Create result summary for task validation

The assert step in the validate vsa task reads
the output from a task result which has to be
under 4k.
This step determines whether the task fails or not.
This is similar to the appstudio output for validate image.

example
{"result": "FAILURE"}

Author: joejstuart

cmd/validate/vsa.go

@@ -216,7 +216,7 @@ func addVSAFlags(cmd *cobra.Command, data *validateVSAData) {
 	cmd.Flags().BoolVar(&data.noFallback, "no-fallback", false, "Disable fallback to image validation when VSA validation fails (fallback is enabled by default)")
 	cmd.Flags().StringVar(&data.fallbackPublicKey, "fallback-public-key", "", "Public key to use for fallback image validation (different from VSA verification key)")
 	// Output options
-	validOutputFormats := []string{"json", "yaml", "text"}
+	validOutputFormats := []string{"json", "yaml", "text", "status"}
 	cmd.Flags().StringSliceVar(&data.output, "output", []string{}, hd.Doc(`
 		write output to a file in a specific format. Use empty string path for stdout.
 		May be used multiple times. Possible formats are:
@@ -1206,8 +1206,21 @@ func (d ComponentResultsDisplay) toFormat(format string) ([]byte, error) {
 		return data, nil
 	case "text":
 		return d.toText(), nil
+	case "status":
+		// Status format: simple JSON with overall result as SUCCESS or FAILURE
+		// Determine result from Overall field (contains "PASSED" or "FAILED")
+		resultStr := "FAILURE"
+		if strings.Contains(d.Result.Overall, "PASSED") {
+			resultStr = "SUCCESS"
+		}
+		statusReport := map[string]string{"result": resultStr}
+		data, err := json.Marshal(statusReport)
+		if err != nil {
+			return nil, err
+		}
+		return data, nil
 	default:
-		return nil, fmt.Errorf("unsupported format: %s (supported: json, yaml, text)", format)
+		return nil, fmt.Errorf("unsupported format: %s (supported: json, yaml, text, status)", format)
 	}
 }
 
@@ -1313,8 +1326,25 @@ func writeVSAReport(report VSAReport, display ComponentResultsDisplay, outputFor
 				b.WriteString(fallbackBuf.String())
 			}
 			data = []byte(b.String())
+		case "status":
+			// Status format: simple JSON with overall result as SUCCESS or FAILURE
+			// If fallback was used, use fallback result; otherwise use VSA result
+			resultStr := "FAILURE"
+			if report.Fallback != nil {
+				// Fallback was used, use its success status as the overall result
+				if report.Fallback.Success {
+					resultStr = "SUCCESS"
+				}
+			} else if strings.Contains(display.Result.Overall, "PASSED") {
+				resultStr = "SUCCESS"
+			}
+			statusReport := map[string]string{"result": resultStr}
+			data, err = json.Marshal(statusReport)
+			if err != nil {
+				return fmt.Errorf("failed to marshal status report: %w", err)
+			}
 		default:
-			return fmt.Errorf("unsupported format: %s (supported: json, yaml, text)", formatName)
+			return fmt.Errorf("unsupported format: %s (supported: json, yaml, text, status)", formatName)
 		}
 
 		// Use shared file writing logic
@@ -1381,34 +1411,37 @@ func displayComponentResults(allResults []vsa.ComponentResult, data *validateVSA
 	// Filter output formats to only json, yaml, text (exclude other formats like appstudio, etc.)
 	vsaOutputFormats := filterVSAOutputFormats(data.output)
 
-	// Check if we need combined output (file output specified AND fallback will be used)
+	// Check if file output is specified
 	hasFileOutput := hasFileOutputInFormats(vsaOutputFormats)
 
-	// If file output is specified and fallback will be used, combine them
-	if hasFileOutput && allData.FallbackUsed {
-		// Create fallback report without writing
-		fallbackReport, err := createFallbackReport(allData, data)
-		if err != nil {
-			return fmt.Errorf("failed to create fallback report: %w", err)
-		}
-
-		// Build combined VSAReport (call toVSASectionsReport once and reuse)
+	// If file output is specified, write to file (with or without fallback)
+	if hasFileOutput {
+		// Build VSAReport (call toVSASectionsReport once and reuse)
 		vsaSections := display.toVSASectionsReport()
 		vsaReport := VSAReport{
 			Header:     vsaSections.Header,
 			Result:     vsaSections.Result,
 			VSASummary: vsaSections.VSASummary,
 			PolicyDiff: vsaSections.PolicyDiff,
-			Fallback:   fallbackReport,
+			Fallback:   nil, // Will be set if fallback is used
+		}
+
+		// Add fallback report if fallback was used
+		if allData.FallbackUsed {
+			fallbackReport, err := createFallbackReport(allData, data)
+			if err != nil {
+				return fmt.Errorf("failed to create fallback report: %w", err)
+			}
+			vsaReport.Fallback = fallbackReport
 		}
 
