STEP-INITIALIZE-TUF
{"level":"info","ts":1746468714.424221,"caller":"entrypoint/entrypointer.go:265","msg":"Step was skipped due to when expressions were evaluated to false."}

STEP-REDUCE
Single Component mode? true
SNAPSHOT_CREATION_TYPE: component
SNAPSHOT_CREATION_COMPONENT: cluster-permission-acm-213
Single Component mode is true and Snapshot type is component
COMPONENT_COUNT: 1
{
  "application": "release-acm-213",
  "components": [
    {
      "name": "cluster-permission-acm-213",
      "containerImage": "quay.io/redhat-user-workloads/crt-redhat-acm-tenant/cluster-permission-acm-213@sha256:9db502289231e638c9343a758e1a4dae963b0457df9014d0d6d487531dfc2d27",
      "source": {
        "git": {
          "url": "https://github.com/stolostron/cluster-permission",
          "revision": "5f2384d385548a83c13420c157ba3281613cc2a9"
        }
      }
    }
  ],
  "artifacts": {}
}

STEP-VALIDATE
Success: false
Result: FAILURE
Violations: 68, Warnings: 14, Successes: 212

Components:
- Name: cluster-permission-acm-213-sha256:ec7d52e04a88c6af5427109df26b34e35850e0bc21f15549cf1764367e7f1431-amd64
  ImageRef: quay.io/redhat-user-workloads/crt-redhat-acm-tenant/cluster-permission-acm-213@sha256:ec7d52e04a88c6af5427109df26b34e35850e0bc21f15549cf1764367e7f1431
  Violations: 34, Warnings: 7, Successes: 106
- Name: cluster-permission-acm-213
  ImageRef: quay.io/redhat-user-workloads/crt-redhat-acm-tenant/cluster-permission-acm-213@sha256:9db502289231e638c9343a758e1a4dae963b0457df9014d0d6d487531dfc2d27
  Violations: 34, Warnings: 7, Successes: 106

Results:
✕ [Violation] hermetic_build_task.build_task_hermetic
  ImageRef: quay.io/redhat-user-workloads/crt-redhat-acm-tenant/cluster-permission-acm-213@sha256:ec7d52e04a88c6af5427109df26b34e35850e0bc21f15549cf1764367e7f1431
  Reason: Build task was not invoked with the hermetic parameter set
  Title: Build task called with hermetic param set
  Description: Verify the build task in the PipelineRun attestation was invoked with the proper parameters to make the build process hermetic. To exclude this rule add "hermetic_build_task.build_task_hermetic" to the `exclude` section of the policy configuration.
  Solution: Make sure the task that builds the image has a parameter named 'HERMETIC' and it's set to 'true'.

✕ [Violation] labels.disallowed_inherited_labels
  ImageRef: quay.io/redhat-user-workloads/crt-redhat-acm-tenant/cluster-permission-acm-213@sha256:ec7d52e04a88c6af5427109df26b34e35850e0bc21f15549cf1764367e7f1431
  Reason: The "com.redhat.component" label should not be inherited from the parent image
  Term: com.redhat.component
  Title: Disallowed inherited labels
  Description: Check that certain labels on the image have different values than the labels from the parent image. If the label is inherited from the parent image but not redefined for the image, it will contain an incorrect value for the image. Use the rule data `disallowed_inherited_labels` key to set the list of labels to check, or the `fbc_disallowed_inherited_labels` key for fbc images. To exclude this rule add "labels.disallowed_inherited_labels:com.redhat.component" to the `exclude` section of the policy configuration.
  Solution: Update the image build process to overwrite the inherited labels.

✕ [Violation] labels.disallowed_inherited_labels
  ImageRef: quay.io/redhat-user-workloads/crt-redhat-acm-tenant/cluster-permission-acm-213@sha256:ec7d52e04a88c6af5427109df26b34e35850e0bc21f15549cf1764367e7f1431
  Reason: The "description" label should not be inherited from the parent image
  Term: description
  Title: Disallowed inherited labels
  Description: Check that certain labels on the image have different values than the labels from the parent image. If the label is inherited from the parent image but not redefined for the image, it will contain an incorrect value for the image. Use the rule data `disallowed_inherited_labels` key to set the list of labels to check, or the `fbc_disallowed_inherited_labels` key for fbc images. To exclude this rule add "labels.disallowed_inherited_labels:description" to the `exclude` section of the policy configuration.
  Solution: Update the image build process to overwrite the inherited labels.

✕ [Violation] labels.disallowed_inherited_labels
  ImageRef: quay.io/redhat-user-workloads/crt-redhat-acm-tenant/cluster-permission-acm-213@sha256:ec7d52e04a88c6af5427109df26b34e35850e0bc21f15549cf1764367e7f1431
  Reason: The "io.k8s.description" label should not be inherited from the parent image
  Term: io.k8s.description
  Title: Disallowed inherited labels
  Description: Check that certain labels on the image have different values than the labels from the parent image. If the label is inherited from the parent image but not redefined for the image, it will contain an incorrect value for the image. Use the rule data `disallowed_inherited_labels` key to set the list of labels to check, or the `fbc_disallowed_inherited_labels` key for fbc images. To exclude this rule add "labels.disallowed_inherited_labels:io.k8s.description" to the `exclude` section of the policy configuration.
  Solution: Update the image build process to overwrite the inherited labels.

✕ [Violation] labels.disallowed_inherited_labels
  ImageRef: quay.io/redhat-user-workloads/crt-redhat-acm-tenant/cluster-permission-acm-213@sha256:ec7d52e04a88c6af5427109df26b34e35850e0bc21f15549cf1764367e7f1431
  Reason: The "io.k8s.display-name" label should not be inherited from the parent image
  Term: io.k8s.display-name
  Title: Disallowed inherited labels
  Description: Check that certain labels on the image have different values than the labels from the parent image. If the label is inherited from the parent image but not redefined for the image, it will contain an incorrect value for the image. Use the rule data `disallowed_inherited_labels` key to set the list of labels to check, or the `fbc_disallowed_inherited_labels` key for fbc images. To exclude this rule add "labels.disallowed_inherited_labels:io.k8s.display-name" to the `exclude` section of the policy configuration.
  Solution: Update the image build process to overwrite the inherited labels.

✕ [Violation] labels.disallowed_inherited_labels
  ImageRef: quay.io/redhat-user-workloads/crt-redhat-acm-tenant/cluster-permission-acm-213@sha256:ec7d52e04a88c6af5427109df26b34e35850e0bc21f15549cf1764367e7f1431
  Reason: The "io.openshift.tags" label should not be inherited from the parent image
  Term: io.openshift.tags
  Title: Disallowed inherited labels
  Description: Check that certain labels on the image have different values than the labels from the parent image. If the label is inherited from the parent image but not redefined for the image, it will contain an incorrect value for the image. Use the rule data `disallowed_inherited_labels` key to set the list of labels to check, or the `fbc_disallowed_inherited_labels` key for fbc images. To exclude this rule add "labels.disallowed_inherited_labels:io.openshift.tags" to the `exclude` section of the policy configuration.
  Solution: Update the image build process to overwrite the inherited labels.

✕ [Violation] labels.disallowed_inherited_labels
  ImageRef: quay.io/redhat-user-workloads/crt-redhat-acm-tenant/cluster-permission-acm-213@sha256:ec7d52e04a88c6af5427109df26b34e35850e0bc21f15549cf1764367e7f1431
  Reason: The "name" label should not be inherited from the parent image
  Term: name
  Title: Disallowed inherited labels
  Description: Check that certain labels on the image have different values than the labels from the parent image. If the label is inherited from the parent image but not redefined for the image, it will contain an incorrect value for the image. Use the rule data `disallowed_inherited_labels` key to set the list of labels to check, or the `fbc_disallowed_inherited_labels` key for fbc images. To exclude this rule add "labels.disallowed_inherited_labels:name" to the `exclude` section of the policy configuration.
  Solution: Update the image build process to overwrite the inherited labels.

✕ [Violation] labels.disallowed_inherited_labels
  ImageRef: quay.io/redhat-user-workloads/crt-redhat-acm-tenant/cluster-permission-acm-213@sha256:ec7d52e04a88c6af5427109df26b34e35850e0bc21f15549cf1764367e7f1431
  Reason: The "summary" label should not be inherited from the parent image
  Term: summary
  Title: Disallowed inherited labels
  Description: Check that certain labels on the image have different values than the labels from the parent image. If the label is inherited from the parent image but not redefined for the image, it will contain an incorrect value for the image. Use the rule data `disallowed_inherited_labels` key to set the list of labels to check, or the `fbc_disallowed_inherited_labels` key for fbc images. To exclude this rule add "labels.disallowed_inherited_labels:summary" to the `exclude` section of the policy configuration.
  Solution: Update the image build process to overwrite the inherited labels.

✕ [Violation] slsa_build_scripted_build.image_built_by_trusted_task
  ImageRef: quay.io/redhat-user-workloads/crt-redhat-acm-tenant/cluster-permission-acm-213@sha256:ec7d52e04a88c6af5427109df26b34e35850e0bc21f15549cf1764367e7f1431
  Reason: Image "quay.io/redhat-user-workloads/crt-redhat-acm-tenant/cluster-permission-acm-213@sha256:ec7d52e04a88c6af5427109df26b34e35850e0bc21f15549cf1764367e7f1431" not built by a trusted task: Build Task(s) "build-image-index,buildah-remote-oci-ta" are not trusted
  Title: Image built by trusted Task
  Description: Verify the digest of the image being validated is reported by a trusted Task in its IMAGE_DIGEST result. To exclude this rule add "slsa_build_scripted_build.image_built_by_trusted_task" to the `exclude` section of the policy configuration.
  Solution: Make sure the build Pipeline definition uses a trusted Task to build images.

✕ [Violation] source_image.exists
  ImageRef: quay.io/redhat-user-workloads/crt-redhat-acm-tenant/cluster-permission-acm-213@sha256:ec7d52e04a88c6af5427109df26b34e35850e0bc21f15549cf1764367e7f1431
  Reason: No source image references found
  Title: Exists
  Description: Verify the source container image exists. To exclude this rule add "source_image.exists" to the `exclude` section of the policy configuration.

✕ [Violation] tasks.required_tasks_found
  ImageRef: quay.io/redhat-user-workloads/crt-redhat-acm-tenant/cluster-permission-acm-213@sha256:ec7d52e04a88c6af5427109df26b34e35850e0bc21f15549cf1764367e7f1431
  Reason: One of "buildah", "buildah-10gb", "buildah-6gb", "buildah-8gb", "buildah-remote", "buildah-oci-ta", "buildah-remote-oci-ta" tasks is missing
  Terms: buildah, buildah-10gb, buildah-6gb, buildah-8gb, buildah-remote, buildah-oci-ta, buildah-remote-oci-ta
  Title: All required tasks were included in the pipeline
  Description: Ensure that the set of required tasks are included in the PipelineRun attestation. To exclude this rule add one or more of "tasks.required_tasks_found:buildah", "tasks.required_tasks_found:buildah-10gb", "tasks.required_tasks_found:buildah-6gb", "tasks.required_tasks_found:buildah-8gb", "tasks.required_tasks_found:buildah-remote", "tasks.required_tasks_found:buildah-oci-ta", "tasks.required_tasks_found:buildah-remote-oci-ta" to the `exclude` section of the policy configuration.
  Solution: Make sure all required tasks are in the build pipeline. The required task list is contained as https://conforma.dev/docs/ec-cli/configuration.html#_data_sources under the key 'required-tasks'.

✕ [Violation] tasks.required_tasks_found
  ImageRef: quay.io/redhat-user-workloads/crt-redhat-acm-tenant/cluster-permission-acm-213@sha256:ec7d52e04a88c6af5427109df26b34e35850e0bc21f15549cf1764367e7f1431
  Reason: Required task "clair-scan" is missing
  Term: clair-scan
  Title: All required tasks were included in the pipeline
  Description: Ensure that the set of required tasks are included in the PipelineRun attestation. To exclude this rule add "tasks.required_tasks_found:clair-scan" to the `exclude` section of the policy configuration.
  Solution: Make sure all required tasks are in the build pipeline. The required task list is contained as https://conforma.dev/docs/ec-cli/configuration.html#_data_sources under the key 'required-tasks'.

✕ [Violation] tasks.required_tasks_found
  ImageRef: quay.io/redhat-user-workloads/crt-redhat-acm-tenant/cluster-permission-acm-213@sha256:ec7d52e04a88c6af5427109df26b34e35850e0bc21f15549cf1764367e7f1431
  Reason: Required task "clamav-scan" is missing
  Term: clamav-scan
  Title: All required tasks were included in the pipeline
  Description: Ensure that the set of required tasks are included in the PipelineRun attestation. To exclude this rule add "tasks.required_tasks_found:clamav-scan" to the `exclude` section of the policy configuration.
  Solution: Make sure all required tasks are in the build pipeline. The required task list is contained as https://conforma.dev/docs/ec-cli/configuration.html#_data_sources under the key 'required-tasks'.

✕ [Violation] tasks.required_tasks_found
  ImageRef: quay.io/redhat-user-workloads/crt-redhat-acm-tenant/cluster-permission-acm-213@sha256:ec7d52e04a88c6af5427109df26b34e35850e0bc21f15549cf1764367e7f1431
  Reason: Required task "deprecated-image-check" is missing
  Term: deprecated-image-check
  Title: All required tasks were included in the pipeline
  Description: Ensure that the set of required tasks are included in the PipelineRun attestation. To exclude this rule add "tasks.required_tasks_found:deprecated-image-check" to the `exclude` section of the policy configuration.
  Solution: Make sure all required tasks are in the build pipeline. The required task list is contained as https://conforma.dev/docs/ec-cli/configuration.html#_data_sources under the key 'required-tasks'.

✕ [Violation] tasks.required_tasks_found
  ImageRef: quay.io/redhat-user-workloads/crt-redhat-acm-tenant/cluster-permission-acm-213@sha256:ec7d52e04a88c6af5427109df26b34e35850e0bc21f15549cf1764367e7f1431
  Reason: One of "git-clone", "git-clone-oci-ta" tasks is missing
  Terms: git-clone, git-clone-oci-ta
  Title: All required tasks were included in the pipeline
  Description: Ensure that the set of required tasks are included in the PipelineRun attestation. To exclude this rule add one or more of "tasks.required_tasks_found:git-clone", "tasks.required_tasks_found:git-clone-oci-ta" to the `exclude` section of the policy configuration.
  Solution: Make sure all required tasks are in the build pipeline. The required task list is contained as https://conforma.dev/docs/ec-cli/configuration.html#_data_sources under the key 'required-tasks'.

✕ [Violation] tasks.required_tasks_found
  ImageRef: quay.io/redhat-user-workloads/crt-redhat-acm-tenant/cluster-permission-acm-213@sha256:ec7d52e04a88c6af5427109df26b34e35850e0bc21f15549cf1764367e7f1431
  Reason: Required task "init" is missing
  Term: init
  Title: All required tasks were included in the pipeline
  Description: Ensure that the set of required tasks are included in the PipelineRun attestation. To exclude this rule add "tasks.required_tasks_found:init" to the `exclude` section of the policy configuration.
  Solution: Make sure all required tasks are in the build pipeline. The required task list is contained as https://conforma.dev/docs/ec-cli/configuration.html#_data_sources under the key 'required-tasks'.

✕ [Violation] tasks.required_tasks_found
  ImageRef: quay.io/redhat-user-workloads/crt-redhat-acm-tenant/cluster-permission-acm-213@sha256:ec7d52e04a88c6af5427109df26b34e35850e0bc21f15549cf1764367e7f1431
  Reason: One of "prefetch-dependencies", "prefetch-dependencies-oci-ta" tasks is missing
  Terms: prefetch-dependencies, prefetch-dependencies-oci-ta
  Title: All required tasks were included in the pipeline
  Description: Ensure that the set of required tasks are included in the PipelineRun attestation. To exclude this rule add one or more of "tasks.required_tasks_found:prefetch-dependencies", "tasks.required_tasks_found:prefetch-dependencies-oci-ta" to the `exclude` section of the policy configuration.
  Solution: Make sure all required tasks are in the build pipeline. The required task list is contained as https://conforma.dev/docs/ec-cli/configuration.html#_data_sources under the key 'required-tasks'.

✕ [Violation] tasks.required_tasks_found
  ImageRef: quay.io/redhat-user-workloads/crt-redhat-acm-tenant/cluster-permission-acm-213@sha256:ec7d52e04a88c6af5427109df26b34e35850e0bc21f15549cf1764367e7f1431
  Reason: Required task "rpms-signature-scan" is missing
  Term: rpms-signature-scan
  Title: All required tasks were included in the pipeline
  Description: Ensure that the set of required tasks are included in the PipelineRun attestation. To exclude this rule add "tasks.required_tasks_found:rpms-signature-scan" to the `exclude` section of the policy configuration.
  Solution: Make sure all required tasks are in the build pipeline. The required task list is contained as https://conforma.dev/docs/ec-cli/configuration.html#_data_sources under the key 'required-tasks'.

✕ [Violation] tasks.required_tasks_found
  ImageRef: quay.io/redhat-user-workloads/crt-redhat-acm-tenant/cluster-permission-acm-213@sha256:ec7d52e04a88c6af5427109df26b34e35850e0bc21f15549cf1764367e7f1431
  Reason: One of "sast-shell-check", "sast-shell-check-oci-ta" tasks is missing
  Terms: sast-shell-check, sast-shell-check-oci-ta
  Title: All required tasks were included in the pipeline
  Description: Ensure that the set of required tasks are included in the PipelineRun attestation. To exclude this rule add one or more of "tasks.required_tasks_found:sast-shell-check", "tasks.required_tasks_found:sast-shell-check-oci-ta" to the `exclude` section of the policy configuration.
  Solution: Make sure all required tasks are in the build pipeline. The required task list is contained as https://conforma.dev/docs/ec-cli/configuration.html#_data_sources under the key 'required-tasks'.

✕ [Violation] tasks.required_tasks_found
  ImageRef: quay.io/redhat-user-workloads/crt-redhat-acm-tenant/cluster-permission-acm-213@sha256:ec7d52e04a88c6af5427109df26b34e35850e0bc21f15549cf1764367e7f1431
  Reason: One of "sast-snyk-check", "sast-snyk-check-oci-ta" tasks is missing
  Terms: sast-snyk-check, sast-snyk-check-oci-ta
  Title: All required tasks were included in the pipeline
  Description: Ensure that the set of required tasks are included in the PipelineRun attestation. To exclude this rule add one or more of "tasks.required_tasks_found:sast-snyk-check", "tasks.required_tasks_found:sast-snyk-check-oci-ta" to the `exclude` section of the policy configuration.
  Solution: Make sure all required tasks are in the build pipeline. The required task list is contained as https://conforma.dev/docs/ec-cli/configuration.html#_data_sources under the key 'required-tasks'.

✕ [Violation] tasks.required_tasks_found
  ImageRef: quay.io/redhat-user-workloads/crt-redhat-acm-tenant/cluster-permission-acm-213@sha256:ec7d52e04a88c6af5427109df26b34e35850e0bc21f15549cf1764367e7f1431
  Reason: One of "sast-unicode-check", "sast-unicode-check-oci-ta" tasks is missing
  Terms: sast-unicode-check, sast-unicode-check-oci-ta
  Title: All required tasks were included in the pipeline
  Description: Ensure that the set of required tasks are included in the PipelineRun attestation. To exclude this rule add one or more of "tasks.required_tasks_found:sast-unicode-check", "tasks.required_tasks_found:sast-unicode-check-oci-ta" to the `exclude` section of the policy configuration.
  Solution: Make sure all required tasks are in the build pipeline. The required task list is contained as https://conforma.dev/docs/ec-cli/configuration.html#_data_sources under the key 'required-tasks'.

✕ [Violation] tasks.required_tasks_found
  ImageRef: quay.io/redhat-user-workloads/crt-redhat-acm-tenant/cluster-permission-acm-213@sha256:ec7d52e04a88c6af5427109df26b34e35850e0bc21f15549cf1764367e7f1431
  Reason: One of "source-build", "source-build-oci-ta" tasks is missing
  Terms: source-build, source-build-oci-ta
  Title: All required tasks were included in the pipeline
  Description: Ensure that the set of required tasks are included in the PipelineRun attestation. To exclude this rule add one or more of "tasks.required_tasks_found:source-build", "tasks.required_tasks_found:source-build-oci-ta" to the `exclude` section of the policy configuration.
  Solution: Make sure all required tasks are in the build pipeline. The required task list is contained as https://conforma.dev/docs/ec-cli/configuration.html#_data_sources under the key 'required-tasks'.

✕ [Violation] trusted_task.trusted
  ImageRef: quay.io/redhat-user-workloads/crt-redhat-acm-tenant/cluster-permission-acm-213@sha256:ec7d52e04a88c6af5427109df26b34e35850e0bc21f15549cf1764367e7f1431
  Reason: Code tampering detected, untrusted PipelineTask "build-image-index" (Task "build-image-index") was included in build chain comprised of: build-image-index
  Term: build-image-index
  Title: Tasks are trusted
  Description: Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add "trusted_task.trusted:build-image-index" to the `exclude` section of the policy configuration.
  Solution: If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available.

✕ [Violation] trusted_task.trusted
  ImageRef: quay.io/redhat-user-workloads/crt-redhat-acm-tenant/cluster-permission-acm-213@sha256:ec7d52e04a88c6af5427109df26b34e35850e0bc21f15549cf1764367e7f1431
  Reason: Code tampering detected, untrusted PipelineTask "build-images" (Task "buildah-remote-oci-ta") was included in build chain comprised of: build-images, clone-repository, prefetch-dependencies
  Term: buildah-remote-oci-ta
  Title: Tasks are trusted
  Description: Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add "trusted_task.trusted:buildah-remote-oci-ta" to the `exclude` section of the policy configuration.
  Solution: If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available.

✕ [Violation] trusted_task.trusted
  ImageRef: quay.io/redhat-user-workloads/crt-redhat-acm-tenant/cluster-permission-acm-213@sha256:ec7d52e04a88c6af5427109df26b34e35850e0bc21f15549cf1764367e7f1431
  Reason: Code tampering detected, untrusted PipelineTask "clair-scan" (Task "clair-scan") was included in build chain comprised of: clair-scan
  Term: clair-scan
  Title: Tasks are trusted
  Description: Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add "trusted_task.trusted:clair-scan" to the `exclude` section of the policy configuration.
  Solution: If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available.

✕ [Violation] trusted_task.trusted
  ImageRef: quay.io/redhat-user-workloads/crt-redhat-acm-tenant/cluster-permission-acm-213@sha256:ec7d52e04a88c6af5427109df26b34e35850e0bc21f15549cf1764367e7f1431
  Reason: Code tampering detected, untrusted PipelineTask "clamav-scan" (Task "clamav-scan") was included in build chain comprised of: clamav-scan
  Term: clamav-scan
  Title: Tasks are trusted
  Description: Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add "trusted_task.trusted:clamav-scan" to the `exclude` section of the policy configuration.
  Solution: If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available.

✕ [Violation] trusted_task.trusted
  ImageRef: quay.io/redhat-user-workloads/crt-redhat-acm-tenant/cluster-permission-acm-213@sha256:ec7d52e04a88c6af5427109df26b34e35850e0bc21f15549cf1764367e7f1431
  Reason: Code tampering detected, untrusted PipelineTask "deprecated-base-image-check" (Task "deprecated-image-check") was included in build chain comprised of: deprecated-base-image-check
  Term: deprecated-image-check
  Title: Tasks are trusted
  Description: Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add "trusted_task.trusted:deprecated-image-check" to the `exclude` section of the policy configuration.
  Solution: If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available.

✕ [Violation] trusted_task.trusted
  ImageRef: quay.io/redhat-user-workloads/crt-redhat-acm-tenant/cluster-permission-acm-213@sha256:ec7d52e04a88c6af5427109df26b34e35850e0bc21f15549cf1764367e7f1431
  Reason: Code tampering detected, untrusted PipelineTask "ecosystem-cert-preflight-checks" (Task "ecosystem-cert-preflight-checks") was included in build chain comprised of: ecosystem-cert-preflight-checks
  Term: ecosystem-cert-preflight-checks
  Title: Tasks are trusted
  Description: Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add "trusted_task.trusted:ecosystem-cert-preflight-checks" to the `exclude` section of the policy configuration.
  Solution: If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available.

