Release Policy

The Enterprise Contract CLI now places the attestation data in a different location. This check fails if the expected new format is not found.

Solution: Use a newer version of the Enterprise Contract CLI.

Confirm the attestation found for the image has a known attestation type.

Solution: Make sure the "_type" field in the attestation is supported. Supported types are configured in data sources.

Confirm the known_attestation_types rule data was provided.

Solution: Provide a list of known attestation types.

Confirm at least one PipelineRun attestation is present.

Solution: Make sure the attestation being verified was generated from a Tekton pipelineRun.

Confirm the allowed_registry_prefixes rule data was provided, since it’s required by the policy rules in this package.

Solution: Make sure to configure a list of trusted registries as a data source.

Verify that the base images used when building a container image come from a known set of trusted registries to reduce potential supply chain attacks. By default this policy defines trusted registries as registries that are fully maintained by Red Hat and only contain content produced by Red Hat. The list of permitted registries can be customized by setting the allowed_registry_prefixes list in the rule data. Base images that are found in the snapshot being validated are also allowed since EC will also validate those images individually.

Solution: Make sure the image used in each task comes from a trusted registry. The list of trusted registries is a configurable data source.

Verify the expected information was provided about which base images were used during the build process.The list of base images comes from the components in the formulation attribute of any associated CycloneDX SBOMs.

Solution: Ensure a CycloneDX SBOM is associated with the image.

Verify the ADD_CAPABILITIES parameter of a builder Tasks was not used.

Solution: The ADD_CAPABILITIES parameter is not allowed for most container image builds. This, however, might be required for certain build types, e.g. flatpaks. Either unset the parameter or use a policy config that excludes this policy rule.

Verify the Dockerfile used in the buildah task was not fetched from an external source.

Solution: Make sure the 'DOCKERFILE' parameter does not come from an external source.

Verify the value of the PLATFORM parameter of a builder Task is allowed by matching against a list of disallowed patterns. The list of patterns can be customized via the disallowed_platform_patterns rule data key. If empty, all values are allowed.

Solution: Use a different PLATFORM value that is not disallowed by the policy config.

Verify the PRIVILEGED_NESTED parameter of a builder Tasks was not set to true.

Solution: Setting PRIVILEGED_NESTED parameter to true is not allowed for most container image builds. Either set the parameter value to false or use a policy config that excludes this policy rule.

Confirm the disallowed_platform_patterns rule data, if provided matches the expected format.

The SLSA Provenance attestation for the image is inspected to ensure CVEs that have a known fix and meet a certain security level have not been detected. If detected, this policy rule will fail. By default, only CVEs of critical and high security level cause a failure. This is configurable by the rule data key restrict_cve_security_levels. The available levels are critical, high, medium, low, and unknown. In addition to that leeway can be granted per severity using the cve_leeway rule data key containing days of allowed leeway, measured as time between found vulnerability’s public disclosure date and current effective time, per severity level.

Solution: Make sure to address any CVE’s related to the image. The CVEs are detected by the task that runs a Clair scan and emits a result named SCAN_OUTPUT.

The SLSA Provenance attestation for the image is inspected to ensure CVEs that do NOT have a known fix and meet a certain security level have not been detected. If detected, this policy rule will fail. By default, the list of security levels used by this policy is empty. This is configurable by the rule data key restrict_unpatched_cve_security_levels. The available levels are critical, high, medium, low, and unknown. In addition to that leeway can be granted per severity using the cve_leeway rule data key containing days of allowed leeway, measured as time between found vulnerability’s public disclosure date and current effective time, per severity level.

Solution: CVEs without a known fix can only be remediated by either removing the impacted dependency, or by waiting for a fix to be available. The CVEs are detected by the task that emits a result named SCAN_OUTPUT.

Confirm that clair-scan task results are present in the SLSA Provenance attestation of the build pipeline.

Solution: Make sure there is a successful task in the build pipeline that runs a Clair scan and creates a task result called SCAN_OUTPUT.

The CLAIR_SCAN_RESULT result name has been deprecated, and has been replaced with SCAN_OUTPUT. If any task results with the old name are found, this rule will raise a warning.

