Task Policy

Confirm that each step in the Task uses a container image that is accessible.

Solution: Make sure the container image used in each step of the Task is pushed to the registry and that it can be fetched.

Confirm the allowed_step_image_registry_prefixes rule data was provided, since it’s required by the policy rules in this package.

Solution: Make sure the data sources contains a key 'allowed_step_image_registry_prefixes' that contains a list of approved registries that can be used to run tasks in the build pipeline.

Confirm that each step in the Task uses a container image with a URL that matches one of the prefixes in the provided list of allowed step image registry prefixes. The list is customizeable via the allowed_step_image_registry_prefixes rule data key.

Solution: Make sure the container image used in each step of the Task comes from an approved registry.

Make sure to use the date format in RFC3339 format in the "build.appstudio.redhat.com/expires-on" annotation.

Verify if Task defines the required result. This is controlled by the required_task_results rule data key. By default this is empty making this rule a no-op.

Confirm the expected required_task_results rule data key has been provided in the expected format.

Solution: If provided, ensure the rule data is in the expected format.

Confirm the task definition includes the kind field.

Confirm the task definition has the kind "Task".

Trusted Artifact parameters follow the expected naming convention.

Trusted Artifact results follow the expected naming convention.

Tasks that implement the Trusted Artifacts pattern should not allow general purpose workspaces to share data. Instead, data should be passed around via Trusted Artifacts. Workspaces used for other purposes, e.g. provide auth credentials, are allowed. Use the rule data key allowed_trusted_artifacts_workspaces to specify which workspace names are allowed. By default this value is empty which effectively disallows any workspace.