.json -d data -p policy --all-namespaces -o json | yq -P
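The jq step above turns cosign's newline-delimited DSSE envelopes into that input shape. The following is an added example, not part of the Enterprise Contract project, that does the same transformation in Python on a constructed sample of cosign output and rejects payloads that are not in-toto Statements (the envelope contents and digests are made up):

```python
import base64
import json


def make_envelope(statement: dict) -> str:
    """Build one DSSE-style envelope line as `cosign download attestation` prints it
    (constructed sample; the signature is a placeholder, not a real one)."""
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    return json.dumps({
        "payloadType": "application/vnd.in-toto+json",
        "payload": payload,
        "signatures": [{"keyid": "", "sig": "constructed-placeholder"}],
    })


# Constructed sample: two provenance attestations for the same (made-up) image.
SAMPLE_COSIGN_OUTPUT = "\n".join([
    make_envelope({
        "_type": "https://in-toto.io/Statement/v0.1",
        "predicateType": "https://slsa.dev/provenance/v0.2",
        "subject": [{"name": "quay.io/example/app", "digest": {"sha256": "a" * 64}}],
        "predicate": {"buildType": "tekton.dev/v1beta1/PipelineRun"},
    }),
    make_envelope({
        "_type": "https://in-toto.io/Statement/v0.1",
        "predicateType": "https://slsa.dev/provenance/v0.2",
        "subject": [{"name": "quay.io/example/app", "digest": {"sha256": "a" * 64}}],
        "predicate": {"buildType": "https://example.com/other-builder"},
    }),
])


def build_conftest_input(cosign_output: str) -> dict:
    """Equivalent of `jq --slurp '{"attestations":[.[].payload|@base64d|fromjson]}'`:
    slurp one envelope per line, base64-decode and JSON-parse each payload, and
    wrap the list under the top-level "attestations" key that the policies expect."""
    attestations = []
    for line in cosign_output.splitlines():
        if not line.strip():
            continue  # tolerate blank lines between envelopes
        envelope = json.loads(line)
        statement = json.loads(base64.b64decode(envelope["payload"]))
        # Extra sanity check the jq one-liner does not do: every payload must be an
        # in-toto Statement, otherwise the policies would evaluate garbage input.
        if not isinstance(statement, dict) or "predicateType" not in statement \
                or "subject" not in statement:
            raise ValueError("payload is not an in-toto Statement")
        attestations.append(statement)
    return {"attestations": attestations}


if __name__ == "__main__":
    # Writes the same input.json the shell pipeline above produces.
    with open("input.json", "w") as fh:
        json.dump(build_conftest_input(SAMPLE_COSIGN_OUTPUT), fh, indent=2)
```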