Solution: Use the newer SCAN_OUTPUT result name.

The SLSA Provenance attestation for the image is inspected to ensure CVEs that have a known fix and meet a certain security level have not been detected. If detected, this policy rule will raise a warning. By default, the list of CVE security levels used by this policy is empty. However, this is configurable by the rule data key warn_cve_security_levels. The available levels are critical, high, medium, low, and unknown.

Solution: Make sure to address any CVE’s related to the image. The CVEs are detected by the task that runs a Clair scan and emits a result named SCAN_OUTPUT.

The SLSA Provenance attestation for the image is inspected to ensure CVEs that do NOT have a known fix and meet a certain security level have not been detected. If detected, this policy rule will raise a warning. By default, only CVEs of critical and high security level cause a warning. This is configurable by the rule data key warn_unpatched_cve_security_levels. The available levels are critical, high, medium, low, and unknown.

Solution: CVEs without a known fix can only be remediated by either removing the impacted dependency, or by waiting for a fix to be available. The CVEs are detected by the task that emits a result named SCAN_OUTPUT.

Confirm the expected rule data keys have been provided in the expected format. The keys are restrict_cve_security_levels, warn_cve_security_levels, restrict_unpatched_cve_security_levels, and warn_unpatched_cve_security_levels.

Solution: If provided, ensure the rule data is in the expected format.

Verify the PipelineRun was initialized with a set of expected parameters. By default it asserts git-repo, git-revision, and output-image are provided with non-empty values. This is configurable by the rule data key pipeline_run_params. Any additional parameters are NOT allowed.

Confirm the pipeline_run_params rule data was provided.

Solution: Provide a non-empty list of expected PipelineRun parameters.

Verify the PipelineRun did not use any pre-existing PersistentVolumeClaim workspaces.

Check if the image signature certificate contains the expected GitHub extensions. These are the extensions that represent the GitHub workflow trigger, sha, name, repository, and ref.

Check if the value of the GitHub Workflow Name extension in the image signature certificate matches one of the allowed values. Use the rule data key allowed_gh_workflow_names to specify the list of allowed values. An empty allow list, which is the default value, causes this check to succeeded.

Check if the value of the GitHub Workflow Repository extension in the image signature certificate matches one of the allowed values. Use the rule data key allowed_gh_workflow_repos to specify the list of allowed values. An empty allow list, which is the default value, causes this check to succeeded.

Check if the value of the GitHub Workflow Ref extension in the image signature certificate matches one of the allowed values. Use the rule data key allowed_gh_workflow_refs to specify the list of allowed values. An empty allow list, which is the default value, causes this check to succeeded.

Check if the value of the GitHub Workflow Trigger extension in the image signature certificate matches one of the allowed values. Use the rule data key allowed_gh_workflow_triggers to specify the list of allowed values. An empty allow list, which is the default value, causes this check to succeeded.

Confirm the expected rule data keys have been provided in the expected format. The keys are allowed_gh_workflow_repos, allowed_gh_workflow_refs, allowed_gh_workflow_names, and allowed_gh_workflow_triggers.

Solution: If provided, ensure the rule data is in the expected format.

Verify the build task in the PipelineRun attestation was invoked with the proper parameters to make the build process hermetic.

Solution: Make sure the task that builds the image has a parameter named 'HERMETIC' and it’s set to 'true'.

The SBOM_JAVA_COMPONENTS_COUNT task result finds dependencies that have originated from foreign repositories, i.e. ones that are not rebuilt or provided by Red Hat. Verify there are no dependencies from sources not listed in the allowed_java_component_sources rule data.

Solution: Make sure there are no build dependencies that originate from foreign repositories. The allowed sources are in the rule_data under the key 'allowed_java_component_sources'.

Confirm the allowed_java_component_sources rule data was provided, since it’s required by the policy rules in this package.

Solution: Add a data source that contains allowable source repositories for build dependencies. The source must be located under a key named 'allowed_java_component_sources'. More information on adding data sources.

Check the image for the presence of labels that have been deprecated. Use the rule data key deprecated_labels to set the list of labels to check.

Solution: Update the image build process to not set the deprecated labels.

