
@sahil143
Created March 21, 2023 10:28
components:
- containerImage: quay.io/redhat-appstudio/user-workload:GE4iZ-devfile-sample-code-with-quarkus-skok
  name: devfile-sample-code-with-quarkus-skok
  success: false
  violations:
  - msg: 'Image URL is not accessible: HEAD https://quay.io/v2/redhat-appstudio/user-workload/manifests/GE4iZ-devfile-sample-code-with-quarkus-skok:
      unexpected status code 404 Not Found (HEAD responses have no body, use GET for
      details)'
- containerImage: quay.io/redhat-appstudio/user-workload:GE4iZ-devfile-sample-python-basic-pd53
  name: devfile-sample-python-basic-pd53
  success: false
  violations:
  - msg: 'Image URL is not accessible: HEAD https://quay.io/v2/redhat-appstudio/user-workload/manifests/GE4iZ-devfile-sample-python-basic-pd53:
      unexpected status code 404 Not Found (HEAD responses have no body, use GET for
      details)'
- containerImage: quay.io/redhat-appstudio/user-workload@sha256:086df3bae1e7965f395950017fafa4162fff87ed74e6297212fe38b9132007b1
  name: devfile-sample-go-basic-0pgi
  signatures:
  - keyid: SHA256:ngBmVXGMzx/ZriUdur0MtnnIuZLYWY5tvPslf7LvE3c
    metadata:
      predicateBuildType: tekton.dev/v1beta1/TaskRun
      predicateType: https://slsa.dev/provenance/v0.2
      type: https://in-toto.io/Statement/v0.1
    sig: MEQCIDkLPr826ueK0KsUaa3fOotvbPTxC8OdgXCHav5KM1P6AiA7QOlwv2bxWMwUX3Hlv/3ZWPACgOIhhMckdDV6cY+lvA==
  - keyid: SHA256:ngBmVXGMzx/ZriUdur0MtnnIuZLYWY5tvPslf7LvE3c
    metadata:
      predicateBuildType: tekton.dev/v1beta1/PipelineRun
      predicateType: https://slsa.dev/provenance/v0.2
      type: https://in-toto.io/Statement/v0.1
    sig: MEYCIQCv/4cS3wqlX7AupDrk5gd0dp0JKYOwvBpiGKvzCBWc+QIhAMP7xdOTPVta3U+kPMVq+aIHMwbVDHnakJR2md509S5I
  success: false
  successes:
  - metadata:
      code: attestation_task_bundle.disallowed_task_reference
      collections:
      - minimal
      description: Check for existence of a task bundle. Enforcing this rule will
        fail the contract if the task is not called from a bundle.
      title: Task bundle was not used or is not defined
    msg: Pass
  - metadata:
      code: attestation_task_bundle.empty_task_bundle_reference
      collections:
      - minimal
      description: Check for a valid task bundle reference being used.
      title: Task bundle reference is empty
    msg: Pass
  - metadata:
      code: attestation_type.missing_pipelinerun_attestation
      collections:
      - minimal
      description: At least one PipelineRun attestation must be present.
      title: Missing pipelinerun attestation
    msg: Pass
  - metadata:
      code: attestation_type.unknown_att_type
      collections:
      - minimal
      description: A sanity check to confirm the attestation found for the image has
        a known attestation type.
      title: Unknown attestation type found
    msg: Pass
  - metadata:
      code: base_image_registries.base_images_missing
      collections:
      - minimal
      description: The attestation must provide the expected information about which
        base images were used during the build process.
      title: Base images must be provided
    msg: Pass
  - metadata:
      code: base_image_registries.disallowed_base_image
      collections:
      - minimal
      description: The base images used when building a container image must come
        from a known set of trusted registries to reduce potential supply chain attacks.
        This policy defines trusted registries as registries that are fully maintained
        by Red Hat and only contain content produced by Red Hat.
      title: Restrict registry of base images
    msg: Pass
  - metadata:
      code: base_image_registries.missing_rule_data
      collections:
      - minimal
      description: The policy rules in this package require the allowed_registry_prefixes
        rule data to be provided.
      title: Missing rule data
    msg: Pass
  - metadata:
      code: cve.found_cve_vulnerabilities
      collections:
      - minimal
      description: |-
        The SLSA Provenance attestation for the image is inspected to ensure CVEs of certain security levels have not been detected. If detected, this policy rule will fail. By default, only CVEs of critical and high security level cause a failure. This is configurable by the rule data key "restrict_cve_security_levels". The available levels are critical, high,
        medium, and low.
      title: Found CVE vulnerabilities
    msg: Pass
  - metadata:
      code: cve.found_non_blocking_cve_vulnerabilities
      collections:
      - minimal
      description: |-
        The SLSA Provenance attestation for the image is inspected to ensure CVEs of certain security levels have not been detected. If detected, this policy rule will raise a warning. By default, the list of CVE security levels used by this policy is empty. However, this is configurable by the rule data key "warn_cve_security_levels". The available levels are critical, high,
        medium, and low.
      title: Found non-blocking CVE vulnerabilities
    msg: Pass
  - metadata:
      code: slsa_provenance_available.unexpected_predicate_type
      collections:
      - minimal
      - slsa1
      - slsa2
      - slsa3
      description: The predicateType field of the attestation must indicate the in-toto
        SLSA Provenance format was used to attest the PipelineRun.
      title: Attestation predicate type
    msg: Pass
  - metadata:
      code: slsa_source_version_controlled.material_non_git_uri
      collections:
      - minimal
      - slsa2
      - slsa3
      description: Each entry in the predicate.materials array of the attestation
        uses a git URI.
      title: Material from a git repository
    msg: Pass
  - metadata:
      code: slsa_source_version_controlled.material_without_git_commit
      collections:
      - minimal
      - slsa2
      - slsa3
      description: Each entry in the predicate.materials array of the attestation
        includes a SHA1 digest which corresponds to a git commit.
      title: Material with git commit digest
    msg: Pass
  - metadata:
      code: slsa_source_version_controlled.missing_materials
      collections:
      - minimal
      - slsa2
      - slsa3
      description: 'At least one entry in the predicate.materials array of the attestation
        contains the expected attributes: uri and digest.sha1.'
      title: Material format
    msg: Pass
  - metadata:
      code: tasks.tasks_missing
      collections:
      - minimal
      description: This policy enforces that at least one Task is present in the PipelineRun
        attestation.
      title: No tasks run
    msg: Pass
  violations:
  - metadata:
      code: cve.missing_cve_scan_results
      collections:
      - minimal
      description: The clair-scan task results have not been found in the SLSA Provenance
        attestation of the build pipeline.
      effective_on: "2022-01-01T00:00:00Z"
      title: Missing CVE scan results
    msg: CVE scan results not found
key: |
  -----BEGIN PUBLIC KEY-----
  MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWVUppvU1x8t866CQQSXbKpojoaTq
  imMnVnZ31e2ubZHKL1LdfgPG2gHIPeSeouTa8upOz9W+xxBFnA0X515Nsw==
  -----END PUBLIC KEY-----
policy:
  configuration:
    collections:
    - minimal
    exclude:
    - step_image_registries
  description: |
    Use the policy rules from the "minimal" collection. This and other collections are defined in https://redhat-appstudio.github.io/docs.stonesoup.io/ec-policies/release_policy.html#_available_rule_collections The minimal collection is a small set of policy rules that should be easy to pass for brand new Stonesoup users. If a different policy configuration is desired, this resource can serve as a starting point. See the docs on how to include and exclude rules https://redhat-appstudio.github.io/docs.stonesoup.io/ec-policies/policy_configuration.html#_including_and_excluding_rules
  publicKey: k8s://tekton-chains/public-key
  sources:
  - data:
    - oci::https://quay.io/hacbs-contract/ec-policy-data:git-9c9b9ad@sha256:350298530cd57866aec60b01c88c25f98eae08002bdb77e209ef36a5f42d5924
    name: Release Policies
    policy:
    - oci::https://quay.io/hacbs-contract/ec-release-policy:git-deaf0d2@sha256:270894294050c27a6308ad53c08d14e0250aebbef351d20c0bff0a3a4023a192
success: false
Error: success criteria not met
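The two "Image URL is not accessible" violations above come from a HEAD request against the registry's /v2/<repository>/manifests/<reference> endpoint, and the message itself points out that a HEAD carries no body, so the registry's reason is only visible on a GET. The Go program below is an added example, not code from the gist or from the ec tool: it maps both reference forms seen in the output (a tag and an @sha256 digest) onto that manifests path, probes it with HEAD, and on a non-2xx status repeats the request as GET to capture the distribution-spec error body. To run offline it talks to a constructed in-process registry (net/http/httptest) whose single "known-tag" and MANIFEST_UNKNOWN error are made up for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// ManifestPath maps an image reference to its registry host and the OCI
// distribution "manifests" path that the accessibility check probes. Both
// reference forms in the output are handled: host/repo:tag and
// host/repo@sha256:digest. A bare host/repo defaults to the "latest" tag.
func ManifestPath(ref string) (string, string, error) {
	host, rest, ok := strings.Cut(ref, "/")
	if !ok {
		return "", "", fmt.Errorf("reference %q has no registry host", ref)
	}
	var repo, reference string
	if i := strings.Index(rest, "@"); i >= 0 {
		repo, reference = rest[:i], rest[i+1:] // digest form keeps "sha256:" prefix
	} else if i := strings.LastIndex(rest, ":"); i >= 0 {
		repo, reference = rest[:i], rest[i+1:] // tag form
	} else {
		repo, reference = rest, "latest"
	}
	return host, "/v2/" + repo + "/manifests/" + reference, nil
}

// RegistryError is the distribution-spec error body a registry returns for a
// failed manifest request: {"errors":[{"code":...,"message":...}]}.
type RegistryError struct {
	Errors []struct {
		Code    string `json:"code"`
		Message string `json:"message"`
	} `json:"errors"`
}

// ProbeManifest does what the violation message hints at: HEAD first, and on
// a non-2xx status a GET of the same URL so the error body (absent from HEAD
// responses) can be reported. Returns the HEAD status and any detail found.
func ProbeManifest(client *http.Client, url string) (int, string, error) {
	head, err := client.Head(url)
	if err != nil {
		return 0, "", err
	}
	head.Body.Close()
	if head.StatusCode >= 200 && head.StatusCode < 300 {
		return head.StatusCode, "", nil
	}
	get, err := client.Get(url)
	if err != nil {
		return head.StatusCode, "", err
	}
	defer get.Body.Close()
	body, _ := io.ReadAll(io.LimitReader(get.Body, 64<<10))
	var re RegistryError
	if json.Unmarshal(body, &re) == nil && len(re.Errors) > 0 {
		return head.StatusCode, re.Errors[0].Code + ": " + re.Errors[0].Message, nil
	}
	return head.StatusCode, strings.TrimSpace(string(body)), nil
}

// NewFakeRegistry is a constructed stand-in for quay.io so the example runs
// offline: it serves one tag, "known-tag", and answers every other manifest
// request with 404, attaching the JSON error body only to non-HEAD requests.
func NewFakeRegistry() *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/v2/", func(w http.ResponseWriter, r *http.Request) {
		if strings.HasSuffix(r.URL.Path, "/manifests/known-tag") {
			w.WriteHeader(http.StatusOK)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		w.WriteHeader(http.StatusNotFound)
		if r.Method != http.MethodHead {
			fmt.Fprint(w, `{"errors":[{"code":"MANIFEST_UNKNOWN","message":"manifest unknown"}]}`)
		}
	})
	return httptest.NewServer(mux)
}

func main() {
	srv := NewFakeRegistry()
	defer srv.Close()
	for _, ref := range []string{
		"quay.io/redhat-appstudio/user-workload:GE4iZ-devfile-sample-python-basic-pd53",
		"quay.io/redhat-appstudio/user-workload:known-tag",
	} {
		_, path, err := ManifestPath(ref)
		if err != nil {
			panic(err)
		}
		status, detail, err := ProbeManifest(srv.Client(), srv.URL+path)
		fmt.Printf("%s -> HEAD %d %s %v\n", ref, status, detail, err)
	}
}
```

Against a real registry, swap srv.URL for "https://" plus the host returned by ManifestPath; a 404 with MANIFEST_UNKNOWN on the GET is the usual confirmation that the tag in the snapshot was never pushed (or was garbage-collected), as opposed to an auth problem, which shows up as 401 with a UNAUTHORIZED body.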
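The signatures block lists, per attestation, a keyid of the form SHA256:<base64> and a base64 ECDSA signature, and the key printed at the end of the output is a P-256 public key in PEM. The Go program below is an added example, not code from the gist, from ec, or from Tekton Chains. It parses that key and computes an OpenSSH-style SHA256 fingerprint for it; that this is how the keyid values were derived is an assumption, not something the page states, so the code prints the fingerprint for comparison rather than asserting it. Because the attestation bodies themselves are not on the page, the second half signs a constructed in-toto statement with a throwaway key over its DSSE pre-authentication encoding (PAE), producing the same DER-encoded ECDSA form as the sig field, and verifies it both intact and tampered.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/binary"
	"encoding/pem"
	"errors"
	"fmt"
)

// TektonChainsKey is the key printed under "key:" in the output above.
const TektonChainsKey = `-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWVUppvU1x8t866CQQSXbKpojoaTq
imMnVnZ31e2ubZHKL1LdfgPG2gHIPeSeouTa8upOz9W+xxBFnA0X515Nsw==
-----END PUBLIC KEY-----`

// InTotoPayloadType is the DSSE payloadType for in-toto statements.
const InTotoPayloadType = "application/vnd.in-toto+json"

// ParseECDSAPublicKey decodes a PEM "PUBLIC KEY" (PKIX/SPKI) block into an ECDSA key.
func ParseECDSAPublicKey(pemText string) (*ecdsa.PublicKey, error) {
	block, _ := pem.Decode([]byte(pemText))
	if block == nil || block.Type != "PUBLIC KEY" {
		return nil, errors.New("no PUBLIC KEY block found")
	}
	pub, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return nil, err
	}
	ec, ok := pub.(*ecdsa.PublicKey)
	if !ok {
		return nil, errors.New("not an ECDSA key")
	}
	return ec, nil
}

// sshString is the SSH wire encoding of a byte string: uint32 length, then bytes.
func sshString(b []byte) []byte {
	out := make([]byte, 4+len(b))
	binary.BigEndian.PutUint32(out, uint32(len(b)))
	copy(out[4:], b)
	return out
}

// SSHFingerprint returns an OpenSSH-style "SHA256:<unpadded base64>" fingerprint
// of a P-256 key, i.e. SHA-256 over the SSH public-key wire encoding.
// ASSUMPTION: this is the derivation behind the keyid values in the output
// (it is what golang.org/x/crypto/ssh's FingerprintSHA256 computes; encoded by
// hand here so the example needs only the standard library).
func SSHFingerprint(pub *ecdsa.PublicKey) (string, error) {
	if pub.Curve != elliptic.P256() {
		return "", errors.New("only P-256 keys are handled here")
	}
	point := elliptic.Marshal(pub.Curve, pub.X, pub.Y) // 0x04 || X || Y
	var wire []byte
	wire = append(wire, sshString([]byte("ecdsa-sha2-nistp256"))...)
	wire = append(wire, sshString([]byte("nistp256"))...)
	wire = append(wire, sshString(point)...)
	sum := sha256.Sum256(wire)
	return "SHA256:" + base64.RawStdEncoding.EncodeToString(sum[:]), nil
}

// PAE is DSSE's pre-authentication encoding: the bytes actually signed are
// "DSSEv1 <len(type)> <type> <len(payload)> <payload>", not the raw statement.
func PAE(payloadType string, payload []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(payloadType), payloadType, len(payload), payload))
}

// NewThrowawayKey generates a P-256 key pair for the demonstration only.
func NewThrowawayKey() *ecdsa.PrivateKey {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return priv
}

// SignStatement returns a base64 ASN.1 DER ECDSA signature (the encoding of the
// sig field above) over SHA-256 of the statement's PAE.
func SignStatement(priv *ecdsa.PrivateKey, statement []byte) (string, error) {
	digest := sha256.Sum256(PAE(InTotoPayloadType, statement))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(sig), nil
}

// VerifyStatement checks a base64 DER signature against the statement's PAE.
func VerifyStatement(pub *ecdsa.PublicKey, statement []byte, sigB64 string) bool {
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return false
	}
	digest := sha256.Sum256(PAE(InTotoPayloadType, statement))
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	pub, err := ParseECDSAPublicKey(TektonChainsKey)
	if err != nil {
		panic(err)
	}
	fp, _ := SSHFingerprint(pub)
	fmt.Println("fingerprint of the output's key:", fp)

	// Constructed statement signed with a throwaway key, then checked intact and tampered.
	priv := NewThrowawayKey()
	stmt := []byte(`{"_type":"https://in-toto.io/Statement/v0.1","predicateType":"https://slsa.dev/provenance/v0.2","subject":[],"predicate":{}}`)
	sig, _ := SignStatement(priv, stmt)
	fmt.Println("intact statement verifies:", VerifyStatement(&priv.PublicKey, stmt, sig))
	fmt.Println("tampered statement verifies:", VerifyStatement(&priv.PublicKey, append(stmt, ' '), sig))
}
```

The PAE step is the part people get wrong when re-verifying cosign or Tekton Chains attestations by hand: verifying the signature over the bare JSON payload always fails even with the right key. Note also that the key must match what the policy's publicKey (k8s://tekton-chains/public-key) resolves to; a rotated Chains key leaves old attestations verifiable only with the old public key.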
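Three cve.* rules appear in the output: cve.missing_cve_scan_results (the one that fails here), cve.found_cve_vulnerabilities, which blocks on the levels in restrict_cve_security_levels (default critical and high), and cve.found_non_blocking_cve_vulnerabilities, which only warns on warn_cve_security_levels (default empty). The Go program below is an added example, not the policy's own Rego, reproducing that decision logic over two constructed SLSA v0.2 provenance fragments, one without any scan task and one with counts at several levels. Assumed, because the page does not show them: the task result name CLAIR_SCAN_RESULT with a {"vulnerabilities": {level: count}} JSON value, and the Tekton Chains buildConfig.tasks[].results layout of the predicate.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Defaults stated by the two rule descriptions above.
var (
	DefaultRestrictLevels = []string{"critical", "high"}
	DefaultWarnLevels     = []string{}
)

// ScanResultName is the task result the check looks for. ASSUMPTION: the page
// only says "clair-scan task results"; the name and the
// {"vulnerabilities":{level:count}} value shape are assumed here.
const ScanResultName = "CLAIR_SCAN_RESULT"

// Provenance models only the parts of a Tekton Chains SLSA v0.2 attestation the
// check reads: the predicate type and each task's results under buildConfig.
type Provenance struct {
	PredicateType string `json:"predicateType"`
	Predicate     struct {
		BuildConfig struct {
			Tasks []struct {
				Name    string `json:"name"`
				Results []struct {
					Name  string `json:"name"`
					Value string `json:"value"`
				} `json:"results"`
			} `json:"tasks"`
		} `json:"buildConfig"`
	} `json:"predicate"`
}

// Finding is one rule outcome, keyed by the rule codes used in the output.
type Finding struct{ Code, Msg string }

// findScanResult returns the per-level counts from the first parseable
// ScanResultName result, or false when no task produced one.
func findScanResult(prov Provenance) (map[string]int, bool) {
	for _, task := range prov.Predicate.BuildConfig.Tasks {
		for _, r := range task.Results {
			if r.Name != ScanResultName {
				continue
			}
			var v struct {
				Vulnerabilities map[string]int `json:"vulnerabilities"`
			}
			if json.Unmarshal([]byte(r.Value), &v) == nil && v.Vulnerabilities != nil {
				return v.Vulnerabilities, true
			}
		}
	}
	return nil, false
}

// nonZeroLevels lists the configured levels with at least one CVE, in the
// configured order, as "level=count".
func nonZeroLevels(counts map[string]int, levels []string) []string {
	var out []string
	for _, level := range levels {
		if counts[level] > 0 {
			out = append(out, fmt.Sprintf("%s=%d", level, counts[level]))
		}
	}
	return out
}

// EvaluateCVERules applies the three cve.* rules to one attestation and returns
// (violations, warnings): no scan result is a violation, CVEs at a restricted
// level are a violation, CVEs at a warn level are only a warning.
func EvaluateCVERules(attestation []byte, restrict, warn []string) ([]Finding, []Finding, error) {
	var prov Provenance
	if err := json.Unmarshal(attestation, &prov); err != nil {
		return nil, nil, err
	}
	if prov.PredicateType != "https://slsa.dev/provenance/v0.2" {
		return nil, nil, errors.New("unexpected predicateType " + prov.PredicateType)
	}
	counts, found := findScanResult(prov)
	if !found {
		return []Finding{{"cve.missing_cve_scan_results", "CVE scan results not found"}}, nil, nil
	}
	var violations, warnings []Finding
	if hit := nonZeroLevels(counts, restrict); len(hit) > 0 {
		violations = append(violations, Finding{"cve.found_cve_vulnerabilities", "Found " + strings.Join(hit, ", ")})
	}
	if hit := nonZeroLevels(counts, warn); len(hit) > 0 {
		warnings = append(warnings, Finding{"cve.found_non_blocking_cve_vulnerabilities", "Found " + strings.Join(hit, ", ")})
	}
	return violations, warnings, nil
}

// Constructed provenance fragments; the page does not include its attestation bodies.
const (
	ProvenanceWithoutScan = `{"predicateType":"https://slsa.dev/provenance/v0.2","predicate":{"buildConfig":{"tasks":[{"name":"build-container","results":[{"name":"IMAGE_DIGEST","value":"sha256:086df3bae1e7965f395950017fafa4162fff87ed74e6297212fe38b9132007b1"}]}]}}}`
	ProvenanceWithScan    = `{"predicateType":"https://slsa.dev/provenance/v0.2","predicate":{"buildConfig":{"tasks":[{"name":"build-container","results":[]},{"name":"clair-scan","results":[{"name":"CLAIR_SCAN_RESULT","value":"{\"vulnerabilities\":{\"critical\":0,\"high\":2,\"medium\":5,\"low\":9}}"}]}]}}}`
)

func main() {
	for name, att := range map[string]string{"without scan": ProvenanceWithoutScan, "with scan": ProvenanceWithScan} {
		violations, warnings, err := EvaluateCVERules([]byte(att), DefaultRestrictLevels, []string{"medium", "low"})
		fmt.Printf("%s: violations=%v warnings=%v err=%v\n", name, violations, warnings, err)
	}
}
```

The first fragment reproduces the failure in the output: a pipeline that built the image but never ran a scan task yields cve.missing_cve_scan_results regardless of level configuration, which is why adding the clair-scan task to the build pipeline, rather than relaxing restrict_cve_security_levels, is the fix that actually clears the violation.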