# Konflux Documentation > Konflux is an open-source platform for building, testing, and releasing applications with enterprise-grade software supply chain security. It automates CI/CD pipelines using Tekton, provides SLSA Build Level 3 provenance, integrates policy-based compliance checks with Conforma, and manages releases across environments — all on Kubernetes. - Documentation site: https://konflux-ci.dev/docs/ - Source code: https://github.com/konflux-ci/docs - Operator and installation docs: https://konflux-ci.dev/konflux-ci/docs/ ## Docs - [Why Konflux?](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/ROOT/pages/index.adoc): Konflux's value proposition and key platform capabilities. - [Getting started](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/ROOT/pages/getting-started.adoc): Key concepts: namespaces, pipelines, and tenant workflows on Konflux. - [Share Tenant with Community](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/ROOT/pages/share-with-community.adoc): Granting all authenticated Konflux users read-only access to your tenant namespace. - [Trust and security model](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/ROOT/pages/trust-model.adoc): How Konflux secures the software supply chain through build isolation, namespace separation, and policy-gated releases. ## Building - [Building](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/building/pages/index.adoc): How build pipelines work with attestations and where to customize build setup. - [Creating applications and components](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/building/pages/creating.adoc): How to create applications and components through the UI or kubectl. - [Onboarding a component from GitHub](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/building/pages/creating-github.adoc): Onboarding a component from a GitHub repository using the GitHub App. - [Onboarding a component from GitLab](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/building/pages/creating-gitlab.adoc): Onboarding a component from a GitLab repository using access tokens and secrets. - [Onboarding a component from Forgejo](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/building/pages/creating-forgejo.adoc): Onboarding a component from a Forgejo repository using access tokens and secrets. - [Deleting applications and components](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/building/pages/deleting.adoc): Removing applications or components and the consequences for images and snapshots. - [Running build pipelines](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/building/pages/running.adoc): Triggering pre-merge and post-merge builds through Pipelines as Code. - [Customizing the build pipeline](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/building/pages/customizing-the-build.adoc): Customizing PipelineRun parameters, timeouts, and tasks under .tekton. - [Configuration as code](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/building/pages/configuration-as-code.adoc): Modeling applications and components with Kustomize for repeatable configuration. - [Reconfiguring the build pipeline](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/building/pages/reconfiguring-build-pipeline.adoc): Resetting or switching a component's build pipeline to a newer definition. - [Customizing ImageRepository](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/building/pages/imagerepository.adoc): Adjusting ImageRepository visibility, credentials rotation, and Quay settings. - [Using labels and annotations](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/building/pages/labels-and-annotations.adoc): Adding dynamic OCI labels and annotations to images from pipeline parameters. - [Passing buildah arguments](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/building/pages/build-with-args.adoc): Supplying build arguments to buildah via BUILD_ARGS_FILE in PipelineRuns. - [Creating secrets for your builds](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/building/pages/secrets/index.adoc): Overview of secret types for SCM, registry pulls, tasks, container mounts, and vaults. - [Creating task input secrets](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/building/pages/secrets/creating-task-input-secrets.adoc): Creating key/value secrets consumed by pipeline tasks that require them. - [Creating registry pull secrets](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/building/pages/secrets/creating-registry-pull-secrets.adoc): Registering pull secrets for private base images such as registry.redhat.io. - [Creating source control management secrets](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/building/pages/secrets/creating-scm-secrets.adoc): Storing SCM tokens for Pipeline-as-Code when not using the GitHub App. - [Referencing Secrets in a Containerfile](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/building/pages/secrets/referencing-secrets-in-containerfile.adoc): Mounting Kubernetes secrets into container builds with ADDITIONAL_SECRET. - [Secrets from external vaults](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/building/pages/secrets/secrets-from-external-vaults.adoc): Syncing secrets from external vaults using External Secrets Operator. - [Enabling hermetic builds](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/building/pages/hermetic-builds.adoc): Configuring network-isolated builds and tying them to dependency prefetching. - [Enabling caching proxy](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/building/pages/caching-proxy.adoc): Enabling Squid-backed HTTP proxy caching for faster container layer pulls. - [Prefetching package manager dependencies](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/building/pages/prefetching-dependencies.adoc): Prefetching