diff --git a/pipelines/gitops-pull-request-rhtap/gitops-pull-request.yaml b/pipelines/gitops-pull-request-rhtap/gitops-pull-request.yaml
new file mode 100644
index 0000000000..7da3bf9bf2
--- /dev/null
+++ b/pipelines/gitops-pull-request-rhtap/gitops-pull-request.yaml
@@ -0,0 +1,76 @@
+apiVersion: tekton.dev/v1
+kind: Pipeline
+metadata:
+ name: gitops-pull-request
+spec:
+ params:
+ - description: Gitops repo url
+ name: git-url
+ type: string
+ - description: Gitops repo revision
+ name: revision
+ type: string
+ default: ""
+ - description: Enterprise Contract policy to validate against
+ name: ec-policy-configuration
+ type: string
+ default: github.com/enterprise-contract/config//default
+ - description: Should EC violations cause the pipeline to fail?
+ name: ec-strict
+ type: string
+ default: "true"
+ - description: The public key that EC should use to verify signatures
+ name: ec-public-key
+ type: string
+ default: "k8s://$(context.pipelineRun.namespace)/cosign-pub"
+ - description: The Rekor host that EC should use to look up transparency logs
+ name: ec-rekor-host
+ type: string
+ default: http://rekor-server.rhtap.svc
+ - description: The TUF mirror that EC should use
+ name: ec-tuf-mirror
+ type: string
+ default: http://tuf.rhtap.svc
+ tasks:
+ - name: clone-repository
+ params:
+ - name: url
+ value: $(params.git-url)
+ - name: revision
+ value: $(params.revision)
+ taskRef:
+ name: git-clone
+ version: "0.1"
+ workspaces:
+ - name: output
+ workspace: workspace
+ - name: basic-auth
+ workspace: git-auth
+ - name: gather-deploy-images
+ runAfter:
+ - clone-repository
+ taskRef:
+ name: gather-deploy-images
+ version: "0.1"
+ workspaces:
+ - name: source
+ workspace: workspace
+ - name: verify-enteprise-contract
+ params:
+ - name: IMAGES
+ value: $(tasks.gather-deploy-images.results.IMAGES_TO_VERIFY)
+ - name: STRICT
+ value: $(params.ec-strict)
+ - name: POLICY_CONFIGURATION
+ value: $(params.ec-policy-configuration)
+ - name: PUBLIC_KEY
+ value: $(params.ec-public-key)
+ - name: REKOR_HOST
+ value: $(params.ec-rekor-host)
+ - name: TUF_MIRROR
+ value: $(params.ec-tuf-mirror)
+ runAfter:
+ - gather-deploy-images
+ taskRef:
+ name: verify-enterprise-contract
+ version: "0.1"
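Review bot: clone-repository and gather-deploy-images bind `workspace: workspace` and `workspace: git-auth`, but the pipeline spec declares no `workspaces:` list, and Tekton's pipeline validation rejects a pipeline-task workspace binding whose name is not declared on the pipeline. Adding, at the same level as `params:` and `tasks:`, the three lines `workspaces:` / `- name: workspace` / `- name: git-auth` makes the pipeline admissible; whether git-auth should also carry `optional: true` depends on how the git-clone task declares its basic-auth workspace, which is outside this diff. The pipeline task named `verify-enteprise-contract` is misspelled relative to its taskRef `verify-enterprise-contract`; task names surface in run status and in `$(tasks.<name>.results.…)` references, so renaming it before anything depends on it is cheaper than later. `ec-rekor-host` and `ec-tuf-mirror` default to plain `http://` in-cluster service URLs; a comment on those two params noting that the transport is unauthenticated and that integrity rests on the signed Rekor entries and TUF metadata would stop a future reader from treating the URL as a trust boundary.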
diff --git a/pipelines/gitops-pull-request-rhtap/kustomization.yaml b/pipelines/gitops-pull-request-rhtap/kustomization.yaml
new file mode 100644
index 0000000000..22d8228636
--- /dev/null
+++ b/pipelines/gitops-pull-request-rhtap/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- gitops-pull-request.yaml
diff --git a/pipelines/rhtap/kustomization.yaml b/pipelines/rhtap/kustomization.yaml
index ded2777a44..72e54ad8bd 100644
--- a/pipelines/rhtap/kustomization.yaml
+++ b/pipelines/rhtap/kustomization.yaml
@@ -2,3 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - ../docker-build-rhtap
+- ../gitops-pull-request-rhtap
diff --git a/task/buildah-rhtap/0.1/buildah-rhtap.yaml b/task/buildah-rhtap/0.1/buildah-rhtap.yaml
index d9d776686f..231cb93462 100644
--- a/task/buildah-rhtap/0.1/buildah-rhtap.yaml
+++ b/task/buildah-rhtap/0.1/buildah-rhtap.yaml
@@ -97,7 +97,7 @@ spec:
 workingDir: $(workspaces.source.path)
 - name: generate-sboms
- image: quay.io/redhat-appstudio/syft:v0.105.0@sha256:32a9d2007f2b042ceec4ef32fa1d90b8d28141822e7d9748f240da9d55c56601
+ image: registry.redhat.io/rh-syft-tech-preview/syft-rhel9:1.0.1@sha256:27c268d678103a27b6964c2cd5169040941b7304d0078f9727789ffb8ffba370
 # Respect Syft configuration if the user has it in the root of their repository
 # (need to set the workdir, see https://github.com/anchore/syft/issues/2465)
 workingDir: $(workspaces.source.path)/source
@@ -179,7 +179,8 @@ spec:
 workingDir: /tmp/files
 - name: upload-sbom
- image: quay.io/redhat-appstudio/cosign:v2.1.1@sha256:c883d6f8d39148f2cea71bff4622d196d89df3e510f36c140c097b932f0dd5d5
+ image: registry.redhat.io/rhtas-tech-preview/cosign-rhel9:0.0.2@sha256:151f4a1e721b644bafe47bf5bfb8844ff27b95ca098cc37f3f6cbedcda79a897
+ command: [cosign]
 args:
 - attach
 - sbom
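Review bot: Both image replacements in buildah-rhtap.yaml (generate-sboms at the `-97` hunk and upload-sbom at the `-179` hunk) move from quay.io to registry.redhat.io, an authenticated registry, so unless the pipeline service account already carries a pull secret for it the steps will fail at image pull with nothing in the task pointing at the cause. Retaining the `@sha256:` digest pins on both new references is the right call and should stay a review requirement for future bumps. A comment above each new `image:` line such as `# registry.redhat.io requires a pull secret on the pipeline service account` would make the dependency explicit. The added `command: [cosign]` suggests the new cosign image has a different entrypoint from the quay.io one; if the syft-rhel9 image also changed its entrypoint, generate-sboms may need the same treatment, which is worth confirming since its invocation lines are outside the hunk.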
diff --git a/task/gather-deploy-images/0.1/README.md b/task/gather-deploy-images/0.1/README.md
new file mode 100644
index 0000000000..f13ccccfa2
--- /dev/null
+++ b/task/gather-deploy-images/0.1/README.md
@@ -0,0 +1,13 @@
+# gather-deploy-images task
+
+Extract images from deployment YAML to pass to EC for validation
+
+## Results
+|name|description|
+|---|---|
+|IMAGES_TO_VERIFY|The images to be verified, in a format compatible with https://github.com/redhat-appstudio/build-definitions/tree/main/task/verify-enterprise-contract/0.1|
+
+## Workspaces
+|name|description|optional|
+|---|---|---|
+|source|Should contain a cloned gitops repo at the ./source subpath|false|
diff --git a/task/gather-deploy-images/0.1/gather-deploy-images.yaml b/task/gather-deploy-images/0.1/gather-deploy-images.yaml
new file mode 100644
index 0000000000..bbe6fa0f38
--- /dev/null
+++ b/task/gather-deploy-images/0.1/gather-deploy-images.yaml
@@ -0,0 +1,39 @@
+apiVersion: tekton.dev/v1
+kind: Task
+metadata:
+ name: gather-deploy-images
+spec:
+ description: Extract images from deployment YAML to pass to EC for validation
+ workspaces:
+ - description: Should contain a cloned gitops repo at the ./source subpath
+ name: source
+ results:
+ - name: IMAGES_TO_VERIFY
+ description: The images to be verified, in a format compatible with https://github.com/redhat-appstudio/build-definitions/tree/main/task/verify-enterprise-contract/0.1
+ steps:
+ - name: get-images-per-env
+ image: quay.io/redhat-appstudio/appstudio-utils:5bd7d6cb0b17f9f2eab043a8ad16ba3d90551bc2@sha256:8c7fcf86af40c71aeb58e4279625c8308af5144e2f6b8e28b0ec7e795260e5f7
+ workingDir: $(workspaces.source.path)/source
+ script: |
+ #!/bin/bash
+ set -euo pipefail
+
+ component_name=$(yq .metadata.name application.yaml)
+
+ for env in development stage prod; do
+ yq '.spec.template.spec.containers[0].image' "components/${component_name}/overlays/${env}/deployment-patch.yaml"
+ done | sort -u > /tmp/all-images.txt
+
+ # TODO: each component needs a {"source": {"git": {"url": "...", "revision": "..."}}}
+ # will that be too large for Tekton results?
+
+ jq --compact-output --raw-input --slurp < /tmp/all-images.txt '
+ # split input file
+ split("\n") |
+ # drop empty lines
+ map(select(length > 0)) |
+ # convert into EC-compatible format
+ {
+ "components": map({"containerImage": .})
+ }
+ ' | tee $(results.IMAGES_TO_VERIFY.path)
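Review bot: Only the first container's image is collected by `yq '.spec.template.spec.containers[0].image'`, so a deployment-patch.yaml that adds a second container, or uses initContainers, ships an image that never reaches Enterprise Contract verification; `yq '.spec.template.spec.containers[].image'` would cover every container in the list, and initContainers would need a second selector. If the yq in the appstudio-utils image follows v4 behaviour, a patch that does not set an image yields the literal string `null` with exit status 0, which then passes `select(length > 0)` and is handed to EC as a containerImage instead of failing the step; a `select(. != "null")` in the jq filter, or a check on the yq output, would turn that into a hard failure. Both values come from repository content that a pull request controls, so the script should treat them as untrusted input rather than assume a well-formed gitops layout. Quoting the result path in the final line, `' | tee "$(results.IMAGES_TO_VERIFY.path)"`, would keep the script shellcheck-clean without changing behaviour.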