Misc description edits for consistency & brevity

- Remove "This policy.." prefix in task descriptions - Shorten "Enforcing this rule..." description text - Remove "A sanity check to" from rule description - Add some missing periods at the end of the description - Fix some misindented description annotations - More consistent use of back-ticks for rule data keys Plus a few more along those lines...
enterprise-contract · Aug 15, 2023 · b61f692 · b61f692
1 parent 0e382f9
commit b61f692
Show file tree

Hide file tree

Showing 20 changed files with 79 additions and 78 deletions.
diff --git a/checks/annotations_test.rego b/checks/annotations_test.rego
@@ -53,7 +53,7 @@ opa_inspect_valid := {
 					"short_name": "pipelinerun_attestation_found",
 					"solution": "Make sure the attestation being verified was generated from a Tekton pipelineRun.",
 				},
-				"description": "At least one PipelineRun attestation must be present.",
+				"description": "Confirm at least one PipelineRun attestation is present.",
 				"scope": "rule",
 				"title": "PipelineRun attestation found",
 			},
@@ -78,7 +78,7 @@ opa_inspect_missing_annotations := {
 	"annotations": [{
 		"annotations": {
 			"scope": "rule",
-			"description": "Check for existence of a task bundle. Enforcing this rule will\nfail the contract if the task is not called from a bundle.",
+			"description": "Check for the existence of a task bundle. This rule will fail if the task is not called from a bundle.",
 			"custom": {
 				"flagiure_msg": "Task '%s' does not contain a bundle reference",
 				"short_name": "disallowed_task_reference",

diff --git a/policy/pipeline/required_tasks.rego b/policy/pipeline/required_tasks.rego
@@ -18,7 +18,7 @@ import data.lib.tkn
 # METADATA
 # title: Pipeline contains tasks
 # description: >-
-#   Confirm that at least one task is present in the pipeline definition.
+#   Confirm at least one task is present in the pipeline definition.
 # custom:
 #   short_name: tasks_found
 #   failure_msg: No tasks found in pipeline
@@ -50,7 +50,7 @@ warn contains result if {
 # METADATA
 # title: Missing required task
 # description: >-
-#   This policy enforces that the required set of tasks are included
+#   Ensure that the set of required tasks is included
 #   in the Pipeline definition.
 # custom:
 #   short_name: missing_required_task
@@ -69,8 +69,8 @@ deny contains result if {
 # METADATA
 # title: Missing future required task
 # description: >-
-#   This policy warns when a task that will be required in the future
-#   was not included in the Pipeline definition.
+#   Produce a warning when a task that will be required in the future
+#   is not currently included in the Pipeline definition.
 # custom:
 #   short_name: missing_future_required_task
 #   failure_msg: Task %q is missing and will be required in the future
@@ -89,7 +89,8 @@ warn contains result if {
 # METADATA
 # title: Required task list is present in rule data
 # description: >-
-#   The policy rules in this package require the required-tasks rule data to be provided.
+#   Confirm the `required-tasks` rule data was provided, since it's
+#   required by the policy rules in this package.
 # custom:
 #   short_name: required_tasks_list_present
 #   failure_msg: The required tasks list is missing from the rule data

diff --git a/policy/pipeline/task_bundle.rego b/policy/pipeline/task_bundle.rego
@@ -21,8 +21,8 @@ import data.lib.bundles
 # METADATA
 # title: Task bundle was not used or is not defined
 # description: >-
-#   Check for existence of a task bundle. Enforcing this rule will
-#   fail the contract if the task is not called from a bundle.
+#   Check for the existence of a task bundle. This rule will
+#   fail if the task is not called from a bundle.
 # custom:
 #   short_name: disallowed_task_reference
 #   failure_msg: Pipeline task '%s' does not contain a bundle reference
@@ -35,7 +35,7 @@ deny contains result if {
 # METADATA
 # title: Task bundle reference is empty
 # description: >-
-#   Check for a valid task bundle reference being used.
+#   Check that a valid task bundle reference is being used.
 # custom:
 #   short_name: empty_task_bundle_reference
 #   failure_msg: Pipeline task '%s' uses an empty bundle image reference
@@ -91,7 +91,8 @@ deny contains result if {
 # METADATA
 # title: Missing required data
 # description: >-
-#   The policy rules in this package require the task-bundles data to be provided.
+#   Confirm the `task-bundles` rule data was provided, since it's
+#   required by the policy rules in this package.
 # custom:
 #   short_name: missing_required_data
 #   failure_msg: Missing required task-bundles data

