From 80210a4a7c1452926afc9e157bea5108c8325529 Mon Sep 17 00:00:00 2001
From: Miguel Martinez
Date: Thu, 7 Aug 2025 16:19:29 +0200
Subject: [PATCH] fix policies

Signed-off-by: Miguel Martinez
---
 docs/examples/policies/chainloop-commit.yaml | 2 +-
 docs/examples/policies/chainloop-qa.yaml | 5 ++---
 docs/examples/policies/policy-template.rego | 11 ++++++-----
 docs/examples/policies/sarif-errors.yaml | 2 +-
 docs/examples/policies/trivy-vulns.yaml | 2 +-
 5 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/docs/examples/policies/chainloop-commit.yaml b/docs/examples/policies/chainloop-commit.yaml
index 5d48cd5c0..5db355f22 100644
--- a/docs/examples/policies/chainloop-commit.yaml
+++ b/docs/examples/policies/chainloop-commit.yaml
@@ -57,7 +57,7 @@ spec:
     msg := "missing commit in attestation material"
   }
 
-  has_commit {
+  has_commit if {
     some sub in input.subject
     sub.name == "git.head"
     sub.digest.sha1
diff --git a/docs/examples/policies/chainloop-qa.yaml b/docs/examples/policies/chainloop-qa.yaml
index 3a159a58f..618a2b5f7 100644
--- a/docs/examples/policies/chainloop-qa.yaml
+++ b/docs/examples/policies/chainloop-qa.yaml
@@ -61,9 +61,8 @@ spec:
     msg:= "Container image is not approved"
   }
 
-  is_approved {
+  is_approved if {
+    input.predicate.annotations.approval == "true"
     some material in input.predicate.materials
     material.annotations["chainloop.material.type"] == "CONTAINER_IMAGE"
-
-    input.predicate.annotations.approval == "true"
   }
diff --git a/docs/examples/policies/policy-template.rego b/docs/examples/policies/policy-template.rego
index 512cfc835..cd91207e9 100644
--- a/docs/examples/policies/policy-template.rego
+++ b/docs/examples/policies/policy-template.rego
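Review bot: `sub.digest.sha1` on the last line of the chainloop-commit hunk only tests that the field is defined, so a `git.head` subject whose sha1 is an empty string or a truncated/non-hex value still satisfies `has_commit` and the "missing commit in attestation material" violation is never raised. Since the whole point of the rule is to prove a commit is attached, pin the digest shape instead: `regex.match("^[0-9a-f]{40}$", sub.digest.sha1)`. Note that the rule body continues past the end of the hunk, so the closing brace is not visible here.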
@@ -30,12 +30,13 @@ skipped := false if valid_input
 
 ########################################
 # Validates if the input is valid and can be understood by this policy (3)
-valid_input if {
-  # insert code here
-}
+valid_input := true
+
+# insert code here
 
 # If the input is valid, check for any policy violation here (4)
 violations contains msg if {
-  valid_input
-  # insert code here
+  valid_input
 }
+
+# insert code here
diff --git a/docs/examples/policies/sarif-errors.yaml b/docs/examples/policies/sarif-errors.yaml
index f17d0e77d..275ff4ab7 100644
--- a/docs/examples/policies/sarif-errors.yaml
+++ b/docs/examples/policies/sarif-errors.yaml
@@ -58,7 +58,7 @@ spec:
     msg := "There are errors in the SARIF report"
   }
 
-  has_errors {
+  has_errors if {
     some run in input.runs
     some result in run.results
     result.level == "error"
diff --git a/docs/examples/policies/trivy-vulns.yaml b/docs/examples/policies/trivy-vulns.yaml
index efa7c83c4..6a2d2298b 100644
--- a/docs/examples/policies/trivy-vulns.yaml
+++ b/docs/examples/policies/trivy-vulns.yaml
@@ -59,7 +59,7 @@ spec:
     msg := "CVE report has vulnerabilities with severity MEDIUM or HIGH"
   }
 
-  has_vulnerabilities {
+  has_vulnerabilities if {
     severities := ["HIGH", "MEDIUM"]
     some result in input.Results
     some vuln in result.Vulnerabilities
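Review bot: `valid_input := true` makes the template accept any input unconditionally, and since the hunk header shows `skipped := false if valid_input`, a policy built from this template can never report itself as skipped for a material it does not understand: an attestation of an unexpected shape produces no violations and simply passes, i.e. the template fails open. If the constant is kept as a placeholder so the file parses, it should say so right above it, e.g. `# TODO: replace with a check of the expected input shape; leaving this as true means unrecognised input passes instead of being skipped`. The second `# insert code here` was moved outside the `violations contains msg if { ... }` body, but `msg` can only be bound inside that body, so new rules added at the marker will leave `msg` unsafe; keep the marker inside the body or reword it to `# insert code here: bind msg inside the violations body above`.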
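Review bot: `result.level == "error"` on the last line of the sarif-errors hunk misses results that do not carry `level` at all; in SARIF 2.1.0 the effective level then comes from the rule's `defaultConfiguration.level` (falling back to "warning"), so an error-level rule whose results omit the property is not counted, and conversely a result with `kind` set to something other than `"fail"` (e.g. `pass`, `notApplicable`) is counted even though it is not a failure. Consider resolving the effective level through `run.tool.driver.rules[result.ruleIndex].defaultConfiguration.level` when `result.level` is absent, and skipping results whose `kind` is present and not `"fail"`; please verify against the SARIF version the scanners in use emit. `has_errors` continues outside the hunk, so the closing brace is not visible here.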
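Review bot: `severities := ["HIGH", "MEDIUM"]` omits `"CRITICAL"`, so if the remainder of the rule body (outside the hunk) tests `vuln.Severity in severities`, CRITICAL findings are the one class this gate never flags, which inverts the usual intent of a vulnerability policy. If that is deliberate because CRITICAL is handled elsewhere, document it on that line; otherwise use `severities := ["CRITICAL", "HIGH", "MEDIUM"]` and adjust the message on the first context line to match. It would also help to note that Trivy appears to omit `Vulnerabilities` from a result entry with no findings rather than emitting an empty array, which `some vuln in result.Vulnerabilities` tolerates by not matching, so a future reader does not add a redundant null check.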