verify-conforma-konflux-ta

Version: 0.1

Synopsis

Verify the enterprise contract is met

Params

SNAPSHOT_FILENAME (string)

The filename of the Snapshot that is located within the trusted artifact

SOURCE_DATA_ARTIFACT (string)

Trusted Artifact to use to obtain the Snapshot to validate.

POLICY_CONFIGURATION (string)

Name of the policy configuration (EnterpriseContractPolicy resource) to use. namespace/name or name syntax supported. If namespace is omitted the namespace where the task runs is used. You can also specify a policy configuration using a git url, e.g. github.com/conforma/config//slsa3.

Default: enterprise-contract-service/default

PUBLIC_KEY (string)

Public key used to verify signatures. Must be a valid k8s cosign reference, e.g. k8s://my-space/my-secret where my-secret contains the expected cosign.pub attribute.

REKOR_HOST (string)

Rekor host for transparency log lookups

IGNORE_REKOR (string)

Skip Rekor transparency log checks during validation.

Default: false

TUF_MIRROR (string)

TUF mirror URL. Provide a value when NOT using public sigstore deployment.

SSL_CERT_DIR (string)

Path to a directory containing SSL certs to be used when communicating with external services. This is useful when using the integrated registry and a local instance of Rekor on a development cluster which may use certificates issued by a not-commonly trusted root CA. In such cases, /var/run/secrets/kubernetes.io/serviceaccount is a good value. Multiple paths can be provided by using the : separator.

CA_TRUST_CONFIGMAP_NAME (string)

The name of the ConfigMap to read CA bundle data from.

Default: trusted-ca

CA_TRUST_CONFIG_MAP_KEY (string)

The name of the key in the ConfigMap that contains the CA bundle data.

Default: ca-bundle.crt

INFO (string)

Include rule titles and descriptions in the output. Set to "false" to disable it.

Default: true

STRICT (string)

Fail the task if policy fails. Set to "false" to disable it.

Default: true

HOMEDIR (string)

Value for the HOME environment variable.

Default: /tekton/home

EFFECTIVE_TIME (string)

Run policy checks with the provided time.

Default: now

EXTRA_RULE_DATA (string)

Merge additional Rego variables into the policy data. Use syntax "key=value,key2=value2…​"

TIMEOUT (string)

This param is deprecated and will be removed in future. Its value is ignored. EC will be run without a timeout. (If you do want to apply a timeout use the Tekton task timeout.)

WORKERS (string)

Number of parallel workers to use for policy evaluation. This parameter is currently not used. All policy evaluations are run with 35 workers.

Default: 35

SINGLE_COMPONENT (string)

Reduce the Snapshot to only the component whose build caused the Snapshot to be created

Default: false

SINGLE_COMPONENT_CUSTOM_RESOURCE (string)

Name, including kind, of the Kubernetes resource to query for labels when single component mode is enabled, e.g. pr/somepipeline.

Default: unknown

SINGLE_COMPONENT_CUSTOM_RESOURCE_NS (string)

Kubernetes namespace where the SINGLE_COMPONENT_NAME is found. Only used when single component mode is enabled.

ORAS_OPTIONS (string)

oras options to pass to Trusted Artifacts calls

TRUSTED_ARTIFACTS_DEBUG (string)

Flag to enable debug logging in trusted artifacts. Set to a non-empty string to enable.

TRUSTED_ARTIFACTS_EXTRACT_DIR (string)

Directory to use to extract trusted artifact archive.

Default: /var/workdir/conforma

Results

TEST_OUTPUT

Short summary of the policy evaluation for each image