package manager dependencies with Hermeto for reproducible hermetic builds. - [Using trusted artifacts](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/building/pages/using-trusted-artifacts.adoc): Using Trusted Artifacts to securely share data between pipeline tasks. - [Preventing redundant rebuilds](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/building/pages/redundant-rebuilds.adoc): Tuning PaC on-cel-expression so PRs rebuild only affected components. - [Overriding compute resources](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/building/pages/overriding-compute-resources.adoc): Overriding Tekton CPU and memory limits per task in PipelineRun specs. - [Accessing private image repositories](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/building/pages/accessing-private-images.adoc): RBAC and proxy URLs for pulling private tenant component images. - [Using custom tags](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/building/pages/custom-tags.adoc): Configuring extra image tags through labels, parameters, or dynamic metadata. - [Building binaries](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/building/pages/build-binaries.adoc): Containerfile patterns for compiling binaries as Konflux-managed artifacts. - [Getting access to Pulp storage](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/building/pages/pulp-access.adoc): Requesting Pulp domains and secrets for non-OCI artifact storage. - [Accessing Pulp content](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/building/pages/accessing-pulp-content.adoc): Accessing uploaded artifacts through the Pulp API and credentials. - [Defining component relationships](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/building/pages/component-nudges.adoc): Cross-component relationships so digest updates open automatic PRs. - [Scheduled builds with CronJobs](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/building/pages/scheduled-builds.adoc): Scheduling default-branch push pipelines with Kubernetes CronJobs. - [Using Red Hat subscription content](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/building/pages/activation-keys-subscription.adoc): Using Red Hat activation-key secrets for entitled RPM builds. - [Applying task migrations](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/building/pages/apply-task-migrations.adoc): Running the pipeline migration tool when automatic task migrations are needed. ## Testing - [Testing](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/testing/pages/index.adoc): Overview of build-time, custom, and integration testing on Konflux. - [Build-time tests](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/testing/pages/build/index.adoc): Default build-time security and quality Tekton tasks that run automatically. - [Enabling Snyk](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/testing/pages/build/snyk.adoc): Enabling Snyk SAST by wiring a token secret into the build pipeline. - [Integration tests](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/testing/pages/integration/index.adoc): How integration tests, snapshots, and the Global Candidate List work together. - [Adding an integration test](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/testing/pages/integration/adding.adoc): Registering an integration test scenario pointing at a Git pipeline definition. - [Creating a custom integration test](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/testing/pages/integration/creating.adoc): Authoring a custom Tekton integration pipeline and publishing it from Git. - [Editing integration tests](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/testing/pages/integration/editing.adoc): Updating integration test Git refs, paths, parameters, and release settings. - [Debugging an integration test](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/testing/pages/integration/debugging.adoc): Finding failed integration PipelineRuns via activity views and logs. - [Rerunning an integration test](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/testing/pages/integration/rerunning.adoc): Re-triggering integration tests by labeling snapshots with run selectors. - [Canceling an integration test](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/testing/pages/integration/canceling.adoc): Manual cancellation and automatic supersession when snapshots refresh. - [Choosing when to run certain Integration Tests](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/testing/pages/integration/choosing-contexts.adoc): Selecting IntegrationTestScenario contexts for PRs, pushes, overrides, and groups. - [Disabling Integration Test Comments](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/testing/pages/integration/disable-integration-comment.adoc): Suppressing GitLab MR comments via component annotations. - [Accessing Private Repositories](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/testing/pages/integration/accessing-private-repositories.adoc): Linking registry and Git secrets for private integration pipelines. - [Triggering Periodic Integration Tests](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/testing/pages/integration/periodic-integration-tests.adoc): Running integration tests on a schedule via CronJobs and snapshot labeling. - [Standardized outputs](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/testing/pages/integration/standardized-outputs.adoc): TEST_OUTPUT, SCAN_OUTPUT, and other structured Tekton result formats. - [Export Pipeline Logs to Quay](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/testing/pages/integration/logs-to-quay.adoc): Archiving full PipelineRun logs to the image registry with