Red Hat Release configuration

The configuration used in Red Hat Trusted Application Pipeline to configure the policy used by the Red Hat Release Engineering.

This document was generated on 2024-05-16 15:44:55 UTC based on the data in data/rule_data.yml and data/required_tasks.yml files from the https://github.com/release-engineering/rhtap-ec-policy.git repository at revision 31b6ea21a3d80ef52133c0b224fda09e802e6afb.

Allowed OCI registry prefixes

The following allowed_registry_prefixes are configured for the Base image comes from permitted registry rule.

registry.access.redhat.com/
registry.redhat.io/
brew.registry.redhat.io/rh-osbs/openshift-golang-builder

Allowed Task step OCI registry prefixes

The following allowed_step_image_registry_prefixes are configured for the Task steps ran on permitted container images rule.

quay.io/redhat-appstudio/
quay.io/konflux-ci/
registry.access.redhat.com/
registry.redhat.io/
quay.io/opdev/preflight

Allowed Java component repositories

The following allowed_java_component_sources are configured for the Java builds have no foreign dependencies rule.

redhat
rebuilt

Allowed Tekton PipelineRun parameters

The following pipeline_run_params are configured for the Pipeline run params rule.

git-repo
git-revision
output-image

Deprecated OCI image labels

The following labels are deprecated with deprecated_labels for the Deprecated labels rule.

Deprecated label Replacement

Deprecated label	Replacement
`INSTALL`	`install`
`Architecture`	`architecture`
`BZComponent`	`com.redhat.component`
`Name`	`name`
`RUN`	`run`
`Release`	`release`
`UNINSTALL`	`uninstall`
`Version`	`version`

INSTALL

install

Architecture

architecture

BZComponent

com.redhat.component

Name

name

RUN

run

Release

release

UNINSTALL

uninstall

Version

version

Required OCI image labels

The following labels are mandatory with required_labels for the Required labels rule.

Required label Description

Required label	Description
`architecture`	Architecture the software in the image should target.
`build-date`	Date/Time image was built as RFC 3339 date-time.
`com.redhat.component`	The Bugzilla component name where bugs against this container should be reported by users.
`description`	Detailed description of the image.
`distribution-scope`	Scope of intended distribution of the image. (private/authoritative-source-only/restricted/public).
`io.k8s.description`	Description of the container displayed in Kubernetes.
`name`	Name of the Image or Container.
`release`	Release Number for this version.
`url`	A URL where the user can find more information about the image.
`vcs-ref`	A 'reference' within the version control repository; e.g. a git commit, or a subversion branch.
`vcs-type`	The type of version control used by the container source. Generally one of git, hg, svn, bzr, cvs
`vendor`	Name of the vendor.
`version`	Version of the image.

architecture

Architecture the software in the image should target.

build-date

Date/Time image was built as RFC 3339 date-time.

com.redhat.component

The Bugzilla component name where bugs against this container should be reported by users.

description

Detailed description of the image.

distribution-scope

Scope of intended distribution of the image. (private/authoritative-source-only/restricted/public).

io.k8s.description

Description of the container displayed in Kubernetes.

name

Name of the Image or Container.

release

Release Number for this version.

url

A URL where the user can find more information about the image.

vcs-ref

A 'reference' within the version control repository; e.g. a git commit, or a subversion branch.

vcs-type

The type of version control used by the container source. Generally one of git, hg, svn, bzr, cvs

vendor

Name of the vendor.

version

Version of the image.

Optional OCI image labels

The following labels are optional with optional_labels for the Optional labels rule.

Required label Description

Required label	Description
`maintainer`	The name and email of the maintainer (usually the submitter). Should contain `@redhat.com` or `Red Hat`.
`summary`	A short description of the image.

maintainer

The name and email of the maintainer (usually the submitter). Should contain `@redhat.com` or `Red Hat`.

summary

A short description of the image.

Disallowed OCI image labels

The following labels are optional with disallowed_inherited_labels for the Disallowed inherited labels rule.

description
io.k8s.description
io.k8s.display-name
io.openshift.tags
summary
name
com.redhat.component

Required File Based Catalog (FBC) image labels

The following labels are mandatory with fbc_required_labels for the Required labels rule.

None configured

Optional File Based Catalog (FBC) image labels

The following labels are optional with fbc_optional_labels for the Optional labels rule.

None configured

Disallowed File Based Catalog (FBC) image labels

The following labels are optional with fbc_disallowed_inherited_labels for the Disallowed inherited labels rule.

None configured

Required Tekton tasks

The following tasks are required for specific PipelineRuns types determined by the pipelines.openshift.io/runtime label for the All required tasks were included in the pipeline rule.

