Inspecting provenance and attestations

We are committed to providing exceptional security with Konflux. We harden the build platform, we provide transparency into the build process, and we expose the composition of artifacts.

To harden the build platform, we enable multiple builds to run on a shared platform while preventing those builds from tampering with each other. This defends against threats to the build process. To provide transparency, we enable you to evaluate policies and conduct audits on the build process. This defends against threats to the package selection.

Our commitment to security means that Konflux conforms to the SLSA v1.0 Build Level 3 requirements.

Don’t take our word on the transparency: you can download and inspect these artifacts yourself! Konflux generates build metadata (signatures, SLSA provenance attestations, and SBOMs) and pushes it as OCI artifacts to the container registry alongside your software’s build image, linked to the image digest through the referrers API.

Discovering the associated metadata

Prerequisites
  • Install the Cosign CLI tool.

  • Install the jq CLI tool.

  • Login to Konflux.

Procedure

In the CLI, complete the following steps to discover the associated metadata for a component:

  1. Find the image for a recently completed build pipeline and export its digest-pinned reference to the IMAGE environment variable.

    Example:

    IMAGE=quay.io/redhat-user-workloads/workspace-tenant/application/component@sha256:<output omitted>
  2. Print a high-level overview of the artifact’s metadata that Konflux has created for a component:

    cosign tree $IMAGE

    Example output:

    📦 Supply Chain Security Related artifacts for an image: quay.io/redhat-user-workload/workspace-tenant/application/component@sha256:<sha-digest>
    └── 📦 SBOMs for an image tag: quay.io/redhat-user-workload/workspace-tenant/application/component:sha256-<sha-digest>.sbom
       └── 🍒 sha256:<sbom-sha-digest>
    └── 💾 Attestations for an image tag: quay.io/redhat-user-workload/workspace-tenant/application/component:sha256-<sha-digest>.att
       └── 🍒 sha256:<attestation-sha-digest>
    └── 🔐 Signatures for an image tag: quay.io/redhat-user-workload/workspace-tenant/application/component:sha256-<sha-digest>.sig
       └── 🍒 sha256:<signature-sha-digest>

The cosign tree command shows all metadata associated with the artifact via the referrers API: the SBOM artifact contains the Software Bill of Materials, the attestations artifact contains the build provenance, and the signatures artifact contains the image signatures. Note that this command only discovers and lists the metadata; it does not verify it. Further procedures describe how to download, verify, and inspect the attestations and SBOMs that Konflux generates.
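The references shown in the cosign tree output follow cosign’s naming convention: each metadata artifact is stored under a tag derived from the image digest (`sha256-<digest>.sbom`, `.att`, `.sig`). The following shell script is an added example and not part of the Konflux documentation or tooling; it derives those references from a digest-pinned IMAGE value, refusing tag-only references, and, when cosign and jq are installed, lists the predicate type of each attestation so you can see which provenance documents a build carries. The repository name and digest in the sample are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example (not Konflux's own code): locate cosign-convention metadata
# references for an image and list its attestation predicate types.
set -eu

# Print the three tag-based references cosign uses for an image digest.
# The input must be pinned by digest ("repo@sha256:<hex>"): tags are mutable,
# and build metadata is only meaningful when tied to the immutable digest.
konflux_metadata_refs() {
    image="$1"
    case "$image" in
        *@sha256:*) ;;
        *) echo "expected a digest-pinned image reference, got: $image" >&2; return 1 ;;
    esac
    repo="${image%@sha256:*}"      # everything before "@sha256:"
    hex="${image##*@sha256:}"      # the hex digest after "@sha256:"
    printf '%s\n' \
        "${repo}:sha256-${hex}.sbom" \
        "${repo}:sha256-${hex}.att" \
        "${repo}:sha256-${hex}.sig"
}

# Download the attestation envelopes for the image and print each predicate
# type (for example the SLSA provenance type). `cosign download attestation`
# emits one DSSE envelope per line whose base64 "payload" is an in-toto
# statement; this only downloads, it does not verify any signature.
# Requires cosign, jq (1.6+ for @base64d) and registry access.
konflux_attestation_types() {
    cosign download attestation "$1" \
        | jq -r '.payload | @base64d | fromjson | .predicateType'
}

# Sample usage with a constructed reference; the network step only runs when
# cosign is available and IMAGE is set in the environment.
konflux_metadata_refs "quay.io/example-tenant/app/component@sha256:0123abcd"
if command -v cosign >/dev/null 2>&1 && [ -n "${IMAGE:-}" ]; then
    konflux_attestation_types "$IMAGE"
fi
```

Because `cosign download` performs no verification, treat its output as untrusted input for inspection only; use `cosign verify-attestation` with the expected signing identity before relying on a provenance document in a policy decision.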

Additional resources