diff --git a/docs/examples/contracts/container-image-sbom/azure-pipeline.yaml b/docs/examples/contracts/container-image-sbom/azure-pipeline.yaml index c86d9a81c..aed9ec764 100644 --- a/docs/examples/contracts/container-image-sbom/azure-pipeline.yaml +++ b/docs/examples/contracts/container-image-sbom/azure-pipeline.yaml @@ -1,13 +1,17 @@ -schemaVersion: v1 - # Require both a container image reference and a CycloneDX SBOM with the attestation happening in Azure Devops Pipeline -materials: - - type: CONTAINER_IMAGE - name: image - output: true +apiVersion: chainloop.dev/v1 +kind: Contract +metadata: + name: azure-pipeline + description: Require both a container image reference and a CycloneDX SBOM with the attestation happening in Azure Devops Pipeline +spec: + materials: + - type: CONTAINER_IMAGE + name: image + output: true - - type: SBOM_CYCLONEDX_JSON - name: sbom + - type: SBOM_CYCLONEDX_JSON + name: sbom -runner: - type: "AZURE_PIPELINE" + runner: + type: "AZURE_PIPELINE" diff --git a/docs/examples/contracts/container-image-sbom/github.yaml b/docs/examples/contracts/container-image-sbom/github.yaml index b302232d5..5fdf63245 100644 --- a/docs/examples/contracts/container-image-sbom/github.yaml +++ b/docs/examples/contracts/container-image-sbom/github.yaml @@ -1,13 +1,17 @@ # Require both a container image reference and a CycloneDX SBOM with the attestation happening in GitHub actions -schemaVersion: v1 +apiVersion: chainloop.dev/v1 +kind: Contract +metadata: + name: github + description: Require both a container image reference and a CycloneDX SBOM with the attestation happening in GitHub actions +spec: + materials: + - type: CONTAINER_IMAGE + name: image + output: true -materials: - - type: CONTAINER_IMAGE - name: image - output: true + - type: SBOM_CYCLONEDX_JSON + name: sbom - - type: SBOM_CYCLONEDX_JSON - name: sbom - -runner: - type: "GITHUB_ACTION" + runner: + type: "GITHUB_ACTION" 
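Review bot: `metadata.name: azure-pipeline` is derived from the file name alone, so it collides with `docs/examples/contracts/empty/azure-pipeline.yaml`, which receives the same name later in this diff; the same collision appears for `github` (container-image-sbom, empty, slsa), `gitlab` (container-image-sbom, empty) and `contract` (csaf, helm-chart, skynet). If the control plane keys contracts by `metadata.name`, applying two of these examples would make the second silently replace the first, which is surprising for a reader following the docs. Qualifying the name by directory, e.g. `name: container-image-sbom-azure-pipeline`, keeps every example distinct. Separately, the new `description` repeats the retained `# Require both ...` comment word for word; one of the two could go.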
diff --git a/docs/examples/contracts/container-image-sbom/gitlab.yaml b/docs/examples/contracts/container-image-sbom/gitlab.yaml index 5db6fc969..0026ec702 100644 --- a/docs/examples/contracts/container-image-sbom/gitlab.yaml +++ b/docs/examples/contracts/container-image-sbom/gitlab.yaml @@ -1,13 +1,17 @@ -schemaVersion: v1 - # Require both a container image reference and a CycloneDX SBOM with the attestation happening in Gitlab -materials: - - type: CONTAINER_IMAGE - name: image - output: true +apiVersion: chainloop.dev/v1 +kind: Contract +metadata: + name: gitlab + description: Require both a container image reference and a CycloneDX SBOM with the attestation happening in Gitlab +spec: + materials: + - type: CONTAINER_IMAGE + name: image + output: true - - type: SBOM_CYCLONEDX_JSON - name: sbom + - type: SBOM_CYCLONEDX_JSON + name: sbom -runner: - type: "GITLAB_PIPELINE" + runner: + type: "GITLAB_PIPELINE" diff --git a/docs/examples/contracts/csaf/contract.yaml b/docs/examples/contracts/csaf/contract.yaml index 0d54730dd..dfefe81c6 100644 --- a/docs/examples/contracts/csaf/contract.yaml +++ b/docs/examples/contracts/csaf/contract.yaml 
@@ -1,14 +1,19 @@ -schemaVersion: v1 -materials: - # Refs: https://docs.oasis-open.org/csaf/csaf/v2.0/os/csaf-v2.0-os.html#45-profile-5-vex - - type: CSAF_VEX - name: vex-disclosure - # Refs: https://docs.oasis-open.org/csaf/csaf/v2.0/os/csaf-v2.0-os.html#43-profile-3-informational-advisory - - type: CSAF_INFORMATIONAL_ADVISORY - name: informational-advisory - # Refs: https://docs.oasis-open.org/csaf/csaf/v2.0/os/csaf-v2.0-os.html#44-profile-4-security-advisory - - type: CSAF_SECURITY_ADVISORY - name: security-advisory - # Refs: https://docs.oasis-open.org/csaf/csaf/v2.0/os/csaf-v2.0-os.html#42-profile-2-security-incident-response - - type: CSAF_SECURITY_INCIDENT_RESPONSE - name: security-incident-response +apiVersion: chainloop.dev/v1 +kind: Contract +metadata: + name: contract + description: Contract for CSAF advisories and VEX +spec: + materials: + # Refs: https://docs.oasis-open.org/csaf/csaf/v2.0/os/csaf-v2.0-os.html#45-profile-5-vex + - type: CSAF_VEX + name: vex-disclosure + # Refs: https://docs.oasis-open.org/csaf/csaf/v2.0/os/csaf-v2.0-os.html#43-profile-3-informational-advisory + - type: CSAF_INFORMATIONAL_ADVISORY + name: informational-advisory + # Refs: https://docs.oasis-open.org/csaf/csaf/v2.0/os/csaf-v2.0-os.html#44-profile-4-security-advisory + - type: CSAF_SECURITY_ADVISORY + name: security-advisory + # Refs: https://docs.oasis-open.org/csaf/csaf/v2.0/os/csaf-v2.0-os.html#42-profile-2-security-incident-response + - type: CSAF_SECURITY_INCIDENT_RESPONSE + name: security-incident-response diff --git a/docs/examples/contracts/empty/azure-pipeline.yaml b/docs/examples/contracts/empty/azure-pipeline.yaml index 304249447..c953d8ff0 100644 --- a/docs/examples/contracts/empty/azure-pipeline.yaml +++ b/docs/examples/contracts/empty/azure-pipeline.yaml 
@@ -1,5 +1,10 @@ # Empty Chainloop contract valid for a workflow run in a Azure Pipeline -schemaVersion: "v1" # See https://docs.chainloop.dev/reference/operator/contract#runner-context -runner: - type: "AZURE_PIPELINE" +apiVersion: chainloop.dev/v1 +kind: Contract +metadata: + name: azure-pipeline + description: Empty Chainloop contract valid for a workflow run in a Azure Pipeline +spec: + runner: + type: "AZURE_PIPELINE" diff --git a/docs/examples/contracts/empty/generic.yaml b/docs/examples/contracts/empty/generic.yaml index 75f9f98ee..34df99394 100644 --- a/docs/examples/contracts/empty/generic.yaml +++ b/docs/examples/contracts/empty/generic.yaml @@ -1,2 +1,7 @@ # Empty Chainloop contract valid for any runner type -schemaVersion: "v1" +apiVersion: chainloop.dev/v1 +kind: Contract +metadata: + name: generic + description: Empty Chainloop contract valid for any runner type +spec: diff --git a/docs/examples/contracts/empty/github.yaml b/docs/examples/contracts/empty/github.yaml index 017424b78..b2b7872c9 100644 --- a/docs/examples/contracts/empty/github.yaml +++ b/docs/examples/contracts/empty/github.yaml @@ -1,5 +1,10 @@ # Empty Chainloop contract valid for a workflow run in a Github Action -schemaVersion: "v1" # See https://docs.chainloop.dev/reference/operator/contract#runner-context -runner: - type: "GITHUB_ACTION" +apiVersion: chainloop.dev/v1 +kind: Contract +metadata: + name: github + description: Empty Chainloop contract valid for a workflow run in a Github Action +spec: + runner: + type: "GITHUB_ACTION" diff --git a/docs/examples/contracts/empty/gitlab.yaml b/docs/examples/contracts/empty/gitlab.yaml index 0ff33479d..6904b449c 100644 --- a/docs/examples/contracts/empty/gitlab.yaml +++ b/docs/examples/contracts/empty/gitlab.yaml 
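Review bot: The retained `# See https://docs.chainloop.dev/reference/operator/contract#runner-context` line now sits between the file comment and `apiVersion`, several lines away from the `spec.runner` block it documents; the same placement results in `empty/github.yaml` and `empty/gitlab.yaml`. Moving it directly above `runner:` inside `spec` keeps the pointer next to the field it explains.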
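Review bot: The new `spec:` in `empty/generic.yaml` has no value, so a YAML parser yields `spec: null` rather than an empty mapping, and a strict loader that requires `spec` to be an object may reject what is meant to be the minimal valid contract. Writing `spec: {}` makes the intent explicit and parses as an empty mapping on every loader. If the schema treats `spec` as optional, dropping the key entirely is the other safe choice.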
@@ -1,5 +1,10 @@ # Empty Chainloop contract valid for a workflow run in a Gitlab pipeline -schemaVersion: "v1" # See https://docs.chainloop.dev/reference/operator/contract#runner-context -runner: - type: "GITLAB_PIPELINE" +apiVersion: chainloop.dev/v1 +kind: Contract +metadata: + name: gitlab + description: Empty Chainloop contract valid for a workflow run in a Gitlab pipeline +spec: + runner: + type: "GITLAB_PIPELINE" diff --git a/docs/examples/contracts/helm-chart/contract.yaml b/docs/examples/contracts/helm-chart/contract.yaml index d0016cc0c..b18e8d069 100644 --- a/docs/examples/contracts/helm-chart/contract.yaml +++ b/docs/examples/contracts/helm-chart/contract.yaml @@ -1,4 +1,9 @@ -schemaVersion: v1 -materials: - - type: HELM_CHART - name: helm-chart +apiVersion: chainloop.dev/v1 +kind: Contract +metadata: + name: contract + description: Contract for Helm chart attestation +spec: + materials: + - type: HELM_CHART + name: helm-chart diff --git a/docs/examples/contracts/sarif/sarif.yaml b/docs/examples/contracts/sarif/sarif.yaml index 9bb94e215..3149514e0 100644 --- a/docs/examples/contracts/sarif/sarif.yaml +++ b/docs/examples/contracts/sarif/sarif.yaml @@ -1,4 +1,9 @@ -schemaVersion: v1 -materials: - - type: SARIF - name: static-output +apiVersion: chainloop.dev/v1 +kind: Contract +metadata: + name: sarif + description: Contract for SARIF static analysis output +spec: + materials: + - type: SARIF + name: static-output diff --git a/docs/examples/contracts/sbom/cyclonedx.yaml b/docs/examples/contracts/sbom/cyclonedx.yaml index 5048e050d..7c4dcfb34 100644 --- a/docs/examples/contracts/sbom/cyclonedx.yaml +++ b/docs/examples/contracts/sbom/cyclonedx.yaml 
@@ -1,7 +1,12 @@ -schemaVersion: v1 -materials: - # SBOMs will be uploaded to the CAS Backend of your choice, such as an OCI registry and referenced in the attestation - # Additionally they can be sent to any downstream integration for analysis - # i.e https://docs.chainloop.dev/guides/dependency-track/ - - type: SBOM_CYCLONEDX_JSON - name: skynet-sbom +apiVersion: chainloop.dev/v1 +kind: Contract +metadata: + name: cyclonedx + description: Contract for CycloneDX SBOM attestation +spec: + materials: + # SBOMs will be uploaded to the CAS Backend of your choice, such as an OCI registry and referenced in the attestation + # Additionally they can be sent to any downstream integration for analysis + # i.e https://docs.chainloop.dev/guides/dependency-track/ + - type: SBOM_CYCLONEDX_JSON + name: skynet-sbom diff --git a/docs/examples/contracts/sbom/sbom-quality.yaml b/docs/examples/contracts/sbom/sbom-quality.yaml index 84ac562f4..387db3f85 100644 --- a/docs/examples/contracts/sbom/sbom-quality.yaml +++ b/docs/examples/contracts/sbom/sbom-quality.yaml @@ -1,9 +1,14 @@ #release-contract -schemaVersion: v1 -materials: - # SBOMs will be uploaded to your artifact registry and referenced by digest in the attestation - # Both SBOM_CYCLONEDX_JSON and SBOM_SPDX_JSON are supported - - type: SBOM_CYCLONEDX_JSON - name: sbom -policyGroups: - - ref: sbom-quality +apiVersion: chainloop.dev/v1 +kind: Contract +metadata: + name: sbom-quality + description: Contract for SBOM quality checks +spec: + materials: + # SBOMs will be uploaded to your artifact registry and referenced by digest in the attestation + # Both SBOM_CYCLONEDX_JSON and SBOM_SPDX_JSON are supported + - type: SBOM_CYCLONEDX_JSON + name: sbom + policyGroups: + - ref: sbom-quality diff --git a/docs/examples/contracts/sbom/spdx-cyclonedx.yaml b/docs/examples/contracts/sbom/spdx-cyclonedx.yaml index 78bcedd00..04afe31a5 100644 --- a/docs/examples/contracts/sbom/spdx-cyclonedx.yaml 
+++ b/docs/examples/contracts/sbom/spdx-cyclonedx.yaml @@ -1,10 +1,15 @@ -schemaVersion: v1 -materials: - # Software Bill Of Materials (SBOMs) will be uploaded - # to your artifact registry and referenced by digest in the attestation - # Both SPDX - - type: SBOM_SPDX_JSON - name: skynet-sbom - # and CYCLONEDX SBOMs are supported - - type: SBOM_CYCLONEDX_JSON - name: skynet-sbom-cyclonedx +apiVersion: chainloop.dev/v1 +kind: Contract +metadata: + name: spdx-cyclonedx + description: Contract for both SPDX and CycloneDX SBOM attestation +spec: + materials: + # Software Bill Of Materials (SBOMs) will be uploaded + # to your artifact registry and referenced by digest in the attestation + # Both SPDX + - type: SBOM_SPDX_JSON + name: skynet-sbom + # and CYCLONEDX SBOMs are supported + - type: SBOM_CYCLONEDX_JSON + name: skynet-sbom-cyclonedx diff --git a/docs/examples/contracts/sbom/spdx.yaml b/docs/examples/contracts/sbom/spdx.yaml index a5535a95d..2961c6ee3 100644 --- a/docs/examples/contracts/sbom/spdx.yaml +++ b/docs/examples/contracts/sbom/spdx.yaml @@ -1,6 +1,11 @@ -schemaVersion: v1 -materials: - # SBOMs will be uploaded to your artifact registry and referenced by digest in the attestation - # Both SBOM_CYCLONEDX_JSON and SBOM_SPDX_JSON are supported - - type: SBOM_SPDX_JSON - name: skynet-sbom +apiVersion: chainloop.dev/v1 +kind: Contract +metadata: + name: spdx + description: Contract for SPDX SBOM attestation +spec: + materials: + # SBOMs will be uploaded to your artifact registry and referenced by digest in the attestation + # Both SBOM_CYCLONEDX_JSON and SBOM_SPDX_JSON are supported + - type: SBOM_SPDX_JSON + name: skynet-sbom diff --git a/docs/examples/contracts/skynet/contract.cue b/docs/examples/contracts/skynet/contract.cue index 35b891375..54cfa1401 100644 --- a/docs/examples/contracts/skynet/contract.cue +++ b/docs/examples/contracts/skynet/contract.cue 
@@ -1,48 +1,52 @@ -schemaVersion: "v1" -// Arbitrary set of annotations can be added to the contract and will be part of the attestation -annotations: [ - { - name: "version" - value: "oss" // if the value is left empty, it will be required and resolved at attestation time +apiVersion: "chainloop.dev/v1" +kind: "Contract" +metadata: { + name: "contract" + description: "Comprehensive contract for Skynet project in CUE format" + // Arbitrary set of annotations can be added to the contract and will be part of the attestation + annotations: { + version: "oss" // if the value is left empty, it will be required and resolved at attestation time } -] -// Three required and one optional materials of three different kinds -// The output flag indicates that the material will be part of the attestation subject -materials: [ - // CONTAINER_IMAGE kinds will get resolved to retrieve their repository digest - { - type: "CONTAINER_IMAGE" - name: "skynet-control-plane" - output: true - // Arbitrary annotations can be added to the material - annotations: [ - { - name: "component" - value: "control-plane" - }, - { - // The value can be left empty so it can be provided at attestation time - name: "asset" - }, - ] - }, - // ARTIFACT kinds will first get uploaded to the built-in Content Addressable Storage (CAS) - {type: "ARTIFACT", name: "rootfs"}, - {type: "ARTIFACT", name: "dockerfile", optional: true}, - // STRING kind materials will be injected as simple keypairs - {type: "STRING", name: "build-ref"}, - // SBOMs will be uploaded to the CAS and referenced in the attestation - // Both SBOM_CYCLONEDX_JSON and SBOM_SPDX_JSON are supported - {type: "SBOM_CYCLONEDX_JSON", name: "skynet-sbom"}, - // CSAF_VEX and OPENVEX are supported - {type: "OPENVEX", name: "disclosure"}, - // And static analysis reports in SARIF format - {type: "SARIF", name: "static-out"}, -] +} +spec: { + // Three required and one optional materials of three different kinds + // The output flag indicates that the 
material will be part of the attestation subject + materials: [ + // CONTAINER_IMAGE kinds will get resolved to retrieve their repository digest + { + type: "CONTAINER_IMAGE" + name: "skynet-control-plane" + output: true + // Arbitrary annotations can be added to the material + annotations: [ + { + name: "component" + value: "control-plane" + }, + { + // The value can be left empty so it can be provided at attestation time + name: "asset" + }, + ] + }, + // ARTIFACT kinds will first get uploaded to the built-in Content Addressable Storage (CAS) + {type: "ARTIFACT", name: "rootfs"}, + {type: "ARTIFACT", name: "dockerfile", optional: true}, + // STRING kind materials will be injected as simple keypairs + {type: "STRING", name: "build-ref"}, + // SBOMs will be uploaded to the CAS and referenced in the attestation + // Both SBOM_CYCLONEDX_JSON and SBOM_SPDX_JSON are supported + {type: "SBOM_CYCLONEDX_JSON", name: "skynet-sbom"}, + // CSAF_VEX and OPENVEX are supported + {type: "OPENVEX", name: "disclosure"}, + // And static analysis reports in SARIF format + {type: "SARIF", name: "static-out"}, + ] -// Env vars we want the system to resolve and inject during attestation initialization -// Additional ones can be inherited from the specified runner context below -envAllowList: [ "CUSTOM_VAR"] -// Enforce in what runner context the attestation must happen -// If not specified, the attestation crafting process is allowed to run anywhere -runner: type: "GITHUB_ACTION" + // Env vars we want the system to resolve and inject during attestation initialization + // Additional ones can be inherited from the specified runner context below + envAllowList: [ "CUSTOM_VAR"] + // Enforce in what runner context the attestation must happen + // If not specified, the attestation crafting process is allowed to run anywhere + runner: type: "GITHUB_ACTION" +} 
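Review bot: `metadata.annotations` is now a map (`version: "oss"`) while the material-level `annotations` on `skynet-control-plane` is still a list of `{name, value}` structs; if the `chainloop.dev/v1` schema intends both to be maps this hunk migrated only one of them, and if the two shapes are deliberately different a one-line comment saying so would spare readers the comparison. The retained comment `// if the value is left empty, it will be required and resolved at attestation time` now describes a map entry, so it should say that `version: ""` is the form that triggers resolution. The moved comment `// Three required and one optional materials of three different kinds` no longer matches the list below it, which has seven materials across six kinds; `// Six required and one optional material across six material kinds` would be accurate.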
diff --git a/docs/examples/contracts/skynet/contract.json b/docs/examples/contracts/skynet/contract.json index 7f5c7e422..5b2b78223 100644 --- a/docs/examples/contracts/skynet/contract.json +++ b/docs/examples/contracts/skynet/contract.json @@ -1,33 +1,37 @@ { - "schemaVersion": "v1", - "annotations": [ - { - "name": "version", - "value": "oss" + "apiVersion": "chainloop.dev/v1", + "kind": "Contract", + "metadata": { + "name": "contract", + "description": "Comprehensive contract for Skynet project in JSON format", + "annotations": { + "version": "oss" } - ], - "materials": [ - { - "type": "CONTAINER_IMAGE", - "name": "skynet-control-plane", - "output": true, - "annotations": [ - { - "name": "component", - "value": "control-plane" - }, - { - "name": "asset" - } - ] - }, - { "type": "ARTIFACT", "name": "rootfs" }, - { "type": "ARTIFACT", "name": "dockerfile", "optional": true }, - { "type": "STRING", "name": "build-ref" }, - { "type": "SBOM_CYCLONEDX_JSON", "name": "skynet-sbom" }, - { "type": "OPENVEX", "name": "disclosure" }, - { "type": "SARIF", "name": "static-output" } - ], - "envAllowList": ["CUSTOM_VAR"], - "runner": { "type": "GITHUB_ACTION" } + }, + "spec": { + "materials": [ + { + "type": "CONTAINER_IMAGE", + "name": "skynet-control-plane", + "output": true, + "annotations": [ + { + "name": "component", + "value": "control-plane" + }, + { + "name": "asset" + } + ] + }, + { "type": "ARTIFACT", "name": "rootfs" }, + { "type": "ARTIFACT", "name": "dockerfile", "optional": true }, + { "type": "STRING", "name": "build-ref" }, + { "type": "SBOM_CYCLONEDX_JSON", "name": "skynet-sbom" }, + { "type": "OPENVEX", "name": "disclosure" }, + { "type": "SARIF", "name": "static-output" } + ], + "envAllowList": ["CUSTOM_VAR"], + "runner": { "type": "GITHUB_ACTION" } + } } diff --git a/docs/examples/contracts/skynet/contract.yaml b/docs/examples/contracts/skynet/contract.yaml index 85dc18455..735819577 100644 --- a/docs/examples/contracts/skynet/contract.yaml 
+++ b/docs/examples/contracts/skynet/contract.yaml 
@@ -1,55 +1,58 @@ -schemaVersion: v1 -# Arbitrary set of annotations can be added to the contract and will be part of the attestation -annotations: - - name: version - value: oss # if the value is left empty, it will be required and resolved at attestation time +apiVersion: chainloop.dev/v1 +kind: Contract +metadata: + name: contract + description: Comprehensive contract for Skynet project + # Arbitrary set of annotations can be added to the contract and will be part of the attestation + annotations: + version: oss # if the value is left empty, it will be required and resolved at attestation time +spec: + # https://docs.chainloop.dev/reference/operator/material-types + materials: + # CONTAINER_IMAGE kinds will get resolved to retrieve their repository digest + - type: CONTAINER_IMAGE + name: + skynet-control-plane + # The output flag indicates that the material will be part of the attestation subject + output: true + # Arbitrary annotations can be added to the material + annotations: + - name: component + value: control-plane + # The value can be left empty so it can be provided at attestation time + - name: asset + # ARTIFACT kinds will first get uploaded to your artifact registry via the built-in Content Addressable Storage (CAS) + # Optional dockerfile + - type: ARTIFACT + name: dockerfile + optional: true + # SBOMs will be uploaded to the artifact registry and referenced in the attestation + # Both SBOM_CYCLONEDX_JSON and SBOM_SPDX_JSON are supported + - type: SBOM_CYCLONEDX_JSON + name: skynet-sbom + # CSAF_VEX and OPENVEX are supported + - type: OPENVEX + name: disclosure + # And static analysis reports in SARIF format + - type: SARIF + name: static-out + # or additional tools + - type: TWISTCLI_SCAN_JSON + name: scan-result -# https://docs.chainloop.dev/reference/operator/material-types -materials: - # CONTAINER_IMAGE kinds will get resolved to retrieve their repository digest - - type: CONTAINER_IMAGE - name: - skynet-control-plane - # The output flag 
indicates that the material will be part of the attestation subject - output: true - # Arbitrary annotations can be added to the material - annotations: - - name: component - value: control-plane - # The value can be left empty so it can be provided at attestation time - - name: asset - # ARTIFACT kinds will first get uploaded to your artifact registry via the built-in Content Addressable Storage (CAS) - # Optional dockerfile - - type: ARTIFACT - name: dockerfile - optional: true - # SBOMs will be uploaded to the artifact registry and referenced in the attestation - # Both SBOM_CYCLONEDX_JSON and SBOM_SPDX_JSON are supported - - type: SBOM_CYCLONEDX_JSON - name: skynet-sbom - # CSAF_VEX and OPENVEX are supported - - type: OPENVEX - name: disclosure - # And static analysis reports in SARIF format - - type: SARIF - name: static-out - # or additional tools - - type: TWISTCLI_SCAN_JSON - name: scan-result + # https://docs.chainloop.dev/reference/policies + policies: + materials: # policies applied to materials + - ref: file://cyclonedx-licenses.yaml + attestation: # policies applied to the whole attestation + - ref: https://github.com/chainloop/chainloop-dev/blob/main/docs/examples/policies/chainloop-commit.yaml # (2) -# https://docs.chainloop.dev/reference/policies -policies: - materials: # policies applied to materials - - ref: file://cyclonedx-licenses.yaml - attestation: # policies applied to the whole attestation - - ref: https://github.com/chainloop/chainloop-dev/blob/main/docs/examples/policies/chainloop-commit.yaml # (2) + # Env vars we want the system to resolve and inject during attestation initialization + # Additional ones can be inherited from the specified runner context below + envAllowList: + - CUSTOM_VAR -# Env vars we want the system to resolve and inject during attestation initialization -# Additional ones can be inherited from the specified runner context below -envAllowList: - - CUSTOM_VAR - -# Enforce in what runner context the attestation must 
happen -# If not specified, the attestation crafting process is allowed to run anywhere -runner: - type: "GITHUB_ACTION" + # Enforce in what runner context the attestation must happen + # If not specified, the attestation crafting process is allowed to run anywhere + runner: + type: "GITHUB_ACTION" diff --git a/docs/examples/contracts/slsa/github.yaml b/docs/examples/contracts/slsa/github.yaml index 228febe27..5545761f0 100644 --- a/docs/examples/contracts/slsa/github.yaml +++ b/docs/examples/contracts/slsa/github.yaml @@ -1,11 +1,15 @@ # Require a container image reference and include SLSA complicance verification -schemaVersion: v1 +apiVersion: chainloop.dev/v1 +kind: Contract +metadata: + name: github + description: Require a container image reference and include SLSA compliance verification +spec: + materials: + - type: CONTAINER_IMAGE + name: container -materials: - - type: CONTAINER_IMAGE - name: container - -policyGroups: - - ref: slsa-checks - with: - runner: GITHUB_ACTION # or GITLAB_PIPELINE + policyGroups: + - ref: slsa-checks + with: + runner: GITHUB_ACTION # or GITLAB_PIPELINE diff --git a/docs/examples/contracts/vex/csaf_vex.yaml b/docs/examples/contracts/vex/csaf_vex.yaml index 8c83e830d..e1dd03a06 100644 --- a/docs/examples/contracts/vex/csaf_vex.yaml +++ b/docs/examples/contracts/vex/csaf_vex.yaml @@ -1,4 +1,9 @@ -schemaVersion: v1 -materials: - - type: CSAF_VEX - name: disclosure +apiVersion: chainloop.dev/v1 +kind: Contract +metadata: + name: csaf-vex + description: Contract for CSAF VEX vulnerability disclosure +spec: + materials: + - type: CSAF_VEX + name: disclosure diff --git a/docs/examples/contracts/vex/openvex.yaml b/docs/examples/contracts/vex/openvex.yaml index 0e9ca14a0..0730cafbd 100644 --- a/docs/examples/contracts/vex/openvex.yaml +++ b/docs/examples/contracts/vex/openvex.yaml 
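Review bot: The `policies.attestation` ref `https://github.com/chainloop/chainloop-dev/blob/main/docs/examples/policies/chainloop-commit.yaml` points at a GitHub HTML page (`/blob/`) with org and repo in the opposite order from every other remote ref in this diff (`raw.githubusercontent.com/chainloop-dev/chainloop/refs/heads/main/...`); a loader that fetches the URL verbatim would receive HTML rather than the policy, so it should be aligned with the form used in `quickstart/contract-with-policies-oss.yaml`. The trailing `# (2)` on that line looks like a leftover footnote marker with no footnote. Every remote ref here and in the quickstart files resolves to the mutable `main` branch, so the policy a contract enforces can change without the contract changing; the comment above `policies:` should mention pinning to a release tag (`refs/tags/<tag>`) or a commit SHA in the URL. The `name:` / `skynet-control-plane` split across two lines is a multi-line plain scalar that parses correctly but reads as a missing value; `name: skynet-control-plane` on one line is clearer.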
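Review bot: The new `description` in `slsa/github.yaml` says `SLSA compliance verification`, but the retained first-line comment still reads `SLSA complicance verification`; because that comment is kept as context the typo survives the migration. Either fix the comment or drop it now that `description` carries the same text.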
@@ -1,4 +1,9 @@ -schemaVersion: v1 -materials: - - type: OPENVEX - name: disclosure +apiVersion: chainloop.dev/v1 +kind: Contract +metadata: + name: openvex + description: Contract for OpenVEX vulnerability disclosure +spec: + materials: + - type: OPENVEX + name: disclosure diff --git a/docs/examples/contracts/vulnerabilities/vulnerability-management.yaml b/docs/examples/contracts/vulnerabilities/vulnerability-management.yaml index f0fbe4acc..11dc031e9 100644 --- a/docs/examples/contracts/vulnerabilities/vulnerability-management.yaml +++ b/docs/examples/contracts/vulnerabilities/vulnerability-management.yaml @@ -1,11 +1,16 @@ #vuln-scan-contract -schemaVersion: v1 -materials: - # SCA scans will be uploaded to your artifact registry and referenced by digest in the attestation - # BLACKDUCK_SCA_JSON, SARIF, TWISTCLI_SCAN_JSON, GHAS_DEPENDENCY_SCAN - # are supported - - type: SARIF - name: vuln-scan -policyGroups: - - ref: vulnerability-management +apiVersion: chainloop.dev/v1 +kind: Contract +metadata: + name: vulnerability-management + description: Contract for vulnerability scanning and management +spec: + materials: + # SCA scans will be uploaded to your artifact registry and referenced by digest in the attestation + # BLACKDUCK_SCA_JSON, SARIF, TWISTCLI_SCAN_JSON, GHAS_DEPENDENCY_SCAN + # are supported + - type: SARIF + name: vuln-scan + policyGroups: + - ref: vulnerability-management diff --git a/docs/examples/policies/http-hostname-validation/README.md b/docs/examples/policies/http-hostname-validation/README.md index 307db0b84..ae62d635b 100644 --- a/docs/examples/policies/http-hostname-validation/README.md +++ b/docs/examples/policies/http-hostname-validation/README.md 
@@ -44,19 +44,21 @@ chainloop policy develop eval \ Add this policy to your workflow contract: ```yaml -apiVersion: workflowcontract.chainloop.dev/v1 -kind: WorkflowContract +apiVersion: chainloop.dev/v1 +kind: Contract metadata: name: platform-validation-workflow + description: Workflow contract for platform validation spec: materials: - type: EVIDENCE name: platform-check - + policies: - - ref: ./http-hostname-validation/policy.yaml - with: - expected_version: "2.0.0" # Optional, defaults to "1.2.3" + materials: + - ref: ./http-hostname-validation/policy.yaml + with: + expected_version: "2.0.0" # Optional, defaults to "1.2.3" ``` **Note**: When running in production, the Control Plane manages hostname allowlisting through organization settings. The `--allowed-hostnames` flag is only for local development and testing. diff --git a/docs/examples/policies/json-field-validator/README.md b/docs/examples/policies/json-field-validator/README.md index ffd19c5a5..2d73d8138 100644 --- a/docs/examples/policies/json-field-validator/README.md +++ b/docs/examples/policies/json-field-validator/README.md 
@@ -26,43 +26,46 @@ This policy allows you to validate individual fields in JSON evidence files. It Add this policy to your workflow contract: ```yaml -apiVersion: workflowcontract.chainloop.dev/v1 -kind: WorkflowContract +apiVersion: chainloop.dev/v1 +kind: Contract metadata: name: my-workflow + description: Workflow contract for application config validation spec: materials: - type: EVIDENCE name: app-config - + policies: - - ref: ./json-field-validator/policy.yaml - with: - required_field: application.environment - expected_value: production + materials: + - ref: ./json-field-validator/policy.yaml + with: + required_field: application.environment + expected_value: production ``` ### Multiple Field Validations ```yaml policies: - # Validate environment - - ref: ./json-field-validator/policy.yaml - with: - required_field: application.environment - expected_value: production - - # Validate version format - - ref: ./json-field-validator/policy.yaml - with: - required_field: application.version - field_pattern: "^[0-9]+\\.[0-9]+\\.[0-9]+$" - - # Validate security is enabled - - ref: ./json-field-validator/policy.yaml - with: - required_field: security.enabled - expected_value: "true" + materials: + # Validate environment + - ref: ./json-field-validator/policy.yaml + with: + required_field: application.environment + expected_value: production + + # Validate version format + - ref: ./json-field-validator/policy.yaml + with: + required_field: application.version + field_pattern: "^[0-9]+\\.[0-9]+\\.[0-9]+$" + + # Validate security is enabled + - ref: ./json-field-validator/policy.yaml + with: + required_field: security.enabled + expected_value: "true" ``` ## Development & Testing diff --git a/docs/examples/policies/sbom-freshness/README.md b/docs/examples/policies/sbom-freshness/README.md index 73e2f2681..fbd1c8835 100644 --- a/docs/examples/policies/sbom-freshness/README.md +++ b/docs/examples/policies/sbom-freshness/README.md 
@@ -22,34 +22,37 @@ This policy validates the freshness of SBOM (Software Bill of Materials) files b Add this policy to your workflow contract: ```yaml -apiVersion: workflowcontract.chainloop.dev/v1 -kind: WorkflowContract +apiVersion: chainloop.dev/v1 +kind: Contract metadata: name: my-workflow + description: Workflow contract for SBOM freshness validation spec: materials: - type: SBOM_CYCLONEDX_JSON name: app-sbom - + policies: - - ref: ./sbom-freshness/policy.yaml - with: - freshness_days: 30 + materials: + - ref: ./sbom-freshness/policy.yaml + with: + freshness_days: 30 ``` ### Multiple Freshness Requirements ```yaml policies: - # Strict freshness for production - - ref: ./sbom-freshness/policy.yaml - with: - freshness_days: 7 - - # Moderate freshness for development - - ref: ./sbom-freshness/policy.yaml - with: - freshness_days: 30 + materials: + # Strict freshness for production + - ref: ./sbom-freshness/policy.yaml + with: + freshness_days: 7 + + # Moderate freshness for development + - ref: ./sbom-freshness/policy.yaml + with: + freshness_days: 30 ``` ## Development & Testing 
@@ -117,27 +120,30 @@ The policy calculates freshness using: ```yaml # Require fresh SBOMs for security scanning policies: - - ref: ./sbom-freshness/policy.yaml - with: - freshness_days: 7 # Weekly refresh requirement + materials: + - ref: ./sbom-freshness/policy.yaml + with: + freshness_days: 7 # Weekly refresh requirement ``` ### Development Workflows ```yaml # Allow older SBOMs for development environments policies: - - ref: ./sbom-freshness/policy.yaml - with: - freshness_days: 90 # Quarterly refresh acceptable + materials: + - ref: ./sbom-freshness/policy.yaml + with: + freshness_days: 90 # Quarterly refresh acceptable ``` ### Release Gates ```yaml # Strict freshness for production releases policies: - - ref: ./sbom-freshness/policy.yaml - with: - freshness_days: 1 # Daily refresh for releases + materials: + - ref: ./sbom-freshness/policy.yaml + with: + freshness_days: 1 # Daily refresh for releases ``` ## Test Framework diff --git a/docs/examples/quickstart/contract-only-materials.yaml b/docs/examples/quickstart/contract-only-materials.yaml index 2dd367d56..ff500cbc7 100644 --- a/docs/examples/quickstart/contract-only-materials.yaml +++ b/docs/examples/quickstart/contract-only-materials.yaml @@ -1,8 +1,13 @@ -schemaVersion: v1 -materials: - - name: container - type: CONTAINER_IMAGE - - name: sbom - type: SBOM_CYCLONEDX_JSON - - name: vulnerabilities-report - type: SARIF \ No newline at end of file +apiVersion: chainloop.dev/v1 +kind: Contract +metadata: + name: contract-only-materials + description: Basic contract with materials only +spec: + materials: + - name: container + type: CONTAINER_IMAGE + - name: sbom + type: SBOM_CYCLONEDX_JSON + - name: vulnerabilities-report + type: SARIF \ No newline at end of file diff --git a/docs/examples/quickstart/contract-with-policies-oss.yaml b/docs/examples/quickstart/contract-with-policies-oss.yaml index 3c1cd2178..bd8a07673 100644 --- a/docs/examples/quickstart/contract-with-policies-oss.yaml 
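Review bot: `\ No newline at end of file` is still reported on the new side of `quickstart/contract-only-materials.yaml`, so the rewritten file keeps the missing trailing newline. Since every line of the file is touched anyway, ending it with a newline costs nothing and avoids a spurious one-line hunk in the next edit.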
+++ b/docs/examples/quickstart/contract-with-policies-oss.yaml @@ -1,18 +1,23 @@ -schemaVersion: v1 -materials: - - name: container - type: CONTAINER_IMAGE - - name: sbom - type: SBOM_CYCLONEDX_JSON - - name: vulnerabilities-report - type: SARIF - -# We can attach policies from the provided library of policies https://app.chainloop.dev/policies -# or custom ones as explained here https://docs.chainloop.dev/concepts/policies -policies: - attestation: - - ref: https://raw.githubusercontent.com/chainloop-dev/chainloop/refs/heads/main/docs/examples/policies/chainloop-commit.yaml - - ref: https://raw.githubusercontent.com/chainloop-dev/chainloop/refs/heads/main/docs/examples/policies/sbom/sbom-present.yaml +apiVersion: chainloop.dev/v1 +kind: Contract +metadata: + name: contract-with-policies-oss + description: Contract with policies for OSS projects +spec: materials: - - ref: https://raw.githubusercontent.com/chainloop-dev/chainloop/refs/heads/main/docs/examples/policies/sbom/cyclonedx-licenses.yaml + - name: container + type: CONTAINER_IMAGE + - name: sbom + type: SBOM_CYCLONEDX_JSON + - name: vulnerabilities-report + type: SARIF + + # We can attach policies from the provided library of policies https://app.chainloop.dev/policies + # or custom ones as explained here https://docs.chainloop.dev/concepts/policies + policies: + attestation: + - ref: https://raw.githubusercontent.com/chainloop-dev/chainloop/refs/heads/main/docs/examples/policies/chainloop-commit.yaml + - ref: https://raw.githubusercontent.com/chainloop-dev/chainloop/refs/heads/main/docs/examples/policies/sbom/sbom-present.yaml + materials: + - ref: https://raw.githubusercontent.com/chainloop-dev/chainloop/refs/heads/main/docs/examples/policies/sbom/cyclonedx-licenses.yaml diff --git a/docs/examples/quickstart/contract-with-policies.yaml b/docs/examples/quickstart/contract-with-policies.yaml index 5ed4d88f5..557c847f4 100644 --- a/docs/examples/quickstart/contract-with-policies.yaml 
+++ b/docs/examples/quickstart/contract-with-policies.yaml 
@@ -1,27 +1,32 @@ -schemaVersion: v1 -materials: - - name: container - type: CONTAINER_IMAGE - - name: sbom - type: SBOM_CYCLONEDX_JSON - - name: vulnerabilities-report - type: SARIF - -# We can attach policies from the provided library of policies https://app.chainloop.dev/policies -# or custom ones as explained here https://docs.chainloop.dev/concepts/policies -policies: +apiVersion: chainloop.dev/v1 +kind: Contract +metadata: + name: contract-with-policies + description: Contract with policies and policy groups for comprehensive checks +spec: materials: - # artifact-signed checks that all OCI artifacts such as Container Images and Charts are signed - - ref: artifact-signed - # Make sure we are not using latest in the container image - - ref: artifact-tag-not-latest + - name: container + type: CONTAINER_IMAGE + - name: sbom + type: SBOM_CYCLONEDX_JSON + - name: vulnerabilities-report + type: SARIF + + # We can attach policies from the provided library of policies https://app.chainloop.dev/policies + # or custom ones as explained here https://docs.chainloop.dev/concepts/policies + policies: + materials: + # artifact-signed checks that all OCI artifacts such as Container Images and Charts are signed + - ref: artifact-signed + # Make sure we are not using latest in the container image + - ref: artifact-tag-not-latest -# alternatively to policies you can apply policy groups -# https://docs.chainloop.dev/concepts/policy-groups#policy-groups -policyGroups: - - ref: slsa-checks - - ref: vulnerability-management - - ref: sbom-quality - with: - bannedComponents: log4j@2.14.1 - bannedLicenses: AGPL-1.0-only, AGPL-1.0-or-later, AGPL-3.0-only, AGPL-3.0-or-later + # alternatively to policies you can apply policy groups + # https://docs.chainloop.dev/concepts/policy-groups#policy-groups + policyGroups: + - ref: slsa-checks + - ref: vulnerability-management + - ref: sbom-quality + with: + bannedComponents: log4j@2.14.1 + bannedLicenses: AGPL-1.0-only, AGPL-1.0-or-later, 
AGPL-3.0-only, AGPL-3.0-or-later diff --git a/docs/examples/quickstart/quickstart-contract-oss.yaml b/docs/examples/quickstart/quickstart-contract-oss.yaml index dcb9fa4f5..d9168caf3 100644 --- a/docs/examples/quickstart/quickstart-contract-oss.yaml +++ b/docs/examples/quickstart/quickstart-contract-oss.yaml @@ -1,19 +1,24 @@ # This is an example contract that expects a container, an SBOM, and a vulnerabilities report. -schemaVersion: v1 -materials: - - name: container - type: CONTAINER_IMAGE - - name: sbom - type: SBOM_CYCLONEDX_JSON - optional: true - - name: vulnerabilities-report - type: SARIF - optional: true - -policies: - attestation: - - ref: https://raw.githubusercontent.com/chainloop-dev/chainloop/refs/heads/main/docs/examples/policies/chainloop-commit.yaml - - ref: https://raw.githubusercontent.com/chainloop-dev/chainloop/refs/heads/main/docs/examples/policies/sbom/sbom-present.yaml +apiVersion: chainloop.dev/v1 +kind: Contract +metadata: + name: quickstart-contract-oss + description: Example contract with container, SBOM, and vulnerabilities report for OSS +spec: materials: - - ref: https://raw.githubusercontent.com/chainloop-dev/chainloop/refs/heads/main/docs/examples/policies/sbom/cyclonedx-licenses.yaml + - name: container + type: CONTAINER_IMAGE + - name: sbom + type: SBOM_CYCLONEDX_JSON + optional: true + - name: vulnerabilities-report + type: SARIF + optional: true + + policies: + attestation: + - ref: https://raw.githubusercontent.com/chainloop-dev/chainloop/refs/heads/main/docs/examples/policies/chainloop-commit.yaml + - ref: https://raw.githubusercontent.com/chainloop-dev/chainloop/refs/heads/main/docs/examples/policies/sbom/sbom-present.yaml + materials: + - ref: https://raw.githubusercontent.com/chainloop-dev/chainloop/refs/heads/main/docs/examples/policies/sbom/cyclonedx-licenses.yaml diff --git a/docs/examples/quickstart/quickstart-contract.yaml b/docs/examples/quickstart/quickstart-contract.yaml index d76ab0434..7f8ad6efe 100644 
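Review bot: The comment above `policyGroups` still says groups are applied "alternatively to policies", but the new `spec` applies both `policies.materials` and `policyGroups`, so a reader cannot tell whether the two sets are cumulative; reword it to `# Policy groups can be applied alongside (or instead of) individual policies`. The `sbom-quality` inputs also deserve a caveat: `bannedComponents: log4j@2.14.1` bans exactly one version, which presumably is meant as a Log4Shell example but will not match any other affected release, so either list the versions you actually intend to block or add `# illustrative only: ban the full set of versions you consider unacceptable`. Whether `vulnerability-management` needs a severity threshold in `with:` is not visible from this hunk; if it does, the example should show it.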
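Review bot: The header comment says the contract "expects" an SBOM and a vulnerabilities report, yet both materials are `optional: true`; presumably the `sbom-present.yaml` attestation policy is what makes the SBOM effectively mandatory, while nothing in the contract requires the SARIF report, so a build that never ran the scanner still satisfies it. Say so where the materials are declared, e.g. `# sbom is optional at the material level but sbom-present.yaml fails the attestation without one; vulnerabilities-report is not enforced`, or drop `optional: true` from `vulnerabilities-report` if the report is meant to be required. The `cyclonedx-licenses.yaml` material policy has nothing to evaluate when no SBOM is attached, which is another reason to document the dependency. The refs also point at `refs/heads/main`; pin them to a commit SHA so the enforced rules cannot change underneath the contract.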
--- a/docs/examples/quickstart/quickstart-contract.yaml +++ b/docs/examples/quickstart/quickstart-contract.yaml 
@@ -1,32 +1,37 @@ # This is an example contract that expects all containers to have a valid SBOM # and all artifacts to be signed. It also checks that the vulnerabilities # reports do not contain any vulnerabilities with severity higher than MEDIUM -schemaVersion: v1 -materials: - - name: container - type: CONTAINER_IMAGE - - name: sbom - type: SBOM_CYCLONEDX_JSON - optional: true - - name: vulnerabilities-report - type: SARIF - optional: true -policies: - attestation: - # Container with sbom checks that all containers added to the attestation - # have a valid SBOM also present in the attestation - - ref: containers-with-sbom +apiVersion: chainloop.dev/v1 +kind: Contract +metadata: + name: quickstart-contract + description: Example contract with SBOM, signing, and vulnerability checks +spec: materials: - # Artifact signed checks that all artifacts such as Container Images and Charts are signed - - ref: artifact-signed - # Vulnerabilities checks the vulnerabilities reports if present in the attestation - # does not contain any vulnerabilities with severity higher than the specified - - ref: vulnerabilities + - name: container + type: CONTAINER_IMAGE + - name: sbom + type: SBOM_CYCLONEDX_JSON + optional: true + - name: vulnerabilities-report + type: SARIF + optional: true + policies: + attestation: + # Container with sbom checks that all containers added to the attestation + # have a valid SBOM also present in the attestation + - ref: containers-with-sbom + materials: + # Artifact signed checks that all artifacts such as Container Images and Charts are signed + - ref: artifact-signed + # Vulnerabilities checks the vulnerabilities reports if present in the attestation + # does not contain any vulnerabilities with severity higher than the specified + - ref: vulnerabilities + with: + severity: "MEDIUM" + policyGroups: + # This policy group applies a number of SBOM-related policies + - ref: sbom-quality with: - severity: "MEDIUM" -policyGroups: - # This policy group 
applies a number of SBOM-related policies - - ref: sbom-quality - with: - bannedLicenses: AGPL-1.0-only, AGPL-1.0-or-later, AGPL-3.0-only, AGPL-3.0-or-later - bannedComponents: log4j@2.14.1 + bannedLicenses: AGPL-1.0-only, AGPL-1.0-or-later, AGPL-3.0-only, AGPL-3.0-or-later + bannedComponents: log4j@2.14.1
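Review bot: The `vulnerabilities` policy is documented as checking the reports "if present in the attestation" and `vulnerabilities-report` is `optional: true`, so the severity gate is fail-open: a pipeline that omits the scanner output entirely passes the contract, while the header comment promises that reports "do not contain any vulnerabilities with severity higher than MEDIUM". Either remove `optional: true` from `vulnerabilities-report`, or change the header to state the limitation, e.g. `# The severity check only runs when a SARIF report is attached; attaching one is not enforced by this contract.` The `containers-with-sbom` attestation policy is what backs the "all containers have a valid SBOM" claim despite `sbom` being optional, and the comment on `severity: "MEDIUM"` should say whether MEDIUM findings themselves pass or fail, which the current wording "higher than the specified" leaves ambiguous.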