Release Policy

The Enterprise Contract CLI now places the attestation data in a different location. This check fails if the expected new format is not found.

Solution: Use a newer version of the Enterprise Contract CLI.

Confirm the attestation found for the image has a known attestation type.

Solution: Make sure the "_type" field in the attestation is supported. Supported types are configured in data sources.

Confirm the known_attestation_types rule data was provided.

Solution: Provide a list of known attestation types.

Confirm at least one PipelineRun attestation is present.

Solution: Make sure the attestation being verified was generated from a Tekton pipelineRun.

Confirm the allowed_registry_prefixes rule data was provided, since it’s required by the policy rules in this package.

Solution: Make sure to configure a list of trusted registries as a data source.

Verify that the base images used when building a container image come from a known set of trusted registries to reduce potential supply chain attacks. By default this policy defines trusted registries as registries that are fully maintained by Red Hat and only contain content produced by Red Hat. The list of permitted registries can be customized by setting the allowed_registry_prefixes list in the rule data.

Solution: Make sure the image used in each task comes from a trusted registry. The list of trusted registries is a configurable data source.

Verify the expected information was provided about which base images were used during the build process.The list of base images is a combination of two sources. One is extracted from the SLSA Provenance in the form of Tekton Task result called BASE_IMAGES_DIGESTS. The other comes from the components in the formulation attribute of any associated CycloneDX SBOMs.

Solution: Either a Tekton task must exist that emits a result named BASE_IMAGES_DIGESTS, or a CycloneDX SBOM must be associated with the image.

Verify that a DOCKERFILE parameter was provided to the buildah task.

Solution: Make sure the buildah task has a parameter named 'DOCKERFILE'.

Verify the Dockerfile used in the buildah task was not fetched from an external source.

Solution: Make sure the 'DOCKERFILE' parameter does not come from an external source.

Validates the cryptographic signature of the attestation.

Solution: Examine the signature of the attestation, provided key material or trust chain for verification.

Validates the syntax of the attestation.

Solution: Make sure that the attestation is well formed and syntactically correct.

Validates the cryptographic signature of the image.

Solution: Examine the signature of the image, provided key material or trust chain for verification.

The SLSA Provenance attestation for the image is inspected to ensure CVEs that have a known fix and meet a certain security level have not been detected. If detected, this policy rule will fail. By default, only CVEs of critical and high security level cause a failure. This is configurable by the rule data key restrict_cve_security_levels. The available levels are critical, high, medium, low, and unknown.

Solution: Make sure to address any CVE’s related to the image. The CVEs are detected by the task that runs a Clair scan and emits a result named CLAIR_SCAN_RESULT.

The SLSA Provenance attestation for the image is inspected to ensure CVEs that do NOT have a known fix and meet a certain security level have not been detected. If detected, this policy rule will fail. By default, the list of security levels used by this policy is empty. This is configurable by the rule data key restrict_unpatched_cve_security_levels. The available levels are critical, high, medium, low, and unknown.

Solution: CVEs without a known fix can only be remediated by either removing the impacted dependency, or by waiting for a fix to be available. The CVEs are detected by the task that emits a result named CLAIR_SCAN_RESULT.

Confirm that clair-scan task results are present in the SLSA Provenance attestation of the build pipeline.

Solution: Make sure there is a successful task in the build pipeline that runs a Clair scan and creates a task result called CLAIR_SCAN_RESULT.

The CLAIR_SCAN_RESULT result name has been deprecated, and has been replaced with SCAN_OUTPUT. If any task results with the old name are found, this rule will raise a warning.

Solution: Use the newer SCAN_OUTPUT result name.

The CLAIR_SCAN_RESULT result name has been deprecated, and has been replaced with SCAN_OUTPUT. If any task results with the old name are found, this rule will raise a warning.

Solution: Use the newer SCAN_OUTPUT result name, including for unpached vulnerabilities.