diff --git a/policy/release/attestation_task_bundle.rego b/policy/release/attestation_task_bundle.rego
@@ -21,8 +21,8 @@ import data.lib.bundles
 # METADATA
 # title: Tasks defined using bundle references
 # description: >-
-#   Check for existence of a task bundle. Enforcing this rule will
-#   fail the contract if the task is not called from a bundle.
+#   Check for the existence of a task bundle. This rule will
+#   fail if the task is not called from a bundle.
 # custom:
 #   short_name: tasks_defined_in_bundle
 #   failure_msg: Pipeline task '%s' does not contain a bundle reference
@@ -40,7 +40,7 @@ deny contains result if {
 # METADATA
 # title: Task bundle references not empty
 # description: >-
-#   Check for a valid task bundle reference being used.
+#   Check that a valid task bundle reference is being used.
 # custom:
 #   short_name: task_ref_bundles_not_empty
 #   failure_msg: Pipeline task '%s' uses an empty bundle image reference
@@ -123,8 +123,8 @@ deny contains result if {
 # METADATA
 # title: An acceptable Tekton bundles list was provided
 # description: >-
-#   The policy rules in this package require the acceptable Tekton task bundles
-#   rule data to be provided.
+#   Confirm the `task-bundles` rule data was provided, since it's
+#   required by the policy rules in this package.
 # custom:
 #   short_name: acceptable_bundles_provided
 #   failure_msg: Missing required task-bundles data

diff --git a/policy/release/attestation_type.rego b/policy/release/attestation_type.rego
@@ -14,7 +14,7 @@ import data.lib
 # METADATA
 # title: Known attestation type found
 # description: >-
-#   A sanity check to confirm the attestation found for the image has a known
+#   Confirm the attestation found for the image has a known
 #   attestation type.
 # custom:
 #   short_name: known_attestation_type
@@ -38,7 +38,7 @@ deny contains result if {
 # METADATA
 # title: PipelineRun attestation found
 # description: >-
-#   At least one PipelineRun attestation must be present.
+#   Confirm at least one PipelineRun attestation is present.
 # custom:
 #   short_name: pipelinerun_attestation_found
 #   failure_msg: Missing pipelinerun attestation

diff --git a/policy/release/base_image_registries.rego b/policy/release/base_image_registries.rego
@@ -16,8 +16,8 @@ import data.lib
 # METADATA
 # title: Base image comes from permitted registry
 # description: >-
-#   The base images used when building a container image must come from a known set
-#   of trusted registries to reduce potential supply chain attacks. By default this
+#   Verify that the base images used when building a container image come from a known
+#   set of trusted registries to reduce potential supply chain attacks. By default this
 #   policy defines trusted registries as registries that are fully maintained by Red
 #   Hat and only contain content produced by Red Hat. The list of permitted registries
 #   can be customized by setting the `allowed_registry_prefixes` list in the rule data.
@@ -43,7 +43,7 @@ deny contains result if {
 # METADATA
 # title: Base image task result was provided
 # description: >-
-#   The attestation must provide the expected information about which base images
+#   Verify the attestation provides the expected information about which base images
 #   were used during the build process. The base image information is expected to
 #   be found in a task result called `BASE_IMAGES_DIGESTS`.
 # custom:
@@ -70,8 +70,8 @@ deny contains result if {
 # METADATA
 # title: Allowed base image registry prefixes list was provided
 # description: >-
-#   The policy rules in this package require the `allowed_registry_prefixes`
-#   rule data to be provided.
+#   Confirm the `allowed_registry_prefixes` rule data was provided, since it's
+#   required by the policy rules in this package.
 # custom:
 #   short_name: allowed_registries_provided
 #   failure_msg: Missing required allowed_registry_prefixes rule data

