integrate Rego or CUE for validation provenance metadata #236

Open
developer-guy opened this issue Aug 26, 2022 · 1 comment
Labels
type:feature New feature request

Comments

@developer-guy
Contributor

At the time of writing this, there are some options for validating the final provenance like tag, branch, etc.[1] We (w/@Dentrax) thought that maybe people could write Rego policies against them to do the same validation. Instead of adding every flag to the command, people can write a Rego policy to define what they want to validate, similar to what we did in the cosign project.[2]

Footnotes

  1. https://github.com/slsa-framework/slsa-verifier/blob/main/options/options.go#L4

  2. https://github.com/sigstore/cosign/pull/641
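
A sketch of the kind of policy proposed above, added here as an example; it is not code from this issue, from slsa-verifier, or from cosign. It assumes the policy `input` is the decoded in-toto statement of a SLSA v0.2 provenance in which `predicate.invocation.configSource.uri` has the form `<repository>@<git ref>`; the package name, repository, branch set and tag pattern are constructed values.

```rego
package provenance.policy

import rego.v1

# Constructed expectations, standing in for the per-field CLI flags
# (source, branch, tag) that the issue wants to avoid multiplying.
expected_source := "git+https://github.com/example-org/example-repo"
allowed_branches := {"refs/heads/main"}
release_tag := `^refs/tags/v[0-9]+\.[0-9]+\.[0-9]+$`

default allow := false

allow if count(deny) == 0

# Split "<repository>@<git ref>"; undefined unless there are exactly two parts.
parts := p if {
	p := split(input.predicate.invocation.configSource.uri, "@")
	count(p) == 2
}

type_ok if input.predicateType == "https://slsa.dev/provenance/v0.2"

source_ok if parts[0] == expected_source

ref_ok if parts[1] in allowed_branches

ref_ok if regex.match(release_tag, parts[1])

# Every deny rule negates a positive check, so a missing or malformed
# field leaves the check undefined and the provenance is rejected.
# Writing `input.x != expected` instead would be undefined on a missing
# field, produce no denial, and let the provenance pass.
deny contains "unexpected predicate type" if not type_ok

deny contains "source repository mismatch" if not source_ok

deny contains "ref is neither an allowed branch nor a release tag" if not ref_ok
```

Evaluating `data.provenance.policy.deny` alongside `allow` returns the reasons for a rejection, which a verifier could surface in place of a per-flag error message.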

@ianlewis
Member

If the verifier was able to accept the same CUE or Rego policies that cosign can verify, that would be ideal. I don't know how specific they need to be to cosign though.

@ianlewis ianlewis added the type:feature New feature request label Nov 25, 2022