The SLSA Provenance attestation for the image is inspected to ensure CVEs that have a known fix and meet a certain security level have not been detected. If detected, this policy rule will raise a warning. By default, the list of CVE security levels used by this policy is empty. However, this is configurable by the rule data key warn_cve_security_levels. The available levels are critical, high, medium, low, and unknown.

Solution: Make sure to address any CVE’s related to the image. The CVEs are detected by the task that runs a Clair scan and emits a result named CLAIR_SCAN_RESULT.

The SLSA Provenance attestation for the image is inspected to ensure CVEs that do NOT have a known fix and meet a certain security level have not been detected. If detected, this policy rule will raise a warning. By default, only CVEs of critical and high security level cause a warning. This is configurable by the rule data key warn_unpatched_cve_security_levels. The available levels are critical, high, medium, low, and unknown.

Solution: CVEs without a known fix can only be remediated by either removing the impacted dependency, or by waiting for a fix to be available. The CVEs are detected by the task that emits a result named CLAIR_SCAN_RESULT.

Confirm the expected rule data keys have been provided in the expected format. The keys are restrict_cve_security_levels, warn_cve_security_levels, restrict_unpatched_cve_security_levels, and warn_unpatched_cve_security_levels.

Solution: If provided, ensure the rule data is in the expected format.

Verify the PipelineRun was initialized with a set of expected parameters. By default it asserts git-repo, git-revision, and output-image are provided with non-empty values. This is configurable by the rule data key pipeline_run_params. Any additional parameters are NOT allowed.

Confirm the pipeline_run_params rule data was provided.

Solution: Provide a non-empty list of expected PipelineRun parameters.

Verify the PipelineRun did not use any pre-existing PersistentVolumeClaim workspaces.

Check if the image signature certificate contains the expected GitHub extensions. These are the extensions that represent the GitHub workflow trigger, sha, name, repository, and ref.

Check if the value of the GitHub Workflow Name extension in the image signature certificate matches one of the allowed values. Use the rule data key allowed_gh_workflow_names to specify the list of allowed values. An empty allow list, which is the default value, causes this check to succeeded.

Check if the value of the GitHub Workflow Repository extension in the image signature certificate matches one of the allowed values. Use the rule data key allowed_gh_workflow_repos to specify the list of allowed values. An empty allow list, which is the default value, causes this check to succeeded.

Check if the value of the GitHub Workflow Ref extension in the image signature certificate matches one of the allowed values. Use the rule data key allowed_gh_workflow_refs to specify the list of allowed values. An empty allow list, which is the default value, causes this check to succeeded.

Check if the value of the GitHub Workflow Trigger extension in the image signature certificate matches one of the allowed values. Use the rule data key allowed_gh_workflow_triggers to specify the list of allowed values. An empty allow list, which is the default value, causes this check to succeeded.

Confirm the expected rule data keys have been provided in the expected format. The keys are allowed_gh_workflow_repos, allowed_gh_workflow_refs, allowed_gh_workflow_names, and allowed_gh_workflow_triggers.

Solution: If provided, ensure the rule data is in the expected format.

Verify the build task in the PipelineRun attestation was invoked with the proper parameters to make the build process hermetic.

Solution: Make sure the task that builds the image has a parameter named 'HERMETIC' and it’s set to 'true'.

The SBOM_JAVA_COMPONENTS_COUNT task result finds dependencies that have originated from foreign repositories, i.e. ones that are not rebuilt or provided by Red Hat. Verify there are no dependencies from sources not listed in the allowed_java_component_sources rule data.

Solution: Make sure there are no build dependencies that originate from foreign repositories. The allowed sources are in the rule_data under the key 'allowed_java_component_sources'.

Confirm the allowed_java_component_sources rule data was provided, since it’s required by the policy rules in this package.

Solution: Add a data source that contains allowable source repositories for build dependencies. The source must be located under a key named 'allowed_java_component_sources'. More information on adding data sources.

