#
# METADATA
# title: Attestation type
# description: >-
# Sanity checks related to the format of the image build's attestation.
#
package policy.release.attestation_type
import rego.v1
import data.lib
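# METADATA
# title: Known attestation type found
# description: >-
#   Confirm the attestation found for the image has a known
#   attestation type.
# custom:
#   short_name: known_attestation_type
#   failure_msg: Unknown attestation type '%s'
#   solution: >-
#     Make sure the "_type" field in the attestation is supported. Supported types are configured
#     in xref:ec-cli:ROOT:configuration.adoc#_data_sources[data sources].
#   collections:
#   - minimal
#   - redhat
#   depends_on:
#   - attestation_type.pipelinerun_attestation_found
#
deny contains result if {
	some att in lib.pipelinerun_attestations

	# A statement with no "_type" field is reported as an unknown type rather than skipped:
	# object.get yields "" for the missing key, which is never in the configured list, so the
	# rule fails closed instead of leaving a malformed attestation unreported.
	att_type := object.get(att.statement, "_type", "")
	not att_type in lib.rule_data(_rule_data_key)
	result := lib.result_helper(rego.metadata.chain(), [att_type])
}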
# METADATA
# title: Known attestation types provided
# description: Confirm the `known_attestation_types` rule data was provided.
# custom:
#   short_name: known_attestation_types_provided
#   failure_msg: '%s'
#   solution: Provide a list of known attestation types.
#   collections:
#   - minimal
#   - redhat
#   - policy_data
#
deny contains result if {
	# One violation per message produced by the rule-data schema check below.
	_rule_data_errors[msg]
	result := lib.result_helper(rego.metadata.chain(), [msg])
}
# METADATA
# title: PipelineRun attestation found
# description: >-
#   Confirm at least one PipelineRun attestation is present.
# custom:
#   short_name: pipelinerun_attestation_found
#   failure_msg: Missing pipelinerun attestation
#   solution: >-
#     Make sure the attestation being verified was generated from a Tekton pipelineRun.
#   collections:
#   - minimal
#   - redhat
#
deny contains result if {
	found := count(lib.pipelinerun_attestations)
	found == 0
	result := lib.result_helper(rego.metadata.chain(), [])
}
# METADATA
# title: Deprecated policy attestation format
# description: >-
#   The Enterprise Contract CLI now places the attestation data in a different location.
#   This check fails if the expected new format is not found.
# custom:
#   short_name: deprecated_policy_attestation_format
#   failure_msg: Deprecated policy attestation format found
#   solution: Use a newer version of the Enterprise Contract CLI.
#   collections:
#   - minimal
#   - redhat
#   effective_on: 2023-08-31T00:00:00Z
deny contains result if {
	# input.attestations is read directly (not through lib.pipelinerun_attestations) so that an
	# entry lacking the "statement" key of the current format is still seen by this check.
	att := input.attestations[_]
	not att.statement
	result := lib.result_helper(rego.metadata.chain(), [])
}
# Produce one message per schema violation when the known_attestation_types rule data is not a
# non-empty list of unique strings.
#
# NOTE(review): if lib.rule_data yields no value for the key, json.marshal is undefined and this
# rule produces no message at all — confirm lib.rule_data falls back to a default.
_rule_data_errors contains msg if {
	# json.match_schema accepts a marshaled JSON document (string) or an object, not a bare
	# array, so the list is marshaled before validation.
	marshaled := json.marshal(lib.rule_data(_rule_data_key))
	schema := {
		"$schema": "http://json-schema.org/draft-07/schema#",
		"type": "array",
		"items": {"type": "string"},
		"uniqueItems": true,
		"minItems": 1,
	}

	# match_schema returns [ok, violations]; only the violations are consumed here.
	outcome := json.match_schema(marshaled, schema)
	some violation in outcome[1]
	msg := sprintf("Rule data %s has unexpected format: %s", [_rule_data_key, violation.error])
}
# Rule-data key under which the list of accepted attestation "_type" values is looked up.
_rule_data_key := "known_attestation_types"