✕ [Violation] trusted_task.trusted
  ImageRef: quay.io/redhat-user-workloads/crt-redhat-acm-tenant/cluster-permission-acm-213@sha256:ec7d52e04a88c6af5427109df26b34e35850e0bc21f15549cf1764367e7f1431
  Reason: Code tampering detected, untrusted PipelineTask "clone-repository" (Task "git-clone-oci-ta") was included in build chain comprised of: build-images, clone-repository, prefetch-dependencies
  Term: git-clone-oci-ta
  Title: Tasks are trusted
  Description: Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add "trusted_task.trusted:git-clone-oci-ta" to the `exclude` section of the policy configuration.
  Solution: If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available.

✕ [Violation] trusted_task.trusted
  ImageRef: quay.io/redhat-user-workloads/crt-redhat-acm-tenant/cluster-permission-acm-213@sha256:ec7d52e04a88c6af5427109df26b34e35850e0bc21f15549cf1764367e7f1431
  Reason: Code tampering detected, untrusted PipelineTask "clone-repository" (Task "git-clone-oci-ta") was included in build chain comprised of: clone-repository, prefetch-dependencies, sast-snyk-check
  Term: git-clone-oci-ta
  Title: Tasks are trusted
  Description: Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add "trusted_task.trusted:git-clone-oci-ta" to the `exclude` section of the policy configuration.
  Solution: If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available.

✕ [Violation] trusted_task.trusted
  ImageRef: quay.io/redhat-user-workloads/crt-redhat-acm-tenant/cluster-permission-acm-213@sha256:ec7d52e04a88c6af5427109df26b34e35850e0bc21f15549cf1764367e7f1431
  Reason: Code tampering detected, untrusted PipelineTask "prefetch-dependencies" (Task "prefetch-dependencies-oci-ta") was included in build chain comprised of: build-images, clone-repository, prefetch-dependencies
  Term: prefetch-dependencies-oci-ta
  Title: Tasks are trusted
  Description: Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add "trusted_task.trusted:prefetch-dependencies-oci-ta" to the `exclude` section of the policy configuration.
  Solution: If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available.

✕ [Violation] trusted_task.trusted
  ImageRef: quay.io/redhat-user-workloads/crt-redhat-acm-tenant/cluster-permission-acm-213@sha256:ec7d52e04a88c6af5427109df26b34e35850e0bc21f15549cf1764367e7f1431
  Reason: Code tampering detected, untrusted PipelineTask "prefetch-dependencies" (Task "prefetch-dependencies-oci-ta") was included in build chain comprised of: clone-repository, prefetch-dependencies, sast-snyk-check
  Term: prefetch-dependencies-oci-ta
  Title: Tasks are trusted
  Description: Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add "trusted_task.trusted:prefetch-dependencies-oci-ta" to the `exclude` section of the policy configuration.
  Solution: If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available.

✕ [Violation] trusted_task.trusted
  ImageRef: quay.io/redhat-user-workloads/crt-redhat-acm-tenant/cluster-permission-acm-213@sha256:ec7d52e04a88c6af5427109df26b34e35850e0bc21f15549cf1764367e7f1431
  Reason: Code tampering detected, untrusted PipelineTask "rpms-signature-scan" (Task "rpms-signature-scan") was included in build chain comprised of: rpms-signature-scan
  Term: rpms-signature-scan
  Title: Tasks are trusted
  Description: Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add "trusted_task.trusted:rpms-signature-scan" to the `exclude` section of the policy configuration.
  Solution: If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available.

✕ [Violation] trusted_task.trusted
  ImageRef: quay.io/redhat-user-workloads/crt-redhat-acm-tenant/cluster-permission-acm-213@sha256:ec7d52e04a88c6af5427109df26b34e35850e0bc21f15549cf1764367e7f1431
  Reason: Code tampering detected, untrusted PipelineTask "sast-snyk-check" (Task "sast-snyk-check-oci-ta") was included in build chain comprised of: clone-repository, prefetch-dependencies, sast-snyk-check
  Term: sast-snyk-check-oci-ta
  Title: Tasks are trusted
  Description: Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add "trusted_task.trusted:sast-snyk-check-oci-ta" to the `exclude` section of the policy configuration.
  Solution: If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available.

