stacklok / minder

Software Supply Chain Security Platform
https://minder-docs.stacklok.dev/
Apache License 2.0

issue: policy status for versioned artifacts may differ from reality #1058

Open rdimitrov opened 9 months ago

rdimitrov commented 9 months ago

Describe the bug

This issue is to track a potential problem with wrong statuses of policies for versioned artifacts.

Let's have a policy saying that every image tagged with latest should be signed. A policy for an artifact might be confusing, because it can mislead users into thinking that Mediator will notify them (via policy status change, create issue, SA, etc.) if the image they configured (the image name tagged with latest) ends up being unsigned.

This is true as long as this image is built only from a registered repository. The reality may differ because we don't have a notion (yet?) to verify whether the state we have so far (for example, which digest corresponds to latest now) is up to date with what's actually being served to users by the artifact repository. There might be another pipeline that pushed such an image to the repository, whether it's an unregistered repository, a malicious push, a period when Mediator was offline, or even a manual push.

This means we can end up in a situation where we say that this policy is successful whereas in reality it's not. A possible solution is perhaps cross-checking the rule evaluation status with what's in the registry (polling), or having a statement about what the policy scope is.

Additional context

Related issues:
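A sketch of the cross-check proposed in the issue, added here as an illustration and not taken from the Minder code base: it re-resolves each evaluated tag against the registry, re-checks the signature for the digest actually served, and flags tags whose recorded pass no longer holds. The registry and signature lookups (`memRegistry`, `memSigStore`), the image names, the digests and `SampleScenario` are all constructed stand-ins.

```go
package main

import "fmt"

// Constructed illustration of the staleness problem described in the issue.
// None of this is Minder's own code: the registry and signature lookups are
// in-memory stand-ins for what a real poller would fetch from the registry.

// EvaluatedTag is what the policy engine recorded when it last evaluated a
// tag: the digest the tag resolved to at that moment and the rule result.
type EvaluatedTag struct {
	Image  string // e.g. "ghcr.io/example/app" (constructed name)
	Tag    string // e.g. "latest"
	Digest string // digest the "latest must be signed" rule was evaluated against
	Passed bool   // recorded rule result
}

// Registry answers what digest a tag resolves to right now.
type Registry interface {
	Resolve(image, tag string) (digest string, ok bool)
}

// SignatureStore answers whether a given digest carries a valid signature.
type SignatureStore interface {
	IsSigned(digest string) bool
}

// memRegistry and memSigStore are the constructed in-memory stand-ins.
type memRegistry map[string]string
type memSigStore map[string]bool

func (m memRegistry) Resolve(image, tag string) (string, bool) {
	d, ok := m[image+":"+tag]
	return d, ok
}
func (s memSigStore) IsSigned(digest string) bool { return s[digest] }

// Verdict relates a recorded policy status to what the registry serves now.
type Verdict struct {
	Image, Tag     string
	RecordedDigest string
	CurrentDigest  string
	RecordedPassed bool
	ActualPassed   bool
	Stale          bool // the tag moved (or vanished) since evaluation
	Reason         string
}

// Reconcile re-resolves every evaluated tag against the registry and
// re-checks the signature for the digest actually served. Input order is kept.
func Reconcile(evals []EvaluatedTag, reg Registry, sigs SignatureStore) []Verdict {
	out := make([]Verdict, 0, len(evals))
	for _, e := range evals {
		v := Verdict{Image: e.Image, Tag: e.Tag, RecordedDigest: e.Digest, RecordedPassed: e.Passed}
		cur, ok := reg.Resolve(e.Image, e.Tag)
		switch {
		case !ok:
			v.Stale, v.ActualPassed = true, false
			v.Reason = "tag no longer exists in the registry"
		case cur == e.Digest:
			v.CurrentDigest, v.ActualPassed = cur, sigs.IsSigned(cur)
			v.Reason = "digest unchanged; recorded status is current"
		default:
			v.CurrentDigest, v.ActualPassed, v.Stale = cur, sigs.IsSigned(cur), true
			v.Reason = "tag moved to a new digest since evaluation"
		}
		out = append(out, v)
	}
	return out
}

// StaleFailures selects the case the issue is about: a pass was recorded,
// but the digest the registry now serves for the tag does not satisfy the rule.
func StaleFailures(vs []Verdict) []Verdict {
	var bad []Verdict
	for _, v := range vs {
		if v.RecordedPassed && !v.ActualPassed {
			bad = append(bad, v)
		}
	}
	return bad
}

// SampleScenario builds constructed data: three tags evaluated as passing,
// after which one tag was re-pointed to an unsigned image (e.g. by a pipeline
// outside any registered repository), one to a signed image, one left alone.
func SampleScenario() ([]EvaluatedTag, Registry, SignatureStore) {
	evals := []EvaluatedTag{
		{Image: "ghcr.io/example/app", Tag: "latest", Digest: "sha256:aaaa0001", Passed: true},
		{Image: "ghcr.io/example/api", Tag: "latest", Digest: "sha256:cccc0003", Passed: true},
		{Image: "ghcr.io/example/worker", Tag: "latest", Digest: "sha256:dddd0004", Passed: true},
	}
	reg := memRegistry{
		"ghcr.io/example/app:latest":    "sha256:bbbb0002", // moved, unsigned
		"ghcr.io/example/api:latest":    "sha256:cccc0003", // unchanged
		"ghcr.io/example/worker:latest": "sha256:eeee0005", // moved, but signed
	}
	sigs := memSigStore{"sha256:aaaa0001": true, "sha256:cccc0003": true,
		"sha256:dddd0004": true, "sha256:eeee0005": true}
	return evals, reg, sigs
}

func main() {
	evals, reg, sigs := SampleScenario()
	verdicts := Reconcile(evals, reg, sigs)
	for _, v := range verdicts {
		fmt.Printf("%s:%s recorded=%v actual=%v stale=%v (%s)\n",
			v.Image, v.Tag, v.RecordedPassed, v.ActualPassed, v.Stale, v.Reason)
	}
	for _, v := range StaleFailures(verdicts) {
		fmt.Printf("ALERT: %s:%s now serves unsigned %s\n", v.Image, v.Tag, v.CurrentDigest)
	}
}
```

The `Stale` flag and the `StaleFailures` filter are kept separate on purpose: a tag that moved to another signed digest is still worth surfacing (the recorded digest is wrong even though the status is right), while the recorded-pass-now-unsigned case is the one that should change policy status or raise an alert. A missing tag is treated as failing, since a rule about "the image tagged latest" cannot be satisfied by an image nobody is served.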

github-actions[bot] commented 7 months ago

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

evankanderson commented 3 weeks ago

Is this still relevant / needed?