Created
March 15, 2023 12:09
-
-
Save sahil143/646562cf8d90cc5e07e2c51d1adf4608 to your computer and use it in GitHub Desktop.
enterprise contract sample data
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "components": [ | |
| { | |
| "containerImage": "quay.io/redhat-appstudio/user-workload@sha256:7edda485ba347dd02ea616d32b3c49539d5e23946bb27bb88910d60bbf828e55", | |
| "name": "credit-review-portal-xcvp", | |
| "signatures": [ | |
| { | |
| "keyid": "SHA256:ngBmVXGMzx/ZriUdur0MtnnIuZLYWY5tvPslf7LvE3c", | |
| "metadata": { | |
| "predicateBuildType": "tekton.dev/v1beta1/TaskRun", | |
| "predicateType": "https://slsa.dev/provenance/v0.2", | |
| "type": "https://in-toto.io/Statement/v0.1" | |
| }, | |
| "sig": "MEQCIBXNEelLPQwvoWmcGy22X+brGA41aiybeQCS1uM3CxLmAiB1nepaOdJA4mzcw16LtVvmKp3p1iCpycHXxZEzfXMhJw==" | |
| }, | |
| { | |
| "keyid": "SHA256:ngBmVXGMzx/ZriUdur0MtnnIuZLYWY5tvPslf7LvE3c", | |
| "metadata": { | |
| "predicateBuildType": "tekton.dev/v1beta1/PipelineRun", | |
| "predicateType": "https://slsa.dev/provenance/v0.2", | |
| "type": "https://in-toto.io/Statement/v0.1" | |
| }, | |
| "sig": "MEYCIQCEPczkpEIt5S1CBcQiTUDuxD+ckhFtS6YX5LfzAKAauQIhAJZftqUKv8GDqfJOjwBmYq3n0ODQTKfd4OEN/Nz+NsSl" | |
| }, | |
| { | |
| "keyid": "SHA256:ngBmVXGMzx/ZriUdur0MtnnIuZLYWY5tvPslf7LvE3c", | |
| "metadata": { | |
| "predicateBuildType": "tekton.dev/v1beta1/PipelineRun", | |
| "predicateType": "https://slsa.dev/provenance/v0.2", | |
| "type": "https://in-toto.io/Statement/v0.1" | |
| }, | |
| "sig": "MEQCIFnUAQYoh2L5a37ClWLYXo2dMusfN+yyYl87LbskPDdzAiB84gj/9w+/UrMwvHWHHJruk37BiYTl1o7cmaNPxZ5PsA==" | |
| } | |
| ], | |
| "success": false, | |
| "successes": [ | |
| { | |
| "metadata": { | |
| "code": "attestation_task_bundle.disallowed_task_reference", | |
| "collections": [ | |
| "minimal" | |
| ], | |
| "description": "Check for existence of a task bundle. Enforcing this rule will\nfail the contract if the task is not called from a bundle.", | |
| "title": "Task bundle was not used or is not defined" | |
| }, | |
| "msg": "Pass" | |
| }, | |
| { | |
| "metadata": { | |
| "code": "attestation_task_bundle.empty_task_bundle_reference", | |
| "collections": [ | |
| "minimal" | |
| ], | |
| "description": "Check for a valid task bundle reference being used.", | |
| "title": "Task bundle reference is empty" | |
| }, | |
| "msg": "Pass" | |
| }, | |
| { | |
| "metadata": { | |
| "code": "attestation_type.missing_pipelinerun_attestation", | |
| "collections": [ | |
| "minimal" | |
| ], | |
| "description": "At least one PipelineRun attestation must be present.\n", | |
| "title": "Missing pipelinerun attestation" | |
| }, | |
| "msg": "Pass" | |
| }, | |
| { | |
| "metadata": { | |
| "code": "attestation_type.unknown_att_type", | |
| "collections": [ | |
| "minimal" | |
| ], | |
| "description": "A sanity check to confirm the attestation found for the image has a known\nattestation type.", | |
| "title": "Unknown attestation type found" | |
| }, | |
| "msg": "Pass" | |
| }, | |
| { | |
| "metadata": { | |
| "code": "base_image_registries.base_images_missing", | |
| "collections": [ | |
| "minimal" | |
| ], | |
| "description": "The attestation must provide the expected information about which base images\nwere used during the build process.", | |
| "title": "Base images must be provided" | |
| }, | |
| "msg": "Pass" | |
| }, | |
| { | |
| "metadata": { | |