Check the image for the presence of labels that have been deprecated. Use the rule data key deprecated_labels to set the list of labels to check.

Solution: Update the image build process to not set the deprecated labels.

Check that certain labels on the image have different values than the labels from the parent image. If the label is inherited from the parent image but not redefined for the image, it will contain an incorrect value for the image. Use the rule data disallowed_inherited_labels key to set the list of labels to check, or the fbc_disallowed_inherited_labels key for fbc images.

Solution: Update the image build process to overwrite the inherited labels.

Check the image for the presence of labels that are recommended, but not required. Use the rule data optional_labels key to set the list of labels to check, or the fbc_optional_labels key for fbc images.

Solution: Update the image build process to set the optional labels.

Check the image for the presence of labels that are required. Use the rule data required_labels key to set the list of labels to check, or the fbc_required_labels key for fbc images.

Solution: Update the image build process to set the required labels.

Confirm the expected rule data keys have been provided in the expected format. The keys are required_labels, fbc_required_labels, optional_labels, fbc_optional_labels, disallowed_inherited_labels, fbc_disallowed_inherited_labels, and deprecated_labels.

Solution: If provided, ensure the rule data is in the expected format.

Check the spec.version value in the ClusterServiceVersion manifest of the OLM bundle uses a properly formatted semver.

Solution: Update the ClusterServiceVersion manifest of the OLM bundle to set the spec.version value to a valid semver.

Check the feature annotations in the ClusterServiceVersion manifest of the OLM bundle. All of required feature annotations must be present and set to either the string "true" or the string "false". The list of feature annotations can be customize via the required_olm_features_annotations rule data.

Solution: Update the ClusterServiceVersion manifest of the OLM bundle to set the feature annotations to the expected value.

Confirm the required_olm_features_annotations rule data was provided, since it’s required by the policy rules in this package.

Check the value of the operators.openshift.io/valid-subscription annotation from the ClusterServiceVersion manifest is in the expected format, i.e. JSON encoded non-empty array of strings.

Solution: Update the ClusterServiceVersion manifest of the OLM bundle to set the subscription annotation to the expected value.

Check the OLM bundle image for the presence of unpinned image references. Unpinned image pull references are references to images found in varying locations that do not contain a digest — uniquely identifying the version of the image being pulled.

Solution: Update the OLM bundle replacing the unpinned image reference with pinned image reference. Pinned image reference contains the image digest.

Confirm that the result of the git-clone task is included in the materials section of the SLSA provenance attestation.

Solution: The build pipeline must contain a task named 'git-clone' and that task must emit results named 'url' and 'commit' and contain the clone git repository and commit, respectively.

Confirm that the attestation contains a git-clone task with commit and url task results.

Solution: Make sure the build pipeline contains a task named 'git-clone'.

Check the image metadata for the presence of a "quay.expires-after" label. If it’s present then produce a violation. This check is enforced only for a "release" pipeline, as determined by the value of the pipeline_intention rule data.

Solution: Make sure the image is built without setting the "quay.expires-after" label. This label is usually set if the container image was built by an "on-pr" pipeline during pre-merge CI.

Verify the expected Red Hat manifests are available in the image.

Confirm the CycloneDX SBOM contains only allowed packages. By default all packages are allowed. Use the "disallowed_packages" rule data key to provide a list of disallowed packages.

Solution: Update the image to not use a disallowed package.

Confirm the disallowed_packages rule data was provided, since it is required by the policy rules in this package.

Solution: Provide a list of disallowed packages in the expected format.

Confirm a CycloneDX SBOM exists.

Solution: Make sure the build process produces a CycloneDX SBOM.

Check the CycloneDX SBOM has the expected format. It verifies the CycloneDX SBOM matches the 1.5 version of the schema.

Solution: Make sure the build process produces a valid CycloneDX SBOM.