✕ [Violation] hermetic_build_task.build_task_hermetic
  ImageRef: quay.io/redhat-user-workloads/crt-redhat-acm-tenant/cluster-permission-acm-213@sha256:9db502289231e638c9343a758e1a4dae963b0457df9014d0d6d487531dfc2d27
  Reason: Build task was not invoked with the hermetic parameter set
  Title: Build task called with hermetic param set
  Description: Verify the build task in the PipelineRun attestation was invoked with the proper parameters to make the build process hermetic. To exclude this rule add "hermetic_build_task.build_task_hermetic" to the `exclude` section of the policy configuration.
Solution: Make sure the task that builds the image has a parameter named 'HERMETIC' and it's set to 'true'. ✕ [Violation] labels.disallowed_inherited_labels ImageRef: quay.io/redhat-user-workloads/crt-redhat-acm-tenant/cluster-permission-acm-213@sha256:9db502289231e638c9343a758e1a4dae963b0457df9014d0d6d487531dfc2d27 Reason: The "com.redhat.component" label should not be inherited from the parent image Term: com.redhat.component Title: Disallowed inherited labels Description: Check that certain labels on the image have different values than the labels from the parent image. If the label is inherited from the parent image but not redefined for the image, it will contain an incorrect value for the image. Use the rule data `disallowed_inherited_labels` key to set the list of labels to check, or the `fbc_disallowed_inherited_labels` key for fbc images. To exclude this rule add "labels.disallowed_inherited_labels:com.redhat.component" to the `exclude` section of the policy configuration. Solution: Update the image build process to overwrite the inherited labels. ✕ [Violation] labels.disallowed_inherited_labels ImageRef: quay.io/redhat-user-workloads/crt-redhat-acm-tenant/cluster-permission-acm-213@sha256:9db502289231e638c9343a758e1a4dae963b0457df9014d0d6d487531dfc2d27 Reason: The "description" label should not be inherited from the parent image Term: description Title: Disallowed inherited labels Description: Check that certain labels on the image have different values than the labels from the parent image. If the label is inherited from the parent image but not redefined for the image, it will contain an incorrect value for the image. Use the rule data `disallowed_inherited_labels` key to set the list of labels to check, or the `fbc_disallowed_inherited_labels` key for fbc images. To exclude this rule add "labels.disallowed_inherited_labels:description" to the `exclude` section of the policy configuration. 
Solution: Update the image build process to overwrite the inherited labels. ✕ [Violation] labels.disallowed_inherited_labels ImageRef: quay.io/redhat-user-workloads/crt-redhat-acm-tenant/cluster-permission-acm-213@sha256:9db502289231e638c9343a758e1a4dae963b0457df9014d0d6d487531dfc2d27 Reason: The "io.k8s.description" label should not be inherited from the parent image Term: io.k8s.description Title: Disallowed inherited labels Description: Check that certain labels on the image have different values than the labels from the parent image. If the label is inherited from the parent image but not redefined for the image, it will contain an incorrect value for the image. Use the rule data `disallowed_inherited_labels` key to set the list of labels to check, or the `fbc_disallowed_inherited_labels` key for fbc images. To exclude this rule add "labels.disallowed_inherited_labels:io.k8s.description" to the `exclude` section of the policy configuration. Solution: Update the image build process to overwrite the inherited labels. ✕ [Violation] labels.disallowed_inherited_labels ImageRef: quay.io/redhat-user-workloads/crt-redhat-acm-tenant/cluster-permission-acm-213@sha256:9db502289231e638c9343a758e1a4dae963b0457df9014d0d6d487531dfc2d27 Reason: The "io.k8s.display-name" label should not be inherited from the parent image Term: io.k8s.display-name Title: Disallowed inherited labels Description: Check that certain labels on the image have different values than the labels from the parent image. If the label is inherited from the parent image but not redefined for the image, it will contain an incorrect value for the image. Use the rule data `disallowed_inherited_labels` key to set the list of labels to check, or the `fbc_disallowed_inherited_labels` key for fbc images. To exclude this rule add "labels.disallowed_inherited_labels:io.k8s.display-name" to the `exclude` section of the policy configuration. Solution: Update the image build process to overwrite the inherited labels. 
✕ [Violation] labels.disallowed_inherited_labels ImageRef: quay.io/redhat-user-workloads/crt-redhat-acm-tenant/cluster-permission-acm-213@sha256:9db502289231e638c9343a758e1a4dae963b0457df9014d0d6d487531dfc2d27 Reason: The "io.openshift.tags" label should not be inherited from the parent image Term: io.openshift.tags Title: Disallowed inherited labels Description: Check that certain labels on the image have different values than the labels from the parent image. If the label is inherited from the parent image but not redefined for the image, it will contain an incorrect value for the image. Use the rule data `disallowed_inherited_labels` key to set the list of labels to check, or the `fbc_disallowed_inherited_labels` key for fbc images. To exclude this rule add "labels.disallowed_inherited_labels:io.openshift.tags" to the `exclude` section of the policy configuration. Solution: Update the image build process to overwrite the inherited labels. ✕ [Violation] labels.disallowed_inherited_labels ImageRef: quay.io/redhat-user-workloads/crt-redhat-acm-tenant/cluster-permission-acm-213@sha256:9db502289231e638c9343a758e1a4dae963b0457df9014d0d6d487531dfc2d27 Reason: The "name" label should not be inherited from the parent image Term: name Title: Disallowed inherited labels Description: Check that certain labels on the image have different values than the labels from the parent image. If the label is inherited from the parent image but not redefined for the image, it will contain an incorrect value for the image. Use the rule data `disallowed_inherited_labels` key to set the list of labels to check, or the `fbc_disallowed_inherited_labels` key for fbc images. To exclude this rule add "labels.disallowed_inherited_labels:name" to the `exclude` section of the policy configuration. Solution: Update the image build process to overwrite the inherited labels. 
✕ [Violation] labels.disallowed_inherited_labels ImageRef: quay.io/redhat-user-workloads/crt-redhat-acm-tenant/cluster-permission-acm-213@sha256:9db502289231e638c9343a758e1a4dae963b0457df9014d0d6d487531dfc2d27 Reason: The "summary" label should not be inherited from the parent image Term: summary Title: Disallowed inherited labels Description: Check that certain labels on the image have different values than the labels from the parent image. If the label is inherited from the parent image but not redefined for the image, it will contain an incorrect value for the image. Use the rule data `disallowed_inherited_labels` key to set the list of labels to check, or the `fbc_disallowed_inherited_labels` key for fbc images. To exclude this rule add "labels.disallowed_inherited_labels:summary" to the `exclude` section of the policy configuration. Solution: Update the image build process to overwrite the inherited labels. ✕ [Violation] slsa_build_scripted_build.image_built_by_trusted_task ImageRef: quay.io/redhat-user-workloads/crt-redhat-acm-tenant/cluster-permission-acm-213@sha256:9db502289231e638c9343a758e1a4dae963b0457df9014d0d6d487531dfc2d27 Reason: Image "quay.io/redhat-user-workloads/crt-redhat-acm-tenant/cluster-permission-acm-213@sha256:9db502289231e638c9343a758e1a4dae963b0457df9014d0d6d487531dfc2d27" not built by a trusted task: Build Task(s) "build-image-index" are not trusted Title: Image built by trusted Task Description: Verify the digest of the image being validated is reported by a trusted Task in its IMAGE_DIGEST result. To exclude this rule add "slsa_build_scripted_build.image_built_by_trusted_task" to the `exclude` section of the policy configuration. Solution: Make sure the build Pipeline definition uses a trusted Task to build images. 
✕ [Violation] source_image.exists ImageRef: quay.io/redhat-user-workloads/crt-redhat-acm-tenant/cluster-permission-acm-213@sha256:9db502289231e638c9343a758e1a4dae963b0457df9014d0d6d487531dfc2d27 Reason: No source image references found Title: Exists Description: Verify the source container image exists. To exclude this rule add "source_image.exists" to the `exclude` section of the policy configuration. ✕ [Violation] tasks.required_tasks_found ImageRef: quay.io/redhat-user-workloads/crt-redhat-acm-tenant/cluster-permission-acm-213@sha256:9db502289231e638c9343a758e1a4dae963b0457df9014d0d6d487531dfc2d27 Reason: One of "buildah", "buildah-10gb", "buildah-6gb", "buildah-8gb", "buildah-remote", "buildah-oci-ta", "buildah-remote-oci-ta" tasks is missing Terms: buildah, buildah-10gb, buildah-6gb, buildah-8gb, buildah-remote, buildah-oci-ta, buildah-remote-oci-ta Title: All required tasks were included in the pipeline Description: Ensure that the set of required tasks are included in the PipelineRun attestation. To exclude this rule add one or more of "tasks.required_tasks_found:buildah", "tasks.required_tasks_found:buildah-10gb", "tasks.required_tasks_found:buildah-6gb", "tasks.required_tasks_found:buildah-8gb", "tasks.required_tasks_found:buildah-remote", "tasks.required_tasks_found:buildah-oci-ta", "tasks.required_tasks_found:buildah-remote-oci-ta" to the `exclude` section of the policy configuration. Solution: Make sure all required tasks are in the build pipeline. The required task list is contained as https://conforma.dev/docs/ec-cli/configuration.html#_data_sources under the key 'required-tasks'. 
✕ [Violation] tasks.required_tasks_found ImageRef: quay.io/redhat-user-workloads/crt-redhat-acm-tenant/cluster-permission-acm-213@sha256:9db502289231e638c9343a758e1a4dae963b0457df9014d0d6d487531dfc2d27 Reason: Required task "clair-scan" is missing Term: clair-scan Title: All required tasks were included in the pipeline Description: Ensure that the set of required tasks are included in the PipelineRun attestation. To exclude this rule add "tasks.required_tasks_found:clair-scan" to the `exclude` section of the policy configuration. Solution: Make sure all required tasks are in the build pipeline. The required task list is contained as https://conforma.dev/docs/ec-cli/configuration.html#_data_sources under the key 'required-tasks'. ✕ [Violation] tasks.required_tasks_found ImageRef: quay.io/redhat-user-workloads/crt-redhat-acm-tenant/cluster-permission-acm-213@sha256:9db502289231e638c9343a758e1a4dae963b0457df9014d0d6d487531dfc2d27 Reason: Required task "clamav-scan" is missing Term: clamav-scan Title: All required tasks were included in the pipeline Description: Ensure that the set of required tasks are included in the PipelineRun attestation. To exclude this rule add "tasks.required_tasks_found:clamav-scan" to the `exclude` section of the policy configuration. Solution: Make sure all required tasks are in the build pipeline. The required task list is contained as https://conforma.dev/docs/ec-cli/configuration.html#_data_sources under the key 'required-tasks'. ✕ [Violation] tasks.required_tasks_found ImageRef: quay.io/redhat-user-workloads/crt-redhat-acm-tenant/cluster-permission-acm-213@sha256:9db502289231e638c9343a758e1a4dae963b0457df9014d0d6d487531dfc2d27 Reason: Required task "deprecated-image-check" is missing Term: deprecated-image-check Title: All required tasks were included in the pipeline Description: Ensure that the set of required tasks are included in the PipelineRun attestation. 
To exclude this rule add "tasks.required_tasks_found:deprecated-image-check" to the `exclude` section of the policy configuration. Solution: Make sure all required tasks are in the build pipeline. The required task list is contained as https://conforma.dev/docs/ec-cli/configuration.html#_data_sources under the key 'required-tasks'. ✕ [Violation] tasks.required_tasks_found ImageRef: quay.io/redhat-user-workloads/crt-redhat-acm-tenant/cluster-permission-acm-213@sha256:9db502289231e638c9343a758e1a4dae963b0457df9014d0d6d487531dfc2d27 Reason: One of "git-clone", "git-clone-oci-ta" tasks is missing Terms: git-clone, git-clone-oci-ta Title: All required tasks were included in the pipeline Description: Ensure that the set of required tasks are included in the PipelineRun attestation. To exclude this rule add one or more of "tasks.required_tasks_found:git-clone", "tasks.required_tasks_found:git-clone-oci-ta" to the `exclude` section of the policy configuration. Solution: Make sure all required tasks are in the build pipeline. The required task list is contained as https://conforma.dev/docs/ec-cli/configuration.html#_data_sources under the key 'required-tasks'. ✕ [Violation] tasks.required_tasks_found ImageRef: quay.io/redhat-user-workloads/crt-redhat-acm-tenant/cluster-permission-acm-213@sha256:9db502289231e638c9343a758e1a4dae963b0457df9014d0d6d487531dfc2d27 Reason: Required task "init" is missing Term: init Title: All required tasks were included in the pipeline Description: Ensure that the set of required tasks are included in the PipelineRun attestation. To exclude this rule add "tasks.required_tasks_found:init" to the `exclude` section of the policy configuration. Solution: Make sure all required tasks are in the build pipeline. The required task list is contained as https://conforma.dev/docs/ec-cli/configuration.html#_data_sources under the key 'required-tasks'. 
✕ [Violation] tasks.required_tasks_found ImageRef: quay.io/redhat-user-workloads/crt-redhat-acm-tenant/cluster-permission-acm-213@sha256:9db502289231e638c9343a758e1a4dae963b0457df9014d0d6d487531dfc2d27 Reason: One of "prefetch-dependencies", "prefetch-dependencies-oci-ta" tasks is missing Terms: prefetch-dependencies, prefetch-dependencies-oci-ta Title: All required tasks were included in the pipeline Description: Ensure that the set of required tasks are included in the PipelineRun attestation. To exclude this rule add one or more of "tasks.required_tasks_found:prefetch-dependencies", "tasks.required_tasks_found:prefetch-dependencies-oci-ta" to the `exclude` section of the policy configuration. Solution: Make sure all required tasks are in the build pipeline. The required task list is contained as https://conforma.dev/docs/ec-cli/configuration.html#_data_sources under the key 'required-tasks'. ✕ [Violation] tasks.required_tasks_found ImageRef: quay.io/redhat-user-workloads/crt-redhat-acm-tenant/cluster-permission-acm-213@sha256:9db502289231e638c9343a758e1a4dae963b0457df9014d0d6d487531dfc2d27 Reason: Required task "rpms-signature-scan" is missing Term: rpms-signature-scan Title: All required tasks were included in the pipeline Description: Ensure that the set of required tasks are included in the PipelineRun attestation. To exclude this rule add "tasks.required_tasks_found:rpms-signature-scan" to the `exclude` section of the policy configuration. Solution: Make sure all required tasks are in the build pipeline. The required task list is contained as https://conforma.dev/docs/ec-cli/configuration.html#_data_sources under the key 'required-tasks'. 
✕ [Violation] tasks.required_tasks_found ImageRef: quay.io/redhat-user-workloads/crt-redhat-acm-tenant/cluster-permission-acm-213@sha256:9db502289231e638c9343a758e1a4dae963b0457df9014d0d6d487531dfc2d27 Reason: One of "sast-shell-check", "sast-shell-check-oci-ta" tasks is missing Terms: sast-shell-check, sast-shell-check-oci-ta Title: All required tasks were included in the pipeline Description: Ensure that the set of required tasks are included in the PipelineRun attestation. To exclude this rule add one or more of "tasks.required_tasks_found:sast-shell-check", "tasks.required_tasks_found:sast-shell-check-oci-ta" to the `exclude` section of the policy configuration. Solution: Make sure all required tasks are in the build pipeline. The required task list is contained as https://conforma.dev/docs/ec-cli/configuration.html#_data_sources under the key 'required-tasks'. ✕ [Violation] tasks.required_tasks_found ImageRef: quay.io/redhat-user-workloads/crt-redhat-acm-tenant/cluster-permission-acm-213@sha256:9db502289231e638c9343a758e1a4dae963b0457df9014d0d6d487531dfc2d27 Reason: One of "sast-snyk-check", "sast-snyk-check-oci-ta" tasks is missing Terms: sast-snyk-check, sast-snyk-check-oci-ta Title: All required tasks were included in the pipeline Description: Ensure that the set of required tasks are included in the PipelineRun attestation. To exclude this rule add one or more of "tasks.required_tasks_found:sast-snyk-check", "tasks.required_tasks_found:sast-snyk-check-oci-ta" to the `exclude` section of the policy configuration. Solution: Make sure all required tasks are in the build pipeline. The required task list is contained as https://conforma.dev/docs/ec-cli/configuration.html#_data_sources under the key 'required-tasks'. 
✕ [Violation] tasks.required_tasks_found ImageRef: quay.io/redhat-user-workloads/crt-redhat-acm-tenant/cluster-permission-acm-213@sha256:9db502289231e638c9343a758e1a4dae963b0457df9014d0d6d487531dfc2d27 Reason: One of "sast-unicode-check", "sast-unicode-check-oci-ta" tasks is missing Terms: sast-unicode-check, sast-unicode-check-oci-ta Title: All required tasks were included in the pipeline Description: Ensure that the set of required tasks are included in the PipelineRun attestation. To exclude this rule add one or more of "tasks.required_tasks_found:sast-unicode-check", "tasks.required_tasks_found:sast-unicode-check-oci-ta" to the `exclude` section of the policy configuration. Solution: Make sure all required tasks are in the build pipeline. The required task list is contained as https://conforma.dev/docs/ec-cli/configuration.html#_data_sources under the key 'required-tasks'. ✕ [Violation] tasks.required_tasks_found ImageRef: quay.io/redhat-user-workloads/crt-redhat-acm-tenant/cluster-permission-acm-213@sha256:9db502289231e638c9343a758e1a4dae963b0457df9014d0d6d487531dfc2d27 Reason: One of "source-build", "source-build-oci-ta" tasks is missing Terms: source-build, source-build-oci-ta Title: All required tasks were included in the pipeline Description: Ensure that the set of required tasks are included in the PipelineRun attestation. To exclude this rule add one or more of "tasks.required_tasks_found:source-build", "tasks.required_tasks_found:source-build-oci-ta" to the `exclude` section of the policy configuration. Solution: Make sure all required tasks are in the build pipeline. The required task list is contained as https://conforma.dev/docs/ec-cli/configuration.html#_data_sources under the key 'required-tasks'. 
✕ [Violation] trusted_task.trusted ImageRef: quay.io/redhat-user-workloads/crt-redhat-acm-tenant/cluster-permission-acm-213@sha256:9db502289231e638c9343a758e1a4dae963b0457df9014d0d6d487531dfc2d27 Reason: Code tampering detected, untrusted PipelineTask "build-image-index" (Task "build-image-index") was included in build chain comprised of: build-image-index Term: build-image-index Title: Tasks are trusted Description: Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add "trusted_task.trusted:build-image-index" to the `exclude` section of the policy configuration. Solution: If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available. ✕ [Violation] trusted_task.trusted ImageRef: quay.io/redhat-user-workloads/crt-redhat-acm-tenant/cluster-permission-acm-213@sha256:9db502289231e638c9343a758e1a4dae963b0457df9014d0d6d487531dfc2d27 Reason: Code tampering detected, untrusted PipelineTask "build-images" (Task "buildah-remote-oci-ta") was included in build chain comprised of: build-images, clone-repository, prefetch-dependencies Term: buildah-remote-oci-ta Title: Tasks are trusted Description: Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. 
In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add "trusted_task.trusted:buildah-remote-oci-ta" to the `exclude` section of the policy configuration. Solution: If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available. ✕ [Violation] trusted_task.trusted ImageRef: quay.io/redhat-user-workloads/crt-redhat-acm-tenant/cluster-permission-acm-213@sha256:9db502289231e638c9343a758e1a4dae963b0457df9014d0d6d487531dfc2d27 Reason: Code tampering detected, untrusted PipelineTask "clair-scan" (Task "clair-scan") was included in build chain comprised of: clair-scan Term: clair-scan Title: Tasks are trusted Description: Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add "trusted_task.trusted:clair-scan" to the `exclude` section of the policy configuration. Solution: If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. 
Note that trust is eventually revoked from Tasks when newer versions are made available. ✕ [Violation] trusted_task.trusted ImageRef: quay.io/redhat-user-workloads/crt-redhat-acm-tenant/cluster-permission-acm-213@sha256:9db502289231e638c9343a758e1a4dae963b0457df9014d0d6d487531dfc2d27 Reason: Code tampering detected, untrusted PipelineTask "clamav-scan" (Task "clamav-scan") was included in build chain comprised of: clamav-scan Term: clamav-scan Title: Tasks are trusted Description: Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add "trusted_task.trusted:clamav-scan" to the `exclude` section of the policy configuration. Solution: If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available. ✕ [Violation] trusted_task.trusted ImageRef: quay.io/redhat-user-workloads/crt-redhat-acm-tenant/cluster-permission-acm-213@sha256:9db502289231e638c9343a758e1a4dae963b0457df9014d0d6d487531dfc2d27 Reason: Code tampering detected, untrusted PipelineTask "deprecated-base-image-check" (Task "deprecated-image-check") was included in build chain comprised of: deprecated-base-image-check Term: deprecated-image-check Title: Tasks are trusted Description: Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. 
In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add "trusted_task.trusted:deprecated-image-check" to the `exclude` section of the policy configuration. Solution: If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available. ✕ [Violation] trusted_task.trusted ImageRef: quay.io/redhat-user-workloads/crt-redhat-acm-tenant/cluster-permission-acm-213@sha256:9db502289231e638c9343a758e1a4dae963b0457df9014d0d6d487531dfc2d27 Reason: Code tampering detected, untrusted PipelineTask "ecosystem-cert-preflight-checks" (Task "ecosystem-cert-preflight-checks") was included in build chain comprised of: ecosystem-cert-preflight-checks Term: ecosystem-cert-preflight-checks Title: Tasks are trusted Description: Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add "trusted_task.trusted:ecosystem-cert-preflight-checks" to the `exclude` section of the policy configuration. Solution: If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. 
Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available.
✕ [Violation] trusted_task.trusted
  ImageRef: quay.io/redhat-user-workloads/crt-redhat-acm-tenant/cluster-permission-acm-213@sha256:9db502289231e638c9343a758e1a4dae963b0457df9014d0d6d487531dfc2d27
  Reason: Code tampering detected, untrusted PipelineTask "clone-repository" (Task "git-clone-oci-ta") was included in build chain comprised of: build-images, clone-repository, prefetch-dependencies
  Term: git-clone-oci-ta
  Title: Tasks are trusted
  Description: Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add "trusted_task.trusted:git-clone-oci-ta" to the `exclude` section of the policy configuration.
  Solution: If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available.
✕ [Violation] trusted_task.trusted
  ImageRef: quay.io/redhat-user-workloads/crt-redhat-acm-tenant/cluster-permission-acm-213@sha256:9db502289231e638c9343a758e1a4dae963b0457df9014d0d6d487531dfc2d27
  Reason: Code tampering detected, untrusted PipelineTask "clone-repository" (Task "git-clone-oci-ta") was included in build chain comprised of: clone-repository, prefetch-dependencies, sast-snyk-check
  Term: git-clone-oci-ta
  Title: Tasks are trusted
  Description: Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add "trusted_task.trusted:git-clone-oci-ta" to the `exclude` section of the policy configuration.
  Solution: If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available.
✕ [Violation] trusted_task.trusted
  ImageRef: quay.io/redhat-user-workloads/crt-redhat-acm-tenant/cluster-permission-acm-213@sha256:9db502289231e638c9343a758e1a4dae963b0457df9014d0d6d487531dfc2d27
  Reason: Code tampering detected, untrusted PipelineTask "prefetch-dependencies" (Task "prefetch-dependencies-oci-ta") was included in build chain comprised of: build-images, clone-repository, prefetch-dependencies
  Term: prefetch-dependencies-oci-ta
  Title: Tasks are trusted
  Description: Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add "trusted_task.trusted:prefetch-dependencies-oci-ta" to the `exclude` section of the policy configuration.
  Solution: If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available.
✕ [Violation] trusted_task.trusted
  ImageRef: quay.io/redhat-user-workloads/crt-redhat-acm-tenant/cluster-permission-acm-213@sha256:9db502289231e638c9343a758e1a4dae963b0457df9014d0d6d487531dfc2d27
  Reason: Code tampering detected, untrusted PipelineTask "prefetch-dependencies" (Task "prefetch-dependencies-oci-ta") was included in build chain comprised of: clone-repository, prefetch-dependencies, sast-snyk-check
  Term: prefetch-dependencies-oci-ta
  Title: Tasks are trusted
  Description: Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add "trusted_task.trusted:prefetch-dependencies-oci-ta" to the `exclude` section of the policy configuration.
  Solution: If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available.
✕ [Violation] trusted_task.trusted
  ImageRef: quay.io/redhat-user-workloads/crt-redhat-acm-tenant/cluster-permission-acm-213@sha256:9db502289231e638c9343a758e1a4dae963b0457df9014d0d6d487531dfc2d27
  Reason: Code tampering detected, untrusted PipelineTask "rpms-signature-scan" (Task "rpms-signature-scan") was included in build chain comprised of: rpms-signature-scan
  Term: rpms-signature-scan
  Title: Tasks are trusted
  Description: Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add "trusted_task.trusted:rpms-signature-scan" to the `exclude` section of the policy configuration.
  Solution: If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available.
✕ [Violation] trusted_task.trusted
  ImageRef: quay.io/redhat-user-workloads/crt-redhat-acm-tenant/cluster-permission-acm-213@sha256:9db502289231e638c9343a758e1a4dae963b0457df9014d0d6d487531dfc2d27
  Reason: Code tampering detected, untrusted PipelineTask "sast-snyk-check" (Task "sast-snyk-check-oci-ta") was included in build chain comprised of: clone-repository, prefetch-dependencies, sast-snyk-check
  Term: sast-snyk-check-oci-ta
  Title: Tasks are trusted
  Description: Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add "trusted_task.trusted:sast-snyk-check-oci-ta" to the `exclude` section of the policy configuration.
  Solution: If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available.
› [Warning] tasks.required_untrusted_task_found
  ImageRef: quay.io/redhat-user-workloads/crt-redhat-acm-tenant/cluster-permission-acm-213@sha256:ec7d52e04a88c6af5427109df26b34e35850e0bc21f15549cf1764367e7f1431
  Reason: Required task "clair-scan" is required and present but not from a trusted task
  Term: clair-scan
  Title: All required tasks are from trusted tasks
  Description: Ensure that the all required tasks are resolved from trusted tasks.
  Solution: Make sure all required tasks in the build pipeline are resolved from trusted tasks.
› [Warning] tasks.required_untrusted_task_found
  ImageRef: quay.io/redhat-user-workloads/crt-redhat-acm-tenant/cluster-permission-acm-213@sha256:ec7d52e04a88c6af5427109df26b34e35850e0bc21f15549cf1764367e7f1431
  Reason: Required task "clamav-scan" is required and present but not from a trusted task
  Term: clamav-scan
  Title: All required tasks are from trusted tasks
  Description: Ensure that the all required tasks are resolved from trusted tasks.
  Solution: Make sure all required tasks in the build pipeline are resolved from trusted tasks.
› [Warning] tasks.required_untrusted_task_found
  ImageRef: quay.io/redhat-user-workloads/crt-redhat-acm-tenant/cluster-permission-acm-213@sha256:ec7d52e04a88c6af5427109df26b34e35850e0bc21f15549cf1764367e7f1431
  Reason: Required task "deprecated-image-check" is required and present but not from a trusted task
  Term: deprecated-image-check
  Title: All required tasks are from trusted tasks
  Description: Ensure that the all required tasks are resolved from trusted tasks.
  Solution: Make sure all required tasks in the build pipeline are resolved from trusted tasks.
› [Warning] tasks.required_untrusted_task_found
  ImageRef: quay.io/redhat-user-workloads/crt-redhat-acm-tenant/cluster-permission-acm-213@sha256:ec7d52e04a88c6af5427109df26b34e35850e0bc21f15549cf1764367e7f1431
  Reason: Required task "init" is required and present but not from a trusted task
  Term: init
  Title: All required tasks are from trusted tasks
  Description: Ensure that the all required tasks are resolved from trusted tasks.
  Solution: Make sure all required tasks in the build pipeline are resolved from trusted tasks.
› [Warning] tasks.required_untrusted_task_found
  ImageRef: quay.io/redhat-user-workloads/crt-redhat-acm-tenant/cluster-permission-acm-213@sha256:ec7d52e04a88c6af5427109df26b34e35850e0bc21f15549cf1764367e7f1431
