Managing compliance with the Enterprise Contract

The Enterprise Contract (EC) is an artifact verifier and customizable policy checker. By default, Konflux adds the Enterprise Contract as an integration test to each new application. The Enterprise Contract then keeps your software supply chain secure and ensures container images comply with your organization’s policies. It does this by verifying the security and provenance of builds created through Konflux.

Konflux’s build process uses Tekton Chains to produce a signed in-toto provenance attestation of the build pipeline. The Enterprise Contract then uses this attestation to verify the build’s integrity and compliance with a set of policies. These policies include best practices and any organization-specific requirements.
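To make the verification step concrete, here is an added example (written for this page, not code from Konflux or the ec-cli project) that checks a DSSE-wrapped in-toto statement the way a minimal verifier would: first the signature over the DSSE pre-authentication encoding, then that the statement is SLSA provenance for the expected image digest, and finally one illustrative policy rule on the builder id. The key, image name, digest and builder id are constructed sample values; the real Konflux policies are much broader than this single rule.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

const inTotoType = "application/vnd.in-toto+json" // DSSE payloadType for in-toto statements
const slsaType = "https://slsa.dev/provenance/v0.2" // predicateType of SLSA v0.2 provenance
// Constructed sample statement (not real Konflux output); the digest and builder id are made up.
const sampleDigest = "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"
const sampleStatement = `{"_type":"https://in-toto.io/Statement/v0.1","predicateType":"` + slsaType + `","subject":` +
	`[{"name":"quay.io/example/app","digest":{"sha256":"` + sampleDigest + `"}}],"predicate":{"builder":{"id":"https://tekton.dev/chains/v2"}}}`
// Statement is the subset of an in-toto SLSA provenance statement this check reads.
type Statement struct {
	PredicateType string                                                            `json:"predicateType"`
	Subject       []struct{ Digest map[string]string `json:"digest"` }                 `json:"subject"`
	Predicate     struct{ Builder struct{ ID string `json:"id"` } `json:"builder"` } `json:"predicate"`
}

// PAE is the DSSE pre-authentication encoding; the signature covers this, so neither payloadType nor body can be swapped after signing.
func PAE(payloadType string, payload []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(payloadType), payloadType, len(payload), payload))
}

// Verify passes only if the envelope is signed by pub, is a SLSA provenance statement
// whose subject is imageDigest, and names allowedBuilder (one example of a policy rule).
func Verify(pub ed25519.PublicKey, payloadB64, sigB64, imageDigest, allowedBuilder string) error {
	payload, err := base64.StdEncoding.DecodeString(payloadB64)
	sig, err2 := base64.StdEncoding.DecodeString(sigB64)
	if err != nil || err2 != nil || !ed25519.Verify(pub, PAE(inTotoType, payload), sig) {
		return fmt.Errorf("attestation signature invalid") // integrity is checked before any policy rule
	}
	var st Statement
	if err := json.Unmarshal(payload, &st); err != nil {
		return err
	}
	if st.PredicateType != slsaType {
		return fmt.Errorf("not a SLSA v0.2 provenance statement: %q", st.PredicateType)
	}
	if len(st.Subject) != 1 || st.Subject[0].Digest["sha256"] != imageDigest {
		return fmt.Errorf("attestation does not cover image sha256:%s", imageDigest)
	}
	if st.Predicate.Builder.ID != allowedBuilder {
		return fmt.Errorf("builder %q not allowed by policy", st.Predicate.Builder.ID)
	}
	return nil
}
```

In practice the public key (or a keyless identity) and the allowed builder list come from the policy configuration rather than function arguments, and the ordering matters: a policy rule is only meaningful once the signature has proven the statement was not altered.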

If you ever need to restore the default EC integration test to an application, or if you want to use a different configuration of the EC as an integration test, see our Adding an integration test guide.

Additional resources
  • To produce a signed in-toto attestation of the build pipeline, go to Tekton Chains.

  • For information on the source code for the Tekton pipelines defined in the bundle, see the build-definitions and ec-cli repositories.

  • To use a specific version of the pipeline bundle instead of the devel tag, you can select one of the pinned tags.

  • For information on the components in Enterprise Contract, see Components.

  • For information on the Enterprise Contract policies designed for Konflux, see the Enterprise Contract Policies.