Confirm the allowed_builder_ids rule data was provided, since it is required by the policy rules in this package.

Verify that the attestation attribute predicate.builder.id is set.

Solution: The builder id in the attestation is missing. Make sure the build system is setting the build id when generating an attestation.

Verify that the attestation attribute predicate.builder.id is set to one of the values in the allowed_builder_ids rule data, e.g. "https://tekton.dev/chains/v2".

Solution: Make sure the build id is set to an expected value. The expected values are set in the data sources.

Verify that the predicate.buildConfig.tasks.steps attribute for the task responsible for building and pushing the image is not empty.

Solution: There were no build tasks detected. Make sure the build pipeline contains tasks and that the build system is recording them properly when the attestation is generated.

Confirm that a build task exists and it has the expected IMAGE_DIGEST and IMAGE_URL task results.

Solution: Make sure the build pipeline contains a build task. The build task must contain results named 'IMAGE_DIGEST' and 'IMAGE_URL'.

Verify the digest of the image being validated is reported by a trusted Task in its IMAGE_DIGEST result.

Solution: Make sure the build Pipeline definition uses a trusted Task to build images.

Verify the subject of the attestations matches the IMAGE_DIGEST and IMAGE_URL values from the build task.

Solution: Make sure the subject in the attestation matches the 'IMAGE_URL' and 'IMAGE_DIGEST' results from the build task. The format for the subject should be 'IMAGE_URL@IMAGE_DIGEST'.

Confirm the allowed_predicate_types rule data was provided, since it is required by the policy rules in this package.

Verify that the predicateType field of the attestation indicates the in-toto SLSA Provenance format was used to attest the PipelineRun.

Solution: The predicate type field in the attestation does not match the 'allowed_predicate_types' field. This field is set in the data sources.

Ensure each entry in the predicate.materials array of the attestation uses a git URI.

Solution: Make sure the format of the URI in the materials section of the attestation is a valid URI. This information comes from the 'CHAINS-GIT_URL' result of the 'git-clone' task.

Confirm at least one entry in the predicate.materials array of the attestation contains the expected attributes: uri and digest.sha1.

Solution: Make sure the attestation contains the repository URI and digest.sha1. This information comes from the 'CHAINS-GIT_URL' and 'CHAINS-GIT_COMMIT' results in the 'git-clone' task.

Ensure each entry in the predicate.materials array of the attestation includes a SHA1 digest which corresponds to a git commit.

Solution: Make sure the format of the digest.sha1 in the materials section of the attestation is a valid commit sha. This information comes from the 'CHAINS-GIT_COMMIT' result of the 'git-clone' task.

Verify that the provided source code reference is the one being attested.

Solution: The source code reference in the attestation doesn’t match the expected and provided source code reference. Make sure that the provided source code reference is correct, and if it is make sure that the build process is configured to retrieve the source code from the appropriate source code repository. Make sure that the source code reference is pointing to a explicit revision not to a symbolic identifier, e.g. a branch or tag name.

Confirm the expected rule data keys have been provided in the expected format. The keys are supported_vcs and supported_digests.

Warn if the expected source code reference is not provided.

Solution: Provide the expected source code reference in inputs.

Attestation contains source reference.

Solution: Check that the attestation creation process includes the source code reference in the predicate.materials for SLSA Provenance v0.2, or in predicate.buildDefinition.resolvedDependencies for SLSA Provenance v1.0 attestations. Check that the Version Control System prefix is the list of the supported VCS types in rule data (supported_vcs key).

Check the list of files in the SPDX SBOM is not empty.

Solution: Verify the SBOM is correctly identifying the files in the image.

Check the list of packages in the SPDX SBOM is not empty.

Solution: Verify the SBOM is correctly identifying the package in the image.

Confirm an SPDX SBOM attestation exists.

Solution: Make sure the build process produces an SPDX SBOM attestation.

Check the SPDX SBOM targets the image being validated.

