The project lacks a document explaining the value proposition of using Conforma (EC) versus using cosign directly for verification. While the `ec validate image` docs mention that certain stages are "akin to `cosign verify`" and "`cosign verify-attestation`", there is no high-level explanation of what Conforma adds on top of cosign.
A new documentation page (e.g., "Why Conforma?" or similar) should cover:
- Policy-as-code evaluation -- Conforma layers Rego/OPA policy evaluation over signature and attestation verification, enabling organizational compliance rules that cosign alone cannot express
- Batch and snapshot validation -- validating multiple images from an ApplicationSnapshot in a single invocation
- Structured output and reporting -- multiple output formats (JSON, YAML, JUnit, summary, VSA) for CI/CD integration and audit trails
- EnterpriseContractPolicy CRD integration -- declarative policy configuration via Kubernetes custom resources
- Tekton task integration -- ready-made pipeline tasks for CI/CD workflows
- Built-in rule library -- curated policy rules for SLSA provenance, build tasks, and release readiness
This page should be linked from the main navigation and the index page.
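To make the first bullet concrete for whoever writes the page, here is an added illustration (not code from the Conforma project or its rule library) of the kind of organizational rule that sits above signature and attestation checking: a Rego policy that rejects any SLSA provenance attestation whose builder is not on an approved list. cosign can verify that an attestation is validly signed; deciding whether its contents are acceptable is the policy-as-code layer. The `input.attestations[_].statement` shape and the `allowed_builder_ids` set are assumptions for the example, not a statement of Conforma's actual input schema.

```rego
package policy.release.builder_id

import rego.v1

# Constructed example: builder identities the organisation trusts.
# (Assumed values; replace with the real allow-list.)
allowed_builder_ids := {
	"https://tekton.dev/chains/v2",
}

# Deny when a SLSA v0.2 provenance attestation names a builder that is
# not on the allow-list. Assumes each entry in input.attestations carries
# the in-toto statement under .statement.
deny contains result if {
	some att in input.attestations
	att.statement.predicateType == "https://slsa.dev/provenance/v0.2"
	builder_id := att.statement.predicate.builder.id
	not allowed_builder_ids[builder_id]
	result := sprintf("provenance built by unapproved builder %q", [builder_id])
}
```

The point for the "Why Conforma?" page is that a rule like this is evaluated after the signature checks succeed, so a correctly signed attestation from the wrong builder still fails validation and shows up in the structured report.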