23 changes: 13 additions & 10 deletions app/cli/cmd/policy_develop_eval.go
Expand Up @@ -26,11 +26,12 @@ import (

func newPolicyDevelopEvalCmd() *cobra.Command {
var (
materialPath string
kind string
annotations []string
policyPath string
inputs []string
materialPath string
kind string
annotations []string
policyPath string
inputs []string
allowedHostnames []string
)

cmd := &cobra.Command{
Expand All @@ -44,11 +45,12 @@ evaluates the policy against the provided material or attestation.`,
chainloop policy eval --policy policy.yaml --material sbom.json --kind SBOM_CYCLONEDX_JSON --annotation key1=value1,key2=value2 --input key3=value3`,
RunE: func(_ *cobra.Command, _ []string) error {
opts := &action.PolicyEvalOpts{
MaterialPath: materialPath,
Kind: kind,
Annotations: parseKeyValue(annotations),
PolicyPath: policyPath,
Inputs: parseKeyValue(inputs),
MaterialPath: materialPath,
Kind: kind,
Annotations: parseKeyValue(annotations),
PolicyPath: policyPath,
Inputs: parseKeyValue(inputs),
AllowedHostnames: allowedHostnames,
}

policyEval, err := action.NewPolicyEval(opts, actionOpts)
Expand All @@ -71,6 +73,7 @@ evaluates the policy against the provided material or attestation.`,
cmd.Flags().StringSliceVar(&annotations, "annotation", []string{}, "Key-value pairs of material annotations (key=value)")
cmd.Flags().StringVarP(&policyPath, "policy", "p", "policy.yaml", "Path to custom policy file")
cmd.Flags().StringSliceVar(&inputs, "input", []string{}, "Key-value pairs of policy inputs (key=value)")
cmd.Flags().StringSliceVar(&allowedHostnames, "allowed-hostnames", []string{}, "Additional hostnames allowed for http.send requests in policies")

return cmd
}
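Review bot: The help string on the new `--allowed-hostnames` flag (last hunk) does not say what form a value must take or that the list extends rather than replaces the verifier's built-in allowlist, and that matters because this flag widens the network egress a policy under development can perform through http.send. From the flag alone a user cannot tell whether `example.com`, `example.com:443` or `https://example.com` is expected, nor that `StringSliceVar` splits on commas the way the `--annotation` example above shows. I would change the help text to `"Comma-separated list of extra hostnames that policies may call via http.send; extends the default allowlist (hostname only, no scheme or path)"`, adjusting the parenthetical to whatever `policies.WithAllowedHostnames` actually matches on, which is not visible here. The rest of `newPolicyDevelopEvalCmd` lies outside the hunks.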
13 changes: 7 additions & 6 deletions app/cli/documentation/cli-reference.mdx
Expand Up @@ -2810,12 +2810,13 @@ chainloop policy eval --policy policy.yaml --material sbom.json --kind SBOM_CYCL
Options

```
--annotation strings Key-value pairs of material annotations (key=value)
-h, --help help for eval
--input strings Key-value pairs of policy inputs (key=value)
--kind string Kind of the material: ["ARTIFACT" "ATTESTATION" "BLACKDUCK_SCA_JSON" "CHAINLOOP_RUNNER_CONTEXT" "CONTAINER_IMAGE" "CSAF_INFORMATIONAL_ADVISORY" "CSAF_SECURITY_ADVISORY" "CSAF_SECURITY_INCIDENT_RESPONSE" "CSAF_VEX" "EVIDENCE" "GHAS_CODE_SCAN" "GHAS_DEPENDENCY_SCAN" "GHAS_SECRET_SCAN" "GITLAB_SECURITY_REPORT" "HELM_CHART" "JACOCO_XML" "JUNIT_XML" "OPENVEX" "SARIF" "SBOM_CYCLONEDX_JSON" "SBOM_SPDX_JSON" "SLSA_PROVENANCE" "STRING" "TWISTCLI_SCAN_JSON" "ZAP_DAST_ZIP"]
--material string Path to material or attestation file
-p, --policy string Path to custom policy file (default "policy.yaml")
--allowed-hostnames strings Additional hostnames allowed for http.send requests in policies
--annotation strings Key-value pairs of material annotations (key=value)
-h, --help help for eval
--input strings Key-value pairs of policy inputs (key=value)
--kind string Kind of the material: ["ARTIFACT" "ATTESTATION" "BLACKDUCK_SCA_JSON" "CHAINLOOP_RUNNER_CONTEXT" "CONTAINER_IMAGE" "CSAF_INFORMATIONAL_ADVISORY" "CSAF_SECURITY_ADVISORY" "CSAF_SECURITY_INCIDENT_RESPONSE" "CSAF_VEX" "EVIDENCE" "GHAS_CODE_SCAN" "GHAS_DEPENDENCY_SCAN" "GHAS_SECRET_SCAN" "GITLAB_SECURITY_REPORT" "HELM_CHART" "JACOCO_XML" "JUNIT_XML" "OPENVEX" "SARIF" "SBOM_CYCLONEDX_JSON" "SBOM_SPDX_JSON" "SLSA_PROVENANCE" "STRING" "TWISTCLI_SCAN_JSON" "ZAP_DAST_ZIP"]
--material string Path to material or attestation file
-p, --policy string Path to custom policy file (default "policy.yaml")
```

Options inherited from parent commands
22 changes: 12 additions & 10 deletions app/cli/internal/action/policy_develop_eval.go
Expand Up @@ -22,11 +22,12 @@ import (
)

type PolicyEvalOpts struct {
MaterialPath string
Kind string
Annotations map[string]string
PolicyPath string
Inputs map[string]string
MaterialPath string
Kind string
Annotations map[string]string
PolicyPath string
Inputs map[string]string
AllowedHostnames []string
}

type PolicyEvalResult struct {
Expand All @@ -50,11 +51,12 @@ func NewPolicyEval(opts *PolicyEvalOpts, actionOpts *ActionsOpts) (*PolicyEval,

func (action *PolicyEval) Run() ([]*PolicyEvalResult, error) {
evalOpts := &policydevel.EvalOptions{
PolicyPath: action.opts.PolicyPath,
MaterialKind: action.opts.Kind,
Annotations: action.opts.Annotations,
MaterialPath: action.opts.MaterialPath,
Inputs: action.opts.Inputs,
PolicyPath: action.opts.PolicyPath,
MaterialKind: action.opts.Kind,
Annotations: action.opts.Annotations,
MaterialPath: action.opts.MaterialPath,
Inputs: action.opts.Inputs,
AllowedHostnames: action.opts.AllowedHostnames,
}

// Evaluate policy
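Review bot: The new exported `AllowedHostnames` field on `PolicyEvalOpts` (first hunk) has no doc comment, and since it controls which hosts a policy may reach over the network during evaluation the contract is worth stating at this boundary. I would add above it `// AllowedHostnames lists extra hostnames a policy may contact via http.send during evaluation; passed through to the policy verifier as-is, so entries should already be in the form it matches on.`. `Run` does not normalize the slice either, so a caller passing trailing whitespace or an empty entry relies entirely on what the verifier does with it, which is not visible here. `NewPolicyEval` and the rest of `Run` lie outside the hunks.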
21 changes: 13 additions & 8 deletions app/cli/internal/policydevel/eval.go
Expand Up @@ -29,11 +29,12 @@ import (
)

type EvalOptions struct {
PolicyPath string
MaterialKind string
Annotations map[string]string
MaterialPath string
Inputs map[string]string
PolicyPath string
MaterialKind string
Annotations map[string]string
MaterialPath string
Inputs map[string]string
AllowedHostnames []string
}

type EvalResult struct {
Expand All @@ -58,7 +59,7 @@ func Evaluate(opts *EvalOptions, logger zerolog.Logger) ([]*EvalResult, error) {
material.Annotations = opts.Annotations

// 3. Verify material against policy
result, err := verifyMaterial(schema, material, opts.MaterialPath, &logger)
result, err := verifyMaterial(schema, material, opts.MaterialPath, opts.AllowedHostnames, &logger)
if err != nil {
return nil, err
}
Expand All @@ -81,8 +82,12 @@ func createCraftingSchema(policyPath string, inputs map[string]string) (*v1.Craf
}, nil
}

func verifyMaterial(schema *v1.CraftingSchema, material *v12.Attestation_Material, materialPath string, logger *zerolog.Logger) ([]*EvalResult, error) {
v := policies.NewPolicyVerifier(schema, nil, logger)
func verifyMaterial(schema *v1.CraftingSchema, material *v12.Attestation_Material, materialPath string, allowedHostnames []string, logger *zerolog.Logger) ([]*EvalResult, error) {
var opts []policies.PolicyVerifierOption
if len(allowedHostnames) > 0 {
opts = append(opts, policies.WithAllowedHostnames(allowedHostnames...))
}
v := policies.NewPolicyVerifier(schema, nil, logger, opts...)
policyEvs, err := v.VerifyMaterial(context.Background(), material, materialPath)
if err != nil {
return nil, err
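Review bot: `verifyMaterial` (last hunk) hands `allowedHostnames` to `policies.WithAllowedHostnames` without trimming entries, dropping empty ones, or recording that the http.send allowlist was widened, so a stray `""` or ` example.com` produced by the CLI's comma splitting reaches the verifier unchanged and nothing in the output tells the user which extra hosts the policy was permitted to contact. Whether `WithAllowedHostnames` tolerates such entries is not visible here, so cleaning them up at this boundary and logging the effective list at debug level is the cheap defensive option. This needs `strings` in the file's imports if it is not there already; the import block is outside the hunks, as is the remainder of the function.
```go
func verifyMaterial(schema *v1.CraftingSchema, material *v12.Attestation_Material, materialPath string, allowedHostnames []string, logger *zerolog.Logger) ([]*EvalResult, error) {
	// Drop blank entries and surrounding whitespace before widening the allowlist.
	hosts := make([]string, 0, len(allowedHostnames))
	for _, h := range allowedHostnames {
		if h = strings.TrimSpace(h); h != "" {
			hosts = append(hosts, h)
		}
	}
	var opts []policies.PolicyVerifierOption
	if len(hosts) > 0 {
		logger.Debug().Strs("allowed_hostnames", hosts).Msg("extending http.send allowlist for policy evaluation")
		opts = append(opts, policies.WithAllowedHostnames(hosts...))
	}
	// … unchanged: NewPolicyVerifier / VerifyMaterial and error handling …
```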