The policies and the data used by the policies are available as OCI artifacts compatible with the `conftest pull` command.
The latest versions of the bundles can be found in the following repos:

- `quay.io/enterprise-contract/ec-release-policy` - Used for validating attestations created by Tekton Chains. Contains the contents of `policy/release` and `policy/lib` in this repo.
- `quay.io/enterprise-contract/ec-pipeline-policy` - Used for validating Tekton Pipeline definitions. Contains the contents of `policy/pipeline` and `policy/lib`.
The bundles mentioned above are also listed in Artifact Hub.
The bundles are designed to be used with the ec-cli, but you can also use them with conftest directly. The input should include a top level key called `attestations` which contains a list of attestations for the image being validated. For example:

```sh
cosign download attestation quay.io/konflux-ci/ec-golden-image:latest | jq --slurp '{"attestations":[.[].payload|@base64d|fromjson]}' > input.json
conftest pull -p . quay.io/enterprise-contract/ec-release-policy quay.io/enterprise-contract/ec-policy-data
conftest test input.json -d data -p policy --all-namespaces -o json | yq -P
```
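The following is an added example, not part of this repo, showing what the jq one-liner above produces: it reshapes the newline-delimited DSSE envelopes printed by `cosign download attestation` into the `{"attestations": [...]}` document the bundles expect, and additionally rejects envelopes whose payload is not an in-toto Statement. The envelopes, statements and the builder id are constructed sample data, and the `sig` values are placeholders.

```python
import base64
import json

IN_TOTO_TYPE = "application/vnd.in-toto+json"


def _envelope(statement: dict) -> str:
    # Wrap a statement the way a DSSE envelope does; the signature is a placeholder.
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    return json.dumps({"payloadType": IN_TOTO_TYPE, "payload": payload,
                       "signatures": [{"keyid": "", "sig": "PLACEHOLDER"}]})


# Constructed sample: two in-toto Statements for the same image (digests are fake).
SAMPLE_STATEMENTS = [
    {"_type": "https://in-toto.io/Statement/v0.1",
     "predicateType": "https://slsa.dev/provenance/v0.2",
     "subject": [{"name": "quay.io/example/app", "digest": {"sha256": "aa" * 32}}],
     "predicate": {"builder": {"id": "https://example.com/constructed-builder"}}},
    {"_type": "https://in-toto.io/Statement/v0.1",
     "predicateType": "https://slsa.dev/provenance/v0.2",
     "subject": [{"name": "quay.io/example/app", "digest": {"sha256": "bb" * 32}}],
     "predicate": {"builder": {"id": "https://example.com/constructed-builder"}}},
]
# Same shape as the output of `cosign download attestation`: one envelope per line.
SAMPLE_COSIGN_OUTPUT = "\n".join(_envelope(s) for s in SAMPLE_STATEMENTS) + "\n"


def build_conftest_input(cosign_output: str) -> dict:
    """Return {"attestations": [decoded statements]} from cosign's envelope lines.

    Mirrors the jq pipeline (slurp, base64-decode each payload, parse JSON) but
    refuses envelopes that are not in-toto JSON, so a policy run never evaluates
    against silently empty or mis-typed input."""
    attestations = []
    for line in cosign_output.splitlines():
        if not line.strip():
            continue
        envelope = json.loads(line)
        if envelope.get("payloadType") != IN_TOTO_TYPE:
            raise ValueError(f"unexpected payloadType: {envelope.get('payloadType')!r}")
        statement = json.loads(base64.b64decode(envelope["payload"]))
        if "subject" not in statement or "predicateType" not in statement:
            raise ValueError("decoded payload is not an in-toto Statement")
        attestations.append(statement)
    return {"attestations": attestations}


if __name__ == "__main__":
    # Writes input.json in the form `conftest test input.json ...` consumes.
    with open("input.json", "w") as fh:
        json.dump(build_conftest_input(SAMPLE_COSIGN_OUTPUT), fh, indent=2)
```

Neither the jq pipeline nor this script verifies the DSSE signatures on the envelopes; `cosign download attestation` only fetches them, so signature verification (as `cosign verify-attestation` or the ec-cli perform it) still has to happen before the policy result is trusted.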