Enterprise Contract Configuration Files
This repo contains a set of policy.yaml files that can be used with the Conforma Command Line Interface (ec) in a variety of environments.
Konflux CI
When using Red Hat's Konflux CI environment, there is a predefined Integration Test pipeline definition for each of the configs in this section. They can be selected when creating an Integration Test in Konflux, as described in the Konflux documentation.
The policy configuration files are:
Default
Includes rules for levels 1, 2 & 3 of SLSA v0.1. This is the default config used for new Konflux applications.
- URL for Enterprise Contract: github.com/conforma/config//default
- Source: default/policy.yaml
- Collections: @slsa3
Red Hat
Includes the full set of rules and policies required internally by Red Hat when building Red Hat products.
- URL for Enterprise Contract: github.com/conforma/config//redhat
- Source: redhat/policy.yaml
- Collections: @redhat
Red Hat (non hermetic)
Includes most of the rules and policies required internally by Red Hat when building Red Hat products, but without the requirement for hermetic builds.
- URL for Enterprise Contract: github.com/conforma/config//redhat-no-hermetic
- Source: redhat-no-hermetic/policy.yaml
- Collections: @redhat
Red Hat RPMs
For Red Hat RPM builds in Red Hat Konflux.
- URL for Enterprise Contract: github.com/conforma/config//redhat-rpms
- Source: redhat-rpms/policy.yaml
- Collections: @redhat_rpms
SLSA3
Rules specifically related to levels 1, 2 & 3 of SLSA v0.1, plus a set of basic checks that are expected to pass for all Konflux builds.
- URL for Enterprise Contract: github.com/conforma/config//slsa3
- Source: slsa3/policy.yaml
- Collections: @minimal, @slsa3
Stable (versioned policies)
The main branch of the conforma/policy repo is always tested against the latest build of ec. If your environment uses a specific version of ec, such as the official Red Hat build, you can use one of these configurations instead of the main branch default.
They are similar to the Konflux CI "default" configuration, except that they pin a specific branch of the policies repo for stability and compatibility with specific versions of ec. These configurations are suggested for use in Red Hat Trusted Application Pipeline templates.
The policy configuration files are:
RHTAP (v0.6)
Includes rules suitable for use with the attestations created by RHTAP. For use with ec version v0.6.
- URL for Enterprise Contract: github.com/conforma/config//rhtap-v0.6
- Source: rhtap-v0.6/policy.yaml
- Collections: @rhtap-multi-ci
RHTAP (v0.7)
Includes rules suitable for use with the attestations created by RHTAP. For use with ec version v0.7.
- URL for Enterprise Contract: github.com/conforma/config//rhtap-v0.7
- Source: rhtap-v0.7/policy.yaml
- Collections: @rhtap-multi-ci
Tekton SLSA3 (v0.6)
Includes rules for levels 1, 2 & 3 of SLSA v0.1. For use with ec version v0.6.
- URL for Enterprise Contract: github.com/conforma/config//tekton-slsa3-v0.6
- Source: tekton-slsa3-v0.6/policy.yaml
- Collections: @slsa3
Tekton SLSA3 (v0.7)
Includes rules for levels 1, 2 & 3 of SLSA v0.1. For use with ec version v0.7.
- URL for Enterprise Contract: github.com/conforma/config//tekton-slsa3-v0.7
- Source: tekton-slsa3-v0.7/policy.yaml
- Collections: @slsa3
Konflux CI & Red Hat Trusted Application Pipeline (RHTAP) - Tasks
These policy rules are used to verify that Tekton Task definitions meet Red Hat's guidelines for being considered trusted.
The policy configuration files are:
Red Hat Trusted Tasks
Rules used to verify that Tekton Task definitions comply with Red Hat's standards.
- URL for Enterprise Contract: github.com/conforma/config//redhat-trusted-tasks
- Source: redhat-trusted-tasks/policy.yaml
Container images built via GitHub Actions can be verified with the following policy configurations.
GitHub Default
Rules for container images built via GitHub Workflows.
- URL for Enterprise Contract: github.com/conforma/config//github-default
- Source: github-default/policy.yaml
- Collections: @github