build: rego source policies #23782
base: main
Conversation
✅ Deploy Preview for docsdocker ready!
Force-pushed from 640026d to b152a76
Force-pushed from b152a76 to 1dcccf6
Signed-off-by: David Karlsson <35727626+dvdksn@users.noreply.github.com>
Force-pushed from 1dcccf6 to 7741d9b
Force-pushed from 9ef9e13 to 04835cd
Signed-off-by: David Karlsson <35727626+dvdksn@users.noreply.github.com>
Force-pushed from 04835cd to 92feb6f
| ## Prerequisites | ||
| Build policies require: |
Let's mark it that build policies are experimental in the current release.
| upstream compromises, malicious dependencies, and unauthorized modifications to | ||
| your build inputs. | ||
| With build policies, you can perform extended verifications on inputs, such as: |
optional: "you can make your project to always perform"
| default allow := false | ||
| # Allow any local inputs for this build |
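Review bot: `default allow := false` makes this policy deny-by-default, which is the right baseline, but the excerpt should state that consequence plainly: every kind of input the build uses needs a matching `allow` rule, or the build is rejected. Readers who copy only the first rule will otherwise be surprised when their image or git inputs fail.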
mark: "Example local input is local directory path set as build context"
| ### Ensure signed releases | ||
| Require that all dependencies - whether container images or downloaded files - | ||
| have valid signatures from trusted parties. Use GPG signatures, Sigstore |
Maybe let's not combine GPG and Sigstore together as it seems they are interchangeable. Sigstore is for attestations and GPG only for Git atm (maybe for HTTP in the future but not implemented atm).
| ## How policies work | ||
| When you build an image, buildx resolves all the inputs your Dockerfile | ||
| references: base images from `FROM` instructions, files from `ADD` or `COPY`, |
and build contexts.
| ``` | ||
| When using Sigstore signatures, additional fields are available under | ||
| `input.image.signature` (singular) with details about the signing workflow. |
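Review bot: the parenthetical "(singular)" after `input.image.signature` implies a contrasting plural field, but the excerpt never names it; either name the field it is being distinguished from or drop the aside, otherwise readers cannot tell which field to check for the Sigstore workflow details.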
?
| } | ||
| ``` | ||
| #### `input.git.commitChecksum` |
There is also checksum isAnnotatedTag.
| ```rego | ||
| allow if { | ||
| input.git.ref == "v0.12.0" |
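Review bot: `input.git.ref == "v0.12.0"` compares the ref against a bare tag name; the doc should show the exact string form that `input.git.ref` carries, because a rule written against the wrong form never matches and, with `default allow := false`, rejects every build. Showing one real ref value next to the rule would settle it.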
this is incorrect I think. Ref would be refs/heads/master or refs/tags/v0.12.0 or refs/pull/123/head
| ## Environment fields | ||
| The `input.env` object provides build context information not specific to a |
"build configuration information set by user on invoking the build, not spe"
| **Cause:** `policy eval` doesn't fetch sources, so many fields remain | ||
| unresolved. | ||
| **Solution:** Use actual builds with `--progress=plain` to see complete field |
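Review bot: offering a real build with `--progress=plain` as the only way to see resolved fields means a policy cannot be checked until sources are actually fetched; if `policy eval` can take the unresolved field values as input, document that as the primary solution and keep the real-build route as the fallback.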
Solution should be to include --field
Description
Buildx support for rego policies for validating build inputs (local, http, git, image).
Preview: https://deploy-preview-23782--docsdocker.netlify.app/build/policies/