This repo contains a set of policy.yaml
files which can be used by the Enterprise Contract
Command Line Interface with a variety of
environments.
When using Red Hat's Konflux CI environment, there is a predefined Integration Test pipeline definition for each of the configs in this section. They can be used when creating an Integration Test in Konflux as per the documentation here.
The policy configuration files are:
Includes rules for levels 1, 2 & 3 of SLSA v0.1. This is the default config used for new Konflux applications.
- URL for Enterprise Contract:
github.com/enterprise-contract/config//default
- Source: default/policy.yaml
- Collections: @slsa3
Includes the full set of rules and policies required internally by Red Hat when building Red Hat products.
- URL for Enterprise Contract:
github.com/enterprise-contract/config//redhat
- Source: redhat/policy.yaml
- Collections: @redhat
Includes most of the rules and policies required internally by Red Hat when building Red Hat products. It excludes the requirement of hermetic builds.
- URL for Enterprise Contract:
github.com/enterprise-contract/config//redhat-no-hermetic
- Source: redhat-no-hermetic/policy.yaml
- Collections: @redhat
Rules specifically related to levels 1, 2 & 3 of SLSA v0.1, plus a set of basic checks that are expected to pass for all Konflux builds.
- URL for Enterprise Contract:
github.com/enterprise-contract/config//slsa3
- Source: slsa3/policy.yaml
- Collections: @minimal, @slsa3
The main branch of the enterprise-contract/ec-policies is always tested with the latest build of ec-cli. If your environment uses a specific version of ec-cli, such as the official Red Hat build, then you can use one of these instead of the main branch default.
They are similar to the Konflux CI "default" configuration except they use a specific branch of the policies repo for stability and compatiblity with specific verisons of ec. These configurations are suggested for use in Red Hat Trusted Application Pipeline templates.
The policy configuration files are:
Includes rules for levels 1, 2 & 3 of SLSA v0.1. For use with ec version v0.1-alpha.
- URL for Enterprise Contract:
github.com/enterprise-contract/config//default-v0.1-alpha
- Source: default-v0.1-alpha/policy.yaml
- Collections: @slsa3
Includes rules for levels 1, 2 & 3 of SLSA v0.1. For use with ec version v0.2.
- URL for Enterprise Contract:
github.com/enterprise-contract/config//default-v0.2
- Source: default-v0.2/policy.yaml
- Collections: @slsa3
Includes rules for levels 1, 2 & 3 of SLSA v0.1. For use with ec version v0.4
- URL for Enterprise Contract:
github.com/enterprise-contract/config//default-v0.4
- Source: default-v0.4/policy.yaml
- Collections: @slsa3
Includes rules suitable for use with the attestations created by RHTAP GitHub build pipelines.
- URL for Enterprise Contract:
github.com/enterprise-contract/config//rhtap-github
- Source: rhtap-github/policy.yaml
- Collections: @rhtap-github
Includes rules suitable for use with the attestations created by RHTAP GitLab build pipelines.
- URL for Enterprise Contract:
github.com/enterprise-contract/config//rhtap-gitlab
- Source: rhtap-gitlab/policy.yaml
- Collections: @rhtap-gitlab
Includes rules suitable for use with the attestations created by RHTAP Jenkins build pipelines.
- URL for Enterprise Contract:
github.com/enterprise-contract/config//rhtap-jenkins
- Source: rhtap-jenkins/policy.yaml
- Collections: @rhtap-jenkins
These are policy rules used to verify Tekton Task definitions meet the Red Hat guidelines for being considered trusted.
The policy configuration files are:
Rules used to verify Tekton Task definitions comply to Red Hat's standards.
- URL for Enterprise Contract:
github.com/enterprise-contract/config//redhat-trusted-tasks
- Source: redhat-trusted-tasks/policy.yaml
Container images built via GitHub Actions can be verified with the following policy configurations.
Rules for container images built via GitHub Workflows.
- URL for Enterprise Contract:
github.com/enterprise-contract/config//github-default
- Source: github-default/policy.yaml
- Collections: @github