Rego policies related to Conforma.
The Makefile contains a lot of useful scripts and commands. Run `make` by itself to see the help.
Go is required for development. Tools like conftest and opa are executed with the Go binary; they do not need to be installed on your system. See the top of the go.mod file for the minimum version of Go required.
Most of the maintainers use asdf to seamlessly use the right version of Go.
Some optional make targets may require additional tooling. For example, `make live-test` requires entr to be installed.
The rego files should be formatted using the standard format. To apply the standard format, run this before committing:

```shell
make fmt
```

The documentation is built using Antora.
Those docs are published here.
When making changes to policy rules, the docs will likely need to be re-generated. To do so, run:

```shell
make generate-docs
```

Commit all of the modified files.
From the top level directory you can run all tests and formatting checks, as well as check that the docs are up to date, like this:

```shell
make ci
```

You can run a single test like this:

```shell
ec opa test ./policy -r <test_name_matcher>
```

or:

```shell
go run github.com/conforma/cli opa test ./policy -r <test_name_matcher>
```

The `<test_name_matcher>` is a regex, so you can use it to run more than one test.
See the Makefile for other ways to run the tests.
Policies must have unit tests validating them. All test files must adhere to the naming convention:

```
file.rego
file_test.rego
```

Refer to the policy testing docs for more information.
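As an added example (not code from the Conforma policy repository), here is a small policy rule and its unit test file laid out with that naming convention. The package name `example_label`, the file paths, the `input.image.config.Labels` shape and the result fields are all assumptions for illustration, and `import rego.v1` assumes an OPA version that supports it. The block holds the two files, separated by comment markers, and the tests exercise both the passing and the failing branch so the rule stays at 100% coverage.

```rego
# --- file: policy/release/example_label/example_label.rego (hypothetical path, added example) ---
#
# METADATA
# title: Image must carry a maintainer label
# description: Fails when the image config has no "maintainer" label (hypothetical rule).
package example_label

import rego.v1

# Deny when the image config carries no "maintainer" label.
# input.image.config.Labels is assumed to be the image config's label map.
deny contains result if {
	not input.image.config.Labels.maintainer
	result := {
		"code": "example_label.missing_maintainer",
		"msg": "Image config is missing the 'maintainer' label",
	}
}

# --- file: policy/release/example_label/example_label_test.rego (hypothetical path, added example) ---
package example_label_test

import rego.v1

import data.example_label

# Constructed sample inputs shaped like the image data the rule reads.
_image_with_label := {"image": {"config": {"Labels": {"maintainer": "team@example.com"}}}}

_image_without_label := {"image": {"config": {"Labels": {"vendor": "Example"}}}}

# Passing branch: a labelled image produces no denial.
test_passes_with_label if {
	count(example_label.deny) == 0 with input as _image_with_label
}

# Failing branch: the exact result object is returned when the label is absent.
test_fails_without_label if {
	expected := {{
		"code": "example_label.missing_maintainer",
		"msg": "Image config is missing the 'maintainer' label",
	}}
	example_label.deny == expected with input as _image_without_label
}
```

With the two files in place, `ec opa test ./policy -r example_label` runs just these tests, and asserting on the full result object (rather than only on `count`) catches a changed `code` or `msg` string, which matters because downstream tooling keys off those values.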
The CI also enforces that there is 100% test coverage. If you're not at 100% you can use this to show what lines of code are not covered:

```shell
make coverage
```

Fetch an image attestation from a registry:
```shell
make fetch-att
more input/input.json # to look at it
```

or:

```shell
make fetch-att IMAGE=<some-image-with-an-attestation-ref>
```

Create a dummy policy config file:

```shell
make dummy-config
cat data/config.json # to look at it
```

Then to verify the build using the defined policies:

```shell
make check-release
```

For example, to fetch a pipeline definition from your local cluster:

```shell
make fetch-pipeline
make fetch-pipeline PIPELINE=<some-pipeline-name>
more input/input.json # to look at it
```

For a realistic Konflux pipeline definition that doesn't require cluster access, if you have the build-definitions repo checked out nearby you can do something like this:

```shell
( cd ../build-definitions && kustomize build pipelines/hacbs | yq 'select(document_index == 2)' -o json ) > input/input.json
```

Then to verify the pipeline definition using the defined policies:
```shell
make check-pipeline
```

Running policies against local ec build

Build a local version of ec in your local cli repo:

```shell
make build
```

Create a policy.yaml file in your local cli repo with something like:

```yaml
---
sources:
  - policy:
      - <path-to>/policy/policy/lib
      - <path-to>/policy/policy/release
    data:
      - oci::quay.io/konflux-ci/tekton-catalog/data-acceptable-bundles:latest
      - github.com/release-engineering/rhtap-ec-policy//data
```

Run the locally built ec command:

```shell
dist/ec_<arch> validate image --verbose \
  --images '{"components": [{"containerImage": "<container-image>", "name":"my-image", "source":{"git":{"url":"<repository-url>","revision":"<commit-id>"}}}]}' \
  --policy 'policy.yaml' \
  --public-key <public-key-to-verify-the-image> \
  --strict false \
  --ignore-rekor \
  --output=text
```

The policies defined here are bundled and pushed as OCI artifacts using conftest. There are three bundles: one for each of the release and pipeline policies, and one for the data which is used by both.
The `push-bundles` make target automates creating and pushing these bundles to quay.io and generating a related PR in the infra-deployments repo so the latest bundles are used.
See also the policy bundle documentation.
See the Policy Authoring documentation for guidance on contributing to the definition of policy rules.