Check that certain labels on the image have different values than the labels from the parent image. If the label is inherited from the parent image but not redefined for the image, it will contain an incorrect value for the image. Use the rule data disallowed_inherited_labels key to set the list of labels to check, or the fbc_disallowed_inherited_labels key for fbc images.

Solution: Update the image build process to overwrite the inherited labels.

The image config is not accessible.

Solution: Check the provided authentication configuration and the credentials within it.

The image manifest is not accessible.

Solution: Check the provided authentication configuration and the credentials within it.

The parent image config is not accessible.

Solution: Check the provided authentication configuration and the credentials within it.

The parent image manifest is not accessible.

Solution: Check the provided authentication configuration and the credentials within it.

Check the image for the presence of labels that are recommended, but not required. Use the rule data optional_labels key to set the list of labels to check, or the fbc_optional_labels key for fbc images.

Solution: Update the image build process to set the optional labels.

Check the image for the presence of labels that are required. Use the rule data required_labels key to set the list of labels to check, or the fbc_required_labels key for fbc images.

Solution: Update the image build process to set the required labels.

Confirm the expected rule data keys have been provided in the expected format. The keys are required_labels, fbc_required_labels, optional_labels, fbc_optional_labels, disallowed_inherited_labels, fbc_disallowed_inherited_labels, and deprecated_labels.

Solution: If provided, ensure the rule data is in the expected format.

Check the spec.version value in the ClusterServiceVersion manifest of the OLM bundle uses a properly formatted semver.

Solution: Update the ClusterServiceVersion manifest of the OLM bundle to set the spec.version value to a valid semver.

Check the feature annotations in the ClusterServiceVersion manifest of the OLM bundle. All of required feature annotations must be present and set to either the string "true" or the string "false". The list of feature annotations can be customize via the required_olm_features_annotations rule data.

Solution: Update the ClusterServiceVersion manifest of the OLM bundle to set the feature annotations to the expected value.

Each image referenced by the OLM bundle should match an entry in the list of prefixes defined by the rule data key allowed_registry_prefixes in your policy configuration.

Solution: Use image from an allowed registry, or modify your policy configuration to include additional registry prefixes.

Confirm the required_olm_features_annotations rule data was provided, since it’s required by the policy rules in this package.

Check the value of the operators.openshift.io/valid-subscription annotation from the ClusterServiceVersion manifest is in the expected format, i.e. JSON encoded non-empty array of strings.

Solution: Update the ClusterServiceVersion manifest of the OLM bundle to set the subscription annotation to the expected value.

Check the input snapshot and make sure all the images are accessible.

Solution: Ensure all images in the input snapshot are valid.

Check the OLM bundle image for the presence of unmapped image references. Unmapped image pull references are references to images found in varying locations that are either not in the RPA about to be released or not accessible already.

Solution: Add the missing image to the snapshot or check if the CSV pullspec is valid and accessible.

Check the OLM bundle image for the presence of unpinned image references. Unpinned image pull references are references to images found in varying locations that do not contain a digest — uniquely identifying the version of the image being pulled.

Solution: Update the OLM bundle replacing the unpinned image reference with pinned image reference. Pinned image reference contains the image digest.

Check the input snapshot for the presence of unpinned image references. Unpinned image pull references are references to images that do not contain a digest — uniquely identifying the version of the image being pulled.

Solution: Update the input snapshot replacing the unpinned image reference with pinned image reference. Pinned image reference contains the image digest.

Confirm that the result of the git-clone task is included in the materials section of the SLSA provenance attestation.

Solution: The build pipeline must contain a task named 'git-clone' and that task must emit results named 'url' and 'commit' and contain the clone git repository and commit, respectively.

Confirm that the attestation contains a git-clone task with commit and url task results.

Solution: Make sure the build pipeline contains a task named 'git-clone'.

Check the image metadata for the presence of a "quay.expires-after" label. If it’s present then produce a violation. This check is enforced only for a "release" pipeline, as determined by the value of the pipeline_intention rule data.

Solution: Make sure the image is built without setting the "quay.expires-after" label. This label is usually set if the container image was built by an "on-pr" pipeline during pre-merge CI.

