Conforma CLI

The Conforma CLI is used to verify signatures and evaluate policies for Software Supply Chain artifacts. Various sub-commands can be used to assert facts about an artifact such as:

  • Validating container image signature

  • Validating container image provenance

  • Evaluating policies over the container image provenance

This documentation includes Conforma Command Line reference documentation, and documentation on the Verify Enterprise Contract Task used to run Conforma in a Tekton pipeline.