Closed jdolitsky closed 1 year ago
I've tested this here:
And it works with a related policy:
```shell
# Create policy: keyless authority that additionally requires an SPDX attestation
cat >03-has-sbom-attestation.yaml <<EOL
apiVersion: policy.sigstore.dev/v1beta1
kind: ClusterImagePolicy
metadata:
  name: has-spdxjson-attestation
spec:
  images:
  - glob: ghcr.io/jdolitsky/*
  authorities:
  - name: keyless-authority
    keyless:
      url: https://fulcio.sigstore.dev
      identities:
      - issuer: https://token.actions.githubusercontent.com
        subject: https://github.com/jdolitsky/apko-att-test-2/.github/workflows/build.yml@refs/heads/main
    ctlog:
      url: https://rekor.sigstore.dev
    attestations:
    - name: must-have-spdx-attestation
      predicateType: https://spdx.dev/Document
EOL

# Validate index
policy-tester -image ghcr.io/jdolitsky/apko-att-test-2:latest -policy 03-has-sbom-attestation.yaml

# Validate each arch: iterate over the per-platform manifest digests in the index
for digest in $(crane manifest ghcr.io/jdolitsky/apko-att-test-2:latest | jq -r '.manifests[] | .digest'); do
  echo "ghcr.io/jdolitsky/apko-att-test-2@${digest}"
  policy-tester -image "ghcr.io/jdolitsky/apko-att-test-2@${digest}" -policy ./03-has-sbom-attestation.yaml
done
```