Confirm the attestation created by the RHTAP Multi-CI build pipeline matches the expected format.

Solution: This check looks for some fields expected to be present in the SLSA attestation. Modifying the scripts that produce the attestation predicate might cause this to fail. See also the att-predicate-*.sh scripts at https://github.com/redhat-appstudio/tssc-dev-multi-ci/tree/main/rhtap

Verify an attestation created by the RHTAP Multi-CI build pipeline is present.

Solution: It appears the build pipeline did not create the expected SLSA provenance attestation. Check for relevant error messages in the 'cosign-sign-attest' pipeline step logs.

Each RPM package listed in an SBOM must specify the repository id that it comes from, and that repository id must be present in the list of known and permitted repository ids. Currently this is rule enforced only for SBOM components created by cachi2.

Solution: Ensure every rpm comes from a known and permitted repository, and that the data in the SBOM correctly records that.

A list of known and permitted repository ids should be available in the rule data.

Solution: Include a data source that provides a list of known repository ids under the 'known_rpm_repositories' key under the top level 'rule_data' key.

The SLSA Provenance attestation for the image is inspected to ensure RPMs have been signed by pre-defined set of signing keys. The list of signing keys can be set via the allowed_rpm_signature_keys rule data. Use the special value "unsigned" to allow unsigned RPMs.

Solution: Make sure to use RPMs that have been signed by the expected signing key. An RPM lacking such signature, usually indicated the RPM is not ready for consumption.

Confirm the format of the RPMS_DATA result is in the expected format.

Confirm the expected allowed_rpm_signature_keys rule data key has been provided in the expected format.

Confirm the disallowed_packages and disallowed_attributes rule data were provided, since they are required by the policy rules in this package.

Solution: Provide a list of disallowed packages or package attributes in the expected format.

Confirm an SBOM attestation exists.

Solution: Make sure the build process produces an SBOM attestation.

Confirm the CycloneDX SBOM contains only allowed packages. By default all packages are allowed. Use the "disallowed_packages" rule data key to provide a list of disallowed packages.

Solution: Update the image to not use a disallowed package.

Confirm the CycloneDX SBOM contains only packages with explicitly allowed external references. By default all external references are allowed unless the "allowed_external_references" rule data key provides a list of type-pattern pairs that forbid the use of any other external reference of the given type where the reference url matches the given pattern.

Solution: Update the image to use only packages with explicitly allowed external references.

For each of the components fetched by Cachi2 which define externalReferences of type distribution, verify they are allowed based on the allowed_package_sources rule data key. By default, allowed_package_sources is empty, which means no components with such references are allowed.

Solution: Update the image to not use a package from a disallowed source.

Confirm the CycloneDX SBOM contains only packages without disallowed attributes. By default all attributes are allowed. Use the "disallowed_attributes" rule data key to provide a list of key-value pairs that forbid the use of an attribute set to the given value.

Solution: Update the image to not use a disallowed package attributes.

Confirm the CycloneDX SBOM contains only packages without disallowed external references. By default all external references are allowed. Use the "disallowed_external_references" rule data key to provide a list of type-pattern pairs that forbid the use of an external reference of the given type where the reference url matches the given pattern.

Solution: Update the image to not use a package with a disallowed external reference.

Check the CycloneDX SBOM has the expected format. It verifies the CycloneDX SBOM matches the 1.5 version of the schema.

Solution: Make sure the build process produces a valid CycloneDX SBOM.

Confirm the allowed_builder_ids rule data was provided, since it is required by the policy rules in this package.

Verify that the attestation attribute predicate.builder.id is set.

Solution: The builder id in the attestation is missing. Make sure the build system is setting the build id when generating an attestation.

Verify that the attestation attribute predicate.builder.id is set to one of the values in the allowed_builder_ids rule data, e.g. "https://tekton.dev/chains/v2".

Solution: Make sure the build id is set to an expected value. The expected values are set in the data sources.

Verify that the predicate.buildConfig.tasks.steps attribute for the task responsible for building and pushing the image is not empty.

Solution: There were no build tasks detected. Make sure the build pipeline contains tasks and that the build system is recording them properly when the attestation is generated.

