@simonbaird
Last active May 26, 2022 13:27

HACBS Enterprise Contract Policies

About

The HACBS Enterprise Contract is a Tekton task that can be used to verify the provenance of a container image built in HACBS and validate it against a set of policies.

The policies are defined in rego and are described here.

Policy Rules

Attestation Type Rules

[unknown_att_type] An unknown attestation type was found

A sanity check that the attestation found for the image has the expected attestation type. Currently only one attestation type is supported: https://in-toto.io/Statement/v0.1.

  • Path: data.policies.attestation_type.deny
  • Failure message: Unknown attestation type '%s'
  • Source

Not Useful Rules

[bad_day] A dummy rule that always fails

It's expected this rule will be skipped by policy configuration. This rule is for demonstration and test purposes and should be deleted soon.

  • Path: data.policies.not_useful.deny
  • Failure message: It just feels like a bad day to do a release
  • Source

Step Image Registries Rules

[disallowed_task_step_image] Task steps ran on container images that are disallowed

Enterprise Contract has a list of allowed registry prefixes. Each step in each TaskRun must run on a container image whose URL matches one of the prefixes in the list.

The permitted registry prefixes are:

  quay.io/buildah
  quay.io/redhat-appstudio
  registry.access.redhat.com/ubi8
  registry.access.redhat.com/ubi8-minimal
  registry.redhat.io/ocp-tools-4-tech-preview
  registry.redhat.io/openshift4
  registry.redhat.io/openshift-pipelines

  • Path: data.policies.step_image_registries.deny
  • Failure message: Step %d has disallowed image ref '%s'
  • Source
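The two checks above (the attestation type sanity check and the step image registry check) re-implemented in Python as an added example. This is not the project's code: the real rules are written in rego. The in-toto Statement `_type` field is real, but the location of the step list inside the predicate (`predicate.buildConfig.steps[*].image`) and the `evaluate` / `image_ref_permitted` helper names are assumptions made for this example, and the sample attestation is constructed.

```python
"""Illustrative re-implementation of unknown_att_type and
disallowed_task_step_image. Added example, not the project's rego."""
from __future__ import annotations

from typing import Iterable

# The only attestation type the page says is supported.
EXPECTED_ATTESTATION_TYPE = "https://in-toto.io/Statement/v0.1"

# Registry prefixes exactly as listed on the page.
ALLOWED_REGISTRY_PREFIXES = (
    "quay.io/buildah",
    "quay.io/redhat-appstudio",
    "registry.access.redhat.com/ubi8",
    "registry.access.redhat.com/ubi8-minimal",
    "registry.redhat.io/ocp-tools-4-tech-preview",
    "registry.redhat.io/openshift4",
    "registry.redhat.io/openshift-pipelines",
)


def attestation_type_violations(attestation: dict) -> list[str]:
    """Mirror of unknown_att_type: deny unless the Statement's `_type`
    is the single supported value."""
    att_type = attestation.get("_type")
    if att_type != EXPECTED_ATTESTATION_TYPE:
        return [f"Unknown attestation type '{att_type}'"]
    return []


def image_ref_permitted(image_ref: str) -> bool:
    """Plain prefix match, as the page describes it. Note that a bare
    prefix also covers any longer name that begins with it; whether the
    real rule requires a path-segment boundary is not stated on the page."""
    return any(image_ref.startswith(p) for p in ALLOWED_REGISTRY_PREFIXES)


def step_image_violations(step_images: Iterable[str]) -> list[str]:
    """Mirror of disallowed_task_step_image: one deny message per step
    whose image ref matches none of the allowed prefixes."""
    return [
        f"Step {i} has disallowed image ref '{ref}'"
        for i, ref in enumerate(step_images)
        if not image_ref_permitted(ref)
    ]


def evaluate(attestation: dict) -> list[str]:
    """Run both checks over one attestation and collect deny messages.
    Assumed (hypothetical) layout: predicate.buildConfig.steps[*].image."""
    failures = attestation_type_violations(attestation)
    steps = (
        attestation.get("predicate", {})
        .get("buildConfig", {})
        .get("steps", [])
    )
    failures += step_image_violations(s.get("image", "") for s in steps)
    return failures


# Constructed sample attestation, not a real HACBS artifact.
SAMPLE_ATTESTATION = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicate": {
        "buildConfig": {
            "steps": [
                {"image": "quay.io/redhat-appstudio/clone:latest"},
                {"image": "registry.access.redhat.com/ubi8-minimal:8.6"},
                {"image": "docker.io/library/alpine:3.16"},
            ]
        }
    },
}

if __name__ == "__main__":
    for msg in evaluate(SAMPLE_ATTESTATION):
        print("deny:", msg)
```

Running the block reports only the third step, since `docker.io/library/alpine:3.16` matches no allowed prefix; the first two steps pass. Each violation is collected rather than raising on the first one, which is the behaviour a policy engine needs in order to report every failing step at once.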

Test Rules

[test_data_missing] No test data was found

No test data was found in the data directory.

  • Path: data.policies.test.deny
  • Failure message: No test data provided
  • Source

[test_data_empty] Test data is empty

The top level key was found for test data but it contained no test results.

  • Path: data.policies.test.deny
  • Failure message: Empty test data provided
  • Source

[test_results_missing] Test data is missing results

Each test result is expected to have a 'results' key. In at least one of the test results this key was missing.

  • Path: data.policies.test.deny
  • Failure message: Found tests without results
  • Source

[test_result_failures] Some tests did not pass

Enterprise Contract requires that all the tests in the test results have a result of 'SUCCESS'. This will fail if any of the tests failed and the failure message will list the names of the failing tests.

  • Path: data.policies.test.deny
  • Failure message: The following tests failed: %s
  • Source

See Also



Thu May 26 09:27:10 AM EDT 2022
20d6d2887aeabe38b42c008760a6e6d851d8559d
