Merge pull request #104 from jhrozek/artifact_constraints

Change the artifact_signature rule to use constraints evaluation, not deny-by-default
mindersec · May 7, 2024 · 43ac564 · 43ac564
2 parents 88749cb + 91e1f33
commit 43ac564
Showing 1 changed file with 12 additions and 8 deletions.
diff --git a/rule-types/github/artifact_signature.yaml b/rule-types/github/artifact_signature.yaml
@@ -85,21 +85,25 @@ def:
   eval:
     type: rego
     rego:
-      type: deny-by-default
+      type: constraints
       def: |
         package minder
 
         import future.keywords.every
         import future.keywords.if
 
-        default allow := false
+        violations[{"msg": msg}] {
+          # iterate over the artifacts. We want all artifacts to be checked individually
+          artifactVersion := input.ingested[_]
 
-        allow if {
-          every artifactVersion in input.ingested {
-            every key, value in input.profile {
-              artifactVersion.Verification[key] == value
-            }
-          }
+          # for each artifact, iterate over all the profile keys
+          keys := object.keys(input.profile)
+          key := keys[_]
+          value := input.profile[key]
+
+          artifactVersion.Verification[key] != value
+
+          msg := sprintf("Verification failed for on key '%s': expected '%v', got '%v'", [key, value, artifactVersion.Verification[key]])
         }
   # Defines the configuration for alerting on the rule
   alert: