diff --git a/checks/annotations_test.rego b/checks/annotations_test.rego
index e1e65db4..64522624 100644
--- a/checks/annotations_test.rego
+++ b/checks/annotations_test.rego
@@ -53,7 +53,7 @@ opa_inspect_valid := {
 "short_name": "pipelinerun_attestation_found",
 "solution": "Make sure the attestation being verified was generated from a Tekton pipelineRun.",
 },
-"description": "At least one PipelineRun attestation must be present.",
+"description": "Confirm at least one PipelineRun attestation is present.",
 "scope": "rule",
 "title": "PipelineRun attestation found",
 },
@@ -78,7 +78,7 @@ opa_inspect_missing_annotations := {
 "annotations": [{
 "annotations": {
 "scope": "rule",
-"description": "Check for existence of a task bundle. Enforcing this rule will\nfail the contract if the task is not called from a bundle.",
+"description": "Check for the existence of a task bundle. This rule will fail if the task is not called from a bundle.",
 "custom": {
 "flagiure_msg": "Task '%s' does not contain a bundle reference",
 "short_name": "disallowed_task_reference",
diff --git a/policy/build_task/labels.rego b/policy/build_task/labels.rego
index 6d5258f9..b2fa078c 100644
--- a/policy/build_task/labels.rego
+++ b/policy/build_task/labels.rego
@@ -1,8 +1,9 @@
 #
 # METADATA
-# title: Checks related to build tasks
-# description: |-
-#   Checks related to build tasks
+# title: Tekton task build type label checks
+# description: >-
+#   Policies to verify that a Tekton build task definition has the
+#   required build type label.
 #
 package policy.build_task.labels
 
@@ -16,24 +17,26 @@ import data.lib.tkn
 build_label := "build.appstudio.redhat.com/build_type"
 
 # METADATA
-# title: Build task does not contain required label
-# description: |-
-#   This policy enforces that a required build label is present in a build task
+# title: Build task has build type label
+# description: >-
+#   Confirm the build task definition has the required build type label.
 # custom:
-#   short_name: build_task_label_missing
+#   short_name: build_type_label_set
 #   failure_msg: The required build label '%s' is missing
+#
 deny contains result if {
 	not build_label in object.keys(tkn.task_labels)
 	result := lib.result_helper(rego.metadata.chain(), [build_label])
 }
 
 # METADATA
-# title: Build task does not contain any labels
-# description: |-
-#   This policy enforces that the task contains a label
+# title: Build task has label
+# description: >-
+#   Confirm that the build task definition includes at least one label.
 # custom:
-#   short_name: build_task_no_labels
-#   failure_msg: The task does not contain labels
+#   short_name: build_task_has_label
+#   failure_msg: The task definition does not include any labels
+#
 deny contains result if {
 	not tkn.task_labels
 	result := lib.result_helper(rego.metadata.chain(), [])
diff --git a/policy/build_task/labels_test.rego b/policy/build_task/labels_test.rego
index 713b7b4c..62549cb2 100644
--- a/policy/build_task/labels_test.rego
+++ b/policy/build_task/labels_test.rego
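Review bot: The new `short_name` values `build_type_label_set` and `build_task_has_label` change the rule codes that consumers see (labels_test.rego in this same commit now asserts `labels.build_type_label_set`), so any policy configuration or exclusion list that still references `labels.build_task_label_missing` or `labels.build_task_no_labels` would silently stop matching. The same applies to the renames in policy/pipeline/basic.rego (`unexpected_kind` to `expected_kind`) and policy/pipeline/required_tasks.rego (`tasks_missing` to `tasks_found`, `missing_required_pipeline_task` to `required_tasks_found`, `missing_required_data` to `required_tasks_list_present`). The commit carries no migration note; consider recording the old-to-new code mapping in the commit message or release notes, or confirm that no downstream configuration references these codes.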
@@ -8,14 +8,14 @@ test_build_label_found {
 
 test_build_label_not_found {
 	lib.assert_equal_results(deny, {{
-		"code": "labels.build_task_label_missing",
+		"code": "labels.build_type_label_set",
 		"msg": "The required build label 'build.appstudio.redhat.com/build_type' is missing",
 	}}) with input as {"metadata": {"labels": {"bad": "docker"}}}
 }
 
 test_no_labels {
 	lib.assert_equal_results(deny, {{
-		"code": "labels.build_task_no_labels",
-		"msg": "The task does not contain labels",
+		"code": "labels.build_task_has_label",
+		"msg": "The task definition does not include any labels",
 	}}) with input as {"metadata": {"name": "no_labels"}}
 }
diff --git a/policy/pipeline/basic.rego b/policy/pipeline/basic.rego
index 010ce68d..35f52170 100644
--- a/policy/pipeline/basic.rego
+++ b/policy/pipeline/basic.rego
@@ -2,9 +2,7 @@
 # METADATA
 # title: Pipeline definition sanity checks
 # description: >-
-#   Currently there is just a check to confirm the input
-#   appears to be a Pipeline definition. We may add additional
-#   sanity checks in future.
+#   Policies to confirm the Tekton Pipeline definition has the expected kind.
 #
 package policy.pipeline.basic
 
@@ -20,12 +18,12 @@ expected_kind := "Pipeline"
 # Fixme: It doesn't fail if the kind key is entirely missing..
 
 # METADATA
-# title: Input data has unexpected kind
+# title: Pipeline definition has expected kind
 # description: >-
-#   A sanity check to confirm the input data has the kind "Pipeline"
+#   Confirm that the pipeline definition has the kind "Pipeline".
 # custom:
-#   short_name: unexpected_kind
-#   failure_msg: Unexpected kind '%s'
+#   short_name: expected_kind
+#   failure_msg: Unexpected kind '%s' for pipeline definition
 #
 deny contains result if {
 	expected_kind != input.kind
diff --git a/policy/pipeline/basic_test.rego b/policy/pipeline/basic_test.rego
index 7e575af9..2504303e 100644
--- a/policy/pipeline/basic_test.rego
+++ b/policy/pipeline/basic_test.rego
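Review bot: The rule renamed to "Pipeline definition has expected kind" still cannot detect a definition with no `kind` at all: in the last hunk line of policy/pipeline/basic.rego, `expected_kind != input.kind` is undefined when `input.kind` is absent, so the deny rule never fires and the `# Fixme` context line above it remains accurate. Consider binding the value with a default first, `kind := object.get(input, "kind", "")` followed by `kind != expected_kind`, and passing `kind` to the result helper; the remainder of the deny body, including that call, is outside the hunk. A test whose input lacks `kind` would pin the corrected behaviour, and the Fixme comment could then be dropped.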
@@ -4,7 +4,7 @@ import data.lib
 
 test_unexpected_kind {
 	lib.assert_equal_results(deny, {{
-		"code": "basic.unexpected_kind",
-		"msg": "Unexpected kind 'Foo'",
+		"code": "basic.expected_kind",
+		"msg": "Unexpected kind 'Foo' for pipeline definition",
 	}}) with input.kind as "Foo"
 }
diff --git a/policy/pipeline/required_tasks.rego b/policy/pipeline/required_tasks.rego
index 61da549a..f9396a89 100644
--- a/policy/pipeline/required_tasks.rego
+++ b/policy/pipeline/required_tasks.rego
@@ -1,9 +1,10 @@
 #
 # METADATA
+# title: Required tasks
 # description: >-
 #   RHTAP expects that certain Tekton tasks are executed during image builds.
 #   This package includes policy rules to confirm that the pipeline definition
-#   includes the required Tekton tasks.
+#   includes those required tasks.
 #
 package policy.pipeline.required_tasks
 
@@ -15,13 +16,12 @@ import data.lib
 import data.lib.tkn
 
 # METADATA
-# title: No tasks in Pipeline
+# title: Pipeline contains tasks
 # description: >-
-#   This policy enforces that at least one Task is present in the Pipeline
-#   definition.
+#   Confirm at least one task is present in the pipeline definition.
 # custom:
-#   short_name: tasks_missing
-#   failure_msg: No tasks found in Pipeline definition
+#   short_name: tasks_found
+#   failure_msg: No tasks found in pipeline
 deny contains result if {
 	input.kind == "Pipeline"
 	count(tkn.tasks(input)) == 0
@@ -29,11 +29,12 @@ deny contains result if {
 }
 
 # METADATA
-# title: Missing required pipeline tasks
+# title: Required tasks found in pipeline definition
 # description: >-
-#   This policy warns if a task list does not exist in the acceptable_bundles.yaml file
+#   Produce a warning if a task list does not exist in the acceptable
+#   bundles rule data.
 # custom:
-#   short_name: missing_required_pipeline_task
+#   short_name: required_tasks_found
 #   failure_msg: Required tasks do not exist for pipeline %q
 warn contains result if {
 	count(tkn.tasks(input)) > 0
@@ -49,7 +50,7 @@ warn contains result if {
 # METADATA
 # title: Missing required task
 # description: >-
-#   This policy enforces that the required set of tasks are included
+#   Ensure that the set of required tasks is included
 #   in the Pipeline definition.
 # custom:
 #   short_name: missing_required_task
@@ -68,8 +69,8 @@ deny contains result if {
 # METADATA
 # title: Missing future required task
 # description: >-
-#   This policy warns when a task that will be required in the future
-#   was not included in the Pipeline definition.
+#   Produce a warning when a task that will be required in the future
+#   is not currently included in the Pipeline definition.
 # custom:
 #   short_name: missing_future_required_task
 #   failure_msg: Task %q is missing and will be required in the future
@@ -86,12 +87,13 @@ warn contains result if {
 }
 
 # METADATA
-# title: Missing required tasks data
+# title: Required task list is present in rule data
 # description: >-
-#   The policy rules in this package require the required-tasks data to be provided.
+#   Confirm the `required-tasks` rule data was provided, since it's
+#   required by the policy rules in this package.
 # custom:
-#   short_name: missing_required_data
-#   failure_msg: Missing required task-bundles data
+#   short_name: required_tasks_list_present
+#   failure_msg: The required tasks list is missing from the rule data
 deny contains result if {
 	tkn.missing_required_tasks_data
 	not tkn.required_task_list(input)
diff --git a/policy/pipeline/required_tasks_test.rego b/policy/pipeline/required_tasks_test.rego
index 9dfa8f30..b3044a41 100644
--- a/policy/pipeline/required_tasks_test.rego
+++ b/policy/pipeline/required_tasks_test.rego
@@ -62,7 +62,7 @@ test_extra_tasks_ignored if {
 
 test_missing_pipeline_label if {
 	expected := {{
-		"code": "required_tasks.missing_required_pipeline_task",
+		"code": "required_tasks.required_tasks_found",
 		"msg": "Required tasks do not exist for pipeline \"fbc\"",
 	}}
 	pipeline := _pipeline_with_tasks(_expected_required_tasks, [], [])
@@ -140,8 +140,8 @@ test_current_equal_latest_also if {
 
 test_no_tasks_present if {
 	expected := {{
-		"code": "required_tasks.tasks_missing",
-		"msg": "No tasks found in Pipeline definition",
+		"code": "required_tasks.tasks_found",
+		"msg": "No tasks found in pipeline",
 	}}
 	lib.assert_equal_results(expected, deny) with data["pipeline-required-tasks"] as _time_based_pipeline_required_tasks
@@ -183,8 +183,8 @@ test_parameterized if {
 test_missing_required_tasks_data if {
 	pipeline := _pipeline_with_tasks_and_label(_expected_required_tasks, [], [])
 	expected := {{
-		"code": "required_tasks.missing_required_data",
-		"msg": "Missing required task-bundles data",
+		"code": "required_tasks.required_tasks_list_present",
+		"msg": "The required tasks list is missing from the rule data",
 	}}
 	lib.assert_equal_results(expected, deny) with data["required-tasks"] as [] with data["pipeline-required-tasks"] as {}
@@ -269,7 +269,7 @@ _missing_tasks_warning(tasks) = warnings if {
 _missing_pipeline_tasks_warning(name) = warnings if {
 	warnings := {warning |
 		warning := {
-			"code": "required_tasks.missing_required_pipeline_task",
+			"code": "required_tasks.required_tasks_found",
 			"msg": sprintf("Required tasks do not exist for pipeline %q", [name]),
 		}
 	}
diff --git a/policy/pipeline/task_bundle.rego b/policy/pipeline/task_bundle.rego
index b3fb9a70..71cd3a82 100644
--- a/policy/pipeline/task_bundle.rego
+++ b/policy/pipeline/task_bundle.rego
@@ -21,8 +21,8 @@ import data.lib.bundles
 # METADATA
 # title: Task bundle was not used or is not defined
 # description: >-
-#   Check for existence of a task bundle. Enforcing this rule will
-#   fail the contract if the task is not called from a bundle.
+#   Check for the existence of a task bundle. This rule will
+#   fail if the task is not called from a bundle.
 # custom:
 #   short_name: disallowed_task_reference
 #   failure_msg: Pipeline task '%s' does not contain a bundle reference
@@ -35,7 +35,7 @@ deny contains result if {
 # METADATA
 # title: Task bundle reference is empty
 # description: >-
-#   Check for a valid task bundle reference being used.
+#   Check that a valid task bundle reference is being used.
 # custom:
 #   short_name: empty_task_bundle_reference
 #   failure_msg: Pipeline task '%s' uses an empty bundle image reference
@@ -91,7 +91,8 @@ deny contains result if {
 # METADATA
 # title: Missing required data
 # description: >-
-#   The policy rules in this package require the task-bundles data to be provided.
+#   Confirm the `task-bundles` rule data was provided, since it's
+#   required by the policy rules in this package.
 # custom:
 #   short_name: missing_required_data
 #   failure_msg: Missing required task-bundles data
diff --git a/policy/release/attestation_task_bundle.rego b/policy/release/attestation_task_bundle.rego
index 3f08db0a..48a54ba4 100644
--- a/policy/release/attestation_task_bundle.rego
+++ b/policy/release/attestation_task_bundle.rego
@@ -21,8 +21,8 @@ import data.lib.bundles
 # METADATA
 # title: Tasks defined using bundle references
 # description: >-
-#   Check for existence of a task bundle. Enforcing this rule will
-#   fail the contract if the task is not called from a bundle.
+#   Check for the existence of a task bundle. This rule will
+#   fail if the task is not called from a bundle.
 # custom:
 #   short_name: tasks_defined_in_bundle
 #   failure_msg: Pipeline task '%s' does not contain a bundle reference
@@ -40,7 +40,7 @@ deny contains result if {
 # METADATA
 # title: Task bundle references not empty
 # description: >-
-#   Check for a valid task bundle reference being used.
+#   Check that a valid task bundle reference is being used.
 # custom:
 #   short_name: task_ref_bundles_not_empty
 #   failure_msg: Pipeline task '%s' uses an empty bundle image reference
@@ -123,8 +123,8 @@ deny contains result if {
 # METADATA
 # title: An acceptable Tekton bundles list was provided
 # description: >-
-#   The policy rules in this package require the acceptable Tekton task bundles
-#   rule data to be provided.
+#   Confirm the `task-bundles` rule data was provided, since it's
+#   required by the policy rules in this package.
 # custom:
 #   short_name: acceptable_bundles_provided
 #   failure_msg: Missing required task-bundles data
diff --git a/policy/release/attestation_type.rego b/policy/release/attestation_type.rego
index 87fac87f..11348ff8 100644
--- a/policy/release/attestation_type.rego
+++ b/policy/release/attestation_type.rego
@@ -14,7 +14,7 @@ import data.lib
 # METADATA
 # title: Known attestation type found
 # description: >-
-#   A sanity check to confirm the attestation found for the image has a known
+#   Confirm the attestation found for the image has a known
 #   attestation type.
 # custom:
 #   short_name: known_attestation_type
@@ -38,7 +38,7 @@ deny contains result if {
 # METADATA
 # title: PipelineRun attestation found
 # description: >-
-#   At least one PipelineRun attestation must be present.
+#   Confirm at least one PipelineRun attestation is present.
 # custom:
 #   short_name: pipelinerun_attestation_found
 #   failure_msg: Missing pipelinerun attestation
diff --git a/policy/release/base_image_registries.rego b/policy/release/base_image_registries.rego
index af47efcf..ff2bf9aa 100644
--- a/policy/release/base_image_registries.rego
+++ b/policy/release/base_image_registries.rego
@@ -16,8 +16,8 @@ import data.lib
 # METADATA
 # title: Base image comes from permitted registry
 # description: >-
-#   The base images used when building a container image must come from a known set
-#   of trusted registries to reduce potential supply chain attacks. By default this
+#   Verify that the base images used when building a container image come from a known
+#   set of trusted registries to reduce potential supply chain attacks. By default this
 #   policy defines trusted registries as registries that are fully maintained by Red
 #   Hat and only contain content produced by Red Hat. The list of permitted registries
 #   can be customized by setting the `allowed_registry_prefixes` list in the rule data.
@@ -43,14 +43,14 @@ deny contains result if {
 # METADATA
 # title: Base image task result was provided
 # description: >-
-#   The attestation must provide the expected information about which base images
+#   Verify the attestation provides the expected information about which base images
 #   were used during the build process. The base image information is expected to
-#   be found in a task result called `BASE_IMAGES_DIGESTS`.
+#   be found in a task result called BASE_IMAGES_DIGESTS.
 # custom:
 #   short_name: base_image_info_found
 #   failure_msg: Base images result is missing
 #   solution: >-
-#     A Tekton task must exist that emits a result named 'BASE_IMAGES_DIGESTS'.
+#     A Tekton task must exist that emits a result named BASE_IMAGES_DIGESTS.
 #   collections:
 #   - minimal
 #   - redhat
@@ -70,8 +70,8 @@ deny contains result if {
 # METADATA
 # title: Allowed base image registry prefixes list was provided
 # description: >-
-#   The policy rules in this package require the `allowed_registry_prefixes`
-#   rule data to be provided.
+#   Confirm the `allowed_registry_prefixes` rule data was provided, since it's
+#   required by the policy rules in this package.
 # custom:
 #   short_name: allowed_registries_provided
 #   failure_msg: Missing required allowed_registry_prefixes rule data
diff --git a/policy/release/buildah_build_task.rego b/policy/release/buildah_build_task.rego
index 62401421..438c5809 100644
--- a/policy/release/buildah_build_task.rego
+++ b/policy/release/buildah_build_task.rego
@@ -16,7 +16,7 @@ import data.lib
 # METADATA
 # title: Buildah task has Dockerfile param defined
 # description: >-
-#   This policy verifies that a DOCKERFILE parameter was provided to
+#   Verify that a DOCKERFILE parameter was provided to
 #   the buildah task.
 # custom:
 #   short_name: buildah_task_has_dockerfile_param
@@ -39,8 +39,8 @@ deny contains result if {
 # METADATA
 # title: Buildah task uses a local Dockerfile
 # description: >-
-#   This policy verifies that the Dockerfile used in the buildah task is not
-#   fetched from an external source
+#   Verify the Dockerfile used in the buildah task was not
+#   fetched from an external source.
 # custom:
 #   short_name: buildah_uses_local_dockerfile
 #   failure_msg: DOCKERFILE param value (%s) is an external source
diff --git a/policy/release/cve.rego b/policy/release/cve.rego
index d22a683f..2ae0eca0 100644
--- a/policy/release/cve.rego
+++ b/policy/release/cve.rego
@@ -21,8 +21,8 @@ import data.lib
 #   of certain security levels have not been detected. If detected, this policy
 #   rule will fail. By default, only CVEs of critical and high security level
 #   cause a failure. This is configurable by the rule data key
-#   "restrict_cve_security_levels". The available levels are critical, high,
-#   medium, and low.
+#   `restrict_cve_security_levels`. The available levels are critical, high,
+#   medium, and low.
 # custom:
 #   short_name: cve_blockers
 #   failure_msg: Found %d CVE vulnerabilities of %s security level
@@ -47,8 +47,8 @@ deny contains result if {
 #   of certain security levels have not been detected. If detected, this policy
 #   rule will raise a warning. By default, the list of CVE security levels used
 #   by this policy is empty. However, this is configurable by the rule data key
-#   "warn_cve_security_levels". The available levels are critical, high,
-#   medium, and low.
+#   `warn_cve_security_levels`. The available levels are critical, high,
+#   medium, and low.
 # custom:
 #   short_name: cve_warnings
 #   failure_msg: Found %d non-blocking CVE vulnerabilities of %s security level
@@ -69,7 +69,7 @@ warn contains result if {
 # METADATA
 # title: CVE scan results found
 # description: >-
-#   The clair-scan task results have not been found in the SLSA Provenance
+#   Confirm that clair-scan task results are present in the SLSA Provenance
 #   attestation of the build pipeline.
 # custom:
 #   short_name: cve_results_found
diff --git a/policy/release/external_parameters.rego b/policy/release/external_parameters.rego
index b0634e57..9bd8b800 100644
--- a/policy/release/external_parameters.rego
+++ b/policy/release/external_parameters.rego
@@ -14,12 +14,12 @@ import future.keywords.in
 import data.lib
 
 # METADATA
-# title: pipeline run params
+# title: Pipeline run params
 # description: >-
 #   Verify the PipelineRun was initialized with a set of expected parameters.
 #   By default it asserts git-repo, git-revision, and output-image are provided
 #   with non-empty values. This is configurable by the rule data key
-#   "pipeline_run_params". Any additional parameters are NOT allowed.
+#   `pipeline_run_params`. Any additional parameters are NOT allowed.
 # custom:
 #   short_name: pipeline_run_params
 #   failure_msg: PipelineRun params, %v, do not match expectation, %v.
@@ -37,7 +37,7 @@ deny contains result if {
 }
 
 # METADATA
-# title: restrict shared volumes
+# title: Restrict shared volumes
 # description: >-
 #   Verify the PipelineRun did not use any pre-existing PersistentVolumeClaim
 #   workspaces.
diff --git a/policy/release/github_certificate.rego b/policy/release/github_certificate.rego
index 0ba8a995..de4a1369 100644
--- a/policy/release/github_certificate.rego
+++ b/policy/release/github_certificate.rego
@@ -34,7 +34,7 @@ warn contains result if {
 # description: >-
 #   Check if the value of the GitHub Workflow Repository extension in the image
 #   signature certificate matches one of the allowed values. Use the rule data
-#   key "allowed_gh_workflow_repos" to specify the list of allowed values.
+#   key `allowed_gh_workflow_repos` to specify the list of allowed values.
 #   An empty allow list, which is the default value, causes this check to succeeded.
 # custom:
 #   short_name: gh_workflow_repository
@@ -49,7 +49,7 @@ deny contains result if {
 # description: >-
 #   Check if the value of the GitHub Workflow Ref extension in the image
 #   signature certificate matches one of the allowed values. Use the rule data
-#   key "allowed_gh_workflow_refs" to specify the list of allowed values.
+#   key `allowed_gh_workflow_refs` to specify the list of allowed values.
 #   An empty allow list, which is the default value, causes this check to succeeded.
 # custom:
 #   short_name: gh_workflow_ref
@@ -64,7 +64,7 @@ deny contains result if {
 # description: >-
 #   Check if the value of the GitHub Workflow Name extension in the image
 #   signature certificate matches one of the allowed values. Use the rule data
-#   key "allowed_gh_workflow_names" to specify the list of allowed values.
+#   key `allowed_gh_workflow_names` to specify the list of allowed values.
 #   An empty allow list, which is the default value, causes this check to succeeded.
 # custom:
 #   short_name: gh_workflow_name
@@ -79,7 +79,7 @@ deny contains result if {
 # description: >-
 #   Check if the value of the GitHub Workflow Trigger extension in the image
 #   signature certificate matches one of the allowed values. Use the rule data
-#   key "allowed_gh_workflow_triggers" to specify the list of allowed values.
+#   key `allowed_gh_workflow_triggers` to specify the list of allowed values.
 #   An empty allow list, which is the default value, causes this check to succeeded.
 # custom:
 #   short_name: gh_workflow_trigger
diff --git a/policy/release/hermetic_build_task.rego b/policy/release/hermetic_build_task.rego
index b15de169..2a432aa2 100644
--- a/policy/release/hermetic_build_task.rego
+++ b/policy/release/hermetic_build_task.rego
@@ -16,7 +16,7 @@ import data.lib.tkn
 # METADATA
 # title: Build task called with hermetic param set
 # description: >-
-#   This policy verifies the build task in the PipelineRun attestation
+#   Verify the build task in the PipelineRun attestation
 #   was invoked with the proper parameters to make the build process
 #   hermetic.
 # custom:
diff --git a/policy/release/java.rego b/policy/release/java.rego
index 8c9edf2d..8de4305c 100644
--- a/policy/release/java.rego
+++ b/policy/release/java.rego
@@ -18,10 +18,10 @@ import data.lib
 # METADATA
 # title: Java builds have no foreign dependencies
 # description: >-
-#   The SBOM_JAVA_COMPONENTS_COUNT TaskResult finds dependencies that have
+#   The SBOM_JAVA_COMPONENTS_COUNT task result finds dependencies that have
 #   originated from foreign repositories, i.e. ones that are not rebuilt or
-#   provided by Red Hat. This rule uses the `allowed_java_component_sources`
-#   rule data.
+#   provided by Red Hat. Verify there are no dependencies from sources not
+#   listed in the `allowed_java_component_sources` rule data.
 # custom:
 #   short_name: no_foreign_dependencies
 #   failure_msg: Found Java dependencies from '%s', expecting to find only from '%s'
@@ -43,8 +43,8 @@ deny contains result if {
 # METADATA
 # title: Trusted Java dependency source list was provided
 # description: >-
-#   The policy rules in this package require the `allowed_java_component_sources`
-#   rule data to be provided.
+#   Confirm the `allowed_java_component_sources` rule data was provided, since it's
+#   required by the policy rules in this package.
 # custom:
 #   short_name: trusted_dependencies_source_list_provided
 #   failure_msg: Missing required allowed_java_component_sources rule data
diff --git a/policy/release/labels.rego b/policy/release/labels.rego
index c92d9b85..dd16ccb8 100644
--- a/policy/release/labels.rego
+++ b/policy/release/labels.rego
@@ -19,7 +19,7 @@ import data.lib
 # title: Deprecated labels
 # description: >-
 #   Check the image for the presence of labels that have been deprecated.
-#   Use the rule data key "deprecated_labels" to set the list of labels
+#   Use the rule data key `deprecated_labels` to set the list of labels
 #   to check.
 # custom:
 #   short_name: deprecated_labels
@@ -44,8 +44,8 @@ deny contains result if {
 # title: Required labels
 # description: >-
 #   Check the image for the presence of labels that are required.
-#   Use the rule data "required_labels" key to set the list of labels
-#   to check, or the "fbc_required_labels" key for fbc images.
+#   Use the rule data `required_labels` key to set the list of labels
+#   to check, or the `fbc_required_labels` key for fbc images.
 # custom:
 #   short_name: required_labels
 #   failure_msg: 'The required %q label is missing. Label description: %s'
@@ -70,8 +70,8 @@ deny contains result if {
 # title: Optional labels
 # description: >-
 #   Check the image for the presence of labels that are recommended,
-#   but not required. Use the rule data "optional_labels" key to set
-#   the list of labels to check, or the "fbc_optional_labels" key for
+#   but not required. Use the rule data `optional_labels` key to set
+#   the list of labels to check, or the `fbc_optional_labels` key for
 #   fbc images.
 # custom:
 #   short_name: optional_labels
@@ -99,8 +99,8 @@ warn contains result if {
 #   Check that certain labels on the image have different values than the labels
 #   from the parent image. If the label is inherited from the parent image but not
 #   redefined for the image, it will contain an incorrect value for the image.
-#   Use the rule data "disallowed_inherited_labels" key to set the list of labels
-#   to check, or the "fbc_disallowed_inherited_labels" key for fbc images.
+#   Use the rule data `disallowed_inherited_labels` key to set the list of labels
+#   to check, or the `fbc_disallowed_inherited_labels` key for fbc images.
 # custom:
 #   short_name: disallowed_inherited_labels
 #   failure_msg: The %q label should not be inherited from the parent image
diff --git a/policy/release/olm.rego b/policy/release/olm.rego
index e060e9b4..19976dab 100644
--- a/policy/release/olm.rego
+++ b/policy/release/olm.rego
@@ -17,8 +17,8 @@ olm_manifestv1 := "operators.operatorframework.io.bundle.manifests.v1"
 # METADATA
 # title: Unpinned images in OLM bundle
 # description: >-
-#   Checks the OLM bundle image for the presence of unpinned image references.
-#   Unpinned image pull refernces are references to images found in
+#   Check the OLM bundle image for the presence of unpinned image references.
+#   Unpinned image pull references are references to images found in
 #   link:https://osbs.readthedocs.io/en/latest/users.html#pullspec-locations[varying
 #   locations] that do not contain a digest -- uniquely identifying the version of
 #   the image being pulled.
diff --git a/policy/release/provenance_materials.rego b/policy/release/provenance_materials.rego
index 56e6b80b..03255355 100644
--- a/policy/release/provenance_materials.rego
+++ b/policy/release/provenance_materials.rego
@@ -17,7 +17,7 @@ import data.lib.tkn
 # METADATA
 # title: Git clone task found
 # description: >-
-#   The attestation must contain a git-clone task with `commit` and `url` task results.
+#   Confirm that the attestation contains a git-clone task with `commit` and `url` task results.
 # custom:
 #   short_name: git_clone_task_found
 #   failure_msg: Task git-clone not found
@@ -38,7 +38,7 @@ deny contains result if {
 # METADATA
 # title: Git clone source matches materials provenance
 # description: >-
-#   The result of the git-clone task must be included in the materials section of the SLSA
+#   Confirm that the result of the git-clone task is included in the materials section of the SLSA
 #   provenance attestation.
 # custom:
 #   short_name: git_clone_source_matches_provenance
diff --git a/policy/release/slsa_build_build_service.rego b/policy/release/slsa_build_build_service.rego
index a5e56398..48215312 100644
--- a/policy/release/slsa_build_build_service.rego
+++ b/policy/release/slsa_build_build_service.rego
@@ -21,7 +21,7 @@ import data.lib
 # METADATA
 # title: SLSA Builder ID found
 # description: >-
-#   The attestation attribute predicate.builder.id is set.
+#   Verify that the attestation attribute predicate.builder.id is set.
 # custom:
 #   short_name: slsa_builder_id_found
 #   failure_msg: Builder ID not set in attestation
@@ -44,8 +44,8 @@ deny contains result if {
 # METADATA
 # title: SLSA Builder ID is known and accepted
 # description: >-
-#   The attestation attribute predicate.builder.id is set to one
-#   of the values in the allowed_builder_ids rule data, e.g.
+#   Verify that the attestation attribute predicate.builder.id is set to one
+#   of the values in the `allowed_builder_ids` rule data, e.g.
 #   "https://tekton.dev/chains/v2".
 # custom:
 #   short_name: slsa_builder_id_accepted
diff --git a/policy/release/slsa_build_scripted_build.rego b/policy/release/slsa_build_scripted_build.rego
index cfdd55d5..6fa491ef 100644
--- a/policy/release/slsa_build_scripted_build.rego
+++ b/policy/release/slsa_build_scripted_build.rego
@@ -23,8 +23,8 @@ import data.lib.tkn
 # METADATA
 # title: Build task contains steps
 # description: >-
-#   The attestation attribute predicate.buildConfig.tasks.steps is not
-#   empty of the pipeline task responsible for building the image.
+#   Verify that the predicate.buildConfig.tasks.steps attribute for the task
+#   responsible for building and pushing the image is not empty.
 # custom:
 #   short_name: build_script_used
 #   failure_msg: Build task %q does not contain any steps
@@ -50,8 +50,8 @@ deny contains result if {
 # METADATA
 # title: Build task set image digest and url task results
 # description: >-
-#   The attestations must contain a build task with the expected
-#   IMAGE_DIGEST and IMAGE_URL results.
+#   Confirm that a build task exists and it has the expected
+#   IMAGE_DIGEST and IMAGE_URL task results.
 # custom:
 #   short_name: build_task_image_results_found
 #   failure_msg: Build task not found
@@ -75,7 +75,7 @@ deny contains result if {
 # METADATA
 # title: Provenance subject matches build task image result
 # description: >-
-#   The subject of the attestations must match the IMAGE_DIGEST and
+#   Verify the subject of the attestations matches the IMAGE_DIGEST and
 #   IMAGE_URL values from the build task.
 # custom:
 #   short_name: subject_build_task_matches
diff --git a/policy/release/slsa_provenance_available.rego b/policy/release/slsa_provenance_available.rego
index 3da130b6..07e8452d 100644
--- a/policy/release/slsa_provenance_available.rego
+++ b/policy/release/slsa_provenance_available.rego
@@ -21,8 +21,8 @@ import data.lib
 # METADATA
 # title: Expected attestation predicate type found
 # description: >-
-#   The predicateType field of the attestation must indicate the in-toto SLSA Provenance format
-#   was used to attest the PipelineRun.
+#   Verify that the predicateType field of the attestation indicates the in-toto SLSA Provenance
+#   format was used to attest the PipelineRun.
 # custom:
 #   short_name: attestation_predicate_type_accepted
 #   failure_msg: Attestation predicate type %q is not an expected type (%s)
diff --git a/policy/release/slsa_source_version_controlled.rego b/policy/release/slsa_source_version_controlled.rego
index 1c0d7328..39ba586d 100644
--- a/policy/release/slsa_source_version_controlled.rego
+++ b/policy/release/slsa_source_version_controlled.rego
@@ -35,7 +35,7 @@ import data.lib
 # METADATA
 # title: Materials have uri and digest
 # description: >-
-#   At least one entry in the predicate.materials array of the attestation contains
+#   Confirm at least one entry in the predicate.materials array of the attestation contains
 #   the expected attributes: uri and digest.sha1.
 # custom:
 #   short_name: materials_format_okay
@@ -60,7 +60,7 @@ deny contains result if {
 # METADATA
 # title: Material uri is a git repo
 # description: >-
-#   Each entry in the predicate.materials array of the attestation uses
+#   Ensure each entry in the predicate.materials array of the attestation uses
 #   a git URI.
 # custom:
 #   short_name: materials_uri_is_git_repo
@@ -86,7 +86,7 @@ deny contains result if {
 # METADATA
 # title: Materials include git commit shas
 # description: >-
-# Each entry in the predicate.materials array of the attestation includes
+# Ensure each entry in the predicate.materials array of the attestation includes
 # a SHA1 digest which corresponds to a git commit.
 # custom:
 # short_name: materials_include_git_sha
diff --git a/policy/release/step_image_registries.rego b/policy/release/step_image_registries.rego
index d3400ed7..ba96b9a8 100644
--- a/policy/release/step_image_registries.rego
+++ b/policy/release/step_image_registries.rego
@@ -16,9 +16,9 @@ import data.lib
 # METADATA
 # title: Task steps ran on permitted container images
 # description: >-
-# Enterprise Contract has a list of allowed registry prefixes. Each step in each
-# TaskRun must run on a container image with a url that matches one of the
-# prefixes in the list.
+# Confirm that each step in each TaskRun ran on a container image with a url that
+# matches one of the prefixes in the provided list of allowed step image registry
+# prefixes.
 # custom:
 # short_name: task_step_images_permitted
 # failure_msg: Step %d in task '%s' has disallowed image ref '%s'
@@ -44,8 +44,8 @@ deny contains result if {
 # METADATA
 # title: Permitted step image registry prefix list provided
 # description: >-
-# The policy rules in this package require the allowed_step_image_registry_prefixes
-# rule data to be provided.
+# Confirm the `allowed_step_image_registry_prefixes` rule data was provided, since it's
+# required by the policy rules in this package.
 # custom:
 # short_name: step_image_registry_prefix_list_provided
 # failure_msg: Missing required allowed_step_image_registry_prefixes rule data
diff --git a/policy/release/tasks.rego b/policy/release/tasks.rego
index fae19de2..fdbb6b40 100644
--- a/policy/release/tasks.rego
+++ b/policy/release/tasks.rego
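Review bot: The new description for task_step_images_permitted refers to "the provided list of allowed step image registry prefixes" without naming the rule data key, while the following hunk in the same file names `allowed_step_image_registry_prefixes` explicitly. Since this description is what a user reads when a step image is denied, naming the key tells them exactly what to configure to allow a registry. Suggest replacing the last two description lines with `# matches one of the prefixes in the allowed_step_image_registry_prefixes rule data.` The rule body is outside the hunk.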
@@ -24,7 +24,7 @@ import data.lib.tkn
 # METADATA
 # title: Pipeline run includes at least one task
 # description: >-
-# This policy enforces that at least one Task is present in the PipelineRun
+# Ensure that at least one Task is present in the PipelineRun
 # attestation.
 # custom:
 # short_name: pipeline_has_tasks
@@ -47,7 +47,7 @@ deny contains result if {
 # METADATA
 # title: All required tasks were included in the pipeline
 # description: >-
-# This policy enforces that the required set of tasks are included
+# Ensure that the set of required tasks are included
 # in the PipelineRun attestation.
 # custom:
 # short_name: required_tasks_found
@@ -71,7 +71,7 @@ deny contains result if {
 # METADATA
 # title: Required tasks list for pipeline was provided
 # description: >-
-# This policy warns if a task list does not exist in the required_tasks.yaml file
+# Produce a warning if the required tasks list rule data was not provided.
 # custom:
 # short_name: pipeline_required_tasks_list_provided
 # failure_msg: Required tasks do not exist for pipeline
@@ -91,7 +91,7 @@ warn contains result if {
 # METADATA
 # title: Future required tasks were found
 # description: >-
-# This policy warns when a task that will be required in the future
+# Produce a warning when a task that will be required in the future
 # was not included in the PipelineRun attestation.
 # custom:
 # short_name: future_required_tasks_found
@@ -116,7 +116,8 @@ warn contains result if {
 # METADATA
 # title: Required tasks list was provided
 # description: >-
-# The policy rules in this package require the required-tasks data to be provided.
+# Confirm the `required-tasks` rule data was provided, since it's
+# required by the policy rules in this package.
 # custom:
 # short_name: required_tasks_list_provided
 # failure_msg: Missing required task-bundles data
diff --git a/policy/release/test.rego b/policy/release/test.rego
index 21811713..6bb70ba1 100644
--- a/policy/release/test.rego
+++ b/policy/release/test.rego
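Review bot: In the last hunk of tasks.rego the new description for required_tasks_list_provided says the rule confirms the `required-tasks` rule data was provided, but the unchanged `# failure_msg: Missing required task-bundles data` two lines below still names task-bundles, so the message a user actually sees points at the wrong rule data. Suggest `# failure_msg: Missing required-tasks rule data`, in line with the wording this commit uses for step_image_registry_prefix_list_provided. The rule body is outside the hunk, so whether the mismatch is only in the message cannot be confirmed here.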
@@ -15,14 +15,14 @@ import future.keywords.in
 # METADATA
 # title: Test data found in task results
 # description: >-
-# Fails if none of the tasks in the pipeline included a TEST_OUTPUT
-# task result, which is where Enterprise Contract expects to find
-# test result data.
+# Ensure that at least one of the tasks in the pipeline includes a
+# TEST_OUTPUT task result, which is where Enterprise Contract expects
+# to find test result data.
 # custom:
 # short_name: test_data_found
 # failure_msg: No test data found
 # solution: >-
-# At least one task in the build pipeline must contain a result named TEST_OUTPUT.
+# Confirm at least one task in the build pipeline contains a result named TEST_OUTPUT.
 # collections:
 # - redhat
 # depends_on:
@@ -39,8 +39,8 @@ deny contains result if {
 # METADATA
 # title: Test data includes results key
 # description: >-
-# Each test result is expected to have a 'results' key. The check fails if
-# in at least one of the TEST_OUTPUT task results this key was not present.
+# Each test result is expected to have a `results` key. Verify that the `results`
+# key is present in all of the TEST_OUTPUT task results.
 # custom:
 # short_name: test_results_found
 # failure_msg: Found tests without results
@@ -61,9 +61,7 @@ deny contains result if {
 # METADATA
 # title: No unsupported test result values found
 # description: >-
-# This policy expects all test results to be one of a set of known/supported
-# values. It is a failure if we encounter a result in the test data that is
-# not supported.
+# Ensure all test data result values are in the set of known/supported result values.
 # custom:
 # short_name: test_results_known
 # failure_msg: Test '%s' has unsupported result '%s'
@@ -95,7 +93,7 @@ deny contains result if {
 # METADATA
 # title: All required tests passed
 # description: >-
-# Enterprise Contract requires that all the tests in the test results
+# Confirm that all the tests in the test results
 # have a successful result. A successful result is one that isn't a
 # "FAILURE" or "ERROR". This will fail if any of the tests failed and
 # the failure message will list the names of the failing tests.
@@ -118,7 +116,7 @@ deny contains result if {
 # METADATA
 # title: No tests were skipped
 # description: >-
-# Reports any test that has its result set to "SKIPPED".
+# Produce a warning if any tests have their result set to "SKIPPED".
 # custom:
 # short_name: no_skipped_tests
 # failure_msg: "Test %q was skipped"
@@ -139,7 +137,7 @@ warn contains result if {
 # METADATA
 # title: No tests produced warnings
 # description: >-
-# Reports any test that has its result set to "WARNING".
+# Produce a warning if any tests have their result set to "WARNING".
 # custom:
 # short_name: no_test_warnings
 # failure_msg: "Test %q returned a warning"
diff --git a/policy/task/kind.rego b/policy/task/kind.rego
index b9b90b0e..69876ab1 100644
--- a/policy/task/kind.rego
+++ b/policy/task/kind.rego
@@ -1,8 +1,9 @@
 #
 # METADATA
-# title: Task definition kind checks
+# title: Tekton task kind checks
 # description: >-
-# Task definition kind check
+# Policies to verify that a Tekton task definition has the expected
+# value for kind.
 #
 
 package policy.task.kind
@@ -14,12 +15,12 @@ import data.lib
 expected_kind := "Task"
 
 # METADATA
-# title: Input data has unexpected kind
+# title: Task definition has expected kind
 # description: >-
-# Check to confirm the input data has the kind "Task"
+# Confirm the task definition has the kind "Task".
 # custom:
-# short_name: unexpected_kind
-# failure_msg: Unexpected kind '%s'
+# short_name: expected_kind
+# failure_msg: Unexpected kind '%s' for task definition
 #
 deny contains result if {
 input.kind
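Review bot: Renaming `short_name: unexpected_kind` to `short_name: expected_kind` in kind.rego changes the result code the rule emits, as the updated test's `"code": "kind.expected_kind"` shows, and the `kind_not_found` → `kind_present` rename in the next kind.rego hunk does the same. Anything that matches on the old codes (for example a policy configuration that includes or excludes rules by code) would presumably stop matching without any error, so the old and new codes should be listed in the commit description or a changelog as a breaking change; the same applies to every other short_name rename in this commit. The body of the renamed deny rule starts inside the hunk but continues past it.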
@@ -28,11 +29,11 @@ deny contains result if {
 }
 
 # METADATA
-# title: Input data has kind defined
+# title: Kind field is present in task definition
 # description: >-
-# Check to confirm the input data has the kind field
+# Confirm the task definition includes the kind field.
 # custom:
-# short_name: kind_not_found
+# short_name: kind_present
 # failure_msg: Required field 'kind' not found
 #
 deny contains result if {
diff --git a/policy/task/kind_test.rego b/policy/task/kind_test.rego
index 4bf84fb2..3c8d6c11 100644
--- a/policy/task/kind_test.rego
+++ b/policy/task/kind_test.rego
@@ -4,8 +4,8 @@ import data.lib
 
 test_unexpected_kind {
 lib.assert_equal_results(deny, {{
-"code": "kind.unexpected_kind",
-"msg": "Unexpected kind 'Foo'",
+"code": "kind.expected_kind",
+"msg": "Unexpected kind 'Foo' for task definition",
 }}) with input.kind as "Foo"
 }
 
@@ -15,7 +15,7 @@ test_expected_kind {
 
 test_kind_not_found {
 lib.assert_equal_results(deny, {{
-"code": "kind.kind_not_found",
+"code": "kind.kind_present",
 "msg": "Required field 'kind' not found",
 }}) with input as {"bad": "Foo"}
 }