| "code": "base_image_registries.missing_rule_data", | |
| "collections": [ | |
| "minimal" | |
| ], | |
| "description": "The policy rules in this package require the allowed_registry_prefixes\nrule data to be provided.", | |
| "title": "Missing rule data" | |
| }, | |
| "msg": "Pass" | |
| }, | |
| { | |
| "metadata": { | |
| "code": "cve.found_non_blocking_cve_vulnerabilities", | |
| "collections": [ | |
| "minimal" | |
| ], | |
| "description": "The SLSA Provenance attestation for the image is inspected to ensure CVEs of certain security levels have not been detected. If detected, this policy rule will raise a warning. By default, the list of CVE security levels used by this policy is empty. However, this is configurable by the rule data key \"warn_cve_security_levels\". The available levels are critical, high,\n medium, and low.", | |
| "title": "Found non-blocking CVE vulnerabilities" | |
| }, | |
| "msg": "Pass" | |
| }, | |
| { | |
| "metadata": { | |
| "code": "cve.missing_cve_scan_results", | |
| "collections": [ | |
| "minimal" | |
| ], | |
| "description": "The clair-scan task results have not been found in the SLSA Provenance attestation of the build pipeline.", | |
| "title": "Missing CVE scan results" | |
| }, | |
| "msg": "Pass" | |
| }, | |
| { | |
| "metadata": { | |
| "code": "slsa_provenance_available.unexpected_predicate_type", | |
| "collections": [ | |
| "minimal", | |
| "slsa1", | |
| "slsa2", | |
| "slsa3" | |
| ], | |
| "description": "The predicateType field of the attestation must indicate the in-toto SLSA Provenance format\nwas used to attest the PipelineRun.", | |
| "title": "Attestation predicate type" | |
| }, | |
| "msg": "Pass" | |
| }, | |
| { | |
| "metadata": { | |
| "code": "slsa_source_version_controlled.material_non_git_uri", | |
| "collections": [ | |
| "minimal", | |
| "slsa2", | |
| "slsa3" | |
| ], | |
| "description": "Each entry in the predicate.materials array of the attestation uses\na git URI.", | |
| "title": "Material from a git repository" | |
| }, | |
| "msg": "Pass" | |
| }, | |
| { | |
| "metadata": { | |
| "code": "slsa_source_version_controlled.material_without_git_commit", | |
| "collections": [ | |
| "minimal", | |
| "slsa2", | |
| "slsa3" | |
| ], | |
| "description": "Each entry in the predicate.materials array of the attestation includes\na SHA1 digest which corresponds to a git commit.", | |
| "title": "Material with git commit digest" | |
| }, | |
| "msg": "Pass" | |
| }, | |
| { | |
| "metadata": { | |
| "code": "slsa_source_version_controlled.missing_materials", | |
| "collections": [ | |
| "minimal", | |
| "slsa2", | |
| "slsa3" | |
| ], | |
| "description": "At least one entry in the predicate.materials array of the attestation contains\nthe expected attributes: uri and digest.sha1.", | |
| "title": "Material format" | |
| }, | |
| "msg": "Pass" | |
| }, | |
| { | |
| "metadata": { | |
| "code": "tasks.tasks_missing", | |
| "collections": [ | |
| "minimal" | |
| ], | |
| "description": "This policy enforces that at least one Task is present in the PipelineRun\nattestation.", | |
| "title": "No tasks run" | |
| }, | |
| "msg": "Pass" | |
| } | |
| ], | |
| "violations": [ | |
| { | |
| "metadata": { | |
| "code": "base_image_registries.disallowed_base_image", | |
| "collections": [ | |
| "minimal" | |
| ], | |