Pipeline type Since Tasks

Pipeline type	Since	Tasks
fbc	2023-08-31T00:00:00Z	`buildah,buildah-10gb,buildah-6gb,buildah-8gb,buildah-remote` `deprecated-image-check` `fbc-related-image-check` `fbc-validation` `git-clone` `init` `inspect-image` `show-sbom` `summary`
docker	2023-12-31T00:00:00Z	`buildah,buildah-10gb,buildah-6gb,buildah-8gb,buildah-remote` `clair-scan` `clamav-scan` `deprecated-image-check` `git-clone` `init` `prefetch-dependencies` `sast-snyk-check` `show-sbom` `source-build` `summary`
2023-11-11T00:00:00Z	`buildah,buildah-10gb,buildah-6gb,buildah-8gb,buildah-remote` `clair-scan` `clamav-scan` `deprecated-image-check` `git-clone` `init` `prefetch-dependencies` `sast-snyk-check` `sbom-json-check` `show-sbom` `summary`
generic	2023-12-31T00:00:00Z	`buildah,buildah-10gb,buildah-6gb,buildah-8gb,buildah-remote` `clair-scan` `clamav-scan` `deprecated-image-check` `git-clone` `init` `prefetch-dependencies` `sast-snyk-check` `show-sbom` `source-build` `summary`
2023-08-31T00:00:00Z	`buildah,buildah-10gb,buildah-6gb,buildah-8gb,buildah-remote` `clair-scan` `clamav-scan` `deprecated-image-check` `git-clone` `init` `prefetch-dependencies` `sast-snyk-check` `sbom-json-check` `show-sbom` `summary`
java	2023-12-31T00:00:00Z	`clair-scan` `clamav-scan` `deprecated-image-check` `git-clone` `init` `prefetch-dependencies` `s2i-java` `sast-snyk-check` `show-sbom` `source-build` `summary`
2023-08-31T00:00:00Z	`clair-scan` `clamav-scan` `deprecated-image-check` `git-clone` `init` `prefetch-dependencies` `s2i-java` `sast-snyk-check` `sbom-json-check` `show-sbom` `summary`
nodejs	2023-12-31T00:00:00Z	`clair-scan` `clamav-scan` `deprecated-image-check` `git-clone` `init` `prefetch-dependencies` `s2i-nodejs` `sast-snyk-check` `show-sbom` `source-build` `summary`
2023-08-31T00:00:00Z	`clair-scan` `clamav-scan` `deprecated-image-check` `git-clone` `init` `prefetch-dependencies` `s2i-nodejs` `sast-snyk-check` `sbom-json-check` `show-sbom` `summary`

fbc

2023-08-31T00:00:00Z

buildah,buildah-10gb,buildah-6gb,buildah-8gb,buildah-remote
deprecated-image-check
fbc-related-image-check
fbc-validation
git-clone
init
inspect-image
show-sbom
summary

docker

2023-12-31T00:00:00Z

buildah,buildah-10gb,buildah-6gb,buildah-8gb,buildah-remote
clair-scan
clamav-scan
deprecated-image-check
git-clone
init
prefetch-dependencies
sast-snyk-check
show-sbom
source-build
summary

2023-11-11T00:00:00Z

buildah,buildah-10gb,buildah-6gb,buildah-8gb,buildah-remote
clair-scan
clamav-scan
deprecated-image-check
git-clone
init
prefetch-dependencies
sast-snyk-check
sbom-json-check
show-sbom
summary

generic

2023-12-31T00:00:00Z

buildah,buildah-10gb,buildah-6gb,buildah-8gb,buildah-remote
clair-scan
clamav-scan
deprecated-image-check
git-clone
init
prefetch-dependencies
sast-snyk-check
show-sbom
source-build
summary

2023-08-31T00:00:00Z

buildah,buildah-10gb,buildah-6gb,buildah-8gb,buildah-remote
clair-scan
clamav-scan
deprecated-image-check
git-clone
init
prefetch-dependencies
sast-snyk-check
sbom-json-check
show-sbom
summary

java

2023-12-31T00:00:00Z

clair-scan
clamav-scan
deprecated-image-check
git-clone
init
prefetch-dependencies
s2i-java
sast-snyk-check
show-sbom
source-build
summary

2023-08-31T00:00:00Z

clair-scan
clamav-scan
deprecated-image-check
git-clone
init
prefetch-dependencies
s2i-java
sast-snyk-check
sbom-json-check
show-sbom
summary

nodejs

2023-12-31T00:00:00Z

clair-scan
clamav-scan
deprecated-image-check
git-clone
init
prefetch-dependencies
s2i-nodejs
sast-snyk-check
show-sbom
source-build
summary

2023-08-31T00:00:00Z

clair-scan
clamav-scan
deprecated-image-check
git-clone
init
prefetch-dependencies
s2i-nodejs
sast-snyk-check
sbom-json-check
show-sbom
summary

The following tasks are required for the for PipelineRuns that do not contain the pipelines.openshift.io/runtime label.

Since Tasks

Since	Tasks
2023-12-31T00:00:00Z	`clair-scan` `clamav-scan` `git-clone` `init` `prefetch-dependencies` `sast-snyk-check` `source-build` `summary`
2023-08-31T00:00:00Z	`clair-scan` `clamav-scan` `git-clone` `init` `prefetch-dependencies` `sast-snyk-check` `summary`

2023-12-31T00:00:00Z

clair-scan
clamav-scan
git-clone
init
prefetch-dependencies
sast-snyk-check
source-build
summary

2023-08-31T00:00:00Z

clair-scan
clamav-scan
git-clone
init
prefetch-dependencies
sast-snyk-check
summary