  Reason: Required task "rpms-signature-scan" is required and present but not from a trusted task
  Term: rpms-signature-scan
  Title: All required tasks are from trusted tasks
  Description: Ensure that the all required tasks are resolved from trusted tasks.
  Solution: Make sure all required tasks in the build pipeline are resolved from trusted tasks.
› [Warning] test.no_failed_informative_tests
  ImageRef: quay.io/redhat-user-workloads/crt-redhat-acm-tenant/cluster-permission-acm-213@sha256:ec7d52e04a88c6af5427109df26b34e35850e0bc21f15549cf1764367e7f1431
  Reason: The Task "ecosystem-cert-preflight-checks" from the build Pipeline reports a failed informative test
  Term: ecosystem-cert-preflight-checks
  Title: No informative tests failed
  Description: Produce a warning if any informative tests have their result set to "FAILED". The result type is configurable by the "failed_tests_results" key, and the list of informative tests is configurable by the "informative_tests" key in the rule data.
  Solution: There is a test that failed. Make sure that any task in the build pipeline with a result named 'TEST_OUTPUT' does not fail. More information about the test should be available in the logs for the build Pipeline.
› [Warning] test.no_test_warnings
  ImageRef: quay.io/redhat-user-workloads/crt-redhat-acm-tenant/cluster-permission-acm-213@sha256:ec7d52e04a88c6af5427109df26b34e35850e0bc21f15549cf1764367e7f1431
  Reason: The Task "deprecated-image-check" from the build Pipeline reports a test contains warnings
  Term: deprecated-image-check
  Title: No tests produced warnings
  Description: Produce a warning if any tests have their result set to "WARNING". The result type is configurable by the "warned_tests_results" key in the rule data.
  Solution: There is a task with result 'TEST_OUTPUT' that returned a result of 'WARNING'. You can find which test resulted in 'WARNING' by examining the 'result' key in the 'TEST_OUTPUT'. More information about the test should be available in the logs for the build Pipeline.
› [Warning] tasks.required_untrusted_task_found
  ImageRef: quay.io/redhat-user-workloads/crt-redhat-acm-tenant/cluster-permission-acm-213@sha256:9db502289231e638c9343a758e1a4dae963b0457df9014d0d6d487531dfc2d27
  Reason: Required task "clair-scan" is required and present but not from a trusted task
  Term: clair-scan
  Title: All required tasks are from trusted tasks
  Description: Ensure that the all required tasks are resolved from trusted tasks.
  Solution: Make sure all required tasks in the build pipeline are resolved from trusted tasks.
› [Warning] tasks.required_untrusted_task_found
  ImageRef: quay.io/redhat-user-workloads/crt-redhat-acm-tenant/cluster-permission-acm-213@sha256:9db502289231e638c9343a758e1a4dae963b0457df9014d0d6d487531dfc2d27
  Reason: Required task "clamav-scan" is required and present but not from a trusted task
  Term: clamav-scan
  Title: All required tasks are from trusted tasks
  Description: Ensure that the all required tasks are resolved from trusted tasks.
  Solution: Make sure all required tasks in the build pipeline are resolved from trusted tasks.
› [Warning] tasks.required_untrusted_task_found
  ImageRef: quay.io/redhat-user-workloads/crt-redhat-acm-tenant/cluster-permission-acm-213@sha256:9db502289231e638c9343a758e1a4dae963b0457df9014d0d6d487531dfc2d27
  Reason: Required task "deprecated-image-check" is required and present but not from a trusted task
  Term: deprecated-image-check
  Title: All required tasks are from trusted tasks
  Description: Ensure that the all required tasks are resolved from trusted tasks.
  Solution: Make sure all required tasks in the build pipeline are resolved from trusted tasks.
› [Warning] tasks.required_untrusted_task_found
  ImageRef: quay.io/redhat-user-workloads/crt-redhat-acm-tenant/cluster-permission-acm-213@sha256:9db502289231e638c9343a758e1a4dae963b0457df9014d0d6d487531dfc2d27
  Reason: Required task "init" is required and present but not from a trusted task
  Term: init
  Title: All required tasks are from trusted tasks
  Description: Ensure that the all required tasks are resolved from trusted tasks.
  Solution: Make sure all required tasks in the build pipeline are resolved from trusted tasks.
› [Warning] tasks.required_untrusted_task_found
  ImageRef: quay.io/redhat-user-workloads/crt-redhat-acm-tenant/cluster-permission-acm-213@sha256:9db502289231e638c9343a758e1a4dae963b0457df9014d0d6d487531dfc2d27
  Reason: Required task "rpms-signature-scan" is required and present but not from a trusted task
  Term: rpms-signature-scan
  Title: All required tasks are from trusted tasks
  Description: Ensure that the all required tasks are resolved from trusted tasks.
  Solution: Make sure all required tasks in the build pipeline are resolved from trusted tasks.
› [Warning] test.no_failed_informative_tests
  ImageRef: quay.io/redhat-user-workloads/crt-redhat-acm-tenant/cluster-permission-acm-213@sha256:9db502289231e638c9343a758e1a4dae963b0457df9014d0d6d487531dfc2d27
  Reason: The Task "ecosystem-cert-preflight-checks" from the build Pipeline reports a failed informative test
  Term: ecosystem-cert-preflight-checks
  Title: No informative tests failed
  Description: Produce a warning if any informative tests have their result set to "FAILED". The result type is configurable by the "failed_tests_results" key, and the list of informative tests is configurable by the "informative_tests" key in the rule data.
  Solution: There is a test that failed. Make sure that any task in the build pipeline with a result named 'TEST_OUTPUT' does not fail. More information about the test should be available in the logs for the build Pipeline.
› [Warning] test.no_test_warnings
  ImageRef: quay.io/redhat-user-workloads/crt-redhat-acm-tenant/cluster-permission-acm-213@sha256:9db502289231e638c9343a758e1a4dae963b0457df9014d0d6d487531dfc2d27
  Reason: The Task "deprecated-image-check" from the build Pipeline reports a test contains warnings
  Term: deprecated-image-check
  Title: No tests produced warnings
  Description: Produce a warning if any tests have their result set to "WARNING". The result type is configurable by the "warned_tests_results" key in the rule data.
  Solution: There is a task with result 'TEST_OUTPUT' that returned a result of 'WARNING'. You can find which test resulted in 'WARNING' by examining the 'result' key in the 'TEST_OUTPUT'. More information about the test should be available in the logs for the build Pipeline.
STEP-REPORT-JSON {"success":false,"components":[{"name":"cluster-permission-acm-213-sha256:ec7d52e04a88c6af5427109df26b34e35850e0bc21f15549cf1764367e7f1431-amd64","containerImage":"quay.io/redhat-user-workloads/crt-redhat-acm-tenant/cluster-permission-acm-213@sha256:ec7d52e04a88c6af5427109df26b34e35850e0bc21f15549cf1764367e7f1431","source":{"git":{"url":"https://github.com/stolostron/cluster-permission","revision":"5f2384d385548a83c13420c157ba3281613cc2a9"}},"violations":[{"msg":"Build task was not invoked with the hermetic parameter set","metadata":{"code":"hermetic_build_task.build_task_hermetic","collections":["redhat"],"depends_on":["attestation_type.known_attestation_type"],"description":"Verify the build task in the PipelineRun attestation was invoked with the proper parameters to make the build process hermetic. 
To exclude this rule add \"hermetic_build_task.build_task_hermetic\" to the `exclude` section of the policy configuration.","solution":"Make sure the task that builds the image has a parameter named 'HERMETIC' and it's set to 'true'.","title":"Build task called with hermetic param set"}},{"msg":"The \"com.redhat.component\" label should not be inherited from the parent image","metadata":{"code":"labels.disallowed_inherited_labels","collections":["redhat"],"description":"Check that certain labels on the image have different values than the labels from the parent image. If the label is inherited from the parent image but not redefined for the image, it will contain an incorrect value for the image. Use the rule data `disallowed_inherited_labels` key to set the list of labels to check, or the `fbc_disallowed_inherited_labels` key for fbc images. To exclude this rule add \"labels.disallowed_inherited_labels:com.redhat.component\" to the `exclude` section of the policy configuration.","solution":"Update the image build process to overwrite the inherited labels.","term":"com.redhat.component","title":"Disallowed inherited labels"}},{"msg":"The \"description\" label should not be inherited from the parent image","metadata":{"code":"labels.disallowed_inherited_labels","collections":["redhat"],"description":"Check that certain labels on the image have different values than the labels from the parent image. If the label is inherited from the parent image but not redefined for the image, it will contain an incorrect value for the image. Use the rule data `disallowed_inherited_labels` key to set the list of labels to check, or the `fbc_disallowed_inherited_labels` key for fbc images. 
To exclude this rule add \"labels.disallowed_inherited_labels:description\" to the `exclude` section of the policy configuration.","solution":"Update the image build process to overwrite the inherited labels.","term":"description","title":"Disallowed inherited labels"}},{"msg":"The \"io.k8s.description\" label should not be inherited from the parent image","metadata":{"code":"labels.disallowed_inherited_labels","collections":["redhat"],"description":"Check that certain labels on the image have different values than the labels from the parent image. If the label is inherited from the parent image but not redefined for the image, it will contain an incorrect value for the image. Use the rule data `disallowed_inherited_labels` key to set the list of labels to check, or the `fbc_disallowed_inherited_labels` key for fbc images. To exclude this rule add \"labels.disallowed_inherited_labels:io.k8s.description\" to the `exclude` section of the policy configuration.","solution":"Update the image build process to overwrite the inherited labels.","term":"io.k8s.description","title":"Disallowed inherited labels"}},{"msg":"The \"io.k8s.display-name\" label should not be inherited from the parent image","metadata":{"code":"labels.disallowed_inherited_labels","collections":["redhat"],"description":"Check that certain labels on the image have different values than the labels from the parent image. If the label is inherited from the parent image but not redefined for the image, it will contain an incorrect value for the image. Use the rule data `disallowed_inherited_labels` key to set the list of labels to check, or the `fbc_disallowed_inherited_labels` key for fbc images. 
To exclude this rule add \"labels.disallowed_inherited_labels:io.k8s.display-name\" to the `exclude` section of the policy configuration.","solution":"Update the image build process to overwrite the inherited labels.","term":"io.k8s.display-name","title":"Disallowed inherited labels"}},{"msg":"The \"io.openshift.tags\" label should not be inherited from the parent image","metadata":{"code":"labels.disallowed_inherited_labels","collections":["redhat"],"description":"Check that certain labels on the image have different values than the labels from the parent image. If the label is inherited from the parent image but not redefined for the image, it will contain an incorrect value for the image. Use the rule data `disallowed_inherited_labels` key to set the list of labels to check, or the `fbc_disallowed_inherited_labels` key for fbc images. To exclude this rule add \"labels.disallowed_inherited_labels:io.openshift.tags\" to the `exclude` section of the policy configuration.","solution":"Update the image build process to overwrite the inherited labels.","term":"io.openshift.tags","title":"Disallowed inherited labels"}},{"msg":"The \"name\" label should not be inherited from the parent image","metadata":{"code":"labels.disallowed_inherited_labels","collections":["redhat"],"description":"Check that certain labels on the image have different values than the labels from the parent image. If the label is inherited from the parent image but not redefined for the image, it will contain an incorrect value for the image. Use the rule data `disallowed_inherited_labels` key to set the list of labels to check, or the `fbc_disallowed_inherited_labels` key for fbc images. 
To exclude this rule add \"labels.disallowed_inherited_labels:name\" to the `exclude` section of the policy configuration.","solution":"Update the image build process to overwrite the inherited labels.","term":"name","title":"Disallowed inherited labels"}},{"msg":"The \"summary\" label should not be inherited from the parent image","metadata":{"code":"labels.disallowed_inherited_labels","collections":["redhat"],"description":"Check that certain labels on the image have different values than the labels from the parent image. If the label is inherited from the parent image but not redefined for the image, it will contain an incorrect value for the image. Use the rule data `disallowed_inherited_labels` key to set the list of labels to check, or the `fbc_disallowed_inherited_labels` key for fbc images. To exclude this rule add \"labels.disallowed_inherited_labels:summary\" to the `exclude` section of the policy configuration.","solution":"Update the image build process to overwrite the inherited labels.","term":"summary","title":"Disallowed inherited labels"}},{"msg":"Image \"quay.io/redhat-user-workloads/crt-redhat-acm-tenant/cluster-permission-acm-213@sha256:ec7d52e04a88c6af5427109df26b34e35850e0bc21f15549cf1764367e7f1431\" not built by a trusted task: Build Task(s) \"build-image-index,buildah-remote-oci-ta\" are not trusted","metadata":{"code":"slsa_build_scripted_build.image_built_by_trusted_task","collections":["redhat"],"depends_on":["attestation_type.known_attestation_type"],"description":"Verify the digest of the image being validated is reported by a trusted Task in its IMAGE_DIGEST result. 
To exclude this rule add \"slsa_build_scripted_build.image_built_by_trusted_task\" to the `exclude` section of the policy configuration.","solution":"Make sure the build Pipeline definition uses a trusted Task to build images.","title":"Image built by trusted Task"}},{"msg":"No source image references found","metadata":{"code":"source_image.exists","collections":["redhat"],"description":"Verify the source container image exists. To exclude this rule add \"source_image.exists\" to the `exclude` section of the policy configuration.","title":"Exists"}},{"msg":"One of \"buildah\", \"buildah-10gb\", \"buildah-6gb\", \"buildah-8gb\", \"buildah-remote\", \"buildah-oci-ta\", \"buildah-remote-oci-ta\" tasks is missing","metadata":{"code":"tasks.required_tasks_found","collections":["redhat"],"depends_on":["tasks.pipeline_has_tasks"],"description":"Ensure that the set of required tasks are included in the PipelineRun attestation. To exclude this rule add one or more of \"tasks.required_tasks_found:buildah\", \"tasks.required_tasks_found:buildah-10gb\", \"tasks.required_tasks_found:buildah-6gb\", \"tasks.required_tasks_found:buildah-8gb\", \"tasks.required_tasks_found:buildah-remote\", \"tasks.required_tasks_found:buildah-oci-ta\", \"tasks.required_tasks_found:buildah-remote-oci-ta\" to the `exclude` section of the policy configuration.","solution":"Make sure all required tasks are in the build pipeline. The required task list is contained as https://conforma.dev/docs/ec-cli/configuration.html#_data_sources under the key 'required-tasks'.","term":["buildah","buildah-10gb","buildah-6gb","buildah-8gb","buildah-remote","buildah-oci-ta","buildah-remote-oci-ta"],"title":"All required tasks were included in the pipeline"}},{"msg":"Required task \"clair-scan\" is missing","metadata":{"code":"tasks.required_tasks_found","collections":["redhat"],"depends_on":["tasks.pipeline_has_tasks"],"description":"Ensure that the set of required tasks are included in the PipelineRun attestation. 
To exclude this rule add \"tasks.required_tasks_found:clair-scan\" to the `exclude` section of the policy configuration.","solution":"Make sure all required tasks are in the build pipeline. The required task list is contained as https://conforma.dev/docs/ec-cli/configuration.html#_data_sources under the key 'required-tasks'.","term":"clair-scan","title":"All required tasks were included in the pipeline"}},{"msg":"Required task \"clamav-scan\" is missing","metadata":{"code":"tasks.required_tasks_found","collections":["redhat"],"depends_on":["tasks.pipeline_has_tasks"],"description":"Ensure that the set of required tasks are included in the PipelineRun attestation. To exclude this rule add \"tasks.required_tasks_found:clamav-scan\" to the `exclude` section of the policy configuration.","solution":"Make sure all required tasks are in the build pipeline. The required task list is contained as https://conforma.dev/docs/ec-cli/configuration.html#_data_sources under the key 'required-tasks'.","term":"clamav-scan","title":"All required tasks were included in the pipeline"}},{"msg":"Required task \"deprecated-image-check\" is missing","metadata":{"code":"tasks.required_tasks_found","collections":["redhat"],"depends_on":["tasks.pipeline_has_tasks"],"description":"Ensure that the set of required tasks are included in the PipelineRun attestation. To exclude this rule add \"tasks.required_tasks_found:deprecated-image-check\" to the `exclude` section of the policy configuration.","solution":"Make sure all required tasks are in the build pipeline. 
The required task list is contained as https://conforma.dev/docs/ec-cli/configuration.html#_data_sources under the key 'required-tasks'.","term":"deprecated-image-check","title":"All required tasks were included in the pipeline"}},{"msg":"One of \"git-clone\", \"git-clone-oci-ta\" tasks is missing","metadata":{"code":"tasks.required_tasks_found","collections":["redhat"],"depends_on":["tasks.pipeline_has_tasks"],"description":"Ensure that the set of required tasks are included in the PipelineRun attestation. To exclude this rule add one or more of \"tasks.required_tasks_found:git-clone\", \"tasks.required_tasks_found:git-clone-oci-ta\" to the `exclude` section of the policy configuration.","solution":"Make sure all required tasks are in the build pipeline. The required task list is contained as https://conforma.dev/docs/ec-cli/configuration.html#_data_sources under the key 'required-tasks'.","term":["git-clone","git-clone-oci-ta"],"title":"All required tasks were included in the pipeline"}},{"msg":"Required task \"init\" is missing","metadata":{"code":"tasks.required_tasks_found","collections":["redhat"],"depends_on":["tasks.pipeline_has_tasks"],"description":"Ensure that the set of required tasks are included in the PipelineRun attestation. To exclude this rule add \"tasks.required_tasks_found:init\" to the `exclude` section of the policy configuration.","solution":"Make sure all required tasks are in the build pipeline. The required task list is contained as https://conforma.dev/docs/ec-cli/configuration.html#_data_sources under the key 'required-tasks'.","term":"init","title":"All required tasks were included in the pipeline"}},{"msg":"One of \"prefetch-dependencies\", \"prefetch-dependencies-oci-ta\" tasks is missing","metadata":{"code":"tasks.required_tasks_found","collections":["redhat"],"depends_on":["tasks.pipeline_has_tasks"],"description":"Ensure that the set of required tasks are included in the PipelineRun attestation. 
To exclude this rule add one or more of \"tasks.required_tasks_found:prefetch-dependencies\", \"tasks.required_tasks_found:prefetch-dependencies-oci-ta\" to the `exclude` section of the policy configuration.","solution":"Make sure all required tasks are in the build pipeline. The required task list is contained as https://conforma.dev/docs/ec-cli/configuration.html#_data_sources under the key 'required-tasks'.","term":["prefetch-dependencies","prefetch-dependencies-oci-ta"],"title":"All required tasks were included in the pipeline"}},{"msg":"Required task \"rpms-signature-scan\" is missing","metadata":{"code":"tasks.required_tasks_found","collections":["redhat"],"depends_on":["tasks.pipeline_has_tasks"],"description":"Ensure that the set of required tasks are included in the PipelineRun attestation. To exclude this rule add \"tasks.required_tasks_found:rpms-signature-scan\" to the `exclude` section of the policy configuration.","solution":"Make sure all required tasks are in the build pipeline. The required task list is contained as https://conforma.dev/docs/ec-cli/configuration.html#_data_sources under the key 'required-tasks'.","term":"rpms-signature-scan","title":"All required tasks were included in the pipeline"}},{"msg":"One of \"sast-shell-check\", \"sast-shell-check-oci-ta\" tasks is missing","metadata":{"code":"tasks.required_tasks_found","collections":["redhat"],"depends_on":["tasks.pipeline_has_tasks"],"description":"Ensure that the set of required tasks are included in the PipelineRun attestation. To exclude this rule add one or more of \"tasks.required_tasks_found:sast-shell-check\", \"tasks.required_tasks_found:sast-shell-check-oci-ta\" to the `exclude` section of the policy configuration.","solution":"Make sure all required tasks are in the build pipeline. 
The required task list is contained as https://conforma.dev/docs/ec-cli/configuration.html#_data_sources under the key 'required-tasks'.","term":["sast-shell-check","sast-shell-check-oci-ta"],"title":"All required tasks were included in the pipeline"}},{"msg":"One of \"sast-snyk-check\", \"sast-snyk-check-oci-ta\" tasks is missing","metadata":{"code":"tasks.required_tasks_found","collections":["redhat"],"depends_on":["tasks.pipeline_has_tasks"],"description":"Ensure that the set of required tasks are included in the PipelineRun attestation. To exclude this rule add one or more of \"tasks.required_tasks_found:sast-snyk-check\", \"tasks.required_tasks_found:sast-snyk-check-oci-ta\" to the `exclude` section of the policy configuration.","solution":"Make sure all required tasks are in the build pipeline. The required task list is contained as https://conforma.dev/docs/ec-cli/configuration.html#_data_sources under the key 'required-tasks'.","term":["sast-snyk-check","sast-snyk-check-oci-ta"],"title":"All required tasks were included in the pipeline"}},{"msg":"One of \"sast-unicode-check\", \"sast-unicode-check-oci-ta\" tasks is missing","metadata":{"code":"tasks.required_tasks_found","collections":["redhat"],"depends_on":["tasks.pipeline_has_tasks"],"description":"Ensure that the set of required tasks are included in the PipelineRun attestation. To exclude this rule add one or more of \"tasks.required_tasks_found:sast-unicode-check\", \"tasks.required_tasks_found:sast-unicode-check-oci-ta\" to the `exclude` section of the policy configuration.","solution":"Make sure all required tasks are in the build pipeline. 
The required task list is contained as https://conforma.dev/docs/ec-cli/configuration.html#_data_sources under the key 'required-tasks'.","term":["sast-unicode-check","sast-unicode-check-oci-ta"],"title":"All required tasks were included in the pipeline"}},{"msg":"One of \"source-build\", \"source-build-oci-ta\" tasks is missing","metadata":{"code":"tasks.required_tasks_found","collections":["redhat"],"depends_on":["tasks.pipeline_has_tasks"],"description":"Ensure that the set of required tasks are included in the PipelineRun attestation. To exclude this rule add one or more of \"tasks.required_tasks_found:source-build\", \"tasks.required_tasks_found:source-build-oci-ta\" to the `exclude` section of the policy configuration.","solution":"Make sure all required tasks are in the build pipeline. The required task list is contained as https://conforma.dev/docs/ec-cli/configuration.html#_data_sources under the key 'required-tasks'.","term":["source-build","source-build-oci-ta"],"title":"All required tasks were included in the pipeline"}},{"msg":"Code tampering detected, untrusted PipelineTask \"build-image-index\" (Task \"build-image-index\") was included in build chain comprised of: build-image-index","metadata":{"code":"trusted_task.trusted","collections":["redhat"],"description":"Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. 
To exclude this rule add \"trusted_task.trusted:build-image-index\" to the `exclude` section of the policy configuration.","solution":"If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available.","term":"build-image-index","title":"Tasks are trusted"}},{"msg":"Code tampering detected, untrusted PipelineTask \"build-images\" (Task \"buildah-remote-oci-ta\") was included in build chain comprised of: build-images, clone-repository, prefetch-dependencies","metadata":{"code":"trusted_task.trusted","collections":["redhat"],"description":"Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add \"trusted_task.trusted:buildah-remote-oci-ta\" to the `exclude` section of the policy configuration.","solution":"If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. 
Note that trust is eventually revoked from Tasks when newer versions are made available.","term":"buildah-remote-oci-ta","title":"Tasks are trusted"}},{"msg":"Code tampering detected, untrusted PipelineTask \"clair-scan\" (Task \"clair-scan\") was included in build chain comprised of: clair-scan","metadata":{"code":"trusted_task.trusted","collections":["redhat"],"description":"Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add \"trusted_task.trusted:clair-scan\" to the `exclude` section of the policy configuration.","solution":"If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available.","term":"clair-scan","title":"Tasks are trusted"}},{"msg":"Code tampering detected, untrusted PipelineTask \"clamav-scan\" (Task \"clamav-scan\") was included in build chain comprised of: clamav-scan","metadata":{"code":"trusted_task.trusted","collections":["redhat"],"description":"Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. 
In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add \"trusted_task.trusted:clamav-scan\" to the `exclude` section of the policy configuration.","solution":"If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available.","term":"clamav-scan","title":"Tasks are trusted"}},{"msg":"Code tampering detected, untrusted PipelineTask \"deprecated-base-image-check\" (Task \"deprecated-image-check\") was included in build chain comprised of: deprecated-base-image-check","metadata":{"code":"trusted_task.trusted","collections":["redhat"],"description":"Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add \"trusted_task.trusted:deprecated-image-check\" to the `exclude` section of the policy configuration.","solution":"If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. 
Note that trust is eventually revoked from Tasks when newer versions are made available.","term":"deprecated-image-check","title":"Tasks are trusted"}},{"msg":"Code tampering detected, untrusted PipelineTask \"ecosystem-cert-preflight-checks\" (Task \"ecosystem-cert-preflight-checks\") was included in build chain comprised of: ecosystem-cert-preflight-checks","metadata":{"code":"trusted_task.trusted","collections":["redhat"],"description":"Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add \"trusted_task.trusted:ecosystem-cert-preflight-checks\" to the `exclude` section of the policy configuration.","solution":"If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available.","term":"ecosystem-cert-preflight-checks","title":"Tasks are trusted"}},{"msg":"Code tampering detected, untrusted PipelineTask \"clone-repository\" (Task \"git-clone-oci-ta\") was included in build chain comprised of: build-images, clone-repository, prefetch-dependencies","metadata":{"code":"trusted_task.trusted","collections":["redhat"],"description":"Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. 
If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add \"trusted_task.trusted:git-clone-oci-ta\" to the `exclude` section of the policy configuration.","solution":"If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available.","term":"git-clone-oci-ta","title":"Tasks are trusted"}},{"msg":"Code tampering detected, untrusted PipelineTask \"clone-repository\" (Task \"git-clone-oci-ta\") was included in build chain comprised of: clone-repository, prefetch-dependencies, sast-snyk-check","metadata":{"code":"trusted_task.trusted","collections":["redhat"],"description":"Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add \"trusted_task.trusted:git-clone-oci-ta\" to the `exclude` section of the policy configuration.","solution":"If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. 
Note that trust is eventually revoked from Tasks when newer versions are made available.","term":"git-clone-oci-ta","title":"Tasks are trusted"}},{"msg":"Code tampering detected, untrusted PipelineTask \"prefetch-dependencies\" (Task \"prefetch-dependencies-oci-ta\") was included in build chain comprised of: build-images, clone-repository, prefetch-dependencies","metadata":{"code":"trusted_task.trusted","collections":["redhat"],"description":"Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add \"trusted_task.trusted:prefetch-dependencies-oci-ta\" to the `exclude` section of the policy configuration.","solution":"If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available.","term":"prefetch-dependencies-oci-ta","title":"Tasks are trusted"}},{"msg":"Code tampering detected, untrusted PipelineTask \"prefetch-dependencies\" (Task \"prefetch-dependencies-oci-ta\") was included in build chain comprised of: clone-repository, prefetch-dependencies, sast-snyk-check","metadata":{"code":"trusted_task.trusted","collections":["redhat"],"description":"Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. 
