verify artifacts, enforce policies
Securely verify supply chain artifacts, and enforce policies about how they were built and tested, in a manageable, scalable, and declarative way.
Built with Sigstore and Open Policy Agent
Conforma builds on the industry standard open source solutions for artifact provenance verification and policy validation, backed by the Open Source Security Foundation and the Cloud Native Computing Foundation.
Verify provenance & apply policies in a single step
Produce human-readable output for provenance or policy violations. Verify SLSA compliance with extensible policies. Verify single or multiple images with collated output. Access configuration, data and policy rules from multiple sources.
Fits into your existing CI/CD pipelines
Conforma is platform agnostic. With its multi-format output, it can easily fit into your CI/CD workflow. Use it as post-build CI, as a gate for releases, as a deploy-time verifier, or anywhere in between.
Red Hat Trusted Application Pipeline Integration
Adopted by Red Hat for their own next generation cloud build systems. Integrated with RHTAP & Konflux CI.
Note that Conforma was originally known as "Enterprise Contract". You might still find it referred to as "Enterprise Contract", or "EC", in some of the older content on this website.
Conforma's Vision: A world where every software supply chain includes robust policy enforcement and secure artifact verification by default.
Conforma's Mission: To create user-friendly, standards-based tooling to empower software, release, and security engineers to consistently deliver artifacts that verifiably and transparently meet business, quality, and security policies.
Recently Published
Whether you’re just getting started with supply chain security or looking to deepen your understanding of policy enforcement in container workflows, we’ve curated a comprehensive collection of resources to help you on your journey.
We’ve organized all our educational content, like conference presentations, demos, and expert talks, into our new Resources page for easy access and reference.
Posted on January 22, 2025
To make a long story short, this project has a new name. “Enterprise Contract” is now “Conforma”. Read on for some background information about the name and why we decided to change it.