About Enterprise Contract


The Enterprise Contract is a set of tools for maintaining software supply chain security, and for the definition and enforcement of policies related to how container images are built and tested.

Its main purpose is to verify the security and provenance of builds created by Red Hat Trusted Application Pipeline (RHTAP), a cloud based build and deployment system based on Tekton, Argo CD and OpenShift, provided by Red Hat.

The RHTAP build process uses Tekton Chains to produce a signed in-toto attestation of the build pipeline. Enterprise Contract then uses that signed attestation to cryptographically verify that the build was not tampered with, and to check the build against a set of policies. The policies attest that the build process followed a prescribed set of best practices, plus organization specific policies as required.


  • EC CLI - Command line utility

  • EC Task Definition - A Tekton Task wrapper for the EC CLI

  • EC Policy CRD - Defines a Kubernetes CR for EC configuration

  • EC Policies - A set of policies defined in OPA/Rego

There’s an additional overview of Enterprise Contract and its components in the Book of AppStudio.