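---
# Kyverno admission policy: every Pod image under ghcr.io/zionboggan/ must carry
# a Sigstore keyless signature AND an SPDX SBOM attestation, both issued through
# GitHub Actions OIDC. Tags are resolved to digests at admission time so the
# verified artifact is the one that runs.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-signed-images
  annotations:
    policies.kyverno.io/title: Verify image signatures
    policies.kyverno.io/category: Supply Chain Security
    policies.kyverno.io/severity: high
    policies.kyverno.io/description: >-
      Requires a keyless cosign signature and a signed SPDX SBOM attestation
      for every ghcr.io/zionboggan/* image, rewrites tags to digests, and
      rejects the Pod if verification fails or the webhook is unreachable.
spec:
  # Fail closed: a verification failure blocks admission rather than only
  # auditing it, and failurePolicy: Fail also blocks when the webhook itself
  # errors or times out. Keep both; downgrading either re-opens the gap.
  validationFailureAction: Enforce
  # Keyless verification performs Fulcio/Rekor lookups during admission, so
  # allow the full budget rather than a short timeout.
  webhookTimeoutSeconds: 30
  failurePolicy: Fail
  # Image verification is an admission-time check, not a background scan.
  background: false
  rules:
    # Rule 1: the image itself must be signed.
    - name: check-cosign-signature
      match:
        any:
          - resources:
              kinds:
                - Pod
      verifyImages:
        - imageReferences:
            - "ghcr.io/zionboggan/*"
          attestors:
            - count: 1
              entries:
                - keyless:
                    # NOTE(review): the trailing wildcard accepts a certificate
                    # issued to ANY repository, workflow file and ref under the
                    # org, so a compromised or untrusted repo/branch in the org
                    # can produce an accepted signature. Tighten to the release
                    # workflow and tag refs once those are known, e.g.
                    # "https://github.com/zionboggan/<repo>/.github/workflows/<release>.yaml@refs/tags/*".
                    subject: "https://github.com/zionboggan/*"
                    # Exact issuer match: only GitHub Actions OIDC tokens.
                    issuer: "https://token.actions.githubusercontent.com"
                    # Pin the transparency log explicitly so the inclusion proof
                    # is checked against the public Rekor instance.
                    rekor:
                      url: "https://rekor.sigstore.dev"
          # Rewrite tags to the verified digest and re-check it, so the Pod
          # cannot be swapped to a different image after admission.
          mutateDigest: true
          verifyDigest: true
          # An image with no matching signature is rejected, not skipped.
          required: true
    # Rule 2: the image must also carry a signed SPDX SBOM attestation.
    - name: require-sbom-attestation
      match:
        any:
          - resources:
              kinds:
                - Pod
      verifyImages:
        - imageReferences:
            - "ghcr.io/zionboggan/*"
          attestations:
            # predicateType produced by `cosign attest --type spdx`. With no
            # `conditions` block this proves that a signed SPDX attestation
            # EXISTS for the image; it does not inspect the SBOM's contents.
            - type: https://spdx.dev/Document
              attestors:
                - count: 1
                  entries:
                    - keyless:
                        # Same org-wide wildcard caveat as in
                        # check-cosign-signature; tighten together.
                        subject: "https://github.com/zionboggan/*"
                        issuer: "https://token.actions.githubusercontent.com"
                        # Set explicitly so this rule verifies against the same
                        # transparency log as the signature rule instead of
                        # relying on the controller default.
                        rekor:
                          url: "https://rekor.sigstore.dev"
          # Missing attestation must reject the Pod rather than pass silently.
          required: true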