Confirm that a build task exists and it has the expected IMAGE_DIGEST and IMAGE_URL task results.

Solution: Make sure the build pipeline contains a build task. The build task must contain results named 'IMAGE_DIGEST' and 'IMAGE_URL'.

Verify the digest of the image being validated is reported by a trusted Task in its IMAGE_DIGEST result.

Solution: Make sure the build Pipeline definition uses a trusted Task to build images.

Verify the subject of the attestations matches the IMAGE_DIGEST and IMAGE_URL values from the build task.

Solution: Make sure the subject in the attestation matches the 'IMAGE_URL' and 'IMAGE_DIGEST' results from the build task. The format for the subject should be 'IMAGE_URL@IMAGE_DIGEST'.

Confirm the allowed_predicate_types rule data was provided, since it is required by the policy rules in this package.

Verify that the predicateType field of the attestation indicates the in-toto SLSA Provenance format was used to attest the PipelineRun.

Solution: The predicate type field in the attestation does not match the 'allowed_predicate_types' field. This field is set in the data sources.

Ensure each entry in the predicate.materials array with a SHA-1 digest includes a valid Git URI.

Solution: Ensure the URI associated with a SHA-1 digest in the materials section of the attestation is valid. This URI is derived from the 'CHAINS-GIT_URL' output of the 'git-clone' task.

Confirm at least one entry in the predicate.materials array of the attestation contains the expected attributes: uri and digest.sha1.

Solution: Make sure the attestation contains the repository URI and digest.sha1. This information comes from the 'CHAINS-GIT_URL' and 'CHAINS-GIT_COMMIT' results in the 'git-clone' task.

Ensure that each entry in the predicate.materials array with a SHA-1 digest includes a valid Git commit SHA.

Solution: Ensure the digest.sha1 in the materials section of the attestation is a valid Git commit SHA. This commit information is derived from the 'CHAINS-GIT_COMMIT' output of the 'git-clone' task.

Verify that the provided source code reference is the one being attested.

Solution: The source code reference in the attestation doesn’t match the expected and provided source code reference. Make sure that the provided source code reference is correct, and if it is make sure that the build process is configured to retrieve the source code from the appropriate source code repository. Make sure that the source code reference is pointing to a explicit revision not to a symbolic identifier, e.g. a branch or tag name.

Confirm the expected rule data keys have been provided in the expected format. The keys are supported_vcs and supported_digests.

Check if the expected source code reference is provided.

Solution: Provide the expected source code reference in inputs.

Attestation contains source reference.

Solution: Check that the attestation creation process includes the source code reference in the predicate.materials for SLSA Provenance v0.2, or in predicate.buildDefinition.resolvedDependencies for SLSA Provenance v1.0 attestations. Check that the Version Control System prefix is the list of the supported VCS types in rule data (supported_vcs key).

Confirm the SPDX SBOM contains only allowed packages. By default all packages are allowed. Use the "disallowed_packages" rule data key to provide a list of disallowed packages.

Solution: Update the image to not use a disallowed package.

Confirm the SPDX SBOM contains only packages with explicitly allowed external references. By default all external references are allowed unless the "allowed_external_references" rule data key provides a list of type-pattern pairs that forbid the use of any other external reference of the given type where the reference url matches the given pattern.

Solution: Update the image to use only packages with explicitly allowed external references.

Check the list of files in the SPDX SBOM is not empty.

Solution: Verify the SBOM is correctly identifying the files in the image.

Check the list of packages in the SPDX SBOM is not empty.

Solution: Verify the SBOM is correctly identifying the package in the image.

Confirm the SPDX SBOM contains only packages without disallowed external references. By default all external references are allowed. Use the "disallowed_external_references" rule data key to provide a list of type-pattern pairs that forbid the use of an external reference of the given type where the reference url matches the given pattern.

Solution: Update the image to not use a package with a disallowed external reference.

Check the SPDX SBOM targets the image being validated.

Solution: The SPDX SBOM associated with the image describes a different image. Verify the integrity of the build system.

Check the SPDX SBOM has the expected format. It verifies the SPDX SBOM matches the 2.3 version of the schema.