| "description": "The base images used when building a container image must come from a known set\nof trusted registries to reduce potential supply chain attacks. This policy\ndefines trusted registries as registries that are fully maintained by Red Hat\nand only contain content produced by Red Hat.", | |
| "effective_on": "2022-01-01T00:00:00Z", | |
| "title": "Restrict registry of base images" | |
| }, | |
| "msg": "Base image \"docker.io/library/openjdk:11-jdk@sha256:99bac5bf83633e3c7399aed725c8415e7b569b54e03e4599e580fc9cdb7c21ab\" is from a disallowed registry" | |
| }, | |
| { | |
| "metadata": { | |
| "code": "base_image_registries.disallowed_base_image", | |
| "collections": [ | |
| "minimal" | |
| ], | |
| "effective_on": "2022-01-01T00:00:00Z" | |
| }, | |
| "msg": "Base image \"quay.io/devfile/maven:3.8.1-openjdk-17-slim@sha256:a65cb519660f51b06f487a6f5de8c264e1e2bcdb32033f3f45b0899f7740ca0f\" is from a disallowed registry" | |
| }, | |
| { | |
| "metadata": { | |
| "code": "cve.found_cve_vulnerabilities", | |
| "collections": [ | |
| "minimal" | |
| ], | |
| "description": "The SLSA Provenance attestation for the image is inspected to ensure CVEs of certain security levels have not been detected. If detected, this policy rule will fail. By default, only CVEs of critical and high security level cause a failure. This is configurable by the rule data key \"restrict_cve_security_levels\". The available levels are critical, high,\n medium, and low.", | |
| "effective_on": "2022-01-01T00:00:00Z", | |
| "term": "critical", | |
| "title": "Found CVE vulnerabilities" | |
| }, | |
| "msg": "Found 1 CVE vulnerabilities of critical security level" | |
| }, | |
| { | |
| "metadata": { | |
| "code": "cve.found_cve_vulnerabilities", | |
| "collections": [ | |
| "minimal" | |
| ], | |
| "effective_on": "2022-01-01T00:00:00Z", | |
| "term": "high" | |
| }, | |
| "msg": "Found 1 CVE vulnerabilities of high security level" | |
| } | |
| ] | |
| } | |
| ], | |
| "key": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWVUppvU1x8t866CQQSXbKpojoaTq\nimMnVnZ31e2ubZHKL1LdfgPG2gHIPeSeouTa8upOz9W+xxBFnA0X515Nsw==\n-----END PUBLIC KEY-----\n", | |
| "policy": { | |
| "configuration": { | |
| "collections": [ | |
| "minimal" | |
| ], | |
| "exclude": [ | |
| "step_image_registries" | |
| ] | |
| }, | |
| "description": "Use the policy rules from the \"minimal\" collection. This and other collections are defined in https://redhat-appstudio.github.io/docs.stonesoup.io/ec-policies/release_policy.html#_available_rule_collections The minimal collection is a small set of policy rules that should be easy to pass for brand new Stonesoup users. If a different policy configuration is desired, this resource can serve as a starting point. See the docs on how to include and exclude rules https://redhat-appstudio.github.io/docs.stonesoup.io/ec-policies/policy_configuration.html#_including_and_excluding_rules\n", | |
| "publicKey": "k8s://tekton-chains/public-key", | |
| "sources": [ | |
| { | |
| "data": [ | |
| "oci::https://quay.io/hacbs-contract/ec-policy-data:latest@sha256:948877d0564c922d60dac24b4fce82ee2da74fa9bd1a4cdc6900b77dfd93af75" | |
| ], | |
| "name": "Release Policies", | |
| "policy": [ | |
| "oci::https://quay.io/hacbs-contract/ec-release-policy:latest@sha256:a41da88e27bab10dec2e61b1844a4053e73ea4a422fa2a4997a1a1366becd68d" | |
| ] | |
| } | |
| ] | |
| }, | |
| "success": false, | |
| "Error": "success criteria not met" | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment