Managing compliance with Conforma
Conforma is an artifact verifier and customizable policy checker. By default, Konflux adds Conforma as an integration test to each new application. Conforma verifies the signed provenance of every build produced through Konflux and checks that the resulting container images comply with your organization's policies, which is how it helps keep your software supply chain secure.
Konflux's build process uses Tekton Chains to produce a signed in-toto provenance attestation of the build pipeline. Conforma verifies the signature on that attestation, confirms that the attestation describes the image under test, and then evaluates the attestation and the image against a set of policies. These policies include supply-chain best practices and any organization-specific requirements.
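To make the verification step concrete, here is an added example in Go (not Conforma's, Tekton Chains' or Konflux's own code) that walks the same stages: a build-side routine that wraps a provenance statement in a DSSE envelope and signs its pre-authentication encoding, as Tekton Chains does, and a verifier that checks the signature before reading the payload, confirms the attestation's subject is the image digest being tested, and only then applies policy. The builder id `https://tekton.dev/chains/v2`, the image name and digest, the choice of Ed25519 keys and the statement JSON template are assumptions or constructed sample data; real Conforma verifies with cosign-compatible keys and evaluates Rego policies rather than the hard-coded rules here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// Assumed values: the builder id Tekton Chains writes into SLSA v0.2 provenance, the predicate and
// DSSE payload types this verifier accepts, and a constructed statement template (not real Chains output).
const (
	trustedBuilder = "https://tekton.dev/chains/v2"
	predicateType  = "https://slsa.dev/provenance/v0.2"
	payloadType    = "application/vnd.in-toto+json"
	stmtTmpl       = `{"_type":"https://in-toto.io/Statement/v0.1","predicateType":"%s","subject":[{"name":` +
		`"quay.io/example/app","digest":{"sha256":"%s"}}],"predicate":{"builder":{"id":"%s"}}}`
)

// Envelope is the DSSE envelope shape; each signature covers pae(payloadType, payload), never the bare payload.
type Envelope struct {
	PayloadType string      `json:"payloadType"`
	Payload     string      `json:"payload"` // base64 of the in-toto statement
	Signatures  []Signature `json:"signatures"`
}
type Signature struct {
	Sig string `json:"sig"` // base64 signature over the PAE
}

// pae is the DSSE pre-authentication encoding: "DSSEv1" SP len(type) SP type SP len(payload) SP payload.
func pae(payloadType string, payload []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(payloadType), payloadType, len(payload), payload))
}

// sign plays Tekton Chains' role at build time: wrap the statement and sign its PAE.
// Ed25519 is an assumption made for brevity; Chains is commonly configured with ECDSA P-256 (cosign) keys.
func sign(priv ed25519.PrivateKey, stmt []byte) Envelope {
	sig := ed25519.Sign(priv, pae(payloadType, stmt))
	return Envelope{PayloadType: payloadType, Payload: base64.StdEncoding.EncodeToString(stmt),
		Signatures: []Signature{{Sig: base64.StdEncoding.EncodeToString(sig)}}}
}

// verify is the verifier's side, in the order that matters: signature, then that the statement describes
// this image digest, then policy. An error means the attestation is untrusted and its contents were never
// evaluated; the returned strings are policy violations, so an empty list is a pass.
func verify(pub ed25519.PublicKey, env Envelope, imageDigest string) (violations []string, err error) {
	payload, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return nil, err
	}
	signed := false
	for _, s := range env.Signatures {
		raw, err := base64.StdEncoding.DecodeString(s.Sig)
		signed = signed || (err == nil && ed25519.Verify(pub, pae(env.PayloadType, payload), raw))
	}
	if !signed {
		return nil, fmt.Errorf("no valid signature over attestation")
	}
	var st struct { // encoding/json matches keys case-insensitively, so this subset needs no tags
		PredicateType string
		Subject       []struct{ Digest map[string]string }
		Predicate     struct{ Builder struct{ ID string } }
	}
	if err := json.Unmarshal(payload, &st); err != nil {
		return nil, err
	}
	covers := false
	for _, sub := range st.Subject {
		covers = covers || sub.Digest["sha256"] == imageDigest
	}
	if !covers {
		violations = append(violations, "attestation does not cover image digest "+imageDigest)
	}
	// Only read builder.id out of a predicate type we understand; anything else is untrusted provenance.
	if st.PredicateType != predicateType || st.Predicate.Builder.ID != trustedBuilder {
		violations = append(violations, "untrusted provenance: "+st.PredicateType+" from "+st.Predicate.Builder.ID)
	}
	return violations, nil
}

// Demo runs three cases: a trusted build (no violations), a payload swapped after signing (rejected
// before policy runs) and a validly signed build from an untrusted builder (a policy failure).
func Demo() (good []string, tamperErr error, untrusted []string, err error) {
	const digest = "5f1b6b2c9c5d7e8f0a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f6071" // assumed image digest
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	forged := []byte(fmt.Sprintf(stmtTmpl, predicateType, digest, "https://attacker.example/builder"))
	env := sign(priv, []byte(fmt.Sprintf(stmtTmpl, predicateType, digest, trustedBuilder)))
	if good, err = verify(pub, env, digest); err != nil {
		return
	}
	// Keep the original signature but swap the payload: the PAE no longer matches, so verify fails early.
	tampered := Envelope{env.PayloadType, base64.StdEncoding.EncodeToString(forged), env.Signatures}
	_, tamperErr = verify(pub, tampered, digest)
	untrusted, err = verify(pub, sign(priv, forged), digest) // real build key, untrusted builder: policy rejects
	return
}

func main() {
	fmt.Println(Demo())
}
```

Run it with `go run`. The tampered case is the one worth studying: a swapped payload carrying the original signature is refused before any policy rule sees it, while a statement legitimately signed by the build key but naming an untrusted builder is caught only by policy. Conforma layers its checks the same way so that policy rules never run over data that was not actually attested.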
If you need to restore the default Conforma integration test to an application (it is still referred to as the EC, for Enterprise Contract, its previous name, in some places), or if you want to run a different Conforma configuration as an integration test, see our Adding an integration test guide.
- For how the signed in-toto attestation of the build pipeline is produced, see Tekton Chains.
- For the source code of the Tekton pipelines defined in the bundle, see the build-definitions and ec-cli repositories.
- To use a specific version of the pipeline bundle instead of the devel tag, select one of the pinned tags.
- For the Conforma policies designed for Konflux, see Conforma Policies.