If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add \"trusted_task.trusted:prefetch-dependencies-oci-ta\" to the `exclude` section of the policy configuration.","solution":"If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available.","term":"prefetch-dependencies-oci-ta","title":"Tasks are trusted"}},{"msg":"Code tampering detected, untrusted PipelineTask \"rpms-signature-scan\" (Task \"rpms-signature-scan\") was included in build chain comprised of: rpms-signature-scan","metadata":{"code":"trusted_task.trusted","collections":["redhat"],"description":"Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add \"trusted_task.trusted:rpms-signature-scan\" to the `exclude` section of the policy configuration.","solution":"If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. 
Note that trust is eventually revoked from Tasks when newer versions are made available.","term":"rpms-signature-scan","title":"Tasks are trusted"}},{"msg":"Code tampering detected, untrusted PipelineTask \"sast-snyk-check\" (Task \"sast-snyk-check-oci-ta\") was included in build chain comprised of: clone-repository, prefetch-dependencies, sast-snyk-check","metadata":{"code":"trusted_task.trusted","collections":["redhat"],"description":"Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add \"trusted_task.trusted:sast-snyk-check-oci-ta\" to the `exclude` section of the policy configuration.","solution":"If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. 
Note that trust is eventually revoked from Tasks when newer versions are made available.","term":"sast-snyk-check-oci-ta","title":"Tasks are trusted"}}],"warnings":[{"msg":"Required task \"clair-scan\" is required and present but not from a trusted task","metadata":{"code":"tasks.required_untrusted_task_found","collections":["redhat","redhat_rpms"],"depends_on":["tasks.pipeline_has_tasks"],"description":"Ensure that the all required tasks are resolved from trusted tasks.","solution":"Make sure all required tasks in the build pipeline are resolved from trusted tasks.","term":"clair-scan","title":"All required tasks are from trusted tasks"}},{"msg":"Required task \"clamav-scan\" is required and present but not from a trusted task","metadata":{"code":"tasks.required_untrusted_task_found","collections":["redhat","redhat_rpms"],"depends_on":["tasks.pipeline_has_tasks"],"description":"Ensure that the all required tasks are resolved from trusted tasks.","solution":"Make sure all required tasks in the build pipeline are resolved from trusted tasks.","term":"clamav-scan","title":"All required tasks are from trusted tasks"}},{"msg":"Required task \"deprecated-image-check\" is required and present but not from a trusted task","metadata":{"code":"tasks.required_untrusted_task_found","collections":["redhat","redhat_rpms"],"depends_on":["tasks.pipeline_has_tasks"],"description":"Ensure that the all required tasks are resolved from trusted tasks.","solution":"Make sure all required tasks in the build pipeline are resolved from trusted tasks.","term":"deprecated-image-check","title":"All required tasks are from trusted tasks"}},{"msg":"Required task \"init\" is required and present but not from a trusted task","metadata":{"code":"tasks.required_untrusted_task_found","collections":["redhat","redhat_rpms"],"depends_on":["tasks.pipeline_has_tasks"],"description":"Ensure that the all required tasks are resolved from trusted tasks.","solution":"Make sure all required tasks in the build 
pipeline are resolved from trusted tasks.","term":"init","title":"All required tasks are from trusted tasks"}},{"msg":"Required task \"rpms-signature-scan\" is required and present but not from a trusted task","metadata":{"code":"tasks.required_untrusted_task_found","collections":["redhat","redhat_rpms"],"depends_on":["tasks.pipeline_has_tasks"],"description":"Ensure that the all required tasks are resolved from trusted tasks.","solution":"Make sure all required tasks in the build pipeline are resolved from trusted tasks.","term":"rpms-signature-scan","title":"All required tasks are from trusted tasks"}},{"msg":"The Task \"ecosystem-cert-preflight-checks\" from the build Pipeline reports a failed informative test","metadata":{"code":"test.no_failed_informative_tests","collections":["redhat"],"depends_on":["test.test_data_found"],"description":"Produce a warning if any informative tests have their result set to \"FAILED\". The result type is configurable by the \"failed_tests_results\" key, and the list of informative tests is configurable by the \"informative_tests\" key in the rule data.","solution":"There is a test that failed. Make sure that any task in the build pipeline with a result named 'TEST_OUTPUT' does not fail. More information about the test should be available in the logs for the build Pipeline.","term":"ecosystem-cert-preflight-checks","title":"No informative tests failed"}},{"msg":"The Task \"deprecated-image-check\" from the build Pipeline reports a test contains warnings","metadata":{"code":"test.no_test_warnings","collections":["redhat"],"depends_on":["test.test_data_found"],"description":"Produce a warning if any tests have their result set to \"WARNING\". The result type is configurable by the \"warned_tests_results\" key in the rule data.","solution":"There is a task with result 'TEST_OUTPUT' that returned a result of 'WARNING'. You can find which test resulted in 'WARNING' by examining the 'result' key in the 'TEST_OUTPUT'. 
More information about the test should be available in the logs for the build Pipeline.","term":"deprecated-image-check","title":"No tests produced warnings"}}],"successes":[{"msg":"Pass","metadata":{"code":"attestation_type.deprecated_policy_attestation_format","collections":["minimal","redhat","redhat_rpms"],"description":"The Conforma CLI now places the attestation data in a different location. This check fails if the expected new format is not found.","effective_on":"2023-08-31T00:00:00Z","title":"Deprecated policy attestation format"}},{"msg":"Pass","metadata":{"code":"attestation_type.known_attestation_type","collections":["minimal","redhat","redhat_rpms"],"depends_on":["attestation_type.pipelinerun_attestation_found"],"description":"Confirm the attestation found for the image has a known attestation type.","title":"Known attestation type found"}},{"msg":"Pass","metadata":{"code":"attestation_type.known_attestation_types_provided","collections":["minimal","redhat","redhat_rpms","policy_data"],"description":"Confirm the `known_attestation_types` rule data was provided.","title":"Known attestation types provided"}},{"msg":"Pass","metadata":{"code":"attestation_type.pipelinerun_attestation_found","collections":["minimal","redhat","redhat_rpms"],"description":"Confirm at least one PipelineRun attestation is present.","title":"PipelineRun attestation found"}},{"msg":"Pass","metadata":{"code":"base_image_registries.allowed_registries_provided","collections":["minimal","redhat","policy_data"],"description":"Confirm the `allowed_registry_prefixes` rule data was provided, since it's required by the policy rules in this package.","title":"Allowed base image registry prefixes list was provided"}},{"msg":"Pass","metadata":{"code":"base_image_registries.base_image_info_found","collections":["minimal","redhat"],"depends_on":["attestation_type.known_attestation_type"],"description":"Verify the expected information was provided about which base images were used during the 
build process. The list of base images comes from any associated CycloneDX or SPDX SBOMs.","title":"Base images provided"}},{"msg":"Pass","metadata":{"code":"base_image_registries.base_image_permitted","collections":["minimal","redhat"],"depends_on":["base_image_registries.base_image_info_found","base_image_registries.allowed_registries_provided"],"description":"Verify that the base images used when building a container image come from a known set of trusted registries to reduce potential supply chain attacks. By default this policy defines trusted registries as registries that are fully maintained by Red Hat and only contain content produced by Red Hat. The list of permitted registries can be customized by setting the `allowed_registry_prefixes` list in the rule data. Base images that are found in the snapshot being validated are also allowed since EC will also validate those images individually.","title":"Base image comes from permitted registry"}},{"msg":"Pass","metadata":{"code":"base_image_registries.base_image_permitted","collections":["minimal","redhat"],"depends_on":["base_image_registries.base_image_info_found","base_image_registries.allowed_registries_provided"],"description":"Verify that the base images used when building a container image come from a known set of trusted registries to reduce potential supply chain attacks. By default this policy defines trusted registries as registries that are fully maintained by Red Hat and only contain content produced by Red Hat. The list of permitted registries can be customized by setting the `allowed_registry_prefixes` list in the rule data. 
Base images that are found in the snapshot being validated are also allowed since EC will also validate those images individually.","title":"Base image comes from permitted registry"}},{"msg":"Pass","metadata":{"code":"buildah_build_task.add_capabilities_param","collections":["redhat"],"depends_on":["attestation_type.known_attestation_type"],"description":"Verify the ADD_CAPABILITIES parameter of a builder Tasks was not used.","effective_on":"2024-08-31T00:00:00Z","title":"ADD_CAPABILITIES parameter"}},{"msg":"Pass","metadata":{"code":"buildah_build_task.buildah_uses_local_dockerfile","collections":["redhat"],"depends_on":["attestation_type.known_attestation_type"],"description":"Verify the Dockerfile used in the buildah task was not fetched from an external source.","title":"Buildah task uses a local Dockerfile"}},{"msg":"Pass","metadata":{"code":"buildah_build_task.disallowed_platform_patterns_pattern","collections":["redhat","policy_data"],"description":"Confirm the `disallowed_platform_patterns` rule data, if provided matches the expected format.","title":"disallowed_platform_patterns format"}},{"msg":"Pass","metadata":{"code":"buildah_build_task.platform_param","collections":["redhat"],"depends_on":["attestation_type.known_attestation_type"],"description":"Verify the value of the PLATFORM parameter of a builder Task is allowed by matching against a list of disallowed patterns. The list of patterns can be customized via the `disallowed_platform_patterns` rule data key. 
If empty, all values are allowed.","effective_on":"2024-09-01T00:00:00Z","title":"PLATFORM parameter"}},{"msg":"Pass","metadata":{"code":"buildah_build_task.privileged_nested_param","collections":["redhat"],"depends_on":["attestation_type.known_attestation_type"],"description":"Verify the PRIVILEGED_NESTED parameter of a builder Tasks was not set to `true`.","title":"PRIVILEGED_NESTED parameter"}},{"msg":"Pass","metadata":{"code":"builtin.attestation.signature_check","description":"The attestation signature matches available signing materials.","title":"Attestation signature check passed"}},{"msg":"Pass","metadata":{"code":"builtin.attestation.syntax_check","description":"The attestation has correct syntax.","title":"Attestation syntax check passed"}},{"msg":"Pass","metadata":{"code":"builtin.image.signature_check","description":"The image signature matches available signing materials.","title":"Image signature check passed"}},{"msg":"Pass","metadata":{"code":"cve.cve_results_found","collections":["minimal","redhat"],"depends_on":["attestation_type.known_attestation_type"],"description":"Confirm that clair-scan task results are present in the SLSA Provenance attestation of the build pipeline.","title":"CVE scan results found"}},{"msg":"Pass","metadata":{"code":"cve.cve_warnings","collections":["minimal","redhat","redhat_rpms"],"depends_on":["cve.cve_results_found"],"description":"The SLSA Provenance attestation for the image is inspected to ensure CVEs that have a known fix and meet a certain security level have not been detected. If detected, this policy rule will raise a warning. By default, the list of CVE security levels used by this policy is empty. However, this is configurable by the rule data key `warn_cve_security_levels`. 
The available levels are critical, high, medium, low, and unknown.","title":"Non-blocking CVE check"}},{"msg":"Pass","metadata":{"code":"cve.rule_data_provided","collections":["minimal","redhat","redhat_rpms","policy_data"],"description":"Confirm the expected rule data keys have been provided in the expected format. The keys are `restrict_cve_security_levels`,\t`warn_cve_security_levels`, `restrict_unpatched_cve_security_levels`, and `warn_unpatched_cve_security_levels`.","title":"Rule data provided"}},{"msg":"Pass","metadata":{"code":"cve.unpatched_cve_blockers","collections":["minimal","redhat","redhat_rpms"],"depends_on":["cve.cve_results_found"],"description":"The SLSA Provenance attestation for the image is inspected to ensure CVEs that do NOT have a known fix and meet a certain security level have not been detected. If detected, this policy rule will fail. By default, the list of security levels used by this policy is empty. This is configurable by the rule data key `restrict_unpatched_cve_security_levels`. The available levels are critical, high, medium, low, and unknown. In addition to that leeway can be granted per severity using the `cve_leeway` rule data key containing days of allowed leeway, measured as time between found vulnerability's public disclosure date and current effective time, per severity level.","title":"Blocking unpatched CVE check"}},{"msg":"Pass","metadata":{"code":"cve.unpatched_cve_warnings","collections":["minimal","redhat"],"depends_on":["cve.cve_results_found"],"description":"The SLSA Provenance attestation for the image is inspected to ensure CVEs that do NOT have a known fix and meet a certain security level have not been detected. If detected, this policy rule will raise a warning. By default, only CVEs of critical and high security level cause a warning. This is configurable by the rule data key `warn_unpatched_cve_security_levels`. 
The available levels are critical, high, medium, low, and unknown.","title":"Non-blocking unpatched CVE check"}},{"msg":"Pass","metadata":{"code":"labels.deprecated_labels","collections":["redhat"],"description":"Check the image for the presence of labels that have been deprecated. Use the rule data key `deprecated_labels` to set the list of labels to check.","title":"Deprecated labels"}},{"msg":"Pass","metadata":{"code":"labels.inaccessible_config","collections":["redhat"],"description":"The image config is not accessible.","title":"Inaccessible image config"}},{"msg":"Pass","metadata":{"code":"labels.inaccessible_manifest","collections":["redhat"],"description":"The image manifest is not accessible.","title":"Inaccessible image manifest"}},{"msg":"Pass","metadata":{"code":"labels.inaccessible_parent_config","collections":["redhat"],"description":"The parent image config is not accessible.","title":"Inaccessible parent image config"}},{"msg":"Pass","metadata":{"code":"labels.inaccessible_parent_manifest","collections":["redhat"],"description":"The parent image manifest is not accessible.","title":"Inaccessible parent image manifest"}},{"msg":"Pass","metadata":{"code":"labels.optional_labels","collections":["redhat"],"description":"Check the image for the presence of labels that are recommended, but not required. Use the rule data `optional_labels` key to set the list of labels to check, or the `fbc_optional_labels` key for fbc images.","title":"Optional labels"}},{"msg":"Pass","metadata":{"code":"labels.required_labels","collections":["redhat"],"description":"Check the image for the presence of labels that are required. Use the rule data `required_labels` key to set the list of labels to check, or the `fbc_required_labels` key for fbc images.","title":"Required labels"}},{"msg":"Pass","metadata":{"code":"labels.rule_data_provided","collections":["redhat","policy_data"],"description":"Confirm the expected rule data keys have been provided in the expected format. 
The keys are `required_labels`,\t`fbc_required_labels`, `optional_labels`, `fbc_optional_labels`, `disallowed_inherited_labels`, `fbc_disallowed_inherited_labels`, and `deprecated_labels`.","title":"Rule data provided"}},{"msg":"Pass","metadata":{"code":"olm.allowed_registries","collections":["redhat"],"description":"Each image referenced by the OLM bundle should match an entry in the list of prefixes defined by the rule data key `allowed_registry_prefixes` in your policy configuration.","effective_on":"2024-09-01T00:00:00Z","title":"Images referenced by OLM bundle are from allowed registries"}},{"msg":"Pass","metadata":{"code":"olm.allowed_registries_related","collections":["redhat"],"description":"Each image indicated as a related image should match an entry in the list of prefixes defined by the rule data key `allowed_registry_prefixes` in your policy configuration.","effective_on":"2025-04-15T00:00:00Z","title":"Related images references are from allowed registries"}},{"msg":"Pass","metadata":{"code":"olm.csv_semver_format","collections":["redhat"],"description":"Check the `spec.version` value in the ClusterServiceVersion manifest of the OLM bundle uses a properly formatted semver.","title":"ClusterServiceVersion semver format"}},{"msg":"Pass","metadata":{"code":"olm.feature_annotations_format","collections":["redhat"],"description":"Check the feature annotations in the ClusterServiceVersion manifest of the OLM bundle. All of required feature annotations must be present and set to either the string `\"true\"` or the string `\"false\"`. The list of feature annotations can be customize via the `required_olm_features_annotations` rule data.","title":"Feature annotations have expected value"}},{"msg":"Pass","metadata":{"code":"olm.inaccessible_related_images","collections":["redhat"],"description":"Check the input image for the presence of related images. 
Ensure that all images are accessible.","effective_on":"2025-03-10T00:00:00Z","title":"Unable to access related images for a component"}},{"msg":"Pass","metadata":{"code":"olm.inaccessible_snapshot_references","collections":["redhat"],"description":"Check the input snapshot and make sure all the images are accessible.","effective_on":"2024-08-15T00:00:00Z","title":"Unable to access images in the input snapshot"}},{"msg":"Pass","metadata":{"code":"olm.olm_bundle_multi_arch","collections":["redhat"],"description":"OLM bundle images should be multi-arch. It should not be an OCI image index nor should it be a Docker v2s2 manifest list.","effective_on":"2025-05-01T00:00:00Z","title":"OLM bundle images are not multi-arch"}},{"msg":"Pass","metadata":{"code":"olm.required_olm_features_annotations_provided","collections":["redhat","policy_data"],"description":"Confirm the `required_olm_features_annotations` rule data was provided, since it's required by the policy rules in this package.","title":"Required OLM feature annotations list provided"}},{"msg":"Pass","metadata":{"code":"olm.subscriptions_annotation_format","collections":["redhat"],"description":"Check the value of the operators.openshift.io/valid-subscription annotation from the ClusterServiceVersion manifest is in the expected format, i.e. JSON encoded non-empty array of strings.","effective_on":"2024-04-18T00:00:00Z","title":"Subscription annotation has expected value"}},{"msg":"Pass","metadata":{"code":"olm.unmapped_references","collections":["redhat"],"description":"Check the OLM bundle image for the presence of unmapped image references. 
Unmapped image pull references are references to images found in link:https://osbs.readthedocs.io/en/latest/users.html#pullspec-locations[varying locations] that are either not in the RPA about to be released or not accessible already.","effective_on":"2024-08-15T00:00:00Z","title":"Unmapped images in OLM bundle"}},{"msg":"Pass","metadata":{"code":"olm.unpinned_references","collections":["redhat"],"description":"Check the OLM bundle image for the presence of unpinned image references. Unpinned image pull references are references to images found in link:https://osbs.readthedocs.io/en/latest/users.html#pullspec-locations[varying locations] that do not contain a digest -- uniquely identifying the version of the image being pulled.","title":"Unpinned images in OLM bundle"}},{"msg":"Pass","metadata":{"code":"olm.unpinned_snapshot_references","collections":["redhat"],"description":"Check the input snapshot for the presence of unpinned image references. Unpinned image pull references are references to images that do not contain a digest -- uniquely identifying the version of the image being pulled.","effective_on":"2024-08-15T00:00:00Z","title":"Unpinned images in input snapshot"}},{"msg":"Pass","metadata":{"code":"provenance_materials.git_clone_source_matches_provenance","collections":["minimal","redhat","redhat_rpms"],"depends_on":["provenance_materials.git_clone_task_found"],"description":"Confirm that the result of the git-clone task is included in the materials section of the SLSA provenance attestation.","title":"Git clone source matches materials provenance"}},{"msg":"Pass","metadata":{"code":"provenance_materials.git_clone_task_found","collections":["minimal","redhat","redhat_rpms"],"depends_on":["attestation_type.known_attestation_type"],"description":"Confirm that the attestation contains a git-clone task with `commit` and `url` task results.","title":"Git clone task 
found"}},{"msg":"Pass","metadata":{"code":"quay_expiration.expires_label","collections":["redhat"],"description":"Check the image metadata for the presence of a \"quay.expires-after\" label. If it's present then produce a violation. This check is enforced only for a \"release\", \"production\", or \"staging\" pipeline, as determined by the value of the `pipeline_intention` rule data.","title":"Expires label"}},{"msg":"Pass","metadata":{"code":"rpm_ostree_task.builder_image_param","collections":["redhat"],"description":"Verify the BUILDER_IMAGE parameter of the rpm-ostree Task uses an image reference that is both pinned to a digest and starts with a pre-defined list of prefixes. By default, the list of prefixes is empty allowing any pinned image reference to be used. This is customizable via the `allowed_rpm_ostree_builder_image_prefixes` rule data.","effective_on":"2024-03-20T00:00:00Z","title":"Builder image parameter"}},{"msg":"Pass","metadata":{"code":"rpm_ostree_task.rule_data","collections":["redhat"],"description":"Verify the rule data used by this package, `allowed_rpm_ostree_builder_image_prefixes`, is in the expected format.","title":"Rule data"}},{"msg":"Pass","metadata":{"code":"rpm_packages.unique_version","collections":["redhat"],"description":"Check if there is more than one version of the same RPM installed across different architectures. This check only applies for Image Indexes, aka multi-platform images. Use the `non_unique_rpm_names` rule data key to ignore certain RPMs.","effective_on":"2025-06-28T00:00:00Z","title":"Unique Version"}},{"msg":"Pass","metadata":{"code":"rpm_repos.ids_known","collections":["redhat","redhat_rpms"],"description":"Each RPM package listed in an SBOM must specify the repository id that it comes from, and that repository id must be present in the list of known and permitted repository ids. 
Currently this is rule enforced only for SBOM components created by cachi2.","effective_on":"2024-11-10T00:00:00Z","title":"All rpms have known repo ids"}},{"msg":"Pass","metadata":{"code":"rpm_repos.rule_data_provided","collections":["redhat","redhat_rpms","policy_data"],"description":"A list of known and permitted repository ids should be available in the rule data.","title":"Known repo id list provided"}},{"msg":"Pass","metadata":{"code":"rpm_signature.allowed","collections":["redhat","redhat_rpms"],"description":"The SLSA Provenance attestation for the image is inspected to ensure RPMs have been signed by pre-defined set of signing keys. The list of signing keys can be set via the `allowed_rpm_signature_keys` rule data. Use the special value \"unsigned\" to allow unsigned RPMs.","effective_on":"2024-10-05T00:00:00Z","title":"Allowed RPM signature key"}},{"msg":"Pass","metadata":{"code":"rpm_signature.result_format","collections":["redhat","redhat_rpms"],"description":"Confirm the format of the RPMS_DATA result is in the expected format.","effective_on":"2024-10-05T00:00:00Z","title":"Result format"}},{"msg":"Pass","metadata":{"code":"rpm_signature.rule_data_provided","collections":["redhat","redhat_rpms","policy_data"],"description":"Confirm the expected `allowed_rpm_signature_keys` rule data key has been provided in the expected format.","effective_on":"2024-10-05T00:00:00Z","title":"Rule data provided"}},{"msg":"Pass","metadata":{"code":"sbom.disallowed_packages_provided","collections":["redhat","policy_data","redhat_rpms"],"description":"Confirm the `disallowed_packages` and `disallowed_attributes` rule data were provided, since they are required by the policy rules in this package.","title":"Disallowed packages list is provided"}},{"msg":"Pass","metadata":{"code":"sbom.found","collections":["minimal","redhat"],"description":"Confirm an SBOM attestation 
exists.","title":"Found"}},{"msg":"Pass","metadata":{"code":"sbom_cyclonedx.allowed","collections":["redhat","redhat_rpms"],"description":"Confirm the CycloneDX SBOM contains only allowed packages. By default all packages are allowed. Use the \"disallowed_packages\" rule data key to provide a list of disallowed packages.","title":"Allowed"}},{"msg":"Pass","metadata":{"code":"sbom_cyclonedx.allowed_package_external_references","collections":["redhat","redhat_rpms","policy_data"],"description":"Confirm the CycloneDX SBOM contains only packages with explicitly allowed external references. By default all external references are allowed unless the \"allowed_external_references\" rule data key provides a list of type-pattern pairs that forbid the use of any other external reference of the given type where the reference url matches the given pattern.","title":"Allowed package external references"}},{"msg":"Pass","metadata":{"code":"sbom_cyclonedx.allowed_package_sources","collections":["redhat","redhat_rpms","policy_data"],"description":"For each of the components fetched by Cachi2 which define externalReferences of type distribution, verify they are allowed based on the allowed_package_sources rule data key. By default, allowed_package_sources is empty, which means no components with such references are allowed.","effective_on":"2024-12-15T00:00:00Z","title":"Allowed package sources"}},{"msg":"Pass","metadata":{"code":"sbom_cyclonedx.disallowed_package_attributes","collections":["redhat","redhat_rpms","policy_data"],"description":"Confirm the CycloneDX SBOM contains only packages without disallowed attributes. By default all attributes are allowed. 
Use the \"disallowed_attributes\" rule data key to provide a list of key-value pairs that forbid the use of an attribute set to the given value.","effective_on":"2024-07-31T00:00:00Z","title":"Disallowed package attributes"}},{"msg":"Pass","metadata":{"code":"sbom_cyclonedx.disallowed_package_external_references","collections":["redhat","redhat_rpms","policy_data"],"description":"Confirm the CycloneDX SBOM contains only packages without disallowed external references. By default all external references are allowed. Use the \"disallowed_external_references\" rule data key to provide a list of type-pattern pairs that forbid the use of an external reference of the given type where the reference url matches the given pattern.","effective_on":"2024-07-31T00:00:00Z","title":"Disallowed package external references"}},{"msg":"Pass","metadata":{"code":"sbom_cyclonedx.valid","collections":["minimal","redhat","redhat_rpms"],"description":"Check the CycloneDX SBOM has the expected format. It verifies the CycloneDX SBOM matches the 1.5 version of the schema.","title":"Valid"}},{"msg":"Pass","metadata":{"code":"sbom_spdx.allowed","collections":["redhat","redhat_rpms"],"description":"Confirm the SPDX SBOM contains only allowed packages. By default all packages are allowed. Use the \"disallowed_packages\" rule data key to provide a list of disallowed packages.","title":"Allowed"}},{"msg":"Pass","metadata":{"code":"sbom_spdx.allowed_package_external_references","collections":["redhat","redhat_rpms","policy_data"],"description":"Confirm the SPDX SBOM contains only packages with explicitly allowed external references. 
