From 1540dd44f9ec7fc13cb81c979c6df831e2ab9f86 Mon Sep 17 00:00:00 2001 From: Sylwester Piskozub Date: Fri, 8 Aug 2025 12:30:14 +0200 Subject: [PATCH 1/4] fix yaml comments removal on format Signed-off-by: Sylwester Piskozub --- app/cli/internal/policydevel/lint.go | 81 ++++++++++++++++++++++++++-- 1 file changed, 76 insertions(+), 5 deletions(-) diff --git a/app/cli/internal/policydevel/lint.go b/app/cli/internal/policydevel/lint.go index e59585933..d5d8b41de 100644 --- a/app/cli/internal/policydevel/lint.go +++ b/app/cli/internal/policydevel/lint.go @@ -25,14 +25,13 @@ import ( "strconv" "strings" - "github.com/bufbuild/protoyaml-go" v1 "github.com/chainloop-dev/chainloop/app/controlplane/api/workflowcontract/v1" "github.com/chainloop-dev/chainloop/app/controlplane/pkg/unmarshal" "github.com/open-policy-agent/opa/v1/format" "github.com/styrainc/regal/pkg/config" "github.com/styrainc/regal/pkg/linter" "github.com/styrainc/regal/pkg/rules" - "gopkg.in/yaml.v2" + "gopkg.in/yaml.v3" ) //go:embed .regal.yaml 
@@ -189,11 +188,25 @@ func (p *PolicyToLint) validateYAMLFile(file *File) {
 // Update policy file with formatted content
 if p.Format {
- outYAML, err := protoyaml.Marshal(&policy)
+ var root yaml.Node
+ if err := yaml.Unmarshal(file.Content, &root); err != nil {
+ p.AddError(file.Path, fmt.Sprintf("failed to parse YAML: %v", err), 0)
+ return
+ }
+
+ if err := p.updateEmbeddedRegoInYAML(file, &root); err != nil {
+ p.AddError(file.Path, fmt.Sprintf("failed to update embedded Rego: %v", err), 0)
+ return
+ }
+
+ outYAML, err := yaml.Marshal(&root)
 if err != nil {
 p.AddError(file.Path, fmt.Sprintf("failed to marshal updated YAML: %v", err), 0)
- } else if err := os.WriteFile(file.Path, outYAML, 0600); err != nil {
- p.AddError(file.Path, fmt.Sprintf("failed to save updated file: %v", err), 0)
+ return
+ }
+
+ if err := os.WriteFile(file.Path, outYAML, 0600); err != nil {
+ p.AddError(file.Path, fmt.Sprintf("failed to write updated file: %v", err), 0)
 } else {
 file.Content = outYAML
 }
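Review bot: The `os.WriteFile(file.Path, outYAML, 0600)` line replaces the user's policy file in place, so an interrupted write leaves a truncated file with no copy of the original, and the 0600 literal only takes effect when the file is created — an existing policy file keeps whatever mode it already has. Since this branch runs whenever p.Format is set, writing to a temporary file in the same directory and renaming it over file.Path keeps the original intact until the new content is fully on disk (os.CreateTemp also creates the file with mode 0600, matching the current intent). validateYAMLFile begins before this hunk, and the closing brace of the if p.Format block appears to fall outside it. The sketch below needs path/filepath imported at the top of the file.
```go
// … unchanged: parse into root, updateEmbeddedRegoInYAML, yaml.Marshal …
tmp, err := os.CreateTemp(filepath.Dir(file.Path), ".policy-*.yaml")
if err == nil {
	if _, err = tmp.Write(outYAML); err == nil {
		err = tmp.Close()
	} else {
		_ = tmp.Close()
	}
}
if err == nil {
	err = os.Rename(tmp.Name(), file.Path)
}
if err != nil {
	if tmp != nil {
		_ = os.Remove(tmp.Name())
	}
	p.AddError(file.Path, fmt.Sprintf("failed to write updated file: %v", err), 0)
} else {
	file.Content = outYAML
}
```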
@@ -389,3 +402,61 @@ func (p *PolicyToLint) processRegalViolation(rawErr error, path string) {
 p.AddError(path, line, 0)
 }
 }
+
+// Updates the embedded rego policies in a YAML file
+// Manual update required due to yaml.marshal limitations
+func (p *PolicyToLint) updateEmbeddedRegoInYAML(file *File, rootNode *yaml.Node) error {
+ if rootNode.Kind != yaml.DocumentNode || len(rootNode.Content) == 0 {
+ return fmt.Errorf("unexpected YAML root structure")
+ }
+
+ doc := rootNode.Content[0]
+ if doc.Kind != yaml.MappingNode {
+ return fmt.Errorf("expected mapping node at document root")
+ }
+
+ // Locate spec policy node
+ var specNode *yaml.Node
+ for i := 0; i < len(doc.Content)-1; i += 2 {
+ if doc.Content[i].Value == "spec" && doc.Content[i+1].Kind == yaml.MappingNode {
+ specNode = doc.Content[i+1]
+ break
+ }
+ }
+ if specNode == nil {
+ return fmt.Errorf("spec node not found")
+ }
+
+ // Locate policies node within spec
+ var policiesNode *yaml.Node
+ for i := 0; i < len(specNode.Content)-1; i += 2 {
+ if specNode.Content[i].Value == "policies" && specNode.Content[i+1].Kind == yaml.SequenceNode {
+ policiesNode = specNode.Content[i+1]
+ break
+ }
+ }
+ if policiesNode == nil {
+ return fmt.Errorf("spec.policies node not found")
+ }
+
+ // Iterate over and update each rego policy
+ for _, policy := range policiesNode.Content {
+ if policy.Kind != yaml.MappingNode {
+ continue
+ }
+
+ for i := 0; i < len(policy.Content)-1; i += 2 {
+ key := policy.Content[i]
+ val := policy.Content[i+1]
+
+ if key.Value == "embedded" && val.Kind == yaml.ScalarNode {
+ formatted := p.validateAndFormatRego(val.Value, file.Path)
+ if formatted != val.Value {
+ val.Value = formatted
+ }
+ }
+ }
+ }
+
+ return nil
+}
From b7e488420e38c57270c08155e97f0f440060b146 Mon Sep 17 00:00:00 2001
From: Sylwester Piskozub
Date: Fri, 8 Aug 2025 12:37:20 +0200
Subject: [PATCH 2/4] fix indentation
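Review bot: The `if formatted != val.Value` guard around `val.Value = formatted` is redundant — assigning an equal string is a no-op — and the header comment does not follow the Go convention of opening with the function name; `// updateEmbeddedRegoInYAML formats every spec.policies[].embedded scalar in rootNode in place via validateAndFormatRego, walking the yaml.Node tree so that comments and scalar styles survive re-encoding (the commit title indicates the previous protoyaml round-trip dropped them).` would state both what it does and why the node walk exists. Also worth confirming: if validateAndFormatRego reports lint findings through p.AddError, calling it here a second time on the same embedded Rego (any earlier validation pass is outside this hunk) would duplicate every finding whenever p.Format is set. A document whose root is not a mapping, or that has no spec.policies sequence, is rejected with an error rather than left untouched, which looks intended but should be said in the comment so callers know a format run can fail on such files.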
Signed-off-by: Sylwester Piskozub --- app/cli/internal/policydevel/lint.go | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/app/cli/internal/policydevel/lint.go b/app/cli/internal/policydevel/lint.go index d5d8b41de..8f4606dec 100644 --- a/app/cli/internal/policydevel/lint.go +++ b/app/cli/internal/policydevel/lint.go @@ -16,6 +16,7 @@ package policydevel import ( + "bytes" "context" "embed" "fmt" @@ -199,12 +200,17 @@ func (p *PolicyToLint) validateYAMLFile(file *File) { return } - outYAML, err := yaml.Marshal(&root) - if err != nil { - p.AddError(file.Path, fmt.Sprintf("failed to marshal updated YAML: %v", err), 0) + var buf bytes.Buffer + enc := yaml.NewEncoder(&buf) + enc.SetIndent(2) + defer enc.Close() + + if err := enc.Encode(&root); err != nil { + p.AddError(file.Path, fmt.Sprintf("failed to encode YAML: %v", err), 0) return } + outYAML := buf.Bytes() if err := os.WriteFile(file.Path, outYAML, 0600); err != nil { p.AddError(file.Path, fmt.Sprintf("failed to write updated file: %v", err), 0) } else { From 64694fa052146edf7987ea208cb54637ab2656a3 Mon Sep 17 00:00:00 2001 From: Sylwester Piskozub Date: Fri, 8 Aug 2025 12:45:41 +0200 Subject: [PATCH 3/4] update and fix policies in docs 
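Review bot: `defer enc.Close()` discards the encoder's Close error and runs only after `outYAML := buf.Bytes()` has been captured, so any data the encoder still holds at Close time would be missing from what gets written. yaml.v3 appears to flush at document end, so the output is probably complete today, but the ordering is fragile; closing explicitly and checking the result before reading the buffer makes the contract explicit: `if err := enc.Close(); err != nil {` / `p.AddError(file.Path, fmt.Sprintf("failed to encode YAML: %v", err), 0)` / `return }`, placed before `outYAML := buf.Bytes()`. validateYAMLFile begins before the second hunk of this patch.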
Signed-off-by: Sylwester Piskozub --- docs/examples/policies/chainloop-commit.yaml | 43 ++++--- docs/examples/policies/chainloop-qa.yaml | 44 ++++---- .../policies/quickstart/cdx-fresh.yaml | 106 +++++++++--------- docs/examples/policies/sarif-errors.yaml | 42 +++---- .../sbom/cyclonedx-banned-licenses.yaml | 36 +++--- .../sbom/cyclonedx-banned-packages.yaml | 60 +++++----- .../policies/sbom/cyclonedx-freshness.yaml | 52 ++++----- .../policies/sbom/cyclonedx-licenses.yaml | 79 +++++++------ .../sbom/cyclonedx-required-packages.yaml | 48 ++++---- docs/examples/policies/sbom/sbom-present.yaml | 50 ++++----- .../policies/sbom/spdx-sbom-syft.yaml | 88 +++++++-------- docs/examples/policies/trivy-vulns.yaml | 46 ++++---- 12 files changed, 346 insertions(+), 348 deletions(-) diff --git a/docs/examples/policies/chainloop-commit.yaml b/docs/examples/policies/chainloop-commit.yaml index 5db355f22..f4a35bda4 100644 --- a/docs/examples/policies/chainloop-commit.yaml +++ b/docs/examples/policies/chainloop-commit.yaml 
@@ -21,45 +21,44 @@ spec: - kind: ATTESTATION embedded: | package main - + import rego.v1 - + ################################ # Common section do NOT change # ################################ - + result := { - "skipped": skipped, - "violations": violations, - "skip_reason": skip_reason, + "skipped": skipped, + "violations": violations, + "skip_reason": skip_reason, } - + default skip_reason := "" - + skip_reason := m if { - not valid_input - m := "the file content is not recognized" + not valid_input + m := "the file content is not recognized" } - + default skipped := true - + skipped := false if valid_input - + ######################################## # EO Common section, custom code below # ######################################## - + # TODO: update to validate if the file is expected, i.e checking the tool that generates it valid_input := true - + violations contains msg if { - not has_commit - msg := "missing commit in attestation material" + not has_commit + msg := "missing commit in attestation material" } - + has_commit if { - some sub in input.subject - sub.name == "git.head" - sub.digest.sha1 + some sub in input.subject + sub.name == "git.head" + sub.digest.sha1 } - diff --git a/docs/examples/policies/chainloop-qa.yaml b/docs/examples/policies/chainloop-qa.yaml index 618a2b5f7..2eba9188b 100644 --- a/docs/examples/policies/chainloop-qa.yaml +++ b/docs/examples/policies/chainloop-qa.yaml 
@@ -24,45 +24,45 @@ spec: - kind: ATTESTATION embedded: | package main - + import rego.v1 - + ################################ # Common section do NOT change # ################################ - + result := { - "skipped": skipped, - "violations": violations, - "skip_reason": skip_reason, + "skipped": skipped, + "violations": violations, + "skip_reason": skip_reason, } - + default skip_reason := "" - + skip_reason := m if { - not valid_input - m := "the file content is not recognized" + not valid_input + m := "the file content is not recognized" } - + default skipped := true - + skipped := false if valid_input - + ######################################## # EO Common section, custom code below # ######################################## - + # TODO: update to validate if the file is expected, i.e checking the tool that generates it valid_input := true - + violations contains msg if { - not is_approved - - msg:= "Container image is not approved" + not is_approved + + msg := "Container image is not approved" } - + is_approved if { - input.predicate.annotations.approval == "true" - some material in input.predicate.materials - material.annotations["chainloop.material.type"] == "CONTAINER_IMAGE" + input.predicate.annotations.approval == "true" + some material in input.predicate.materials + material.annotations["chainloop.material.type"] == "CONTAINER_IMAGE" } diff --git a/docs/examples/policies/quickstart/cdx-fresh.yaml b/docs/examples/policies/quickstart/cdx-fresh.yaml index 6f9448795..40ef20183 100644 --- a/docs/examples/policies/quickstart/cdx-fresh.yaml +++ b/docs/examples/policies/quickstart/cdx-fresh.yaml 
@@ -1,57 +1,57 @@ apiVersion: workflowcontract.chainloop.dev/v1 kind: Policy metadata: - name: cdx-fresh - description: Checks that SBOM is maximum of 30 days old - annotations: - category: quickstart + name: cdx-fresh + description: Checks that SBOM is maximum of 30 days old + annotations: + category: quickstart spec: - policies: - - embedded: | - package main - - import rego.v1 - - ################################ - # Common section do NOT change # - ################################ - - result := { - "skipped": skipped, - "violations": violations, - "skip_reason": skip_reason, - "ignore": ignore, - } - - default skip_reason := "" - - skip_reason := m if { - not valid_input - m := "invalid input" - } - - default skipped := true - - skipped := false if valid_input - - default ignore := false - - ######################################## - # EO Common section, custom code below # - ######################################## - # Validates if the input is valid and can be understood by this policy - valid_input := true - - limit := 30 - nanosecs_per_second := (1000 * 1000) * 1000 - nanosecs_per_day := ((24 * 60) * 60) * nanosecs_per_second - maximum_age := limit * nanosecs_per_day - - # If the input is valid, check for any policy violation here - violations contains msg if { - sbom_ns = time.parse_rfc3339_ns(input.metadata.timestamp) - exceeding = time.now_ns() - (sbom_ns + maximum_age) - exceeding > 0 - msg := sprintf("SBOM created at: %s which is too old (freshness limit set to %d days)", [input.metadata.timestamp, limit]) - } - kind: SBOM_CYCLONEDX_JSON + policies: + - embedded: | + package main + + import rego.v1 + + ################################ + # Common section do NOT change # + ################################ + + result := { + "skipped": skipped, + "violations": violations, + "skip_reason": skip_reason, + "ignore": ignore, + } + + default skip_reason := "" + + skip_reason := m if { + not valid_input + m := "invalid input" + } + + default skipped := true + + 
skipped := false if valid_input + + default ignore := false + + ######################################## + # EO Common section, custom code below # + ######################################## + # Validates if the input is valid and can be understood by this policy + valid_input := true + + limit := 30 + nanosecs_per_second := (1000 * 1000) * 1000 + nanosecs_per_day := ((24 * 60) * 60) * nanosecs_per_second + maximum_age := limit * nanosecs_per_day + + # If the input is valid, check for any policy violation here + violations contains msg if { + sbom_ns = time.parse_rfc3339_ns(input.metadata.timestamp) + exceeding = time.now_ns() - (sbom_ns + maximum_age) + exceeding > 0 + msg := sprintf("SBOM created at: %s which is too old (freshness limit set to %d days)", [input.metadata.timestamp, limit]) + } + kind: SBOM_CYCLONEDX_JSON diff --git a/docs/examples/policies/sarif-errors.yaml b/docs/examples/policies/sarif-errors.yaml index 275ff4ab7..56f7401bf 100644 --- a/docs/examples/policies/sarif-errors.yaml +++ b/docs/examples/policies/sarif-errors.yaml 
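Review bot: `sbom_ns = time.parse_rfc3339_ns(input.metadata.timestamp)` and `exceeding = time.now_ns() - (sbom_ns + maximum_age)` still use `=` while the other locals in the reindented block (`nanosecs_per_second :=`, `maximum_age :=`, `msg :=`) use `:=`; since this patch exists to normalize the examples, `sbom_ns := time.parse_rfc3339_ns(input.metadata.timestamp)` and `exceeding := time.now_ns() - (sbom_ns + maximum_age)` would keep them consistent. The same two lines appear in docs/examples/policies/sbom/cyclonedx-freshness.yaml later in this patch.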
@@ -22,44 +22,44 @@ spec: - kind: SARIF embedded: | package main - + import rego.v1 - + ################################ # Common section do NOT change # ################################ - + result := { - "skipped": skipped, - "violations": violations, - "skip_reason": skip_reason, + "skipped": skipped, + "violations": violations, + "skip_reason": skip_reason, } - + default skip_reason := "" - + skip_reason := m if { - not valid_input - m := "the file content is not recognized" + not valid_input + m := "the file content is not recognized" } - + default skipped := true - + skipped := false if valid_input - + ######################################## # EO Common section, custom code below # ######################################## - + # TODO: update to validate if the file is expected, i.e checking the tool that generates it valid_input := true - + violations contains msg if { - has_errors - msg := "There are errors in the SARIF report" + has_errors + msg := "There are errors in the SARIF report" } - + has_errors if { - some run in input.runs - some result in run.results - result.level == "error" + some run in input.runs + some result in run.results + result.level == "error" } diff --git a/docs/examples/policies/sbom/cyclonedx-banned-licenses.yaml b/docs/examples/policies/sbom/cyclonedx-banned-licenses.yaml index 30dcc868c..38ea0d5a4 100644 --- a/docs/examples/policies/sbom/cyclonedx-banned-licenses.yaml +++ b/docs/examples/policies/sbom/cyclonedx-banned-licenses.yaml 
@@ -24,42 +24,42 @@ spec: - kind: SBOM_CYCLONEDX_JSON embedded: | package main - + import rego.v1 - + ################################ # Common section do NOT change # ################################ - + result := { - "skipped": skipped, - "violations": violations, - "skip_reason": skip_reason, + "skipped": skipped, + "violations": violations, + "skip_reason": skip_reason, } - + default skip_reason := "" - + skip_reason := m if { - not valid_input - m := "the file content is not recognized" + not valid_input + m := "the file content is not recognized" } - + default skipped := true - + skipped := false if valid_input - + ######################################## # EO Common section, custom code below # ######################################## - + # TODO: update to validate if the file is expected, i.e checking the tool that generates it valid_input := true banned_licenses := ["GPL-2.0", "GPL-3.0"] violations contains ref if { - some comp in input.components - some lic in comp.licenses - lic.license.name in banned_licenses - ref := sprintf("Forbidden license %v for %v (%v)", [license.name, comp.name, comp["bom-ref"]]) + some comp in input.components + some lic in comp.licenses + lic.license.name in banned_licenses + ref := sprintf("Forbidden license %v for %v (%v)", [license.name, comp.name, comp["bom-ref"]]) } diff --git a/docs/examples/policies/sbom/cyclonedx-banned-packages.yaml b/docs/examples/policies/sbom/cyclonedx-banned-packages.yaml index 1c1690bd4..23c38f184 100644 --- a/docs/examples/policies/sbom/cyclonedx-banned-packages.yaml +++ b/docs/examples/policies/sbom/cyclonedx-banned-packages.yaml 
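Review bot: The reindented `ref := sprintf("Forbidden license %v for %v (%v)", [license.name, comp.name, comp["bom-ref"]])` still references `license`, which is not bound anywhere in the rule (the iteration variable on the line above is `lic`), so OPA should reject the rule for an unsafe variable and the example cannot evaluate as published; the line should read `ref := sprintf("Forbidden license %v for %v (%v)", [lic.license.name, comp.name, comp["bom-ref"]])`. The defect predates the patch, but the patch touches the line, so this is the place to fix it.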
@@ -24,57 +24,57 @@ spec: - kind: SBOM_CYCLONEDX_JSON embedded: | package main - + import rego.v1 - + ################################ # Common section do NOT change # ################################ - + result := { - "skipped": skipped, - "violations": violations, - "skip_reason": skip_reason, + "skipped": skipped, + "violations": violations, + "skip_reason": skip_reason, } - + default skip_reason := "" - + skip_reason := m if { - not valid_input - m := "the file content is not recognized" + not valid_input + m := "the file content is not recognized" } - + default skipped := true - + skipped := false if valid_input - + ######################################## # EO Common section, custom code below # ######################################## - + # TODO: update to validate if the file is expected, i.e checking the tool that generates it valid_input := true - + # It supports packages with version. When specified, requires it to be semver, and would also fail when version is lower banned_packages := ["log4j@2.14.1"] - + # all versions violations contains ref if { - some comp in input.components - some banned in banned_packages - nv := split(banned, "@") - not nv[1] - comp.name == nv[0] - ref := sprintf("Banned package: %v", [comp.name]) + some comp in input.components + some banned in banned_packages + nv := split(banned, "@") + not nv[1] + comp.name == nv[0] + ref := sprintf("Banned package: %v", [comp.name]) } - + # specific versions violations contains ref if { - some comp in input.components - some banned banned_packages - nv := split(banned, "@") - comp.name == nv[0] - result := semver.compare(comp.version, nv[1]) - result <= 0 - ref := sprintf("Banned package: %v %v", [comp.name, comp.version]) + some comp in input.components + some banned in banned_packages + nv := split(banned, "@") + comp.name == nv[0] + result := semver.compare(comp.version, nv[1]) + result <= 0 + ref := sprintf("Banned package: %v %v", [comp.name, comp.version]) } 
diff --git a/docs/examples/policies/sbom/cyclonedx-freshness.yaml b/docs/examples/policies/sbom/cyclonedx-freshness.yaml index e800559ac..bedba90e7 100644 --- a/docs/examples/policies/sbom/cyclonedx-freshness.yaml +++ b/docs/examples/policies/sbom/cyclonedx-freshness.yaml 
@@ -24,48 +24,48 @@ spec: - kind: SBOM_CYCLONEDX_JSON embedded: | package main - + import rego.v1 - + ################################ # Common section do NOT change # ################################ - + result := { - "skipped": skipped, - "violations": violations, - "skip_reason": skip_reason, + "skipped": skipped, + "violations": violations, + "skip_reason": skip_reason, } - + default skip_reason := "" - + skip_reason := m if { - not valid_input - m := "the file content is not recognized" + not valid_input + m := "the file content is not recognized" } - + default skipped := true - + skipped := false if valid_input - + ######################################## # EO Common section, custom code below # ######################################## - + # TODO: update to validate if the file is expected, i.e checking the tool that generates it valid_input := true - + limit := 30 - - nanosecs_per_second = (1000 * 1000) * 1000 - - nanosecs_per_day = ((24 * 60) * 60) * nanosecs_per_second - - maximum_age = limit * nanosecs_per_day - + + nanosecs_per_second := (1000 * 1000) * 1000 + + nanosecs_per_day := ((24 * 60) * 60) * nanosecs_per_second + + maximum_age := limit * nanosecs_per_day + violations contains msg if { - sbom_ns = time.parse_rfc3339_ns(input.metadata.timestamp) - exceeding = time.now_ns() - (sbom_ns + maximum_age) - exceeding > 0 - msg := sprintf("SBOM created at: %s which is too old (freshness limit set to %d days)", [input.metadata.timestamp, limit]) + sbom_ns = time.parse_rfc3339_ns(input.metadata.timestamp) + exceeding = time.now_ns() - (sbom_ns + maximum_age) + exceeding > 0 + msg := sprintf("SBOM created at: %s which is too old (freshness limit set to %d days)", [input.metadata.timestamp, limit]) } diff --git a/docs/examples/policies/sbom/cyclonedx-licenses.yaml b/docs/examples/policies/sbom/cyclonedx-licenses.yaml index cce5efb23..e222182b9 100644 --- a/docs/examples/policies/sbom/cyclonedx-licenses.yaml 
+++ b/docs/examples/policies/sbom/cyclonedx-licenses.yaml @@ -7,44 +7,43 @@ metadata: category: sbom spec: policies: - - kind: SBOM_CYCLONEDX_JSON - embedded: | - package main - - import rego.v1 - - # Global result object - result := { - "skipped": skipped, - "violations": violations, - "skip_reason": skip_reason, - } - - default skip_reason := "" - - skip_reason := m if { - not valid_input - m := "the file content is not recognized" - } - - default skipped := true - - skipped := false if valid_input - - valid_input if { - # expect at least 1 component in the SBOM - count(input.components) > 0 - } - - violations contains msg if { - count(without_license) > 0 - msg := sprintf("Missing licenses for %s", [components_str]) - } - - components_str := concat(", ", [comp.purl | some comp in without_license]) - - without_license contains comp if { - some comp in input.components - not comp.licenses - } + - kind: SBOM_CYCLONEDX_JSON + embedded: | + package main + import rego.v1 + + # Global result object + result := { + "skipped": skipped, + "violations": violations, + "skip_reason": skip_reason, + } + + default skip_reason := "" + + skip_reason := m if { + not valid_input + m := "the file content is not recognized" + } + + default skipped := true + + skipped := false if valid_input + + valid_input if { + # expect at least 1 component in the SBOM + count(input.components) > 0 + } + + violations contains msg if { + count(without_license) > 0 + msg := sprintf("Missing licenses for %s", [components_str]) + } + + components_str := concat(", ", [comp.purl | some comp in without_license]) + + without_license contains comp if { + some comp in input.components + not comp.licenses + } diff --git a/docs/examples/policies/sbom/cyclonedx-required-packages.yaml b/docs/examples/policies/sbom/cyclonedx-required-packages.yaml index 6310f588f..c24bc3c85 100644 --- a/docs/examples/policies/sbom/cyclonedx-required-packages.yaml +++ b/docs/examples/policies/sbom/cyclonedx-required-packages.yaml 
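Review bot: The new side places `import rego.v1` directly after `package main` with no blank line, unlike every other example in this patch series, and opa fmt output generally separates the two; if this file was hand-edited rather than produced by the formatter, re-running the tool would keep the examples uniform and confirm the rest of the block is what the formatter emits.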
@@ -24,48 +24,48 @@ spec: - kind: SBOM_CYCLONEDX_JSON embedded: | package main - + import rego.v1 - + ################################ # Common section do NOT change # ################################ - + result := { - "skipped": skipped, - "violations": violations, - "skip_reason": skip_reason, + "skipped": skipped, + "violations": violations, + "skip_reason": skip_reason, } - + default skip_reason := "" - + skip_reason := m if { - not valid_input - m := "the file content is not recognized" + not valid_input + m := "the file content is not recognized" } - + default skipped := true - + skipped := false if valid_input - + ######################################## # EO Common section, custom code below # ######################################## - + # TODO: update to validate if the file is expected, i.e checking the tool that generates it valid_input := true - + required_packages := {"glibc", "libcrypto3"} - + violations contains msg if { - count(all_matches) != count(required_packages) - missing := required_packages - all_matches - some i - msg := sprintf("missing package: %v", [missing[i]]) + count(all_matches) != count(required_packages) + missing := required_packages - all_matches + some i + msg := sprintf("missing package: %v", [missing[i]]) } - + all_matches contains name if { - some comp in input.components - comp.name in required_packages - name := comp.name + some comp in input.components + comp.name in required_packages + name := comp.name } diff --git a/docs/examples/policies/sbom/sbom-present.yaml b/docs/examples/policies/sbom/sbom-present.yaml index de5c6cea9..71b123797 100644 --- a/docs/examples/policies/sbom/sbom-present.yaml +++ b/docs/examples/policies/sbom/sbom-present.yaml 
@@ -24,52 +24,52 @@ spec: - kind: ATTESTATION embedded: | package main - + # Verifies there is a SBOM material, even if not enforced by contract - + import rego.v1 - + ################################ # Common section do NOT change # ################################ - + result := { - "skipped": skipped, - "violations": violations, - "skip_reason": skip_reason, + "skipped": skipped, + "violations": violations, + "skip_reason": skip_reason, } - + default skip_reason := "" - + skip_reason := m if { - not valid_input - m := "the file content is not recognized" + not valid_input + m := "the file content is not recognized" } - + default skipped := true - + skipped := false if valid_input - + ######################################## # EO Common section, custom code below # ######################################## - + # TODO: update to validate if the file is expected, i.e checking the tool that generates it valid_input := true - + violations contains msg if { - not has_sbom - msg := "missing SBOM material" + not has_sbom + msg := "missing SBOM material" } - + # Collect all material types kinds contains kind if { - some material in input.predicate.materials - kind := material.annotations["chainloop.material.type"] + some material in input.predicate.materials + kind := material.annotations["chainloop.material.type"] } - + has_sbom if { - values := ["SBOM_SPDX_JSON","SBOM_CYCLONEDX_JSON"] - some kind in kinds - kind in values + values := ["SBOM_SPDX_JSON", "SBOM_CYCLONEDX_JSON"] + some kind in kinds + kind in values } diff --git a/docs/examples/policies/sbom/spdx-sbom-syft.yaml b/docs/examples/policies/sbom/spdx-sbom-syft.yaml index 772a54597..527715202 100644 --- a/docs/examples/policies/sbom/spdx-sbom-syft.yaml +++ b/docs/examples/policies/sbom/spdx-sbom-syft.yaml 
@@ -21,47 +21,47 @@ metadata: category: sbom spec: policies: - - kind: SBOM_SPDX_JSON - embedded: | - package main - - import rego.v1 - - ################################ - # Common section do NOT change # - ################################ - - result := { - "skipped": skipped, - "violations": violations, - "skip_reason": skip_reason, - } - - default skip_reason := "" - - skip_reason := m if { - not valid_input - m := "the file content is not recognized" - } - - default skipped := true - - skipped := false if valid_input - - ######################################## - # EO Common section, custom code below # - ######################################## - - # TODO: update to validate if the file is expected, i.e checking the tool that generates it - valid_input := true - - violations contains msg if { - not made_with_syft - - msg := "Not made with syft" - } - - made_with_syft if { - some creator in input.creationInfo.creators - contains(creator, "syft") - } + - kind: SBOM_SPDX_JSON + embedded: | + package main + + import rego.v1 + + ################################ + # Common section do NOT change # + ################################ + + result := { + "skipped": skipped, + "violations": violations, + "skip_reason": skip_reason, + } + + default skip_reason := "" + + skip_reason := m if { + not valid_input + m := "the file content is not recognized" + } + + default skipped := true + + skipped := false if valid_input + + ######################################## + # EO Common section, custom code below # + ######################################## + + # TODO: update to validate if the file is expected, i.e checking the tool that generates it + valid_input := true + + violations contains msg if { + not made_with_syft + + msg := "Not made with syft" + } + + made_with_syft if { + some creator in input.creationInfo.creators + contains(creator, "syft") + } 
diff --git a/docs/examples/policies/trivy-vulns.yaml b/docs/examples/policies/trivy-vulns.yaml index 6a2d2298b..a88baef50 100644 --- a/docs/examples/policies/trivy-vulns.yaml +++ b/docs/examples/policies/trivy-vulns.yaml @@ -21,47 +21,47 @@ spec: policies: - embedded: | package main - + import rego.v1 - + ################################ # Common section do NOT change # ################################ - + result := { - "skipped": skipped, - "violations": violations, - "skip_reason": skip_reason, + "skipped": skipped, + "violations": violations, + "skip_reason": skip_reason, } - + default skip_reason := "" - + skip_reason := m if { - not valid_input - m := "the file content is not recognized" + not valid_input + m := "the file content is not recognized" } - + default skipped := true - + skipped := false if valid_input - + ######################################## # EO Common section, custom code below # ######################################## - + # TODO: update to validate if the file is expected, i.e checking the tool that generates it valid_input := true - + # Verifies there is a SBOM material, even if not enforced by contract - + violations contains msg if { - has_vulnerabilities - msg := "CVE report has vulnerabilities with severity MEDIUM or HIGH" + has_vulnerabilities + msg := "CVE report has vulnerabilities with severity MEDIUM or HIGH" } - + has_vulnerabilities if { - severities := ["HIGH", "MEDIUM"] - some result in input.Results - some vuln in result.Vulnerabilities - vuln.Severity in severities + severities := ["HIGH", "MEDIUM"] + some result in input.Results + some vuln in result.Vulnerabilities + vuln.Severity in severities } From 8c486ff28ac835220fae007b0fe908a26489d4a9 Mon Sep 17 00:00:00 2001 From: Sylwester Piskozub Date: Fri, 8 Aug 2025 12:50:42 +0200 Subject: [PATCH 4/4] fix go mod Signed-off-by: Sylwester Piskozub --- go.mod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/go.mod b/go.mod index 24e46ccaa..13d2484ff 100644 
--- a/go.mod
+++ b/go.mod
@@ -382,7 +382,7 @@ require (
 gopkg.in/inf.v0 v0.9.1 // indirect
 gopkg.in/ini.v1 v1.67.0 // indirect
 gopkg.in/yaml.v2 v2.4.0
- gopkg.in/yaml.v3 v3.0.1 // indirect
+ gopkg.in/yaml.v3 v3.0.1
 k8s.io/api v0.28.6 // indirect
 k8s.io/apimachinery v0.28.6
 k8s.io/client-go v0.28.6 // indirect