The ec tool is used to evaluate Enterprise Contract policies for Software
Supply Chain. Various sub-commands can be used to assert facts about an artifact
such as:
- Validating container image signature
- Validating container image provenance
- Evaluating Enterprise Contract policies over the container image provenance
- Fetching artifact authorization
Consult the documentation for available sub-commands, descriptions and examples of use.
Run make build from the root directory and use the dist/ec executable, or
run make dist to build for all supported architectures.
Run make test to run the unit tests, and make acceptance to run the
acceptance tests.
Run make lint to check for linting issues, and make lint-fix to fix linting
issues (formatting, import order, ...).
Run hack/demo.sh to evaluate the policy against images that have been
built ahead of time.
To regenerate those images, say in case of change in the attestation data, run
hack/rebuild.sh.
The --debug parameter enables debug logging. Setting EC_DEBUG environment
variable can be set to prevent deletion of temporary ec-work-* directories so
that the attestations, policy and data files can be examined.
When running acceptance tests you may experience issues with starting enough Docker containers to successfullyl complete testing. These issues may appear as repeated failures, such as seen below, and a failed acceptance test run:
time="2024-03-08T09:10:50-05:00" level=warning msg="Failed, retrying in 1s ... (3/3). Error: trying to reuse blob sha256:b5976a979c30628edfeee0a1f1797362b0c84cf6cb4760776aa64ec8e3e4c2b3 at destination: pinging container registry localhost:37837: Get \"http://localhost:37837/v2/\": read tcp 127.0.0.1:34090->127.0.0.1:37837: read: connection reset by peer"
This issue may be resolved by increasing the total number of fs.inotify.max_user_watches by executing the following on: Red Hat / Fedora systems (other systems may need modifications to this)
$ echo fs.inotify.max_user_watches=524288 | sudo tee -a /etc/sysctl.conf && sudo sysctl -p