Release Policy

Rule Collections

- github
- minimal
- policy_data
- redhat
- redhat_maven
- redhat_rpms
- rhtap-multi-ci
- slsa3

Release Rules

- All maven artifacts have known repository URLs
  - Known Repository URLs
  - Policy data validation
- Attestation type
  - Deprecated policy attestation format
  - Known attestation type found
  - Known attestation types provided
  - PipelineRun attestation found
- Base image checks
  - Allowed base image registry prefixes list was provided
  - Base image comes from permitted registry
  - Base images provided
- Buildah build task
  - ADD_CAPABILITIES parameter
  - Buildah task uses a local Dockerfile
  - PLATFORM parameter
  - PRIVILEGED_NESTED parameter
  - disallowed_platform_patterns format
- CVE checks
  - Blocking CVE check
  - Blocking unpatched CVE check
  - CVE scan results found
  - Non-blocking CVE check
  - Non-blocking unpatched CVE check
  - Rule data provided
- External parameters
  - Pipeline run params
  - PipelineRun params provided
  - Restrict shared volumes
- Git branch checks
  - Builds have a trusted target branch
- GitHub Certificate Checks
  - GitHub Workflow Certificate Extensions
  - GitHub Workflow Name
  - GitHub Workflow Repository
  - GitHub Workflow Repository
  - GitHub Workflow Trigger
  - Rule data provided
- Hermetic task
  - Hermetic build task has Sonatype proxy enabled
  - Task called with hermetic param set
  - proxy_enabled_purl_types format
- Labels
  - Deprecated labels
  - Disallowed inherited labels
  - Inaccessible image config
  - Inaccessible image manifest
  - Inaccessible parent image config
  - Inaccessible parent image manifest
  - Optional labels
  - Required labels
  - Rule data provided
- OLM
  - ClusterServiceVersion semver format
  - Feature annotations have expected value
  - Images referenced by OLM bundle are from allowed registries
  - OLM bundle image manifests contain only allowed resource kinds
  - OLM bundle images are not multi-arch
  - Related images references are from allowed registries
  - Required OLM feature annotations list provided
  - Subscription annotation has expected value
  - Unable to access related images for a component
  - Unmapped images in OLM bundle
  - Unpinned images in OLM bundle
  - Unpinned images in input snapshot
  - Unpinned related images for a component
- Pre-build-script task checks
  - Script runner image comes from allowed registry
  - Script runner image is a valid image reference
  - Script runner image is included in the sbom
  - Script runner image is listed in the task results
- Prefetch Dependencies Task
  - Prefetch dependencies mode parameter check
- Provenance Materials
  - Git clone source matches materials provenance
  - Git clone task found
- Quay expiration
  - Expires label
- RHTAP Multi-CI
  - SLSA Provenance Attestation Format
  - SLSA Provenance Attestation Found
- RPM Build Dependencies
  - Builds have valid download locations
- RPM Packages
  - Unique Version
- RPM Pipeline
  - Task version invalid_pipeline
- RPM Repos
  - All rpms have known repo ids
  - Known repo id list provided
- RPM Signature
  - Allowed RPM signature key
  - Result format
  - Rule data provided
- SBOM
  - Disallowed packages list is provided
  - Found
- SBOM CycloneDX
  - Allowed
  - Allowed package external references
  - Allowed package sources
  - Disallowed package attributes
  - Disallowed package external references
  - Supported Version
  - Valid 1.4
  - Valid 1.5
  - Valid 1.6
- SLSA - Build - Build Service
  - Allowed builder IDs provided
  - SLSA Builder ID found
  - SLSA Builder ID is known and accepted
- SLSA - Build - Scripted Build
  - Build task contains steps
  - Build task set image digest and url task results
  - Image built by trusted Task
  - Provenance subject matches build task image result
- SLSA - Provenance - Available
  - Allowed predicate types provided
  - Expected attestation predicate type found
- SLSA - Source - Version Controlled
  - Material uri is a git repo
  - Materials have uri and digest
  - Materials include git commit shas
- SLSA - Verification model - Source
  - Expected source code reference
  - Rule data provided
  - Source code reference provided
  - Source reference
- SPDX SBOM
  - Allowed
  - Allowed package external references
  - Allowed package sources
  - Contains files
  - Contains packages
  - Disallowed package attributes
  - Disallowed package external references
  - Matches image
  - Valid
- Schedule related checks
  - Date Restriction
  - Rule data provided
  - Weekday Restriction
- Source image
  - Exists
  - Signed
- Tasks
  - All required tasks are from trusted tasks
  - All required tasks were included in the pipeline
  - Data provided
  - Future required tasks were found
  - Pinned Task references
  - Pipeline run includes at least one task
  - Required tasks list for pipeline was provided
  - Required tasks list was provided
  - Successful pipeline tasks
  - Task version unsupported
- Test
  - Image digest is present in IMAGES_PROCESSED result
  - No informative tests failed
  - No tests erred
  - No tests failed
  - No tests produced warnings
  - No tests were skipped
  - No unsupported test result values found
  - Rule data provided
  - Test data found in task results
  - Test data includes results key
- Trusted Task checks
  - Data format
  - Future deny rule will apply
  - Task references are pinned
  - Task references are tagged
  - Task tracking data was provided
  - Tasks are trusted
  - Tasks using the latest versions
  - Trusted Artifact produced in pipeline
  - Trusted parameters
- Volatile Configuration Warnings
  - Volatile rule expiring soon
  - Volatile rule has expired
  - Volatile rule has invalid configuration
  - Volatile rule has no expiration
  - Volatile rule pending activation
- rpm-ostree Task
  - Builder image parameter
  - Rule data