By default all external references are allowed unless the \"allowed_external_references\" rule data key provides a list of type-pattern pairs that forbid the use of any other external reference of the given type where the reference url matches the given pattern.","title":"Allowed package external references"}},{"msg":"Pass","metadata":{"code":"sbom_spdx.allowed_package_sources","collections":["redhat","redhat_rpms","policy_data"],"description":"For each of the packages fetched by Cachi2 which define externalReferences, verify they are allowed based on the allowed_package_sources rule data key. By default, allowed_package_sources is empty, which means no components with such references are allowed.","effective_on":"2025-02-17T00:00:00Z","title":"Allowed package sources"}},{"msg":"Pass","metadata":{"code":"sbom_spdx.disallowed_package_attributes","collections":["redhat","redhat_rpms","policy_data"],"description":"Confirm the SPDX SBOM contains only packages without disallowed attributes. By default all attributes are allowed. Use the \"disallowed_attributes\" rule data key to provide a list of key-value pairs that forbid the use of an attribute set to the given value.","effective_on":"2025-02-04T00:00:00Z","title":"Disallowed package attributes"}},{"msg":"Pass","metadata":{"code":"sbom_spdx.disallowed_package_external_references","collections":["redhat","redhat_rpms","policy_data"],"description":"Confirm the SPDX SBOM contains only packages without disallowed external references. By default all external references are allowed. 
Use the \"disallowed_external_references\" rule data key to provide a list of type-pattern pairs that forbid the use of an external reference of the given type where the reference url matches the given pattern.","effective_on":"2024-07-31T00:00:00Z","title":"Disallowed package external references"}},{"msg":"Pass","metadata":{"code":"sbom_spdx.valid","collections":["minimal","redhat","redhat_rpms"],"description":"Check the SPDX SBOM has the expected format. It verifies the SPDX SBOM matches the 2.3 version of the schema.","title":"Valid"}},{"msg":"Pass","metadata":{"code":"schedule.date_restriction","collections":["redhat","redhat_rpms"],"description":"Check if the current date is not allowed based on the rule data value from the key `disallowed_dates`. By default, the list is empty in which case *any* day is allowed. This check is enforced only for a \"release\" or \"production\" pipeline, as determined by the value of the `pipeline_intention` rule data.","title":"Date Restriction"}},{"msg":"Pass","metadata":{"code":"schedule.rule_data_provided","collections":["redhat","redhat_rpms","policy_data"],"description":"Confirm the expected rule data keys have been provided in the expected format. The keys are `disallowed_weekdays` and `disallowed_dates`.","title":"Rule data provided"}},{"msg":"Pass","metadata":{"code":"schedule.weekday_restriction","collections":["redhat","redhat_rpms"],"description":"Check if the current weekday is allowed based on the rule data value from the key `disallowed_weekdays`. By default, the list is empty in which case *any* weekday is allowed. 
This check is enforced only for a \"release\" or \"production\" pipeline, as determined by the value of the `pipeline_intention` rule data.","title":"Weekday Restriction"}},{"msg":"Pass","metadata":{"code":"slsa_build_build_service.allowed_builder_ids_provided","collections":["slsa3","redhat","redhat_rpms","policy_data"],"description":"Confirm the `allowed_builder_ids` rule data was provided, since it is required by the policy rules in this package.","title":"Allowed builder IDs provided"}},{"msg":"Pass","metadata":{"code":"slsa_build_build_service.slsa_builder_id_accepted","collections":["slsa3","redhat","redhat_rpms"],"depends_on":["attestation_type.known_attestation_type"],"description":"Verify that the attestation attribute predicate.builder.id is set to one of the values in the `allowed_builder_ids` rule data, e.g. \"https://tekton.dev/chains/v2\".","title":"SLSA Builder ID is known and accepted"}},{"msg":"Pass","metadata":{"code":"slsa_build_build_service.slsa_builder_id_found","collections":["slsa3","redhat"],"depends_on":["attestation_type.known_attestation_type"],"description":"Verify that the attestation attribute predicate.builder.id is set.","title":"SLSA Builder ID found"}},{"msg":"Pass","metadata":{"code":"slsa_build_scripted_build.build_script_used","collections":["slsa3","redhat","redhat_rpms"],"depends_on":["attestation_type.known_attestation_type"],"description":"Verify that the predicate.buildConfig.tasks.steps attribute for the task responsible for building and pushing the image is not empty.","title":"Build task contains steps"}},{"msg":"Pass","metadata":{"code":"slsa_build_scripted_build.build_task_image_results_found","collections":["slsa3","redhat","redhat_rpms"],"depends_on":["attestation_type.known_attestation_type"],"description":"Confirm that a build task exists and it has the expected IMAGE_DIGEST and IMAGE_URL task results.","title":"Build task set image digest and url task 
results"}},{"msg":"Pass","metadata":{"code":"slsa_build_scripted_build.subject_build_task_matches","collections":["slsa3","redhat","redhat_rpms"],"depends_on":["attestation_type.known_attestation_type"],"description":"Verify the subject of the attestations matches the IMAGE_DIGEST and IMAGE_URL values from the build task.","title":"Provenance subject matches build task image result"}},{"msg":"Pass","metadata":{"code":"slsa_provenance_available.allowed_predicate_types_provided","collections":["minimal","slsa3","redhat","redhat_rpms","policy_data"],"description":"Confirm the `allowed_predicate_types` rule data was provided, since it is required by the policy rules in this package.","title":"Allowed predicate types provided"}},{"msg":"Pass","metadata":{"code":"slsa_provenance_available.attestation_predicate_type_accepted","collections":["minimal","slsa3","redhat","redhat_rpms"],"depends_on":["attestation_type.known_attestation_type"],"description":"Verify that the predicateType field of the attestation indicates the in-toto SLSA Provenance format was used to attest the PipelineRun.","title":"Expected attestation predicate type found"}},{"msg":"Pass","metadata":{"code":"slsa_source_correlated.attested_source_code_reference","collections":["minimal","slsa3","redhat"],"depends_on":["attestation_type.known_attestation_type"],"description":"Attestation contains source reference.","title":"Source reference"}},{"msg":"Pass","metadata":{"code":"slsa_source_correlated.expected_source_code_reference","collections":["minimal","slsa3","redhat"],"depends_on":["attestation_type.known_attestation_type"],"description":"Verify that the provided source code reference is the one being attested.","title":"Expected source code reference"}},{"msg":"Pass","metadata":{"code":"slsa_source_correlated.rule_data_provided","collections":["minimal","slsa3","redhat","redhat_rpms","policy_data"],"description":"Confirm the expected rule data keys have been provided in the expected format. 
The keys are `supported_vcs` and `supported_digests`.","title":"Rule data provided"}},{"msg":"Pass","metadata":{"code":"slsa_source_correlated.source_code_reference_provided","collections":["minimal","slsa3","redhat","redhat_rpms"],"description":"Check if the expected source code reference is provided.","title":"Source code reference provided"}},{"msg":"Pass","metadata":{"code":"slsa_source_version_controlled.materials_format_okay","collections":["minimal","slsa3","redhat","redhat_rpms"],"depends_on":["attestation_type.known_attestation_type"],"description":"Confirm at least one entry in the predicate.materials array of the attestation contains the expected attributes: uri and digest.sha1.","title":"Materials have uri and digest"}},{"msg":"Pass","metadata":{"code":"slsa_source_version_controlled.materials_include_git_sha","collections":["minimal","slsa3","redhat","redhat_rpms"],"depends_on":["attestation_type.known_attestation_type"],"description":"Ensure that each entry in the predicate.materials array with a SHA-1 digest includes a valid Git commit SHA.","title":"Materials include git commit shas"}},{"msg":"Pass","metadata":{"code":"slsa_source_version_controlled.materials_uri_is_git_repo","collections":["minimal","slsa3","redhat","redhat_rpms"],"depends_on":["attestation_type.known_attestation_type"],"description":"Ensure each entry in the predicate.materials array with a SHA-1 digest includes a valid Git URI.","title":"Material uri is a git repo"}},{"msg":"Pass","metadata":{"code":"tasks.data_provided","collections":["redhat","redhat_rpms","policy_data"],"description":"Confirm the expected data keys have been provided in the expected format. 
The keys are `pipeline-required-tasks` and `required-tasks`.","title":"Data provided"}},{"msg":"Pass","metadata":{"code":"tasks.future_required_tasks_found","collections":["redhat","redhat_rpms"],"depends_on":["tasks.pipeline_has_tasks"],"description":"Produce a warning when a task that will be required in the future was not included in the PipelineRun attestation.","title":"Future required tasks were found"}},{"msg":"Pass","metadata":{"code":"tasks.pinned_task_refs","collections":["redhat"],"depends_on":["tasks.pipeline_has_tasks"],"description":"Ensure that all Tasks in the SLSA Provenance attestation use an immuntable reference to the Task definition.","title":"Pinned Task references"}},{"msg":"Pass","metadata":{"code":"tasks.pipeline_has_tasks","collections":["minimal","redhat","redhat_rpms","slsa3"],"depends_on":["attestation_type.known_attestation_type"],"description":"Ensure that at least one Task is present in the PipelineRun attestation.","title":"Pipeline run includes at least one task"}},{"msg":"Pass","metadata":{"code":"tasks.pipeline_required_tasks_list_provided","collections":["redhat","redhat_rpms"],"depends_on":["tasks.pipeline_has_tasks"],"description":"Produce a warning if the required tasks list rule data was not provided.","title":"Required tasks list for pipeline was provided"}},{"msg":"Pass","metadata":{"code":"tasks.required_tasks_list_provided","collections":["redhat","redhat_rpms"],"depends_on":["tasks.pipeline_has_tasks"],"description":"Confirm the `required-tasks` rule data was provided, since it's required by the policy rules in this package.","title":"Required tasks list was provided"}},{"msg":"Pass","metadata":{"code":"tasks.successful_pipeline_tasks","collections":["minimal","redhat","redhat_rpms","slsa3"],"depends_on":["tasks.pipeline_has_tasks"],"description":"Ensure that all of the Tasks in the Pipeline completed successfully. 
Note that skipped Tasks are not taken into account and do not influence the outcome.","title":"Successful pipeline tasks"}},{"msg":"Pass","metadata":{"code":"tasks.unsupported","collections":["redhat","redhat_rpms"],"depends_on":["tasks.pipeline_has_tasks"],"description":"The Tekton Task used is or will be unsupported. The Task is annotated with `build.appstudio.redhat.com/expires-on` annotation marking it as unsupported after a certain date.","title":"Task version unsupported"}},{"msg":"Pass","metadata":{"code":"test.no_erred_tests","collections":["redhat","redhat_rpms"],"depends_on":["test.test_data_found"],"description":"Produce a violation if any tests have their result set to \"ERROR\". The result type is configurable by the \"erred_tests_results\" key in the rule data.","title":"No tests erred"}},{"msg":"Pass","metadata":{"code":"test.no_failed_tests","collections":["redhat","redhat_rpms"],"depends_on":["test.test_data_found"],"description":"Produce a violation if any non-informative tests have their result set to \"FAILED\". The result type is configurable by the \"failed_tests_results\" key, and the list of informative tests is configurable by the \"informative_tests\" key in the rule data.","title":"No tests failed"}},{"msg":"Pass","metadata":{"code":"test.no_skipped_tests","collections":["redhat","redhat_rpms"],"depends_on":["test.test_data_found"],"description":"Produce a violation if any tests have their result set to \"SKIPPED\". A skipped result means a pre-requirement for executing the test was not met, e.g. a license key for executing a scanner was not provided. The result type is configurable by the \"skipped_tests_results\" key in the rule data.","effective_on":"2023-12-08T00:00:00Z","title":"No tests were skipped"}},{"msg":"Pass","metadata":{"code":"test.rule_data_provided","collections":["redhat","redhat_rpms","policy_data"],"description":"Confirm the expected rule data keys have been provided in the expected format. 
The keys are `supported_tests_results`, `failed_tests_results`, `informative_tests`, `erred_tests_results`, `skipped_tests_results`, and `warned_tests_results`.","title":"Rule data provided"}},{"msg":"Pass","metadata":{"code":"test.test_all_images","collections":["redhat","redhat_rpms"],"description":"Ensure that task producing the IMAGES_PROCESSED result contains the digests of the built image.","effective_on":"2024-05-29T00:00:00Z","title":"Image digest is present in IMAGES_PROCESSED result"}},{"msg":"Pass","metadata":{"code":"test.test_data_found","collections":["redhat"],"depends_on":["attestation_type.known_attestation_type"],"description":"Ensure that at least one of the tasks in the pipeline includes a TEST_OUTPUT task result, which is where Conforma expects to find test result data.","title":"Test data found in task results"}},{"msg":"Pass","metadata":{"code":"test.test_results_found","collections":["redhat","redhat_rpms"],"depends_on":["test.test_data_found"],"description":"Each test result is expected to have a `results` key. Verify that the `results` key is present in all of the TEST_OUTPUT task results.","title":"Test data includes results key"}},{"msg":"Pass","metadata":{"code":"test.test_results_known","collections":["redhat","redhat_rpms"],"depends_on":["test.test_data_found"],"description":"Ensure all test data result values are in the set of known/supported result values.","title":"No unsupported test result values found"}},{"msg":"Pass","metadata":{"code":"trusted_task.current","collections":["redhat","redhat_rpms"],"description":"Check if all Tekton Tasks use the latest known Task reference. When warnings will be reported can be configured using the `task_expiry_warning_days` rule data setting. 
It holds the number of days before the task is to expire within which the warnings will be reported.","effective_on":"2024-05-07T00:00:00Z","title":"Tasks using the latest versions"}},{"msg":"Pass","metadata":{"code":"trusted_task.data","collections":["redhat","redhat_rpms"],"description":"Confirm the `trusted_tasks` rule data was provided, since it's required by the policy rules in this package.","effective_on":"2024-05-07T00:00:00Z","title":"Task tracking data was provided"}},{"msg":"Pass","metadata":{"code":"trusted_task.data_format","collections":["redhat","redhat_rpms","policy_data"],"description":"Confirm the expected `trusted_tasks` data keys have been provided in the expected format.","title":"Data format"}},{"msg":"Pass","metadata":{"code":"trusted_task.pinned","collections":["redhat","redhat_rpms"],"description":"Check if all Tekton Tasks use a Task definition by a pinned reference. When using the git resolver, a commit ID is expected for the revision parameter. When using the bundles resolver, the bundle parameter is expected to include an image reference with a digest.","effective_on":"2024-05-07T00:00:00Z","title":"Task references are pinned"}},{"msg":"Pass","metadata":{"code":"trusted_task.trusted_parameters","collections":["redhat"],"description":"Confirm certain parameters provided to each builder Task have come from trusted Tasks.","effective_on":"2021-07-04T00:00:00Z","title":"Trusted parameters"}},{"msg":"Pass","metadata":{"code":"trusted_task.valid_trusted_artifact_inputs","collections":["redhat","redhat_rpms"],"depends_on":["attestation_type.known_attestation_type"],"description":"All input trusted artifacts must be produced on the pipeline. 
If they are not the artifact could have been injected by a rogue task.","title":"Trusted Artifact produced in pipeline"}}],"success":false,"signatures":[{"keyid":"","sig":"MEQCIAmqL8aVr6yR9sb/Hp9kzrdukVUDobFas+3PIiJMdVaZAiBuDsAG72SCWcdE5dCNJuYspzVONknahY9cqRl4AVJXvg=="},{"keyid":"","sig":"MEQCIG2TGbm74jjRASA+7jC0SeBG8JBMqY2tEdpT3HT3VyHxAiANy6TgirXErPW7kDKSzh6PZ2vtx5LvDD7vJR6WN1gQ4w=="}],"attestations":[{"type":"https://in-toto.io/Statement/v0.1","predicateType":"https://slsa.dev/provenance/v0.2","predicateBuildType":"tekton.dev/v1beta1/PipelineRun","signatures":[{"keyid":"SHA256:IhiN7gY+Z3uSSd7tmj6w5Zfhqafzdhm3DZjIvGc6iYY","sig":"MEQCIDqq+UIDlw8aSFmPf6tJdIMb6NlbsWwfBDnHZCF7oXceAiBqSD4OA97AeKXUOANFMuBRFWuWSc/BaMbQ3nAQo3wTPA=="}]}]},{"name":"cluster-permission-acm-213","containerImage":"quay.io/redhat-user-workloads/crt-redhat-acm-tenant/cluster-permission-acm-213@sha256:9db502289231e638c9343a758e1a4dae963b0457df9014d0d6d487531dfc2d27","source":{"git":{"url":"https://github.com/stolostron/cluster-permission","revision":"5f2384d385548a83c13420c157ba3281613cc2a9"}},"violations":[{"msg":"Build task was not invoked with the hermetic parameter set","metadata":{"code":"hermetic_build_task.build_task_hermetic","collections":["redhat"],"depends_on":["attestation_type.known_attestation_type"],"description":"Verify the build task in the PipelineRun attestation was invoked with the proper parameters to make the build process hermetic. 
To exclude this rule add \"hermetic_build_task.build_task_hermetic\" to the `exclude` section of the policy configuration.","solution":"Make sure the task that builds the image has a parameter named 'HERMETIC' and it's set to 'true'.","title":"Build task called with hermetic param set"}},{"msg":"The \"com.redhat.component\" label should not be inherited from the parent image","metadata":{"code":"labels.disallowed_inherited_labels","collections":["redhat"],"description":"Check that certain labels on the image have different values than the labels from the parent image. If the label is inherited from the parent image but not redefined for the image, it will contain an incorrect value for the image. Use the rule data `disallowed_inherited_labels` key to set the list of labels to check, or the `fbc_disallowed_inherited_labels` key for fbc images. To exclude this rule add \"labels.disallowed_inherited_labels:com.redhat.component\" to the `exclude` section of the policy configuration.","solution":"Update the image build process to overwrite the inherited labels.","term":"com.redhat.component","title":"Disallowed inherited labels"}},{"msg":"The \"description\" label should not be inherited from the parent image","metadata":{"code":"labels.disallowed_inherited_labels","collections":["redhat"],"description":"Check that certain labels on the image have different values than the labels from the parent image. If the label is inherited from the parent image but not redefined for the image, it will contain an incorrect value for the image. Use the rule data `disallowed_inherited_labels` key to set the list of labels to check, or the `fbc_disallowed_inherited_labels` key for fbc images. 
To exclude this rule add \"labels.disallowed_inherited_labels:description\" to the `exclude` section of the policy configuration.","solution":"Update the image build process to overwrite the inherited labels.","term":"description","title":"Disallowed inherited labels"}},{"msg":"The \"io.k8s.description\" label should not be inherited from the parent image","metadata":{"code":"labels.disallowed_inherited_labels","collections":["redhat"],"description":"Check that certain labels on the image have different values than the labels from the parent image. If the label is inherited from the parent image but not redefined for the image, it will contain an incorrect value for the image. Use the rule data `disallowed_inherited_labels` key to set the list of labels to check, or the `fbc_disallowed_inherited_labels` key for fbc images. To exclude this rule add \"labels.disallowed_inherited_labels:io.k8s.description\" to the `exclude` section of the policy configuration.","solution":"Update the image build process to overwrite the inherited labels.","term":"io.k8s.description","title":"Disallowed inherited labels"}},{"msg":"The \"io.k8s.display-name\" label should not be inherited from the parent image","metadata":{"code":"labels.disallowed_inherited_labels","collections":["redhat"],"description":"Check that certain labels on the image have different values than the labels from the parent image. If the label is inherited from the parent image but not redefined for the image, it will contain an incorrect value for the image. Use the rule data `disallowed_inherited_labels` key to set the list of labels to check, or the `fbc_disallowed_inherited_labels` key for fbc images. 
To exclude this rule add \"labels.disallowed_inherited_labels:io.k8s.display-name\" to the `exclude` section of the policy configuration.","solution":"Update the image build process to overwrite the inherited labels.","term":"io.k8s.display-name","title":"Disallowed inherited labels"}},{"msg":"The \"io.openshift.tags\" label should not be inherited from the parent image","metadata":{"code":"labels.disallowed_inherited_labels","collections":["redhat"],"description":"Check that certain labels on the image have different values than the labels from the parent image. If the label is inherited from the parent image but not redefined for the image, it will contain an incorrect value for the image. Use the rule data `disallowed_inherited_labels` key to set the list of labels to check, or the `fbc_disallowed_inherited_labels` key for fbc images. To exclude this rule add \"labels.disallowed_inherited_labels:io.openshift.tags\" to the `exclude` section of the policy configuration.","solution":"Update the image build process to overwrite the inherited labels.","term":"io.openshift.tags","title":"Disallowed inherited labels"}},{"msg":"The \"name\" label should not be inherited from the parent image","metadata":{"code":"labels.disallowed_inherited_labels","collections":["redhat"],"description":"Check that certain labels on the image have different values than the labels from the parent image. If the label is inherited from the parent image but not redefined for the image, it will contain an incorrect value for the image. Use the rule data `disallowed_inherited_labels` key to set the list of labels to check, or the `fbc_disallowed_inherited_labels` key for fbc images. 
To exclude this rule add \"labels.disallowed_inherited_labels:name\" to the `exclude` section of the policy configuration.","solution":"Update the image build process to overwrite the inherited labels.","term":"name","title":"Disallowed inherited labels"}},{"msg":"The \"summary\" label should not be inherited from the parent image","metadata":{"code":"labels.disallowed_inherited_labels","collections":["redhat"],"description":"Check that certain labels on the image have different values than the labels from the parent image. If the label is inherited from the parent image but not redefined for the image, it will contain an incorrect value for the image. Use the rule data `disallowed_inherited_labels` key to set the list of labels to check, or the `fbc_disallowed_inherited_labels` key for fbc images. To exclude this rule add \"labels.disallowed_inherited_labels:summary\" to the `exclude` section of the policy configuration.","solution":"Update the image build process to overwrite the inherited labels.","term":"summary","title":"Disallowed inherited labels"}},{"msg":"Image \"quay.io/redhat-user-workloads/crt-redhat-acm-tenant/cluster-permission-acm-213@sha256:9db502289231e638c9343a758e1a4dae963b0457df9014d0d6d487531dfc2d27\" not built by a trusted task: Build Task(s) \"build-image-index\" are not trusted","metadata":{"code":"slsa_build_scripted_build.image_built_by_trusted_task","collections":["redhat"],"depends_on":["attestation_type.known_attestation_type"],"description":"Verify the digest of the image being validated is reported by a trusted Task in its IMAGE_DIGEST result. 
To exclude this rule add \"slsa_build_scripted_build.image_built_by_trusted_task\" to the `exclude` section of the policy configuration.","solution":"Make sure the build Pipeline definition uses a trusted Task to build images.","title":"Image built by trusted Task"}},{"msg":"No source image references found","metadata":{"code":"source_image.exists","collections":["redhat"],"description":"Verify the source container image exists. To exclude this rule add \"source_image.exists\" to the `exclude` section of the policy configuration.","title":"Exists"}},{"msg":"One of \"buildah\", \"buildah-10gb\", \"buildah-6gb\", \"buildah-8gb\", \"buildah-remote\", \"buildah-oci-ta\", \"buildah-remote-oci-ta\" tasks is missing","metadata":{"code":"tasks.required_tasks_found","collections":["redhat"],"depends_on":["tasks.pipeline_has_tasks"],"description":"Ensure that the set of required tasks are included in the PipelineRun attestation. To exclude this rule add one or more of \"tasks.required_tasks_found:buildah\", \"tasks.required_tasks_found:buildah-10gb\", \"tasks.required_tasks_found:buildah-6gb\", \"tasks.required_tasks_found:buildah-8gb\", \"tasks.required_tasks_found:buildah-remote\", \"tasks.required_tasks_found:buildah-oci-ta\", \"tasks.required_tasks_found:buildah-remote-oci-ta\" to the `exclude` section of the policy configuration.","solution":"Make sure all required tasks are in the build pipeline. The required task list is contained as https://conforma.dev/docs/ec-cli/configuration.html#_data_sources under the key 'required-tasks'.","term":["buildah","buildah-10gb","buildah-6gb","buildah-8gb","buildah-remote","buildah-oci-ta","buildah-remote-oci-ta"],"title":"All required tasks were included in the pipeline"}},{"msg":"Required task \"clair-scan\" is missing","metadata":{"code":"tasks.required_tasks_found","collections":["redhat"],"depends_on":["tasks.pipeline_has_tasks"],"description":"Ensure that the set of required tasks are included in the PipelineRun attestation. 
To exclude this rule add \"tasks.required_tasks_found:clair-scan\" to the `exclude` section of the policy configuration.","solution":"Make sure all required tasks are in the build pipeline. The required task list is contained as https://conforma.dev/docs/ec-cli/configuration.html#_data_sources under the key 'required-tasks'.","term":"clair-scan","title":"All required tasks were included in the pipeline"}},{"msg":"Required task \"clamav-scan\" is missing","metadata":{"code":"tasks.required_tasks_found","collections":["redhat"],"depends_on":["tasks.pipeline_has_tasks"],"description":"Ensure that the set of required tasks are included in the PipelineRun attestation. To exclude this rule add \"tasks.required_tasks_found:clamav-scan\" to the `exclude` section of the policy configuration.","solution":"Make sure all required tasks are in the build pipeline. The required task list is contained as https://conforma.dev/docs/ec-cli/configuration.html#_data_sources under the key 'required-tasks'.","term":"clamav-scan","title":"All required tasks were included in the pipeline"}},{"msg":"Required task \"deprecated-image-check\" is missing","metadata":{"code":"tasks.required_tasks_found","collections":["redhat"],"depends_on":["tasks.pipeline_has_tasks"],"description":"Ensure that the set of required tasks are included in the PipelineRun attestation. To exclude this rule add \"tasks.required_tasks_found:deprecated-image-check\" to the `exclude` section of the policy configuration.","solution":"Make sure all required tasks are in the build pipeline. 
The required task list is contained as https://conforma.dev/docs/ec-cli/configuration.html#_data_sources under the key 'required-tasks'.","term":"deprecated-image-check","title":"All required tasks were included in the pipeline"}},{"msg":"One of \"git-clone\", \"git-clone-oci-ta\" tasks is missing","metadata":{"code":"tasks.required_tasks_found","collections":["redhat"],"depends_on":["tasks.pipeline_has_tasks"],"description":"Ensure that the set of required tasks are included in the PipelineRun attestation. To exclude this rule add one or more of \"tasks.required_tasks_found:git-clone\", \"tasks.required_tasks_found:git-clone-oci-ta\" to the `exclude` section of the policy configuration.","solution":"Make sure all required tasks are in the build pipeline. The required task list is contained as https://conforma.dev/docs/ec-cli/configuration.html#_data_sources under the key 'required-tasks'.","term":["git-clone","git-clone-oci-ta"],"title":"All required tasks were included in the pipeline"}},{"msg":"Required task \"init\" is missing","metadata":{"code":"tasks.required_tasks_found","collections":["redhat"],"depends_on":["tasks.pipeline_has_tasks"],"description":"Ensure that the set of required tasks are included in the PipelineRun attestation. To exclude this rule add \"tasks.required_tasks_found:init\" to the `exclude` section of the policy configuration.","solution":"Make sure all required tasks are in the build pipeline. The required task list is contained as https://conforma.dev/docs/ec-cli/configuration.html#_data_sources under the key 'required-tasks'.","term":"init","title":"All required tasks were included in the pipeline"}},{"msg":"One of \"prefetch-dependencies\", \"prefetch-dependencies-oci-ta\" tasks is missing","metadata":{"code":"tasks.required_tasks_found","collections":["redhat"],"depends_on":["tasks.pipeline_has_tasks"],"description":"Ensure that the set of required tasks are included in the PipelineRun attestation. 
