Conforma

FOSDEM 2026: From Passive Data to Active Defense with Conforma

Wed, 11 Mar 2026 10:00:00 +0100

We’re excited to share that Conforma was featured at FOSDEM 2026 in Brussels, one of Europe’s premier open-source software conferences. The talk introduced Conforma and demonstrated how to transform supply chain security data into actionable policy enforcement.

Validating arbitrary data

Mon, 16 Feb 2026 10:51:25 -0500

In this tutorial we’ll introduce some basic Conforma concepts and look at examples where Conforma is used to apply policy checks against arbitrary input data. We often use the ec validate image command, which fetches and verifies an image’s SLSA provenance attestations, then applies policy checks against them. But Conforma can work just as well with any kind of input using the ec validate input command, and in fact that is a useful way to demonstrate some Conforma ideas and techniques.

Introducing Our Comprehensive Resources Page

Wed, 23 Jul 2025 13:00:41 +0200

Whether you’re just getting started with supply chain security or looking to deepen your understanding of policy enforcement in container workflows, we’ve curated a comprehensive collection of resources to help you on your journey.

We’ve organized all our educational content, like conference presentations, demos, and expert talks, into our new Resources page for easy access and reference.

Presenting "Conforma"

Wed, 22 Jan 2025 12:24:00 -0500

To make a long story short, this project has a new name. “Enterprise Contract” is now “Conforma”. Read on for some background information about the name and why we decided to change it.

Gating Image Promotion on GitLab

Wed, 12 Jun 2024 18:54:00 +0000

Once you have a container image ready for promotion, it is important to first verify the image meets a certain criteria before it is made available to consumers. In this blog post, we look at how to achieve this in a GitLab pipeline.

Policies Polyglot: Evaluating Custom Predicates

Wed, 20 Mar 2024 15:02:00 -0400

Attestations are a wonderful way to attach metadata to container images in a secure manner. One of the most popular formats is SLSA Provenance which is used to provide information on how the image was created. Our Hitchhiker’s Guide demonstrates how to write policies to assert the contents of the SLSA Provenance. Here, we expand on that approach to assert the contents of any attestation format, even completely made up ones.

Introducing Action Validate for GitHub

Tue, 24 Oct 2023 13:02:00 -0400

You may already be familiar with using the EC Validate command for local container image validation. Now, you can seamlessly integrate this functionality directly into your build processes or any other automated workflow in GitHub.

A Taste of Policies

Tue, 15 Aug 2023 12:34:56 -0400

In a previous blog post, we introduced the basic concepts of the Enterprise Contract. This time, we explore it further to showcase the usage of policies.

Introducing the Enterprise Contract

Mon, 24 Apr 2023 12:56:35 -0400

You may have heard of sigstore and its container image verification tool, cosign. This blog post introduces a policy-driven workflow, Enterprise Contract, built on those technologies.

Mon, 01 Jan 0001 00:00:00 +0000