Original file line number Diff line number Diff line change 5555 - key : " {{ `{{ predicate.runDetails.builder.id }}` }}"
5656 operator : Equals
5757 value : " devguard.org"
58- - key : " {{ `{{ contains(predicate.buildDefinition.externalParameters.remotes, 'https://github.com/l3montree-dev/devguard') }}` }}"
59- operator : Equals
60- value : true
58+ - key : " {{ `{{ predicate.buildDefinition.externalParameters.remotes }}` }}"
59+ operator : AnyIn
60+ value :
61+ - " https://github.com/l3montree-dev/devguard"
62+ - " https://github.com/l3montree-dev/devguard-web"
6163 # personal email addresses from maintainers - those are
6264 # hardcoded because we don't want to allow any other maintainers to sign the images
6365 # numeric GitHub user IDs in noreply emails are permanent even if username changes
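Review bot: `AnyIn` on `predicate.buildDefinition.externalParameters.remotes` passes as soon as one listed remote matches, so a provenance that names an allowed repository plus an unrelated one is still accepted, and the two-entry allow-list is shared by every image this rule matches. If the attestation is meant to bind each image to its own source, consider `operator: AllIn` so that every remote must be on the list, and a separate condition per image so that a devguard image cannot pass on the devguard-web remote alone. The same condition is repeated in the non-templated copy of the policy further down (the section that sets `namespace: default`). The enclosing rule starts and ends outside this hunk, so the image references it applies to are not visible here.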
Original file line number Diff line number Diff line change @@ -7,6 +7,7 @@ policies:
77resources :
88 - resources/pod-devguard.yaml
99 - resources/pod-devguard-web.yaml
10+ - resources/pod-postgresql.yaml
1011results :
1112 - policy : verify-image-signatures
1213 rule : verify-devguard-images
@@ -20,3 +21,9 @@ results:
2021 - devguard-web-test
2122 kind : Pod
2223 result : pass
24+ - policy : verify-image-signatures
25+ rule : verify-devguard-postgresql-image
26+ resources :
27+ - postgresql-test
28+ kind : Pod
29+ result : pass
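Review bot: Every result visible in this test file expects `pass`, including the new `verify-devguard-postgresql-image` entry, so the suite would stay green even if the rule stopped enforcing anything. Add at least one negative case: a Pod fixture whose image is unsigned or whose provenance names a remote outside the allow-list, with a matching results entry that sets `result: fail`. Part of the results list lies between the two hunks and is not shown, so such a case may already exist there.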
Original file line number Diff line number Diff line change @@ -2,7 +2,7 @@ apiVersion: kyverno.io/v1
22kind : Policy
33metadata :
44 name : verify-image-signatures
5- namespace : devguard
5+ namespace : default
66 annotations :
77 policies.kyverno.io/title : Verify Image Signatures
88 policies.kyverno.io/category : Software Supply Chain Security
5454 - key : " {{ predicate.runDetails.builder.id }}"
5555 operator : Equals
5656 value : " devguard.org"
57- - key : " {{ contains(predicate.buildDefinition.externalParameters.remotes, 'https://github.com/l3montree-dev/devguard') }}"
58- operator : Equals
59- value : true
57+ - key : " {{ predicate.buildDefinition.externalParameters.remotes }}"
58+ operator : AnyIn
59+ value :
60+ - " https://github.com/l3montree-dev/devguard"
61+ - " https://github.com/l3montree-dev/devguard-web"
6062 # personal email addresses from maintainers - those are
6163 # hardcoded because we don't want to allow any other maintainers to sign the images
6264 # numeric GitHub user IDs in noreply emails are permanent even if username changes
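Review bot: This policy appears to be a hand-maintained copy of the templated policy changed in the first section (the same condition without the template escaping), and this commit had to edit both by hand. With `namespace` now set to `default`, the tests may also evaluate something different from what is deployed. Either render the test policy from the chart in CI or add a header comment such as `# copy of the chart's verify-image-signatures policy, used only by the kyverno tests; keep the conditions in sync`. The rest of the policy lies outside this hunk.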
Original file line number Diff line number Diff line change @@ -6,4 +6,4 @@ metadata:
66spec :
77 containers :
88 - name : devguard-web
9- image : ghcr.io/l3montree-dev/devguard-web:main-01c6e761-1773761560@sha256:bf2a9efcd36b158011775126a57a1a2e814286858690918289e974baa50ea7c3
9+ image : ghcr.io/l3montree-dev/devguard-web:main-01c6e761-1773761560
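Review bot: Dropping the `@sha256:` digest makes this fixture resolve the tag at test time, so the expected `pass` depends on what the registry serves that day rather than on a fixed, known-signed artifact. The same applies to the `main-latest` reference in the devguard Pod fixture, which is a moving tag, and to the new `postgresql:v1.1.0` fixture. If the old digests were removed because they are no longer available (an inference), pin current ones in the `repo:tag@sha256:<digest>` form and add a comment such as `# pinned so the signature check is reproducible; refresh when the image is rebuilt`.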
Original file line number Diff line number Diff line change @@ -6,4 +6,4 @@ metadata:
66spec :
77 containers :
88 - name : devguard
9- image : ghcr.io/l3montree-dev/devguard:main-latest@sha256:3f73f656067e25bcf0ff6d62aaff2834f1c8f7d55261d5dbb866abb0f1d2124f
9+ image : ghcr.io/l3montree-dev/devguard:main-latest
Original file line number Diff line number Diff line change 1+ apiVersion : v1
2+ kind : Pod
3+ metadata :
4+ name : postgresql-test
5+ namespace : default
6+ spec :
7+ containers :
8+ - name : postgresql
9+ image : ghcr.io/l3montree-dev/devguard/postgresql:v1.1.0