Trusted Task checks Package

Confirm the expected trusted_tasks data keys have been provided in the expected format.

Solution: If provided, ensure the data is in the expected format.

Check if all Tekton Tasks use a Task definition by a pinned reference. When using the git resolver, a commit ID is expected for the revision parameter. When using the bundles resolver, the bundle parameter is expected to include an image reference with a digest.

Solution: Update the Pipeline definition so that all Task references have a pinned value as mentioned in the description.

Check if all Tekton Tasks defined with the bundle format contain a tag reference.

Solution: Update the Pipeline definition so that all Task references have a tagged value as mentioned in the description.

Confirm the trusted_tasks rule data was provided, since it’s required by the policy rules in this package.

Solution: Create a, or use an existing, trusted tasks list as a data source.

Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, all Tasks in the build Pipeline must be trusted.

Solution: If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure all Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available.

Check if all Tekton Tasks use the latest known Task reference. When warnings will be reported can be configured using the task_expiry_warning_days rule data setting. It holds the number of days before the task is to expire within which the warnings will be reported.

Solution: Update the Task reference to a newer version.

All input trusted artifacts must be produced on the pipeline. If they are not the artifact could have been injected by a rogue task.

Solution: Audit the pipeline to make sure all inputs are produced by the pipeline.

Confirm certain parameters provided to each builder Task have come from trusted Tasks.

Solution: Update your build Pipeline to ensure all the parameters provided to your builder Tasks come from trusted Tasks.