Solution: Make sure the build process produces a valid SPDX SBOM.

Check if the current date is not allowed based on the rule data value from the key disallowed_dates. By default, the list is empty in which case any day is allowed. This check is enforced only for a "release" pipeline, as determined by the value of the pipeline_intention rule data.

Solution: Try again on a different day.

Confirm the expected rule data keys have been provided in the expected format. The keys are disallowed_weekdays and disallowed_dates.

Solution: If provided, ensure the rule data is in the expected format.

Check if the current weekday is allowed based on the rule data value from the key disallowed_weekdays. By default, the list is empty in which case any weekday is allowed. This check is enforced only for a "release" pipeline, as determined by the value of the pipeline_intention rule data.

Solution: Try again on a different weekday.

Verify the source container image exists.

Verify the source container image is signed.

Confirm the trusted_tasks rule data was provided, since it’s required by the policy rules in this package.

Solution: Create a lsit of trusted tasks. This is a list of task bundles with a top-level key of 'trusted_tasks'.

Check that a valid task bundle reference is being used.

Solution: Specify a task bundle with a reference as the full digest.

Check if the Tekton Bundle used for the Tasks in the Pipeline definition is pinned to a digest.

Solution: Specify the task bundle reference with a full digest rather than a tag.

For each Task in the SLSA Provenance attestation, check if the Tekton Bundle used is a trusted task.

Solution: For each Task in the SLSA Provenance attestation, check if the Tekton Bundle used is a trusted task.

For each Task in the SLSA Provenance attestation, check if the Tekton Bundle used is the most recent.

Solution: A task bundle used is not the most recent. The most recent task bundles are defined in the data source of your policy config.

Check for the existence of a task bundle. This rule will fail if the task is not called from a bundle.

Ensure that the all required tasks are resolved from trusted tasks.

Solution: Make sure all required tasks in the build pipeline are resolved from trusted tasks.

Ensure that the set of required tasks are included in the PipelineRun attestation.

Solution: Make sure all required tasks are in the build pipeline. The required task list is contained as data under the key 'required-tasks'.

Confirm the expected data keys have been provided in the expected format. The keys are pipeline-required-tasks and required-tasks.

Solution: If provided, ensure the data is in the expected format.

Produce a warning when a task that will be required in the future was not included in the PipelineRun attestation.

Solution: There is a task that will be required at a future date that is missing from the build pipeline.

Ensure that all Tasks in the SLSA Provenance attestation use an immuntable reference to the Task definition.

Solution: Make sure the build pipeline uses Tasks via pinned references. For example, if the git resolver is used, use a commit ID instead of a branch name.

Ensure that at least one Task is present in the PipelineRun attestation.

Solution: Make sure the build pipeline ran any tasks and that the build system is generating a proper attestation.

Produce a warning if the required tasks list rule data was not provided.

Solution: The required task list is contained as data under the key 'required-tasks'. Make sure this list exists.

Confirm the required-tasks rule data was provided, since it’s required by the policy rules in this package.

Solution: Make sure the data sources contains a key 'required-tasks' that contains a list of tasks that are required to run in the build pipeline.

Ensure that all of the Tasks in the Pipeline completed successfully. Note that skipped Tasks are not taken into account and do not influence the outcome.

Solution: Make sure the build pipeline is properly configured so all the tasks can be executed successfully.

The Tekton Task used is or will be unsupported. The Task is annotated with build.appstudio.redhat.com/expires-on annotation marking it as unsupported after a certain date.

Ensure that task producing the IMAGES_PROCESSED result contains the digests of the built image.

Solution: Found an image not processed by a task. Make sure that the task processes and includes the image digest of all images in the IMAGES_PROCESSED result.

Produce a warning if any informative tests have their result set to "FAILED". The result type is configurable by the "failed_tests_results" key, and the list of informative tests is configurable by the "informative_tests" key in the rule data.

Solution: There is a test that failed. Make sure that any task in the build pipeline with a result named 'TEST_OUTPUT' does not fail. More information about the test should be available in the logs for the build Pipeline.

Produce a violation if any tests have their result set to "ERROR". The result type is configurable by the "erred_tests_results" key in the rule data.

