chainguard-dev / policy-catalog

Apache License 2.0

Chainguard Images attestation policy is a big OR #9

Open mattmoor opened 1 year ago

mattmoor commented 1 year ago

Describe the bug

I believe that these attestations end up being a giant OR: https://github.com/chainguard-dev/policy-catalog/blob/524be7dc1c401f5cb55644e022add82d43a84925/policies/vendors/chainguard/chainguard-images-attested-cue.yaml

To Reproduce

Find an image that only has one of the specified attestations, and run this on it.

Expected behavior

Any of the missing attestations trigger a failure

mattmoor commented 1 year ago

I believe the fix is either to add a top-level policy that checks the policy result for all of the attestation names, or to break out a policy for each of these predicate types.
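To make the "big OR" concrete, here is an added example (not code from the policy-catalog repository or from the comment author) that contrasts the two aggregation semantics over a per-authority result. The input shape is an assumption modelled on the policy-controller's top-level policy input (`authorityMatches` keyed by authority name, with an `attestations` map keyed by attestation name), and the attestation names `sbom`, `vuln` and `slsa` are hypothetical placeholders; check both against the policy-controller version you run.

```python
"""Added example: why listing attestations under one authority behaves
like an OR, and what an AND over all attestation names looks like.

ASSUMPTION: the result handed to a top-level policy looks like
{"authorityMatches": {<authority>: {"attestations": {<name>: [match, ...]}}}}.
Attestation names below are hypothetical placeholders.
"""

REQUIRED_ATTESTATIONS = ("sbom", "vuln", "slsa")  # hypothetical names


def present_attestations(result, authority):
    """Return the set of attestation names that produced at least one match."""
    matches = result.get("authorityMatches", {}).get(authority, {})
    attestations = matches.get("attestations", {})
    return {name for name, hits in attestations.items() if hits}


def or_semantics(result, authority, required=REQUIRED_ATTESTATIONS):
    """The behaviour the issue describes: any single matching attestation
    is enough for the authority (and therefore the policy) to pass."""
    present = present_attestations(result, authority)
    return any(name in present for name in required)


def and_semantics(result, authority, required=REQUIRED_ATTESTATIONS):
    """The expected behaviour: every required attestation must match.
    Returns (passed, missing_names) so a failure names what is absent."""
    present = present_attestations(result, authority)
    missing = [name for name in required if name not in present]
    return (len(missing) == 0, missing)


# Constructed inputs (not real attestation results).
ONLY_SBOM = {
    "authorityMatches": {
        "chainguard": {
            "attestations": {
                "sbom": [{"subject": "cgr.dev/chainguard/example"}],
            }
        }
    }
}

ALL_PRESENT = {
    "authorityMatches": {
        "chainguard": {
            "attestations": {
                "sbom": [{"subject": "cgr.dev/chainguard/example"}],
                "vuln": [{"subject": "cgr.dev/chainguard/example"}],
                "slsa": [{"subject": "cgr.dev/chainguard/example"}],
            }
        }
    }
}

NONE_PRESENT = {"authorityMatches": {"chainguard": {"attestations": {}}}}


if __name__ == "__main__":
    for label, result in (("only sbom", ONLY_SBOM), ("all", ALL_PRESENT), ("none", NONE_PRESENT)):
        passed, missing = and_semantics(result, "chainguard")
        print(f"{label:10s} OR={or_semantics(result, 'chainguard')} AND={passed} missing={missing}")
```

The image with a single attestation is the reproduction case from the issue: the OR-style check passes it, while the AND-style check fails it and reports the two missing names, which is the result the top-level policy from the comment above would need to produce.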