diff --git a/policy/release/buildah_build_task.rego b/policy/release/buildah_build_task.rego
@@ -16,7 +16,7 @@ import data.lib
 # METADATA
 # title: Buildah task has Dockerfile param defined
 # description: >-
-#   This policy verifies that a DOCKERFILE parameter was provided to
+#   Verify that a DOCKERFILE parameter was provided to
 #   the buildah task.
 # custom:
 #   short_name: buildah_task_has_dockerfile_param
@@ -39,8 +39,8 @@ deny contains result if {
 # METADATA
 # title: Buildah task uses a local Dockerfile
 # description: >-
-#   This policy verifies that the Dockerfile used in the buildah task is not
-#   fetched from an external source
+#   Verify the Dockerfile used in the buildah task was not
+#   fetched from an external source.
 # custom:
 #   short_name: buildah_uses_local_dockerfile
 #   failure_msg: DOCKERFILE param value (%s) is an external source

diff --git a/policy/release/cve.rego b/policy/release/cve.rego
@@ -21,8 +21,8 @@ import data.lib
 #   of certain security levels have not been detected. If detected, this policy
 #   rule will fail. By default, only CVEs of critical and high security level
 #   cause a failure. This is configurable by the rule data key
-#   "restrict_cve_security_levels". The available levels are critical, high,
-#    medium, and low.
+#   `restrict_cve_security_levels`. The available levels are critical, high,
+#   medium, and low.
 # custom:
 #   short_name: cve_blockers
 #   failure_msg: Found %d CVE vulnerabilities of %s security level
@@ -47,8 +47,8 @@ deny contains result if {
 #   of certain security levels have not been detected. If detected, this policy
 #   rule will raise a warning. By default, the list of CVE security levels used
 #   by this policy is empty. However, this is configurable by the rule data key
-#   "warn_cve_security_levels". The available levels are critical, high,
-#    medium, and low.
+#   `warn_cve_security_levels`. The available levels are critical, high,
+#   medium, and low.
 # custom:
 #   short_name: cve_warnings
 #   failure_msg: Found %d non-blocking CVE vulnerabilities of %s security level

diff --git a/policy/release/github_certificate.rego b/policy/release/github_certificate.rego
@@ -34,7 +34,7 @@ warn contains result if {
 # description: >-
 #   Check if the value of the GitHub Workflow Repository extension in the image
 #   signature certificate matches one of the allowed values. Use the rule data
-#   key "allowed_gh_workflow_repos" to specify the list of allowed values.
+#   key `allowed_gh_workflow_repos` to specify the list of allowed values.
 #   An empty allow list, which is the default value, causes this check to succeeded.
 # custom:
 #   short_name: gh_workflow_repository
@@ -49,7 +49,7 @@ deny contains result if {
 # description: >-
 #   Check if the value of the GitHub Workflow Ref extension in the image
 #   signature certificate matches one of the allowed values. Use the rule data
-#   key "allowed_gh_workflow_refs" to specify the list of allowed values.
+#   key `allowed_gh_workflow_refs` to specify the list of allowed values.
 #   An empty allow list, which is the default value, causes this check to succeeded.
 # custom:
 #   short_name: gh_workflow_ref
@@ -64,7 +64,7 @@ deny contains result if {
 # description: >-
 #   Check if the value of the GitHub Workflow Name extension in the image
 #   signature certificate matches one of the allowed values. Use the rule data
-#   key "allowed_gh_workflow_names" to specify the list of allowed values.
+#   key `allowed_gh_workflow_names` to specify the list of allowed values.
 #   An empty allow list, which is the default value, causes this check to succeeded.
 # custom:
 #   short_name: gh_workflow_name

