Require Image Vulnerability Scans
An important part of ensuring software supply chain integrity is performing periodic vulnerability scans on images. Initial scans as part of the build process are necessary, but as new vulnerabilities are discovered the scans must be refreshed. This policy ensures that images signed with Cosign's keyless mode during a GitHub Actions workflow carry an attested vulnerability scan that is no older than one week. The policy is expected to be customized to your signing strategy and to the images you designate.
Policy Definition
/other/require-vulnerability-scan/require-vulnerability-scan.yaml
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-vulnerability-scan
  annotations:
    policies.kyverno.io/title: Require Image Vulnerability Scans
    policies.kyverno.io/category: Software Supply Chain Security
    policies.kyverno.io/severity: medium
    kyverno.io/kyverno-version: 1.9.0
    policies.kyverno.io/minversion: 1.8.3
    kyverno.io/kubernetes-version: "1.24"
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      An important part of ensuring software supply chain integrity is performing
      periodic vulnerability scans on images. Initial scans as part of the build process
      is necessary, but as new vulnerabilities are discovered the scans must be refreshed.
      This policy ensures that images, signed with Cosign's keyless ability during a GitHub
      Actions workflow, have attested vulnerability scans not older than one week. This
      policy is expected to be customized based upon your signing strategy and applicable to
      the images you designate.
spec:
  # Audit only reports violations; switch to Enforce to block non-compliant Pods.
  validationFailureAction: Audit
  webhookTimeoutSeconds: 10
  failurePolicy: Fail
  rules:
    - name: scan-not-older-than-one-week
      match:
        any:
        - resources:
            kinds:
              - Pod
      verifyImages:
      # Only images matching this reference pattern are checked.
      - imageReferences:
        - "ghcr.io/myorg/myrepo:*"
        attestations:
        # The attestation must be a cosign vulnerability-scan predicate ...
        - predicateType: cosign.sigstore.dev/attestation/vuln/v1
          attestors:
          - entries:
            # ... signed keylessly by a workflow of this repository, via the GitHub OIDC issuer,
            # with the signature recorded in the public Rekor transparency log.
            - keyless:
                subject: "https://github.com/myorg/myrepo/.github/workflows/*"
                issuer: "https://token.actions.githubusercontent.com"
                rekor:
                  url: https://rekor.sigstore.dev
          conditions:
          - all:
            # Elapsed time since the scan finished must be at most 168h (one week).
            - key: "{{ time_since('','{{metadata.scanFinishedOn}}','') }}"
              operator: LessThanOrEquals
              value: "168h"
```
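To make the freshness condition concrete outside the cluster, the following added example (written for this page; it is not Kyverno's code or part of the policy) unwraps a cosign-style DSSE envelope, reads `predicate.metadata.scanFinishedOn` (the only predicate field the policy's `time_since` expression depends on), and applies the same `<= 168h` bound. It assumes the in-toto payload type `application/vnd.in-toto+json` and a `metadata.scanFinishedOn` RFC 3339 timestamp; the sample statement, its digest and scanner values are constructed placeholders. Signature verification is assumed to have happened already, as cosign or Kyverno would do before evaluating conditions; this script only evaluates the age check, and it treats a missing field, a wrong predicate type or a timestamp in the future as invalid rather than as a passing result (a choice made here, not something the policy spells out).

```python
"""Offline freshness check mirroring the policy's condition:
time_since('', metadata.scanFinishedOn, '') <= 168h."""
import base64
import json
from datetime import datetime, timedelta, timezone

VULN_PREDICATE_TYPE = "cosign.sigstore.dev/attestation/vuln/v1"  # from the policy
MAX_SCAN_AGE = timedelta(hours=168)                               # policy value "168h"
INTOTO_PAYLOAD_TYPE = "application/vnd.in-toto+json"


def statement_from_envelope(envelope: dict) -> dict:
    """Unwrap the in-toto Statement from a DSSE envelope.
    Assumes the envelope signature was verified beforehand (cosign/Kyverno do that)."""
    if envelope.get("payloadType") != INTOTO_PAYLOAD_TYPE:
        raise ValueError(f"unexpected payloadType {envelope.get('payloadType')!r}")
    return json.loads(base64.b64decode(envelope["payload"]))


def parse_rfc3339(ts: str) -> datetime:
    """Parse an RFC 3339 timestamp; a trailing 'Z' is normalised for older Pythons."""
    if ts.endswith("Z"):
        ts = ts[:-1] + "+00:00"
    dt = datetime.fromisoformat(ts)
    if dt.tzinfo is None:
        raise ValueError("scanFinishedOn must carry a timezone offset")
    return dt


def scan_age(statement: dict, now: datetime) -> timedelta:
    """Equivalent of time_since('', metadata.scanFinishedOn, '') with an explicit 'now'."""
    if statement.get("predicateType") != VULN_PREDICATE_TYPE:
        raise ValueError(f"unexpected predicateType {statement.get('predicateType')!r}")
    try:
        finished = statement["predicate"]["metadata"]["scanFinishedOn"]
    except KeyError as exc:
        raise ValueError("attestation lacks predicate.metadata.scanFinishedOn") from exc
    return now - parse_rfc3339(finished)


def scan_is_fresh(statement: dict, now: datetime = None,
                  max_age: timedelta = MAX_SCAN_AGE) -> bool:
    """True when the scan finished no more than max_age ago (LessThanOrEquals)."""
    now = now or datetime.now(timezone.utc)
    age = scan_age(statement, now)
    if age < timedelta(0):
        # A future timestamp is treated as malformed here, not as a very young scan.
        raise ValueError("scanFinishedOn lies in the future")
    return age <= max_age


def evaluate(statement: dict, now: datetime = None) -> str:
    """Policy-style verdict: 'fresh', 'stale', or 'invalid: <reason>'."""
    try:
        return "fresh" if scan_is_fresh(statement, now) else "stale"
    except ValueError as exc:
        return f"invalid: {exc}"


def make_envelope(statement: dict) -> dict:
    """Constructed, unsigned DSSE envelope used only for the demo below."""
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    return {"payloadType": INTOTO_PAYLOAD_TYPE, "payload": payload, "signatures": []}


# Constructed sample statement in the shape the policy reads (predicate.metadata.scanFinishedOn).
# The subject digest and scanner fields are placeholders, not real data.
SAMPLE_STATEMENT = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "subject": [{"name": "ghcr.io/myorg/myrepo", "digest": {"sha256": "0" * 64}}],
    "predicateType": VULN_PREDICATE_TYPE,
    "predicate": {
        "scanner": {"uri": "pkg:example/scanner", "version": "0.0.0"},
        "metadata": {
            "scanStartedOn": "2023-06-01T11:55:00Z",
            "scanFinishedOn": "2023-06-01T12:00:00Z",
        },
    },
}

if __name__ == "__main__":
    stmt = statement_from_envelope(make_envelope(SAMPLE_STATEMENT))
    for label, when in [("4 days after scan", "2023-06-05T12:00:00Z"),
                        ("exactly 168h after scan", "2023-06-08T12:00:00Z"),
                        ("8 days after scan", "2023-06-09T12:00:00Z")]:
        print(f"{label}: {evaluate(stmt, parse_rfc3339(when))}")
```

The explicit `now` parameter is what makes the check reproducible; in production you would call `evaluate(statement)` and let it use the current UTC time, exactly as the policy's empty third argument to `time_since` does.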