Skip to content

Create SBOM Control with a rego policy #319

Description

@JonJagger

Plan is for rego to check:

  • Non-empty inventory — packages count ≥ a threshold (an SBOM with 0–1 packages usually means generation silently failed).
    → defined
    • Every package has a version — no versionInfo missing/"NOASSERTION". An unversioned dependency isn't managed.
    • Every package has a resolvable identity — a purl in externalRefs (type PACKAGE-MANAGER) or a downloadLocation !=
      "NOASSERTION". → auditable
    • Every package has a declared license — licenseDeclared/licenseConcluded present and not NOASSERTION (or: count of
      unknown-license packages is 0, or below a tolerated cap you record explicitly).
    • Valid, current document — spdxVersion is an allowed value, creationInfo.created present, and creationInfo.creators
      records the generating tool (proves how it was built → auditable).
    • Has relationships — relationships non-empty, so it's a real dependency graph rooted at the image, not a flat list.

Metadata

Metadata

Assignees

Labels

No labels
No labels

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions