Blog
Gating Image Promotion on GitLab
Once you have a container image ready for promotion, it is important to first verify that the image meets certain criteria before it is made available to consumers. In this blog post, we look at how to achieve this in a GitLab pipeline.
Policies Polyglot: Evaluating Custom Predicates
Attestations are a wonderful way to attach metadata to container images in a secure manner. One of the most popular formats is SLSA Provenance which is used to provide information on how the image was created. Our Hitchhiker’s Guide demonstrates how to write policies to assert the contents of the SLSA Provenance. Here, we expand on that approach to assert the contents of any attestation format, even completely made up ones.
Introducing Action Validate for GitHub
You may already be familiar with using the EC-CLI Validate command for local container image validation. Now, you can seamlessly integrate this functionality directly into your build processes or any other automated workflow in GitHub.
A Taste of Policies
In a previous blog post, we introduced the basic concepts of the Enterprise Contract. This time, we explore it further to showcase the usage of policies.
Introducing the Enterprise Contract
You may have heard of sigstore and its container image verification tool, cosign. This blog post introduces a policy-driven workflow, Enterprise Contract, built on those technologies.