diff --git a/policy/release/slsa_build_scripted_build.rego b/policy/release/slsa_build_scripted_build.rego
index c082f367..b2de5f3c 100644
--- a/policy/release/slsa_build_scripted_build.rego
+++ b/policy/release/slsa_build_scripted_build.rego
@@ -19,7 +19,6 @@ import future.keywords.in
 import data.lib
 import data.lib.bundles
 import data.lib.image
-import data.lib.refs
 import data.lib.tkn
 # METADATA
@@ -134,15 +133,14 @@ deny contains result if {
 # Find all the Tekton Bundle references from the Tasks that claim to have built the image being
 # validated.
- bundles := {bundle |
+ tasks := {build_task |
 some attestation in lib.pipelinerun_attestations
 some build_task in tkn.build_tasks(attestation)
 digest := tkn.task_result(build_task, "IMAGE_DIGEST")
 digest == expected_digest
- bundle := refs.task_ref(build_task).bundle
 }
- error := trusted_build_task_error(bundles)
+ error := _trusted_build_task_error(tasks)
 result := lib.result_helper(rego.metadata.chain(), [expected_ref, error])
 }
@@ -155,11 +153,17 @@ subject_digest(subject) := digest if {
 digest := concat(":", [algorithm, value])
 }
-trusted_build_task_error(build_task_bundles) := error if {
- count(build_task_bundles) == 0
+_trusted_build_task_error(tasks) := error if {
+ count(tasks) == 0
 error := "No Pipeline Tasks built the image"
 } else := error if {
- some task in bundles.unacceptable_task_bundle(lib.tasks_from_pipelinerun)
- refs.task_ref(task).bundle in build_task_bundles
- error := sprintf("Build Task %q is not trusted", [tkn.task_name(task)])
+ unacceptable_tasks := bundles.unacceptable_task_bundle(lib.tasks_from_pipelinerun)
+ unacceptable_build_tasks = unacceptable_tasks & tasks
+ count(unacceptable_build_tasks) > 0
+
+ names := {name |
+ some task in unacceptable_build_tasks
+ name := tkn.task_name(task)
+ }
+ error := sprintf("Build Task(s) %q are not trusted", [concat(",", names)])
 }
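Review bot: The comment above the comprehension in deny is now stale: it still says the set holds "Tekton Bundle references", but after this change the comprehension collects the build task objects themselves (`tasks := {build_task | ...}`), so the reader is pointed at the wrong thing when debugging why a task was or was not matched. Suggest `# Find all the Tasks that claim to have built the image being validated.` in its place. It would also help to state on that line that the set is later intersected against lib.tasks_from_pipelinerun, since the match now depends on whole-task equality rather than on a bundle reference string; deny's body starts and ends within the hunk.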
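Review bot: `unacceptable_build_tasks = unacceptable_tasks & tasks` in the else branch of _trusted_build_task_error uses unification `=` while every neighbouring assignment uses `:=`; with a fresh variable on the left the result is the same, but `:=` makes the intent explicit and matches the file's style, so `unacceptable_build_tasks := unacceptable_tasks & tasks`. More importantly, the set intersection only matches when the task values produced by bundles.unacceptable_task_bundle(lib.tasks_from_pipelinerun) are identical to those produced by tkn.build_tasks(attestation) (both helpers are outside this diff); if either one ever reshapes or normalizes its tasks, the intersection is empty, `count(unacceptable_build_tasks) > 0` fails, the rule is undefined and the deny silently does not fire for an untrusted build task, which is a fail-open compared with the old bundle-string comparison. A short comment recording that assumption, plus a test in which a build task differs from its pipelinerun counterpart only in a field the helpers might drop, would make the dependency visible. `concat(",", names)` iterates a set, which OPA appears to order deterministically (the test expects "buildah-1,buildah-2"); a one-line comment saying the message order is by set ordering, not pipeline order, would avoid surprise.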
diff --git a/policy/release/slsa_build_scripted_build_test.rego b/policy/release/slsa_build_scripted_build_test.rego
index 5e7e575b..95481ef1 100644
--- a/policy/release/slsa_build_scripted_build_test.rego
+++ b/policy/release/slsa_build_scripted_build_test.rego
@@ -398,7 +398,54 @@ test_image_built_by_trusted_task_not_trusted if {
 expected := {{
 "code": "slsa_build_scripted_build.image_built_by_trusted_task",
- "msg": "Image \"some.image/foo:bar@sha256:123\" not built by a trusted task: Build Task \"buildah\" is not trusted",
+ # regal ignore:line-length
+ "msg": `Image "some.image/foo:bar@sha256:123" not built by a trusted task: Build Task(s) "buildah" are not trusted`,
+ }}
+
+ lib.assert_equal_results(expected, slsa_build_scripted_build.deny) with input.image as image
+ with input.attestations as [_mock_attestation(tasks)]
+}
+
+test_image_built_by_multiple_not_trusted_tasks if {
+ tasks := [
+ {
+ "results": [
+ {"name": "IMAGE_URL", "value": _image_url},
+ {"name": "IMAGE_DIGEST", "value": _image_digest},
+ ],
+ "ref": {
+ "resolver": "bundles",
+ "params": [
+ {"name": "bundle", "value": mock_bundle},
+ {"name": "name", "value": "buildah-1"},
+ {"name": "kind", "value": "task"},
+ ],
+ },
+ "steps": [{"entrypoint": "/bin/bash"}],
+ },
+ {
+ "results": [
+ {"name": "IMAGE_URL", "value": _image_url},
+ {"name": "IMAGE_DIGEST", "value": _image_digest},
+ ],
+ "ref": {
+ "resolver": "bundles",
+ "params": [
+ {"name": "bundle", "value": mock_bundle},
+ {"name": "name", "value": "buildah-2"},
+ {"name": "kind", "value": "task"},
+ ],
+ },
+ "steps": [{"entrypoint": "/bin/bash"}],
+ },
+ ]
+
+ image := {"ref": _image_ref}
+
+ expected := {{
+ "code": "slsa_build_scripted_build.image_built_by_trusted_task",
+ # regal ignore:line-length
+ "msg": `Image "some.image/foo:bar@sha256:123" not built by a trusted task: Build Task(s) "buildah-1,buildah-2" are not trusted`,
 }}
 lib.assert_equal_results(expected, slsa_build_scripted_build.deny) with input.image as image