
Verify SLSA Provenance (Keyless)

Provenance describes how an artifact was produced and where it originated; SLSA provenance is an industry-standard format for recording it. This policy verifies that an image carries an SLSA provenance attestation produced by the official slsa-github-generator container workflow, signed keylessly through GitHub Actions with the expected OIDC subject and issuer, and that the builder.id recorded in the provenance is a tagged release of that workflow. The image references, and the workflow subject if you use a different generator, must be replaced with your own values. As published the policy runs in audit mode, so violations are reported rather than blocked.

Policy Definition

/other/verify-image-slsa/verify-image-slsa.yaml

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-slsa-provenance-keyless
  annotations:
    policies.kyverno.io/title: Verify SLSA Provenance (Keyless)
    policies.kyverno.io/category: Software Supply Chain Security
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/minversion: 1.8.3
    kyverno.io/kyverno-version: 1.9.0
    kyverno.io/kubernetes-version: "1.24"
    policies.kyverno.io/description: >-
      Provenance is used to identify how an artifact was produced
      and from where it originated. SLSA provenance is an industry-standard
      method of representing that provenance. This policy verifies that an
      image has SLSA provenance and was signed by the expected subject and issuer
      when produced through GitHub Actions. It requires configuration based upon
      your own values.
spec:
  # Audit only records violations; use Enforce to block Pods whose images fail verification.
  validationFailureAction: audit
  webhookTimeoutSeconds: 30
  rules:
    - name: check-slsa-keyless
      match:
        any:
        - resources:
            kinds:
              - Pod
      verifyImages:
      # Replace with the image references this policy should cover.
      - imageReferences:
        - "myreg.org/path/repo:*"
        attestations:
        - predicateType: https://slsa.dev/provenance/v0.2
          attestors:
          - count: 1
            entries:
            - keyless:
                # OIDC identity of the official SLSA container generator workflow at any tagged release.
                subject: "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/tags/v*"
                issuer: "https://token.actions.githubusercontent.com"
                rekor:
                  url: https://rekor.sigstore.dev
          conditions:
          - all:
            # Conditions are evaluated against the provenance predicate, so builder.id is
            # predicate.builder.id. The pattern requires the official SLSA generator workflow
            # pinned to a tagged semver release: dots are matched literally via [.] and each
            # version component may have several digits, so a branch ref, a fork, or a
            # look-alike ref such as v1x2y3 is rejected. If you use a different provenance
            # generation workflow, adjust the workflow part of the pattern.
            - key: "{{ regex_match('^https://github[.]com/slsa-framework/slsa-github-generator/[.]github/workflows/generator_container_slsa3[.]yml@refs/tags/v[0-9]+[.][0-9]+[.][0-9]+$', '{{ builder.id }}') }}"
              operator: Equals
              value: true