diff --git a/policy/release/hermetic_build_task.rego b/policy/release/hermetic_build_task.rego
@@ -16,7 +16,7 @@ import data.lib.tkn
 # METADATA
 # title: Build task called with hermetic param set
 # description: >-
-#   This policy verifies the build task in the PipelineRun attestation
+#   Verify the build task in the PipelineRun attestation
 #   was invoked with the proper parameters to make the build process
 #   hermetic.
 # custom:

diff --git a/policy/release/java.rego b/policy/release/java.rego
@@ -18,10 +18,10 @@ import data.lib
 # METADATA
 # title: Java builds have no foreign dependencies
 # description: >-
-#   The SBOM_JAVA_COMPONENTS_COUNT TaskResult finds dependencies that have
+#   The SBOM_JAVA_COMPONENTS_COUNT task result finds dependencies that have
 #   originated from foreign repositories, i.e. ones that are not rebuilt or
-#   provided by Red Hat. This rule uses the `allowed_java_component_sources`
-#   rule data.
+#   provided by Red Hat. Verify there are no dependencies from sources not
+#   listed in the `allowed_java_component_sources` rule data.
 # custom:
 #   short_name: no_foreign_dependencies
 #   failure_msg: Found Java dependencies from '%s', expecting to find only from '%s'
@@ -43,8 +43,8 @@ deny contains result if {
 # METADATA
 # title: Trusted Java dependency source list was provided
 # description: >-
-#   The policy rules in this package require the `allowed_java_component_sources`
-#   rule data to be provided.
+#   Confirm the `allowed_java_component_sources` rule data was provided, since it's
+#   required by the policy rules in this package.
 # custom:
 #   short_name: trusted_dependencies_source_list_provided
 #   failure_msg: Missing required allowed_java_component_sources rule data

diff --git a/policy/release/olm.rego b/policy/release/olm.rego
@@ -17,8 +17,8 @@ olm_manifestv1 := "operators.operatorframework.io.bundle.manifests.v1"
 # METADATA
 # title: Unpinned images in OLM bundle
 # description: >-
-#   Checks the OLM bundle image for the presence of unpinned image references.
-#   Unpinned image pull refernces are references to images found in
+#   Check the OLM bundle image for the presence of unpinned image references.
+#   Unpinned image pull references are references to images found in
 #   link:https://osbs.readthedocs.io/en/latest/users.html#pullspec-locations[varying
 #   locations] that do not contain a digest -- uniquely identifying the version of
 #   the image being pulled.

diff --git a/policy/release/provenance_materials.rego b/policy/release/provenance_materials.rego
@@ -17,7 +17,7 @@ import data.lib.tkn
 # METADATA
 # title: Git clone task found
 # description: >-
-#   The attestation must contain a git-clone task with `commit` and `url` task results.
+#   Confirm that the attestation contains a git-clone task with `commit` and `url` task results.
 # custom:
 #   short_name: git_clone_task_found
 #   failure_msg: Task git-clone not found
@@ -38,7 +38,7 @@ deny contains result if {
 # METADATA
 # title: Git clone source matches materials provenance
 # description: >-
-#   The result of the git-clone task must be included in the materials section of the SLSA
+#   Confirm that the result of the git-clone task is included in the materials section of the SLSA
 #   provenance attestation.
 # custom:
 #   short_name: git_clone_source_matches_provenance

diff --git a/policy/release/slsa_build_build_service.rego b/policy/release/slsa_build_build_service.rego
@@ -21,7 +21,7 @@ import data.lib
 # METADATA
 # title: SLSA Builder ID found
 # description: >-
-#   The attestation attribute predicate.builder.id is set.
+#   Verify that the attestation attribute predicate.builder.id is set.
 # custom:
 #   short_name: slsa_builder_id_found
 #   failure_msg: Builder ID not set in attestation
@@ -44,8 +44,8 @@ deny contains result if {
 # METADATA
 # title: SLSA Builder ID is known and accepted
 # description: >-
-#   The attestation attribute predicate.builder.id is set to one
-#   of the values in the allowed_builder_ids rule data, e.g.
+#   Verify that the attestation attribute predicate.builder.id is set to one
+#   of the values in the `allowed_builder_ids` rule data, e.g.
 #   "https://tekton.dev/chains/v2".
 # custom:
 #   short_name: slsa_builder_id_accepted

diff --git a/policy/release/slsa_build_scripted_build.rego b/policy/release/slsa_build_scripted_build.rego
@@ -23,8 +23,8 @@ import data.lib.tkn
 # METADATA
 # title: Build task contains steps
 # description: >-
-#   The attestation attribute predicate.buildConfig.tasks.steps is not
-#   empty of the pipeline task responsible for building the image.
+#   Verify that the predicate.buildConfig.tasks.steps attribute for the task
+#   responsible for building and pushing the image is not empty.
 # custom:
 #   short_name: build_script_used
 #   failure_msg: Build task %q does not contain any steps
@@ -50,8 +50,8 @@ deny contains result if {
 # METADATA
 # title: Build task set image digest and url task results
 # description: >-
-#   The attestations must contain a build task with the expected
-#   IMAGE_DIGEST and IMAGE_URL results.
+#   Confirm that a build task exists and it has the expected
+#   IMAGE_DIGEST and IMAGE_URL task results.
 # custom:
 #   short_name: build_task_image_results_found
 #   failure_msg: Build task not found
@@ -75,7 +75,7 @@ deny contains result if {
 # METADATA
 # title: Provenance subject matches build task image result
 # description: >-
-#   The subject of the attestations must match the IMAGE_DIGEST and
+#   Verify the subject of the attestations matches the IMAGE_DIGEST and
 #   IMAGE_URL values from the build task.
 # custom:
 #   short_name: subject_build_task_matches

diff --git a/policy/release/slsa_provenance_available.rego b/policy/release/slsa_provenance_available.rego
@@ -21,8 +21,8 @@ import data.lib
 # METADATA
 # title: Expected attestation predicate type found
 # description: >-
-#   The predicateType field of the attestation must indicate the in-toto SLSA Provenance format
-#   was used to attest the PipelineRun.
+#   Verify that the predicateType field of the attestation indicates the in-toto SLSA Provenance
+#   format was used to attest the PipelineRun.
 # custom:
 #   short_name: attestation_predicate_type_accepted
 #   failure_msg: Attestation predicate type %q is not an expected type (%s)

diff --git a/policy/release/slsa_source_version_controlled.rego b/policy/release/slsa_source_version_controlled.rego
@@ -35,7 +35,7 @@ import data.lib
 # METADATA
 # title: Materials have uri and digest
 # description: >-
-#   At least one entry in the predicate.materials array of the attestation contains
+#   Confirm at least one entry in the predicate.materials array of the attestation contains
 #   the expected attributes: uri and digest.sha1.
 # custom:
 #   short_name: materials_format_okay
@@ -60,7 +60,7 @@ deny contains result if {
 # METADATA
 # title: Material uri is a git repo
 # description: >-
-#   Each entry in the predicate.materials array of the attestation uses
+#   Ensure each entry in the predicate.materials array of the attestation uses
 #   a git URI.
 # custom:
 #   short_name: materials_uri_is_git_repo
@@ -86,7 +86,7 @@ deny contains result if {
 # METADATA
 # title: Materials include git commit shas
 # description: >-
-#   Each entry in the predicate.materials array of the attestation includes
+#   Ensure each entry in the predicate.materials array of the attestation includes
 #   a SHA1 digest which corresponds to a git commit.
 # custom:
 #   short_name: materials_include_git_sha