About Enterprise Contract

Overview

The Enterprise Contract is a set of tools for maintaining software supply chain security, and for the definition and enforcement of policies related to how container images are built and tested.

Its main purpose is to verify the security and provenance of builds created by CI/CD systems such as Konflux CI, (formerly Red Hat App Studio), Red Hat Trusted Application Pipeline (RHTAP).

The Konflux build process uses Tekton Chains to produce a signed in-toto attestation of the build pipeline. Enterprise Contract then uses that signed attestation to cryptographically verify that the build was not tampered with, and to check the build against a set of policies. The policies attest that the build process followed a prescribed set of best practices, plus organization specific policies as required.

While Enterprise Contract was originally created to work with Tekton and Tekton Chains' attestations, it is flexible enough to be used with other CI/CD systems, for example GitHub Actions.

Components

EC CLI - Command line utility
EC Task Definition - A Tekton Task wrapper for the EC CLI
EC Policy CRD - Defines a Kubernetes CR for EC configuration
EC Policies - A set of policies defined in OPA/Rego

There’s an additional overview of Enterprise Contract and its components in the Book of AppStudio.

Code

github.com/enterprise-contract