Red Hat Summit 红帽全球峰会支持控制台(Console)开发人员开始试用联系人

此内容没有您所选择的语言版本。

Chapter 3. Creating a policy

A Conforma policy is a rule or set of rules and Conforma-specific annotations. Conforma can perform several types of policy checks, including checking all of the policy rules required for Red Hat products. Conforma uses the general purpose policy engine called Open Policy Agent (OPA). OPA defines its policy rules by using Rego. This means that the policy rules from OPA that are in a Conforma policy are also defined in Rego.

Procedure

  1. Create a Rego file to define a new policy rule, as in the following example: 

    echo 'package zero_to_hero

import future.keywords.contains
import future.keywords.if
import future.keywords.in


# METADATA
# title: Builder ID
# description: Verify the SLSA Provenance has the builder.id set to
#   the expected value.
# custom:
#   short_name: builder_id
#   failure_msg: The builder ID %q is not the expected %q
#   solution: >-
#     Ensure the correct build system was used to build the container
#     image.
deny contains result if {
	some attestation in input.attestations
	attestation.statement.predicateType == "https://slsa.dev/provenance/v0.2"

	expected := "https://localhost/dummy-id"
	got := attestation.statement.predicate.builder.id

	expected != got

	result := {
		"code": "zero_to_hero.builder_id",
		"msg": sprintf("The builder ID %q is not expected, %q", [got, expected])
	}
}
' > rules.rego
    Copy to Clipboard Toggle word wrap
    METADATA
    The first 10 lines of code comprise the METADATA comment block, which is how rego specifies rules annotations so that Conforma can include those annotation details in its successes and violations report.
    short_name
    This single policy rule verifies that the builder.id in your new policy rule matches the builder.id in your Supply-chain Levels for Software Artifacts (SLSA) provenance.
    input.attestations

    input is a Rego object that contains all of the information about your container image, its signature, and its attestations. The input.attestations attribute of the input object contains a list of attestations associated with the image.

    Tip

    You can save the input object to a JSON file to view the available values, which is helpful in writing new policy rules. To save the input object as a JSON file named input.json, run a command similar to the following example: 

    $ ec validate image --public-key cosign.pub \
  --image "$REPOSITORY:latest" \
  --policy policy.yaml \
  --output policy-input=input.json
    Copy to Clipboard Toggle word wrap

  2. Create a policy configuration to use your new policy rule: 

    echo "
---
sources:
  - policy:
      - $(pwd)/rules.rego
" > policy.yaml
    Copy to Clipboard Toggle word wrap

  3. Use the new policy to validate your container image, and to display additional information in the successes and violations report, as in the following example: 

    $ ec validate image --public-key cosign.pub \
  --image "$REPOSITORY:latest" \
  --policy policy.yaml \
  --show-successes --info --output yaml
    Copy to Clipboard Toggle word wrap

Verification

  • Check the successes and violations report to make sure that your new rule is in the successes list.

3.1. Configuring a policy
复制链接

You can configure a Conforma policy with an inline JSON or YAML string. This policy, sometimes called a config or a contract, specifies where Conforma should find the rules and data to use to apply the policies you want to enforce. You can also include or exclude a single rule or a particular package of rules.

Procedure

  1. Configure your policy in the command line as a JSON or YAML string, as in the following example: 

    $ ec validate image --policy '{
    "sources": [
        {
            "policy": ["oci::quay.io/enterprise-contract/ec-release-policy:latest"],
            "data": ["git::https://github.com/enterprise-contract/ec-policies//example/data"],
            "config": {"include": ["@minimal"]}
        }
    ]
}' ...
    Copy to Clipboard Toggle word wrap

  2. (Optional) Exclude a particular package of rules from your Conforma policy, as in the following example: 

    {
  "sources": [
    {
      "policy": [
        "oci::quay.io/enterprise-contract/ec-release-policy:latest"
      ],
      "data": [
        "git::https://github.com/enterprise-contract/ec-policies//example/data"
      ],
      "config": {
        "exclude": [
          "attestation_task_bundle",
          "slsa_build_scripted_build"
        ]
      }
    }
  ]
}
    Copy to Clipboard Toggle word wrap

    This command includes every rule from every package except for the rules in the specified packages.