Solution: There is a test that erred. Make sure that any task in the build pipeline with a result named 'TEST_OUTPUT' does not err. More information about the test should be available in the logs for the build Pipeline.

Produce a violation if any non-informative tests have their result set to "FAILED". The result type is configurable by the "failed_tests_results" key, and the list of informative tests is configurable by the "informative_tests" key in the rule data.

Solution: There is a test that failed. Make sure that any task in the build pipeline with a result named 'TEST_OUTPUT' does not fail. More information about the test should be available in the logs for the build Pipeline.

Produce a warning if any tests have their result set to "WARNING". The result type is configurable by the "warned_tests_results" key in the rule data.

Solution: There is a task with result 'TEST_OUTPUT' that returned a result of 'WARNING'. You can find which test resulted in 'WARNING' by examining the 'result' key in the 'TEST_OUTPUT'. More information about the test should be available in the logs for the build Pipeline.

Produce a violation if any tests have their result set to "SKIPPED". A skipped result means a pre-requirement for executing the test was not met, e.g. a license key for executing a scanner was not provided. The result type is configurable by the "skipped_tests_results" key in the rule data.

Solution: There is a test that was skipped. Make sure that each task with a result named 'TEST_OUTPUT' was not skipped. You can find which test was skipped by examining the 'result' key in the 'TEST_OUTPUT'. More information about the test should be available in the logs for the build Pipeline.

Ensure all test data result values are in the set of known/supported result values.

Solution: The test results should be of a known value. Values can be set as a data source.

Confirm the expected rule data keys have been provided in the expected format. The keys are supported_tests_results, failed_tests_results, informative_tests, erred_tests_results, skipped_tests_results, and warned_tests_results.

Solution: If provided, ensure the rule data is in the expected format.

Ensure that at least one of the tasks in the pipeline includes a TEST_OUTPUT task result, which is where Enterprise Contract expects to find test result data.

Solution: Confirm at least one task in the build pipeline contains a result named TEST_OUTPUT.

Each test result is expected to have a results key. Verify that the results key is present in all of the TEST_OUTPUT task results.

Solution: There was at least one result named TEST_OUTPUT found, but it did not contain a key named 'result'. For a TEST_OUTPUT result to be valid, this key must exist.

Confirm the expected trusted_tasks data keys have been provided in the expected format.

Solution: If provided, ensure the data is in the expected format.

Check if all Tekton Tasks use a Task definition by a pinned reference. When using the git resolver, a commit ID is expected for the revision parameter. When using the bundles resolver, the bundle parameter is expected to include an image reference with a digest.

Solution: Update the Pipeline definition so that all Task references have a pinned value as mentioned in the description.

Confirm the trusted_tasks rule data was provided, since it’s required by the policy rules in this package.

Solution: Create a, or use an existing, trusted tasks list as a data source.

Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, all Tasks in the build Pipeline must be trusted.

Solution: If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure all Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available.

Check if all Tekton Tasks use the latest known Task reference. When warnings will be reported can be configured using the task_expiry_warning_days rule data setting. It holds the number of days before the task is to expire within which the warnings will be reported.

Solution: Update the Task reference to a newer version.

All input trusted artifacts must be produced on the pipeline. If they are not the artifact could have been injected by a rouge task.

Solution: Audit the pipeline to make sure all inputs are produced by the pipeline.

Confirm certain parameters provided to each builder Task have come from trusted Tasks.

Solution: Update your build Pipeline to ensure all the parameters provided to your builder Tasks come from trusted Tasks.

Verify the BUILDER_IMAGE parameter of the rpm-ostree Task uses an image reference that is both pinned to a digest and starts with a pre-defined list of prefixes. By default, the list of prefixes is empty allowing any pinned image reference to be used. This is customizable via the allowed_rpm_ostree_builder_image_prefixes rule data.

Solution: Make sure the rpm-ostree Task uses a pinned image reference from a pre-approved location.

Verify the rule data used by this package, allowed_rpm_ostree_builder_image_prefixes, is in the expected format.

Solution: Make sure the allowed_rpm_ostree_builder_image_prefixes rule data is in the expected format in the data source.