To exclude this rule add one or more of \"tasks.required_tasks_found:prefetch-dependencies\", \"tasks.required_tasks_found:prefetch-dependencies-oci-ta\" to the `exclude` section of the policy configuration.","solution":"Make sure all required tasks are in the build pipeline. The required task list is contained as https://conforma.dev/docs/ec-cli/configuration.html#_data_sources under the key 'required-tasks'.","term":["prefetch-dependencies","prefetch-dependencies-oci-ta"],"title":"All required tasks were included in the pipeline"}},{"msg":"Required task \"rpms-signature-scan\" is missing","metadata":{"code":"tasks.required_tasks_found","collections":["redhat"],"depends_on":["tasks.pipeline_has_tasks"],"description":"Ensure that the set of required tasks are included in the PipelineRun attestation. To exclude this rule add \"tasks.required_tasks_found:rpms-signature-scan\" to the `exclude` section of the policy configuration.","solution":"Make sure all required tasks are in the build pipeline. The required task list is contained as https://conforma.dev/docs/ec-cli/configuration.html#_data_sources under the key 'required-tasks'.","term":"rpms-signature-scan","title":"All required tasks were included in the pipeline"}},{"msg":"One of \"sast-shell-check\", \"sast-shell-check-oci-ta\" tasks is missing","metadata":{"code":"tasks.required_tasks_found","collections":["redhat"],"depends_on":["tasks.pipeline_has_tasks"],"description":"Ensure that the set of required tasks are included in the PipelineRun attestation. To exclude this rule add one or more of \"tasks.required_tasks_found:sast-shell-check\", \"tasks.required_tasks_found:sast-shell-check-oci-ta\" to the `exclude` section of the policy configuration.","solution":"Make sure all required tasks are in the build pipeline. 
The required task list is contained as https://conforma.dev/docs/ec-cli/configuration.html#_data_sources under the key 'required-tasks'.","term":["sast-shell-check","sast-shell-check-oci-ta"],"title":"All required tasks were included in the pipeline"}},{"msg":"One of \"sast-snyk-check\", \"sast-snyk-check-oci-ta\" tasks is missing","metadata":{"code":"tasks.required_tasks_found","collections":["redhat"],"depends_on":["tasks.pipeline_has_tasks"],"description":"Ensure that the set of required tasks are included in the PipelineRun attestation. To exclude this rule add one or more of \"tasks.required_tasks_found:sast-snyk-check\", \"tasks.required_tasks_found:sast-snyk-check-oci-ta\" to the `exclude` section of the policy configuration.","solution":"Make sure all required tasks are in the build pipeline. The required task list is contained as https://conforma.dev/docs/ec-cli/configuration.html#_data_sources under the key 'required-tasks'.","term":["sast-snyk-check","sast-snyk-check-oci-ta"],"title":"All required tasks were included in the pipeline"}},{"msg":"One of \"sast-unicode-check\", \"sast-unicode-check-oci-ta\" tasks is missing","metadata":{"code":"tasks.required_tasks_found","collections":["redhat"],"depends_on":["tasks.pipeline_has_tasks"],"description":"Ensure that the set of required tasks are included in the PipelineRun attestation. To exclude this rule add one or more of \"tasks.required_tasks_found:sast-unicode-check\", \"tasks.required_tasks_found:sast-unicode-check-oci-ta\" to the `exclude` section of the policy configuration.","solution":"Make sure all required tasks are in the build pipeline. 
The required task list is contained as https://conforma.dev/docs/ec-cli/configuration.html#_data_sources under the key 'required-tasks'.","term":["sast-unicode-check","sast-unicode-check-oci-ta"],"title":"All required tasks were included in the pipeline"}},{"msg":"One of \"source-build\", \"source-build-oci-ta\" tasks is missing","metadata":{"code":"tasks.required_tasks_found","collections":["redhat"],"depends_on":["tasks.pipeline_has_tasks"],"description":"Ensure that the set of required tasks are included in the PipelineRun attestation. To exclude this rule add one or more of \"tasks.required_tasks_found:source-build\", \"tasks.required_tasks_found:source-build-oci-ta\" to the `exclude` section of the policy configuration.","solution":"Make sure all required tasks are in the build pipeline. The required task list is contained as https://conforma.dev/docs/ec-cli/configuration.html#_data_sources under the key 'required-tasks'.","term":["source-build","source-build-oci-ta"],"title":"All required tasks were included in the pipeline"}},{"msg":"Code tampering detected, untrusted PipelineTask \"build-image-index\" (Task \"build-image-index\") was included in build chain comprised of: build-image-index","metadata":{"code":"trusted_task.trusted","collections":["redhat"],"description":"Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. 
To exclude this rule add \"trusted_task.trusted:build-image-index\" to the `exclude` section of the policy configuration.","solution":"If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available.","term":"build-image-index","title":"Tasks are trusted"}},{"msg":"Code tampering detected, untrusted PipelineTask \"build-images\" (Task \"buildah-remote-oci-ta\") was included in build chain comprised of: build-images, clone-repository, prefetch-dependencies","metadata":{"code":"trusted_task.trusted","collections":["redhat"],"description":"Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add \"trusted_task.trusted:buildah-remote-oci-ta\" to the `exclude` section of the policy configuration.","solution":"If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. 
Note that trust is eventually revoked from Tasks when newer versions are made available.","term":"buildah-remote-oci-ta","title":"Tasks are trusted"}},{"msg":"Code tampering detected, untrusted PipelineTask \"clair-scan\" (Task \"clair-scan\") was included in build chain comprised of: clair-scan","metadata":{"code":"trusted_task.trusted","collections":["redhat"],"description":"Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add \"trusted_task.trusted:clair-scan\" to the `exclude` section of the policy configuration.","solution":"If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available.","term":"clair-scan","title":"Tasks are trusted"}},{"msg":"Code tampering detected, untrusted PipelineTask \"clamav-scan\" (Task \"clamav-scan\") was included in build chain comprised of: clamav-scan","metadata":{"code":"trusted_task.trusted","collections":["redhat"],"description":"Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. 
In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add \"trusted_task.trusted:clamav-scan\" to the `exclude` section of the policy configuration.","solution":"If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available.","term":"clamav-scan","title":"Tasks are trusted"}},{"msg":"Code tampering detected, untrusted PipelineTask \"deprecated-base-image-check\" (Task \"deprecated-image-check\") was included in build chain comprised of: deprecated-base-image-check","metadata":{"code":"trusted_task.trusted","collections":["redhat"],"description":"Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add \"trusted_task.trusted:deprecated-image-check\" to the `exclude` section of the policy configuration.","solution":"If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. 
Note that trust is eventually revoked from Tasks when newer versions are made available.","term":"deprecated-image-check","title":"Tasks are trusted"}},{"msg":"Code tampering detected, untrusted PipelineTask \"ecosystem-cert-preflight-checks\" (Task \"ecosystem-cert-preflight-checks\") was included in build chain comprised of: ecosystem-cert-preflight-checks","metadata":{"code":"trusted_task.trusted","collections":["redhat"],"description":"Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add \"trusted_task.trusted:ecosystem-cert-preflight-checks\" to the `exclude` section of the policy configuration.","solution":"If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available.","term":"ecosystem-cert-preflight-checks","title":"Tasks are trusted"}},{"msg":"Code tampering detected, untrusted PipelineTask \"clone-repository\" (Task \"git-clone-oci-ta\") was included in build chain comprised of: build-images, clone-repository, prefetch-dependencies","metadata":{"code":"trusted_task.trusted","collections":["redhat"],"description":"Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. 
If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add \"trusted_task.trusted:git-clone-oci-ta\" to the `exclude` section of the policy configuration.","solution":"If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available.","term":"git-clone-oci-ta","title":"Tasks are trusted"}},{"msg":"Code tampering detected, untrusted PipelineTask \"clone-repository\" (Task \"git-clone-oci-ta\") was included in build chain comprised of: clone-repository, prefetch-dependencies, sast-snyk-check","metadata":{"code":"trusted_task.trusted","collections":["redhat"],"description":"Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add \"trusted_task.trusted:git-clone-oci-ta\" to the `exclude` section of the policy configuration.","solution":"If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. 
Note that trust is eventually revoked from Tasks when newer versions are made available.","term":"git-clone-oci-ta","title":"Tasks are trusted"}},{"msg":"Code tampering detected, untrusted PipelineTask \"prefetch-dependencies\" (Task \"prefetch-dependencies-oci-ta\") was included in build chain comprised of: build-images, clone-repository, prefetch-dependencies","metadata":{"code":"trusted_task.trusted","collections":["redhat"],"description":"Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add \"trusted_task.trusted:prefetch-dependencies-oci-ta\" to the `exclude` section of the policy configuration.","solution":"If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available.","term":"prefetch-dependencies-oci-ta","title":"Tasks are trusted"}},{"msg":"Code tampering detected, untrusted PipelineTask \"prefetch-dependencies\" (Task \"prefetch-dependencies-oci-ta\") was included in build chain comprised of: clone-repository, prefetch-dependencies, sast-snyk-check","metadata":{"code":"trusted_task.trusted","collections":["redhat"],"description":"Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. 
If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add \"trusted_task.trusted:prefetch-dependencies-oci-ta\" to the `exclude` section of the policy configuration.","solution":"If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. Note that trust is eventually revoked from Tasks when newer versions are made available.","term":"prefetch-dependencies-oci-ta","title":"Tasks are trusted"}},{"msg":"Code tampering detected, untrusted PipelineTask \"rpms-signature-scan\" (Task \"rpms-signature-scan\") was included in build chain comprised of: rpms-signature-scan","metadata":{"code":"trusted_task.trusted","collections":["redhat"],"description":"Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add \"trusted_task.trusted:rpms-signature-scan\" to the `exclude` section of the policy configuration.","solution":"If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. 
Note that trust is eventually revoked from Tasks when newer versions are made available.","term":"rpms-signature-scan","title":"Tasks are trusted"}},{"msg":"Code tampering detected, untrusted PipelineTask \"sast-snyk-check\" (Task \"sast-snyk-check-oci-ta\") was included in build chain comprised of: clone-repository, prefetch-dependencies, sast-snyk-check","metadata":{"code":"trusted_task.trusted","collections":["redhat"],"description":"Check the trust of the Tekton Tasks used in the build Pipeline. There are two modes in which trust is verified. The first mode is used if Trusted Artifacts are enabled. In this case, a chain of trust is established for all the Tasks involved in creating an artifact. If the chain contains an untrusted Task, then a violation is emitted. The second mode is used as a fallback when Trusted Artifacts are not enabled. In this case, **all** Tasks in the build Pipeline must be trusted. To exclude this rule add \"trusted_task.trusted:sast-snyk-check-oci-ta\" to the `exclude` section of the policy configuration.","solution":"If using Trusted Artifacts, be sure every Task in the build Pipeline responsible for producing a Trusted Artifact is trusted. Otherwise, ensure **all** Tasks in the build Pipeline are trusted. 
Note that trust is eventually revoked from Tasks when newer versions are made available.","term":"sast-snyk-check-oci-ta","title":"Tasks are trusted"}}],"warnings":[{"msg":"Required task \"clair-scan\" is required and present but not from a trusted task","metadata":{"code":"tasks.required_untrusted_task_found","collections":["redhat","redhat_rpms"],"depends_on":["tasks.pipeline_has_tasks"],"description":"Ensure that the all required tasks are resolved from trusted tasks.","solution":"Make sure all required tasks in the build pipeline are resolved from trusted tasks.","term":"clair-scan","title":"All required tasks are from trusted tasks"}},{"msg":"Required task \"clamav-scan\" is required and present but not from a trusted task","metadata":{"code":"tasks.required_untrusted_task_found","collections":["redhat","redhat_rpms"],"depends_on":["tasks.pipeline_has_tasks"],"description":"Ensure that the all required tasks are resolved from trusted tasks.","solution":"Make sure all required tasks in the build pipeline are resolved from trusted tasks.","term":"clamav-scan","title":"All required tasks are from trusted tasks"}},{"msg":"Required task \"deprecated-image-check\" is required and present but not from a trusted task","metadata":{"code":"tasks.required_untrusted_task_found","collections":["redhat","redhat_rpms"],"depends_on":["tasks.pipeline_has_tasks"],"description":"Ensure that the all required tasks are resolved from trusted tasks.","solution":"Make sure all required tasks in the build pipeline are resolved from trusted tasks.","term":"deprecated-image-check","title":"All required tasks are from trusted tasks"}},{"msg":"Required task \"init\" is required and present but not from a trusted task","metadata":{"code":"tasks.required_untrusted_task_found","collections":["redhat","redhat_rpms"],"depends_on":["tasks.pipeline_has_tasks"],"description":"Ensure that the all required tasks are resolved from trusted tasks.","solution":"Make sure all required tasks in the build 
pipeline are resolved from trusted tasks.","term":"init","title":"All required tasks are from trusted tasks"}},{"msg":"Required task \"rpms-signature-scan\" is required and present but not from a trusted task","metadata":{"code":"tasks.required_untrusted_task_found","collections":["redhat","redhat_rpms"],"depends_on":["tasks.pipeline_has_tasks"],"description":"Ensure that the all required tasks are resolved from trusted tasks.","solution":"Make sure all required tasks in the build pipeline are resolved from trusted tasks.","term":"rpms-signature-scan","title":"All required tasks are from trusted tasks"}},{"msg":"The Task \"ecosystem-cert-preflight-checks\" from the build Pipeline reports a failed informative test","metadata":{"code":"test.no_failed_informative_tests","collections":["redhat"],"depends_on":["test.test_data_found"],"description":"Produce a warning if any informative tests have their result set to \"FAILED\". The result type is configurable by the \"failed_tests_results\" key, and the list of informative tests is configurable by the \"informative_tests\" key in the rule data.","solution":"There is a test that failed. Make sure that any task in the build pipeline with a result named 'TEST_OUTPUT' does not fail. More information about the test should be available in the logs for the build Pipeline.","term":"ecosystem-cert-preflight-checks","title":"No informative tests failed"}},{"msg":"The Task \"deprecated-image-check\" from the build Pipeline reports a test contains warnings","metadata":{"code":"test.no_test_warnings","collections":["redhat"],"depends_on":["test.test_data_found"],"description":"Produce a warning if any tests have their result set to \"WARNING\". The result type is configurable by the \"warned_tests_results\" key in the rule data.","solution":"There is a task with result 'TEST_OUTPUT' that returned a result of 'WARNING'. You can find which test resulted in 'WARNING' by examining the 'result' key in the 'TEST_OUTPUT'. 
More information about the test should be available in the logs for the build Pipeline.","term":"deprecated-image-check","title":"No tests produced warnings"}}],"successes":[{"msg":"Pass","metadata":{"code":"attestation_type.deprecated_policy_attestation_format","collections":["minimal","redhat","redhat_rpms"],"description":"The Conforma CLI now places the attestation data in a different location. This check fails if the expected new format is not found.","effective_on":"2023-08-31T00:00:00Z","title":"Deprecated policy attestation format"}},{"msg":"Pass","metadata":{"code":"attestation_type.known_attestation_type","collections":["minimal","redhat","redhat_rpms"],"depends_on":["attestation_type.pipelinerun_attestation_found"],"description":"Confirm the attestation found for the image has a known attestation type.","title":"Known attestation type found"}},{"msg":"Pass","metadata":{"code":"attestation_type.known_attestation_types_provided","collections":["minimal","redhat","redhat_rpms","policy_data"],"description":"Confirm the `known_attestation_types` rule data was provided.","title":"Known attestation types provided"}},{"msg":"Pass","metadata":{"code":"attestation_type.pipelinerun_attestation_found","collections":["minimal","redhat","redhat_rpms"],"description":"Confirm at least one PipelineRun attestation is present.","title":"PipelineRun attestation found"}},{"msg":"Pass","metadata":{"code":"base_image_registries.allowed_registries_provided","collections":["minimal","redhat","policy_data"],"description":"Confirm the `allowed_registry_prefixes` rule data was provided, since it's required by the policy rules in this package.","title":"Allowed base image registry prefixes list was provided"}},{"msg":"Pass","metadata":{"code":"base_image_registries.base_image_info_found","collections":["minimal","redhat"],"depends_on":["attestation_type.known_attestation_type"],"description":"Verify the expected information was provided about which base images were used during the 
build process. The list of base images comes from any associated CycloneDX or SPDX SBOMs.","title":"Base images provided"}},{"msg":"Pass","metadata":{"code":"base_image_registries.base_image_permitted","collections":["minimal","redhat"],"depends_on":["base_image_registries.base_image_info_found","base_image_registries.allowed_registries_provided"],"description":"Verify that the base images used when building a container image come from a known set of trusted registries to reduce potential supply chain attacks. By default this policy defines trusted registries as registries that are fully maintained by Red Hat and only contain content produced by Red Hat. The list of permitted registries can be customized by setting the `allowed_registry_prefixes` list in the rule data. Base images that are found in the snapshot being validated are also allowed since EC will also validate those images individually.","title":"Base image comes from permitted registry"}},{"msg":"Pass","metadata":{"code":"base_image_registries.base_image_permitted","collections":["minimal","redhat"],"depends_on":["base_image_registries.base_image_info_found","base_image_registries.allowed_registries_provided"],"description":"Verify that the base images used when building a container image come from a known set of trusted registries to reduce potential supply chain attacks. By default this policy defines trusted registries as registries that are fully maintained by Red Hat and only contain content produced by Red Hat. The list of permitted registries can be customized by setting the `allowed_registry_prefixes` list in the rule data. 
Base images that are found in the snapshot being validated are also allowed since EC will also validate those images individually.","title":"Base image comes from permitted registry"}},{"msg":"Pass","metadata":{"code":"buildah_build_task.add_capabilities_param","collections":["redhat"],"depends_on":["attestation_type.known_attestation_type"],"description":"Verify the ADD_CAPABILITIES parameter of a builder Tasks was not used.","effective_on":"2024-08-31T00:00:00Z","title":"ADD_CAPABILITIES parameter"}},{"msg":"Pass","metadata":{"code":"buildah_build_task.buildah_uses_local_dockerfile","collections":["redhat"],"depends_on":["attestation_type.known_attestation_type"],"description":"Verify the Dockerfile used in the buildah task was not fetched from an external source.","title":"Buildah task uses a local Dockerfile"}},{"msg":"Pass","metadata":{"code":"buildah_build_task.disallowed_platform_patterns_pattern","collections":["redhat","policy_data"],"description":"Confirm the `disallowed_platform_patterns` rule data, if provided matches the expected format.","title":"disallowed_platform_patterns format"}},{"msg":"Pass","metadata":{"code":"buildah_build_task.platform_param","collections":["redhat"],"depends_on":["attestation_type.known_attestation_type"],"description":"Verify the value of the PLATFORM parameter of a builder Task is allowed by matching against a list of disallowed patterns. The list of patterns can be customized via the `disallowed_platform_patterns` rule data key. 
If empty, all values are allowed.","effective_on":"2024-09-01T00:00:00Z","title":"PLATFORM parameter"}},{"msg":"Pass","metadata":{"code":"buildah_build_task.privileged_nested_param","collections":["redhat"],"depends_on":["attestation_type.known_attestation_type"],"description":"Verify the PRIVILEGED_NESTED parameter of a builder Tasks was not set to `true`.","title":"PRIVILEGED_NESTED parameter"}},{"msg":"Pass","metadata":{"code":"builtin.attestation.signature_check","description":"The attestation signature matches available signing materials.","title":"Attestation signature check passed"}},{"msg":"Pass","metadata":{"code":"builtin.attestation.syntax_check","description":"The attestation has correct syntax.","title":"Attestation syntax check passed"}},{"msg":"Pass","metadata":{"code":"builtin.image.signature_check","description":"The image signature matches available signing materials.","title":"Image signature check passed"}},{"msg":"Pass","metadata":{"code":"cve.cve_results_found","collections":["minimal","redhat"],"depends_on":["attestation_type.known_attestation_type"],"description":"Confirm that clair-scan task results are present in the SLSA Provenance attestation of the build pipeline.","title":"CVE scan results found"}},{"msg":"Pass","metadata":{"code":"cve.cve_warnings","collections":["minimal","redhat","redhat_rpms"],"depends_on":["cve.cve_results_found"],"description":"The SLSA Provenance attestation for the image is inspected to ensure CVEs that have a known fix and meet a certain security level have not been detected. If detected, this policy rule will raise a warning. By default, the list of CVE security levels used by this policy is empty. However, this is configurable by the rule data key `warn_cve_security_levels`. 
The available levels are critical, high, medium, low, and unknown.","title":"Non-blocking CVE check"}},{"msg":"Pass","metadata":{"code":"cve.rule_data_provided","collections":["minimal","redhat","redhat_rpms","policy_data"],"description":"Confirm the expected rule data keys have been provided in the expected format. The keys are `restrict_cve_security_levels`,\t`warn_cve_security_levels`, `restrict_unpatched_cve_security_levels`, and `warn_unpatched_cve_security_levels`.","title":"Rule data provided"}},{"msg":"Pass","metadata":{"code":"cve.unpatched_cve_blockers","collections":["minimal","redhat","redhat_rpms"],"depends_on":["cve.cve_results_found"],"description":"The SLSA Provenance attestation for the image is inspected to ensure CVEs that do NOT have a known fix and meet a certain security level have not been detected. If detected, this policy rule will fail. By default, the list of security levels used by this policy is empty. This is configurable by the rule data key `restrict_unpatched_cve_security_levels`. The available levels are critical, high, medium, low, and unknown. In addition to that leeway can be granted per severity using the `cve_leeway` rule data key containing days of allowed leeway, measured as time between found vulnerability's public disclosure date and current effective time, per severity level.","title":"Blocking unpatched CVE check"}},{"msg":"Pass","metadata":{"code":"cve.unpatched_cve_warnings","collections":["minimal","redhat"],"depends_on":["cve.cve_results_found"],"description":"The SLSA Provenance attestation for the image is inspected to ensure CVEs that do NOT have a known fix and meet a certain security level have not been detected. If detected, this policy rule will raise a warning. By default, only CVEs of critical and high security level cause a warning. This is configurable by the rule data key `warn_unpatched_cve_security_levels`. 
The available levels are critical, high, medium, low, and unknown.","title":"Non-blocking unpatched CVE check"}},{"msg":"Pass","metadata":{"code":"labels.deprecated_labels","collections":["redhat"],"description":"Check the image for the presence of labels that have been deprecated. Use the rule data key `deprecated_labels` to set the list of labels to check.","title":"Deprecated labels"}},{"msg":"Pass","metadata":{"code":"labels.inaccessible_config","collections":["redhat"],"description":"The image config is not accessible.","title":"Inaccessible image config"}},{"msg":"Pass","metadata":{"code":"labels.inaccessible_manifest","collections":["redhat"],"description":"The image manifest is not accessible.","title":"Inaccessible image manifest"}},{"msg":"Pass","metadata":{"code":"labels.inaccessible_parent_config","collections":["redhat"],"description":"The parent image config is not accessible.","title":"Inaccessible parent image config"}},{"msg":"Pass","metadata":{"code":"labels.inaccessible_parent_manifest","collections":["redhat"],"description":"The parent image manifest is not accessible.","title":"Inaccessible parent image manifest"}},{"msg":"Pass","metadata":{"code":"labels.optional_labels","collections":["redhat"],"description":"Check the image for the presence of labels that are recommended, but not required. Use the rule data `optional_labels` key to set the list of labels to check, or the `fbc_optional_labels` key for fbc images.","title":"Optional labels"}},{"msg":"Pass","metadata":{"code":"labels.required_labels","collections":["redhat"],"description":"Check the image for the presence of labels that are required. Use the rule data `required_labels` key to set the list of labels to check, or the `fbc_required_labels` key for fbc images.","title":"Required labels"}},{"msg":"Pass","metadata":{"code":"labels.rule_data_provided","collections":["redhat","policy_data"],"description":"Confirm the expected rule data keys have been provided in the expected format. 
The keys are `required_labels`,\t`fbc_required_labels`, `optional_labels`, `fbc_optional_labels`, `disallowed_inherited_labels`, `fbc_disallowed_inherited_labels`, and `deprecated_labels`.","title":"Rule data provided"}},{"msg":"Pass","metadata":{"code":"olm.allowed_registries","collections":["redhat"],"description":"Each image referenced by the OLM bundle should match an entry in the list of prefixes defined by the rule data key `allowed_registry_prefixes` in your policy configuration.","effective_on":"2024-09-01T00:00:00Z","title":"Images referenced by OLM bundle are from allowed registries"}},{"msg":"Pass","metadata":{"code":"olm.allowed_registries_related","collections":["redhat"],"description":"Each image indicated as a related image should match an entry in the list of prefixes defined by the rule data key `allowed_registry_prefixes` in your policy configuration.","effective_on":"2025-04-15T00:00:00Z","title":"Related images references are from allowed registries"}},{"msg":"Pass","metadata":{"code":"olm.csv_semver_format","collections":["redhat"],"description":"Check the `spec.version` value in the ClusterServiceVersion manifest of the OLM bundle uses a properly formatted semver.","title":"ClusterServiceVersion semver format"}},{"msg":"Pass","metadata":{"code":"olm.feature_annotations_format","collections":["redhat"],"description":"Check the feature annotations in the ClusterServiceVersion manifest of the OLM bundle. All required feature annotations must be present and set to either the string `\"true\"` or the string `\"false\"`. The list of feature annotations can be customized via the `required_olm_features_annotations` rule data.","title":"Feature annotations have expected value"}},{"msg":"Pass","metadata":{"code":"olm.inaccessible_related_images","collections":["redhat"],"description":"Check the input image for the presence of related images. 
Ensure that all images are accessible.","effective_on":"2025-03-10T00:00:00Z","title":"Unable to access related images for a component"}},{"msg":"Pass","metadata":{"code":"olm.inaccessible_snapshot_references","collections":["redhat"],"description":"Check the input snapshot and make sure all the images are accessible.","effective_on":"2024-08-15T00:00:00Z","title":"Unable to access images in the input snapshot"}},{"msg":"Pass","metadata":{"code":"olm.olm_bundle_multi_arch","collections":["redhat"],"description":"OLM bundle images should be multi-arch. It should not be an OCI image index nor should it be a Docker v2s2 manifest list.","effective_on":"2025-05-01T00:00:00Z","title":"OLM bundle images are not multi-arch"}},{"msg":"Pass","metadata":{"code":"olm.required_olm_features_annotations_provided","collections":["redhat","policy_data"],"description":"Confirm the `required_olm_features_annotations` rule data was provided, since it's required by the policy rules in this package.","title":"Required OLM feature annotations list provided"}},{"msg":"Pass","metadata":{"code":"olm.subscriptions_annotation_format","collections":["redhat"],"description":"Check the value of the operators.openshift.io/valid-subscription annotation from the ClusterServiceVersion manifest is in the expected format, i.e. JSON encoded non-empty array of strings.","effective_on":"2024-04-18T00:00:00Z","title":"Subscription annotation has expected value"}},{"msg":"Pass","metadata":{"code":"olm.unmapped_references","collections":["redhat"],"description":"Check the OLM bundle image for the presence of unmapped image references. 
