sigstore / cosign

Code signing and transparency for containers and binaries
Apache License 2.0

ability to load Rego or CUE policies over OCI registries #1361

Open developer-guy opened 2 years ago

developer-guy commented 2 years ago

Description

For example, conftest has the ability to share Rego policies^1 over OCI registries, which means that users can pull or push Rego policies to OCI registries; we can do the same for CUE, basically. So, we have support to verify attestation files via Rego- or CUE-based policies. To do so, we generally use file or directory formats to load policies, so, in addition to that, we can basically pull and load them over OCI registries.

cosign verify-attestation -policy devopps/cue-policies:latest $image

cosign verify-attestation -policy devopps/opa-policies:latest $image

dlorenc commented 2 years ago

+1!

dlorenc commented 2 years ago

Although I'd note that rego actually has a spec on how to bundle and fetch these, while I'm not sure cue does. Maybe we should start with rego?

developer-guy commented 2 years ago

Yes, I agree with you. Here are the mediaTypes defined for Rego policies 👇 https://github.com/open-policy-agent/conftest/blob/7d0099b5ed0d8c70a1e4eda9388e4e50bf068218/internal/commands/push.go#L48-L50

We should start implementing the OPA feature according to them. 🙋🏻‍♂️

developer-guy commented 2 years ago

I think we should provide a scheme for the types of policies such as oci:// for OCI images, file:// for files, dir:// for directories, WDYT @dentrax @dlorenc?

dlorenc commented 2 years ago

Do we need to do a full protocol like that? If it's a url, can we assume OCI? Otherwise local?
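The two resolution strategies discussed in this thread (an explicit oci://, file://, dir:// scheme versus "URL means OCI, otherwise local") can coexist. The following is an added example sketching that, not cosign's own code; `ParsePolicySource`, `PolicySource` and the injectable `statFn` are hypothetical names, and no registry media types are assumed.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// PolicySource is the parsed form of a -policy value (hypothetical type).
// Kind is "oci", "file" or "dir"; Ref is the OCI reference or the cleaned local path.
type PolicySource struct {
	Kind string
	Ref  string
}

// ParsePolicySource resolves a -policy value. An explicit oci://, file://
// or dir:// scheme is honoured as written; without one, an existing local
// path wins and anything else is treated as an OCI reference. A value that
// looks like a path but does not exist is rejected instead of being sent
// to a registry. statFn is injectable so the logic can be tested offline.
func ParsePolicySource(raw string, statFn func(string) (os.FileInfo, error)) (PolicySource, error) {
	if raw == "" {
		return PolicySource{}, fmt.Errorf("empty policy reference")
	}
	if i := strings.Index(raw, "://"); i >= 0 {
		scheme, rest := raw[:i], raw[i+3:]
		if rest == "" {
			return PolicySource{}, fmt.Errorf("%s:// needs a location", scheme)
		}
		switch scheme {
		case "oci":
			return PolicySource{Kind: "oci", Ref: rest}, nil
		case "file", "dir":
			return PolicySource{Kind: scheme, Ref: filepath.Clean(rest)}, nil
		}
		return PolicySource{}, fmt.Errorf("unsupported policy scheme %q", scheme)
	}
	if fi, err := statFn(raw); err == nil {
		kind := "file"
		if fi.IsDir() {
			kind = "dir"
		}
		return PolicySource{Kind: kind, Ref: filepath.Clean(raw)}, nil
	}
	if filepath.IsAbs(raw) || strings.HasPrefix(raw, ".") {
		return PolicySource{}, fmt.Errorf("local policy path %q does not exist", raw)
	}
	return PolicySource{Kind: "oci", Ref: raw}, nil
}
```

Rejecting a path-looking value that does not exist keeps a typo in a local path from quietly turning into a registry pull.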