-		// Write combined report to file(s)
+		// Write report to file(s)
 		fs := utils.FS(cmd.Context())
 		if err := writeVSAReport(vsaReport, display, vsaOutputFormats, fs, cmd); err != nil {
-			return fmt.Errorf("failed to write combined VSA report: %w", err)
+			return fmt.Errorf("failed to write VSA report: %w", err)
 		}
 	} else {
-		// Use separate output (current behavior)
+		// Use separate output to stdout (current behavior)
 		if len(vsaOutputFormats) > 0 {
 			// Use format system for structured output (json/yaml/text)
 			fs := utils.FS(cmd.Context())
@@ -1445,14 +1478,13 @@ func displayComponentResults(allResults []vsa.ComponentResult, data *validateVSA
 	return nil
 }
 
-// filterVSAOutputFormats filters output formats to only include json, yaml, and text
-// Other formats (like appstudio, summary, etc.) are handled by handleSnapshotOutput
+// filterVSAOutputFormats filters output formats to only include json, yaml, text, and status
 func filterVSAOutputFormats(outputFormats []string) []string {
 	var filtered []string
 	for _, format := range outputFormats {
 		parts := strings.SplitN(format, "=", 2)
 		formatName := parts[0]
-		if formatName == "json" || formatName == "yaml" || formatName == "text" {
+		if formatName == "json" || formatName == "yaml" || formatName == "text" || formatName == "status" {
 			filtered = append(filtered, format)
 		}
 	}

docs/modules/ROOT/pages/ec_validate_vsa.adoc

@@ -35,7 +35,12 @@ ec validate vsa <vsa-identifier> [flags]
 --images:: Application snapshot file
 --no-color:: Disable color when using text output even when the current terminal supports it (Default: false)
 --no-fallback:: Disable fallback to image validation when VSA validation fails (fallback is enabled by default) (Default: false)
---output:: Output formats (e.g., json, yaml, text) (Default: [])
+--output:: write output to a file in a specific format. Use empty string path for stdout.
+May be used multiple times. Possible formats are:
+json, yaml, text, status. In following format and file path
+additional options can be provided in key=value form following the question
+mark (?) sign, for example: --output text=output.txt?show-successes=false
+ (Default: [])
 -p, --policy:: Policy configuration
 --strict:: Exit with non-zero code if validation fails (Default: true)
 -v, --vsa:: VSA identifier (image digest, file path)