Solution: The SPDX SBOM associated with the image describes a different image. Verify the integrity of the build system.

Check the SPDX SBOM has the expected format.

Solution: Make sure the build process produces a valid SPDX SBOM.

Check if the current date is not allowed based on the rule data value from the key disallowed_dates. By default, the list is empty in which case any day is allowed. This check is enforced only for a "release" pipeline, as determined by the value of the pipeline_intention rule data.

Solution: Try again on a different day.

Confirm the expected rule data keys have been provided in the expected format. The keys are disallowed_weekdays and disallowed_dates.

Solution: If provided, ensure the rule data is in the expected format.

Check if the current weekday is allowed based on the rule data value from the key disallowed_weekdays. By default, the list is empty in which case any weekday is allowed. This check is enforced only for a "release" pipeline, as determined by the value of the pipeline_intention rule data.

Solution: Try again on a different weekday.

Verify the source container image exists.

Verify the source container image is signed.

Confirm the trusted_tasks rule data was provided, since it’s required by the policy rules in this package.

Solution: Create a lsit of trusted tasks. This is a list of task bundles with a top-level key of 'trusted_tasks'.

Check that a valid task bundle reference is being used.

Solution: Specify a task bundle with a reference as the full digest.

Check if the Tekton Bundle used for the Tasks in the Pipeline definition is pinned to a digest.

Solution: Specify the task bundle reference with a full digest rather than a tag.

For each Task in the SLSA Provenance attestation, check if the Tekton Bundle used is a trusted task.

Solution: For each Task in the SLSA Provenance attestation, check if the Tekton Bundle used is a trusted task.

For each Task in the SLSA Provenance attestation, check if the Tekton Bundle used is the most recent.

Solution: A task bundle used is not the most recent. The most recent task bundles are defined in the data source of your policy config.

Check for the existence of a task bundle. This rule will fail if the task is not called from a bundle.

Ensure that the all required tasks are resolved from trusted tasks.

Solution: Make sure all required tasks in the build pipeline are resolved from trusted tasks.

Ensure that the set of required tasks are included in the PipelineRun attestation.

Solution: Make sure all required tasks are in the build pipeline. The required task list is contained as data under the key 'required-tasks'.

Produce a warning when a task that will be required in the future was not included in the PipelineRun attestation.

Solution: There is a task that will be required at a future date that is missing from the build pipeline.

Ensure that all Tasks in the SLSA Provenance attestation use an immuntable reference to the Task definition.

Solution: Make sure the build pipeline uses Tasks via pinned references. For example, if the git resolver is used, use a commit ID instead of a branch name.

Ensure that at least one Task is present in the PipelineRun attestation.

Solution: Make sure the build pipeline ran any tasks and that the build system is generating a proper attestation.

Produce a warning if the required tasks list rule data was not provided.

Solution: The required task list is contained as data under the key 'required-tasks'. Make sure this list exists.

Confirm the required-tasks rule data was provided, since it’s required by the policy rules in this package.

Solution: Make sure the data sources contains a key 'required-tasks' that contains a list of tasks that are required to run in the build pipeline.

Ensure that all of the Tasks in the Pipeline completed successfully. Note that skipped Tasks are not taken into account and do not influence the outcome.

Solution: Make sure the build pipeline is properly configured so all the tasks can be executed successfully.

The Tekton Task used is or will be unsupported. The Task is annotated with build.appstudio.redhat.com/expires-on annotation marking it as unsupported after a certain date.

Solution: Upgrade to a newer version of the Task.

Ensure that task producing the IMAGES_PROCESSED result contains the digests of the built image.

Solution: Found an image not processed by a task. Make sure that the task processes and includes the image digest of all images in the IMAGES_PROCESSED result.

Produce a warning if any informative tests have their result set to "FAILED". The result type is configurable by the "failed_tests_results" key, and the list of informative tests is configurable by the "informative_tests" key in the rule data.