export-pipeline-logs. - [Snapshots](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/testing/pages/integration/snapshots/index.adoc): Snapshots as immutable component image sets for testing and releasing. - [Working with Snapshots](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/testing/pages/integration/snapshots/working-with-snapshots.adoc): Creating and verifying kubectl-defined manual snapshots. - [Creating an override snapshot](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/testing/pages/integration/snapshots/override-snapshots.adoc): Resetting Global Candidate Lists with labeled override snapshots. - [Creating a group snapshot](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/testing/pages/integration/snapshots/group-snapshots.adoc): Coordinating linked PR branches into group snapshots across components. - [Testing with Jenkins](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/testing/pages/integration/third-parties/jenkins.adoc): Triggering external Jenkins jobs from a Konflux integration test. - [Testing with Testing Farm](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/testing/pages/integration/third-parties/testing-farm.adoc): Running integration tests using Testing Farm's Tekton integration. - [Testing with RapiDAST](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/testing/pages/integration/third-parties/rapidast.adoc): Running dynamic application security testing (DAST) with RapiDAST. - [Testing with Openshift CI](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/testing/pages/integration/third-parties/openshift-ci.adoc): Integrating with OpenShift CI through ProwJobs or ephemeral-cluster tasks. ## Inspecting provenance and attestations - [Inspecting provenance and attestations](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/metadata/pages/index.adoc): SLSA L3 supply-chain transparency and how to inspect build metadata. - [Discovering the associated metadata](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/metadata/pages/discover.adoc): Using cosign and jq to list OCI referrers and metadata for built images. - [Inspecting SBOMs](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/metadata/pages/sboms.adoc): Build-time and release-time SBOMs: how they are generated and how to retrieve them. - [Inspecting artifact attestations](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/metadata/pages/attestations.adoc): Downloading and inspecting Tekton Chains SLSA provenance attestations with cosign. - [Inspecting artifact scan results](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/metadata/pages/scan-results.adoc): Fetching SARIF scan artifacts attached to images via the OCI referrers API. ## Compliance - [Compliance](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/compliance/pages/index.adoc): Conforma integration tests and attestation-based policy enforcement. - [Customizing Policy](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/compliance/pages/customizing-policy.adoc): Waiving or adjusting Conforma policies when builds cannot satisfy default rules. - [Policy Evaluations](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/compliance/pages/policy-evaluations.adoc): Locating which policies are bound to integration tests and release admissions. ## Releasing - [Releasing](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/releasing/pages/index.adoc): Development versus managed-environment roles in Konflux release workflows. - [Creating a release plan](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/releasing/pages/create-release-plan.adoc): Defining ReleasePlan CRs for snapshot promotion and optional automation. - [Creating a release plan admission](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/releasing/pages/create-release-plan-admission.adoc): Defining ReleasePlanAdmission CRs with pipelines and policy in managed namespaces. - [Creating a release](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/releasing/pages/create-release.adoc): Creating a Release CR to promote a snapshot through an approved ReleasePlan. - [Re-trigger a release manually](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/releasing/pages/retrigger-release.adoc): Re-triggering a release by creating a new Release CR with the same spec. - [Tenant Release Pipelines](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/releasing/pages/tenant-release-pipelines.adoc): Running pre-release steps in the developer tenant namespace via tenantPipeline. - [Adjusting timeouts and resources](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/releasing/pages/adjusting-timeouts-resources.adoc): Extending release PipelineRun timeouts and TaskRun compute resources. - [Using collectors](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/releasing/pages/using-collectors.adoc): Using collector scripts to fetch dynamic data into release status early. ## Dependency Management - [Dependency Management](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/mintmaker/pages/user.adoc): User guide to MintMaker/Renovate configuration, scheduling, and dependency managers. - [Security updates](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/mintmaker/pages/security-updates.adoc): CVE-titled security update PRs generated automatically by MintMaker. - [RPM lockfiles](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/mintmaker/pages/rpm-lockfile.adoc): Automating RPM lockfile refresh through MintMaker's RPM extension. - [Default configuration](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/mintmaker/pages/default-config.adoc): Backend default Renovate presets and branch policies applied by MintMaker. - [Support matrix](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/mintmaker/pages/support.adoc): Matrix of supported dependency