#
# METADATA
# title: Task bundle checks
# description: >-
# To be able to reproduce and audit builds accurately it's important
# to know exactly what happened during the build. To do this
# Enterprise Contract requires that all tasks are defined in a set of
# known and trusted task bundles. This package includes rules to
# confirm that the tasks that built the image were defined in task
# bundles, and that the task bundles used are from the list of known
# and trusted bundles.
#
package policy.release.attestation_task_bundle
import rego.v1
import data.lib
import data.lib.bundles
import data.lib.tkn
# METADATA
# title: Tasks defined using bundle references
# description: >-
#   Check for the existence of a task bundle. This rule will
#   fail if the task is not called from a bundle.
# custom:
#   short_name: tasks_defined_in_bundle
#   failure_msg: Pipeline task '%s' does not contain a bundle reference
#   collections:
#   - minimal
#   - redhat
#   depends_on:
#   - attestation_type.known_attestation_type
#
deny contains finding if {
	# One violation per pipeline task that is not referenced through a
	# bundle image; the task is identified by its pipeline task name.
	task := bundles.disallowed_task_reference(lib.tasks_from_pipelinerun)[_]
	finding := lib.result_helper(rego.metadata.chain(), [tkn.pipeline_task_name(task)])
}
# METADATA
# title: Task bundle references not empty
# description: >-
#   Check that a valid task bundle reference is being used.
# custom:
#   short_name: task_ref_bundles_not_empty
#   failure_msg: Pipeline task '%s' uses an empty bundle image reference
#   solution: >-
#     Specify a task bundle with a reference as the full digest.
#   collections:
#   - minimal
#   - redhat
#   depends_on:
#   - attestation_type.known_attestation_type
#
deny contains finding if {
	# A task whose bundle image reference is empty is reported by name.
	# Later rules in this package that skip empty references rely on this
	# rule to surface them.
	task := bundles.empty_task_bundle_reference(lib.tasks_from_pipelinerun)[_]
	finding := lib.result_helper(rego.metadata.chain(), [tkn.pipeline_task_name(task)])
}
# METADATA
# title: Task bundle references pinned to digest
# description: >-
#   Check if the Tekton Bundle used for the Tasks in the Pipeline definition
#   is pinned to a digest.
# custom:
#   short_name: task_ref_bundles_pinned
#   failure_msg: Pipeline task '%s' uses an unpinned task bundle reference '%s'
#   solution: >-
#     Specify the task bundle reference with a full digest rather than a tag.
#   collections:
#   - redhat
#   depends_on:
#   - attestation_type.known_attestation_type
#
warn contains finding if {
	# This is a warn, not a deny: an unpinned (non-digest) bundle reference
	# is reported together with the reference itself, but this rule alone
	# does not produce a violation.
	task := bundles.unpinned_task_bundle(lib.tasks_from_pipelinerun)[_]
	ref := bundles.bundle(task)
	finding := lib.result_helper(rego.metadata.chain(), [tkn.pipeline_task_name(task), ref])
}
# METADATA
# title: Task bundles are latest versions
# description: >-
#   For each Task in the SLSA Provenance attestation, check if the Tekton Bundle used is
#   the most recent.
# custom:
#   short_name: task_ref_bundles_current
#   failure_msg: Pipeline task '%s' uses an out of date task bundle '%s'
#   solution: >-
#     A task bundle used is not the most recent. The most recent task bundles are defined
#     in the data source of your policy config.
#   collections:
#   - redhat
#   depends_on:
#   - attestation_type.known_attestation_type
#
warn contains finding if {
	task := tkn.out_of_date_task_refs(lib.tasks_from_pipelinerun)[_]
	ref := bundles.bundle(task)
	# An empty reference is not an "out of date" bundle; it is reported
	# separately by the task_ref_bundles_not_empty deny rule.
	ref != ""
	finding := lib.result_helper(rego.metadata.chain(), [tkn.pipeline_task_name(task), ref])
}
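# METADATA
# title: Task bundles are in trusted tasks list
# description: >-
#   For each Task in the SLSA Provenance attestation, check if the Tekton Bundle used is
#   a trusted task.
# custom:
#   short_name: task_ref_bundles_trusted
#   failure_msg: Pipeline task '%s' uses an untrusted task bundle '%s'
#   solution: >-
#     Use a task bundle that is included in the trusted tasks list. The trusted task
#     bundles are defined in the 'trusted_tasks' rule data of your policy config.
#   collections:
#   - redhat
#   depends_on:
#   - attestation_type.known_attestation_type
#
deny contains result if {
	some task in tkn.untrusted_task_refs(lib.tasks_from_pipelinerun)
	bundle := bundles.bundle(task)
	# Empty references are skipped here; the task_ref_bundles_not_empty rule
	# already denies them, so they are not double-reported as "untrusted".
	bundle != ""
	result := lib.result_helper(rego.metadata.chain(), [tkn.pipeline_task_name(task), bundle])
}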
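# METADATA
# title: A trusted Tekton bundles list was provided
# description: >-
#   Confirm the `trusted_tasks` rule data was provided, since it's
#   required by the policy rules in this package.
# custom:
#   short_name: trusted_bundles_provided
#   failure_msg: Missing required trusted_tasks data
#   solution: >-
#     Create a list of trusted tasks. This is a list of task bundles with a top-level key
#     of 'trusted_tasks'.
#   collections:
#   - redhat
#
deny contains result if {
	# Without the trusted_tasks rule data the trust checks in this package
	# have nothing to compare against, so its absence is itself a violation.
	# This rule carries no task-specific arguments, hence the empty list.
	tkn.missing_trusted_tasks_data
	result := lib.result_helper(rego.metadata.chain(), [])
}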