Created
March 21, 2023 10:28
Gist: sahil143/2a5a83b3acdd6429d1f6946001808361
components:
- containerImage: quay.io/redhat-appstudio/user-workload:GE4iZ-devfile-sample-code-with-quarkus-skok
  name: devfile-sample-code-with-quarkus-skok
  success: false
  violations:
  - msg: 'Image URL is not accessible: HEAD https://quay.io/v2/redhat-appstudio/user-workload/manifests/GE4iZ-devfile-sample-code-with-quarkus-skok:
      unexpected status code 404 Not Found (HEAD responses have no body, use GET for
      details)'
- containerImage: quay.io/redhat-appstudio/user-workload:GE4iZ-devfile-sample-python-basic-pd53
  name: devfile-sample-python-basic-pd53
  success: false
  violations:
  - msg: 'Image URL is not accessible: HEAD https://quay.io/v2/redhat-appstudio/user-workload/manifests/GE4iZ-devfile-sample-python-basic-pd53:
      unexpected status code 404 Not Found (HEAD responses have no body, use GET for
      details)'
- containerImage: quay.io/redhat-appstudio/user-workload@sha256:086df3bae1e7965f395950017fafa4162fff87ed74e6297212fe38b9132007b1
  name: devfile-sample-go-basic-0pgi
  signatures:
  - keyid: SHA256:ngBmVXGMzx/ZriUdur0MtnnIuZLYWY5tvPslf7LvE3c
    metadata:
      predicateBuildType: tekton.dev/v1beta1/TaskRun
      predicateType: https://slsa.dev/provenance/v0.2
      type: https://in-toto.io/Statement/v0.1
    sig: MEQCIDkLPr826ueK0KsUaa3fOotvbPTxC8OdgXCHav5KM1P6AiA7QOlwv2bxWMwUX3Hlv/3ZWPACgOIhhMckdDV6cY+lvA==
  - keyid: SHA256:ngBmVXGMzx/ZriUdur0MtnnIuZLYWY5tvPslf7LvE3c
    metadata:
      predicateBuildType: tekton.dev/v1beta1/PipelineRun
      predicateType: https://slsa.dev/provenance/v0.2
      type: https://in-toto.io/Statement/v0.1
    sig: MEYCIQCv/4cS3wqlX7AupDrk5gd0dp0JKYOwvBpiGKvzCBWc+QIhAMP7xdOTPVta3U+kPMVq+aIHMwbVDHnakJR2md509S5I
  success: false
  successes:
  - metadata:
      code: attestation_task_bundle.disallowed_task_reference
      collections:
      - minimal
      description: Check for existence of a task bundle. Enforcing this rule will
        fail the contract if the task is not called from a bundle.
      title: Task bundle was not used or is not defined
    msg: Pass
  - metadata:
      code: attestation_task_bundle.empty_task_bundle_reference
      collections:
      - minimal
      description: Check for a valid task bundle reference being used.
      title: Task bundle reference is empty
    msg: Pass
  - metadata:
      code: attestation_type.missing_pipelinerun_attestation
      collections:
      - minimal
      description: At least one PipelineRun attestation must be present.
      title: Missing pipelinerun attestation
    msg: Pass
  - metadata:
      code: attestation_type.unknown_att_type
      collections:
      - minimal
      description: A sanity check to confirm the attestation found for the image has
        a known attestation type.
      title: Unknown attestation type found
    msg: Pass
  - metadata:
      code: base_image_registries.base_images_missing
      collections:
      - minimal
      description: The attestation must provide the expected information about which
        base images were used during the build process.
      title: Base images must be provided
    msg: Pass
  - metadata:
      code: base_image_registries.disallowed_base_image
      collections:
      - minimal
      description: The base images used when building a container image must come
        from a known set of trusted registries to reduce potential supply chain attacks.