Solution: There is a test that failed. Make sure that any task in the build pipeline with a result named 'TEST_OUTPUT' does not fail. More information about the test should be available in the logs for the build Pipeline.

Produce a violation if any tests have their result set to "ERROR". The result type is configurable by the "erred_tests_results" key in the rule data.

Solution: There is a test that erred. Make sure that any task in the build pipeline with a result named 'TEST_OUTPUT' does not err. More information about the test should be available in the logs for the build Pipeline.

Produce a violation if any non-informative tests have their result set to "FAILED". The result type is configurable by the "failed_tests_results" key, and the list of informative tests is configurable by the "informative_tests" key in the rule data.

Solution: There is a test that failed. Make sure that any task in the build pipeline with a result named 'TEST_OUTPUT' does not fail. More information about the test should be available in the logs for the build Pipeline.

Produce a warning if any tests have their result set to "WARNING". The result type is configurable by the "warned_tests_results" key in the rule data.

Solution: There is a task with result 'TEST_OUTPUT' that returned a result of 'WARNING'. You can find which test resulted in 'WARNING' by examining the 'result' key in the 'TEST_OUTPUT'. More information about the test should be available in the logs for the build Pipeline.

Produce a violation if any tests have their result set to "SKIPPED". A skipped result means a pre-requirement for executing the test was not met, e.g. a license key for executing a scanner was not provided. The result type is configurable by the "skipped_tests_results" key in the rule data.

Solution: There is a test that was skipped. Make sure that each task with a result named 'TEST_OUTPUT' was not skipped. You can find which test was skipped by examining the 'result' key in the 'TEST_OUTPUT'. More information about the test should be available in the logs for the build Pipeline.

Ensure all test data result values are in the set of known/supported result values.

Solution: The test results should be of a known value. Values can be set as a data source.

Confirm the expected rule data keys have been provided in the expected format. The keys are supported_tests_results, failed_tests_results, informative_tests, erred_tests_results, skipped_tests_results, and warned_tests_results.

Solution: If provided, ensure the rule data is in the expected format.

Ensure that at least one of the tasks in the pipeline includes a TEST_OUTPUT task result, which is where Enterprise Contract expects to find test result data.

Solution: Confirm at least one task in the build pipeline contains a result named TEST_OUTPUT.

Each test result is expected to have a results key. Verify that the results key is present in all of the TEST_OUTPUT task results.

Solution: There was at least one result named TEST_OUTPUT found, but it did not contain a key named 'result'. For a TEST_OUTPUT result to be valid, this key must exist.

Check if all Tekton Tasks use the latest known Task reference.

Solution: Update the Task reference to a newer version.

Confirm the trusted_tasks rule data was provided, since it’s required by the policy rules in this package.

Solution: Create a, or use an existing, trusted tasks list as a data source.

Check if all Tekton Tasks use a Task definition by a pinned reference. When using the git resolver, a commit ID is expected for the revision parameter. When using the bundles resolver, the bundle parameter is expected to include an image reference with a digest.

Solution: Update the Pipeline definition so that all Task references have a pinned value as mentioned in the description.

Check if all Tekton Tasks use a trusted Task reference.

Solution: For each Task in the SLSA Provenance attestation, check if the Tekton Bundle used is a trusted task.

Verify the BUILDER_IMAGE parameter of the rpm-ostree Task uses an image reference that is both pinned to a digest and starts with a pre-defined list of prefixes. By default, the list of prefixes is empty allowing any pinned image reference to be used. This is customizable via the allowed_rpm_ostree_builder_image_prefixes rule data.

Solution: Make sure the rpm-ostree Task uses a pinned image reference from a pre-approved location.

Verify the rule data used by this package, allowed_rpm_ostree_builder_image_prefixes, is in the expected format.

Solution: Make sure the allowed_rpm_ostree_builder_image_prefixes rule data is in the expected format in the data source.