From 98f206af827844e06bc4c8b81866704030610524 Mon Sep 17 00:00:00 2001
From: Zoran Regvart
Date: Mon, 8 Jan 2024 12:05:49 +0100
Subject: [PATCH 1/2] Use image digest parsed from the reference

EC CLI will set the `input.image.ref` to the image reference, so the digest for comparison needs to be parsed from that string.
Note that the digest when parsed, if not present in the image reference will be set to `""`.
---
 policy/release/slsa_build_scripted_build.rego | 5 +++--
 policy/release/slsa_build_scripted_build_test.rego | 12 +++++++-----
 2 files changed, 10 insertions(+), 7 deletions(-)

diff --git a/policy/release/slsa_build_scripted_build.rego b/policy/release/slsa_build_scripted_build.rego
index 346a8744..c082f367 100644
--- a/policy/release/slsa_build_scripted_build.rego
+++ b/policy/release/slsa_build_scripted_build.rego
@@ -129,7 +129,8 @@ deny contains result if {
 # - attestation_type.known_attestation_type
 #
 deny contains result if {
- expected_digest := input.image.ref
+ expected_ref := input.image.ref
+ expected_digest := image.parse(expected_ref).digest
 
 # Find all the Tekton Bundle references from the Tasks that claim to have built the image being
 # validated.
@@ -142,7 +143,7 @@ deny contains result if {
 }
 
 error := trusted_build_task_error(bundles)
- result := lib.result_helper(rego.metadata.chain(), [expected_digest, error])
+ result := lib.result_helper(rego.metadata.chain(), [expected_ref, error])
 }
 
 task_steps(task) := steps if {
diff --git a/policy/release/slsa_build_scripted_build_test.rego b/policy/release/slsa_build_scripted_build_test.rego
index df357f9a..819857fb 100644
--- a/policy/release/slsa_build_scripted_build_test.rego
+++ b/policy/release/slsa_build_scripted_build_test.rego
@@ -23,7 +23,7 @@ test_all_good if {
 "steps": [{"entrypoint": "/bin/bash"}],
 }]
 
- image := {"ref": _image_digest}
+ image := {"ref": _image_ref}
 
 task_bundles := {mock_bundle_repo: [{
 "digest": mock_bundle_digest,
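Review bot: `expected_digest := image.parse(expected_ref).digest` is `""` when the reference carries no digest, as the commit message itself notes, and the rule then compares that empty string against task results; whether an empty digest matches nothing or happens to match a task with an empty result is decided by code outside this hunk. A tag-only reference cannot pin the image being validated, so that condition deserves its own report rather than being folded into "No Pipeline Tasks built the image". I would add `# image.parse yields digest "" for a reference without one; such a ref cannot identify the built image` above the new line, and a separate deny for `expected_digest == ""` whose message names the unpinned reference. The deny rule starts in this hunk and its body continues past it into the next one.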
@@ -366,11 +366,11 @@ test_image_built_by_trusted_task_no_build_task if {
 }],
 )
 
- image := {"ref": _image_digest}
+ image := {"ref": _image_ref}
 
 expected := {{
 "code": "slsa_build_scripted_build.image_built_by_trusted_task",
- "msg": "Image \"sha256:123\" not built by a trusted task: No Pipeline Tasks built the image",
+ "msg": "Image \"some.image/foo:bar@sha256:123\" not built by a trusted task: No Pipeline Tasks built the image",
 }}
 
 lib.assert_equal_results(expected, slsa_build_scripted_build.deny) with input.image as image
@@ -394,11 +394,11 @@ test_image_built_by_trusted_task_not_trusted if {
 "steps": [{"entrypoint": "/bin/bash"}],
 }]
 
- image := {"ref": _image_digest}
+ image := {"ref": _image_ref}
 
 expected := {{
 "code": "slsa_build_scripted_build.image_built_by_trusted_task",
- "msg": "Image \"sha256:123\" not built by a trusted task: Build Task \"buildah\" is not trusted",
+ "msg": "Image \"some.image/foo:bar@sha256:123\" not built by a trusted task: Build Task \"buildah\" is not trusted",
 }}
 
 lib.assert_equal_results(expected, slsa_build_scripted_build.deny) with input.image as image
@@ -413,6 +413,8 @@ _image_digest_value := "123"
 
 _image_digest := concat(":", [_image_digest_algorithm, _image_digest_value])
 
+_image_ref := sprintf("%s@%s:%s", [_image_url, _image_digest_algorithm, _image_digest_value])
+
 _mock_attestation(original_tasks) := d if {
 default_task := {
 "name": "buildah",

From 7389d69e14729623d81deee85714e23077baffea Mon Sep 17 00:00:00 2001
From: Zoran Regvart
Date: Mon, 8 Jan 2024 16:29:34 +0100
Subject: [PATCH 2/2] Update policy/release/slsa_build_scripted_build_test.rego

Co-authored-by: Simon Baird
---
 policy/release/slsa_build_scripted_build_test.rego | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/release/slsa_build_scripted_build_test.rego b/policy/release/slsa_build_scripted_build_test.rego
index 819857fb..5e7e575b 100644
--- a/policy/release/slsa_build_scripted_build_test.rego
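Review bot: None of the updated tests (test_image_built_by_trusted_task_no_build_task, test_image_built_by_trusted_task_not_trusted, and test_all_good in the earlier hunk) exercise a reference without a digest, which is the case the commit message singles out as yielding `""` from `image.parse`. A test passing `image := {"ref": _image_url}` would pin whether such a reference produces the "not built by a trusted task" denial or something else, and would catch a regression if the comparison against task results ever changed. The `_image_ref` helper introduced at the @@ -413 hunk could be joined by `_image_ref_no_digest := _image_url` for that test.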
+++ b/policy/release/slsa_build_scripted_build_test.rego
@@ -413,7 +413,7 @@ _image_digest_value := "123"
 
 _image_digest := concat(":", [_image_digest_algorithm, _image_digest_value])
 
-_image_ref := sprintf("%s@%s:%s", [_image_url, _image_digest_algorithm, _image_digest_value])
+_image_ref := sprintf("%s@%s", [_image_url, _image_digest])
 
 _mock_attestation(original_tasks) := d if {
 default_task := {