Enterprise Contract


The Enterprise Contract’s purpose is to ensure container images produced by AppStudio meet certain clearly defined requirements before they are considered releasable. Should a container image not meet the requirements the Enterprise Contract will produce a list of the reasons why so they can be addressed as required to produce a releasable build.

Enterprise Contract requirements fall broadly into two categories, “built-in requirements”1 and “rule-based requirements”.

Built-in requirements

The built-in requirements are as follows:

Rule-based requirements

The rule-based requirements are based on the content of the pipeline run attestation and are defined using Rego, the Open Policy Agent query language.

Some examples of rule-based requirements are:

The technique of checking for a specific task result from a specific known and trusted task definition is a useful way to create a robust policy rule. The rego language is flexible and expressive so it’s easy to create arbitrary policy rules based on anything exposed in pipeline run attestation.



The ec-cli is a command line utility written in Go. Its primary purpose is to perform the EC policy validation, which it does as follows:

The ec-cli also supports other related functions. For more information on ec-cli refer to the documentation and the code.

EC Task Definition

The EC Task Definition defines how the ec-cli command should be run in a Tekton task. It handles the task inputs and outputs and calls the ec-cli as needed to perform the EC validation.

The task is defined here.

EC Policy CRD

The ECP CRD defines a Kubernetes CR which is used to hold the configuration needed for running a specific instance of the Enterprise Contract. This includes the public key required to verify signatures, the list of policy and data sources, and any other required configuration.

You can view the source code for the ECP CRD here and see its documentation here. See also the related API Reference

EC Policies

The reference set of policy rules for AppStudio is defined here and documented here. It includes rules for a range of different policies that are considered useful for AppStudio.

There are Conftest bundles containing the latest version of these policies available in quay.io here.

Tekton Chains

Tekton Chains is a dependency for EC since EC works by examining attestations created by Tekton Chains when AppStudio build pipelines are running.

For more information on Tekton Chains refer to the documentation, and the GitOps configuration here.

The Release Pipeline

The AppStudio Release Pipeline contains an instance of the EC Task which is used to gate the release. If the EC task fails the release should be blocked. This functionality is handled by the Release Pipeline.

For more information, see AppStudio Release Service Bundles.

EC and Renovate Bot

To verify that tasks used in the build pipeline are from known and trusted Tekton bundles, EC requires a list of those bundles.

AppStudio users can leverage the Renovate Bot service to keep such Tekton bundle lists up to date. The service can be configured to run periodically, and provide pull requests with updated references. Alternatively, users can run their own instance of Renovate either as a service or on-demand.

Additional Resources

  1. Not sure about the terminology here. Do we have a better term for requirements enforced by ec-cli that are not defined by rego rules? 

  2. The list of images in a release is defined in a Snapshot CRD. The input to EC is a JSON formatted representation of this image list, but a single image is also supported. 

  3. Not sure about this terminology either. Conceptually the “source group” consists of one or more policy sources and zero or more data sources.