Conforma Workflow Diagram

The workflow begins when continuous integration events occur within a Konflux Component. These events include code commits, pull requests, or manual triggers that initiate the build process. When a developer pushes code changes to a repository that is configured as a Konflux Component, the system automatically detects these changes and triggers a Build PipelineRun. This pipeline is responsible for compiling the source code into container images and other distributable artifacts. The Component represents the logical unit of software being built, while the Build PipelineRun is the actual execution context that will orchestrate all the build tasks, including compilation, testing, and artifact generation.

During the Build PipelineRun execution, the pipeline generates several critical build artifacts that will later be used for security validation. The primary artifacts include the Software Bill of Materials (SBOM), which is a comprehensive inventory of all software components and dependencies used in the build; the Provenance Attestation, which provides cryptographic proof of how the software was built, including build environment details, source code references, and build parameters; and the Component manifest, which describes the metadata and configuration of the built component. These artifacts are automatically generated by approved Konflux build tasks and are stored in Quay.io, Red Hat’s container registry. The SBOM uses the CycloneDX format and contains detailed information about all packages, libraries, and dependencies, while the provenance attestation follows the SLSA (Supply-chain Levels for Software Artifacts) specification to ensure build integrity and traceability.

Once the Build PipelineRun completes successfully, the system automatically creates a Snapshot resource. The Snapshot represents a point-in-time capture of all components within an Application, including the newly built component and its associated artifacts. This Snapshot serves as an immutable reference to the specific versions of all components that will undergo testing and potentially be released together. The Snapshot creation is a crucial step because it establishes the exact artifact versions that will be validated by Conforma and other security tools. It includes references to the container images stored in Quay.io, along with their cryptographic digests, ensuring that the artifacts cannot be tampered with after this point.

The creation of a new Snapshot automatically triggers the KNative Conforma Controller, which is a Kubernetes controller running within the OpenShift build cluster. This controller is responsible for orchestrating the security validation process for all artifacts referenced in the Snapshot. The controller monitors Snapshot creation events and initiates the Conforma validation workflow whenever new artifacts need to be evaluated.

The Conforma Controller performs a comprehensive validation of the Snapshot and its associated build artifacts by executing the 'ec validate image' command from the Conforma CLI tool. This validation process involves downloading and inspecting the SBOM, provenance attestations, and container images from Quay.io. The controller verifies the cryptographic signatures on these artifacts using Cosign and validates that they were produced by trusted build processes. It checks the SBOM for known vulnerabilities, validates that all dependencies come from approved sources, and ensures that the provenance attestation correctly describes the build process. The controller also verifies that all required build tasks were executed and that the build environment met the necessary security requirements, such as running in a hermetic (network-isolated) environment when required for release builds.

Upon validation of the build artifacts, the Conforma Controller generates a Verification Summary Attestation (VSA). The VSA is a cryptographically signed document that contains the complete output of the policy bundle evaluation, including all successes, warnings, and violations found during the validation process. It includes comprehensive information about which policies were evaluated, all validation results regardless of their severity, and references to the specific artifacts that were validated. This attestation is stored in Rekor, the transparency log component of Sigstore, ensuring that the validation results are tamper-evident and publicly verifiable. The VSA serves as a complete record of the security evaluation that can be processed by downstream validation tasks.

In parallel with the Conforma validation process, the creation of the Snapshot also triggers Integration Test PipelineRuns. These integration tests are designed to validate the functional correctness and compatibility of the components in the Snapshot. Integration Test Scenarios are automatically created for every Application and include both functional tests and policy validation tests. The integration test pipeline executes various test suites to ensure that the software works correctly in realistic deployment scenarios and that it integrates properly with other system components.

During the Integration Test PipelineRun, a dedicated Conforma task is executed that includes a decision point to check whether a VSA attestation already exists for the current Snapshot. If a VSA is present from the earlier controller validation (step 6), the task processes the VSA content and applies the current policy configuration to determine which results (successes, warnings, violations) are relevant for this specific validation context. If the VSA contains relevant violations based on the applied policy configuration, the Conforma task fails. If no VSA is present, the task executes the same 'ec validate image' command that the controller uses, but applies the policy configuration to consider only the relevant subset of results for the final pass/fail determination. This approach ensures consistent validation while allowing different policy configurations to focus on different aspects of the security evaluation.

When a development team is ready to release their software, they initiate a release process by creating a Release resource that references the validated Snapshot. This action triggers a Release PipelineRun, which is responsible for promoting the validated artifacts from the development environment to production or customer-facing registries. The release process is only initiated for Snapshots that have successfully passed all integration tests and security validations, ensuring that only high-quality, secure software is released.

The final step in the workflow occurs during the Release PipelineRun, where Conforma acts as a security gate that must be passed before the release can proceed. Similar to step 8, this involves a Conforma task that checks for the presence of a VSA attestation. If a VSA exists, the task processes the VSA content and applies the release policy configuration to determine if there are any relevant violations that would block the release. If the VSA contains violations that are relevant to the release policy configuration, the release process is blocked. If no VSA is present, the task performs the same validation as the controller by executing 'ec validate image', but only considers the subset of results that are relevant according to the release policy configuration. If this validation reveals relevant violations, the release process is blocked, preventing potentially insecure or non-compliant software from being released to customers. This final validation step ensures that all released software meets the specific security and compliance requirements defined for the release process.