Update docs
michaelvl committed Feb 25, 2024
1 parent c877701 commit 53db0a8
Showing 1 changed file with 34 additions and 0 deletions.
34 changes: 34 additions & 0 deletions README.md
@@ -150,6 +150,40 @@ spec:
}
```

## Rego Policies

`artifact-underwriter` will fetch and verify signatures on all
attestations as specified in the policy. Next, it will pass the
attestation bundle to Open Policy Agent as `input`. The pass/no-pass
status of the Rego policy evaluation is determined by the query
`data.governance.allow` against the OpenPolicyAgent output.

A simple Rego policy could thus be (see [`examples/policy/governance.rego`](examples/policy/governance.rego)):

```rego
package governance
default allow = false
# Collect all provenance attestions
provenance_attestations := [input[i] | input[i].predicateType == "https://slsa.dev/provenance/v0.2"]
...
# Check for violations in provenance attestations - this is a simple check for presence of provenance
provenance_violations[msg] {
count(provenance_attestations) == 0
msg:= "no provenance attestation"
}
# Produce final verdict by combining all checks
allow {
violations := provenance_violations | sbom_violations | vuln_violations | pr_violations
print(violations)
count(violations) == 0
}
```

## Credits and References

- This tool is inspired by
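Review bot: the `allow` rule in the new Rego example takes the union of `sbom_violations`, `vuln_violations` and `pr_violations`, but the `...` in the snippet elides the rules that define them, so a reader who copies the block as shown gets undefined references and `allow` never becomes true; either include those three rules (or a minimal one-line stub of each) or state explicitly that the full definitions live in `examples/policy/governance.rego`. Worth noting in the text that this failure mode is the safe direction: with `default allow = false`, any undefined set in that union leaves `allow` undefined and the verdict stays deny, which is the behaviour one wants from a governance gate. Smaller points: the `print(violations)` call is debug output and should be removed or commented as such, since a real policy file should not rely on it; the prose "against the OpenPolicyAgent output" is confusing because `data.governance.allow` is the query evaluated over the attestation bundle supplied as `input`, so "the result of the query `data.governance.allow`" would read better; the comment has a typo ("attestions"); and `msg:= "no provenance attestation"` should be `msg := ...` to match the spacing used for `provenance_attestations :=` and `violations :=`.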