Open developer-guy opened 2 years ago
+1!
Although I'd note that rego actually has a spec on how to bundle and fetch these, while I'm not sure cue does. Maybe we should start with rego?
Yes, I agree with you. Here are the mediaTypes defined for Rego policies 👇 https://github.com/open-policy-agent/conftest/blob/7d0099b5ed0d8c70a1e4eda9388e4e50bf068218/internal/commands/push.go#L48-L50
We should start implementing the OPA feature according to them. 🙋🏻♂️
I think we should provide a scheme for the types of policies such as oci:// for OCI images, file:// for files, dir:// for directories, WDYT @dentrax @dlorenc?
Do we need to do a full protocol like that? If it's a URL, can we assume OCI? Otherwise local?
Description
For example, conftest has the ability to share Rego policies^1 over OCI registries, which means that users can pull or push Rego policies to OCI registries, and we can do the same for CUE basically. So, we have support to verify attestation files via Rego or CUE-based policies. To do so, generally, we use file or directory formats to load policies; so, in addition to that, we can basically pull and load them over OCI registries.
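One way a loader could gate what it pulls from a registry, as an added example that is not code from this thread or from cosign or conftest: parse the OCI manifest and accept only layers carrying conftest's Rego media types, rejecting anything else before it is ever loaded as policy. The media-type strings are assumed from the push.go linked above (they are not quoted here), and the manifest is constructed.

```go
package main

import "encoding/json"
import "fmt"

// Media types conftest uses for Rego bundles (assumed from conftest's
// internal/commands/push.go; the strings themselves are not quoted on this page).
const (
	regoPolicyLayer = "application/vnd.cncf.openpolicyagent.policy.layer.v1+rego"
	opaDataLayer    = "application/vnd.cncf.openpolicyagent.data.layer.v1+json"
	opaConfig       = "application/vnd.cncf.openpolicyagent.config.v1+json"
)
// Minimal OCI image manifest shape: only the fields needed here.
type descriptor struct {
	MediaType string `json:"mediaType"`
	Digest    string `json:"digest"`
}
type manifest struct {
	Config descriptor   `json:"config"`
	Layers []descriptor `json:"layers"`
}
// SelectPolicyLayers returns the digests of layers a loader may treat as Rego
// policy. An unknown config or layer media type is an error: a verifier must
// not load content it did not expect as policy.
func SelectPolicyLayers(raw []byte) ([]string, error) {
	var m manifest
	if err := json.Unmarshal(raw, &m); err != nil {
		return nil, err
	}
	if m.Config.MediaType != opaConfig {
		return nil, fmt.Errorf("unexpected config media type %q", m.Config.MediaType)
	}
	var policies []string
	for _, l := range m.Layers {
		switch l.MediaType {
		case regoPolicyLayer:
			policies = append(policies, l.Digest)
		case opaDataLayer: // data.json layers feed data, not policy
		default:
			return nil, fmt.Errorf("unexpected layer media type %q", l.MediaType)
		}
	}
	return policies, nil
}
// Constructed sample manifest: one Rego layer followed by one data layer.
const sampleManifest = `{"config":{"mediaType":"application/vnd.cncf.openpolicyagent.config.v1+json","digest":"sha256:aaaa"},
"layers":[{"mediaType":"application/vnd.cncf.openpolicyagent.policy.layer.v1+rego","digest":"sha256:bbbb"},
{"mediaType":"application/vnd.cncf.openpolicyagent.data.layer.v1+json","digest":"sha256:cccc"}]}`

func main() { fmt.Println(SelectPolicyLayers([]byte(sampleManifest))) } // [sha256:bbbb] <nil>
```

The same check applies to an oci:// reference regardless of how the scheme question above is settled; a local file:// or dir:// source has no manifest and would go straight to the file loader.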