#
# METADATA
# title: Provenance Materials
# description: >-
#   This package provides rules for verifying the contents of the materials section
#   of the SLSA Provenance attestation.
#
package policy.release.provenance_materials
import rego.v1
import data.lib
import data.lib.tkn
# METADATA
# title: Git clone task found
# description: >-
#   Confirm that the attestation contains a git-clone task with `commit` and `url` task results.
# custom:
#   short_name: git_clone_task_found
#   failure_msg: Task git-clone not found
#   solution: >-
#     Make sure the build pipeline contains a task named 'git-clone'.
#   collections:
#   - minimal
#   - redhat
#   depends_on:
#   - attestation_type.known_attestation_type
#
deny contains result if {
	# Evaluated once per pipelinerun attestation; each attestation without a
	# git-clone task produces its own violation.
	some attestation in lib.pipelinerun_attestations
	# Only the presence of a git-clone task is checked here. Whether such a task
	# must also expose `url` and `commit` results, as the description states, is
	# decided inside data.lib.tkn.git_clone_tasks, not by this rule -- confirm there.
	count(tkn.git_clone_tasks(attestation)) == 0
	# No message arguments: the failure_msg above has no placeholders.
	result := lib.result_helper(rego.metadata.chain(), [])
}
# METADATA
# title: Git clone source matches materials provenance
# description: >-
#   Confirm that the result of the git-clone task is included in the materials section of the SLSA
#   provenance attestation.
# custom:
#   short_name: git_clone_source_matches_provenance
#   failure_msg: Entry in materials for the git repo %q and commit %q not found
#   solution: >-
#     The build pipeline must contain a task named 'git-clone' and that task must emit
#     results named 'url' and 'commit' and contain the clone git repository and commit,
#     respectively.
#   collections:
#   - minimal
#   - redhat
#   depends_on:
#   - provenance_materials.git_clone_task_found
#
deny contains result if {
	some attestation in lib.pipelinerun_attestations
	# Every git-clone task in the attestation is checked independently.
	some task in tkn.git_clone_tasks(attestation)
	# The task's `url` result is normalized to the `git+<url>.git` form before
	# comparison, so a materials entry must use exactly that form to match.
	url := _normalize_git_url(tkn.task_result(task, "url"))
	commit := tkn.task_result(task, "commit")
	# NOTE(review): if tkn.task_result is undefined for "url" or "commit" (the
	# task did not emit that result), the rule body is undefined and no violation
	# is produced for this task -- the check fails open unless git_clone_tasks
	# already excludes tasks without those results. Confirm in data.lib.tkn.
	# A matching entry must agree on both uri and the sha1 digest; a missing
	# materials section yields an empty comprehension and therefore a violation.
	materials := [m |
		some m in attestation.statement.predicate.materials
		m.uri == url
		m.digest.sha1 == commit
	]
	count(materials) == 0
	# The two arguments fill the %q placeholders of failure_msg, in order.
	result := lib.result_helper(rego.metadata.chain(), [url, commit])
}
# Canonical form used for the materials comparison: the `git+` scheme prefix
# is added when absent, then the `.git` suffix when absent.
_normalize_git_url(url) := normalized if {
	prefixed := _prefix_git_url(url)
	normalized := _suffix_git_url(prefixed)
}
# Return url unchanged when it already carries the `git+` prefix, otherwise
# prepend it.
_prefix_git_url(url) := url if {
	strings.any_prefix_match(url, "git+")
} else := prefixed if {
	prefixed := concat("", ["git+", url])
}
# Return url unchanged when it already ends in `.git`, otherwise append it.
_suffix_git_url(url) := url if {
	strings.any_suffix_match(url, ".git")
} else := suffixed if {
	suffixed := concat("", [url, ".git"])
}