Hermetic task Package

This package verifies that all the tasks in the attestation that are required to be hermetic were invoked with the proper parameters to perform a hermetic execution, including enabling the Sonatype proxy when required.

Package Name

  • hermetic_task

Rules Included

Hermetic build task has Sonatype proxy enabled

Verify that hermetic build tasks have the enable-hermeto-proxy parameter set to true. This ensures that hermetic builds use the Sonatype proxy for dependency resolution.

Solution: Make sure the task has the input parameter 'enable-hermeto-proxy' set to 'true'.

  • Rule type: FAILURE

  • FAILURE message: Task '%s' is hermetic but does not have the enable-hermeto-proxy parameter set to true

  • Code: hermetic_task.hermeto_proxy_enabled

  • Effective from: 2026-06-01T00:00:00Z

  • Source

Task called with hermetic param set

Verify the task in the PipelineRun attestation was invoked with the proper parameters to make the task execution hermetic.

Solution: Make sure the task has the input parameter 'HERMETIC' set to 'true'.

  • Rule type: FAILURE

  • FAILURE message: Task '%s' was not invoked with the hermetic parameter set

  • Code: hermetic_task.hermetic

  • Source

proxy_enabled_purl_types format

Confirm the proxy_enabled_purl_types and allowed_proxy_url_patterns rule data match the expected format.

  • Rule type: FAILURE

  • FAILURE message: %s

  • Code: hermetic_task.proxy_rule_data_format

  • Source
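
The two parameter rules above, written as a stand-alone Python check over a constructed attestation. This is an added example, not the policy's own code; the attestation layout (predicate.buildConfig.tasks[].invocation.parameters), matching tasks by a caller-supplied set of names, and skipping the proxy rule before its effective date are assumptions.

```python
from datetime import datetime, timezone

# Effective date of hermetic_task.hermeto_proxy_enabled, as listed on this page.
PROXY_RULE_EFFECTIVE = datetime(2026, 6, 1, tzinfo=timezone.utc)

def _is_true(params, name):
    # Tekton parameters arrive as strings; a JSON boolean is accepted as well.
    return str(params.get(name, "")).strip().lower() == "true"

def check_hermetic_tasks(attestation, required_hermetic, now):
    """Return (code, message) violations for one PipelineRun attestation.

    Assumptions (not from the page): tasks sit under
    predicate.buildConfig.tasks[] with invocation.parameters, as in SLSA v0.2
    provenance; `required_hermetic` is a caller-supplied set of task names;
    the proxy rule is skipped entirely before its effective date.
    """
    violations = []
    tasks = attestation.get("predicate", {}).get("buildConfig", {}).get("tasks", [])
    for task in tasks:
        name = task.get("name", "")
        if name not in required_hermetic:
            continue
        params = task.get("invocation", {}).get("parameters") or {}
        if not _is_true(params, "HERMETIC"):
            violations.append(("hermetic_task.hermetic",
                f"Task '{name}' was not invoked with the hermetic parameter set"))
            continue  # not hermetic, so the proxy rule does not apply
        if now >= PROXY_RULE_EFFECTIVE and not _is_true(params, "enable-hermeto-proxy"):
            violations.append(("hermetic_task.hermeto_proxy_enabled",
                f"Task '{name}' is hermetic but does not have the "
                "enable-hermeto-proxy parameter set to true"))
    return violations

# Constructed sample attestation (illustrative task names, not real data).
SAMPLE = {"predicate": {"buildConfig": {"tasks": [
    {"name": "build-a", "invocation": {"parameters":
        {"HERMETIC": "true", "enable-hermeto-proxy": "true"}}},
    {"name": "build-b", "invocation": {"parameters": {"HERMETIC": "true"}}},
    {"name": "build-c", "invocation": {"parameters": {"HERMETIC": "false"}}},
    {"name": "lint", "invocation": {"parameters": {}}},
]}}}

if __name__ == "__main__":
    when = datetime(2026, 7, 1, tzinfo=timezone.utc)
    required = {"build-a", "build-b", "build-c"}
    for code, msg in check_hermetic_tasks(SAMPLE, required, when):
        print(code, "-", msg)
```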