knqyf263/policy.yaml

## policy.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: check-vulnerabilities
spec:
  validationFailureAction: enforce
  webhookTimeoutSeconds: 10
  failurePolicy: Fail
  rules:
    - name: no-critical-vuln
      match:
        any:
        - resources:
            kinds:
              - Pod
      verifyImages:
      - imageReferences:
        - "*"
        attestors:
        - entries:
          - keyless:
              subject: "knqyf263@gmail.com"
              issuer: "https://github.com/login/oauth"
        attestations:
        - predicateType: cosign.sigstore.dev/attestation/vuln/v1
          conditions:
            - all:
              - key: "{{scanner.uri}}"
                operator: Equals
                value: "pkg:github/aquasecurity/trivy@*"
              - key: "{{scanner.result.Results[].Vulnerabilities[].Severity | (contains(@, 'HIGH') || contains(@, 'CRITICAL'))}}"
                operator: Equals
                value: false
	apiVersion: kyverno.io/v1
	kind: ClusterPolicy
	metadata:
	name: check-vulnerabilities
	spec:
	validationFailureAction: enforce
	webhookTimeoutSeconds: 10
	failurePolicy: Fail
	rules:
	- name: no-critical-vuln
	match:
	any:
	- resources:
	kinds:
	- Pod
	verifyImages:
	- imageReferences:
	- "*"
	attestors:
	- entries:
	- keyless:
	subject: "knqyf263@gmail.com"
	issuer: "https://github.com/login/oauth"
	attestations:
	- predicateType: cosign.sigstore.dev/attestation/vuln/v1
	conditions:
	- all:
	- key: "{{scanner.uri}}"
	operator: Equals
	value: "pkg:github/aquasecurity/trivy@*"
	- key: "{{scanner.result.Results[].Vulnerabilities[].Severity \| (contains(@, 'HIGH') \|\| contains(@, 'CRITICAL'))}}"
	operator: Equals
	value: false