  3. (Optional) Exclude a single rule, as in the following example: 

    {
  "sources": [
    {
      "policy": [
        "oci::quay.io/enterprise-contract/ec-release-policy:latest"
      ],
      "data": [
        "git::https://github.com/enterprise-contract/ec-policies//example/data"
      ],
      "config": {
        "exclude": [
          "attestation_task_bundle.unacceptable_task_bundle"
        ]
      }
    }
  ]
}
    Copy to Clipboard Toggle word wrap

    This commands includes every rule from the attestation_task_bundle package except for the unacceptable_task_bundle rule.

  4. (Optional) Include rules from only a particular package, as in the following example: 

    {
  "sources": [
    {
      "policy": [
        "oci::quay.io/enterprise-contract/ec-release-policy:latest"
      ],
      "data": [
        "git::https://github.com/enterprise-contract/ec-policies//example/data"
      ],
      "config": {
        "include": [
          "test",
          "java"
        ]
      }
    }
  ]
}
    Copy to Clipboard Toggle word wrap

    This command includes only the rules from the specified packages.

  5. (Optional) Include only some rules from a particular package. This means that you can specify both include and exclude to select only the rules you want your Conforma policy to include, as in the following example: 

    {
  "sources": [
    {
      "policy": [
        "oci::quay.io/enterprise-contract/ec-release-policy:latest"
      ],
      "data": [
        "git::https://github.com/enterprise-contract/ec-policies//example/data"
      ],
      "config": {
        "include": [
          ""*"",
          "attestation_task_bundle.unacceptable_task_bundle"
        ],
        "exclude": [
          "attestation_task_bundle.*"
        ]
      }
    }
  ]
}
    Copy to Clipboard Toggle word wrap
    asterisk (*)

    The asterisk (*) acts as a wildcard to match any package. It does not match partial names. For example, you cannot specify "s*" to match every package that starts with "s".

    These commands specify that you want to include only the unacceptable_task_bundle rule from the attestation_task_bundle package, and exclude all the other rules in that package.

  6. (Optional) Exclude certain checks so that Conforma can validate your container image even if those checks fail or don’t complete, as in the following example: 

    {
  "sources": [
    {
      "policy": [
        "oci::quay.io/enterprise-contract/ec-release-policy:latest"
      ],
      "data": [
        "git::https://github.com/enterprise-contract/ec-policies//example/data"
      ],
      "config": {
        "exclude": [
          "test:get-clair-scan",
          "test:clamav-scan"
        ]
      }
    }
  ]
}
    Copy to Clipboard Toggle word wrap

    This command specifies that, if either of the identified checks fails or does not complete, Conforma can still finish to validate your container image.

  7. (Optional) Modify the defaults for rules in a package by running either the config.policy.include command or the config.policy.exclude command, along with a list of strings.

    Your list of strings should include one of the following:

    package name
    Choose from the packages in the "Available rule collections" list.
    rule name
    Specify a rule name by entering the name of the package and the rule code, separated by a dot (.), as in this example: attestation_type.unknown_att_type. You can find rule codes under "Attestation type" in the upstream Conforma documentation.
    package name:term
    Some policy rules process a list of items. When you add "term" to the "package name" string, you can exclude or include a particular item from that list. This works similarly to "package name," except that it applies only to policy rules in the package that match that term. For example, if you run the test package, you can choose to ignore a given test case but include all the others.
    rule name:term
    This is similar to "package name:term" except that, instead of including or excluding an item from a package, you can include or exclude a particular package policy rule.
    @collection name
    Add this to your string to specify a predefined collection of rules. Prefix the collection name with the @ symbol. Choose from the available rule collections.
Red Hat logoGithubredditYoutubeTwitter

学习

尝试、购买和销售

社区

关于红帽文档

通过我们的产品和服务,以及可以信赖的内容,帮助红帽用户创新并实现他们的目标。 了解我们当前的更新.

让开源更具包容性

红帽致力于替换我们的代码、文档和 Web 属性中存在问题的语言。欲了解更多详情,请参阅红帽博客.

關於紅帽

我们提供强化的解决方案,使企业能够更轻松地跨平台和环境(从核心数据中心到网络边缘)工作。

Theme

© 2026 Red Hat返回顶部