[WIP] Feature: Add support for verifying base image policies.

[mattmoor]

🎁 This implements the very basics from my recent comment on #356.

This still needs a bunch of work, but some playing with it and go run seem to demonstrate what I'd hope for.

Things I'd like to do still:

• Add validation that warns/errors if aspects of CIP irrelevant outside K8s are used (e.g. match:, includeSpec:),
• Expand unit test coverage significantly,
• Move pkg/policy upstream to sigstore/policy-controller to facilitate using this in other projects with similar ease (e.g. kaniko, buildpacks, ...)
• e2e tests with verification failures

/kind feature

Fixes: #356 (comment)

[codecov-commenter]

Codecov Report

Merging #918 (6d3bd33) into main (199156f) will decrease coverage by 1.13%.
The diff coverage is 32.35%.

@@            Coverage Diff             @@
##             main     #918      +/-   ##
==========================================
- Coverage   51.30%   50.16%   -1.14%     
==========================================
  Files          44       48       +4     
  Lines        3417     3654     +237     
==========================================
+ Hits         1753     1833      +80     
- Misses       1435     1588     +153     
- Partials      229      233       +4     

Impacted Files	Coverage Δ
pkg/policy/policy.go	0.00% <0.00%> (ø)
pkg/policy/verifier.go	0.00% <0.00%> (ø)
pkg/policy/parse.go	28.12% <28.12%> (ø)
pkg/commands/options/build.go	69.23% <56.52%> (-1.85%)	⬇️
pkg/policy/validate.go	85.41% <85.41%> (ø)
pkg/commands/config.go	64.19% <100.00%> (+6.30%)	⬆️

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

[mattmoor]

The upstream work is ongoing here: sigstore/policy-controller#480

[github-actions]

This Pull Request is stale because it has been open for 90 days with
no activity. It will automatically close after 30 more days of
inactivity. Keep fresh with the 'lifecycle/frozen' label.