diff --git a/README.md b/README.md index 5001c96f9..afc4414ef 100644 --- a/README.md +++ b/README.md @@ -1,11 +1,11 @@ -# `ec` a command line client for evaluating the Enterprise Contract +# `ec` a command line client for verifying artifacts and evaluating policies -The `ec` tool is used to evaluate Enterprise Contract policies for Software +The `ec` tool is used to evaluate Conforma policies for Software Supply Chain. Various sub-commands can be used to assert facts about an artifact such as: * Validating container image signature * Validating container image provenance - * Evaluating Enterprise Contract [policies][pol] over the container image provenance + * Evaluating [policies][pol] over the container image provenance * Fetching artifact authorization Consult the [documentation][docs] for available sub-commands, descriptions and diff --git a/cmd/fetch/fetch_policy.go b/cmd/fetch/fetch_policy.go index 9b8bd6a2c..39f494f54 100644 --- a/cmd/fetch/fetch_policy.go +++ b/cmd/fetch/fetch_policy.go @@ -52,9 +52,8 @@ func fetchPolicyCmd() *cobra.Command { documentation for more usage examples and for details on the different types of supported source URLs. - Note that this command is not typically required to verify the Enterprise - Contract. It has been made available for troubleshooting and debugging - purposes. + Note that this command is not typically required to evaluate policies. + It has been made available for troubleshooting and debugging purposes. `), Example: hd.Doc(` diff --git a/cmd/inspect/inspect_policy.go b/cmd/inspect/inspect_policy.go index 70b53bb2c..8e34096ce 100644 --- a/cmd/inspect/inspect_policy.go +++ b/cmd/inspect/inspect_policy.go 
@@ -63,16 +63,16 @@ func inspectPolicyCmd() *cobra.Command { including the rule annotations which include the rule's title and description and custom fields used by ec to filter the results produced by conftest. - Note that this command is not typically required to verify the Enterprise - Contract. It has been made available for troubleshooting and debugging purposes. + Note that this command is not typically required to evaluate policies. + It has been made available for troubleshooting and debugging purposes. `), Example: hd.Doc(` - Print a list of rules and their descriptions from the latest Enterprise Contract release policy: + Print a list of rules and their descriptions from the latest release policy: ec inspect policy --source quay.io/enterprise-contract/ec-release-policy - Display details about the latest Enterprise Contract release policy in json format: + Display details about the latest release policy in json format: ec inspect policy --source quay.io/enterprise-contract/ec-release-policy -o json | jq `), diff --git a/cmd/inspect/inspect_policy_data.go b/cmd/inspect/inspect_policy_data.go index f51df593d..8e3077489 100644 --- a/cmd/inspect/inspect_policy_data.go +++ b/cmd/inspect/inspect_policy_data.go @@ -56,8 +56,8 @@ func inspectPolicyDataCmd() *cobra.Command { the policy is fetched it reads json and yaml files inside the policy source and displays the data. - Note that this command is not typically required to verify the Enterprise - Contract. It has been made available for troubleshooting and debugging purposes. + Note that this command is not typically required to evaluate policies. + It has been made available for troubleshooting and debugging purposes. `), Example: hd.Doc(` diff --git a/cmd/root/root_cmd.go b/cmd/root/root_cmd.go index 82bb02974..27f7908d7 100644 --- a/cmd/root/root_cmd.go +++ b/cmd/root/root_cmd.go 
@@ -34,6 +34,7 @@ import ( "github.com/enterprise-contract/ec-cli/internal/kubernetes" "github.com/enterprise-contract/ec-cli/internal/logging" "github.com/enterprise-contract/ec-cli/internal/tracing" + "github.com/enterprise-contract/ec-cli/internal/version" ) var ( @@ -57,12 +58,12 @@ func (customDeadlineExceededError) Temporary() bool { return true } func NewRootCmd() *cobra.Command { rootCmd := &cobra.Command{ Use: "ec", - Short: "Enterprise Contract CLI", + Short: version.CliName() + " CLI", Long: hd.Doc(` - Enterprise Contract CLI + ` + version.CliName() + ` CLI - Set of commands to help validate resources with the Enterprise Contract. + Set of commands to help validate resources with the provided policies. `), SilenceUsage: true, diff --git a/cmd/validate/image.go b/cmd/validate/image.go index 0653e0309..13de2065c 100644 --- a/cmd/validate/image.go +++ b/cmd/validate/image.go @@ -82,13 +82,13 @@ func validateImageCmd(validate imageValidationFunc) *cobra.Command { cmd := &cobra.Command{ Use: "image", - Short: "Validate conformance of container images with the Enterprise Contract", + Short: "Validate conformance of container images with the provided policies", Long: hd.Doc(` - Validate conformance of container images with the Enterprise Contract + Validate conformance of container images with the provided policies For each image, validation is performed in stages to determine if the image - conforms to the Enterprise Contract. + conforms to the provided policies. The first validation stage determines if an image has been signed, and the signature matches the provided public key. This is akin to the "cosign verify" diff --git a/cmd/validate/input.go b/cmd/validate/input.go index b5ed2fa40..1a966a672 100644 --- a/cmd/validate/input.go +++ b/cmd/validate/input.go 
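Review bot: The Long help text in NewRootCmd is now built by closing the raw string, splicing `version.CliName()` in, and reopening it inside `hd.Doc(...)`, which is hard to read and means any leading whitespace or newline in the returned name feeds into the dedent computation instead of staying plain text. If `hd` is the heredoc package, the literal can stay intact: change `hd.Doc(` to `hd.Docf(` on the Long line, make the injected first line `%s CLI`, and pass `version.CliName()` as the trailing format argument. The same name is concatenated on the `Short:` line; `version.CliName()` is defined outside this hunk, so I cannot see whether it can return an empty string, in which case Short would read as just " CLI" — a doc comment on CliName stating its fallback value would settle that for readers of this call site. NewRootCmd's body continues past the hunk.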
@@ -57,9 +57,9 @@ func validateInputCmd(validate InputValidationFunc) *cobra.Command { } cmd := &cobra.Command{ Use: "input", - Short: "Validate arbitrary JSON or yaml file input conformance with the Enterprise Contract", + Short: "Validate arbitrary JSON or yaml file input conformance with the provided policies", Long: hd.Doc(` - Validate conformance of arbitrary JSON or yaml file input with the Enterprise Contract + Validate conformance of arbitrary JSON or yaml file input with the provided policies For each file, validation is performed to determine if the file conforms to rego policies defined in the EnterpriseContractPolicy. diff --git a/cmd/validate/validate.go b/cmd/validate/validate.go index 28f2cdd2c..e9f9b1222 100644 --- a/cmd/validate/validate.go +++ b/cmd/validate/validate.go @@ -40,7 +40,7 @@ func init() { func NewValidateCmd() *cobra.Command { validateCmd := &cobra.Command{ Use: "validate", - Short: "Validate conformance with the Enterprise Contract", + Short: "Validate conformance with the provided policies", } validateCmd.PersistentFlags().Bool("show-successes", false, "") return validateCmd diff --git a/docs/antora.yml b/docs/antora.yml index 67bca0208..d314b6cf0 100644 --- a/docs/antora.yml +++ b/docs/antora.yml @@ -16,7 +16,7 @@ --- name: ec-cli -title: Enterprise Contract CLI +title: Conforma CLI (formerly Enterprise Contract CLI) version: ~ nav: - modules/ROOT/nav.adoc diff --git a/docs/modules/ROOT/pages/configuration.adoc b/docs/modules/ROOT/pages/configuration.adoc index df19eefc1..dbf52adb8 100644 --- a/docs/modules/ROOT/pages/configuration.adoc +++ b/docs/modules/ROOT/pages/configuration.adoc 
@@ -397,8 +397,8 @@ JSON:: === Specifying that certain tests should be non-blocking -This example shows how to specify that the Enterprise Contract is allowed to -pass even if certain tests failed or didn't complete. +This example shows how to specify that Conforma should produce a passing +result even if certain tests failed or didn't complete. [tabs] ==== @@ -485,7 +485,7 @@ JSON:: == Data Sources -Some of the Enterprise Contract policy rules, defined in the ec-policies git +Some of the Conforma policy rules, defined in the ec-policies git repository, rely on certain data values when evaluated. For example, a policy rule exists to ensure all the parent container images used during the build process have been retrieved from an acceptable registry. The list of acceptable diff --git a/docs/modules/ROOT/pages/ec.adoc b/docs/modules/ROOT/pages/ec.adoc index 3dc1fa1b5..0d3eef96d 100644 --- a/docs/modules/ROOT/pages/ec.adoc +++ b/docs/modules/ROOT/pages/ec.adoc @@ -1,12 +1,12 @@ = ec -Enterprise Contract CLI +Conforma CLI == Synopsis -Enterprise Contract CLI +Conforma CLI -Set of commands to help validate resources with the Enterprise Contract. +Set of commands to help validate resources with the provided policies. [source,shell] ---- diff --git a/docs/modules/ROOT/pages/ec_fetch.adoc b/docs/modules/ROOT/pages/ec_fetch.adoc index 676dc6a0d..2361290b8 100644 --- a/docs/modules/ROOT/pages/ec_fetch.adoc +++ b/docs/modules/ROOT/pages/ec_fetch.adoc @@ -18,4 +18,4 @@ Fetch remote resources == See also - * xref:ec.adoc[ec - Enterprise Contract CLI] + * xref:ec.adoc[ec - Conforma CLI] diff --git a/docs/modules/ROOT/pages/ec_fetch_policy.adoc b/docs/modules/ROOT/pages/ec_fetch_policy.adoc index 95ceaef35..7925adaf1 100644 --- a/docs/modules/ROOT/pages/ec_fetch_policy.adoc +++ b/docs/modules/ROOT/pages/ec_fetch_policy.adoc 
@@ -16,9 +16,8 @@ This command is based on 'conftest pull' so you can refer to the conftest pull documentation for more usage examples and for details on the different types of supported source URLs. -Note that this command is not typically required to verify the Enterprise -Contract. It has been made available for troubleshooting and debugging -purposes. +Note that this command is not typically required to evaluate policies. +It has been made available for troubleshooting and debugging purposes. [source,shell] ---- diff --git a/docs/modules/ROOT/pages/ec_init.adoc b/docs/modules/ROOT/pages/ec_init.adoc index ecdf04c85..87f68d410 100644 --- a/docs/modules/ROOT/pages/ec_init.adoc +++ b/docs/modules/ROOT/pages/ec_init.adoc @@ -18,4 +18,4 @@ Initialize a directory for use == See also - * xref:ec.adoc[ec - Enterprise Contract CLI] + * xref:ec.adoc[ec - Conforma CLI] diff --git a/docs/modules/ROOT/pages/ec_inspect.adoc b/docs/modules/ROOT/pages/ec_inspect.adoc index 53a16b642..52e71fb9b 100644 --- a/docs/modules/ROOT/pages/ec_inspect.adoc +++ b/docs/modules/ROOT/pages/ec_inspect.adoc @@ -18,4 +18,4 @@ Inspect policy rules == See also - * xref:ec.adoc[ec - Enterprise Contract CLI] + * xref:ec.adoc[ec - Conforma CLI] diff --git a/docs/modules/ROOT/pages/ec_inspect_policy-data.adoc b/docs/modules/ROOT/pages/ec_inspect_policy-data.adoc index 6d56a3257..075a46f7f 100644 --- a/docs/modules/ROOT/pages/ec_inspect_policy-data.adoc +++ b/docs/modules/ROOT/pages/ec_inspect_policy-data.adoc 
@@ -10,8 +10,8 @@ This fetches policy sources similar to the 'ec fetch policy' command, but once the policy is fetched it reads json and yaml files inside the policy source and displays the data. -Note that this command is not typically required to verify the Enterprise -Contract. It has been made available for troubleshooting and debugging purposes. +Note that this command is not typically required to evaluate policies. +It has been made available for troubleshooting and debugging purposes. [source,shell] ---- diff --git a/docs/modules/ROOT/pages/ec_inspect_policy.adoc b/docs/modules/ROOT/pages/ec_inspect_policy.adoc index 103f7ac4a..fa09d88ba 100644 --- a/docs/modules/ROOT/pages/ec_inspect_policy.adoc +++ b/docs/modules/ROOT/pages/ec_inspect_policy.adoc @@ -14,8 +14,8 @@ This can be used to extract information about each rule in the policy source, including the rule annotations which include the rule's title and description and custom fields used by ec to filter the results produced by conftest. -Note that this command is not typically required to verify the Enterprise -Contract. It has been made available for troubleshooting and debugging purposes. +Note that this command is not typically required to evaluate policies. +It has been made available for troubleshooting and debugging purposes. [source,shell] ---- @@ -23,11 +23,11 @@ ec inspect policy --source [flags] ---- == Examples -Print a list of rules and their descriptions from the latest Enterprise Contract release policy: +Print a list of rules and their descriptions from the latest release policy: ec inspect policy --source quay.io/enterprise-contract/ec-release-policy -Display details about the latest Enterprise Contract release policy in json format: +Display details about the latest release policy in json format: ec inspect policy --source quay.io/enterprise-contract/ec-release-policy -o json | jq 
diff --git a/docs/modules/ROOT/pages/ec_opa.adoc b/docs/modules/ROOT/pages/ec_opa.adoc index 0a3a21df9..4c995c27c 100644 --- a/docs/modules/ROOT/pages/ec_opa.adoc +++ b/docs/modules/ROOT/pages/ec_opa.adoc @@ -25,4 +25,4 @@ ec opa [flags] == See also - * xref:ec.adoc[ec - Enterprise Contract CLI] + * xref:ec.adoc[ec - Conforma CLI] diff --git a/docs/modules/ROOT/pages/ec_sigstore.adoc b/docs/modules/ROOT/pages/ec_sigstore.adoc index 0e4eb1df3..170f76ca0 100644 --- a/docs/modules/ROOT/pages/ec_sigstore.adoc +++ b/docs/modules/ROOT/pages/ec_sigstore.adoc @@ -18,4 +18,4 @@ Perform certain sigstore operations == See also - * xref:ec.adoc[ec - Enterprise Contract CLI] + * xref:ec.adoc[ec - Conforma CLI] diff --git a/docs/modules/ROOT/pages/ec_test.adoc b/docs/modules/ROOT/pages/ec_test.adoc index a263f49bb..2b8e8a5d5 100644 --- a/docs/modules/ROOT/pages/ec_test.adoc +++ b/docs/modules/ROOT/pages/ec_test.adoc @@ -105,4 +105,4 @@ the output will include a detailed trace of how the policy was evaluated, e.g. == See also - * xref:ec.adoc[ec - Enterprise Contract CLI] + * xref:ec.adoc[ec - Conforma CLI] diff --git a/docs/modules/ROOT/pages/ec_track.adoc b/docs/modules/ROOT/pages/ec_track.adoc index 32fc16ebf..7a99d571b 100644 --- a/docs/modules/ROOT/pages/ec_track.adoc +++ b/docs/modules/ROOT/pages/ec_track.adoc @@ -18,4 +18,4 @@ Record resource references for tracking purposes == See also - * xref:ec.adoc[ec - Enterprise Contract CLI] + * xref:ec.adoc[ec - Conforma CLI] diff --git a/docs/modules/ROOT/pages/ec_validate.adoc b/docs/modules/ROOT/pages/ec_validate.adoc index 28dcad010..7b16d091f 100644 --- a/docs/modules/ROOT/pages/ec_validate.adoc +++ b/docs/modules/ROOT/pages/ec_validate.adoc @@ -1,6 +1,6 @@ = ec validate -Validate conformance with the Enterprise Contract +Validate conformance with the provided policies == Options 
@@ -19,4 +19,4 @@ Validate conformance with the Enterprise Contract == See also - * xref:ec.adoc[ec - Enterprise Contract CLI] + * xref:ec.adoc[ec - Conforma CLI] diff --git a/docs/modules/ROOT/pages/ec_validate_image.adoc b/docs/modules/ROOT/pages/ec_validate_image.adoc index a31a52f9a..fa94460b0 100644 --- a/docs/modules/ROOT/pages/ec_validate_image.adoc +++ b/docs/modules/ROOT/pages/ec_validate_image.adoc @@ -1,13 +1,13 @@ = ec validate image -Validate conformance of container images with the Enterprise Contract +Validate conformance of container images with the provided policies == Synopsis -Validate conformance of container images with the Enterprise Contract +Validate conformance of container images with the provided policies For each image, validation is performed in stages to determine if the image -conforms to the Enterprise Contract. +conforms to the provided policies. The first validation stage determines if an image has been signed, and the signature matches the provided public key. This is akin to the "cosign verify" @@ -167,4 +167,4 @@ JSON of the "spec" or a reference to a Kubernetes object [/] == See also - * xref:ec_validate.adoc[ec validate - Validate conformance with the Enterprise Contract] + * xref:ec_validate.adoc[ec validate - Validate conformance with the provided policies] diff --git a/docs/modules/ROOT/pages/ec_validate_input.adoc b/docs/modules/ROOT/pages/ec_validate_input.adoc index 6e27ebd35..a25bf3edc 100644 --- a/docs/modules/ROOT/pages/ec_validate_input.adoc +++ b/docs/modules/ROOT/pages/ec_validate_input.adoc 
@@ -1,10 +1,10 @@ = ec validate input -Validate arbitrary JSON or yaml file input conformance with the Enterprise Contract +Validate arbitrary JSON or yaml file input conformance with the provided policies == Synopsis -Validate conformance of arbitrary JSON or yaml file input with the Enterprise Contract +Validate conformance of arbitrary JSON or yaml file input with the provided policies For each file, validation is performed to determine if the file conforms to rego policies defined in the EnterpriseContractPolicy. @@ -73,4 +73,4 @@ mark (?) sign, for example: --output text=output.txt?show-successes=false == See also - * xref:ec_validate.adoc[ec validate - Validate conformance with the Enterprise Contract] + * xref:ec_validate.adoc[ec validate - Validate conformance with the provided policies] diff --git a/docs/modules/ROOT/pages/ec_validate_policy.adoc b/docs/modules/ROOT/pages/ec_validate_policy.adoc index 83e6f726c..4f2d2282c 100644 --- a/docs/modules/ROOT/pages/ec_validate_policy.adoc +++ b/docs/modules/ROOT/pages/ec_validate_policy.adoc @@ -39,4 +39,4 @@ ec validate policy --policy-configuration github.com/org/repo/policy.yaml == See also - * xref:ec_validate.adoc[ec validate - Validate conformance with the Enterprise Contract] + * xref:ec_validate.adoc[ec validate - Validate conformance with the provided policies] diff --git a/docs/modules/ROOT/pages/ec_version.adoc b/docs/modules/ROOT/pages/ec_version.adoc index b1215e9d6..3cd48ec5c 100644 --- a/docs/modules/ROOT/pages/ec_version.adoc +++ b/docs/modules/ROOT/pages/ec_version.adoc @@ -20,4 +20,4 @@ Print version information == See also - * xref:ec.adoc[ec - Enterprise Contract CLI] + * xref:ec.adoc[ec - Conforma CLI] diff --git a/docs/modules/ROOT/pages/index.adoc b/docs/modules/ROOT/pages/index.adoc index fde07ad3b..7c31679dc 100644 --- a/docs/modules/ROOT/pages/index.adoc +++ b/docs/modules/ROOT/pages/index.adoc 
@@ -1,15 +1,16 @@ :pol: https://github.com/enterprise-contract/ec-policies/ -= Enterprise Contract CLI += Conforma CLI -The EC CLI is used to evaluate Enterprise Contract policies for Software Supply Chain. -Various sub-commands can be used to assert facts about an artifact such as: +The Conforma CLI is used to verify signatures and evaluate policies for +Software Supply Chain artifacts. Various sub-commands can be used to assert +facts about an artifact such as: * Validating container image signature * Validating container image provenance -* Evaluating Enterprise Contract {pol}[policies] over the container image provenance +* Evaluating {pol}[policies] over the container image provenance -This documentation includes xref:ec.adoc[EC Command Line reference +This documentation includes xref:ec.adoc[Conforma Command Line reference documentation], and documentation on the xref:verify-enterprise-contract.adoc[Verify Enterprise Contract Task] -used to run the EC in a Tekton pipeline. +used to run Conforma in a Tekton pipeline. diff --git a/docs/modules/ROOT/pages/policy_input.adoc b/docs/modules/ROOT/pages/policy_input.adoc index d4fbee2d0..9c595667f 100644 --- a/docs/modules/ROOT/pages/policy_input.adoc +++ b/docs/modules/ROOT/pages/policy_input.adoc @@ -1,7 +1,7 @@ = Policy Input The policy input refers the variable `input` in rego. This page describes the structure of the input -available for policy evaluation when using the Enterprise Contract CLI. The input is different for +available for policy evaluation when using the Conforma CLI. The input is different for each subcommand as each subcommand has a different specialty. == Validate Image 
@@ -112,7 +112,7 @@ only version control system supported is `git`. This information originates from ApplicationSnapshot provided to the `ec validate image` command. It is empty if the source information is not given to the command. -The SourceDescriptor contains the single `git` attribute which hold an object with information +The SourceDescriptor contains the single `git` attribute which holds an object with information about a git repository. `.revision` is a string holding a git reference. This could be a commit ID, branch, etc. `url` is the URL of the git repository. diff --git a/docs/modules/ROOT/pages/signing.adoc b/docs/modules/ROOT/pages/signing.adoc index f4c15d0f1..d9c85e9e3 100644 --- a/docs/modules/ROOT/pages/signing.adoc +++ b/docs/modules/ROOT/pages/signing.adoc @@ -1,12 +1,12 @@ = Signing -The Enterprise Contract relies on https://www.sigstore.dev/[Sigstore] signatures to verify the +Conforma relies on https://www.sigstore.dev/[Sigstore] signatures to verify the authenticity of content being verified. Currently, this is integrated with the `ec validate image` command. == Image Verification -When the Enterprise Contract validates an image, there are certain +When Conforma validates an image, there are certain https://enterprisecontract.dev/docs/ec-policies/release_policy.html#builtin_attestation_package[builtin] policy rules that are always applied and cannot be skipped. Most of these rely on https://github.com/sigstore/cosign[cosign] to fetch and verify image signatures and attestations. 
@@ -18,8 +18,8 @@ fulfill the validation of another image. == Sigstore Levels There are different levels of Sigstore adoption. These can be done -https://www.linuxfoundation.org/blog/blog/adopting-sigstore-incrementally[incrementally]. The -Enterprise Contract can be used to validate artifacts regardless of the level. +https://www.linuxfoundation.org/blog/blog/adopting-sigstore-incrementally[incrementally]. +Conforma can be used to validate artifacts regardless of the level. === Long-Lived Keys diff --git a/docs/modules/ROOT/pages/tasks.adoc b/docs/modules/ROOT/pages/tasks.adoc index 74011392c..14f8cf021 100644 --- a/docs/modules/ROOT/pages/tasks.adoc +++ b/docs/modules/ROOT/pages/tasks.adoc @@ -1,4 +1,8 @@ -= Enterprise Contract Tekton Tasks += Conforma Tekton Tasks Use the navigation bar to view the help documentation for each Tekton task. +NOTE: Conforma was previously known as "Enterprise Contract". You can consider +"Conforma" and "Enterprise Contract" to be synonynous. See +link:https://conforma.dev/posts/whats-in-a-name/[this article] for more details about the name +change. diff --git a/tasks/verify-enterprise-contract/0.1/README.md b/tasks/verify-enterprise-contract/0.1/README.md index 28fdb20dc..0e8365ca2 100644 --- a/tasks/verify-enterprise-contract/0.1/README.md +++ b/tasks/verify-enterprise-contract/0.1/README.md @@ -1,5 +1,10 @@ # Verify Enterprise Contract Task +NOTE: Conforma was previously known as "Enterprise Contract". You can consider +"Conforma" and "Enterprise Contract" to be synonynous. Note that the Tekton task defined here is still +referencing the older name. See [this article](https://conforma.dev/posts/whats-in-a-name/) for more details +about the name change. + This task verifies a signature and attestation for an image and then runs a policy against the image's attestation using the ```ec validate image``` command. ## Install the task