Unmapped image pull references are references to images found in link:https://osbs.readthedocs.io/en/latest/users.html#pullspec-locations[varying locations] that are either not in the RPA about to be released or not accessible already.","effective_on":"2024-08-15T00:00:00Z","title":"Unmapped images in OLM bundle"}},{"msg":"Pass","metadata":{"code":"olm.unpinned_references","collections":["redhat"],"description":"Check the OLM bundle image for the presence of unpinned image references. Unpinned image pull references are references to images found in link:https://osbs.readthedocs.io/en/latest/users.html#pullspec-locations[varying locations] that do not contain a digest -- uniquely identifying the version of the image being pulled.","title":"Unpinned images in OLM bundle"}},{"msg":"Pass","metadata":{"code":"olm.unpinned_snapshot_references","collections":["redhat"],"description":"Check the input snapshot for the presence of unpinned image references. Unpinned image pull references are references to images that do not contain a digest -- uniquely identifying the version of the image being pulled.","effective_on":"2024-08-15T00:00:00Z","title":"Unpinned images in input snapshot"}},{"msg":"Pass","metadata":{"code":"provenance_materials.git_clone_source_matches_provenance","collections":["minimal","redhat","redhat_rpms"],"depends_on":["provenance_materials.git_clone_task_found"],"description":"Confirm that the result of the git-clone task is included in the materials section of the SLSA provenance attestation.","title":"Git clone source matches materials provenance"}},{"msg":"Pass","metadata":{"code":"provenance_materials.git_clone_task_found","collections":["minimal","redhat","redhat_rpms"],"depends_on":["attestation_type.known_attestation_type"],"description":"Confirm that the attestation contains a git-clone task with `commit` and `url` task results.","title":"Git clone task 
found"}},{"msg":"Pass","metadata":{"code":"quay_expiration.expires_label","collections":["redhat"],"description":"Check the image metadata for the presence of a \"quay.expires-after\" label. If it's present then produce a violation. This check is enforced only for a \"release\", \"production\", or \"staging\" pipeline, as determined by the value of the `pipeline_intention` rule data.","title":"Expires label"}},{"msg":"Pass","metadata":{"code":"rpm_ostree_task.builder_image_param","collections":["redhat"],"description":"Verify the BUILDER_IMAGE parameter of the rpm-ostree Task uses an image reference that is both pinned to a digest and starts with a pre-defined list of prefixes. By default, the list of prefixes is empty allowing any pinned image reference to be used. This is customizable via the `allowed_rpm_ostree_builder_image_prefixes` rule data.","effective_on":"2024-03-20T00:00:00Z","title":"Builder image parameter"}},{"msg":"Pass","metadata":{"code":"rpm_ostree_task.rule_data","collections":["redhat"],"description":"Verify the rule data used by this package, `allowed_rpm_ostree_builder_image_prefixes`, is in the expected format.","title":"Rule data"}},{"msg":"Pass","metadata":{"code":"rpm_packages.unique_version","collections":["redhat"],"description":"Check if there is more than one version of the same RPM installed across different architectures. This check only applies for Image Indexes, aka multi-platform images. Use the `non_unique_rpm_names` rule data key to ignore certain RPMs.","effective_on":"2025-06-28T00:00:00Z","title":"Unique Version"}},{"msg":"Pass","metadata":{"code":"rpm_repos.ids_known","collections":["redhat","redhat_rpms"],"description":"Each RPM package listed in an SBOM must specify the repository id that it comes from, and that repository id must be present in the list of known and permitted repository ids. 
Currently this rule is enforced only for SBOM components created by cachi2.","effective_on":"2024-11-10T00:00:00Z","title":"All rpms have known repo ids"}},{"msg":"Pass","metadata":{"code":"rpm_repos.rule_data_provided","collections":["redhat","redhat_rpms","policy_data"],"description":"A list of known and permitted repository ids should be available in the rule data.","title":"Known repo id list provided"}},{"msg":"Pass","metadata":{"code":"rpm_signature.allowed","collections":["redhat","redhat_rpms"],"description":"The SLSA Provenance attestation for the image is inspected to ensure RPMs have been signed by a pre-defined set of signing keys. The list of signing keys can be set via the `allowed_rpm_signature_keys` rule data. Use the special value \"unsigned\" to allow unsigned RPMs.","effective_on":"2024-10-05T00:00:00Z","title":"Allowed RPM signature key"}},{"msg":"Pass","metadata":{"code":"rpm_signature.result_format","collections":["redhat","redhat_rpms"],"description":"Confirm the format of the RPMS_DATA result is in the expected format.","effective_on":"2024-10-05T00:00:00Z","title":"Result format"}},{"msg":"Pass","metadata":{"code":"rpm_signature.rule_data_provided","collections":["redhat","redhat_rpms","policy_data"],"description":"Confirm the expected `allowed_rpm_signature_keys` rule data key has been provided in the expected format.","effective_on":"2024-10-05T00:00:00Z","title":"Rule data provided"}},{"msg":"Pass","metadata":{"code":"sbom.disallowed_packages_provided","collections":["redhat","policy_data","redhat_rpms"],"description":"Confirm the `disallowed_packages` and `disallowed_attributes` rule data were provided, since they are required by the policy rules in this package.","title":"Disallowed packages list is provided"}},{"msg":"Pass","metadata":{"code":"sbom.found","collections":["minimal","redhat"],"description":"Confirm an SBOM attestation 
exists.","title":"Found"}},{"msg":"Pass","metadata":{"code":"sbom_cyclonedx.allowed","collections":["redhat","redhat_rpms"],"description":"Confirm the CycloneDX SBOM contains only allowed packages. By default all packages are allowed. Use the \"disallowed_packages\" rule data key to provide a list of disallowed packages.","title":"Allowed"}},{"msg":"Pass","metadata":{"code":"sbom_cyclonedx.allowed_package_external_references","collections":["redhat","redhat_rpms","policy_data"],"description":"Confirm the CycloneDX SBOM contains only packages with explicitly allowed external references. By default all external references are allowed unless the \"allowed_external_references\" rule data key provides a list of type-pattern pairs that forbid the use of any other external reference of the given type where the reference url matches the given pattern.","title":"Allowed package external references"}},{"msg":"Pass","metadata":{"code":"sbom_cyclonedx.allowed_package_sources","collections":["redhat","redhat_rpms","policy_data"],"description":"For each of the components fetched by Cachi2 which define externalReferences of type distribution, verify they are allowed based on the allowed_package_sources rule data key. By default, allowed_package_sources is empty, which means no components with such references are allowed.","effective_on":"2024-12-15T00:00:00Z","title":"Allowed package sources"}},{"msg":"Pass","metadata":{"code":"sbom_cyclonedx.disallowed_package_attributes","collections":["redhat","redhat_rpms","policy_data"],"description":"Confirm the CycloneDX SBOM contains only packages without disallowed attributes. By default all attributes are allowed. 
Use the \"disallowed_attributes\" rule data key to provide a list of key-value pairs that forbid the use of an attribute set to the given value.","effective_on":"2024-07-31T00:00:00Z","title":"Disallowed package attributes"}},{"msg":"Pass","metadata":{"code":"sbom_cyclonedx.disallowed_package_external_references","collections":["redhat","redhat_rpms","policy_data"],"description":"Confirm the CycloneDX SBOM contains only packages without disallowed external references. By default all external references are allowed. Use the \"disallowed_external_references\" rule data key to provide a list of type-pattern pairs that forbid the use of an external reference of the given type where the reference url matches the given pattern.","effective_on":"2024-07-31T00:00:00Z","title":"Disallowed package external references"}},{"msg":"Pass","metadata":{"code":"sbom_cyclonedx.valid","collections":["minimal","redhat","redhat_rpms"],"description":"Check the CycloneDX SBOM has the expected format. It verifies the CycloneDX SBOM matches the 1.5 version of the schema.","title":"Valid"}},{"msg":"Pass","metadata":{"code":"sbom_spdx.allowed","collections":["redhat","redhat_rpms"],"description":"Confirm the SPDX SBOM contains only allowed packages. By default all packages are allowed. Use the \"disallowed_packages\" rule data key to provide a list of disallowed packages.","title":"Allowed"}},{"msg":"Pass","metadata":{"code":"sbom_spdx.allowed_package_external_references","collections":["redhat","redhat_rpms","policy_data"],"description":"Confirm the SPDX SBOM contains only packages with explicitly allowed external references. 
By default all external references are allowed unless the \"allowed_external_references\" rule data key provides a list of type-pattern pairs that forbid the use of any other external reference of the given type where the reference url matches the given pattern.","title":"Allowed package external references"}},{"msg":"Pass","metadata":{"code":"sbom_spdx.allowed_package_sources","collections":["redhat","redhat_rpms","policy_data"],"description":"For each of the packages fetched by Cachi2 which define externalReferences, verify they are allowed based on the allowed_package_sources rule data key. By default, allowed_package_sources is empty, which means no components with such references are allowed.","effective_on":"2025-02-17T00:00:00Z","title":"Allowed package sources"}},{"msg":"Pass","metadata":{"code":"sbom_spdx.disallowed_package_attributes","collections":["redhat","redhat_rpms","policy_data"],"description":"Confirm the SPDX SBOM contains only packages without disallowed attributes. By default all attributes are allowed. Use the \"disallowed_attributes\" rule data key to provide a list of key-value pairs that forbid the use of an attribute set to the given value.","effective_on":"2025-02-04T00:00:00Z","title":"Disallowed package attributes"}},{"msg":"Pass","metadata":{"code":"sbom_spdx.disallowed_package_external_references","collections":["redhat","redhat_rpms","policy_data"],"description":"Confirm the SPDX SBOM contains only packages without disallowed external references. By default all external references are allowed. 
Use the \"disallowed_external_references\" rule data key to provide a list of type-pattern pairs that forbid the use of an external reference of the given type where the reference url matches the given pattern.","effective_on":"2024-07-31T00:00:00Z","title":"Disallowed package external references"}},{"msg":"Pass","metadata":{"code":"sbom_spdx.valid","collections":["minimal","redhat","redhat_rpms"],"description":"Check the SPDX SBOM has the expected format. It verifies the SPDX SBOM matches the 2.3 version of the schema.","title":"Valid"}},{"msg":"Pass","metadata":{"code":"schedule.date_restriction","collections":["redhat","redhat_rpms"],"description":"Check if the current date is not allowed based on the rule data value from the key `disallowed_dates`. By default, the list is empty in which case *any* day is allowed. This check is enforced only for a \"release\" or \"production\" pipeline, as determined by the value of the `pipeline_intention` rule data.","title":"Date Restriction"}},{"msg":"Pass","metadata":{"code":"schedule.rule_data_provided","collections":["redhat","redhat_rpms","policy_data"],"description":"Confirm the expected rule data keys have been provided in the expected format. The keys are `disallowed_weekdays` and `disallowed_dates`.","title":"Rule data provided"}},{"msg":"Pass","metadata":{"code":"schedule.weekday_restriction","collections":["redhat","redhat_rpms"],"description":"Check if the current weekday is allowed based on the rule data value from the key `disallowed_weekdays`. By default, the list is empty in which case *any* weekday is allowed. 
This check is enforced only for a \"release\" or \"production\" pipeline, as determined by the value of the `pipeline_intention` rule data.","title":"Weekday Restriction"}},{"msg":"Pass","metadata":{"code":"slsa_build_build_service.allowed_builder_ids_provided","collections":["slsa3","redhat","redhat_rpms","policy_data"],"description":"Confirm the `allowed_builder_ids` rule data was provided, since it is required by the policy rules in this package.","title":"Allowed builder IDs provided"}},{"msg":"Pass","metadata":{"code":"slsa_build_build_service.slsa_builder_id_accepted","collections":["slsa3","redhat","redhat_rpms"],"depends_on":["attestation_type.known_attestation_type"],"description":"Verify that the attestation attribute predicate.builder.id is set to one of the values in the `allowed_builder_ids` rule data, e.g. \"https://tekton.dev/chains/v2\".","title":"SLSA Builder ID is known and accepted"}},{"msg":"Pass","metadata":{"code":"slsa_build_build_service.slsa_builder_id_found","collections":["slsa3","redhat"],"depends_on":["attestation_type.known_attestation_type"],"description":"Verify that the attestation attribute predicate.builder.id is set.","title":"SLSA Builder ID found"}},{"msg":"Pass","metadata":{"code":"slsa_build_scripted_build.build_script_used","collections":["slsa3","redhat","redhat_rpms"],"depends_on":["attestation_type.known_attestation_type"],"description":"Verify that the predicate.buildConfig.tasks.steps attribute for the task responsible for building and pushing the image is not empty.","title":"Build task contains steps"}},{"msg":"Pass","metadata":{"code":"slsa_build_scripted_build.build_task_image_results_found","collections":["slsa3","redhat","redhat_rpms"],"depends_on":["attestation_type.known_attestation_type"],"description":"Confirm that a build task exists and it has the expected IMAGE_DIGEST and IMAGE_URL task results.","title":"Build task set image digest and url task 
results"}},{"msg":"Pass","metadata":{"code":"slsa_build_scripted_build.subject_build_task_matches","collections":["slsa3","redhat","redhat_rpms"],"depends_on":["attestation_type.known_attestation_type"],"description":"Verify the subject of the attestations matches the IMAGE_DIGEST and IMAGE_URL values from the build task.","title":"Provenance subject matches build task image result"}},{"msg":"Pass","metadata":{"code":"slsa_provenance_available.allowed_predicate_types_provided","collections":["minimal","slsa3","redhat","redhat_rpms","policy_data"],"description":"Confirm the `allowed_predicate_types` rule data was provided, since it is required by the policy rules in this package.","title":"Allowed predicate types provided"}},{"msg":"Pass","metadata":{"code":"slsa_provenance_available.attestation_predicate_type_accepted","collections":["minimal","slsa3","redhat","redhat_rpms"],"depends_on":["attestation_type.known_attestation_type"],"description":"Verify that the predicateType field of the attestation indicates the in-toto SLSA Provenance format was used to attest the PipelineRun.","title":"Expected attestation predicate type found"}},{"msg":"Pass","metadata":{"code":"slsa_source_correlated.attested_source_code_reference","collections":["minimal","slsa3","redhat"],"depends_on":["attestation_type.known_attestation_type"],"description":"Attestation contains source reference.","title":"Source reference"}},{"msg":"Pass","metadata":{"code":"slsa_source_correlated.expected_source_code_reference","collections":["minimal","slsa3","redhat"],"depends_on":["attestation_type.known_attestation_type"],"description":"Verify that the provided source code reference is the one being attested.","title":"Expected source code reference"}},{"msg":"Pass","metadata":{"code":"slsa_source_correlated.rule_data_provided","collections":["minimal","slsa3","redhat","redhat_rpms","policy_data"],"description":"Confirm the expected rule data keys have been provided in the expected format. 
The keys are `supported_vcs` and `supported_digests`.","title":"Rule data provided"}},{"msg":"Pass","metadata":{"code":"slsa_source_correlated.source_code_reference_provided","collections":["minimal","slsa3","redhat","redhat_rpms"],"description":"Check if the expected source code reference is provided.","title":"Source code reference provided"}},{"msg":"Pass","metadata":{"code":"slsa_source_version_controlled.materials_format_okay","collections":["minimal","slsa3","redhat","redhat_rpms"],"depends_on":["attestation_type.known_attestation_type"],"description":"Confirm at least one entry in the predicate.materials array of the attestation contains the expected attributes: uri and digest.sha1.","title":"Materials have uri and digest"}},{"msg":"Pass","metadata":{"code":"slsa_source_version_controlled.materials_include_git_sha","collections":["minimal","slsa3","redhat","redhat_rpms"],"depends_on":["attestation_type.known_attestation_type"],"description":"Ensure that each entry in the predicate.materials array with a SHA-1 digest includes a valid Git commit SHA.","title":"Materials include git commit shas"}},{"msg":"Pass","metadata":{"code":"slsa_source_version_controlled.materials_uri_is_git_repo","collections":["minimal","slsa3","redhat","redhat_rpms"],"depends_on":["attestation_type.known_attestation_type"],"description":"Ensure each entry in the predicate.materials array with a SHA-1 digest includes a valid Git URI.","title":"Material uri is a git repo"}},{"msg":"Pass","metadata":{"code":"tasks.data_provided","collections":["redhat","redhat_rpms","policy_data"],"description":"Confirm the expected data keys have been provided in the expected format. 
The keys are `pipeline-required-tasks` and `required-tasks`.","title":"Data provided"}},{"msg":"Pass","metadata":{"code":"tasks.future_required_tasks_found","collections":["redhat","redhat_rpms"],"depends_on":["tasks.pipeline_has_tasks"],"description":"Produce a warning when a task that will be required in the future was not included in the PipelineRun attestation.","title":"Future required tasks were found"}},{"msg":"Pass","metadata":{"code":"tasks.pinned_task_refs","collections":["redhat"],"depends_on":["tasks.pipeline_has_tasks"],"description":"Ensure that all Tasks in the SLSA Provenance attestation use an immutable reference to the Task definition.","title":"Pinned Task references"}},{"msg":"Pass","metadata":{"code":"tasks.pipeline_has_tasks","collections":["minimal","redhat","redhat_rpms","slsa3"],"depends_on":["attestation_type.known_attestation_type"],"description":"Ensure that at least one Task is present in the PipelineRun attestation.","title":"Pipeline run includes at least one task"}},{"msg":"Pass","metadata":{"code":"tasks.pipeline_required_tasks_list_provided","collections":["redhat","redhat_rpms"],"depends_on":["tasks.pipeline_has_tasks"],"description":"Produce a warning if the required tasks list rule data was not provided.","title":"Required tasks list for pipeline was provided"}},{"msg":"Pass","metadata":{"code":"tasks.required_tasks_list_provided","collections":["redhat","redhat_rpms"],"depends_on":["tasks.pipeline_has_tasks"],"description":"Confirm the `required-tasks` rule data was provided, since it's required by the policy rules in this package.","title":"Required tasks list was provided"}},{"msg":"Pass","metadata":{"code":"tasks.successful_pipeline_tasks","collections":["minimal","redhat","redhat_rpms","slsa3"],"depends_on":["tasks.pipeline_has_tasks"],"description":"Ensure that all of the Tasks in the Pipeline completed successfully. 
Note that skipped Tasks are not taken into account and do not influence the outcome.","title":"Successful pipeline tasks"}},{"msg":"Pass","metadata":{"code":"tasks.unsupported","collections":["redhat","redhat_rpms"],"depends_on":["tasks.pipeline_has_tasks"],"description":"The Tekton Task used is or will be unsupported. The Task is annotated with `build.appstudio.redhat.com/expires-on` annotation marking it as unsupported after a certain date.","title":"Task version unsupported"}},{"msg":"Pass","metadata":{"code":"test.no_erred_tests","collections":["redhat","redhat_rpms"],"depends_on":["test.test_data_found"],"description":"Produce a violation if any tests have their result set to \"ERROR\". The result type is configurable by the \"erred_tests_results\" key in the rule data.","title":"No tests erred"}},{"msg":"Pass","metadata":{"code":"test.no_failed_tests","collections":["redhat","redhat_rpms"],"depends_on":["test.test_data_found"],"description":"Produce a violation if any non-informative tests have their result set to \"FAILED\". The result type is configurable by the \"failed_tests_results\" key, and the list of informative tests is configurable by the \"informative_tests\" key in the rule data.","title":"No tests failed"}},{"msg":"Pass","metadata":{"code":"test.no_skipped_tests","collections":["redhat","redhat_rpms"],"depends_on":["test.test_data_found"],"description":"Produce a violation if any tests have their result set to \"SKIPPED\". A skipped result means a pre-requirement for executing the test was not met, e.g. a license key for executing a scanner was not provided. The result type is configurable by the \"skipped_tests_results\" key in the rule data.","effective_on":"2023-12-08T00:00:00Z","title":"No tests were skipped"}},{"msg":"Pass","metadata":{"code":"test.rule_data_provided","collections":["redhat","redhat_rpms","policy_data"],"description":"Confirm the expected rule data keys have been provided in the expected format. 
The keys are `supported_tests_results`, `failed_tests_results`, `informative_tests`, `erred_tests_results`, `skipped_tests_results`, and `warned_tests_results`.","title":"Rule data provided"}},{"msg":"Pass","metadata":{"code":"test.test_all_images","collections":["redhat","redhat_rpms"],"description":"Ensure that the task producing the IMAGES_PROCESSED result contains the digests of the built image.","effective_on":"2024-05-29T00:00:00Z","title":"Image digest is present in IMAGES_PROCESSED result"}},{"msg":"Pass","metadata":{"code":"test.test_data_found","collections":["redhat"],"depends_on":["attestation_type.known_attestation_type"],"description":"Ensure that at least one of the tasks in the pipeline includes a TEST_OUTPUT task result, which is where Conforma expects to find test result data.","title":"Test data found in task results"}},{"msg":"Pass","metadata":{"code":"test.test_results_found","collections":["redhat","redhat_rpms"],"depends_on":["test.test_data_found"],"description":"Each test result is expected to have a `results` key. Verify that the `results` key is present in all of the TEST_OUTPUT task results.","title":"Test data includes results key"}},{"msg":"Pass","metadata":{"code":"test.test_results_known","collections":["redhat","redhat_rpms"],"depends_on":["test.test_data_found"],"description":"Ensure all test data result values are in the set of known/supported result values.","title":"No unsupported test result values found"}},{"msg":"Pass","metadata":{"code":"trusted_task.current","collections":["redhat","redhat_rpms"],"description":"Check if all Tekton Tasks use the latest known Task reference. When warnings will be reported can be configured using the `task_expiry_warning_days` rule data setting. 
It holds the number of days before the task is to expire within which the warnings will be reported.","effective_on":"2024-05-07T00:00:00Z","title":"Tasks using the latest versions"}},{"msg":"Pass","metadata":{"code":"trusted_task.data","collections":["redhat","redhat_rpms"],"description":"Confirm the `trusted_tasks` rule data was provided, since it's required by the policy rules in this package.","effective_on":"2024-05-07T00:00:00Z","title":"Task tracking data was provided"}},{"msg":"Pass","metadata":{"code":"trusted_task.data_format","collections":["redhat","redhat_rpms","policy_data"],"description":"Confirm the expected `trusted_tasks` data keys have been provided in the expected format.","title":"Data format"}},{"msg":"Pass","metadata":{"code":"trusted_task.pinned","collections":["redhat","redhat_rpms"],"description":"Check if all Tekton Tasks use a Task definition by a pinned reference. When using the git resolver, a commit ID is expected for the revision parameter. When using the bundles resolver, the bundle parameter is expected to include an image reference with a digest.","effective_on":"2024-05-07T00:00:00Z","title":"Task references are pinned"}},{"msg":"Pass","metadata":{"code":"trusted_task.trusted_parameters","collections":["redhat"],"description":"Confirm certain parameters provided to each builder Task have come from trusted Tasks.","effective_on":"2021-07-04T00:00:00Z","title":"Trusted parameters"}},{"msg":"Pass","metadata":{"code":"trusted_task.valid_trusted_artifact_inputs","collections":["redhat","redhat_rpms"],"depends_on":["attestation_type.known_attestation_type"],"description":"All input trusted artifacts must be produced on the pipeline. 
If they are not the artifact could have been injected by a rogue task.","title":"Trusted Artifact produced in pipeline"}}],"success":false,"signatures":[{"keyid":"","sig":"MEQCIEkWwQnDYjheS7ruXemcCltMu1PLjM9Pa+D6RIkhfuquAiBWqpd+qGcPX2jl7lfmliaNjZ6YKFW/CqH4XtaimMmIGA=="}],"attestations":[{"type":"https://in-toto.io/Statement/v0.1","predicateType":"https://slsa.dev/provenance/v0.2","predicateBuildType":"tekton.dev/v1beta1/PipelineRun","signatures":[{"keyid":"SHA256:IhiN7gY+Z3uSSd7tmj6w5Zfhqafzdhm3DZjIvGc6iYY","sig":"MEQCIDqq+UIDlw8aSFmPf6tJdIMb6NlbsWwfBDnHZCF7oXceAiBqSD4OA97AeKXUOANFMuBRFWuWSc/BaMbQ3nAQo3wTPA=="}]}]}],"key":"-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEZP/0htjhVt2y0ohjgtIIgICOtQtA\nnaYJRuLprwIv6FDhZ5yFjYUEtsmoNcW7rx2KM6FOXGsCX3BNc7qhHELT+g==\n-----END PUBLIC KEY-----\n","policy":{"description":"Rules for shipping content to registry.redhat.io","sources":[{"name":"Release Policies","policy":["oci::quay.io/enterprise-contract/ec-release-policy:konflux@sha256:032ada050ec513a62cceff38a779f43381c2698f783644587fcaccd76e217125"],"data":["git::github.com/release-engineering/rhtap-ec-policy//data?ref=65682bf58d1ee7d25d976337dcc84038ff1ed210","oci::quay.io/konflux-ci/tekton-catalog/data-acceptable-bundles:latest@sha256:6f898eb625d5d91c06729eb486c76077408101a8728a67fc6dbc7a0e0719f7e4"],"config":{"exclude":["cve.cve_blockers"],"include":["@redhat"]},"volatileConfig":{"exclude":[{"value":"test.no_skipped_tests:ecosystem-cert-preflight-checks","effectiveUntil":"2025-06-01T00:00:00Z"},{"value":"cve.cve_blockers","imageRef":"sha256:7d32502533684e29669051650f66742a59375ef90023103c528dd11407e29036"},{"value":"cve.cve_blockers","imageRef":"sha256:e81d8c9330d3b572702e19ca3e0dc4193a481640a9adc906a45a94ab771727bb"},{"value":"cve.cve_blockers","imageRef":"sha256:ff9646440724f389615c6a64670aa411e4a6dab074ab735cab3a8124ac84a99e"},{"value":"cve.cve_blockers","imageRef":"sha256:ea03d804ef36e82f7d4da8d717d722cbacd5de05c3d35c2e9946e60c43fc40b2"},{"value":"cve.cve_blockers","imageRef":"sha256:d9b473fd8a35deb5fa6481692b6b1ce5b4b3616b4cb5e11b4d38e5b8c4f4f6ed"},{"value":"cve.cve_blockers","imageRef":"sha256:2c1f3ee7e55b06fe4780e162d8164a6eb089455d8761c0d65a1c4391e429d8d1"},{"value":"cve.cve_blockers","imageRef":"sha256:db4c504dce70374ba5c8a38d8d6f95fe22d1a76840e68a6984e58371e160d286"},{"value":"cve.cve_blockers","imageRef":"sha256:5474b8ba436bc14ff049bc67fb24fb3d9dd28d9896f95aa5f84b4671e7188857"},{"value":"cve.cve_blockers","imageRef":"sha256:c60037ff8d0a138c8b238cfd25ed5bc47d75d2b41b10a0661f0e66e4b460cd1e"},{"value":"cve.cve_blockers","imageRef":"sha256:4ec2cca6fa70f819d08069db2b036dc816a2866634ce34284a0812ea09009e97"},{"value":"cve.cve_blockers","imageRef":"sha256:998514ea968b2e09dc44147ce9e6ad8502b35a4e728ac62e9a7e5db6e7b1a13f"},{"value":"cve.cve_blockers","imageRef":"sha256:21c22a0293cddf6f34d8d29292b40ae8729f28362385135eb446afc9c108f2ee"},{"value":"cve.cve_blockers","imageRef":"sha256:cd119fcc27c709fb3881d8466659579ec569e2948bae1f98692d1d16ab3c1dc4"},{"value":"cve.cve_blockers","imageRef":"sha256:23ced5b16bf48295ecbcdbac8d56bcf24f0a29c28889d273193c3043128690a9"},{"value":"cve.cve_blockers","imageRef":"sha256:3ff61ca7f725abb9bcb3e5152450e39a309faae6674c5e8094e7161345f1cf0e"},{"value":"cve.cve_blockers","imageRef":"sha256:d3d7dfd0282f2335bea8c8d0b28bb72a77a990539e0c7c94cd2f1e194810b9c9"},{"value":"cve.cve_blockers","imageRef":"sha256:9573d74bd2b926ec94af76f813e6358f14c5b2f4e0eedab7c1ff1070b7279a5c"},{"value":"cve.cve_blockers","imageRef":"sha256:edebd2837a2b272e5d6d5b14acd08970be8496de27f26a5b19f34d681cd5fbba"},{"value":"cve.cve_blockers","imageRef":"sha256:6d0c452c6676e99fecce079cab50520696d5c4336032c7a806c5f2da0bb936b7"},{"value":"cve.cve_blockers","imageRef":"sha256:29057e8455b7643bfab8870e79f38573ccad59056c6b9b0f73ce5fc571c8bfb4"},{"value":"cve.cve_blockers","imageRef":"sha256:1a45a954f0a91be994438dad8f61708abfe5855c3e56f6e15635770e0085da51"}]}}],"publicKey":"k8s://openshift-pipelines/public-key"},"ec-version":"v0.7.51","effective-time":"2025-05-05T18:11:57.508194709Z"} STEP-SUMMARY { "timestamp": "1746468734", "namespace": "", "successes": 212, "failures": 68, "warnings": 14, "result": "FAILURE" } STEP-INFO STEP-VERSION STEP-SHOW-CONFIG STEP-DEBUG-LOG STEP-ASSERT