managers, versions, and known limitations. ## How-to guides - [How-to guides](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/patterns/pages/index.adoc): Index of advanced how-to guides for Konflux-integrated repositories. - [Building upstream project with git submodules](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/patterns/pages/git-submodules.adoc): Syncing upstream code into downstream repos using Git submodules and automation. - [Running user scripts on the build pipeline](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/patterns/pages/running-user-scripts-on-the-build-pipeline.adoc): Running custom scripts before the image build step in trusted-artifact pipelines. - [Evolving build pipeline management](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/patterns/pages/managing-pipeline-changes.adoc): Evolving from embedded pipeline specs to shared local and remote Tekton pipelines. - [Centralizing Tekton pipeline definitions in your repository](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/patterns/pages/centralize-pipeline-definitions.adoc): Extracting one Pipeline manifest referenced by multiple PipelineRuns in a repo. - [Remote pipeline definitions](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/patterns/pages/keep-remote-pipelines-up-to-date.adoc): Hosting shared pipelines in Git and resolving them from component repos. - [Managing multiple software versions](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/patterns/pages/managing-multiple-versions.adoc): Using Project CRDs to template parallel software version streams. - [Managing monorepo Applications](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/patterns/pages/managing-monorepo-applications.adoc): Tuning monorepo triggers, submodules, tests, and releases on Konflux. - [Maintaining valid image references before a release](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/patterns/pages/maintaining-references-before-release.adoc): Mapping release targets so nudges rewrite digests for post-release registries. - [Testing and releasing a single Component](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/patterns/pages/testing-releasing-single-component.adoc): Isolating Conforma and release gating per component within an application. - [GitOps for Releases](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/patterns/pages/gitops-for-manual-releases.adoc): Exporting snapshots to Git for reviewed, manual release promotion. - [Managing a security fix](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/patterns/pages/managing-security-fix.adoc): Using private mirrors and tenants to develop and ship embargoed security fixes. - [GitHub merge queues](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/patterns/pages/github-merge-queues.adoc): Configuring Konflux PR pipelines to work with GitHub merge queues. - [Slack Webhook Notifications](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/patterns/pages/slack-notifications.adoc): Sending Slack webhook alerts from pipeline finally blocks. - [Maintaining parity between tags and labels](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/patterns/pages/mapping-tags-to-labels.adoc): Keeping OCI version labels and image tags in sync from shared Git parameters. ## End-to-end guides - [Building an OLM operator](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/end-to-end/pages/building-olm.adoc): Building OLM operators, bundles, and file-based catalogs end to end. - [Building Tekton tasks](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/end-to-end/pages/building-tekton-tasks.adoc): Onboarding Tekton task catalog repos to produce bundle images on Konflux. ## Installation - [Installing Konflux](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/installing/pages/index.adoc): Installation paths for UI-based and manifest-based onboarding to Konflux. - [Enabling build pipelines](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/installing/pages/enabling-builds.adoc): Enabling smee, GitHub App, image controller, and related build prerequisites. - [GitHub App](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/installing/pages/github-app.adoc): Why and how the Konflux GitHub App powers Pipelines as Code integration. ## Troubleshooting - [Builds](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/troubleshooting/pages/builds.adoc): Diagnosing and fixing common build failures such as disk, network, and workspace issues. - [Releases](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/troubleshooting/pages/releases.adoc): Diagnosing release signature failures and related pipeline problems. - [Registry Issues](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/troubleshooting/pages/registries.adoc): Debugging Tekton registry auth wiring and push or pull errors. - [Service Account Authentication](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/troubleshooting/pages/service-accounts.adoc): Resolving invalid or expired externally issued service-account tokens. ## Reference - [Reference](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/reference/pages/index.adoc): Pointers to sample repositories, Kubernetes APIs, and other reference material. - [Sample repositories](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/reference/pages/sample-repositories.adoc): Official example repositories illustrating various Konflux setups. - [LLM-friendly documentation (llms.txt)](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/reference/pages/llms-txt.adoc): The published llms.txt index and MCP tooling for AI coding assistants. - [Konflux Kubernetes APIs](https://raw.githubusercontent.com/konflux-ci/docs/main/modules/reference/pages/kube-apis/index.adoc): Index of Konflux custom resource API specifications.