Add ec.oci.image_manifest rego function #1357
Conversation
Codecov Report
Attention:

@@            Coverage Diff             @@
##             main    #1357      +/-   ##
==========================================
- Coverage   79.01%   72.07%   -6.95%
==========================================
  Files          62       69       +7
  Lines        4217     4612     +395
==========================================
- Hits         3332     3324       -8
- Misses        885     1288     +403

Flags with carried forward coverage won't be shown.
Nice!
    remote.WithAuthFromKeychain(authn.DefaultKeychain),
}

image, err := oci.NewClient(bctx.Context).Image(ref, opts...)
For reviewers: Took me a minute to find where it gets the image. Here ^
# short_name: match
deny contains result if {
    manifest := ec.oci.image_manifest(input.image.ref)
    not manifest_matches(manifest)
We could take the approach of failing, and then, since the manifest is in the result message, match it in the snapshot, with a bit of creativity on the digest-matching regex bit if we don't already have that.
I'm gonna leave this as is for now. I don't want to blindly replace any digest with a token, and plumbing through the different digests seems non-trivial.
This commit adds a new custom rego function, `ec.oci.image_manifest`. This function retrieves the Image Manifest from an OCI registry. (It does not download the image, just its manifest.) The main use case this is trying to achieve is validating image references that may occur in the SLSA Provenance attestation of an image being validated. For example, the SLSA Provenance may contain a link to the corresponding source container image. This function allows policy rules to be created to verify that such references actually exist. Ref: EC-235 Signed-off-by: Luiz Carvalho <[email protected]>
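The use case described in the commit message (checking that image references found in the SLSA Provenance actually resolve) can be expressed as a policy rule. The following is an added example written for this page, not a policy shipped with ec-cli. It assumes an `input.attestations[_].statement.predicate.materials[_].uri` layout (the SLSA v0.2 predicate shape), that source images appear there as plain OCI references with a `@sha256:` digest, that `ec.oci.image_manifest` is undefined when the manifest cannot be fetched, and a `{"code", "msg"}` result object; the package and rule names are hypothetical.

```rego
package policy.release.source_image_exists

import rego.v1

# Assumption (not from the PR): source image references appear in the
# SLSA v0.2 `materials` list as bare OCI references such as
# "quay.io/org/app-source@sha256:<digest>". Scheme-prefixed URIs
# (git+https://..., pkg:...) are skipped because they are not images.
source_image_refs contains uri if {
	some att in input.attestations
	some material in att.statement.predicate.materials
	uri := material.uri
	contains(uri, "@sha256:")
	not contains(uri, "://")
}

# Assumption: ec.oci.image_manifest(ref) is undefined when the registry
# lookup fails, so `not` succeeds exactly for unresolvable references.
# The manifest itself is never downloaded as an image, only inspected.
manifest_unresolvable(ref) if {
	not ec.oci.image_manifest(ref)
}

# METADATA
# title: Source image referenced in provenance exists
# description: Every source container image referenced in the SLSA
#   Provenance must be fetchable by digest from its registry.
# custom:
#   short_name: source_image_exists
#   failure_msg: Source image %s is not resolvable
deny contains result if {
	some ref in source_image_refs
	manifest_unresolvable(ref)
	result := {
		"code": "source_image_exists.source_image_exists",
		"msg": sprintf("Source image %s is not resolvable", [ref]),
	}
}
```

Pinning on a `@sha256:` digest matters here: a tag-only reference would let the rule pass while the registry content later changes, whereas a digest lookup proves that the exact bytes the provenance names are still available.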