Sample Policies

Sample policies for use with policy-controller live in the examples directory of the project.

Images have a signed SPDX SBOM attestation from a custom key

This sample policy asserts that all images must have a signed SPDX SBOM (spdxjson) attestation using a custom key.

apiVersion: policy.sigstore.dev/v1alpha1
kind: ClusterImagePolicy
metadata:
  name: custom-key-attestation-sbom-spdxjson
spec:
  images:
  - glob: "**"
  authorities:
  - name: custom-key
    key:
      data: |
        -----BEGIN PUBLIC KEY-----
        MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEOc6HkISHzVdUbtUsdjYtPuyPYBeg
        4FCemyVurIM4KEORQk4OAu8ZNwxvGSoY3eAabYaFIPPQ8ROAjrbdPwNdJw==
        -----END PUBLIC KEY-----
    attestations:
    - name: must-have-spdxjson
      predicateType: https://spdx.dev/Document
      policy:
        type: cue
        data: |
          predicateType: "https://spdx.dev/Document"

To use this policy, set the POLICY and IMAGE environment variables appropriately, pointing to the sample policy and the image you would like to test.

POLICY="policies/custom-key-attestation-sbom-spdxjson.yaml"

Use the tool of your choice to generate an SPDX SBOM.

For example purposes, you can use sboms/example.spdx.json.

Then attach the SBOM to your image using cosign attest with the flag --type 'https://spdx.dev/Document', and signing it with a private key (for example, one located in a keys directory as in keys/cosign.key). You can review this in our examples directory.

export COSIGN_PASSWORD=""

cosign attest --yes --type https://spdx.dev/Document \
  --predicate sboms/example.spdx.json \
  --key keys/cosign.key \
  "${IMAGE}"

Review the full YAML file at policies/custom-key-attestation-sbom-spdxjson.yaml

Images have a “keyless” signed SPDX SBOM attestation against the public Fulcio root

This sample policy asserts that all images must have a “keyless” signed SPDX SBOM (spdxjson) attestation against the public Fulcio root.

apiVersion: policy.sigstore.dev/v1alpha1
kind: ClusterImagePolicy
metadata:
  name: keyless-attestation-sbom-spdxjson
spec:
  images:
  - glob: "**"
  authorities:
  - name: keyless
    keyless:
      url: "https://fulcio.sigstore.dev"
    attestations:
    - name: must-have-spdxjson
      predicateType: https://spdx.dev/Document
      policy:
        type: cue
        data: |
          predicateType: "https://spdx.dev/Document"

To use this policy, set the POLICY and IMAGE environment variables, pointing to the sample policy and the image you would like to test.

POLICY="policies/keyless-attestation-sbom-spdxjson.yaml"

Use the tool of your choice to generate an SPDX SBOM.

For example purposes, you can use sboms/example.spdx.json.

Then attach the SBOM to your image using cosign attest along with the flag --type 'https://spdx.dev/Document', signing keylessly against the public Fulcio root:

export COSIGN_EXPERIMENTAL=1

cosign attest --yes --type https://spdx.dev/Document \
  --predicate sboms/example.spdx.json \
  "${IMAGE}"

Review the full YAML file at policies/keyless-attestation-sbom-spdxjson.yaml

Images have been signed by a specific AWS KMS key

This sample policy asserts that images have been signed by a specific AWS KMS key.

apiVersion: policy.sigstore.dev/v1alpha1
kind: ClusterImagePolicy
metadata:
  name: image-is-signed-by-aws-kms-key
spec:
  images:
  # All images
  - glob: "**"
  authorities:
  - name: aws-kms
    key:
      # NB: the policy controller must have kms.DescribeKey, kms.GetPublicKey
      # and kms.Verify IAM permissions on the relevant key.
      kms: awskms:///arn:aws:kms:<< region >>:<< account id >>:key/<< key id >>

Set the POLICY and IMAGE environment variables, pointing to the sample policy and the image you would like to test.

POLICY="policies/signed-by-aws-kms.yaml"

Create an AWS KMS key — or use an existing one — to sign your container images. Note the ARN (key ID or Amazon Resource Name) of the key.

$ aws kms create-key \
  --description "Container signing key" \
  --key-spec ECC_NIST_P256 \
  --key-usage SIGN_VERIFY
{
    "KeyMetadata": {
        "AWSAccountId": "...."
        "Arn": "arn:aws:kms:us-west-2:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab",
        ....
    }
}

Next, sign your container using the KMS key and Cosign.

cosign sign --key "awskms:///<< arn of kms key >>" "${IMAGE}"