Inspecting provenance and attestations
We are committed to providing exceptional security with Konflux. We harden the build platform, we provide transparency into the build process, and we expose the composition of artifacts.
To harden the build platform, we enable multiple builds to run on a shared platform while preventing those builds from tampering with each other. This defends against threats to the build process. To provide transparency, we enable you to evaluate policies and conduct audits on the build process. This defends against threats to the package selection.
Our commitment to security means that Konflux conforms to the SLSA v1.0 Build Level 3 requirements.
Don’t take our word for it: you can download and inspect these artifacts yourself! Konflux generates build metadata and pushes it to the container registry as OCI artifacts alongside your software’s build, linked to the image through the referrers API.
Discovering the associated metadata
In the CLI, complete the following steps to discover the associated metadata for a component:
- Find the image for a recently completed build pipeline and export its reference to the IMAGE environment variable. Example:
IMAGE=quay.io/redhat-user-workloads/workspace-tenant/application/component@sha256:<output omitted>
- Print a high-level overview of the metadata that Konflux has created for the component:
cosign tree $IMAGE
Example output:
📦 Supply Chain Security Related artifacts for an image: quay.io/redhat-user-workload/workspace-tenant/application/component@sha256:<sha-digest>
└── 📦 SBOMs for an image tag: quay.io/redhat-user-workload/workspace-tenant/application/component:sha256-<sha-digest>.sbom
   └── 🍒 sha256:<sbom-sha-digest>
└── 💾 Attestations for an image tag: quay.io/redhat-user-workload/workspace-tenant/application/component:sha256-<sha-digest>.att
   └── 🍒 sha256:<attestation-sha-digest>
└── 🔐 Signatures for an image tag: quay.io/redhat-user-workload/workspace-tenant/application/component:sha256-<sha-digest>.sig
   └── 🍒 sha256:<signature-sha-digest>
The cosign tree command shows all metadata associated with the artifact through the referrers API. The SBOM artifact contains the Software Bill of Materials, and the attestation artifact contains the build’s SLSA provenance. We have provided further procedures for you to view and inspect the attestations and SBOMs generated by Konflux.
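The following is an added example, not code from the Konflux docs or from cosign: it derives the tag-based referrer names shown in the tree output from an image digest reference (assuming cosign’s sha256-<digest>.{sbom,att,sig} convention) and decodes one DSSE envelope line of the kind `cosign download attestation` prints, checking that the in-toto statement’s subject digest actually matches the image you asked about. The image reference, digest and envelope are constructed samples; the builder id is a placeholder.

```python
import base64
import json

# Constructed sample values (not from a real Konflux build).
DIGEST_HEX = "0123456789abcdef" * 4
IMAGE = f"quay.io/redhat-user-workloads/workspace-tenant/application/component@sha256:{DIGEST_HEX}"

def referrer_tags(image_ref):
    """Derive the tag-based names cosign uses for an image's referrers:
    repo@sha256:<hex> -> repo:sha256-<hex>.sbom / .att / .sig."""
    repo, digest = image_ref.split("@", 1)
    algo, hexdigest = digest.split(":", 1)
    base = f"{repo}:{algo}-{hexdigest}"
    return {kind: f"{base}.{kind}" for kind in ("sbom", "att", "sig")}

def summarize_attestation(envelope_line, image_ref):
    """Decode one DSSE envelope (one JSON object per line, as printed by
    `cosign download attestation`) and report what it claims about image_ref.
    This only inspects the statement; the signature itself must still be
    verified (cosign verify-attestation or the EC CLI with the Chains key)."""
    env = json.loads(envelope_line)
    if env.get("payloadType") != "application/vnd.in-toto+json":
        raise ValueError(f"not an in-toto envelope: {env.get('payloadType')}")
    stmt = json.loads(base64.b64decode(env["payload"]))
    pred = stmt.get("predicate", {})
    # SLSA v1.0 nests the builder under runDetails; v0.2 kept it top-level.
    builder = pred.get("runDetails", {}).get("builder") or pred.get("builder") or {}
    expected_hex = image_ref.rsplit("sha256:", 1)[1]
    subject_hexes = {s.get("digest", {}).get("sha256") for s in stmt.get("subject", [])}
    return {
        "predicateType": stmt.get("predicateType"),
        "builderId": builder.get("id"),
        "subjectMatchesImage": expected_hex in subject_hexes,  # a provenance for another image is useless here
        "signatureCount": len(env.get("signatures", [])),
    }

# Constructed envelope: a minimal SLSA v1 statement wrapped in DSSE, with a placeholder signature.
_STATEMENT = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": IMAGE.split("@")[0], "digest": {"sha256": DIGEST_HEX}}],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {"runDetails": {"builder": {"id": "https://example.invalid/konflux-builder"}}},
}
SAMPLE_ENVELOPE = json.dumps({
    "payloadType": "application/vnd.in-toto+json",
    "payload": base64.b64encode(json.dumps(_STATEMENT).encode()).decode(),
    "signatures": [{"keyid": "", "sig": "c2lnLXBsYWNlaG9sZGVy"}],
})

if __name__ == "__main__":
    print(json.dumps(referrer_tags(IMAGE), indent=2))
    print(json.dumps(summarize_attestation(SAMPLE_ENVELOPE, IMAGE), indent=2))
```

Against a real build, pipe each line of `cosign download attestation $IMAGE` into summarize_attestation and reject any envelope whose subject does not match your image or whose predicateType is not the SLSA provenance type you expect.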
Additional resources
- Learn about the SLSA framework and how Konflux meets the requirements of SLSA Build Level 3.
- Red Hat’s Enterprise Contract (EC) is a powerful tool that you can also use to verify your SLSA provenance; visit this page to learn how to use the EC CLI tool to verify your provenance. You will need the public key used by Tekton Chains, which you can find by following these instructions.