artifact-signed: a policy that checks that all OCI artifacts (container images and Helm Charts) are properly signed with Cosign or Notary
artifact-tag-not-latest: checks that the container image is not using the latest tag
slsa-checks: a policy group that makes sure the attestation is compliant with the SLSA framework
vulnerability-management: a policy group that makes sure the attestation is compliant with the vulnerability management policy
sbom-quality: a policy group that makes sure the attestation is compliant with the SBOM quality policy

Initialize an attestation
Add the container image
Add the SBOM
Add the vulnerability report
Push the attestation