Check Tekton TaskRun Vulnerability Scan
A signed bundle is required and a vulnerability scan made by Grype must return no vulnerabilities greater than 8.0.
Policy Definition
/tekton/verify-tekton-taskrun-vuln-scan/verify-tekton-taskrun-vuln-scan.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-tekton-taskrun-vuln-scan
  annotations:
    policies.kyverno.io/title: Check Tekton TaskRun Vulnerability Scan
    policies.kyverno.io/category: Tekton
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: TaskRun
    kyverno.io/kyverno-version: 1.7.2
    policies.kyverno.io/minversion: 1.7.0
    kyverno.io/kubernetes-version: "1.23"
    policies.kyverno.io/description: >-
      A signed bundle is required and a vulnerability scan made by Grype must
      return no vulnerabilities greater than 8.0.
spec:
  validationFailureAction: Audit
  webhookTimeoutSeconds: 30
  rules:
    - name: check-signature
      match:
        any:
        - resources:
            kinds:
              - tekton.dev/v1beta1/TaskRun.status
      imageExtractors:
        TaskRun:
          - name: "taskrunstatus"
            path: "/status/taskSpec/steps/*"
            value: "image"
            key: "name"
      verifyImages:
      - imageReferences:
        - "*"
        attestations:
        - predicateType: https://grype.anchore.io/scan
          attestors:
          - entries:
            - keys:
                publicKeys: |-
                  -----BEGIN PUBLIC KEY-----
                  MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEahmSvGFmxMJABilV1usgsw6ImcQ/
                  gDaxw57Sq+uNGHW8Q3zUSx46PuRqdTI+4qE3Ng2oFZgLMpFN/qMrP0MQQg==
                  -----END PUBLIC KEY-----
          conditions:
          - any:
            - key: "{{ matches[].vulnerability[].cvss[?metrics.impactScore > '8.0'][] | length(@) }}"
              operator: Equals
              value: 0
            - key: "{{ source.target.userInput }}"
              operator: Equals
              value: "ghcr.io/tap8stry/git-init:v0.21.0@sha256:322e3502c1e6fba5f1869efb55cfd998a3679e073840d33eb0e3c482b5d5609b"
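To see what the two conditions actually evaluate on a Grype report, here is an added Python example (not part of the Kyverno policy, of Kyverno's JMESPath engine, or of Grype) that walks a constructed https://grype.anchore.io/scan predicate body, applies the same impactScore > 8.0 test per CVSS record, and checks the digest-pinned image reference; the CVE ids and scores are made up.

```python
import json

# Constructed excerpt of a Grype JSON report, i.e. the body of a
# https://grype.anchore.io/scan attestation. Ids and scores are made up;
# the image reference is the one pinned in the policy above.
SAMPLE_PREDICATE = json.loads("""
{
  "source": {"target": {"userInput":
    "ghcr.io/tap8stry/git-init:v0.21.0@sha256:322e3502c1e6fba5f1869efb55cfd998a3679e073840d33eb0e3c482b5d5609b"}},
  "matches": [
    {"vulnerability": {"id": "CVE-0000-0001", "severity": "Critical",
       "cvss": [{"version": "3.1", "metrics": {"baseScore": 9.8, "impactScore": 5.9}}]}},
    {"vulnerability": {"id": "CVE-0000-0002", "severity": "High",
       "cvss": [{"version": "2.0", "metrics": {"baseScore": 10.0, "impactScore": 10.0}}]}},
    {"vulnerability": {"id": "CVE-0000-0003", "severity": "Medium", "cvss": []}}
  ]
}
""")

# The digest-pinned reference the policy's second condition expects.
PINNED_IMAGE = ("ghcr.io/tap8stry/git-init:v0.21.0@sha256:"
                "322e3502c1e6fba5f1869efb55cfd998a3679e073840d33eb0e3c482b5d5609b")


def high_impact_entries(predicate, threshold=8.0):
    """Return (vulnerability id, cvss version, impactScore) for every CVSS
    record whose impactScore exceeds the threshold. Each CVSS record counts
    separately, as in the policy's flattened JMESPath projection; records
    without a numeric impactScore are ignored rather than counted."""
    hits = []
    for match in predicate.get("matches", []):
        vuln = match.get("vulnerability", {})
        for cvss in vuln.get("cvss") or []:
            score = (cvss.get("metrics") or {}).get("impactScore")
            if isinstance(score, (int, float)) and score > threshold:
                hits.append((vuln.get("id"), cvss.get("version"), score))
    return hits


def evaluate(predicate, threshold=8.0, pinned=PINNED_IMAGE):
    """Evaluate both policy conditions and report which of them hold."""
    scan_clean = len(high_impact_entries(predicate, threshold)) == 0
    user_input = predicate.get("source", {}).get("target", {}).get("userInput")
    return {"scan_clean": scan_clean, "image_pinned": user_input == pinned}


if __name__ == "__main__":
    print(high_impact_entries(SAMPLE_PREDICATE))
    print(evaluate(SAMPLE_PREDICATE))
```

Because CVSS v3 impact subscores top out around 6, only CVSS v2 records can exceed 8.0 under this condition: the sample's 9.8 v3.1 critical is not counted while the v2 record is, so a threshold on baseScore may be what a policy author actually wants.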