Set Policies expectations
In the previous step, we created a contract that set the expectation that a container image, an SBOM and a vulnerability report are provided. Our Compliance team now wants to verify that those materials comply with the company's security and compliance criteria.
We introduce Policies, which are rules evaluated against individual materials and/or the whole attestation document. Policies can be grouped into Policy Groups, so that a set of policies can be attached to a workflow contract at once.
Attaching policies to the contract
As we did before, let’s “Update our contract”, but this time the contract will contain policies and policy groups.
In this contract, we added two policies and three policy groups.
- artifact-signed is a policy that checks that all OCI artifacts (container images and Helm Charts) are properly signed with Cosign or Notary
- artifact-tag-not-latest is a policy that checks that the container image is not using the latest tag
- slsa-checks is a policy group that makes sure the attestation is compliant with the SLSA framework
- vulnerability-management is a policy group that makes sure the attestation is compliant with the vulnerability management policy
- sbom-quality is a policy group that makes sure the attestation is compliant with the SBOM quality policy
Chainloop comes with a set of built-in policies and policy groups; you can see them all in the “Policies library”.
You can also create custom policies tailored to your needs. For more information about authoring policies, see this guide.
Evaluating policies
Let’s create an attestation and add our materials to see how policies are evaluated:
Initialize an attestation
Add the container image
You’ll notice that Chainloop evaluates the applicable policies automatically as soon as the container image is added.
Add the SBOM
Add the vulnerability report
Push the attestation
We can see in the output that the policies have been evaluated and the only ones failing are:
- the ones related to the build-environment, since we are running the attestation process locally.
- the one that checks that the container image is not using the latest tag.
You can give it a try and attach an old SBOM, or a vulnerability report that contains vulnerabilities, to see how the corresponding policies are evaluated and fail.
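To make the latest-tag failure above concrete, here is a stand-alone re-implementation of the kind of check the artifact-tag-not-latest policy performs. This is an added example, not Chainloop's own policy code; the OCI reference parsing rules, the treatment of an untagged reference as an implicit latest, and the exemption for digest-pinned references are assumptions made here, and the sample materials are constructed.

```python
"""Illustrative check for the mutable 'latest' tag on container image materials."""
import re
from dataclasses import dataclass
from typing import Optional

# Digest is "<algorithm>:<hex>", e.g. sha256:<64 hex chars>.
DIGEST_RE = re.compile(r"^[A-Za-z0-9_+.-]+:[0-9a-fA-F]{32,}$")
# OCI tags: up to 128 chars of [A-Za-z0-9_.-], not starting with '.' or '-'.
TAG_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9._-]{0,127}$")


@dataclass(frozen=True)
class ImageRef:
    repository: str
    tag: Optional[str]
    digest: Optional[str]


def parse_image_ref(ref: str) -> ImageRef:
    """Split an OCI reference into repository, tag and digest.

    A colon in the first path component ('localhost:5000/app') is a registry
    port, not a tag separator, so only the last component is checked for a tag.
    """
    repo, digest = ref, None
    if "@" in repo:
        repo, digest = repo.split("@", 1)
        if not DIGEST_RE.match(digest):
            raise ValueError(f"malformed digest in {ref!r}")
    tag = None
    head, sep, last = repo.rpartition("/")
    if ":" in last:
        last, tag = last.split(":", 1)
        if not TAG_RE.match(tag):
            raise ValueError(f"malformed tag in {ref!r}")
        repo = head + sep + last
    return ImageRef(repo, tag, digest)


def tag_violations(ref: str) -> list[str]:
    """Return violations for one image material; an empty list means it passes."""
    image = parse_image_ref(ref)
    if image.digest is not None:
        return []  # assumption: a digest pins the content, so the tag is irrelevant
    if image.tag is None:
        return [f"{ref}: no tag given, resolves to the implicit 'latest' tag"]
    if image.tag == "latest":
        return [f"{ref}: uses the mutable 'latest' tag"]
    return []


def evaluate_materials(materials: dict[str, str]) -> dict[str, list[str]]:
    """Evaluate every CONTAINER_IMAGE material (name -> reference) and collect violations."""
    return {name: tag_violations(ref) for name, ref in materials.items()}
```

A reference pinned by digest passes here even if it also carries a tag, because the digest, not the tag, determines what is deployed.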
Inspecting policy evaluations
Now, the Chainloop platform gives us more insights into the status of the attestation. If we go to the workflow run view, besides the usual attestation and material information, we can now see the result of those policy evaluations.