
Commit 64694fa

committed
update and fix policies in docs
Signed-off-by: Sylwester Piskozub <sylwesterpiskozub@gmail.com>
1 parent b7e4884 commit 64694fa

12 files changed

Lines changed: 346 additions & 348 deletions

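--- a/docs/examples/policies/chainloop-commit.yaml
+++ b/docs/examples/policies/chainloop-commit.yaml
@@ -21,45 +21,44 @@ spec:
 - kind: ATTESTATION
 embedded: |
 package main
-
+
 import rego.v1
-
+
 ################################
 # Common section do NOT change #
 ################################
-
+
 result := {
-"skipped": skipped,
-"violations": violations,
-"skip_reason": skip_reason,
+"skipped": skipped,
+"violations": violations,
+"skip_reason": skip_reason,
 }
-
+
 default skip_reason := ""
-
+
 skip_reason := m if {
-not valid_input
-m := "the file content is not recognized"
+not valid_input
+m := "the file content is not recognized"
 }
-
+
 default skipped := true
-
+
 skipped := false if valid_input
-
+
 ########################################
 # EO Common section, custom code below #
 ########################################
-
+
 # TODO: update to validate if the file is expected, i.e checking the tool that generates it
 valid_input := true
-
+
 violations contains msg if {
-not has_commit
-msg := "missing commit in attestation material"
+not has_commit
+msg := "missing commit in attestation material"
 }
-
+
 has_commit if {
-some sub in input.subject
-sub.name == "git.head"
-sub.digest.sha1
+some sub in input.subject
+sub.name == "git.head"
+sub.digest.sha1
 }
-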

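--- a/docs/examples/policies/chainloop-qa.yaml
+++ b/docs/examples/policies/chainloop-qa.yaml
@@ -24,45 +24,45 @@ spec:
 - kind: ATTESTATION
 embedded: |
 package main
-
+
 import rego.v1
-
+
 ################################
 # Common section do NOT change #
 ################################
-
+
 result := {
-"skipped": skipped,
-"violations": violations,
-"skip_reason": skip_reason,
+"skipped": skipped,
+"violations": violations,
+"skip_reason": skip_reason,
 }
-
+
 default skip_reason := ""
-
+
 skip_reason := m if {
-not valid_input
-m := "the file content is not recognized"
+not valid_input
+m := "the file content is not recognized"
 }
-
+
 default skipped := true
-
+
 skipped := false if valid_input
-
+
 ########################################
 # EO Common section, custom code below #
 ########################################
-
+
 # TODO: update to validate if the file is expected, i.e checking the tool that generates it
 valid_input := true
-
+
 violations contains msg if {
-not is_approved
-
-msg:= "Container image is not approved"
+not is_approved
+
+msg := "Container image is not approved"
 }
-
+
 is_approved if {
-input.predicate.annotations.approval == "true"
-some material in input.predicate.materials
-material.annotations["chainloop.material.type"] == "CONTAINER_IMAGE"
+input.predicate.annotations.approval == "true"
+some material in input.predicate.materials
+material.annotations["chainloop.material.type"] == "CONTAINER_IMAGE"
 }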
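--- a/PLACEHOLDER-PATH-NOT-SHOWN-ON-PAGE
+++ b/PLACEHOLDER-PATH-NOT-SHOWN-ON-PAGE
@@ -1,57 +1,57 @@
 apiVersion: workflowcontract.chainloop.dev/v1
 kind: Policy
 metadata:
-name: cdx-fresh
-description: Checks that SBOM is maximum of 30 days old
-annotations:
-category: quickstart
+name: cdx-fresh
+description: Checks that SBOM is maximum of 30 days old
+annotations:
+category: quickstart
 spec:
-policies:
-- embedded: |
-package main
-
-import rego.v1
-
-################################
-# Common section do NOT change #
-################################
-
-result := {
-"skipped": skipped,
-"violations": violations,
-"skip_reason": skip_reason,
-"ignore": ignore,
-}
-
-default skip_reason := ""
-
-skip_reason := m if {
-not valid_input
-m := "invalid input"
-}
-
-default skipped := true
-
-skipped := false if valid_input
-
-default ignore := false
-
-########################################
-# EO Common section, custom code below #
-########################################
-# Validates if the input is valid and can be understood by this policy
-valid_input := true
-
-limit := 30
-nanosecs_per_second := (1000 * 1000) * 1000
-nanosecs_per_day := ((24 * 60) * 60) * nanosecs_per_second
-maximum_age := limit * nanosecs_per_day
-
-# If the input is valid, check for any policy violation here
-violations contains msg if {
-sbom_ns = time.parse_rfc3339_ns(input.metadata.timestamp)
-exceeding = time.now_ns() - (sbom_ns + maximum_age)
-exceeding > 0
-msg := sprintf("SBOM created at: %s which is too old (freshness limit set to %d days)", [input.metadata.timestamp, limit])
-}
-kind: SBOM_CYCLONEDX_JSON
+policies:
+- embedded: |
+package main
+
+import rego.v1
+
+################################
+# Common section do NOT change #
+################################
+
+result := {
+"skipped": skipped,
+"violations": violations,
+"skip_reason": skip_reason,
+"ignore": ignore,
+}
+
+default skip_reason := ""
+
+skip_reason := m if {
+not valid_input
+m := "invalid input"
+}
+
+default skipped := true
+
+skipped := false if valid_input
+
+default ignore := false
+
+########################################
+# EO Common section, custom code below #
+########################################
+# Validates if the input is valid and can be understood by this policy
+valid_input := true
+
+limit := 30
+nanosecs_per_second := (1000 * 1000) * 1000
+nanosecs_per_day := ((24 * 60) * 60) * nanosecs_per_second
+maximum_age := limit * nanosecs_per_day
+
+# If the input is valid, check for any policy violation here
+violations contains msg if {
+sbom_ns = time.parse_rfc3339_ns(input.metadata.timestamp)
+exceeding = time.now_ns() - (sbom_ns + maximum_age)
+exceeding > 0
+msg := sprintf("SBOM created at: %s which is too old (freshness limit set to %d days)", [input.metadata.timestamp, limit])
+}
+kind: SBOM_CYCLONEDX_JSON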

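--- a/docs/examples/policies/sarif-errors.yaml
+++ b/docs/examples/policies/sarif-errors.yaml
@@ -22,44 +22,44 @@ spec:
 - kind: SARIF
 embedded: |
 package main
-
+
 import rego.v1
-
+
 ################################
 # Common section do NOT change #
 ################################
-
+
 result := {
-"skipped": skipped,
-"violations": violations,
-"skip_reason": skip_reason,
+"skipped": skipped,
+"violations": violations,
+"skip_reason": skip_reason,
 }
-
+
 default skip_reason := ""
-
+
 skip_reason := m if {
-not valid_input
-m := "the file content is not recognized"
+not valid_input
+m := "the file content is not recognized"
 }
-
+
 default skipped := true
-
+
 skipped := false if valid_input
-
+
 ########################################
 # EO Common section, custom code below #
 ########################################
-
+
 # TODO: update to validate if the file is expected, i.e checking the tool that generates it
 valid_input := true
-
+
 violations contains msg if {
-has_errors
-msg := "There are errors in the SARIF report"
+has_errors
+msg := "There are errors in the SARIF report"
 }
-
+
 has_errors if {
-some run in input.runs
-some result in run.results
-result.level == "error"
+some run in input.runs
+some result in run.results
+result.level == "error"
 }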

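--- a/docs/examples/policies/sbom/cyclonedx-banned-licenses.yaml
+++ b/docs/examples/policies/sbom/cyclonedx-banned-licenses.yaml
@@ -24,42 +24,42 @@ spec:
 - kind: SBOM_CYCLONEDX_JSON
 embedded: |
 package main
-
+
 import rego.v1
-
+
 ################################
 # Common section do NOT change #
 ################################
-
+
 result := {
-"skipped": skipped,
-"violations": violations,
-"skip_reason": skip_reason,
+"skipped": skipped,
+"violations": violations,
+"skip_reason": skip_reason,
 }
-
+
 default skip_reason := ""
-
+
 skip_reason := m if {
-not valid_input
-m := "the file content is not recognized"
+not valid_input
+m := "the file content is not recognized"
 }
-
+
 default skipped := true
-
+
 skipped := false if valid_input
-
+
 ########################################
 # EO Common section, custom code below #
 ########################################
-
+
 # TODO: update to validate if the file is expected, i.e checking the tool that generates it
 valid_input := true
 
 banned_licenses := ["GPL-2.0", "GPL-3.0"]
 
 violations contains ref if {
-some comp in input.components
-some lic in comp.licenses
-lic.license.name in banned_licenses
-ref := sprintf("Forbidden license %v for %v (%v)", [license.name, comp.name, comp["bom-ref"]])
+some comp in input.components
+some lic in comp.licenses
+lic.license.name in banned_licenses
+ref := sprintf("Forbidden license %v for %v (%v)", [license.name, comp.name, comp["bom-ref"]])
 }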
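Review bot: The re-added line 64 of the `violations` rule references `license.name`, but no variable named `license` is bound anywhere in the rule body — the iteration variable on the line above is `lic`, and the condition already uses `lic.license.name`. OPA rejects an unbound reference like this as an unsafe variable at compile time, so the example policy as shipped cannot be evaluated at all, and the banned-license check never produces a result; how the evaluator surfaces a policy that fails to compile is not visible on this page, so it is worth confirming that such a failure is reported rather than treated as "no violations". The sprintf argument should match the condition: `ref := sprintf("Forbidden license %v for %v (%v)", [lic.license.name, comp.name, comp["bom-ref"]])`. The commit only re-indents this block, so the defect is pre-existing but survives unchanged on the new side.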
