Red Hat Release configuration

The configuration used in Red Hat Trusted Application Pipeline to configure the policy used by the Red Hat Release Engineering.

This document was generated on 2024-04-19 19:38:41 UTC based on the data in data/rule_data.yml and data/required_tasks.yml files from the https://github.com/release-engineering/rhtap-ec-policy.git repository at revision 4711bc87c7c90ff2816dc3c4e235959bce6c544e.

Allowed OCI registry prefixes

The following allowed_registry_prefixes are configured for the "Base image comes from permitted registry" rule.

  • registry.access.redhat.com/

  • registry.redhat.io/

  • brew.registry.redhat.io/rh-osbs/openshift-golang-builder

Allowed Task step OCI registry prefixes

The following allowed_step_image_registry_prefixes are configured for the "Task steps ran on permitted container images" rule.

  • quay.io/redhat-appstudio/

  • registry.access.redhat.com/

  • registry.redhat.io/

  • quay.io/opdev/preflight

Allowed Java component repositories

The following allowed_java_component_sources are configured for the "Java builds have no foreign dependencies" rule.

  • redhat

  • rebuilt

Allowed Tekton PipelineRun parameters

The following pipeline_run_params are configured for the "Pipeline run params" rule.

  • git-repo

  • git-revision

  • output-image

Deprecated OCI image labels

The following labels are deprecated, as listed in deprecated_labels, for the "Deprecated labels" rule.

Deprecated label   Replacement
INSTALL            install
Architecture       architecture
BZComponent        com.redhat.component
Name               name
RUN                run
Release            release
UNINSTALL          uninstall
Version            version

Required OCI image labels

The following labels are mandatory, as listed in required_labels, for the "Required labels" rule.

Required label         Description
architecture           Architecture the software in the image should target.
build-date             Date/time the image was built, as an RFC 3339 date-time.
com.redhat.component   The Bugzilla component name where bugs against this container should be reported by users.
description            Detailed description of the image.
distribution-scope     Scope of intended distribution of the image (private/authoritative-source-only/restricted/public).
io.k8s.description     Description of the container displayed in Kubernetes.
name                   Name of the image or container.
release                Release number for this version.
url                    A URL where the user can find more information about the image.
vcs-ref                A reference within the version control repository, e.g. a git commit or a subversion branch.
vcs-type               The type of version control used by the container source. Generally one of git, hg, svn, bzr, cvs.
vendor                 Name of the vendor.
version                Version of the image.

Optional OCI image labels

The following labels are optional, as listed in optional_labels, for the "Optional labels" rule.

Optional label   Description
maintainer       The name and email of the maintainer (usually the submitter). Should contain `@redhat.com` or `Red Hat`.
summary          A short description of the image.

Disallowed OCI image labels

The following labels are disallowed from being inherited from the base image, as listed in disallowed_inherited_labels, for the "Disallowed inherited labels" rule.

  • description

  • io.k8s.description

  • io.k8s.display-name

  • io.openshift.tags

  • summary

  • name

  • com.redhat.component

Required File Based Catalog (FBC) image labels

The following labels are mandatory, as listed in fbc_required_labels, for the "Required labels" rule.

None configured

Optional File Based Catalog (FBC) image labels

The following labels are optional, as listed in fbc_optional_labels, for the "Optional labels" rule.

None configured

Disallowed File Based Catalog (FBC) image labels

The following labels are disallowed from being inherited from the base image, as listed in fbc_disallowed_inherited_labels, for the "Disallowed inherited labels" rule.

None configured

Required Tekton tasks

The following tasks are required for specific PipelineRun types, determined by the pipelines.openshift.io/runtime label, for the "All required tasks were included in the pipeline" rule.

Pipeline type Since Tasks

fbc

  • buildah,buildah-10gb,buildah-6gb,buildah-8gb,buildah-remote

  • deprecated-image-check

  • fbc-related-image-check

  • fbc-validation

  • git-clone

  • init

  • inspect-image

  • sbom-json-check

  • show-sbom

  • summary

docker

  • buildah,buildah-10gb,buildah-6gb,buildah-8gb,buildah-remote

  • clair-scan

  • clamav-scan

  • deprecated-image-check

  • git-clone

  • init

  • prefetch-dependencies

  • sast-snyk-check

  • sbom-json-check

  • show-sbom

  • source-build

  • summary

  • buildah,buildah-10gb,buildah-6gb,buildah-8gb,buildah-remote

  • clair-scan

  • clamav-scan

  • deprecated-image-check

  • git-clone

  • init

  • prefetch-dependencies

  • sast-snyk-check

  • sbom-json-check

  • show-sbom

  • summary

generic

  • buildah,buildah-10gb,buildah-6gb,buildah-8gb,buildah-remote

  • clair-scan

  • clamav-scan

  • deprecated-image-check

  • git-clone

  • init

  • prefetch-dependencies

  • sast-snyk-check

  • sbom-json-check

  • show-sbom

  • source-build

  • summary

  • buildah,buildah-10gb,buildah-6gb,buildah-8gb,buildah-remote

  • clair-scan

  • clamav-scan

  • deprecated-image-check

  • git-clone

  • init

  • prefetch-dependencies

  • sast-snyk-check

  • sbom-json-check

  • show-sbom

  • summary

java

  • clair-scan

  • clamav-scan

  • deprecated-image-check

  • git-clone

  • init

  • prefetch-dependencies

  • s2i-java

  • sast-snyk-check

  • sbom-json-check

  • show-sbom

  • source-build

  • summary

  • clair-scan

  • clamav-scan

  • deprecated-image-check

  • git-clone

  • init

  • prefetch-dependencies

  • s2i-java

  • sast-snyk-check

  • sbom-json-check

  • show-sbom

  • summary

nodejs

  • clair-scan

  • clamav-scan

  • deprecated-image-check

  • git-clone

  • init

  • prefetch-dependencies

  • s2i-nodejs

  • sast-snyk-check

  • sbom-json-check

  • show-sbom

  • source-build

  • summary

  • clair-scan

  • clamav-scan

  • deprecated-image-check

  • git-clone

  • init

  • prefetch-dependencies

  • s2i-nodejs

  • sast-snyk-check

  • sbom-json-check

  • show-sbom

  • summary

The following tasks are required for PipelineRuns that do not carry the pipelines.openshift.io/runtime label.

Since Tasks

  • clair-scan

  • clamav-scan

  • git-clone

  • init

  • prefetch-dependencies

  • sast-snyk-check

  • source-build

  • summary

  • clair-scan

  • clamav-scan

  • git-clone

  • init

  • prefetch-dependencies

  • sast-snyk-check

  • summary