Skip to content

Commit 03374a1

Browse files
committed
undo change
Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
1 parent 60a7e1d commit 03374a1

31 files changed

Lines changed: 3318 additions & 0 deletions
Lines changed: 20 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,20 @@
1+
apiVersion: workflowcontract.chainloop.dev/v1
2+
kind: Policy
3+
metadata:
4+
name: container-policy
5+
description: test policy
6+
annotations:
7+
category: containers
8+
spec:
9+
policies:
10+
- kind: CONTAINER_IMAGE
11+
embedded: |
12+
package main
13+
14+
import rego.v1
15+
16+
result := {
17+
"violations": [],
18+
"skipped": true,
19+
"skip_reason": sprintf("the tag is '%s'", [input.chainloop_metadata.annotations["chainloop.material.image.tag"]])
20+
}
Lines changed: 23 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,23 @@
1+
apiVersion: workflowcontract.chainloop.dev/v1
2+
kind: PolicyGroup
3+
metadata:
4+
name: group-with-inputs
5+
description: test group
6+
annotations:
7+
category: test
8+
spec:
9+
inputs:
10+
- name: user_name
11+
required: true
12+
- name: domainName
13+
required: false
14+
default: "chainloop.dev"
15+
policies:
16+
materials:
17+
- name: sbom
18+
type: SBOM_CYCLONEDX_JSON
19+
policies:
20+
- ref: file://testdata/policy_with_inputs.yaml
21+
with:
22+
email: "{{inputs.user_name}}@{{inputs.domainName}}"
23+
Lines changed: 25 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,25 @@
1+
apiVersion: workflowcontract.chainloop.dev/v1
2+
kind: PolicyGroup
3+
metadata:
4+
name: group-with-inputs
5+
description: test group
6+
annotations:
7+
category: test
8+
spec:
9+
inputs:
10+
- name: sbom_name
11+
default: "sbom"
12+
- name: user_name
13+
required: true
14+
- name: domainName
15+
required: false
16+
default: "chainloop.dev"
17+
policies:
18+
materials:
19+
- name: "{{ inputs.sbom_name }}"
20+
type: SBOM_CYCLONEDX_JSON
21+
policies:
22+
- ref: file://testdata/policy_with_inputs.yaml
23+
with:
24+
email: "{{inputs.user_name}}@{{inputs.domainName}}"
25+
Lines changed: 54 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,54 @@
1+
package main
2+
3+
import rego.v1
4+
5+
# Verifies there is a VEX material, even if not enforced by contract
6+
7+
################################
8+
# Common section do NOT change #
9+
################################
10+
11+
result := {
12+
"skipped": skipped,
13+
"violations": violations,
14+
"skip_reason": skip_reason,
15+
}
16+
17+
default skip_reason := ""
18+
19+
skip_reason := m if {
20+
not valid_input
21+
m := "invalid input"
22+
}
23+
24+
default skipped := true
25+
26+
skipped := false if valid_input
27+
28+
########################################
29+
# EO Common section, custom code below #
30+
########################################
31+
32+
# Validates if the input is valid and can be understood by this policy
33+
valid_input := true
34+
35+
# If the input is valid, check for any policy violation here
36+
violations contains msg if {
37+
valid_input
38+
not has_vex
39+
msg := "missing VEX material"
40+
}
41+
42+
# Collect all material types
43+
kinds contains kind if {
44+
some material in input.predicate.materials
45+
kind := material.annotations["chainloop.material.type"]
46+
}
47+
48+
has_vex if {
49+
"CSAF_VEX" in kinds
50+
}
51+
52+
has_vex if {
53+
"OPENVEX" in kinds
54+
}
Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,7 @@
1+
apiVersion: workflowcontract.chainloop.dev/v1
2+
kind: Policy
3+
metadata:
4+
name: materials
5+
spec:
6+
type: ATTESTATION
7+
path: materials.rego
Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,7 @@
1+
apiVersion: workflowcontract.chainloop.dev/v1
2+
kind: Policy
3+
metadata:
4+
name: missing-rego
5+
spec:
6+
type: ATTESTATION
7+
path: this_is_a_missing.rego
Lines changed: 13 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,13 @@
1+
apiVersion: workflowcontract.chainloop.dev/v1
2+
kind: Policy
3+
metadata:
4+
name: multikind
5+
description: multikind policy
6+
annotations:
7+
category: SBOM
8+
spec:
9+
policies:
10+
- kind: SBOM_SPDX_JSON
11+
path: sbom_syft.rego
12+
- kind: ATTESTATION
13+
path: workflow.rego
Lines changed: 16 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,16 @@
1+
apiVersion: workflowcontract.chainloop.dev/v1
2+
kind: PolicyGroup
3+
metadata:
4+
name: sbom-quality
5+
description: This policy group applies a number of SBOM-related policies
6+
annotations:
7+
category: SBOM
8+
spec:
9+
policies:
10+
attestation:
11+
- ref: file://testdata/with_arguments.yaml
12+
materials:
13+
- name: sbom
14+
type: SBOM_SPDX_JSON
15+
policies:
16+
- ref: file://testdata/multi-kind.yaml
Lines changed: 16 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,16 @@
1+
apiVersion: workflowcontract.chainloop.dev/v1
2+
kind: PolicyGroup
3+
metadata:
4+
name: sbom-quality
5+
description: This policy group applies a number of SBOM-related policies
6+
annotations:
7+
category: SBOM
8+
spec:
9+
policies:
10+
materials:
11+
- type: SBOM_CYCLONEDX_JSON
12+
policies:
13+
- ref: file://testdata/policy_with_ignore.yaml
14+
- type: OPENVEX
15+
policies:
16+
- ref: file://testdata/policy_openvex_no_ignore.yaml
Lines changed: 15 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,15 @@
1+
apiVersion: workflowcontract.chainloop.dev/v1
2+
kind: PolicyGroup
3+
metadata:
4+
name: sbom-quality
5+
description: policy group with name-less material
6+
annotations:
7+
category: SBOM
8+
spec:
9+
policies:
10+
attestation:
11+
- ref: file://testdata/with_arguments.yaml
12+
materials:
13+
- type: SBOM_SPDX_JSON
14+
policies:
15+
- ref: file://testdata/multi-kind.yaml

0 commit comments

Comments
 (0)