conforma · robnester-rh · Jan 28, 2026 · Jan 28, 2026
diff --git a/features/ta_task_validate_image.feature b/features/ta_task_validate_image.feature
@@ -50,3 +50,25 @@ Feature: Verify Conforma Trusted Artifact Tekton Task
      And the task results should match the snapshot
      And the task logs for step "show-config" should match the snapshot
 
+  Scenario: Policy configuration passed as JSON string
+    Given a working namespace
+    Given a snapshot artifact with content:
+      ```
+      {
+        "components": [
+          {
+            "containerImage": "quay.io/hacbs-contract-demo/golden-container@sha256:e76a4ae9dd8a52a0d191fd34ca133af5b4f2609536d32200a4a40a09fdc93a0d"
+          }
+        ]
+      }
+      ```
+    When version 0.1 of the task named "verify-conforma-konflux-ta" is run with parameters:
+      | SNAPSHOT_FILENAME       | snapshotartifact                                                                                    |
+      | SOURCE_DATA_ARTIFACT    | oci:${REGISTRY}/acceptance/snapshotartifact@${BUILD_SNAPSHOT_DIGEST} |
+      | POLICY_CONFIGURATION    | {"publicKey":"-----BEGIN PUBLIC KEY-----\\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAERhr8Zj4dZW67zucg8fDr11M4lmRp\\nzN6SIcIjkvH39siYg1DkCoa2h2xMUZ10ecbM3/ECqvBV55YwQ2rcIEa7XQ==\\n-----END PUBLIC KEY-----","sources":[{"policy":["git::github.com/conforma/policy//policy/release?ref=d34eab36b23d43748e451004177ca144296bf323","git::github.com/conforma/policy//policy/lib?ref=d34eab36b23d43748e451004177ca144296bf323"],"config":{"include":["slsa_provenance_available"]}}]} |
+      | STRICT                  | true                                                                                                     |
+      | IGNORE_REKOR            | true                                                                                                     |
+      | TRUSTED_ARTIFACTS_DEBUG | "true"                                                                                                   |
+      | ORAS_OPTIONS            | --plain-http                                                                                             |
+    Then the task should succeed
+     And the task logs for step "show-config" should contain "slsa_provenance_available"
diff --git a/tasks/verify-conforma-konflux-ta/0.1/verify-conforma-konflux-ta.yaml b/tasks/verify-conforma-konflux-ta/0.1/verify-conforma-konflux-ta.yaml
@@ -295,12 +295,13 @@ spec:
         #!/bin/bash
         set -euo pipefail
 
-        # Build EC arguments
+        # Build EC arguments array
+        # POLICY_CONFIGURATION is passed via environment variable to safely handle JSON strings
         EC_ARGS=(
           validate
           image
           --images /tekton/home/snapshot.json
-          --policy "$(params.POLICY_CONFIGURATION)"
+          --policy "${POLICY_CONFIGURATION}"
           --public-key "$(params.PUBLIC_KEY)"
           --rekor-url "$(params.REKOR_HOST)"
           --ignore-rekor=$(params.IGNORE_REKOR)
@@ -311,6 +312,9 @@ spec:
           --show-successes
           --effective-time=$(params.EFFECTIVE_TIME)
           --extra-rule-data=$(params.EXTRA_RULE_DATA)
+        )
+
+        EC_ARGS+=(
           --retry-max-wait "$(params.RETRY_MAX_WAIT)"
           --retry-max-retry "$(params.RETRY_MAX_RETRY)"
           --retry-duration "$(params.RETRY_DURATION)"
@@ -327,7 +331,7 @@ spec:
 
           if [[ "$(params.ATTESTATION_FORMAT)" == "dsse" ]]; then
             if [[ -z "$(params.VSA_SIGNING_KEY)" ]]; then
-              echo "ERROR: VSA_SIGNING_KEY required for format=dsse"
+              echo "ERROR: VSA_SIGNING_KEY required for format=dsse" >&2
               exit 1
             fi
             EC_ARGS+=(--vsa-signing-key "$(params.VSA_SIGNING_KEY)")
@@ -342,6 +346,10 @@ spec:
         # Execute EC with constructed arguments
         ec "${EC_ARGS[@]}"
       env:
+        # POLICY_CONFIGURATION is passed via environment variable to safely handle JSON strings
+        # This avoids shell quoting issues when Tekton substitutes parameter values directly in scripts
+        - name: POLICY_CONFIGURATION
+          value: "$(params.POLICY_CONFIGURATION)"
         - name: SSL_CERT_DIR
           # The Tekton Operator automatically sets the SSL_CERT_DIR env to the value below but,
           # of course, without the $(param.SSL_CERT_DIR) bit. When a Task Step sets it to a