@jdolitsky
Last active July 27, 2022 21:33
ClusterImagePolicy requiring an SBOM in SPDX JSON format, stored as a keyless cosign attestation issued against the public Fulcio instance
apiVersion: policy.sigstore.dev/v1alpha1
kind: ClusterImagePolicy
metadata:
  name: keyless-attestation-spdxjson
spec:
  images:
  # Plain `**` is not valid YAML (a leading `*` starts an alias), so the glob is quoted.
  - glob: "**"
  authorities:
  - name: keyless
    keyless:
      url: "https://fulcio.sigstore.dev"
    attestations:
    - name: must-have-spdxjson
      # Alias for the in-toto predicateType an SPDX JSON attestation must carry.
      predicateType: spdxjson
      policy:
        type: cue
        # The CUE below is evaluated against the whole in-toto statement of the
        # attestation; this line constrains the statement's predicateType field.
        data: |
          predicateType: "cosign.sigstore.dev/attestation/v1"
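The following is an added example, not part of the gist and not sigstore's policy-controller code. It models the two gates that an `attestations:` entry like the one above applies to a verified attestation: the in-toto statement's `predicateType` must be the URI the `spdxjson` alias stands for, and the CUE `data:` is then evaluated against the whole statement. Only the one-line `field: "literal"` form of CUE used in the gist is parsed here (an assumption about what a reader needs); the alias-to-URI table reflects the predicate types `cosign attest --type <alias>` writes, and the DSSE envelope and SPDX document are constructed sample data with a placeholder signature (signature verification is out of scope).

```python
"""Model of a ClusterImagePolicy `attestations:` check (added example).

Gate 1: the attestation's in-toto predicateType must equal the URI the
        policy's `predicateType:` alias denotes.
Gate 2: the CUE `data:` block is evaluated against the full statement.
        Only `field: "literal"` equality lines are implemented.
"""
import base64
import json
import re
from typing import Dict, Tuple

# Aliases accepted in `predicateType:` and the URI each denotes in the
# statement produced by `cosign attest --type <alias>`.
PREDICATE_TYPE_URIS = {
    "custom": "https://cosign.sigstore.dev/attestation/v1",
    "vuln": "https://cosign.sigstore.dev/attestation/vuln/v1",
    "spdx": "https://spdx.dev/Document",
    "spdxjson": "https://spdx.dev/Document",
    "slsaprovenance": "https://slsa.dev/provenance/v0.2",
    "link": "https://in-toto.io/Link/v1",
}

# Constructed sample: an in-toto statement wrapping a minimal SPDX JSON SBOM.
SAMPLE_STATEMENT = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": "https://spdx.dev/Document",
    "subject": [{"name": "registry.example/app", "digest": {"sha256": "0" * 64}}],
    "predicate": {
        "spdxVersion": "SPDX-2.2",
        "SPDXID": "SPDXRef-DOCUMENT",
        "name": "app",
        "packages": [],
    },
}

# Constructed sample DSSE envelope; the signature is a placeholder because
# signature/Fulcio certificate verification is not modelled here.
SAMPLE_ENVELOPE = {
    "payloadType": "application/vnd.in-toto+json",
    "payload": base64.b64encode(json.dumps(SAMPLE_STATEMENT).encode()).decode(),
    "signatures": [{"keyid": "", "sig": "PLACEHOLDER-SIGNATURE"}],
}

_CUE_EQUALITY = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*):\s*"([^"]*)"\s*$')


def parse_cue_equalities(cue: str) -> Dict[str, str]:
    """Parse the `field: "literal"` subset of CUE into {field: literal}."""
    constraints: Dict[str, str] = {}
    for line in cue.splitlines():
        if not line.strip():
            continue
        match = _CUE_EQUALITY.match(line)
        if match is None:
            raise ValueError(f'only field: "literal" lines are modelled, got {line!r}')
        constraints[match.group(1)] = match.group(2)
    return constraints


def check_attestation(envelope: dict, alias: str, cue: str) -> Tuple[bool, str]:
    """Apply one `attestations:` entry to a (already signature-verified) envelope.

    Returns (ok, reason) so callers can log why an image was rejected.
    """
    if envelope.get("payloadType") != "application/vnd.in-toto+json":
        return False, "payload is not an in-toto statement"
    statement = json.loads(base64.b64decode(envelope["payload"]))

    # Gate 1: predicate type alias must match the statement's predicateType.
    want_uri = PREDICATE_TYPE_URIS[alias]
    got_uri = statement.get("predicateType")
    if got_uri != want_uri:
        return False, f"predicateType {got_uri!r} != {want_uri!r} (alias {alias})"

    # Gate 2: every CUE equality constraint must hold on the statement.
    for field, literal in parse_cue_equalities(cue).items():
        if statement.get(field) != literal:
            return False, f"CUE constraint {field} == {literal!r} failed, got {statement.get(field)!r}"
    return True, "attestation satisfies policy"


if __name__ == "__main__":
    # The gist's CUE string, and the URI cosign writes for spdxjson, side by side.
    for cue in ('predicateType: "cosign.sigstore.dev/attestation/v1"',
                'predicateType: "https://spdx.dev/Document"'):
        print(cue, "->", check_attestation(SAMPLE_ENVELOPE, "spdxjson", cue))
```

Running the block prints the verdict for the gist's CUE string and for `https://spdx.dev/Document`, which is the predicateType `cosign attest --type spdxjson` places in the statement; since the CUE literal is compared verbatim against that field, the two runs show which string an SPDX JSON attestation will actually satisfy.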