        This policy defines trusted registries as registries that are fully maintained
        by Red Hat and only contain content produced by Red Hat.
      title: Restrict registry of base images
    msg: Pass
  - metadata:
      code: base_image_registries.missing_rule_data
      collections:
      - minimal
      description: The policy rules in this package require the allowed_registry_prefixes
        rule data to be provided.
      title: Missing rule data
    msg: Pass
  - metadata:
      code: cve.found_cve_vulnerabilities
      collections:
      - minimal
      description: |-
        The SLSA Provenance attestation for the image is inspected to ensure CVEs of certain security levels have not been detected. If detected, this policy rule will fail. By default, only CVEs of critical and high security level cause a failure. This is configurable by the rule data key "restrict_cve_security_levels". The available levels are critical, high,
        medium, and low.
      title: Found CVE vulnerabilities
    msg: Pass
  - metadata:
      code: cve.found_non_blocking_cve_vulnerabilities
      collections:
      - minimal
      description: |-
        The SLSA Provenance attestation for the image is inspected to ensure CVEs of certain security levels have not been detected. If detected, this policy rule will raise a warning. By default, the list of CVE security levels used by this policy is empty. However, this is configurable by the rule data key "warn_cve_security_levels". The available levels are critical, high,
        medium, and low.
      title: Found non-blocking CVE vulnerabilities
    msg: Pass
  - metadata:
      code: slsa_provenance_available.unexpected_predicate_type
      collections:
      - minimal
      - slsa1
      - slsa2
      - slsa3
      description: The predicateType field of the attestation must indicate the in-toto
        SLSA Provenance format was used to attest the PipelineRun.
      title: Attestation predicate type
    msg: Pass
  - metadata:
      code: slsa_source_version_controlled.material_non_git_uri
      collections:
      - minimal
      - slsa2
      - slsa3
      description: Each entry in the predicate.materials array of the attestation
        uses a git URI.
      title: Material from a git repository
    msg: Pass
  - metadata:
      code: slsa_source_version_controlled.material_without_git_commit
      collections:
      - minimal
      - slsa2
      - slsa3
      description: Each entry in the predicate.materials array of the attestation
        includes a SHA1 digest which corresponds to a git commit.
      title: Material with git commit digest
    msg: Pass
  - metadata:
      code: slsa_source_version_controlled.missing_materials
      collections:
      - minimal
      - slsa2
      - slsa3
      description: 'At least one entry in the predicate.materials array of the attestation
        contains the expected attributes: uri and digest.sha1.'
      title: Material format
    msg: Pass
  - metadata:
      code: tasks.tasks_missing
      collections:
      - minimal
      description: This policy enforces that at least one Task is present in the PipelineRun
        attestation.
      title: No tasks run
    msg: Pass
  violations:
  - metadata:
      code: cve.missing_cve_scan_results
      collections:
      - minimal
      description: The clair-scan task results have not been found in the SLSA Provenance
        attestation of the build pipeline.
      effective_on: "2022-01-01T00:00:00Z"
      title: Missing CVE scan results
    msg: CVE scan results not found
key: |
  -----BEGIN PUBLIC KEY-----
  MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWVUppvU1x8t866CQQSXbKpojoaTq
  imMnVnZ31e2ubZHKL1LdfgPG2gHIPeSeouTa8upOz9W+xxBFnA0X515Nsw==
  -----END PUBLIC KEY-----
policy:
  configuration:
    collections:
    - minimal
    exclude:
    - step_image_registries
  description: |
    Use the policy rules from the "minimal" collection. This and other collections are defined in https://redhat-appstudio.github.io/docs.stonesoup.io/ec-policies/release_policy.html#_available_rule_collections The minimal collection is a small set of policy rules that should be easy to pass for brand new Stonesoup users. If a different policy configuration is desired, this resource can serve as a starting point. See the docs on how to include and exclude rules https://redhat-appstudio.github.io/docs.stonesoup.io/ec-policies/policy_configuration.html#_including_and_excluding_rules
  publicKey: k8s://tekton-chains/public-key
  sources:
  - data:
    - oci::https://quay.io/hacbs-contract/ec-policy-data:git-9c9b9ad@sha256:350298530cd57866aec60b01c88c25f98eae08002bdb77e209ef36a5f42d5924
    name: Release Policies
    policy:
    - oci::https://quay.io/hacbs-contract/ec-release-policy:git-deaf0d2@sha256:270894294050c27a6308ad53c08d14e0250aebbef351d20c0bff0a3a4023a192
success: false

Error: success criteria not met