
feat: load rego policies from OCI images

Open · developer-guy opened this pull request 2 years ago · 2 comments

Signed-off-by: Batuhan Apaydın [email protected]
Co-authored-by: Furkan Türkal [email protected]

Summary

You can test this with the following path:

Do not forget to install conftest to push Rego policies that conform to its spec.

$ echo "bar" > foo
$ cosign attest --key cosign.key --predicate foo devopps/alpine:3.15.0
$ cat > policy.rego <<'EOF'
package signature

# Produces one message when the attested Data is not the expected value;
# the message reports the actual value from the same predicate field.
allow[msg] {
 input.predicate.Data != "bar-test\n"
 msg := sprintf("unexpected data: %v", [input.predicate.Data])
}
EOF
$ conftest push --policy policy.rego ghcr.io/developer-guy/policy-rego
2022/02/17 19:23:58 pushing bundle to: ghcr.io/developer-guy/policy-rego:latest
2022/02/17 19:24:01 pushed bundle with digest: sha256:7278b4301eb15f3e16e12d38af512879c1d5df1bd88c7641b094716e7eb7e779

$ cosign verify-attestation --key cosign.pub --policy ghcr.io/developer-guy/policy-rego devopps/alpine:3.15.0
will be validating against Rego policies: [/var/folders/pf/6h9t0mnd4d342ncgpjq_3zl80000gp/T/crane-append3411930157]
There are 1 number of errors occurred during the validation:
- unexpected data: bar

Error: 1 validation errors occurred
main.go:46: error during command execution: 1 validation errors occurred

Ticket Link

Fixes #1361

Release Note

feat: load rego policies from OCI images

cc: @Dentrax

developer-guy · Feb 17 '22 16:02
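To make the check in the PR description concrete, here is an added Go example (not cosign's or the PR's own code) that walks the same data path the Rego policy evaluates: a DSSE envelope as `cosign attest` stores it, the base64 in-toto statement inside it, and the custom predicate whose `Data` field holds the attested file body. `input.predicate.Data` in the policy refers to that field, which is why the attested `bar\n` from `echo "bar" > foo` trips a policy expecting `bar-test\n`. The envelope is constructed inline (digest and timestamp are placeholders); the payload type, statement type and `cosign.sigstore.dev/attestation/v1` predicate type are the real values cosign uses.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// Envelope is the DSSE envelope cosign wraps an attestation in.
// Signatures are omitted: this example only inspects the payload.
type Envelope struct {
	PayloadType string `json:"payloadType"`
	Payload     string `json:"payload"` // base64 of the in-toto statement
}

// Statement is the subset of an in-toto statement the check needs.
type Statement struct {
	Type          string          `json:"_type"`
	PredicateType string          `json:"predicateType"`
	Predicate     json.RawMessage `json:"predicate"`
}

// CustomPredicate is what `cosign attest --predicate <file>` writes when no
// --type is given: the file contents under "Data" plus a timestamp.
type CustomPredicate struct {
	Data      string `json:"Data"`
	Timestamp string `json:"Timestamp"`
}

// DecodeStatement unwraps the envelope into the statement. The decoded
// statement is the value the Rego policy sees as `input`, so the policy's
// `input.predicate.Data` is the attested file body.
func DecodeStatement(envelopeJSON []byte) (*Statement, error) {
	var env Envelope
	if err := json.Unmarshal(envelopeJSON, &env); err != nil {
		return nil, fmt.Errorf("decode envelope: %w", err)
	}
	if env.PayloadType != "application/vnd.in-toto+json" {
		return nil, fmt.Errorf("unexpected payloadType %q", env.PayloadType)
	}
	raw, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return nil, fmt.Errorf("decode payload: %w", err)
	}
	var st Statement
	if err := json.Unmarshal(raw, &st); err != nil {
		return nil, fmt.Errorf("decode statement: %w", err)
	}
	return &st, nil
}

// CheckData mirrors the policy from the PR description in plain Go: one
// message per violation when Data differs from expected, none when it matches.
func CheckData(st *Statement, expected string) ([]string, error) {
	var p CustomPredicate
	if err := json.Unmarshal(st.Predicate, &p); err != nil {
		return nil, fmt.Errorf("decode predicate: %w", err)
	}
	var msgs []string
	if p.Data != expected {
		msgs = append(msgs, fmt.Sprintf("unexpected data: %v", p.Data))
	}
	return msgs, nil
}

// SampleEnvelope builds a constructed envelope whose predicate carries "bar\n",
// the body `echo "bar" > foo` produces. Subject digest and timestamp are
// placeholders, not values from a real attestation.
func SampleEnvelope() []byte {
	st := map[string]interface{}{
		"_type":         "https://in-toto.io/Statement/v0.1",
		"predicateType": "cosign.sigstore.dev/attestation/v1",
		"subject": []map[string]interface{}{{
			"name":   "devopps/alpine",
			"digest": map[string]string{"sha256": "PLACEHOLDER_DIGEST"},
		}},
		"predicate": CustomPredicate{Data: "bar\n", Timestamp: "2022-02-17T19:23:58Z"},
	}
	raw, _ := json.Marshal(st)
	env := Envelope{
		PayloadType: "application/vnd.in-toto+json",
		Payload:     base64.StdEncoding.EncodeToString(raw),
	}
	out, _ := json.Marshal(env)
	return out
}

func main() {
	st, err := DecodeStatement(SampleEnvelope())
	if err != nil {
		panic(err)
	}
	msgs, _ := CheckData(st, "bar-test\n")
	fmt.Printf("There are %d number of errors occurred during the validation:\n", len(msgs))
	for _, m := range msgs {
		fmt.Println("-", m)
	}
}
```

Running it reproduces the failure shown in the PR (one error, `unexpected data: bar` followed by the attested newline); changing the expected value to `"bar\n"` yields no messages, which is the passing case the policy was written for.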

Sorry I'll get to this one this week!

dlorenc · Feb 26 '22 19:02

Codecov Report

Merging #1478 (9bb302a) into main (ae90c74) will decrease coverage by 0.19%. The diff coverage is 0.00%.

@@            Coverage Diff             @@
##             main    #1478      +/-   ##
==========================================
- Coverage   34.00%   33.81%   -0.20%     
==========================================
  Files         153      153              
  Lines        9981    10038      +57     
==========================================
  Hits         3394     3394              
- Misses       6208     6265      +57     
  Partials      379      379              
Impacted Files                               Coverage Δ
cmd/cosign/cli/verify/verify_attestation.go  0.00% <0.00%> (ø)

Legend: Δ = absolute <relative> (impact), ø = not affected, ? = missing data. Last update ae90c74...9bb302a.

codecov-commenter · Jun 01 '22 21:06

This PR is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 10 days.

github-actions[bot] · Aug 22 '22 02:08

This PR was closed because it has been stalled for 10 days with no activity.

github-actions[bot] · Sep 01 '22 02:09

Can we re-open this one @dlorenc if you still consider it useful?

developer-guy · Dec 02 '22 11:12