docs/modules/ROOT/pages/verify-conforma-vsa-release-ta.adoc

@@ -0,0 +1,91 @@
+= verify-conforma-vsa-release-ta
+
+Version: 0.1
+
+== Synopsis
+
+Validates a Snapshot using Conforma in two phases: 1) `ec validate vsa` (CLI will fall back to `validate image` if VSA missing/expired) 2) `ec validate image` with release-time rules only (pipeline_intention=release)
+
+
+== Params
+[horizontal]
+
+*SNAPSHOT_FILENAME* (`string`):: The filename of the Snapshot located within the trusted artifact
+*SOURCE_DATA_ARTIFACT* (`string`):: Trusted Artifact to use to obtain the Snapshot to validate.
+*POLICY_CONFIGURATION* (`string`):: Name of the policy configuration (EnterpriseContractPolicy
+resource) to use. `namespace/name` or just `name`. Can also be a
+Git URL, e.g. `github.com/conforma/config//slsa3`.
+
++
+*Default*: `enterprise-contract-service/default`
+*PUBLIC_KEY* (`string`):: Public key used to verify signatures. Must be a valid k8s cosign reference (e.g. k8s://my-ns/my-secret) where the secret contains `cosign.pub`.
+
+*VSA_PUBLIC_KEY* (`string`):: Public key used to verify signatures. Must be a valid k8s cosign reference (e.g. k8s://my-ns/my-secret) where the secret contains `cosign.pub`.
+
+*REKOR_HOST* (`string`):: Rekor host for transparency log lookups
+*IGNORE_REKOR* (`string`):: Skip Rekor transparency log checks during validation.
++
+*Default*: `true`
+*TUF_MIRROR* (`string`):: TUF mirror URL. Provide a value when NOT using public sigstore deployment.
+*SSL_CERT_DIR* (`string`):: Extra certs path(s) for external services. Useful with local
+registries/Rekor. Multiple paths can be provided using `:`.
+
+*CA_TRUST_CONFIGMAP_NAME* (`string`):: Name of the ConfigMap to read CA bundle data from.
++
+*Default*: `trusted-ca`
+*CA_TRUST_CONFIG_MAP_KEY* (`string`):: Key in the ConfigMap that contains the CA bundle data.
++
+*Default*: `ca-bundle.crt`
+*INFO* (`string`):: Include rule titles/descriptions in output. Set to "false" to disable.
++
+*Default*: `true`
+*STRICT* (`string`):: Fail the task if policy fails. Set to "false" to disable.
++
+*Default*: `true`
+*HOMEDIR* (`string`):: Value for the HOME environment variable.
++
+*Default*: `/tekton/home`
+*EFFECTIVE_TIME* (`string`):: Run policy checks with the provided time.
++
+*Default*: `now`
+*EXTRA_RULE_DATA* (`string`):: Merge additional Rego variables into the policy data. Syntax: key=val,key2=val2
+
+*TIMEOUT* (`string`):: Deprecated; ignored by the task. EC is run without a timeout (use Tekton timeouts).
+
+*WORKERS* (`string`):: Number of parallel workers to use for policy evaluation.
++
+*Default*: `4`
+*SINGLE_COMPONENT* (`string`):: Reduce Snapshot to only the component whose build created the Snapshot
++
+*Default*: `false`
+*SINGLE_COMPONENT_CUSTOM_RESOURCE* (`string`):: Kind/name of the Kubernetes resource to query labels when single component mode is enabled, e.g. pr/somepipeline.
+
++
+*Default*: `unknown`
+*SINGLE_COMPONENT_CUSTOM_RESOURCE_NS* (`string`):: Namespace where SINGLE_COMPONENT_CUSTOM_RESOURCE is found (for single component mode).
+*ORAS_OPTIONS* (`string`):: ORAS options to pass to Trusted Artifacts calls
+*TRUSTED_ARTIFACTS_DEBUG* (`string`):: Enable debug logging in trusted artifacts when non-empty.
+*TRUSTED_ARTIFACTS_EXTRACT_DIR* (`string`):: Directory to extract the trusted artifact archive into.
++
+*Default*: `/var/workdir/conforma`
+*RETRY_DURATION* (`string`):: Base duration for exponential backoff (e.g., "1s", "500ms")
++
+*Default*: `1s`
+*RETRY_FACTOR* (`string`):: Exponential backoff multiplier (e.g., "2.0", "1.5")
++
+*Default*: `2.0`
+*RETRY_JITTER* (`string`):: Randomness factor for backoff (0.0-1.0, e.g., "0.1", "0.2")
++
+*Default*: `0.1`
+*RETRY_MAX_RETRY* (`string`):: Maximum number of retry attempts
++
+*Default*: `3`
+*RETRY_MAX_WAIT* (`string`):: Maximum wait time between retries (e.g., "3s", "10s")
++
+*Default*: `3s`
+
+== Results
+
+[horizontal]
+*VSA_TEST_OUTPUT*:: Short summary of the VSA validation result
+*IMAGE_RELEASE_TEST_OUTPUT*:: Short summary of the release-time image validation result

docs/modules/ROOT/partials/tasks_nav.adoc

@@ -1,3 +1,4 @@
 * xref:tasks.adoc[Tekton Tasks]
 ** xref:verify-conforma-konflux-ta.adoc[verify-conforma-konflux-ta]
+** xref:verify-conforma-vsa-release-ta.adoc[verify-conforma-vsa-release-ta]
 ** xref:verify-enterprise-contract.adoc[verify-enterprise-contract]

tasks/verify-conforma-konflux-vsa-ta/0.1/verify-conforma-konflux-vsa-ta.yaml

@@ -287,9 +287,12 @@ spec:
         - "--workers"
         - "$(params.WORKERS)"
         - "--strict=false"
-        - "--debug"
         - "--fallback-public-key"
         - "$(params.PUBLIC_KEY)"
+        - "--output"
+        - "status=$(results.VSA_TEST_OUTPUT.path)"
+        - "--output"
+        - "text"
       env:
         - name: SSL_CERT_DIR
           value: >-
@@ -356,8 +359,6 @@ spec:
         - "--output"
         - "text"
         - "--output"
-        - "text=$(params.HOMEDIR)/text-report.txt?show-successes=false"
-        - "--output"
         - "appstudio=$(results.IMAGE_RELEASE_TEST_OUTPUT.path)"
         - "--output"
         - "json=$(params.HOMEDIR)/report-json.json"
@@ -421,7 +422,7 @@ spec:
         - |
           set -euo pipefail
           strict='$(params.STRICT)'
-          vsa_ok=$(jq -r '.result=="SUCCESS" or .result=="WARNING"' \
+          vsa_ok=$(jq -r '.result=="SUCCESS"' \
             "$(results.VSA_TEST_OUTPUT.path)" || echo false)
           rel_ok=$(jq -r '.result=="SUCCESS" or .result=="WARNING"' \
             "$(results.IMAGE_RELEASE_TEST_OUTPUT.path)" || echo false)