├── .github ├── ISSUE_TEMPLATE │ ├── bug-report.yaml │ └── feature-request.yaml ├── actions │ └── restore_trivy_cache │ │ └── action.yml ├── codecov.yml ├── crd.trivyignore.yaml ├── dependabot.yml ├── licenserc.yml ├── pull_request_template.md ├── semantic.yml └── workflows │ ├── build-pr.yml │ ├── build.yml │ ├── cache-cleanup.yml │ ├── check-license.yml │ ├── clean-dev-package.yml │ ├── codeql.yml │ ├── e2e-aks.yml │ ├── e2e-cli.yml │ ├── e2e-k8s.yml │ ├── golangci-lint.yml │ ├── high-availability.yml │ ├── markdown-link-check.yml │ ├── markdown.links.config.json │ ├── pr-to-main.yml │ ├── publish-charts.yml │ ├── publish-cosign-sample.yml │ ├── publish-dev-assets.yml │ ├── publish-package.yml │ ├── publish-sample.yml │ ├── quick-start.yml │ ├── release.yml │ ├── run-full-validation.yml │ ├── scan-vulns.yaml │ ├── scorecards.yml │ ├── sync-gh-pages.yml │ └── update-trivy-cache.yml ├── .gitignore ├── .golangci.yml ├── .goreleaser.yml ├── .well-known └── pki-validation │ ├── ratify-verification.crt │ ├── ratify-verification_20250328.crt │ └── trustpolicy.json ├── ADOPTERS.md ├── BREAKING_CHANGE_AND_DEPRECATION.md ├── CODEOWNERS ├── CODE_OF_CONDUCT.md ├── CONTRIBUTING.md ├── Dockerfile ├── KubernetesLocalProcessConfig.yaml ├── LICENSE ├── MAINTAINERS ├── Makefile ├── NOTICE ├── PROJECT ├── README.md ├── RELEASES.md ├── REVIEWING.md ├── ROADMAP.md ├── SECURITY.md ├── api ├── group.go ├── unversioned │ ├── certificatestore_types.go │ ├── common.go │ ├── doc.go │ ├── keymanagementprovider_types.go │ ├── namespacedkeymanagementprovider_types.go │ ├── namespacedpolicy_types.go │ ├── namespacedstore_types.go │ ├── namespacedverifier_types.go │ ├── policy_types.go │ ├── store_types.go │ ├── verifier_types.go │ └── zz_generated.deepcopy.go ├── v1alpha1 │ ├── certificatestore_conversion.go │ ├── certificatestore_types.go │ ├── common.go │ ├── doc.go │ ├── groupversion_info.go │ ├── policy_conversion.go │ ├── policy_conversion_test.go │ ├── policy_types.go │ ├── 
store_conversion.go │ ├── store_types.go │ ├── verifier_conversion.go │ ├── verifier_types.go │ ├── zz_generated.conversion.go │ └── zz_generated.deepcopy.go └── v1beta1 │ ├── certificatestore_types.go │ ├── common.go │ ├── doc.go │ ├── groupversion_info.go │ ├── keymanagementproviders_types.go │ ├── namespacedkeymanagementprovider_types.go │ ├── namespacedpolicy_types.go │ ├── namespacedstore_types.go │ ├── namespacedverifier_types.go │ ├── policy_types.go │ ├── store_types.go │ ├── verifier_types.go │ ├── zz_generated.conversion.go │ └── zz_generated.deepcopy.go ├── assets └── logo.svg ├── charts └── ratify │ ├── .helmignore │ ├── Chart.yaml │ ├── crds │ ├── certificatestore-customresourcedefinition.yaml │ ├── keymanagementprovider-customresourcedefinition.yaml │ ├── namespacedkeymanagementprovider-customresourcedefinition.yaml │ ├── namespacedpolicy-customresourcedefinition.yaml │ ├── namespacedstore-customresourcedefinition.yaml │ ├── namespacedverifier-customresourcedefinition.yaml │ ├── policy-customresourcedefinition.yaml │ ├── store-customresourcedefinition.yaml │ └── verifier-customresourcedefinition.yaml │ ├── templates │ ├── NOTES.txt │ ├── _helpers.tpl │ ├── akv-key-management-provider.yaml │ ├── configmap.yaml │ ├── deployment.yaml │ ├── dockerconfigsecret.yaml │ ├── inline-key-management-provider.yaml │ ├── policy.yaml │ ├── ratify-manager-role-clusterrole.yaml │ ├── ratify-manager-role-role.yaml │ ├── ratify-manager-rolebinding-clusterrolebinding.yaml │ ├── ratify-manager-rolebinding-rolebinding.yaml │ ├── secret.yaml │ ├── service.yaml │ ├── serviceaccount.yaml │ ├── store.yaml │ ├── tests │ │ └── test-connection.yaml │ ├── upgrade-crds-hook.yaml │ └── verifier.yaml │ └── values.yaml ├── cmd └── ratify-gatekeeper-provider │ ├── main.go │ └── main_test.go ├── config ├── config.go ├── config.json ├── config_cli.json ├── config_test.go ├── crd │ ├── bases │ │ ├── config.ratify.deislabs.io_certificatestores.yaml │ │ ├── 
config.ratify.deislabs.io_keymanagementproviders.yaml │ │ ├── config.ratify.deislabs.io_namespacedkeymanagementproviders.yaml │ │ ├── config.ratify.deislabs.io_namespacedpolicies.yaml │ │ ├── config.ratify.deislabs.io_namespacedstores.yaml │ │ ├── config.ratify.deislabs.io_namespacedverifiers.yaml │ │ ├── config.ratify.deislabs.io_policies.yaml │ │ ├── config.ratify.deislabs.io_stores.yaml │ │ └── config.ratify.deislabs.io_verifiers.yaml │ ├── kustomization.yaml │ ├── kustomizeconfig.yaml │ └── patches │ │ ├── cainjection_in_certificatestores.yaml │ │ ├── cainjection_in_clusterpolicies.yaml │ │ ├── cainjection_in_keymanagementproviders.yaml │ │ ├── cainjection_in_namespacedkeymanagementproviders.yaml │ │ ├── cainjection_in_namespacedpolicies.yaml │ │ ├── cainjection_in_namespacedstores.yaml │ │ ├── cainjection_in_namespacedverifiers.yaml │ │ ├── cainjection_in_policies.yaml │ │ ├── cainjection_in_stores.yaml │ │ ├── cainjection_in_verifiers.yaml │ │ ├── webhook_in_certificatestores.yaml │ │ ├── webhook_in_clusterpolicies.yaml │ │ ├── webhook_in_keymanagementproviders.yaml │ │ ├── webhook_in_namespacedkeymanagementproviders.yaml │ │ ├── webhook_in_namespacedpolicies.yaml │ │ ├── webhook_in_namespacedstores.yaml │ │ ├── webhook_in_namespacedverifiers.yaml │ │ ├── webhook_in_policies.yaml │ │ ├── webhook_in_stores.yaml │ │ └── webhook_in_verifiers.yaml ├── crlConfig.go ├── default │ ├── kustomization.yaml │ ├── manager_auth_proxy_patch.yaml │ └── manager_config_patch.yaml ├── manager │ ├── controller_manager_config.yaml │ ├── kustomization.yaml │ └── manager.yaml ├── rbac │ ├── auth_proxy_client_clusterrole.yaml │ ├── auth_proxy_role.yaml │ ├── auth_proxy_role_binding.yaml │ ├── auth_proxy_service.yaml │ ├── certificatestore_editor_role.yaml │ ├── certificatestore_viewer_role.yaml │ ├── keymanagementprovider_editor_role.yaml │ ├── keymanagementprovider_viewer_role.yaml │ ├── kustomization.yaml │ ├── leader_election_role.yaml │ ├── leader_election_role_binding.yaml │ 
├── namespacedkeymanagementprovider_editor_role.yaml │ ├── namespacedkeymanagementprovider_viewer_role.yaml │ ├── namespacedpolicy_editor_role.yaml │ ├── namespacedpolicy_viewer_role.yaml │ ├── namespacedstore_editor_role.yaml │ ├── namespacedstore_viewer_role.yaml │ ├── namespacedverifier_editor_role.yaml │ ├── namespacedverifier_viewer_role.yaml │ ├── role.yaml │ ├── role_binding.yaml │ ├── service_account.yaml │ ├── store_editor_role.yaml │ ├── store_viewer_role.yaml │ ├── verifier_editor_role.yaml │ └── verifier_viewer_role.yaml └── samples │ ├── clustered │ ├── kmp │ │ ├── config_v1beta1_keymanagementprovider_akv.yaml │ │ ├── config_v1beta1_keymanagementprovider_akv_refresh_enabled.yaml │ │ └── config_v1beta1_keymanagementprovider_inline.yaml │ ├── policy │ │ ├── config_v1alpha1_policy_json.yaml │ │ ├── config_v1alpha1_policy_rego.yaml │ │ ├── config_v1beta1_policy_json.yaml │ │ └── config_v1beta1_policy_rego.yaml │ ├── store │ │ ├── config_v1beta1_store_dynamic.yaml │ │ ├── config_v1beta1_store_oras.yaml │ │ ├── config_v1beta1_store_oras_http.yaml │ │ └── config_v1beta1_store_oras_k8secretAuth.yaml │ └── verifier │ │ ├── config_v1alpha1_store_oras_http.yaml │ │ ├── config_v1alpha1_verifier_notation.yaml │ │ ├── config_v1beta1_verifier_complete_licensechecker.yaml │ │ ├── config_v1beta1_verifier_cosign.yaml │ │ ├── config_v1beta1_verifier_cosign_keyless_legacy.yaml │ │ ├── config_v1beta1_verifier_cosign_legacy.yaml │ │ ├── config_v1beta1_verifier_dynamic.yaml │ │ ├── config_v1beta1_verifier_notation.yaml │ │ ├── config_v1beta1_verifier_notation_kmprovider.yaml │ │ ├── config_v1beta1_verifier_notation_specificnskmprovider.yaml │ │ ├── config_v1beta1_verifier_partial_licensechecker.yaml │ │ ├── config_v1beta1_verifier_sbom.yaml │ │ ├── config_v1beta1_verifier_sbom_deny.yaml │ │ ├── config_v1beta1_verifier_schemavalidator.yaml │ │ ├── config_v1beta1_verifier_schemavalidator_bad.yaml │ │ ├── config_v1beta1_verifier_vulnerabilityreport.yaml │ │ └── 
config_v1beta1_verifier_vulnerabilityreport2.yaml │ ├── config_v1beta1_certstore_akv.yaml │ ├── config_v1beta1_certstore_inline.yaml │ └── namespaced │ ├── kmp │ ├── config_v1beta1_keymanagementprovider_akv.yaml │ ├── config_v1beta1_keymanagementprovider_akv_refresh_enabled.yaml │ └── config_v1beta1_keymanagementprovider_inline.yaml │ ├── policy │ ├── config_v1beta1_policy_json.yaml │ └── config_v1beta1_policy_rego.yaml │ ├── store │ ├── config_v1beta1_store_dynamic.yaml │ ├── config_v1beta1_store_oras.yaml │ ├── config_v1beta1_store_oras_http.yaml │ └── config_v1beta1_store_oras_k8secretAuth.yaml │ └── verifier │ ├── config_v1beta1_verifier_complete_licensechecker.yaml │ ├── config_v1beta1_verifier_cosign.yaml │ ├── config_v1beta1_verifier_cosign_keyless.yaml │ ├── config_v1beta1_verifier_cosign_legacy.yaml │ ├── config_v1beta1_verifier_dynamic.yaml │ ├── config_v1beta1_verifier_notation.yaml │ ├── config_v1beta1_verifier_notation_kmprovider.yaml │ ├── config_v1beta1_verifier_notation_specificnskmprovider.yaml │ ├── config_v1beta1_verifier_partial_licensechecker.yaml │ ├── config_v1beta1_verifier_sbom.yaml │ ├── config_v1beta1_verifier_sbom_deny.yaml │ ├── config_v1beta1_verifier_schemavalidator.yaml │ ├── config_v1beta1_verifier_schemavalidator_bad.yaml │ ├── config_v1beta1_verifier_vulnerabilityreport.yaml │ └── config_v1beta1_verifier_vulnerabilityreport2.yaml ├── configs ├── config.json └── constrainttemplates │ └── default │ ├── constraint.yaml │ └── template.yaml ├── crd.Dockerfile ├── deployments └── ratify-gatekeeper-provider │ ├── .helmignore │ ├── Chart.yaml │ ├── README.md │ ├── templates │ ├── _helper.tpl │ ├── assign.yaml │ ├── configmap.yaml │ ├── deployment.yaml │ ├── provider.yaml │ ├── ratify-manager-role-clusterrole.yaml │ ├── ratify-manager-role-role.yaml │ ├── ratify-manager-rolebinding-clusterrolebinding.yaml │ ├── ratify-manager-rolebinding-rolebinding.yaml │ ├── secret.yaml │ ├── service.yaml │ └── serviceaccount.yaml │ └── values.yaml ├── 
dev.helmfile.yaml.gotmpl ├── dev.high-availability.helmfile.yaml.gotmpl ├── docs ├── README.md ├── design │ ├── Authentication Provider Support For ORAS Store.md │ ├── Azure Kubernetes Workload Identity AuthProvider.md │ ├── Cache Unification.md │ ├── Certificate Revocation Lists.md │ ├── Concurrency.md │ ├── Config Policy Provider Refactor.md │ ├── Cosign Refactor.md │ ├── Cosign Upgrade 2024.md │ ├── K8s Secrets AuthProvider.md │ ├── Load Testing Pipeline.md │ ├── Metrics.md │ ├── Policy Provider refactor (deprecated).md │ ├── Ratify Error Refactor.md │ ├── Ratify Vulnerability Report Verifier.md │ ├── Ratify v2 Architecture Proposal.md │ ├── Registry Credential Caching.md │ ├── TLS Certificate Rotation.md │ ├── Tag to Digest Mutation.md │ ├── Verification Result Cache at Executor Level.md │ ├── kmp-nversions.md │ └── kmp-periodic-retrieval.md ├── discussion │ ├── Cosign Upgrade Discussion 2024.md │ ├── Gatekeeper Timeout Constraint.md │ ├── Image Platform Selection.md │ ├── Multi-Tenancy Support.md │ ├── Negative test cases for Ratify.md │ ├── Ratify Error Handling Scenarios.md │ └── Ratify v2 design scope.md ├── img │ ├── CRL │ │ └── CRL-workflow.png │ ├── architecture │ │ ├── ratify-v1.png │ │ └── ratify-v2.png │ ├── deployment-per-cluster.svg │ ├── deployment-per-namespace.svg │ └── ratify-errors │ │ ├── B12iZKE_C.png │ │ ├── Byrwl2zuC.png │ │ ├── H1KYhmnDA.png │ │ ├── HJHWNwfuC.png │ │ ├── SJTOOXhDA.png │ │ ├── SJqHDNL_A.png │ │ ├── SkUQfOr_0.png │ │ ├── SkubOnMuA.png │ │ ├── Sy6OtPVuC.png │ │ ├── SyfhDP4dC.png │ │ ├── r1vemTRwC.png │ │ ├── rJtithG_0.png │ │ ├── rJvv5_N_0.png │ │ ├── rkrEZvfd0.png │ │ ├── ryMGu8L_C.png │ │ ├── rym_MFHOC.png │ │ └── rys__uEOA.png └── proposals │ ├── Automated-Certificate-and-Key-Updates.md │ ├── Enhancement-Proposal-Template.md │ ├── Error-Messages-Improvements.md │ ├── Release-Supply-Chain-Metadata.md │ ├── Tag-Digest-CoExist.md │ └── Verify-Latest-N-Artifacts.md ├── errors ├── azure.go ├── errors.go ├── pluginerrors.go ├── 
types.go └── types_test.go ├── go.mod ├── go.sum ├── hack └── boilerplate.go.txt ├── helmfile.yaml.gotmpl ├── high-availability.helmfile.yaml ├── instrumentation ├── additional-scrape-configs.yaml ├── grafana_configMap.yaml ├── grafana_namespaced_configMap.yaml └── prometheus-additional.yaml ├── internal ├── cache │ ├── api.go │ └── ristretto │ │ ├── ristretto.go │ │ └── ristretto_test.go ├── constants │ └── constants.go ├── context │ ├── utils.go │ └── utils_test.go ├── executor │ ├── executor.go │ └── executor_test.go ├── httpserver │ ├── config │ │ ├── config.go │ │ ├── config_test.go │ │ ├── homedir_unix.go │ │ ├── homedir_unix_test.go │ │ ├── homedir_windows.go │ │ └── homedir_windows_test.go │ ├── handlers.go │ ├── handlers_test.go │ ├── response.go │ ├── response_test.go │ ├── server.go │ ├── server_test.go │ └── tlssecret │ │ ├── certwatcher.go │ │ └── certwatcher_test.go ├── logger │ ├── logger.go │ └── logger_test.go ├── manager │ └── manager.go ├── pod │ ├── podinfo.go │ └── podinfo_test.go ├── policyenforcer │ ├── factory │ │ ├── factory.go │ │ ├── factory_test.go │ │ └── thresholdpolicy │ │ │ ├── register.go │ │ │ └── register_test.go │ ├── policyenforcer.go │ └── policyenforcer_test.go ├── store │ ├── factory │ │ ├── factory.go │ │ ├── factory_test.go │ │ ├── filesystemocistore │ │ │ ├── register.go │ │ │ └── register_test.go │ │ └── registrystore │ │ │ ├── register.go │ │ │ └── register_test.go │ ├── storemux.go │ └── storemux_test.go ├── verifier │ ├── factory │ │ ├── factory.go │ │ ├── factory_test.go │ │ └── notation │ │ │ ├── register.go │ │ │ ├── register_test.go │ │ │ ├── truststore.go │ │ │ └── truststore_test.go │ ├── keyprovider │ │ ├── api.go │ │ ├── api_test.go │ │ └── filesystemprovider │ │ │ ├── register.go │ │ │ └── register_test.go │ ├── verifier.go │ └── verifier_test.go └── version │ ├── version.go │ └── version_test.go ├── library ├── default │ ├── customazurepolicy.json │ ├── samples │ │ └── constraint.yaml │ └── template.yaml ├── 
multi-tenancy-validation │ ├── samples │ │ └── constraint.yaml │ └── template.yaml ├── notation-issuer-validation │ ├── samples │ │ └── constraint.yaml │ └── template.yaml ├── notation-nested-validation │ ├── samples │ │ └── constraint.yaml │ └── template.yaml ├── notation-validation │ ├── samples │ │ └── constraint.yaml │ └── template.yml ├── rego │ ├── README.md │ ├── sbom-validation.rego │ └── vulnerability-report-validation.rego ├── sbom-validation │ ├── samples │ │ └── constraint.yaml │ └── template.yaml └── vulnerability-report-validation │ ├── samples │ └── constraint.yaml │ └── template.yaml ├── pkg ├── certificateprovider │ ├── azurekeyvault │ │ ├── auth.go │ │ ├── auth_test.go │ │ ├── provider.go │ │ ├── provider_test.go │ │ └── types │ │ │ ├── parameters.go │ │ │ ├── parameters_test.go │ │ │ └── types.go │ ├── certificate_provider.go │ ├── certificate_provider_test.go │ └── inline │ │ ├── provider.go │ │ └── provider_test.go ├── common │ ├── logging.go │ ├── logging_test.go │ ├── oras │ │ └── authprovider │ │ │ ├── alibabacloud │ │ │ ├── alibabacloudacrbasic.go │ │ │ ├── alibabacloudacrbasic_test.go │ │ │ ├── helper.go │ │ │ └── helper_test.go │ │ │ ├── authprovider.go │ │ │ ├── authprovider_test.go │ │ │ ├── authproviderconfig.go │ │ │ ├── authproviderfactory.go │ │ │ ├── authproviderfactory_test.go │ │ │ ├── aws │ │ │ ├── awsecrbasic.go │ │ │ ├── awsecrbasic_test.go │ │ │ └── ecrauthtypes.go │ │ │ ├── azure │ │ │ ├── azureidentity.go │ │ │ ├── azureidentity_test.go │ │ │ ├── azureworkloadidentity.go │ │ │ ├── azureworkloadidentity_test.go │ │ │ ├── const.go │ │ │ ├── helper.go │ │ │ └── helper_test.go │ │ │ ├── k8secret_authprovider.go │ │ │ └── k8secret_authprovider_test.go │ ├── plugin │ │ ├── args.go │ │ ├── args_test.go │ │ ├── download.go │ │ ├── download_test.go │ │ ├── exec.go │ │ ├── exec_test.go │ │ ├── find.go │ │ ├── find_test.go │ │ ├── logger │ │ │ └── logger.go │ │ ├── os_unix.go │ │ ├── os_windows.go │ │ ├── types.go │ │ └── 
types_test.go │ ├── reference.go │ └── utils │ │ ├── utils.go │ │ └── utils_test.go ├── controllers │ ├── clusterresource │ │ ├── keymanagementprovider_controller.go │ │ ├── keymanagementprovider_controller_test.go │ │ ├── policy_controller.go │ │ ├── policy_controller_test.go │ │ ├── store_controller.go │ │ ├── store_controller_test.go │ │ ├── verifier_controller.go │ │ └── verifier_controller_test.go │ ├── logging.go │ ├── logging_test.go │ ├── namespaceresource │ │ ├── certificatestore_controller.go │ │ ├── certificatestore_controller_test.go │ │ ├── keymanagementprovider_controller.go │ │ ├── keymanagementprovider_controller_test.go │ │ ├── policy_controller.go │ │ ├── policy_controller_test.go │ │ ├── store_controller.go │ │ ├── store_controller_test.go │ │ ├── verifier_controller.go │ │ └── verifier_controller_test.go │ ├── resource_map.go │ └── utils │ │ ├── kmp.go │ │ ├── kmp_test.go │ │ ├── policy.go │ │ ├── policy_test.go │ │ ├── store.go │ │ ├── store_test.go │ │ ├── verifier.go │ │ └── verifier_test.go ├── customresources │ ├── certificatestores │ │ ├── api.go │ │ ├── certificatestores.go │ │ └── certificatestores_test.go │ ├── policies │ │ ├── api.go │ │ ├── policies.go │ │ └── policies_test.go │ ├── referrerstores │ │ ├── api.go │ │ ├── stores.go │ │ └── stores_test.go │ └── verifiers │ │ ├── api.go │ │ ├── verifiers.go │ │ └── verifiers_test.go ├── featureflag │ ├── featureflag.go │ └── featureflag_test.go ├── homedir │ ├── homedir_unix.go │ └── homedir_windows.go ├── keymanagementprovider │ ├── azurekeyvault │ │ ├── auth.go │ │ ├── auth_test.go │ │ ├── provider.go │ │ ├── provider_test.go │ │ └── types │ │ │ └── types.go │ ├── config │ │ └── config.go │ ├── factory │ │ ├── factory.go │ │ └── factory_test.go │ ├── inline │ │ ├── provider.go │ │ └── provider_test.go │ ├── keymanagementprovider.go │ ├── keymanagementprovider_test.go │ ├── mocks │ │ ├── client.go │ │ ├── factory.go │ │ └── types.go │ ├── refresh │ │ ├── factory.go │ │ ├── 
factory_test.go │ │ ├── refresh.go │ │ └── test_helper_test.go │ └── types │ │ └── types.go ├── metrics │ ├── exporter.go │ ├── exporter_test.go │ ├── prometheus_exporter.go │ ├── prometheus_exporter_test.go │ ├── stats_reporter.go │ └── stats_reporter_test.go ├── ocispecs │ └── descriptor.go ├── policyprovider │ ├── api.go │ ├── config │ │ └── config.go │ ├── factory │ │ ├── factory.go │ │ └── factory_test.go │ ├── mocks │ │ └── types.go │ ├── policyengine │ │ ├── api.go │ │ ├── factory.go │ │ ├── factory_test.go │ │ └── opaengine │ │ │ ├── opa_engine.go │ │ │ └── opa_engine_test.go │ ├── policyquery │ │ ├── api.go │ │ ├── factory.go │ │ ├── factory_test.go │ │ └── rego │ │ │ ├── query.go │ │ │ └── query_test.go │ ├── regopolicy │ │ ├── regopolicy.go │ │ └── regopolicy_test.go │ └── types │ │ └── types.go ├── utils │ ├── awsauth │ │ ├── utils.go │ │ └── utils_test.go │ ├── azureauth │ │ └── authenticationUtils.go │ ├── certificateUtil_test.go │ ├── certificateUtils.go │ ├── testCert1.crt │ ├── test_utils.go │ ├── utils.go │ └── utils_test.go ├── verifier │ ├── api.go │ ├── config │ │ └── config.go │ ├── cosign │ │ ├── cosign.go │ │ ├── cosign_test.go │ │ ├── trustpolicies.go │ │ ├── trustpolicies_test.go │ │ ├── trustpolicy.go │ │ └── trustpolicy_test.go │ ├── factory │ │ ├── factory.go │ │ └── factory_test.go │ ├── mocks │ │ └── types.go │ ├── plugin │ │ ├── args.go │ │ ├── args_test.go │ │ ├── const.go │ │ ├── plugin.go │ │ ├── plugin_test.go │ │ └── skel │ │ │ ├── skel.go │ │ │ └── skel_test.go │ ├── result.go │ ├── result_test.go │ ├── types │ │ ├── types.go │ │ └── types_test.go │ └── utils │ │ └── utils.go └── verifiercache │ ├── api.go │ └── memory │ ├── memorycache.go │ └── syncmap.go ├── plugins ├── referrerstore │ └── sample │ │ └── sample.go └── verifier │ ├── licensechecker │ ├── licensechecker.go │ └── utils │ │ ├── spdxutils.go │ │ ├── spdxutils_test.go │ │ └── types.go │ ├── sample │ └── sample.go │ ├── sbom │ ├── sbom.go │ ├── sbom_test.go │ ├── 
testdata │ │ ├── bom.json │ │ ├── invalid-bom.json │ │ ├── osv-scanner.toml │ │ └── syftbom.spdx.json │ └── utils │ │ ├── spdxutils.go │ │ ├── spdxutils_test.go │ │ └── types.go │ ├── schemavalidator │ ├── README.md │ ├── schema_validator.go │ ├── schema_validator_test.go │ └── schemavalidation │ │ ├── schemas │ │ └── sarif-2.1.0-rtm.5.json │ │ ├── schemavalidation_test.go │ │ ├── schemavalidator.go │ │ └── testdata │ │ ├── bad_schema.json │ │ ├── mismatch_schema.json │ │ ├── osv-scanner.toml │ │ └── trivy_scan_report.json │ └── vulnerabilityreport │ ├── schemavalidation │ ├── schemas │ │ └── sarif-2.1.0.json │ ├── schemavalidation_test.go │ ├── schemavalidator.go │ └── testdata │ │ ├── bad_schema.json │ │ ├── mismatch_schema.json │ │ ├── osv-scanner.toml │ │ └── trivy_scan_report.json │ ├── vulnerability_report.go │ └── vulnerability_report_test.go ├── scripts ├── azure-ci-test-cleanup.sh ├── azure-ci-test.sh ├── create-azure-resources.sh ├── crl_server.py ├── generate-cert-chain.sh ├── generate-crl-testing-certs.sh ├── generate-gk-tls-certs.sh └── generate-tls-certs.sh ├── terraform └── azure │ ├── README.md │ ├── main.tf │ ├── output.tf │ ├── terraform.tfvars │ └── variables.tf ├── test ├── bats │ ├── azure-test.bats │ ├── base-test.bats │ ├── cli-test.bats │ ├── helpers.bash │ ├── high-availability.bats │ ├── plugin-test.bats │ ├── quickstart-test.bats │ └── tests │ │ ├── certificates │ │ ├── cosign.pub │ │ ├── tsarootca.cer │ │ └── wabbit-networks.io.crt │ │ ├── config │ │ ├── akvpolicy.json │ │ ├── complete_licensechecker_config.json │ │ ├── config.json │ │ ├── config_external_verifier_with_type.json │ │ ├── config_multiple_notation_verifiers.json │ │ ├── config_notation_crl.json │ │ ├── config_notation_crl_cache_disabled.json │ │ ├── config_notation_leaf_cert.json │ │ ├── config_notation_root_cert.json │ │ ├── config_notation_verifier_with_type.json │ │ ├── config_rego_policy_notation_leaf_cert.json │ │ ├── config_rego_policy_notation_root_cert.json │ │ ├── 
config_tsa.json │ │ ├── config_v1beta1_certstore_inline.yaml │ │ ├── config_v1beta1_certstore_inline_invalid.yaml │ │ ├── config_v1beta1_keymanagementprovider_inline.yaml │ │ ├── config_v1beta1_verifier_cosign_akv.yaml │ │ ├── config_v1beta1_verifier_cosign_keyless.yaml │ │ ├── config_v1beta1_verifier_notation.yaml │ │ ├── config_v1beta1_verifier_notation_akv.yaml │ │ ├── config_v1beta1_verifier_notation_audit_crl.yaml │ │ ├── config_v1beta1_verifier_notation_kmprovider.yaml │ │ ├── config_v1beta1_verifier_notation_tsa.yaml │ │ ├── cosign_keyless_config.json │ │ ├── dynamic_plugins_config.json │ │ ├── partial_licensechecker_config.json │ │ ├── sbom_denylist_config_licensematch.json │ │ ├── sbom_denylist_config_nomatch.json │ │ ├── sbom_denylist_config_packagematch.json │ │ ├── sbom_version_mismatch.json │ │ ├── schemavalidator_config.json │ │ ├── vulnerabilityreport_config.json │ │ └── zot-config.json │ │ ├── configmap │ │ └── invalidconfigmap.yaml │ │ └── schemas │ │ └── sarif-2.1.0-rtm.5.json ├── testdata │ ├── cosign.pub │ ├── dapr │ │ ├── dapr-redis-secret.yaml │ │ └── dapr-redis.yaml │ ├── invalid_json.json │ ├── invalid_trust_policy.json │ ├── notation.crt │ ├── osv-scanner.toml │ ├── pod_initContainers_signed.yaml │ ├── pod_initContainers_unsigned.yaml │ ├── sarif-2.1.0-rtm.5.json │ ├── sourcehut-build-0.65.0.json │ ├── trivy_scan_report.json │ └── valid_trust_policy.json └── validation.md └── utils └── utils.go /.github/actions/restore_trivy_cache/action.yml: -------------------------------------------------------------------------------- 1 | name: "Steps to restore trivy cache" 2 | description: "Steps to restore Trivy cache under ~/.cache/trivy" 3 | 4 | runs: 5 | using: "composite" 6 | steps: 7 | - name: Get current date 8 | id: date 9 | run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT 10 | shell: bash 11 | - name: Restore trivy cache directory 12 | uses: actions/cache/restore@0c907a75c2c80ebcb7f088228285e798b750cf8f # v4.2.1 13 | with: 14 | path: 
# .github/actions/restore_trivy_cache/action.yml (continued; lines 1-14 are on
# the preceding line and end at the restore step's `path:` key)
          ${{ github.workspace }}/.cache/trivy
        key: cache-trivy-${{ steps.date.outputs.date }}
    - name: Set up trivy cache directory
      # NOTE(review): there is no cache-hit guard, so on a cache miss the
      # `cp -r` below finds no db directory and the step fails — confirm that
      # failing the caller on a miss is the intended behaviour.
      run: |
        mkdir -p ~/.cache/trivy
        cp -r ${{ github.workspace }}/.cache/trivy/db ~/.cache/trivy
      shell: bash
--------------------------------------------------------------------------------
/.github/codecov.yml:
--------------------------------------------------------------------------------
# Codecov configuration: the listed paths are excluded from coverage and every
# patch must reach the target below.
ignore:
  - "./api" # ignore folders and all its contents
  - "./experimental/proto/v1"
coverage:
  status:
    patch:
      default:
        target: 80%
--------------------------------------------------------------------------------
/.github/crd.trivyignore.yaml:
--------------------------------------------------------------------------------
# Findings suppressed in the CRD image scan; each id carries its justification
# in `statement`.
vulnerabilities:
  - id: CVE-2024-45338
    statement: kubectl is not vulnerable to this and is reason for being flagged
--------------------------------------------------------------------------------
/.github/dependabot.yml:
--------------------------------------------------------------------------------
version: 2

updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "daily"
    commit-message:
      prefix: "chore"

  - package-ecosystem: "gomod"
    directory: "/"
    schedule:
      interval: "weekly"
    commit-message:
      prefix: "chore"
    # Only patch-level Go module updates are opened automatically.
    # NOTE(review): a fix that ships only in a minor release of a dependency
    # will therefore not be proposed — confirm this is intended.
    ignore:
      - dependency-name: "*"
        update-types:
          - "version-update:semver-major"
          - "version-update:semver-minor"

  - package-ecosystem: "docker"
    directory: "/"
    schedule:
      interval: "weekly"
    commit-message:
      prefix: "chore"

  - package-ecosystem: "docker"
    directory: "/httpserver"
    schedule:
      interval: "weekly"
    # Keep the httpserver base image on the Go 1.22 line.
    ignore:
      - dependency-name: "golang"
        versions: '> 1.22'
    commit-message:
      prefix: "chore"

  - package-ecosystem: "docker"
    directory: "/.devcontainer"
# .github/dependabot.yml (continued; the "/.devcontainer" docker entry opens on
# the preceding line)
    schedule:
      interval: "weekly"
    # Keep the devcontainer image on the Go 1.22 line.
    ignore:
      - dependency-name: "vscode/devcontainers/go"
        versions: '> 1.22'
    commit-message:
      prefix: "chore"
--------------------------------------------------------------------------------
/.github/semantic.yml:
--------------------------------------------------------------------------------
# Conventional-commit check: only the PR title is validated (titleOnly), and
# it must use one of the types below.
titleOnly: true
types:
  - build
  - chore
  - ci
  - docs
  - feat
  - fix
  - perf
  - refactor
  - release
  - revert
  - security
  - style
  - test
--------------------------------------------------------------------------------
/.github/workflows/cache-cleanup.yml:
--------------------------------------------------------------------------------
# Deletes the Actions caches that belong to a pull request once it is closed.
name: cleanup feature branch caches after merge
on:
  pull_request:
    types:
      - closed

# NOTE(review): the token is contents: read only; deleting caches through the
# API normally needs actions: write, and the `set +e` in the script below
# would hide a permission error — verify the deletes actually succeed.
permissions:
  contents: read

jobs:
  cleanup:
    runs-on: ubuntu-latest
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
        with:
          # audit logs outbound connections from the runner; it does not block them.
          egress-policy: audit

      - name: Cleanup
        # $REPO and $BRANCH are read from the step's env block rather than
        # being interpolated into the script with ${{ }}.
        run: |
          gh extension install actions/gh-actions-cache

          echo "Fetching list of cache key"
          cacheKeysForPR=$(gh actions-cache list -R $REPO -B $BRANCH -L 100 | cut -f 1 )

          ## Setting this to not fail the workflow while deleting cache keys.
          set +e
          echo "Deleting caches..."
# .github/workflows/cache-cleanup.yml (continued; the `run: |` script of the
# Cleanup step starts on the preceding line)
          for cacheKey in $cacheKeysForPR
          do
          gh actions-cache delete $cacheKey -R $REPO -B $BRANCH --confirm
          done
          echo "Done"
        # BRANCH is the PR's merge ref, so only that PR's caches are listed
        # and deleted.
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          REPO: ${{ github.repository }}
          BRANCH: refs/pull/${{ github.event.pull_request.number }}/merge
--------------------------------------------------------------------------------
/.github/workflows/clean-dev-package.yml:
--------------------------------------------------------------------------------
# Manually triggered housekeeping: prunes pre-release versions of the two dev
# container packages, always keeping the 7 newest.
name: clean-dev-package

on:
  workflow_dispatch:

permissions:
  contents: read

jobs:
  cleanup-packages:
    runs-on: ubuntu-latest
    # packages: write is scoped to this job only.
    permissions:
      packages: write
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
        with:
          egress-policy: audit

      - name: Clean up ratify-crds-dev
        uses: actions/delete-package-versions@e5bc658cc4c965c472efe991f8beea3981499c55 # v5.0.0
        with:
          package-name: "ratify-crds-dev"
          package-type: "container"
          min-versions-to-keep: 7
          delete-only-pre-release-versions: "true"
      - name: Clean up ratify-dev
        uses: actions/delete-package-versions@e5bc658cc4c965c472efe991f8beea3981499c55 # v5.0.0
        with:
          package-name: "ratify-dev"
          package-type: "container"
          min-versions-to-keep: 7
          delete-only-pre-release-versions: "true"
--------------------------------------------------------------------------------
/.github/workflows/codeql.yml:
--------------------------------------------------------------------------------
# CodeQL scan of the Go code on pushes and PRs to the release branches, plus a
# weekly scheduled run.
name: "CodeQL Scan"

on:
  push:
    branches:
      - main
      - v1-dev
      - v1
      - 1.0.0*
  pull_request:
    branches:
      - main
      - v1-dev
      - v1
      - 1.0.0*
  schedule:
    - cron: "30 1 * * 0"
  workflow_dispatch:

permissions: read-all

jobs:
  CodeQL-Build:
    runs-on: ubuntu-latest
# .github/workflows/codeql.yml (continued; `jobs.CodeQL-Build` opens on the
# preceding line)
    # security-events: write is what lets the analyze step upload its results.
    permissions:
      security-events: write

    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
        with:
          egress-policy: audit

      - name: Checkout repository
        # Pin comment corrected: this SHA is actions/checkout v4.2.2 (the same
        # SHA is labelled v4.2.2 in golangci-lint.yml), not 3.0.2.
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: setup go environment
        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
        with:
          go-version: "1.22"
      - name: Initialize CodeQL
        uses: github/codeql-action/init@ff0a06e83cb2de871e5a09832bc6a81e7276941f # tag=v3.28.18
        with:
          languages: go
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@ff0a06e83cb2de871e5a09832bc6a81e7276941f # tag=v3.28.18
--------------------------------------------------------------------------------
/.github/workflows/golangci-lint.yml:
--------------------------------------------------------------------------------
# Lint job for pushes to the release branches and every pull request.
name: golangci-lint
on:
  push:
    branches:
      - main
      - v1-dev
      - v1
      - 1.0.0*
  pull_request:
  workflow_dispatch:
permissions:
  contents: read
jobs:
  golangci:
    name: lint
    runs-on: ubuntu-latest
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
        with:
          egress-policy: audit

      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
        with:
          go-version: "1.22"
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: golangci-lint
        uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8.0.0
        with:
          version: v2.1.0
          args: --timeout=10m
--------------------------------------------------------------------------------
/.github/workflows/markdown.links.config.json:
--------------------------------------------------------------------------------
{
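"ignorePatterns": [
    {
      "pattern": "archive"
    },
    {
      "pattern": "https://github.com/GoogleChrome/lighthouse/workflows/\uD83D\uDCA1\uD83C\uDFE0/badge.svg"
    }
  ]
}
--------------------------------------------------------------------------------
/.github/workflows/pr-to-main.yml:
--------------------------------------------------------------------------------
# Weekly automated pull request that carries v1-dev forward into v1.
name: pr_to_main

on:
  schedule:
    - cron: "30 8 * * 0" # early morning (08:30 UTC) every Sunday
  workflow_dispatch:

# NOTE(review): only pull-requests: write is granted, so the token carries no
# contents scope; confirm the checkout step below still works with that on
# this repository.
permissions:
  pull-requests: write

jobs:
  pull-request:
    runs-on: ubuntu-latest
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
        with:
          egress-policy: audit

      - name: git checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Get current date
        id: date
        # Publish the step output through $GITHUB_OUTPUT; the `::set-output`
        # workflow command this step used is deprecated, and the other
        # workflows in the repo (restore_trivy_cache, update-trivy-cache)
        # already use this form.
        run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
      - name: create pull request with reposync action
        id: open-pr
        uses: repo-sync/pull-request@7e79a9f5dc3ad0ce53138f01df2fad14a04831c5 #v2.12.1
        with:
          source_branch: v1-dev
          destination_branch: v1
          pr_title: "chore: automated PR to v1 ${{ steps.date.outputs.date }}"
          pr_body: "Automated Pull Request to v1 branch"
--------------------------------------------------------------------------------
/.github/workflows/publish-charts.yml:
--------------------------------------------------------------------------------
# Publishes Helm charts whenever a v* tag is pushed.
name: publishChart
on:
  push:
    tags:
      - v*

permissions: read-all

jobs:
  release:
    runs-on: ubuntu-latest
    # contents: write lets the publish step push to the repository.
    permissions:
      contents: write
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
        with:
          egress-policy: audit

      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: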
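Publish Helm charts 22 | uses: stefanprodan/helm-gh-pages@0ad2bb377311d61ac04ad9eb6f252fb68e207260 # v1.7.0 23 | with: 24 | token: ${{ secrets.GITHUB_TOKEN }} 25 | charts_dir: deployments 26 | -------------------------------------------------------------------------------- /.github/workflows/publish-sample.yml: -------------------------------------------------------------------------------- 1 | name: publish-sample 2 | 3 | on: 4 | workflow_dispatch: 5 | 6 | env: 7 | REGISTRY: ghcr.io 8 | 9 | permissions: 10 | contents: read 11 | 12 | jobs: 13 | build-publish-release: 14 | name: "release" 15 | runs-on: ubuntu-latest 16 | timeout-minutes: 60 17 | permissions: 18 | contents: read # least privilege: this job only pushes images to GHCR (packages: write); no step writes to the repository 19 | packages: write 20 | steps: 21 | - name: Harden Runner 22 | uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 23 | with: 24 | egress-policy: audit 25 | 26 | - name: Get repo 27 | run: | 28 | echo "REPOSITORY=${{ env.REGISTRY }}/${{ github.repository }}" >> $GITHUB_ENV 29 | 30 | - name: Log in to the GHCR 31 | uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0 32 | with: 33 | registry: ${{ env.REGISTRY }} 34 | username: ${{ github.actor }} 35 | password: ${{ secrets.GITHUB_TOKEN }} 36 | 37 | - name: Copy signed sample test image # NOTE(review): no setup-oras step here (update-trivy-cache.yml uses oras-project/setup-oras); confirm the runner image provides oras 38 | run: oras cp -r wabbitnetworks.azurecr.io/ratify/notary-image:signed ${REPOSITORY}/notary-image:signed 39 | 40 | - name: Copy unsigned sample test image 41 | run: oras cp wabbitnetworks.azurecr.io/ratify/notary-image:unsigned ${REPOSITORY}/notary-image:unsigned 42 | -------------------------------------------------------------------------------- /.github/workflows/sync-gh-pages.yml: -------------------------------------------------------------------------------- 1 | name: Sync GH Pages 2 | on: 3 | push: 4 | branches: 5 | - main 6 | paths: 7 | - library/** 8 | 9 | permissions: read-all 10 | 11 | jobs: 12 | merge-branch: 13 | runs-on: ubuntu-latest 14 | permissions: 15 | contents: read 16 | 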
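pull-requests: write 17 | repository-projects: write # NOTE(review): not obviously needed for a branch merge; confirm the action uses it, otherwise drop it 18 | steps: 19 | - name: Harden Runner 20 | uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 21 | with: 22 | egress-policy: audit 23 | 24 | - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 25 | - uses: everlytic/branch-merge@c4a244dc23143f824ae6c022a10732566cb8e973 26 | with: 27 | github_token: ${{ github.token }} 28 | source_ref: ${{ github.ref }} 29 | target_branch: "gh-pages" 30 | commit_message_template: "[Automated] Merged {source_ref} into target {target_branch}" 31 | -------------------------------------------------------------------------------- /.github/workflows/update-trivy-cache.yml: -------------------------------------------------------------------------------- 1 | name: Update Trivy Cache 2 | 3 | on: 4 | schedule: 5 | - cron: '0 0 * * *' # Run daily at midnight UTC 6 | workflow_dispatch: 7 | 8 | permissions: read-all 9 | 10 | jobs: 11 | update-trivy-db: 12 | runs-on: ubuntu-latest 13 | if: ${{ github.ref_name == github.event.repository.default_branch }} 14 | steps: # NOTE(review): every other workflow in this repo opens with step-security/harden-runner (egress-policy: audit); this job is the only one without it 15 | - name: Setup oras 16 | uses: oras-project/setup-oras@8d34698a59f5ffe24821f0b48ab62a3de8b64b20 # v1.2.3 17 | 18 | - name: Get current date 19 | id: date 20 | run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT 21 | 22 | - name: Prepare DB directory 23 | run: | 24 | mkdir -p $GITHUB_WORKSPACE/.cache/trivy/db 25 | 26 | - name: Download vulnerability database # NOTE(review): pulled by the mutable tag :2 with no digest pin or signature check, then served from cache for a day; scans are only as trustworthy as this pull 27 | uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2 28 | with: 29 | max_attempts: 60 30 | retry_on: error 31 | timeout_seconds: 30 32 | retry_wait_seconds: 60 33 | command: | 34 | oras pull ghcr.io/aquasecurity/trivy-db:2 35 | tar -xzf db.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/db 36 | rm db.tar.gz 37 | 38 | - name: Cache DBs 39 | uses: actions/cache/save@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3 40 | with: 41 | path: ${{ github.workspace }}/.cache/trivy 42 | key: cache-trivy-${{ 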
steps.date.outputs.date }} -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | bin 2 | dist/ 3 | local_oras_cache/ 4 | .idea 5 | __debug_bin 6 | coverage.txt 7 | test/e2e/coverage.txt 8 | 9 | # generated directories 10 | certs/ 11 | .staging 12 | 13 | # symlink to ~/.ratify folder 14 | /.ratify 15 | 16 | # IDE files 17 | .vscode 18 | 19 | pkg/referrerstore/factory/plugin-store 20 | 21 | -------------------------------------------------------------------------------- /.golangci.yml: -------------------------------------------------------------------------------- 1 | version: "2" 2 | linters: 3 | default: none 4 | enable: 5 | - errcheck 6 | - errorlint 7 | - goconst 8 | - gocyclo 9 | - gosec 10 | - govet 11 | - ineffassign 12 | - misspell 13 | - nakedret 14 | - nilerr 15 | - prealloc 16 | - revive 17 | - staticcheck 18 | - unconvert 19 | - unused 20 | - whitespace 21 | exclusions: 22 | generated: lax 23 | presets: 24 | - comments 25 | - common-false-positives 26 | - legacy 27 | - std-error-handling 28 | paths: 29 | - third_party$ 30 | - builtin$ 31 | - examples$ 32 | formatters: 33 | enable: 34 | - gofmt 35 | - goimports 36 | exclusions: 37 | generated: lax 38 | paths: 39 | - third_party$ 40 | - builtin$ 41 | - examples$ 42 | -------------------------------------------------------------------------------- /.goreleaser.yml: -------------------------------------------------------------------------------- 1 | # Check the documentation at https://goreleaser.com for more options 2 | version: 2 3 | before: 4 | hooks: 5 | - go mod tidy 6 | builds: 7 | - id: ratify-gatekeeper-provider 8 | dir: cmd/ratify-gatekeeper-provider 9 | binary: ratify-gatekeeper-provider 10 | env: 11 | - CGO_ENABLED=0 12 | goos: 13 | - darwin 14 | - linux 15 | - windows 16 | goarch: 17 | - amd64 18 | - arm64 19 | ignore: 20 | - goos: windows 21 | goarch: arm64 22 | ldflags: 
23 | 24 | release: 25 | prerelease: auto 26 | draft: true 27 | archives: 28 | - format_overrides: 29 | - goos: windows 30 | format: zip 31 | checksum: 32 | name_template: 'checksums.txt' 33 | sboms: 34 | - artifacts: archive 35 | - id: source 36 | artifacts: source 37 | snapshot: 38 | name_template: '{{ incpatch .Version }}-next' 39 | changelog: 40 | sort: asc 41 | filters: 42 | exclude: 43 | - '^docs:' 44 | - '^test:' 45 | -------------------------------------------------------------------------------- /.well-known/pki-validation/trustpolicy.json: -------------------------------------------------------------------------------- 1 | { 2 | "version": "1.0", 3 | "trustPolicies": [ 4 | { 5 | "name": "ratify-images", 6 | "registryScopes": [ 7 | "ghcr.io/ratify-project/ratify", 8 | "ghcr.io/ratify-project/ratify-base", 9 | "ghcr.io/ratify-project/ratify-crds", 10 | "ghcr.io/ratify-project/ratify-dev", 11 | "ghcr.io/ratify-project/ratify-base-dev", 12 | "ghcr.io/ratify-project/ratify-crds-dev", 13 | "ghcr.io/ratify-project/ratify-chart-dev/ratify" 14 | ], 15 | "signatureVerification": { 16 | "level" : "strict" 17 | }, 18 | "trustStores": [ "ca:ratify-verify" ], 19 | "trustedIdentities": [ 20 | "x509.subject: CN=ratify.dev,O=ratify-project,L=Seattle,ST=WA,C=US" 21 | ] 22 | } 23 | ] 24 | } -------------------------------------------------------------------------------- /ADOPTERS.md: -------------------------------------------------------------------------------- 1 | The following organizations are known adopters who use Ratify in production or integrate Ratify into their products and services. 2 | 3 | We are happy and proud to have you all as part of the Ratify community! To add your use case and organization to this list, please raise a pull request. 4 | 5 | All organizations are sorted alphabetically below. 
6 | 7 | | Adopter name | Adopter Type | Scenario | 8 | |---------------------|------------------|-------------------------------------------| 9 | | Alibaba Cloud | Service provider | [Alibaba Cloud Container Service for Kubernetes (ACK)](https://www.alibabacloud.com/help/en/ack/ack-managed-and-ack-dedicated/security-and-compliance/use-notation-and-ratify-to-sign-and-verify-oci-artifacts) uses Ratify to validate image signatures before deploying them to cluster. | 10 | | Amazon | Service provider | [AWS Signer](https://ratify.dev/docs/quickstarts/ratify-with-aws-signer) uses Ratify to verify signature | 11 | | Microsoft | Service Provider | [Image Integrity](https://learn.microsoft.com/en-us/azure/aks/image-integrity) is built on Ratify to enable users to validate image signature and supply chain attestations before deploying them to your Azure Kubernetes Service (AKS) | 12 | | Venafi | Service Provider | [CodeSign Protect](https://venafi.com/codesign-protect/) uses Ratify to help developers maintain visibility into enterprise code signing operations | 13 | -------------------------------------------------------------------------------- /CODEOWNERS: -------------------------------------------------------------------------------- 1 | * @akashsinghal @binbin-li @jimmyraywv @luisdlp @susanshi @toddysm -------------------------------------------------------------------------------- /CODE_OF_CONDUCT.md: -------------------------------------------------------------------------------- 1 | # Code of Conduct 2 | 3 | Ratify follows the [CNCF Code of Conduct](https://github.com/cncf/foundation/blob/master/code-of-conduct.md). 4 | -------------------------------------------------------------------------------- /Dockerfile: -------------------------------------------------------------------------------- 1 | # Copyright The Ratify Authors. 2 | # Licensed under the Apache License, Version 2.0 (the "License"); 3 | # you may not use this file except in compliance with the License. 
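4 | # You may obtain a copy of the License at 5 | 6 | # http://www.apache.org/licenses/LICENSE-2.0 7 | 8 | # Unless required by applicable law or agreed to in writing, software 9 | # distributed under the License is distributed on an "AS IS" BASIS, 10 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 11 | # See the License for the specific language governing permissions and 12 | # limitations under the License. 13 | 14 | FROM --platform=$BUILDPLATFORM golang:1.24-alpine@sha256:ef18ee7117463ac1055f5a370ed18b8750f01589f13ea0b48642f5792b234044 AS builder 15 | ARG TARGETOS TARGETARCH 16 | WORKDIR /app 17 | 18 | COPY . . 19 | # Cross-compile for the requested target platform (the builder runs on $BUILDPLATFORM) and force a static binary: the distroless/static runtime image below has no libc. Matches CGO_ENABLED=0 in .goreleaser.yml. 20 | RUN CGO_ENABLED=0 GOOS=$TARGETOS GOARCH=$TARGETARCH go build -trimpath -o /app/out/ /app/cmd/ratify-gatekeeper-provider 21 | 22 | FROM gcr.io/distroless/static:nonroot@sha256:188ddfb9e497f861177352057cb21913d840ecae6c843d39e00d44fa64daa51c 23 | 24 | WORKDIR /app 25 | 26 | COPY --from=builder /app/out/ratify-gatekeeper-provider ./ 27 | 28 | EXPOSE 6001 29 | 30 | USER 65532:65532 31 | 32 | ENTRYPOINT ["/app/ratify-gatekeeper-provider"] -------------------------------------------------------------------------------- /KubernetesLocalProcessConfig.yaml: -------------------------------------------------------------------------------- 1 | version: 0.1 2 | env: 3 | - name: azure-identity-token # REMOVE if not using Azure Workload Identity 4 | value: $(volumeMounts:azure-identity-token) # REMOVE if not using Azure Workload Identity 5 | - name: client-ca-cert 6 | value: $(volumeMounts:client-ca-cert) 7 | - name: AZURE_FEDERATED_TOKEN_FILE # REMOVE if not using Azure Workload Identity 8 | value: /azure-identity-token # REMOVE if not using Azure Workload Identity 9 | - name: RATIFY_NAMESPACE 10 | value: gatekeeper-system 11 | volumeMounts: 12 | - name: client-ca-cert 13 | localPath: 14 | - name: azure-identity-token # REMOVE if not using Azure Workload Identity 15 | localPath: # REMOVE if not using Azure Workload Identity -------------------------------------------------------------------------------- 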
/MAINTAINERS: -------------------------------------------------------------------------------- 1 | Akash Singhal (@akashsinghal) 2 | Binbin Li (@binbin-li) 3 | Luis Dieguez (@luisdlp) 4 | Jimmy Ray (@jimmyraywv) 5 | Susan Shi (@susanshi) 6 | Toddy Memlanden (@toddysm) 7 | -------------------------------------------------------------------------------- /NOTICE: -------------------------------------------------------------------------------- 1 | NOTICES 2 | 3 | This repository incorporates material as listed below or described in the code. 4 | 5 | The initial concepts and development of some of the framework's plugin common modules under pkg/common/plugin are derived from, or 6 | inspired by the project Container Network Interface - networking for Linux containers (https://github.com/containernetworking/cni). 7 | It is licensed under the Apache License, Version 2.0. 8 | 9 | The loading of framework's configuration from a home directory is derived from or inspired by the project Docker CLI (https://github.com/docker/cli) 10 | It is licensed under the Apache License, Version 2.0. 11 | 12 | We thank everyone who has contributed to the above projects and enabled this project to build on those concepts and models. -------------------------------------------------------------------------------- /SECURITY.md: -------------------------------------------------------------------------------- 1 | # Ratify Project Security Process and Policy 2 | This document provides details on the Ratify Project security policy and describes the process for reporting a security vulnerability within the Ratify Project organization. 3 | 4 | ## Reporting a Vulnerability 5 | 6 | We're extremely grateful for security researchers and users who report vulnerabilities to the Ratify Project community. All reports are thoroughly investigated by a set of Project maintainers. 
7 | 8 | To make a report, please use the GitHub Security Vulnerability Disclosure (private security advisory) process for the relevant Ratify Project repository rather than opening a public issue. 9 | - [Ratify Vulnerability Report](https://github.com/notaryproject/ratify/security/advisories/new) 10 | 11 | ## Credits 12 | We would like to give credit to the [Helm Community](https://github.com/helm/community) for using their security process and policy as an example. 13 | -------------------------------------------------------------------------------- /api/group.go: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright The Ratify Authors. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | package apis 17 | -------------------------------------------------------------------------------- /api/unversioned/common.go: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright The Ratify Authors. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | 17 | package unversioned 18 | 19 | import runtime "k8s.io/apimachinery/pkg/runtime" 20 | 21 | // PluginSource defines the fields needed to download a plugin from an OCI Artifact source: the artifact reference and an optional, opaque auth-provider config. 22 | type PluginSource struct { 23 | // Important: Run "make" to regenerate code after modifying this file 24 | 25 | // OCI Artifact reference to download the plugin from. NOTE(review): the downloaded artifact is presumably executed as a plugin, so a digest-pinned reference (repo@sha256:...) is preferable to a mutable tag; confirm whether the downloader pins or verifies what it fetches. 26 | Artifact string `json:"artifact,omitempty"` 27 | 28 | // +kubebuilder:pruning:PreserveUnknownFields 29 | // AuthProvider to use to authenticate to the OCI Artifact source, optional. Kept as a schema-less blob (PreserveUnknownFields), so the API server does not validate its contents; whoever consumes it must. 30 | AuthProvider runtime.RawExtension `json:"authProvider,omitempty"` 31 | } 32 | -------------------------------------------------------------------------------- /api/unversioned/doc.go: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright The Ratify Authors. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | 17 | package unversioned 18 | 19 | // +kubebuilder:object:generate=true 20 | -------------------------------------------------------------------------------- /api/v1alpha1/certificatestore_conversion.go: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright The Ratify Authors. 
3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | 17 | package v1alpha1 18 | 19 | import ( 20 | unversioned "github.com/ratify-project/ratify/api/unversioned" 21 | conversion "k8s.io/apimachinery/pkg/conversion" 22 | ) 23 | 24 | // Convert_unversioned_CertificateStoreStatus_To_v1alpha1_CertificateStoreStatus is an autogenerated conversion function. 25 | func Convert_unversioned_CertificateStoreStatus_To_v1alpha1_CertificateStoreStatus(in *unversioned.CertificateStoreStatus, out *CertificateStoreStatus, s conversion.Scope) error { //nolint:revive // ignore linter for autogenerated code 26 | return nil 27 | } 28 | -------------------------------------------------------------------------------- /api/v1alpha1/common.go: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright The Ratify Authors. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 
15 | */ 16 | 17 | package v1alpha1 18 | 19 | import runtime "k8s.io/apimachinery/pkg/runtime" 20 | 21 | // PluginSource defines the fields needed to download a plugin from an OCI Artifact source 22 | type PluginSource struct { 23 | // Important: Run "make" to regenerate code after modifying this file 24 | 25 | // OCI Artifact source to download the plugin from 26 | Artifact string `json:"artifact,omitempty"` 27 | 28 | // +kubebuilder:pruning:PreserveUnknownFields 29 | // AuthProvider to use to authenticate to the OCI Artifact source, optional 30 | AuthProvider runtime.RawExtension `json:"authProvider,omitempty"` 31 | } 32 | -------------------------------------------------------------------------------- /api/v1alpha1/doc.go: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright The Ratify Authors. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | 17 | // +k8s:conversion-gen=github.com/ratify-project/ratify/api/unversioned 18 | package v1alpha1 19 | -------------------------------------------------------------------------------- /api/v1alpha1/store_conversion.go: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright The Ratify Authors. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 
6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | 17 | package v1alpha1 18 | 19 | import ( 20 | unversioned "github.com/ratify-project/ratify/api/unversioned" 21 | conversion "k8s.io/apimachinery/pkg/conversion" 22 | ) 23 | 24 | // Convert unversioned StoreStatus to StoreStatus of v1alpha1. Deliberate no-op: nothing is copied into out (presumably the v1alpha1 status has no corresponding fields — verify before populating anything here). 25 | // 26 | //nolint:revive 27 | func Convert_unversioned_StoreStatus_To_v1alpha1_StoreStatus(in *unversioned.StoreStatus, out *StoreStatus, _ conversion.Scope) error { 28 | return nil 29 | } 30 | 31 | // Convert unversioned StoreSpec to StoreSpec of v1alpha1. Only Parameters is carried over; any other field of the unversioned spec is dropped in this direction. 32 | // 33 | //nolint:revive 34 | func Convert_unversioned_StoreSpec_To_v1alpha1_StoreSpec(spec *unversioned.StoreSpec, out *StoreSpec, _ conversion.Scope) error { 35 | out.Parameters = spec.Parameters 36 | return nil 37 | } 38 | -------------------------------------------------------------------------------- /api/v1alpha1/verifier_conversion.go: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright The Ratify Authors. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | 17 | package v1alpha1 18 | 19 | import ( 20 | unversioned "github.com/ratify-project/ratify/api/unversioned" 21 | conversion "k8s.io/apimachinery/pkg/conversion" 22 | ) 23 | 24 | // Convert unversioned VerifierStatus to VerifierStatus of v1alpha1. 25 | // 26 | //nolint:revive 27 | func Convert_unversioned_VerifierStatus_To_v1alpha1_VerifierStatus(status *unversioned.VerifierStatus, out *VerifierStatus, _ conversion.Scope) error { 28 | return nil 29 | } 30 | 31 | // Convert unversioned VerifierSpec to VerifierSpec of v1alpha1. 32 | // 33 | //nolint:revive 34 | func Convert_unversioned_VerifierSpec_To_v1alpha1_VerifierSpec(spec *unversioned.VerifierSpec, out *VerifierSpec, _ conversion.Scope) error { 35 | out.Parameters = spec.Parameters 36 | return nil 37 | } 38 | -------------------------------------------------------------------------------- /api/v1beta1/common.go: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright The Ratify Authors. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 
15 | */ 16 | package v1beta1 17 | 18 | import runtime "k8s.io/apimachinery/pkg/runtime" 19 | 20 | // PluginSource defines the fields needed to download a plugin from an OCI Artifact source 21 | type PluginSource struct { 22 | // Important: Run "make" to regenerate code after modifying this file 23 | 24 | // OCI Artifact source to download the plugin from 25 | Artifact string `json:"artifact,omitempty"` 26 | 27 | // +kubebuilder:pruning:PreserveUnknownFields 28 | // AuthProvider to use to authenticate to the OCI Artifact source, optional 29 | AuthProvider runtime.RawExtension `json:"authProvider,omitempty"` 30 | } 31 | -------------------------------------------------------------------------------- /api/v1beta1/doc.go: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright The Ratify Authors. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | 17 | // +k8s:conversion-gen=github.com/ratify-project/ratify/api/unversioned 18 | package v1beta1 19 | -------------------------------------------------------------------------------- /charts/ratify/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 
4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *.orig 18 | *~ 19 | # Various IDEs 20 | .project 21 | .idea/ 22 | *.tmproj 23 | .vscode/ 24 | -------------------------------------------------------------------------------- /charts/ratify/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: ratify 3 | description: A Helm chart for Ratify 4 | version: 1.15.0 5 | appVersion: v1.4.0 6 | home: https://github.com/notaryproject/ratify 7 | icon: https://raw.githubusercontent.com/notaryproject/ratify/main/assets/logo.svg 8 | -------------------------------------------------------------------------------- /charts/ratify/templates/NOTES.txt: -------------------------------------------------------------------------------- 1 | {{- if not (or .Values.notation.enabled .Values.cosign.enabled .Values.sbom.enabled .Values.vulnerabilityreport.enabled) }} 2 | *********************************************************** 3 | WARNING: All verifiers are disabled. 4 | It's recommended that at least one is enabled for proper functionality. 5 | *********************************************************** 6 | {{- end }} -------------------------------------------------------------------------------- /charts/ratify/templates/configmap.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | name: {{ include "ratify.fullname" . 
}}-configuration 5 | data: 6 | config.json: | 7 | { 8 | "logger": { 9 | "formatter": {{ .Values.logger.formatter | quote }}, 10 | "requestHeaders": { 11 | "traceIDHeaderName": {{ .Values.logger.requestHeaders.traceIDHeaderName | quote }} 12 | } 13 | }, 14 | "executor": { 15 | "verificationRequestTimeout": {{ .Values.provider.timeout.validationTimeoutSeconds | int | mul 1000 | add -100 }}, 16 | "mutationRequestTimeout": {{ .Values.provider.timeout.mutationTimeoutSeconds | int | mul 1000 | add -50 }} 17 | }, 18 | "crl": { 19 | "cache":{ 20 | "enabled": {{ .Values.crl.cache.enabled }} 21 | } 22 | } 23 | } -------------------------------------------------------------------------------- /charts/ratify/templates/dockerconfigsecret.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.dockerConfig }} 2 | apiVersion: v1 3 | kind: Secret 4 | metadata: 5 | name: {{ include "ratify.fullname" . }}-dockerconfig 6 | data: 7 | .dockerconfigjson: {{ .Values.dockerConfig | b64enc | quote }} 8 | type: kubernetes.io/dockerconfigjson 9 | {{ end }} -------------------------------------------------------------------------------- /charts/ratify/templates/inline-key-management-provider.yaml: -------------------------------------------------------------------------------- 1 | {{- $fullname := include "ratify.fullname" . 
-}} 2 | --- 3 | {{- if .Values.notationCert }} 4 | apiVersion: config.ratify.deislabs.io/v1beta1 5 | kind: KeyManagementProvider 6 | metadata: 7 | name: {{$fullname}}-notation-inline-cert 8 | annotations: 9 | helm.sh/hook: pre-install,pre-upgrade 10 | helm.sh/hook-weight: "5" 11 | spec: 12 | type: inline 13 | parameters: 14 | contentType: certificate 15 | value: {{ .Values.notationCert | quote }} 16 | {{- end }} 17 | --- 18 | {{- range $i, $cert := .Values.notationCerts }} 19 | apiVersion: config.ratify.deislabs.io/v1beta1 20 | kind: KeyManagementProvider 21 | metadata: 22 | name: {{$fullname}}-notation-inline-cert-{{$i}} 23 | annotations: 24 | helm.sh/hook: pre-install,pre-upgrade 25 | helm.sh/hook-weight: "5" 26 | spec: 27 | type: inline 28 | parameters: 29 | contentType: certificate 30 | value: {{ $cert | quote }} 31 | --- 32 | {{- end }} 33 | {{- range $i, $key := .Values.cosignKeys }} 34 | apiVersion: config.ratify.deislabs.io/v1beta1 35 | kind: KeyManagementProvider 36 | metadata: 37 | name: {{$fullname}}-cosign-inline-key-{{$i}} 38 | annotations: 39 | helm.sh/hook: pre-install,pre-upgrade 40 | helm.sh/hook-weight: "5" 41 | spec: 42 | type: inline 43 | parameters: 44 | contentType: key 45 | value: {{ $key | quote }} 46 | --- 47 | {{- end }} -------------------------------------------------------------------------------- /charts/ratify/templates/policy.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.policy.useRego }} 2 | apiVersion: config.ratify.deislabs.io/v1beta1 3 | kind: Policy 4 | metadata: 5 | name: "ratify-policy" 6 | spec: 7 | type: "rego-policy" 8 | parameters: 9 | passthroughEnabled: false 10 | policy: | 11 | package ratify.policy 12 | 13 | default valid := false 14 | 15 | # all artifacts MUST be valid 16 | valid { 17 | not failed_verify(input) 18 | } 19 | 20 | # all reports MUST pass the verification 21 | failed_verify(reports) { 22 | [path, value] := walk(reports) 23 | value == false 24 | 
path[count(path) - 1] == "isSuccess" 25 | } 26 | 27 | # each artifact MUST have at least one report 28 | failed_verify(reports) { 29 | [path, value] := walk(reports) 30 | path[count(path) - 1] == "verifierReports" 31 | count(value) == 0 32 | } 33 | {{- else }} 34 | apiVersion: config.ratify.deislabs.io/v1beta1 35 | kind: Policy 36 | metadata: 37 | name: "ratify-policy" 38 | spec: 39 | type: "config-policy" 40 | parameters: 41 | artifactVerificationPolicies: 42 | default: "all" 43 | {{- end }} -------------------------------------------------------------------------------- /charts/ratify/templates/ratify-manager-role-role.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.rbac.create }} 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: Role 4 | metadata: 5 | creationTimestamp: null 6 | name: ratify-manager-role 7 | rules: 8 | - apiGroups: 9 | - "" 10 | resources: 11 | - serviceaccounts 12 | verbs: 13 | - get 14 | # Secrets access is used by cert-controller to manipulate TLS related secrets. 15 | - apiGroups: 16 | - "" 17 | resources: 18 | - secrets 19 | verbs: 20 | - create 21 | - list 22 | - update 23 | - watch 24 | {{- end }} 25 | -------------------------------------------------------------------------------- /charts/ratify/templates/ratify-manager-rolebinding-clusterrolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.rbac.create }} 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRoleBinding 4 | metadata: 5 | labels: 6 | heritage: '{{ .Release.Service }}' 7 | release: '{{ .Release.Name }}' 8 | name: ratify-manager-cluster-rolebinding 9 | subjects: 10 | - kind: ServiceAccount 11 | name: {{ include "ratify.serviceAccountName" . 
}} 12 | namespace: '{{ .Release.Namespace }}' 13 | roleRef: 14 | kind: ClusterRole 15 | name: ratify-manager-cluster-role 16 | apiGroup: rbac.authorization.k8s.io 17 | {{- end }} -------------------------------------------------------------------------------- /charts/ratify/templates/ratify-manager-rolebinding-rolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.rbac.create }} 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: RoleBinding 4 | metadata: 5 | labels: 6 | heritage: '{{ .Release.Service }}' 7 | release: '{{ .Release.Name }}' 8 | name: ratify-manager-rolebinding 9 | namespace: {{ .Release.Namespace }} 10 | subjects: 11 | - kind: ServiceAccount 12 | name: {{ include "ratify.serviceAccountName" . }} 13 | namespace: '{{ .Release.Namespace }}' 14 | roleRef: 15 | kind: Role 16 | name: ratify-manager-role 17 | apiGroup: rbac.authorization.k8s.io 18 | {{- end }} 19 | 20 | -------------------------------------------------------------------------------- /charts/ratify/templates/secret.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.cosign.enabled .Values.cosign.key}} 2 | apiVersion: v1 3 | kind: Secret 4 | metadata: 5 | name: {{ include "ratify.fullname" . }}-cosign-certificate 6 | data: 7 | cosign.pub: {{ .Values.cosign.key | b64enc | quote }} 8 | {{- end }} 9 | 10 | --- 11 | {{- if and (eq (include "ratify.tlsCertsProvided" .) "false") (not (lookup "v1" "Secret" .Release.Namespace (include "ratify.tlsSecretName" .))) (not .Values.featureFlags.RATIFY_CERT_ROTATION) }} 12 | {{- fail "You must provide a TLS certificate for Ratify to use or enable RATIFY_CERT_ROTATION to make Ratify generate its certificates."}} 13 | {{- else if or (eq (include "ratify.tlsCertsProvided" .) "true") (and (eq (include "ratify.tlsCertsProvided" .) 
"false") (not (lookup "v1" "Secret" .Release.Namespace (include "ratify.tlsSecretName" .))) (.Values.featureFlags.RATIFY_CERT_ROTATION))}} 14 | apiVersion: v1 15 | kind: Secret 16 | metadata: 17 | name: {{ include "ratify.fullname" . }}-tls 18 | annotations: 19 | helm.sh/hook: pre-install,pre-upgrade 20 | helm.sh/hook-weight: "5" 21 | data: 22 | {{ include "ratify.tlsSecret" . | nindent 2 }} 23 | {{- end }} -------------------------------------------------------------------------------- /charts/ratify/templates/service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: {{ include "ratify.fullname" . }} 5 | labels: 6 | {{- include "ratify.labels" . | nindent 4 }} 7 | spec: 8 | type: ClusterIP 9 | ports: 10 | - port: 6001 11 | targetPort: 6001 12 | selector: 13 | {{- include "ratify.selectorLabels" . | nindent 4 }} 14 | -------------------------------------------------------------------------------- /charts/ratify/templates/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if or .Values.azureWorkloadIdentity.clientId .Values.serviceAccount.create }} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | labels: 6 | {{- include "ratify.labels" . | nindent 4 }} 7 | {{- if .Values.azureWorkloadIdentity.clientId }} 8 | azure.workload.identity/use: "true" 9 | {{- end }} 10 | {{- with .Values.serviceAccount.annotations }} 11 | annotations: 12 | {{- toYaml . | nindent 4 }} 13 | {{- end }} 14 | name: {{ include "ratify.serviceAccountName" . }} 15 | {{- end }} 16 | -------------------------------------------------------------------------------- /charts/ratify/templates/tests/test-connection.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | name: "{{ include "ratify.fullname" . 
}}-test-connection" 5 | labels: 6 | {{- include "ratify.labels" . | nindent 4 }} 7 | annotations: 8 | "helm.sh/hook": test 9 | spec: 10 | containers: 11 | - name: wget 12 | image: busybox 13 | command: ['wget'] 14 | args: ['{{ include "ratify.fullname" . }}:6001'] 15 | restartPolicy: Never 16 | -------------------------------------------------------------------------------- /config/crd/kustomizeconfig.yaml: -------------------------------------------------------------------------------- 1 | # This file is for teaching kustomize how to substitute name and namespace reference in CRD 2 | nameReference: 3 | - kind: Service 4 | version: v1 5 | fieldSpecs: 6 | - kind: CustomResourceDefinition 7 | version: v1 8 | group: apiextensions.k8s.io 9 | path: spec/conversion/webhook/clientConfig/service/name 10 | 11 | namespace: 12 | - kind: CustomResourceDefinition 13 | version: v1 14 | group: apiextensions.k8s.io 15 | path: spec/conversion/webhook/clientConfig/service/namespace 16 | create: false 17 | 18 | varReference: 19 | - path: metadata/annotations 20 | -------------------------------------------------------------------------------- /config/crd/patches/cainjection_in_certificatestores.yaml: -------------------------------------------------------------------------------- 1 | # The following patch adds a directive for certmanager to inject CA into the CRD 2 | apiVersion: apiextensions.k8s.io/v1 3 | kind: CustomResourceDefinition 4 | metadata: 5 | annotations: 6 | cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) 7 | name: certificatestores.config.ratify.deislabs.io 8 | -------------------------------------------------------------------------------- /config/crd/patches/cainjection_in_clusterpolicies.yaml: -------------------------------------------------------------------------------- 1 | # The following patch adds a directive for certmanager to inject CA into the CRD 2 | apiVersion: apiextensions.k8s.io/v1 3 | kind: CustomResourceDefinition 4 | 
metadata: 5 | annotations: 6 | cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) 7 | name: clusterpolicies.config.ratify.deislabs.io 8 | -------------------------------------------------------------------------------- /config/crd/patches/cainjection_in_keymanagementproviders.yaml: -------------------------------------------------------------------------------- 1 | # The following patch adds a directive for certmanager to inject CA into the CRD 2 | apiVersion: apiextensions.k8s.io/v1 3 | kind: CustomResourceDefinition 4 | metadata: 5 | annotations: 6 | cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) 7 | name: keymanagementproviders.config.ratify.deislabs.io 8 | -------------------------------------------------------------------------------- /config/crd/patches/cainjection_in_namespacedkeymanagementproviders.yaml: -------------------------------------------------------------------------------- 1 | # The following patch adds a directive for certmanager to inject CA into the CRD 2 | apiVersion: apiextensions.k8s.io/v1 3 | kind: CustomResourceDefinition 4 | metadata: 5 | annotations: 6 | cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) 7 | name: namespacedkeymanagementproviders.config.ratify.deislabs.io 8 | -------------------------------------------------------------------------------- /config/crd/patches/cainjection_in_namespacedpolicies.yaml: -------------------------------------------------------------------------------- 1 | # The following patch adds a directive for certmanager to inject CA into the CRD 2 | apiVersion: apiextensions.k8s.io/v1 3 | kind: CustomResourceDefinition 4 | metadata: 5 | annotations: 6 | cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) 7 | name: namespacedpolicies.config.ratify.deislabs.io 8 | -------------------------------------------------------------------------------- /config/crd/patches/cainjection_in_namespacedstores.yaml: 
-------------------------------------------------------------------------------- 1 | # The following patch adds a directive for certmanager to inject CA into the CRD 2 | apiVersion: apiextensions.k8s.io/v1 3 | kind: CustomResourceDefinition 4 | metadata: 5 | annotations: 6 | cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) 7 | name: namespacedstores.config.ratify.deislabs.io 8 | -------------------------------------------------------------------------------- /config/crd/patches/cainjection_in_namespacedverifiers.yaml: -------------------------------------------------------------------------------- 1 | # The following patch adds a directive for certmanager to inject CA into the CRD 2 | apiVersion: apiextensions.k8s.io/v1 3 | kind: CustomResourceDefinition 4 | metadata: 5 | annotations: 6 | cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) 7 | name: namespacedverifiers.config.ratify.deislabs.io 8 | -------------------------------------------------------------------------------- /config/crd/patches/cainjection_in_policies.yaml: -------------------------------------------------------------------------------- 1 | # The following patch adds a directive for certmanager to inject CA into the CRD 2 | apiVersion: apiextensions.k8s.io/v1 3 | kind: CustomResourceDefinition 4 | metadata: 5 | annotations: 6 | cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) 7 | name: policies.config.ratify.deislabs.io 8 | -------------------------------------------------------------------------------- /config/crd/patches/cainjection_in_stores.yaml: -------------------------------------------------------------------------------- 1 | # The following patch adds a directive for certmanager to inject CA into the CRD 2 | apiVersion: apiextensions.k8s.io/v1 3 | kind: CustomResourceDefinition 4 | metadata: 5 | annotations: 6 | cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) 7 | name: 
stores.config.ratify.deislabs.io 8 | -------------------------------------------------------------------------------- /config/crd/patches/cainjection_in_verifiers.yaml: -------------------------------------------------------------------------------- 1 | # The following patch adds a directive for certmanager to inject CA into the CRD 2 | apiVersion: apiextensions.k8s.io/v1 3 | kind: CustomResourceDefinition 4 | metadata: 5 | annotations: 6 | cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) 7 | name: verifiers.config.ratify.deislabs.io 8 | -------------------------------------------------------------------------------- /config/crd/patches/webhook_in_certificatestores.yaml: -------------------------------------------------------------------------------- 1 | # The following patch enables a conversion webhook for the CRD 2 | apiVersion: apiextensions.k8s.io/v1 3 | kind: CustomResourceDefinition 4 | metadata: 5 | name: certificatestores.config.ratify.deislabs.io 6 | spec: 7 | conversion: 8 | strategy: Webhook 9 | webhook: 10 | clientConfig: 11 | service: 12 | namespace: system 13 | name: webhook-service 14 | path: /convert 15 | conversionReviewVersions: 16 | - v1 17 | -------------------------------------------------------------------------------- /config/crd/patches/webhook_in_clusterpolicies.yaml: -------------------------------------------------------------------------------- 1 | # The following patch enables a conversion webhook for the CRD 2 | apiVersion: apiextensions.k8s.io/v1 3 | kind: CustomResourceDefinition 4 | metadata: 5 | name: clusterpolicies.config.ratify.deislabs.io 6 | spec: 7 | conversion: 8 | strategy: Webhook 9 | webhook: 10 | clientConfig: 11 | service: 12 | namespace: system 13 | name: webhook-service 14 | path: /convert 15 | conversionReviewVersions: 16 | - v1 17 | -------------------------------------------------------------------------------- /config/crd/patches/webhook_in_keymanagementproviders.yaml: 
-------------------------------------------------------------------------------- 1 | # The following patch enables a conversion webhook for the CRD 2 | apiVersion: apiextensions.k8s.io/v1 3 | kind: CustomResourceDefinition 4 | metadata: 5 | name: keymanagementproviders.config.ratify.deislabs.io 6 | spec: 7 | conversion: 8 | strategy: Webhook 9 | webhook: 10 | clientConfig: 11 | service: 12 | namespace: system 13 | name: webhook-service 14 | path: /convert 15 | conversionReviewVersions: 16 | - v1 17 | -------------------------------------------------------------------------------- /config/crd/patches/webhook_in_namespacedkeymanagementproviders.yaml: -------------------------------------------------------------------------------- 1 | # The following patch enables a conversion webhook for the CRD 2 | apiVersion: apiextensions.k8s.io/v1 3 | kind: CustomResourceDefinition 4 | metadata: 5 | name: namespacedkeymanagementproviders.config.ratify.deislabs.io 6 | spec: 7 | conversion: 8 | strategy: Webhook 9 | webhook: 10 | clientConfig: 11 | service: 12 | namespace: system 13 | name: webhook-service 14 | path: /convert 15 | conversionReviewVersions: 16 | - v1 17 | -------------------------------------------------------------------------------- /config/crd/patches/webhook_in_namespacedpolicies.yaml: -------------------------------------------------------------------------------- 1 | # The following patch enables a conversion webhook for the CRD 2 | apiVersion: apiextensions.k8s.io/v1 3 | kind: CustomResourceDefinition 4 | metadata: 5 | name: namespacedpolicies.config.ratify.deislabs.io 6 | spec: 7 | conversion: 8 | strategy: Webhook 9 | webhook: 10 | clientConfig: 11 | service: 12 | namespace: system 13 | name: webhook-service 14 | path: /convert 15 | conversionReviewVersions: 16 | - v1 17 | -------------------------------------------------------------------------------- /config/crd/patches/webhook_in_namespacedstores.yaml: 
-------------------------------------------------------------------------------- 1 | # The following patch enables a conversion webhook for the CRD 2 | apiVersion: apiextensions.k8s.io/v1 3 | kind: CustomResourceDefinition 4 | metadata: 5 | name: namespacedstores.config.ratify.deislabs.io 6 | spec: 7 | conversion: 8 | strategy: Webhook 9 | webhook: 10 | clientConfig: 11 | service: 12 | namespace: system 13 | name: webhook-service 14 | path: /convert 15 | conversionReviewVersions: 16 | - v1 17 | -------------------------------------------------------------------------------- /config/crd/patches/webhook_in_namespacedverifiers.yaml: -------------------------------------------------------------------------------- 1 | # The following patch enables a conversion webhook for the CRD 2 | apiVersion: apiextensions.k8s.io/v1 3 | kind: CustomResourceDefinition 4 | metadata: 5 | name: namespacedverifiers.config.ratify.deislabs.io 6 | spec: 7 | conversion: 8 | strategy: Webhook 9 | webhook: 10 | clientConfig: 11 | service: 12 | namespace: system 13 | name: webhook-service 14 | path: /convert 15 | conversionReviewVersions: 16 | - v1 17 | -------------------------------------------------------------------------------- /config/crd/patches/webhook_in_policies.yaml: -------------------------------------------------------------------------------- 1 | # The following patch enables a conversion webhook for the CRD 2 | apiVersion: apiextensions.k8s.io/v1 3 | kind: CustomResourceDefinition 4 | metadata: 5 | name: policies.config.ratify.deislabs.io 6 | spec: 7 | conversion: 8 | strategy: Webhook 9 | webhook: 10 | clientConfig: 11 | service: 12 | namespace: system 13 | name: webhook-service 14 | path: /convert 15 | conversionReviewVersions: 16 | - v1 17 | -------------------------------------------------------------------------------- /config/crd/patches/webhook_in_stores.yaml: -------------------------------------------------------------------------------- 1 | # The following patch enables 
a conversion webhook for the CRD 2 | apiVersion: apiextensions.k8s.io/v1 3 | kind: CustomResourceDefinition 4 | metadata: 5 | name: stores.config.ratify.deislabs.io 6 | spec: 7 | conversion: 8 | strategy: Webhook 9 | webhook: 10 | clientConfig: 11 | service: 12 | namespace: system 13 | name: webhook-service 14 | path: /convert 15 | conversionReviewVersions: 16 | - v1 17 | -------------------------------------------------------------------------------- /config/crd/patches/webhook_in_verifiers.yaml: -------------------------------------------------------------------------------- 1 | # The following patch enables a conversion webhook for the CRD 2 | apiVersion: apiextensions.k8s.io/v1 3 | kind: CustomResourceDefinition 4 | metadata: 5 | name: verifiers.config.ratify.deislabs.io 6 | spec: 7 | conversion: 8 | strategy: Webhook 9 | webhook: 10 | clientConfig: 11 | service: 12 | namespace: system 13 | name: webhook-service 14 | path: /convert 15 | conversionReviewVersions: 16 | - v1 17 | -------------------------------------------------------------------------------- /config/crlConfig.go: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright The Ratify Authors. 3 | Licensed under the Apache License, Version 2.0 (the "License"); 4 | you may not use this file except in compliance with the License. 5 | You may obtain a copy of the License at 6 | 7 | http://www.apache.org/licenses/LICENSE-2.0 8 | 9 | Unless required by applicable law or agreed to in writing, software 10 | distributed under the License is distributed on an "AS IS" BASIS, 11 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | See the License for the specific language governing permissions and 13 | limitations under the License. 
14 | */ 15 | 16 | package config 17 | 18 | type CRLConfig struct { 19 | Cache Cache `json:"cache,omitempty"` 20 | } 21 | 22 | type Cache struct { 23 | Enabled bool `json:"enabled,omitempty"` 24 | } 25 | -------------------------------------------------------------------------------- /config/default/manager_auth_proxy_patch.yaml: -------------------------------------------------------------------------------- 1 | # This patch injects a sidecar container that acts as a TLS-terminating HTTP proxy in front of the 2 | # controller manager's metrics endpoint: it performs RBAC authorization against the Kubernetes API using TokenReviews and SubjectAccessReviews (see auth_proxy_role.yaml). The manager itself serves metrics over plaintext on 127.0.0.1:8080, so only the proxy's port 8443 should be exposed. The proxy image is pinned by tag only; pin a digest if you need reproducible, tamper-evident pulls. 3 | apiVersion: apps/v1 4 | kind: Deployment 5 | metadata: 6 | name: controller-manager 7 | namespace: system 8 | spec: 9 | template: 10 | spec: 11 | containers: 12 | - name: kube-rbac-proxy 13 | securityContext: 14 | allowPrivilegeEscalation: false 15 | capabilities: 16 | drop: 17 | - "ALL" 18 | image: gcr.io/kubebuilder/kube-rbac-proxy:v0.13.0 19 | args: 20 | - "--secure-listen-address=0.0.0.0:8443" 21 | - "--upstream=http://127.0.0.1:8080/" 22 | - "--logtostderr=true" 23 | - "--v=0" 24 | ports: 25 | - containerPort: 8443 26 | protocol: TCP 27 | name: https 28 | resources: 29 | limits: 30 | cpu: 500m 31 | memory: 128Mi 32 | requests: 33 | cpu: 5m 34 | memory: 64Mi 35 | - name: manager 36 | args: 37 | - "--health-probe-bind-address=:8081" 38 | - "--metrics-bind-address=127.0.0.1:8080" 39 | - "--leader-elect" 40 | -------------------------------------------------------------------------------- /config/default/manager_config_patch.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: controller-manager 5 | namespace: system 6 | spec: 7 | template: 8 | spec: 9 | containers: 10 | - name: manager 11 | args: 12 | - "--config=controller_manager_config.yaml" 13 | volumeMounts: 14 | - name: manager-config 15 | mountPath: /controller_manager_config.yaml 16 | subPath: 
controller_manager_config.yaml 17 | volumes: 18 | - name: manager-config 19 | configMap: 20 | name: manager-config 21 | -------------------------------------------------------------------------------- /config/manager/controller_manager_config.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: controller-runtime.sigs.k8s.io/v1alpha1 2 | kind: ControllerManagerConfig 3 | health: 4 | healthProbeBindAddress: :8081 5 | metrics: 6 | bindAddress: 127.0.0.1:8080 7 | webhook: 8 | port: 9443 9 | leaderElection: 10 | leaderElect: true 11 | resourceName: 909057b5.ratify.deislabs.io 12 | # leaderElectionReleaseOnCancel defines whether the leader should step down voluntarily 13 | # when the Manager ends. This requires the binary to exit immediately when the 14 | # Manager is stopped; otherwise this setting is unsafe (a successor can become leader 15 | # while this process is still running). Enabling it significantly speeds up voluntary 16 | # leader transitions because the new leader does not have to wait LeaseDuration first. 17 | # In the default scaffold, the program exits immediately after 18 | # the manager stops, so enabling this option would be fine. However, 19 | # if you do (or intend to do) any work such as cleanup 20 | # after the manager stops, enabling it may be unsafe. 
21 | # leaderElectionReleaseOnCancel: true 22 | -------------------------------------------------------------------------------- /config/manager/kustomization.yaml: -------------------------------------------------------------------------------- 1 | resources: 2 | - manager.yaml 3 | 4 | generatorOptions: 5 | disableNameSuffixHash: true 6 | 7 | configMapGenerator: 8 | - name: manager-config 9 | files: 10 | - controller_manager_config.yaml 11 | -------------------------------------------------------------------------------- /config/rbac/auth_proxy_client_clusterrole.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRole 3 | metadata: 4 | name: metrics-reader 5 | rules: 6 | - nonResourceURLs: 7 | - "/metrics" 8 | verbs: 9 | - get 10 | -------------------------------------------------------------------------------- /config/rbac/auth_proxy_role.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRole 3 | metadata: 4 | name: proxy-role 5 | rules: 6 | - apiGroups: 7 | - authentication.k8s.io 8 | resources: 9 | - tokenreviews 10 | verbs: 11 | - create 12 | - apiGroups: 13 | - authorization.k8s.io 14 | resources: 15 | - subjectaccessreviews 16 | verbs: 17 | - create 18 | -------------------------------------------------------------------------------- /config/rbac/auth_proxy_role_binding.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRoleBinding 3 | metadata: 4 | name: proxy-rolebinding 5 | roleRef: 6 | apiGroup: rbac.authorization.k8s.io 7 | kind: ClusterRole 8 | name: proxy-role 9 | subjects: 10 | - kind: ServiceAccount 11 | name: controller-manager 12 | namespace: system 13 | -------------------------------------------------------------------------------- 
/config/rbac/auth_proxy_service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | labels: 5 | control-plane: controller-manager 6 | name: controller-manager-metrics-service 7 | namespace: system 8 | spec: 9 | ports: 10 | - name: https 11 | port: 8443 12 | protocol: TCP 13 | targetPort: https 14 | selector: 15 | control-plane: controller-manager 16 | -------------------------------------------------------------------------------- /config/rbac/certificatestore_editor_role.yaml: -------------------------------------------------------------------------------- 1 | # permissions for end users to edit certificatestores. 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRole 4 | metadata: 5 | name: certificatestore-editor-role 6 | rules: 7 | - apiGroups: 8 | - config.ratify.deislabs.io 9 | resources: 10 | - certificatestores 11 | verbs: 12 | - create 13 | - delete 14 | - get 15 | - list 16 | - patch 17 | - update 18 | - watch 19 | - apiGroups: 20 | - config.ratify.deislabs.io 21 | resources: 22 | - certificatestores/status 23 | verbs: 24 | - get 25 | -------------------------------------------------------------------------------- /config/rbac/certificatestore_viewer_role.yaml: -------------------------------------------------------------------------------- 1 | # permissions for end users to view certificatestores. 
2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRole 4 | metadata: 5 | name: certificatestore-viewer-role 6 | rules: 7 | - apiGroups: 8 | - config.ratify.deislabs.io 9 | resources: 10 | - certificatestores 11 | verbs: 12 | - get 13 | - list 14 | - watch 15 | - apiGroups: 16 | - config.ratify.deislabs.io 17 | resources: 18 | - certificatestores/status 19 | verbs: 20 | - get 21 | -------------------------------------------------------------------------------- /config/rbac/keymanagementprovider_editor_role.yaml: -------------------------------------------------------------------------------- 1 | # permissions for end users to edit keymanagementproviders. 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRole 4 | metadata: 5 | labels: 6 | app.kubernetes.io/name: clusterrole 7 | app.kubernetes.io/instance: keymanagementprovider-editor-role 8 | app.kubernetes.io/component: rbac 9 | app.kubernetes.io/created-by: ratify 10 | app.kubernetes.io/part-of: ratify 11 | app.kubernetes.io/managed-by: kustomize 12 | name: keymanagementprovider-editor-role 13 | rules: 14 | - apiGroups: 15 | - config.ratify.deislabs.io 16 | resources: 17 | - keymanagementproviders 18 | verbs: 19 | - create 20 | - delete 21 | - get 22 | - list 23 | - patch 24 | - update 25 | - watch 26 | - apiGroups: 27 | - config.ratify.deislabs.io 28 | resources: 29 | - keymanagementproviders/status 30 | verbs: 31 | - get 32 | -------------------------------------------------------------------------------- /config/rbac/keymanagementprovider_viewer_role.yaml: -------------------------------------------------------------------------------- 1 | # permissions for end users to view keymanagementproviders. 
2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRole 4 | metadata: 5 | labels: 6 | app.kubernetes.io/name: clusterrole 7 | app.kubernetes.io/instance: keymanagementprovider-viewer-role 8 | app.kubernetes.io/component: rbac 9 | app.kubernetes.io/created-by: ratify 10 | app.kubernetes.io/part-of: ratify 11 | app.kubernetes.io/managed-by: kustomize 12 | name: keymanagementprovider-viewer-role 13 | rules: 14 | - apiGroups: 15 | - config.ratify.deislabs.io 16 | resources: 17 | - keymanagementproviders 18 | verbs: 19 | - get 20 | - list 21 | - watch 22 | - apiGroups: 23 | - config.ratify.deislabs.io 24 | resources: 25 | - keymanagementproviders/status 26 | verbs: 27 | - get 28 | -------------------------------------------------------------------------------- /config/rbac/kustomization.yaml: -------------------------------------------------------------------------------- 1 | resources: 2 | # All RBAC will be applied under this service account in 3 | # the deployment namespace. You may comment out this resource 4 | # if your manager will use a service account that exists at 5 | # runtime. Be sure to update RoleBinding and ClusterRoleBinding 6 | # subjects if changing service account names. 7 | - service_account.yaml 8 | - role.yaml 9 | - role_binding.yaml 10 | - leader_election_role.yaml 11 | - leader_election_role_binding.yaml 12 | # Comment the following 4 lines if you want to disable 13 | # the auth proxy (https://github.com/brancz/kube-rbac-proxy) 14 | # which protects your /metrics endpoint. 15 | - auth_proxy_service.yaml 16 | - auth_proxy_role.yaml 17 | - auth_proxy_role_binding.yaml 18 | - auth_proxy_client_clusterrole.yaml 19 | -------------------------------------------------------------------------------- /config/rbac/leader_election_role.yaml: -------------------------------------------------------------------------------- 1 | # permissions to do leader election. NOTE(security): these rules grant get/list/watch/create/update/patch/delete on every ConfigMap and Lease in the namespace, not just the election resource, so the manager can also rewrite its own manager-config ConfigMap; if your controller-runtime version locks on Leases only, drop the ConfigMap rule to keep least privilege. 
2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: Role 4 | metadata: 5 | name: leader-election-role 6 | rules: 7 | - apiGroups: 8 | - "" 9 | resources: 10 | - configmaps 11 | verbs: 12 | - get 13 | - list 14 | - watch 15 | - create 16 | - update 17 | - patch 18 | - delete 19 | - apiGroups: 20 | - coordination.k8s.io 21 | resources: 22 | - leases 23 | verbs: 24 | - get 25 | - list 26 | - watch 27 | - create 28 | - update 29 | - patch 30 | - delete 31 | - apiGroups: 32 | - "" 33 | resources: 34 | - events 35 | verbs: 36 | - create 37 | - patch 38 | -------------------------------------------------------------------------------- /config/rbac/leader_election_role_binding.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: RoleBinding 3 | metadata: 4 | name: leader-election-rolebinding 5 | roleRef: 6 | apiGroup: rbac.authorization.k8s.io 7 | kind: Role 8 | name: leader-election-role 9 | subjects: 10 | - kind: ServiceAccount 11 | name: controller-manager 12 | namespace: system 13 | -------------------------------------------------------------------------------- /config/rbac/namespacedkeymanagementprovider_editor_role.yaml: -------------------------------------------------------------------------------- 1 | # permissions for end users to edit namespacedkeymanagementproviders. 
2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRole 4 | metadata: 5 | labels: 6 | app.kubernetes.io/name: clusterrole 7 | app.kubernetes.io/instance: namespacedkeymanagementprovider-editor-role 8 | app.kubernetes.io/component: rbac 9 | app.kubernetes.io/created-by: ratify 10 | app.kubernetes.io/part-of: ratify 11 | app.kubernetes.io/managed-by: kustomize 12 | name: namespacedkeymanagementprovider-editor-role 13 | rules: 14 | - apiGroups: 15 | - config.ratify.deislabs.io 16 | resources: 17 | - namespacedkeymanagementproviders 18 | verbs: 19 | - create 20 | - delete 21 | - get 22 | - list 23 | - patch 24 | - update 25 | - watch 26 | - apiGroups: 27 | - config.ratify.deislabs.io 28 | resources: 29 | - namespacedkeymanagementproviders/status 30 | verbs: 31 | - get 32 | -------------------------------------------------------------------------------- /config/rbac/namespacedkeymanagementprovider_viewer_role.yaml: -------------------------------------------------------------------------------- 1 | # permissions for end users to view namespacedkeymanagementproviders. 
2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRole 4 | metadata: 5 | labels: 6 | app.kubernetes.io/name: clusterrole 7 | app.kubernetes.io/instance: namespacedkeymanagementprovider-viewer-role 8 | app.kubernetes.io/component: rbac 9 | app.kubernetes.io/created-by: ratify 10 | app.kubernetes.io/part-of: ratify 11 | app.kubernetes.io/managed-by: kustomize 12 | name: namespacedkeymanagementprovider-viewer-role 13 | rules: 14 | - apiGroups: 15 | - config.ratify.deislabs.io 16 | resources: 17 | - namespacedkeymanagementproviders 18 | verbs: 19 | - get 20 | - list 21 | - watch 22 | - apiGroups: 23 | - config.ratify.deislabs.io 24 | resources: 25 | - namespacedkeymanagementproviders/status 26 | verbs: 27 | - get 28 | -------------------------------------------------------------------------------- /config/rbac/namespacedpolicy_editor_role.yaml: -------------------------------------------------------------------------------- 1 | # permissions for end users to edit namespacedpolicies. 
2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRole 4 | metadata: 5 | labels: 6 | app.kubernetes.io/name: clusterrole 7 | app.kubernetes.io/instance: namespacedpolicy-editor-role 8 | app.kubernetes.io/component: rbac 9 | app.kubernetes.io/created-by: ratify 10 | app.kubernetes.io/part-of: ratify 11 | app.kubernetes.io/managed-by: kustomize 12 | name: namespacedpolicy-editor-role 13 | rules: 14 | - apiGroups: 15 | - config.ratify.deislabs.io 16 | resources: 17 | - namespacedpolicies 18 | verbs: 19 | - create 20 | - delete 21 | - get 22 | - list 23 | - patch 24 | - update 25 | - watch 26 | - apiGroups: 27 | - config.ratify.deislabs.io 28 | resources: 29 | - namespacedpolicies/status 30 | verbs: 31 | - get 32 | -------------------------------------------------------------------------------- /config/rbac/namespacedpolicy_viewer_role.yaml: -------------------------------------------------------------------------------- 1 | # permissions for end users to view namespacedpolicies. 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRole 4 | metadata: 5 | labels: 6 | app.kubernetes.io/name: clusterrole 7 | app.kubernetes.io/instance: namespacedpolicy-viewer-role 8 | app.kubernetes.io/component: rbac 9 | app.kubernetes.io/created-by: ratify 10 | app.kubernetes.io/part-of: ratify 11 | app.kubernetes.io/managed-by: kustomize 12 | name: namespacedpolicy-viewer-role 13 | rules: 14 | - apiGroups: 15 | - config.ratify.deislabs.io 16 | resources: 17 | - namespacedpolicies 18 | verbs: 19 | - get 20 | - list 21 | - watch 22 | - apiGroups: 23 | - config.ratify.deislabs.io 24 | resources: 25 | - namespacedpolicies/status 26 | verbs: 27 | - get 28 | -------------------------------------------------------------------------------- /config/rbac/namespacedstore_editor_role.yaml: -------------------------------------------------------------------------------- 1 | # permissions for end users to edit namespacedstores. 
2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRole 4 | metadata: 5 | labels: 6 | app.kubernetes.io/name: clusterrole 7 | app.kubernetes.io/instance: namespacedstore-editor-role 8 | app.kubernetes.io/component: rbac 9 | app.kubernetes.io/created-by: ratify 10 | app.kubernetes.io/part-of: ratify 11 | app.kubernetes.io/managed-by: kustomize 12 | name: namespacedstore-editor-role 13 | rules: 14 | - apiGroups: 15 | - config.ratify.deislabs.io 16 | resources: 17 | - namespacedstores 18 | verbs: 19 | - create 20 | - delete 21 | - get 22 | - list 23 | - patch 24 | - update 25 | - watch 26 | - apiGroups: 27 | - config.ratify.deislabs.io 28 | resources: 29 | - namespacedstores/status 30 | verbs: 31 | - get 32 | -------------------------------------------------------------------------------- /config/rbac/namespacedstore_viewer_role.yaml: -------------------------------------------------------------------------------- 1 | # permissions for end users to view namespacedstores. 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRole 4 | metadata: 5 | labels: 6 | app.kubernetes.io/name: clusterrole 7 | app.kubernetes.io/instance: namespacedstore-viewer-role 8 | app.kubernetes.io/component: rbac 9 | app.kubernetes.io/created-by: ratify 10 | app.kubernetes.io/part-of: ratify 11 | app.kubernetes.io/managed-by: kustomize 12 | name: namespacedstore-viewer-role 13 | rules: 14 | - apiGroups: 15 | - config.ratify.deislabs.io 16 | resources: 17 | - namespacedstores 18 | verbs: 19 | - get 20 | - list 21 | - watch 22 | - apiGroups: 23 | - config.ratify.deislabs.io 24 | resources: 25 | - namespacedstores/status 26 | verbs: 27 | - get 28 | -------------------------------------------------------------------------------- /config/rbac/namespacedverifier_editor_role.yaml: -------------------------------------------------------------------------------- 1 | # permissions for end users to edit namespacedverifiers. 
2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRole 4 | metadata: 5 | labels: 6 | app.kubernetes.io/name: clusterrole 7 | app.kubernetes.io/instance: namespacedverifier-editor-role 8 | app.kubernetes.io/component: rbac 9 | app.kubernetes.io/created-by: ratify 10 | app.kubernetes.io/part-of: ratify 11 | app.kubernetes.io/managed-by: kustomize 12 | name: namespacedverifier-editor-role 13 | rules: 14 | - apiGroups: 15 | - config.ratify.deislabs.io 16 | resources: 17 | - namespacedverifiers 18 | verbs: 19 | - create 20 | - delete 21 | - get 22 | - list 23 | - patch 24 | - update 25 | - watch 26 | - apiGroups: 27 | - config.ratify.deislabs.io 28 | resources: 29 | - namespacedverifiers/status 30 | verbs: 31 | - get 32 | -------------------------------------------------------------------------------- /config/rbac/namespacedverifier_viewer_role.yaml: -------------------------------------------------------------------------------- 1 | # permissions for end users to view namespacedverifiers. 
2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRole 4 | metadata: 5 | labels: 6 | app.kubernetes.io/name: clusterrole 7 | app.kubernetes.io/instance: namespacedverifier-viewer-role 8 | app.kubernetes.io/component: rbac 9 | app.kubernetes.io/created-by: ratify 10 | app.kubernetes.io/part-of: ratify 11 | app.kubernetes.io/managed-by: kustomize 12 | name: namespacedverifier-viewer-role 13 | rules: 14 | - apiGroups: 15 | - config.ratify.deislabs.io 16 | resources: 17 | - namespacedverifiers 18 | verbs: 19 | - get 20 | - list 21 | - watch 22 | - apiGroups: 23 | - config.ratify.deislabs.io 24 | resources: 25 | - namespacedverifiers/status 26 | verbs: 27 | - get 28 | -------------------------------------------------------------------------------- /config/rbac/role_binding.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRoleBinding 3 | metadata: 4 | name: manager-rolebinding 5 | roleRef: 6 | apiGroup: rbac.authorization.k8s.io 7 | kind: ClusterRole 8 | name: manager-role 9 | subjects: 10 | - kind: ServiceAccount 11 | name: controller-manager 12 | namespace: system 13 | -------------------------------------------------------------------------------- /config/rbac/service_account.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ServiceAccount 3 | metadata: 4 | name: controller-manager 5 | namespace: system 6 | -------------------------------------------------------------------------------- /config/rbac/store_editor_role.yaml: -------------------------------------------------------------------------------- 1 | # permissions for end users to edit stores. 
2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRole 4 | metadata: 5 | name: store-editor-role 6 | rules: 7 | - apiGroups: 8 | - config.ratify.deislabs.io 9 | resources: 10 | - stores 11 | verbs: 12 | - create 13 | - delete 14 | - get 15 | - list 16 | - patch 17 | - update 18 | - watch 19 | - apiGroups: 20 | - config.ratify.deislabs.io 21 | resources: 22 | - stores/status 23 | verbs: 24 | - get 25 | -------------------------------------------------------------------------------- /config/rbac/store_viewer_role.yaml: -------------------------------------------------------------------------------- 1 | # permissions for end users to view stores. 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRole 4 | metadata: 5 | name: store-viewer-role 6 | rules: 7 | - apiGroups: 8 | - config.ratify.deislabs.io 9 | resources: 10 | - stores 11 | verbs: 12 | - get 13 | - list 14 | - watch 15 | - apiGroups: 16 | - config.ratify.deislabs.io 17 | resources: 18 | - stores/status 19 | verbs: 20 | - get 21 | -------------------------------------------------------------------------------- /config/rbac/verifier_editor_role.yaml: -------------------------------------------------------------------------------- 1 | # permissions for end users to edit verifiers. 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRole 4 | metadata: 5 | name: verifier-editor-role 6 | rules: 7 | - apiGroups: 8 | - config.ratify.deislabs.io 9 | resources: 10 | - verifiers 11 | verbs: 12 | - create 13 | - delete 14 | - get 15 | - list 16 | - patch 17 | - update 18 | - watch 19 | - apiGroups: 20 | - config.ratify.deislabs.io 21 | resources: 22 | - verifiers/status 23 | verbs: 24 | - get 25 | -------------------------------------------------------------------------------- /config/rbac/verifier_viewer_role.yaml: -------------------------------------------------------------------------------- 1 | # permissions for end users to view verifiers. 
2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRole 4 | metadata: 5 | name: verifier-viewer-role 6 | rules: 7 | - apiGroups: 8 | - config.ratify.deislabs.io 9 | resources: 10 | - verifiers 11 | verbs: 12 | - get 13 | - list 14 | - watch 15 | - apiGroups: 16 | - config.ratify.deislabs.io 17 | resources: 18 | - verifiers/status 19 | verbs: 20 | - get 21 | -------------------------------------------------------------------------------- /config/samples/clustered/kmp/config_v1beta1_keymanagementprovider_akv.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: config.ratify.deislabs.io/v1beta1 2 | kind: KeyManagementProvider 3 | metadata: 4 | name: keymanagementprovider-akv 5 | spec: 6 | type: azurekeyvault 7 | parameters: 8 | vaultURI: https://yourkeyvault.vault.azure.net/ 9 | certificates: 10 | - name: yourCertName 11 | version: yourCertVersion # Optional, fetch latest version if empty 12 | tenantID: 13 | clientID: 14 | -------------------------------------------------------------------------------- /config/samples/clustered/kmp/config_v1beta1_keymanagementprovider_akv_refresh_enabled.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: config.ratify.deislabs.io/v1beta1 2 | kind: KeyManagementProvider 3 | metadata: 4 | name: keymanagementprovider-akv 5 | spec: 6 | type: azurekeyvault 7 | refreshInterval: 1m 8 | parameters: 9 | vaultURI: https://yourkeyvault.vault.azure.net/ 10 | certificates: 11 | - name: yourCertName 12 | version: yourCertVersion # Optional, fetch latest version if empty 13 | tenantID: 14 | clientID: 15 | -------------------------------------------------------------------------------- /config/samples/clustered/policy/config_v1alpha1_policy_json.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: config.ratify.deislabs.io/v1alpha1 2 | kind: Policy # Policy applies to the cluster. 
3 | metadata: 4 | name: "configpolicy" # Ensure that metadata.name is either 'regopolicy' or 'configpolicy' 5 | spec: 6 | parameters: 7 | artifactVerificationPolicies: 8 | default: "all" 9 | -------------------------------------------------------------------------------- /config/samples/clustered/policy/config_v1alpha1_policy_rego.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: config.ratify.deislabs.io/v1alpha1 2 | kind: Policy # Policy applies to the cluster. 3 | metadata: 4 | name: "regopolicy" # Ensure that metadata.name is either 'regopolicy' or 'configpolicy' 5 | spec: 6 | parameters: 7 | passthroughEnabled: false 8 | policy: | 9 | package ratify.policy 10 | 11 | default valid := false 12 | 13 | # all artifacts MUST be valid 14 | valid { 15 | not failed_verify(input) 16 | } 17 | 18 | # all reports MUST pass the verification 19 | failed_verify(reports) { 20 | [path, value] := walk(reports) 21 | value == false 22 | path[count(path) - 1] == "isSuccess" 23 | } 24 | 25 | # each artifact MUST have at least one report 26 | failed_verify(reports) { 27 | [path, value] := walk(reports) 28 | path[count(path) - 1] == "verifierReports" 29 | count(value) == 0 30 | } 31 | 32 | -------------------------------------------------------------------------------- /config/samples/clustered/policy/config_v1beta1_policy_json.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: config.ratify.deislabs.io/v1beta1 2 | kind: Policy # Policy applies to the cluster. 3 | metadata: 4 | name: "ratify-policy" # metadata.name MUST be set to ratify-policy since v1beta1. 5 | spec: 6 | type: "config-policy" # Ensure that spec.type is either 'rego-policy' or 'config-policy' in v1beta1. 
7 | parameters: 8 | artifactVerificationPolicies: 9 | default: "all" 10 | -------------------------------------------------------------------------------- /config/samples/clustered/policy/config_v1beta1_policy_rego.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: config.ratify.deislabs.io/v1beta1 2 | kind: Policy # Policy applies to the cluster. 3 | metadata: 4 | name: "ratify-policy" # metadata.name MUST be set to ratify-policy since v1beta1. 5 | spec: 6 | type: "rego-policy" # Ensure that spec.type is either 'rego-policy' or 'config-policy' in v1beta1. 7 | parameters: 8 | passthroughEnabled: false 9 | policy: | 10 | package ratify.policy 11 | 12 | default valid := false 13 | 14 | # all artifacts MUST be valid 15 | valid { 16 | not failed_verify(input) 17 | } 18 | 19 | # all reports MUST pass the verification 20 | failed_verify(reports) { 21 | [path, value] := walk(reports) 22 | value == false 23 | path[count(path) - 1] == "isSuccess" 24 | } 25 | 26 | # each artifact MUST have at least one report 27 | failed_verify(reports) { 28 | [path, value] := walk(reports) 29 | path[count(path) - 1] == "verifierReports" 30 | count(value) == 0 31 | } 32 | -------------------------------------------------------------------------------- /config/samples/clustered/store/config_v1beta1_store_dynamic.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: config.ratify.deislabs.io/v1beta1 2 | kind: Store 3 | metadata: 4 | name: store-dynamic 5 | spec: 6 | name: dynamic 7 | source: 8 | artifact: wabbitnetworks.azurecr.io/test/sample-store-plugin:v1 9 | -------------------------------------------------------------------------------- /config/samples/clustered/store/config_v1beta1_store_oras.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: config.ratify.deislabs.io/v1beta1 2 | kind: Store 3 | metadata: 4 | name: store-oras 5 | spec: 6 
| name: oras 7 | parameters: 8 | cacheEnabled: true 9 | cosignEnabled: true 10 | ttl: 10 11 | -------------------------------------------------------------------------------- /config/samples/clustered/store/config_v1beta1_store_oras_http.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: config.ratify.deislabs.io/v1beta1 2 | kind: Store 3 | metadata: 4 | name: store-oras 5 | spec: 6 | name: oras 7 | parameters: 8 | cacheEnabled: true 9 | cosignEnabled: true 10 | ttl: 10 11 | useHttp: true -------------------------------------------------------------------------------- /config/samples/clustered/store/config_v1beta1_store_oras_k8secretAuth.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: config.ratify.deislabs.io/v1beta1 2 | kind: Store 3 | metadata: 4 | name: store-oras 5 | spec: 6 | name: oras 7 | parameters: 8 | cacheEnabled: true 9 | ttl: 10 10 | useHttp: true 11 | authProvider: 12 | name: k8Secrets 13 | secrets: 14 | - secretName: ratify-dockerconfig -------------------------------------------------------------------------------- /config/samples/clustered/verifier/config_v1alpha1_store_oras_http.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: config.ratify.deislabs.io/v1alpha1 2 | kind: Store 3 | metadata: 4 | name: store-oras 5 | spec: 6 | name: oras 7 | parameters: 8 | cacheEnabled: true 9 | cosignEnabled: true 10 | ttl: 10 11 | useHttp: true 12 | -------------------------------------------------------------------------------- /config/samples/clustered/verifier/config_v1alpha1_verifier_notation.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: config.ratify.deislabs.io/v1alpha1 2 | kind: Verifier 3 | metadata: 4 | name: verifier-notation 5 | spec: 6 | name: notation 7 | artifactTypes: application/vnd.cncf.notary.signature 8 | parameters: 9 | 
verificationCertStores: 10 | certs: 11 | - ratify-notation-inline-cert-0 12 | trustPolicyDoc: 13 | version: "1.0" 14 | trustPolicies: 15 | - name: default 16 | registryScopes: 17 | - "*" 18 | signatureVerification: 19 | level: strict 20 | trustStores: 21 | - ca:certs 22 | trustedIdentities: 23 | - "*" 24 | -------------------------------------------------------------------------------- /config/samples/clustered/verifier/config_v1beta1_verifier_complete_licensechecker.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: config.ratify.deislabs.io/v1beta1 2 | kind: Verifier 3 | metadata: 4 | name: verifier-license-checker 5 | spec: 6 | name: licensechecker 7 | artifactTypes: application/vnd.ratify.spdx.v0 8 | parameters: 9 | allowedLicenses: 10 | - MIT 11 | - GPL-2.0-only 12 | - OpenSSL 13 | - BSD-2-Clause AND BSD-3-Clause 14 | - Zlib 15 | - MPL-2.0 AND MIT 16 | - ISC 17 | - Apache-2.0 18 | - MIT AND BSD-2-Clause AND GPL-2.0-or-later, 19 | - MIT AND LicenseRef-AND AND BSD-2-Clause AND LicenseRef-AND AND GPL-2.0-or-later 20 | - MPL-2.0 AND LicenseRef-AND AND MIT 21 | - BSD-2-Clause AND LicenseRef-AND AND BSD-3-Clause 22 | - NONE 23 | - NOASSERTION 24 | - "" -------------------------------------------------------------------------------- /config/samples/clustered/verifier/config_v1beta1_verifier_cosign.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: config.ratify.deislabs.io/v1beta1 2 | kind: Verifier 3 | metadata: 4 | name: verifier-cosign 5 | spec: 6 | name: cosign 7 | artifactTypes: application/vnd.dev.cosign.artifact.sig.v1+json 8 | parameters: 9 | trustPolicies: 10 | - name: default 11 | scopes: 12 | - "*" 13 | keys: 14 | - provider: ratify-cosign-inline-key-0 15 | tLogVerify: false -------------------------------------------------------------------------------- /config/samples/clustered/verifier/config_v1beta1_verifier_cosign_keyless_legacy.yaml: 
-------------------------------------------------------------------------------- 1 | apiVersion: config.ratify.deislabs.io/v1beta1 2 | kind: Verifier 3 | metadata: 4 | name: verifier-cosign 5 | spec: 6 | name: cosign 7 | artifactTypes: application/vnd.dev.cosign.artifact.sig.v1+json 8 | parameters: 9 | rekorURL: https://rekor.sigstore.dev -------------------------------------------------------------------------------- /config/samples/clustered/verifier/config_v1beta1_verifier_cosign_legacy.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: config.ratify.deislabs.io/v1beta1 2 | kind: Verifier 3 | metadata: 4 | name: verifier-cosign 5 | spec: 6 | name: cosign 7 | artifactTypes: application/vnd.dev.cosign.artifact.sig.v1+json 8 | parameters: 9 | key: /usr/local/ratify-certs/cosign/cosign.pub -------------------------------------------------------------------------------- /config/samples/clustered/verifier/config_v1beta1_verifier_dynamic.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: config.ratify.deislabs.io/v1beta1 2 | kind: Verifier 3 | metadata: 4 | name: verifier-dynamic 5 | spec: 6 | name: dynamic 7 | artifactTypes: application/vnd.ratify.spdx.v0 8 | source: 9 | artifact: wabbitnetworks.azurecr.io/test/sample-verifier-plugin:v1 10 | -------------------------------------------------------------------------------- /config/samples/clustered/verifier/config_v1beta1_verifier_notation.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: config.ratify.deislabs.io/v1beta1 2 | kind: Verifier 3 | metadata: 4 | name: verifier-notation 5 | spec: 6 | name: notation 7 | artifactTypes: application/vnd.cncf.notary.signature 8 | parameters: 9 | verificationCertStores: 10 | ca: 11 | ca-certs: 12 | - ratify-notation-inline-cert-0 13 | trustPolicyDoc: 14 | version: "1.0" 15 | trustPolicies: 16 | - name: default 17 | 
registryScopes: 18 | - "*" 19 | signatureVerification: 20 | level: strict 21 | trustStores: 22 | - ca:ca-certs 23 | trustedIdentities: 24 | - "*" 25 | -------------------------------------------------------------------------------- /config/samples/clustered/verifier/config_v1beta1_verifier_notation_kmprovider.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: config.ratify.deislabs.io/v1beta1 2 | kind: Verifier 3 | metadata: 4 | name: verifier-notation 5 | spec: 6 | name: notation 7 | artifactTypes: application/vnd.cncf.notary.signature 8 | parameters: 9 | verificationCertStores: 10 | ca: 11 | ca-certs: 12 | - kmprovider-akv 13 | trustPolicyDoc: 14 | version: "1.0" 15 | trustPolicies: 16 | - name: default 17 | registryScopes: 18 | - "*" 19 | signatureVerification: 20 | level: strict 21 | trustStores: 22 | - ca:ca-certs 23 | trustedIdentities: 24 | - "*" 25 | -------------------------------------------------------------------------------- /config/samples/clustered/verifier/config_v1beta1_verifier_notation_specificnskmprovider.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: config.ratify.deislabs.io/v1beta1 2 | kind: Verifier 3 | metadata: 4 | name: verifier-notation 5 | spec: 6 | name: notation 7 | artifactTypes: application/vnd.cncf.notary.signature 8 | parameters: 9 | verificationCertStores: 10 | ca: 11 | ca-certs: 12 | - default/ratify-notation-inline-cert-0 13 | trustPolicyDoc: 14 | version: "1.0" 15 | trustPolicies: 16 | - name: default 17 | registryScopes: 18 | - "*" 19 | signatureVerification: 20 | level: strict 21 | trustStores: 22 | - ca:ca-certs 23 | trustedIdentities: 24 | - "*" 25 | -------------------------------------------------------------------------------- /config/samples/clustered/verifier/config_v1beta1_verifier_partial_licensechecker.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: 
config.ratify.deislabs.io/v1beta1 2 | kind: Verifier 3 | metadata: 4 | name: verifier-license-checker 5 | spec: 6 | name: licensechecker 7 | artifactTypes: application/vnd.ratify.spdx.v0 8 | parameters: 9 | allowedLicenses: 10 | - MIT 11 | -------------------------------------------------------------------------------- /config/samples/clustered/verifier/config_v1beta1_verifier_sbom.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: config.ratify.deislabs.io/v1beta1 2 | kind: Verifier 3 | metadata: 4 | name: verifier-sbom 5 | spec: 6 | name: sbom 7 | artifactTypes: application/spdx+json 8 | parameters: 9 | nestedReferences: application/vnd.cncf.notary.signature -------------------------------------------------------------------------------- /config/samples/clustered/verifier/config_v1beta1_verifier_sbom_deny.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: config.ratify.deislabs.io/v1beta1 2 | kind: Verifier 3 | metadata: 4 | name: verifier-sbom 5 | spec: 6 | name: sbom 7 | version: 2.0.0-alpha.1 8 | artifactTypes: application/spdx+json 9 | parameters: 10 | disallowedLicenses: 11 | - Zlib 12 | disallowedPackages: 13 | - name: musl-utils 14 | version: 1.2.3-r4 15 | nestedReferences: application/vnd.cncf.notary.signature -------------------------------------------------------------------------------- /config/samples/clustered/verifier/config_v1beta1_verifier_schemavalidator.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: config.ratify.deislabs.io/v1beta1 2 | kind: Verifier 3 | metadata: 4 | name: verifier-schemavalidator 5 | spec: 6 | name: schemavalidator 7 | artifactTypes: application/vnd.aquasecurity.trivy.report.sarif.v1 8 | parameters: 9 | schemas: 10 | application/sarif+json: https://json.schemastore.org/sarif-2.1.0-rtm.5.json 11 | 
-------------------------------------------------------------------------------- /config/samples/clustered/verifier/config_v1beta1_verifier_schemavalidator_bad.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: config.ratify.deislabs.io/v1beta1 2 | kind: Verifier 3 | metadata: 4 | name: verifier-schemavalidator 5 | spec: 6 | name: schemavalidator 7 | artifactTypes: application/vnd.aquasecurity.trivy.report.sarif.v1 8 | parameters: 9 | schemas: 10 | application/sarif+json: https://json.schemastore.org/sourcehut-build-0.65.0.json 11 | -------------------------------------------------------------------------------- /config/samples/clustered/verifier/config_v1beta1_verifier_vulnerabilityreport.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: config.ratify.deislabs.io/v1beta1 2 | kind: Verifier 3 | metadata: 4 | name: verifier-vulnerabilityreport 5 | spec: 6 | name: vulnerabilityreport 7 | artifactTypes: application/sarif+json 8 | parameters: 9 | maximumAge: 24h 10 | disallowedSeverities: 11 | - high 12 | - critical 13 | denylistCVEs: 14 | - CVE-2021-44228 # Log4Shell 15 | -------------------------------------------------------------------------------- /config/samples/clustered/verifier/config_v1beta1_verifier_vulnerabilityreport2.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: config.ratify.deislabs.io/v1beta1 2 | kind: Verifier 3 | metadata: 4 | name: verifier-vulnerabilityreport 5 | spec: 6 | name: vulnerabilityreport 7 | artifactTypes: application/sarif+json 8 | parameters: 9 | maximumAge: 24h 10 | denylistCVEs: 11 | - CVE-2021-44228 # Log4Shell 12 | -------------------------------------------------------------------------------- /config/samples/config_v1beta1_certstore_akv.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: config.ratify.deislabs.io/v1beta1 
2 | kind: CertificateStore 3 | metadata: 4 | name: certstore-akv 5 | spec: 6 | provider: azurekeyvault 7 | parameters: 8 | vaultURI: https://yourkeyvault.vault.azure.net/ 9 | certificates: | 10 | array: 11 | - | 12 | certificateName: yourCertName 13 | #Optional, fetch latest version if empty 14 | certificateVersion: yourCertVersion 15 | tenantID: 16 | clientID: -------------------------------------------------------------------------------- /config/samples/namespaced/kmp/config_v1beta1_keymanagementprovider_akv.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: config.ratify.deislabs.io/v1beta1 2 | kind: NamespacedKeyManagementProvider 3 | metadata: 4 | name: keymanagementprovider-akv 5 | spec: 6 | type: azurekeyvault 7 | parameters: 8 | vaultURI: https://yourkeyvault.vault.azure.net/ 9 | certificates: 10 | - name: yourCertName 11 | version: yourCertVersion # Optional, fetch latest version if empty 12 | tenantID: 13 | clientID: 14 | -------------------------------------------------------------------------------- /config/samples/namespaced/kmp/config_v1beta1_keymanagementprovider_akv_refresh_enabled.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: config.ratify.deislabs.io/v1beta1 2 | kind: NamespacedKeyManagementProvider 3 | metadata: 4 | name: keymanagementprovider-akv 5 | spec: 6 | type: azurekeyvault 7 | refreshInterval: 1m 8 | parameters: 9 | vaultURI: https://yourkeyvault.vault.azure.net/ 10 | certificates: 11 | - name: yourCertName 12 | version: yourCertVersion # Optional, fetch latest version if empty 13 | tenantID: 14 | clientID: 15 | -------------------------------------------------------------------------------- /config/samples/namespaced/policy/config_v1beta1_policy_json.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: config.ratify.deislabs.io/v1beta1 2 | kind: NamespacedPolicy # NamespacedPolicy 
only applies to specified namespace. 3 | metadata: 4 | name: "ratify-policy" # metadata.name MUST be set to ratify-policy since v1beta1. 5 | spec: 6 | type: "config-policy" # Ensure that spec.type is either 'rego-policy' or 'config-policy' in v1beta1. 7 | parameters: 8 | artifactVerificationPolicies: 9 | default: "all" 10 | -------------------------------------------------------------------------------- /config/samples/namespaced/policy/config_v1beta1_policy_rego.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: config.ratify.deislabs.io/v1beta1 2 | kind: NamespacedPolicy # NamespacedPolicy only applies to specified namespace. 3 | metadata: 4 | name: "ratify-policy" # metadata.name MUST be set to ratify-policy since v1beta1. 5 | spec: 6 | type: "rego-policy" # Ensure that spec.type is either 'rego-policy' or 'config-policy' in v1beta1. 7 | parameters: 8 | passthroughEnabled: false 9 | policy: | 10 | package ratify.policy 11 | 12 | default valid := false 13 | 14 | # all artifacts MUST be valid 15 | valid { 16 | not failed_verify(input) 17 | } 18 | 19 | # all reports MUST pass the verification 20 | failed_verify(reports) { 21 | [path, value] := walk(reports) 22 | value == false 23 | path[count(path) - 1] == "isSuccess" 24 | } 25 | 26 | # each artifact MUST have at least one report 27 | failed_verify(reports) { 28 | [path, value] := walk(reports) 29 | path[count(path) - 1] == "verifierReports" 30 | count(value) == 0 31 | } 32 | -------------------------------------------------------------------------------- /config/samples/namespaced/store/config_v1beta1_store_dynamic.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: config.ratify.deislabs.io/v1beta1 2 | kind: NamespacedStore 3 | metadata: 4 | name: store-dynamic 5 | spec: 6 | name: dynamic 7 | source: 8 | artifact: wabbitnetworks.azurecr.io/test/sample-store-plugin:v1 9 | 
-------------------------------------------------------------------------------- /config/samples/namespaced/store/config_v1beta1_store_oras.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: config.ratify.deislabs.io/v1beta1 2 | kind: NamespacedStore 3 | metadata: 4 | name: store-oras 5 | spec: 6 | name: oras 7 | parameters: 8 | cacheEnabled: true 9 | cosignEnabled: true 10 | ttl: 10 11 | -------------------------------------------------------------------------------- /config/samples/namespaced/store/config_v1beta1_store_oras_http.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: config.ratify.deislabs.io/v1beta1 2 | kind: NamespacedStore 3 | metadata: 4 | name: store-oras 5 | spec: 6 | name: oras 7 | parameters: 8 | cacheEnabled: true 9 | cosignEnabled: true 10 | ttl: 10 11 | useHttp: true -------------------------------------------------------------------------------- /config/samples/namespaced/store/config_v1beta1_store_oras_k8secretAuth.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: config.ratify.deislabs.io/v1beta1 2 | kind: NamespacedStore 3 | metadata: 4 | name: store-oras 5 | spec: 6 | name: oras 7 | parameters: 8 | cacheEnabled: true 9 | ttl: 10 10 | useHttp: true 11 | authProvider: 12 | name: k8Secrets 13 | secrets: 14 | - secretName: ratify-dockerconfig -------------------------------------------------------------------------------- /config/samples/namespaced/verifier/config_v1beta1_verifier_complete_licensechecker.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: config.ratify.deislabs.io/v1beta1 2 | kind: NamespacedVerifier 3 | metadata: 4 | name: verifier-license-checker 5 | spec: 6 | name: licensechecker 7 | artifactTypes: application/vnd.ratify.spdx.v0 8 | parameters: 9 | allowedLicenses: 10 | - MIT 11 | - GPL-2.0-only 12 | - OpenSSL 13 | 
- BSD-2-Clause AND BSD-3-Clause 14 | - Zlib 15 | - MPL-2.0 AND MIT 16 | - ISC 17 | - Apache-2.0 18 | - MIT AND BSD-2-Clause AND GPL-2.0-or-later, 19 | - MIT AND LicenseRef-AND AND BSD-2-Clause AND LicenseRef-AND AND GPL-2.0-or-later 20 | - MPL-2.0 AND LicenseRef-AND AND MIT 21 | - BSD-2-Clause AND LicenseRef-AND AND BSD-3-Clause 22 | - NONE 23 | - NOASSERTION 24 | - "" -------------------------------------------------------------------------------- /config/samples/namespaced/verifier/config_v1beta1_verifier_cosign.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: config.ratify.deislabs.io/v1beta1 2 | kind: NamespacedVerifier 3 | metadata: 4 | name: verifier-cosign 5 | spec: 6 | name: cosign 7 | artifactTypes: application/vnd.dev.cosign.artifact.sig.v1+json 8 | parameters: 9 | trustPolicies: 10 | - name: default 11 | scopes: 12 | - "*" 13 | keys: 14 | - provider: default/ratify-cosign-inline-key-0 15 | tLogVerify: false 16 | -------------------------------------------------------------------------------- /config/samples/namespaced/verifier/config_v1beta1_verifier_cosign_keyless.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: config.ratify.deislabs.io/v1beta1 2 | kind: NamespacedVerifier 3 | metadata: 4 | name: verifier-cosign 5 | spec: 6 | name: cosign 7 | artifactTypes: application/vnd.dev.cosign.artifact.sig.v1+json 8 | parameters: 9 | rekorURL: https://rekor.sigstore.dev -------------------------------------------------------------------------------- /config/samples/namespaced/verifier/config_v1beta1_verifier_cosign_legacy.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: config.ratify.deislabs.io/v1beta1 2 | kind: NamespacedVerifier 3 | metadata: 4 | name: verifier-cosign 5 | spec: 6 | name: cosign 7 | artifactTypes: application/vnd.dev.cosign.artifact.sig.v1+json 8 | parameters: 9 | key: 
/usr/local/ratify-certs/cosign/cosign.pub -------------------------------------------------------------------------------- /config/samples/namespaced/verifier/config_v1beta1_verifier_dynamic.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: config.ratify.deislabs.io/v1beta1 2 | kind: NamespacedVerifier 3 | metadata: 4 | name: verifier-dynamic 5 | spec: 6 | name: dynamic 7 | artifactTypes: application/vnd.ratify.spdx.v0 8 | source: 9 | artifact: wabbitnetworks.azurecr.io/test/sample-verifier-plugin:v1 10 | -------------------------------------------------------------------------------- /config/samples/namespaced/verifier/config_v1beta1_verifier_notation.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: config.ratify.deislabs.io/v1beta1 2 | kind: NamespacedVerifier 3 | metadata: 4 | name: verifier-notation 5 | spec: 6 | name: notation 7 | artifactTypes: application/vnd.cncf.notary.signature 8 | parameters: 9 | verificationCertStores: 10 | ca: 11 | ca-certs: 12 | - default/ratify-notation-inline-cert-0 13 | trustPolicyDoc: 14 | version: "1.0" 15 | trustPolicies: 16 | - name: default 17 | registryScopes: 18 | - "*" 19 | signatureVerification: 20 | level: strict 21 | trustStores: 22 | - ca:ca-certs 23 | trustedIdentities: 24 | - "*" 25 | -------------------------------------------------------------------------------- /config/samples/namespaced/verifier/config_v1beta1_verifier_notation_kmprovider.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: config.ratify.deislabs.io/v1beta1 2 | kind: NamespacedVerifier 3 | metadata: 4 | name: verifier-notation 5 | spec: 6 | name: notation 7 | artifactTypes: application/vnd.cncf.notary.signature 8 | parameters: 9 | verificationCertStores: 10 | ca: 11 | ca-certs: 12 | - kmprovider-akv 13 | trustPolicyDoc: 14 | version: "1.0" 15 | trustPolicies: 16 | - name: default 17 | 
registryScopes: 18 | - "*" 19 | signatureVerification: 20 | level: strict 21 | trustStores: 22 | - ca:ca-certs 23 | trustedIdentities: 24 | - "*" 25 | -------------------------------------------------------------------------------- /config/samples/namespaced/verifier/config_v1beta1_verifier_notation_specificnskmprovider.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: config.ratify.deislabs.io/v1beta1 2 | kind: NamespacedVerifier 3 | metadata: 4 | name: verifier-notation 5 | spec: 6 | name: notation 7 | artifactTypes: application/vnd.cncf.notary.signature 8 | parameters: 9 | verificationCertStores: 10 | ca: 11 | ca-certs: 12 | - default/ratify-notation-inline-cert-0 13 | trustPolicyDoc: 14 | version: "1.0" 15 | trustPolicies: 16 | - name: default 17 | registryScopes: 18 | - "*" 19 | signatureVerification: 20 | level: strict 21 | trustStores: 22 | - ca:ca-certs 23 | trustedIdentities: 24 | - "*" 25 | -------------------------------------------------------------------------------- /config/samples/namespaced/verifier/config_v1beta1_verifier_partial_licensechecker.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: config.ratify.deislabs.io/v1beta1 2 | kind: NamespacedVerifier 3 | metadata: 4 | name: verifier-license-checker 5 | spec: 6 | name: licensechecker 7 | artifactTypes: application/vnd.ratify.spdx.v0 8 | parameters: 9 | allowedLicenses: 10 | - MIT 11 | -------------------------------------------------------------------------------- /config/samples/namespaced/verifier/config_v1beta1_verifier_sbom.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: config.ratify.deislabs.io/v1beta1 2 | kind: NamespacedVerifier 3 | metadata: 4 | name: verifier-sbom 5 | spec: 6 | name: sbom 7 | artifactTypes: application/spdx+json 8 | parameters: 9 | nestedReferences: application/vnd.cncf.notary.signature 
-------------------------------------------------------------------------------- /config/samples/namespaced/verifier/config_v1beta1_verifier_sbom_deny.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: config.ratify.deislabs.io/v1beta1 2 | kind: NamespacedVerifier 3 | metadata: 4 | name: verifier-sbom 5 | spec: 6 | name: sbom 7 | version: 2.0.0-alpha.1 8 | artifactTypes: application/spdx+json 9 | parameters: 10 | disallowedLicenses: 11 | - Zlib 12 | disallowedPackages: 13 | - name: musl-utils 14 | version: 1.2.3-r4 15 | nestedReferences: application/vnd.cncf.notary.signature -------------------------------------------------------------------------------- /config/samples/namespaced/verifier/config_v1beta1_verifier_schemavalidator.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: config.ratify.deislabs.io/v1beta1 2 | kind: NamespacedVerifier 3 | metadata: 4 | name: verifier-schemavalidator 5 | spec: 6 | name: schemavalidator 7 | artifactTypes: application/vnd.aquasecurity.trivy.report.sarif.v1 8 | parameters: 9 | schemas: 10 | application/sarif+json: https://json.schemastore.org/sarif-2.1.0-rtm.5.json 11 | -------------------------------------------------------------------------------- /config/samples/namespaced/verifier/config_v1beta1_verifier_schemavalidator_bad.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: config.ratify.deislabs.io/v1beta1 2 | kind: NamespacedVerifier 3 | metadata: 4 | name: verifier-schemavalidator 5 | spec: 6 | name: schemavalidator 7 | artifactTypes: application/vnd.aquasecurity.trivy.report.sarif.v1 8 | parameters: 9 | schemas: 10 | application/sarif+json: https://json.schemastore.org/sourcehut-build-0.65.0.json 11 | -------------------------------------------------------------------------------- /config/samples/namespaced/verifier/config_v1beta1_verifier_vulnerabilityreport.yaml: 
-------------------------------------------------------------------------------- 1 | apiVersion: config.ratify.deislabs.io/v1beta1 2 | kind: NamespacedVerifier 3 | metadata: 4 | name: verifier-vulnerabilityreport 5 | spec: 6 | name: vulnerabilityreport 7 | artifactTypes: application/sarif+json 8 | parameters: 9 | maximumAge: 24h 10 | disallowedSeverities: 11 | - high 12 | - critical 13 | denylistCVEs: 14 | - CVE-2021-44228 # Log4Shell 15 | -------------------------------------------------------------------------------- /config/samples/namespaced/verifier/config_v1beta1_verifier_vulnerabilityreport2.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: config.ratify.deislabs.io/v1beta1 2 | kind: NamespacedVerifier 3 | metadata: 4 | name: verifier-vulnerabilityreport 5 | spec: 6 | name: vulnerabilityreport 7 | artifactTypes: application/sarif+json 8 | parameters: 9 | maximumAge: 24h 10 | denylistCVEs: 11 | - CVE-2021-44228 # Log4Shell 12 | -------------------------------------------------------------------------------- /configs/config.json: -------------------------------------------------------------------------------- 1 | { 2 | "verifiers": [ 3 | { 4 | "name": "notation-1", 5 | "type": "notation", 6 | "parameters": { 7 | "certificates": [ 8 | { 9 | "files": [ 10 | "${CERTIFICATE_PATH}" 11 | ] 12 | } 13 | ] 14 | } 15 | } 16 | ], 17 | "stores": { 18 | "libinbinacr.azurecr.io": { 19 | "type": "registry-store", 20 | "parameters": { 21 | "credential": { 22 | "username": "", 23 | "password": "" 24 | } 25 | } 26 | } 27 | }, 28 | "policyEnforcer": { 29 | "type": "threshold-policy", 30 | "parameters": { 31 | "policy": { 32 | "rules": [ 33 | { 34 | "verifierName": "notation-1" 35 | } 36 | ] 37 | } 38 | } 39 | } 40 | } -------------------------------------------------------------------------------- /configs/constrainttemplates/default/constraint.yaml: 
-------------------------------------------------------------------------------- 1 | apiVersion: constraints.gatekeeper.sh/v1beta1 2 | kind: RatifyVerification 3 | metadata: 4 | name: ratify-constraint 5 | spec: 6 | enforcementAction: deny 7 | match: 8 | kinds: 9 | - apiGroups: [""] 10 | kinds: ["Pod"] 11 | namespaces: ["default"] 12 | -------------------------------------------------------------------------------- /crd.Dockerfile: -------------------------------------------------------------------------------- 1 | # Copyright The Ratify Authors. 2 | # Licensed under the Apache License, Version 2.0 (the "License"); 3 | # you may not use this file except in compliance with the License. 4 | # You may obtain a copy of the License at 5 | 6 | # http://www.apache.org/licenses/LICENSE-2.0 7 | 8 | # Unless required by applicable law or agreed to in writing, software 9 | # distributed under the License is distributed on an "AS IS" BASIS, 10 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 11 | # See the License for the specific language governing permissions and 12 | # limitations under the License. 13 | 14 | FROM alpine@sha256:a8560b36e8b8210634f77d9f7f9efd7ffa463e380b75e2e74aff4511df3ef88c as builder 15 | 16 | ARG TARGETOS 17 | ARG TARGETARCH 18 | ARG KUBE_VERSION 19 | 20 | RUN echo "Ratify crd building on $TARGETOS, building for $TARGETARCH" 21 | 22 | RUN apk add --no-cache curl && \ 23 | curl -LO https://dl.k8s.io/release/v${KUBE_VERSION}/bin/${TARGETOS}/${TARGETARCH}/kubectl && \ 24 | chmod +x kubectl 25 | 26 | FROM scratch as build 27 | USER 65532:65532 28 | COPY --chown=65532:65532 * /crds/ 29 | COPY --from=builder /kubectl /kubectl 30 | ENTRYPOINT ["/kubectl"] 31 | -------------------------------------------------------------------------------- /deployments/ratify-gatekeeper-provider/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 
2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *.orig 18 | *~ 19 | # Various IDEs 20 | .project 21 | .idea/ 22 | *.tmproj 23 | .vscode/ 24 | -------------------------------------------------------------------------------- /deployments/ratify-gatekeeper-provider/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: ratify-gatekeeper-provider 3 | description: A Helm chart for Ratify 4 | type: application 5 | version: 2.0.0-alpha.1 6 | appVersion: "2.0.0-alpha.1" -------------------------------------------------------------------------------- /deployments/ratify-gatekeeper-provider/templates/provider.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: externaldata.gatekeeper.sh/v1beta1 2 | kind: Provider 3 | metadata: 4 | name: ratify-gatekeeper-provider 5 | annotations: 6 | helm.sh/hook: pre-install,pre-upgrade 7 | helm.sh/hook-weight: "5" 8 | spec: 9 | url: https://{{ include "ratify.fullname" .}}.{{ .Release.Namespace }}:6001/ratify/gatekeeper/v2/verify 10 | timeout: {{ required "You must provide .Values.provider.timeout.validationTimeoutSeconds" .Values.provider.timeout.validationTimeoutSeconds }} 11 | {{ include "ratify.providerCabundle" . 
| nindent 2}} 12 | --- 13 | {{- if not .Values.provider.disableMutation }} 14 | apiVersion: externaldata.gatekeeper.sh/v1beta1 15 | kind: Provider 16 | metadata: 17 | name: ratify-gatekeeper-mutation-provider 18 | annotations: 19 | helm.sh/hook: pre-install,pre-upgrade 20 | helm.sh/hook-weight: "5" 21 | spec: 22 | url: https://{{ include "ratify.fullname" .}}.{{ .Release.Namespace }}:6001/ratify/gatekeeper/v2/mutate 23 | timeout: {{ required "You must provide .Values.provider.timeout.mutationTimeoutSeconds" .Values.provider.timeout.mutationTimeoutSeconds }} 24 | {{ include "ratify.providerCabundle" . | nindent 2}} 25 | {{- end }} -------------------------------------------------------------------------------- /deployments/ratify-gatekeeper-provider/templates/ratify-manager-role-clusterrole.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.serviceAccount.create }} 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRole 4 | metadata: 5 | creationTimestamp: null 6 | name: ratify-manager-cluster-role 7 | rules: 8 | - apiGroups: 9 | - externaldata.gatekeeper.sh 10 | resources: 11 | - providers 12 | verbs: 13 | - get 14 | - list 15 | - patch 16 | - update 17 | - watch 18 | # Secrets access is used for k8s auth provider to access secrets across namespaces. 
19 | - apiGroups: 20 | - "" 21 | resources: 22 | - secrets 23 | verbs: 24 | - get 25 | - list 26 | - watch 27 | {{- end }} -------------------------------------------------------------------------------- /deployments/ratify-gatekeeper-provider/templates/ratify-manager-role-role.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.serviceAccount.create }} 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: Role 4 | metadata: 5 | creationTimestamp: null 6 | name: ratify-manager-role 7 | rules: 8 | - apiGroups: 9 | - "" 10 | resources: 11 | - serviceaccounts 12 | verbs: 13 | - get 14 | # Secrets access is used by cert-controller to manipulate TLS related secrets. 15 | - apiGroups: 16 | - "" 17 | resources: 18 | - secrets 19 | verbs: 20 | - create 21 | - list 22 | - update 23 | - watch 24 | {{- end }} -------------------------------------------------------------------------------- /deployments/ratify-gatekeeper-provider/templates/ratify-manager-rolebinding-clusterrolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.serviceAccount.create }} 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRoleBinding 4 | metadata: 5 | labels: 6 | heritage: '{{ .Release.Service }}' 7 | release: '{{ .Release.Name }}' 8 | name: ratify-manager-cluster-rolebinding 9 | subjects: 10 | - kind: ServiceAccount 11 | name: {{ include "ratify.serviceAccountName" . 
}} 12 | namespace: '{{ .Release.Namespace }}' 13 | roleRef: 14 | kind: ClusterRole 15 | name: ratify-manager-cluster-role 16 | apiGroup: rbac.authorization.k8s.io 17 | {{- end }} -------------------------------------------------------------------------------- /deployments/ratify-gatekeeper-provider/templates/ratify-manager-rolebinding-rolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.serviceAccount.create }} 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: RoleBinding 4 | metadata: 5 | labels: 6 | heritage: '{{ .Release.Service }}' 7 | release: '{{ .Release.Name }}' 8 | name: ratify-manager-rolebinding 9 | namespace: {{ .Release.Namespace }} 10 | subjects: 11 | - kind: ServiceAccount 12 | name: {{ include "ratify.serviceAccountName" . }} 13 | namespace: '{{ .Release.Namespace }}' 14 | roleRef: 15 | kind: Role 16 | name: ratify-manager-role 17 | apiGroup: rbac.authorization.k8s.io 18 | {{- end }} -------------------------------------------------------------------------------- /deployments/ratify-gatekeeper-provider/templates/secret.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Secret 3 | metadata: 4 | name: {{ include "ratify.fullname" . }}-notation-certs 5 | type: Opaque 6 | stringData: 7 | {{- range $index, $cert := .Values.notation.certs }} 8 | ratify{{ $index }}.crt: | 9 | {{ $cert | indent 4 }} 10 | {{- end }} 11 | 12 | --- 13 | {{- if and (eq (include "ratify.tlsCertsProvided" .) "false") (not (lookup "v1" "Secret" .Release.Namespace (include "ratify.tlsSecretName" .))) (.Values.provider.tls.disableCertRotation) }} 14 | {{- fail "You must provide a TLS certificate/key for Ratify to use or enable cert rotation to make Ratify generate and rotate its certificate/key."}} 15 | {{- else if or (eq (include "ratify.tlsCertsProvided" .) "true") (and (eq (include "ratify.tlsCertsProvided" .) 
"false") (not (lookup "v1" "Secret" .Release.Namespace (include "ratify.tlsSecretName" .))) (not .Values.provider.tls.disableCertRotation))}} 16 | apiVersion: v1 17 | kind: Secret 18 | metadata: 19 | name: {{ include "ratify.fullname" . }}-tls 20 | annotations: 21 | helm.sh/hook: pre-install,pre-upgrade 22 | helm.sh/hook-weight: "5" 23 | data: 24 | {{ include "ratify.tlsSecret" . | nindent 2 }} 25 | {{- end }} -------------------------------------------------------------------------------- /deployments/ratify-gatekeeper-provider/templates/service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: {{ include "ratify.fullname" . }} 5 | labels: 6 | {{- include "ratify.labels" . | nindent 4 }} 7 | spec: 8 | type: ClusterIP 9 | ports: 10 | - port: 6001 11 | targetPort: 6001 12 | selector: 13 | {{- include "ratify.selectorLabels" . | nindent 4 }} -------------------------------------------------------------------------------- /deployments/ratify-gatekeeper-provider/templates/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.serviceAccount.create }} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | labels: 6 | {{- include "ratify.labels" . | nindent 4 }} 7 | {{- with .Values.serviceAccount.annotations }} 8 | annotations: 9 | {{- toYaml . | nindent 4 }} 10 | {{- end }} 11 | name: {{ include "ratify.serviceAccountName" . 
}} 12 | {{- end }} -------------------------------------------------------------------------------- /deployments/ratify-gatekeeper-provider/values.yaml: -------------------------------------------------------------------------------- 1 | image: 2 | repository: "ghcr.io/notaryproject/ratify-gatekeeper-provider" 3 | pullPolicy: IfNotPresent 4 | tag: "" 5 | 6 | replicaCount: 1 7 | 8 | notation: 9 | scope: [] 10 | trustedIdentities: [] 11 | certs: [] 12 | 13 | stores: 14 | - scope: "" 15 | username: "" 16 | password: "" 17 | 18 | provider: 19 | tls: 20 | crt: "" # crt used by ratify (httpserver), please provide your own crt 21 | key: "" # key used by ratify (httpserver), please provide your own key 22 | caCert: "" # CA crt used by ratify (httpserver), please provide your own CA crt 23 | disableCertRotation: false 24 | disableMutation: false 25 | timeout: 26 | # timeout values must match gatekeeper webhook timeouts 27 | validationTimeoutSeconds: 5 28 | mutationTimeoutSeconds: 2 29 | 30 | gatekeeper: 31 | namespace: "gatekeeper-system" 32 | 33 | serviceAccount: 34 | create: true 35 | name: ratify-gatekeeper-provider-admin 36 | # annotations to add to the service account 37 | annotations: {} 38 | -------------------------------------------------------------------------------- /docs/img/CRL/CRL-workflow.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/notaryproject/ratify/b8b074b6e7bf8714fd60a8ae24d2d9e44fe5a9b6/docs/img/CRL/CRL-workflow.png -------------------------------------------------------------------------------- /docs/img/architecture/ratify-v1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/notaryproject/ratify/b8b074b6e7bf8714fd60a8ae24d2d9e44fe5a9b6/docs/img/architecture/ratify-v1.png -------------------------------------------------------------------------------- /docs/img/architecture/ratify-v2.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/notaryproject/ratify/b8b074b6e7bf8714fd60a8ae24d2d9e44fe5a9b6/docs/img/architecture/ratify-v2.png -------------------------------------------------------------------------------- /docs/img/ratify-errors/B12iZKE_C.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/notaryproject/ratify/b8b074b6e7bf8714fd60a8ae24d2d9e44fe5a9b6/docs/img/ratify-errors/B12iZKE_C.png -------------------------------------------------------------------------------- /docs/img/ratify-errors/Byrwl2zuC.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/notaryproject/ratify/b8b074b6e7bf8714fd60a8ae24d2d9e44fe5a9b6/docs/img/ratify-errors/Byrwl2zuC.png -------------------------------------------------------------------------------- /docs/img/ratify-errors/H1KYhmnDA.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/notaryproject/ratify/b8b074b6e7bf8714fd60a8ae24d2d9e44fe5a9b6/docs/img/ratify-errors/H1KYhmnDA.png -------------------------------------------------------------------------------- /docs/img/ratify-errors/HJHWNwfuC.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/notaryproject/ratify/b8b074b6e7bf8714fd60a8ae24d2d9e44fe5a9b6/docs/img/ratify-errors/HJHWNwfuC.png -------------------------------------------------------------------------------- /docs/img/ratify-errors/SJTOOXhDA.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/notaryproject/ratify/b8b074b6e7bf8714fd60a8ae24d2d9e44fe5a9b6/docs/img/ratify-errors/SJTOOXhDA.png -------------------------------------------------------------------------------- 
/docs/img/ratify-errors/SJqHDNL_A.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/notaryproject/ratify/b8b074b6e7bf8714fd60a8ae24d2d9e44fe5a9b6/docs/img/ratify-errors/SJqHDNL_A.png -------------------------------------------------------------------------------- /docs/img/ratify-errors/SkUQfOr_0.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/notaryproject/ratify/b8b074b6e7bf8714fd60a8ae24d2d9e44fe5a9b6/docs/img/ratify-errors/SkUQfOr_0.png -------------------------------------------------------------------------------- /docs/img/ratify-errors/SkubOnMuA.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/notaryproject/ratify/b8b074b6e7bf8714fd60a8ae24d2d9e44fe5a9b6/docs/img/ratify-errors/SkubOnMuA.png -------------------------------------------------------------------------------- /docs/img/ratify-errors/Sy6OtPVuC.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/notaryproject/ratify/b8b074b6e7bf8714fd60a8ae24d2d9e44fe5a9b6/docs/img/ratify-errors/Sy6OtPVuC.png -------------------------------------------------------------------------------- /docs/img/ratify-errors/SyfhDP4dC.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/notaryproject/ratify/b8b074b6e7bf8714fd60a8ae24d2d9e44fe5a9b6/docs/img/ratify-errors/SyfhDP4dC.png -------------------------------------------------------------------------------- /docs/img/ratify-errors/r1vemTRwC.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/notaryproject/ratify/b8b074b6e7bf8714fd60a8ae24d2d9e44fe5a9b6/docs/img/ratify-errors/r1vemTRwC.png 
-------------------------------------------------------------------------------- /docs/img/ratify-errors/rJtithG_0.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/notaryproject/ratify/b8b074b6e7bf8714fd60a8ae24d2d9e44fe5a9b6/docs/img/ratify-errors/rJtithG_0.png -------------------------------------------------------------------------------- /docs/img/ratify-errors/rJvv5_N_0.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/notaryproject/ratify/b8b074b6e7bf8714fd60a8ae24d2d9e44fe5a9b6/docs/img/ratify-errors/rJvv5_N_0.png -------------------------------------------------------------------------------- /docs/img/ratify-errors/rkrEZvfd0.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/notaryproject/ratify/b8b074b6e7bf8714fd60a8ae24d2d9e44fe5a9b6/docs/img/ratify-errors/rkrEZvfd0.png -------------------------------------------------------------------------------- /docs/img/ratify-errors/ryMGu8L_C.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/notaryproject/ratify/b8b074b6e7bf8714fd60a8ae24d2d9e44fe5a9b6/docs/img/ratify-errors/ryMGu8L_C.png -------------------------------------------------------------------------------- /docs/img/ratify-errors/rym_MFHOC.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/notaryproject/ratify/b8b074b6e7bf8714fd60a8ae24d2d9e44fe5a9b6/docs/img/ratify-errors/rym_MFHOC.png -------------------------------------------------------------------------------- /docs/img/ratify-errors/rys__uEOA.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/notaryproject/ratify/b8b074b6e7bf8714fd60a8ae24d2d9e44fe5a9b6/docs/img/ratify-errors/rys__uEOA.png -------------------------------------------------------------------------------- /errors/azure.go: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright The Ratify Authors. 3 | Licensed under the Apache License, Version 2.0 (the "License"); 4 | you may not use this file except in compliance with the License. 5 | You may obtain a copy of the License at 6 | 7 | http://www.apache.org/licenses/LICENSE-2.0 8 | 9 | Unless required by applicable law or agreed to in writing, software 10 | distributed under the License is distributed on an "AS IS" BASIS, 11 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | See the License for the specific language governing permissions and 13 | limitations under the License. 14 | */ 15 | 16 | package errors 17 | 18 | const ( 19 | AKVLink = "https://learn.microsoft.com/en-us/azure/key-vault/general/overview" 20 | AzureWorkloadIdentityLink = "https://learn.microsoft.com/en-us/azure/aks/workload-identity-overview" 21 | AzureManagedIdentityLink = "https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview" 22 | ) 23 | -------------------------------------------------------------------------------- /hack/boilerplate.go.txt: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright The Ratify Authors. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ -------------------------------------------------------------------------------- /instrumentation/additional-scrape-configs.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | data: 3 | prometheus-additional.yaml: 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 4 | kind: Secret 5 | metadata: 6 | creationTimestamp: null 7 | name: additional-scrape-configs 8 | -------------------------------------------------------------------------------- /instrumentation/prometheus-additional.yaml: -------------------------------------------------------------------------------- 1 | - job_name: 'kubernetes-pods' 2 | scrape_interval: 5s 3 | kubernetes_sd_configs: 4 | - role: pod 5 | relabel_configs: 6 | - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape] 7 | action: keep 8 | regex: true 9 | - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path] 10 | action: replace 11 | target_label: __metrics_path__ 12 | regex: (.+) 13 | - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port] 14 | action: replace 15 | regex: ([^:]+)(?::\d+)?;(\d+) 16 | replacement: $1:$2 17 | target_label: __address__ 18 | - action: labelmap 19 | regex: __meta_kubernetes_pod_label_(.+) 20 | - source_labels: [__meta_kubernetes_namespace] 21 | action: replace 22 | target_label: kubernetes_namespace 23 | - source_labels: [__meta_kubernetes_pod_name] 24 | action: replace 25 | target_label: kubernetes_pod_name -------------------------------------------------------------------------------- /internal/cache/api.go: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright The Ratify Authors. 3 | Licensed under the Apache License, Version 2.0 (the "License"); 4 | you may not use this file except in compliance with the License. 
5 | You may obtain a copy of the License at 6 | 7 | http://www.apache.org/licenses/LICENSE-2.0 8 | 9 | Unless required by applicable law or agreed to in writing, software 10 | distributed under the License is distributed on an "AS IS" BASIS, 11 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | See the License for the specific language governing permissions and 13 | limitations under the License. 14 | */ 15 | 16 | package cache 17 | 18 | import ( 19 | "context" 20 | "errors" 21 | ) 22 | 23 | var ( 24 | ErrNotFound = errors.New("cache not found") 25 | ErrInvalidTTL = errors.New("invalid TTL provided") 26 | ErrAddFailed = errors.New("failed to add key/value to cache") 27 | ) 28 | 29 | // Cache is the main interface for a generic key-value cache. 30 | type Cache interface { 31 | // Get returns the value associated with the key, or an error if not found. 32 | Get(ctx context.Context, key string) (any, error) 33 | 34 | // Set stores a value with the specified key. 35 | Set(ctx context.Context, key string, value any) error 36 | 37 | // Delete removes the specified key/value from the cache. 38 | Delete(ctx context.Context, key string) error 39 | } 40 | -------------------------------------------------------------------------------- /internal/constants/constants.go: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright The Ratify Authors. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | 17 | package constants 18 | 19 | const RatifyPolicy = "ratify-policy" 20 | const EmptyNamespace = "" 21 | const NamespaceSeperator = "/" 22 | const MaxBriefErrLength = 100 23 | -------------------------------------------------------------------------------- /internal/httpserver/config/homedir_unix.go: -------------------------------------------------------------------------------- 1 | //go:build !windows 2 | 3 | /* 4 | Copyright The Ratify Authors. 5 | Licensed under the Apache License, Version 2.0 (the "License"); 6 | you may not use this file except in compliance with the License. 7 | You may obtain a copy of the License at 8 | 9 | http://www.apache.org/licenses/LICENSE-2.0 10 | 11 | Unless required by applicable law or agreed to in writing, software 12 | distributed under the License is distributed on an "AS IS" BASIS, 13 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | See the License for the specific language governing permissions and 15 | limitations under the License. 16 | */ 17 | 18 | package config 19 | 20 | import ( 21 | "os" 22 | "os/user" 23 | ) 24 | 25 | func get() string { 26 | home := os.Getenv("HOME") 27 | if home == "" { 28 | if u, err := user.Current(); err == nil { 29 | return u.HomeDir 30 | } 31 | } 32 | return home 33 | } 34 | -------------------------------------------------------------------------------- /internal/httpserver/config/homedir_windows.go: -------------------------------------------------------------------------------- 1 | //go:build windows 2 | 3 | /* 4 | Copyright The Ratify Authors. 5 | Licensed under the Apache License, Version 2.0 (the "License"); 6 | you may not use this file except in compliance with the License. 
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package config

import "os"

// get returns the current user's profile directory on Windows, read from
// the USERPROFILE environment variable ("" when unset).
func get() string {
	profile := os.Getenv("USERPROFILE")
	return profile
}

--------------------------------------------------------------------------------
/internal/pod/podinfo.go:
--------------------------------------------------------------------------------
/*
Copyright The Ratify Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package pod

import "os"

// GetNamespace returns the namespace from the RATIFY_NAMESPACE environment
// variable, defaulting to "gatekeeper-system" when the variable is absent.
// A variable that is present but empty yields "" (os.LookupEnv reports it
// as found), so the default only covers the unset case.
func GetNamespace() string {
	if ns, ok := os.LookupEnv("RATIFY_NAMESPACE"); ok {
		return ns
	}
	return "gatekeeper-system"
}

// GetServiceName returns the service name.
// GetServiceName reads RATIFY_NAME and falls back to
// "ratify-gatekeeper-provider" only when the variable is unset; a present
// but empty variable yields "".
func GetServiceName() string {
	if name, ok := os.LookupEnv("RATIFY_NAME"); ok {
		return name
	}
	return "ratify-gatekeeper-provider"
}

--------------------------------------------------------------------------------
/internal/policyenforcer/policyenforcer.go:
--------------------------------------------------------------------------------
/*
Copyright The Ratify Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package policyenforcer

import (
	"github.com/notaryproject/ratify-go"
	"github.com/notaryproject/ratify/v2/internal/policyenforcer/factory"
	_ "github.com/notaryproject/ratify/v2/internal/policyenforcer/factory/thresholdpolicy" // Register the threshold policy factory
)

// NewPolicyEnforcer creates a new PolicyEnforcer instance based on the provided options.
// It delegates to the factory; the blank import above is what makes the
// threshold policy type available to that factory, so dropping it silently
// removes the only policy registered by this package.
func NewPolicyEnforcer(opts *factory.NewPolicyEnforcerOptions) (ratify.PolicyEnforcer, error) {
	enforcer, err := factory.NewPolicyEnforcer(opts)
	return enforcer, err
}

--------------------------------------------------------------------------------
/internal/verifier/keyprovider/api_test.go:
--------------------------------------------------------------------------------
/*
Copyright The Ratify Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package keyprovider

import (
	"context"
	"crypto/x509"
	"testing"
)

// mockProvider is the registry name used for the mock in this file.
const mockProvider = "mock-provider"

// mockKeyProvider is a KeyProvider that never returns certificates.
type mockKeyProvider struct{}

// GetCertificates returns no certificates and no error.
func (m *mockKeyProvider) GetCertificates(_ context.Context) ([]*x509.Certificate, error) {
	return nil, nil
}

// TestCreateKeyProvider registers the mock under mockProvider and checks
// that CreateKeyProvider resolves a registered name and rejects an
// unregistered one. The registration is a package-level side effect that
// persists for the rest of the test binary, so this test must not run in
// parallel with tests that depend on the registry contents.
func TestCreateKeyProvider(t *testing.T) {
	RegisterKeyProvider(mockProvider, func(_ any) (KeyProvider, error) {
		return &mockKeyProvider{}, nil
	})

	provider, err := CreateKeyProvider(mockProvider, nil)
	if err != nil {
		t.Fatalf("expected no error, got %v", err)
	}
	if provider == nil {
		t.Fatal("expected non-nil key provider")
	}

	// An unknown name must fail rather than fall back to some default.
	if _, err = CreateKeyProvider("unknown-provider", nil); err == nil {
		t.Fatal("expected error, got nil")
	}
}

--------------------------------------------------------------------------------
/internal/verifier/verifier.go:
--------------------------------------------------------------------------------
/*
Copyright The Ratify Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package verifier

import (
	"fmt"

	"github.com/notaryproject/ratify-go"
	"github.com/notaryproject/ratify/v2/internal/verifier/factory"
	_ "github.com/notaryproject/ratify/v2/internal/verifier/factory/notation" // Register the Notation verifier factory
)

// NewVerifiers creates a slice of ratify.Verifier instances based on the
// provided options, one per entry and in the same order.
//
// An empty option list is an error rather than an empty result: a policy
// evaluated with zero verifiers would have nothing to check against, so the
// misconfiguration is surfaced here. The first factory error aborts the
// whole construction and is returned as-is (not wrapped), so callers see
// exactly what the factory produced.
func NewVerifiers(opts []factory.NewVerifierOptions) ([]ratify.Verifier, error) {
	if len(opts) == 0 {
		return nil, fmt.Errorf("no verifier options provided")
	}
	verifiers := make([]ratify.Verifier, 0, len(opts))
	for _, opt := range opts {
		v, err := factory.NewVerifier(opt)
		if err != nil {
			return nil, err
		}
		verifiers = append(verifiers, v)
	}
	return verifiers, nil
}

--------------------------------------------------------------------------------
/internal/version/version_test.go:
--------------------------------------------------------------------------------
/*
Copyright The Ratify Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package version

import (
	"fmt"
	"runtime"
	"testing"
)

// TestInit checks the user agent generateUserAgent produces when no build
// information has been injected: "ratify" and "unknown" presumably are the
// default name and version (confirm against version.go), followed by the
// host OS and architecture.
func TestInit(t *testing.T) {
	expected := fmt.Sprintf("%s+%s (%s/%s)", "ratify", "unknown", runtime.GOOS, runtime.GOARCH)
	actual := generateUserAgent()
	if actual != expected {
		t.Errorf("Expected: %s, got: %s", expected, actual)
	}
}

--------------------------------------------------------------------------------
/library/default/samples/constraint.yaml:
--------------------------------------------------------------------------------
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: RatifyVerification
metadata:
  name: ratify-constraint
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces: ["default"]

--------------------------------------------------------------------------------
/library/multi-tenancy-validation/samples/constraint.yaml:
--------------------------------------------------------------------------------
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: RatifyVerification
metadata:
  name: ratify-constraint
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces: ["default", "new-namespace"]

--------------------------------------------------------------------------------
/library/notation-issuer-validation/samples/constraint.yaml:
--------------------------------------------------------------------------------
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: NotationIssuerValidation
metadata:
  name: localhost-signature-validation
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces: ["*"]
  parameters:
    issuer: "localhost:5000"

--------------------------------------------------------------------------------
/library/notation-nested-validation/samples/constraint.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: constraints.gatekeeper.sh/v1beta1 2 | kind: NotationNestedValidation 3 | metadata: 4 | name: notation-nested-constraint 5 | spec: 6 | enforcementAction: deny 7 | match: 8 | kinds: 9 | - apiGroups: [""] 10 | kinds: ["Pod"] 11 | namespaces: ["default"] 12 | -------------------------------------------------------------------------------- /library/notation-validation/samples/constraint.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: constraints.gatekeeper.sh/v1beta1 2 | kind: notationvalidation 3 | metadata: 4 | name: ratify-constraint 5 | spec: 6 | enforcementAction: deny 7 | match: 8 | kinds: 9 | - apiGroups: [""] 10 | kinds: ["Pod"] 11 | namespaces: ["default"] 12 | -------------------------------------------------------------------------------- /library/rego/README.md: -------------------------------------------------------------------------------- 1 | # Ratify Rego Policies 2 | 3 | This folder contains `.rego` files that contain rego policies to be used ONLY with Ratify's [Rego Policy Provider](https://ratify.dev/docs/reference/crds/policies#regopolicy) -------------------------------------------------------------------------------- /library/sbom-validation/samples/constraint.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: constraints.gatekeeper.sh/v1beta1 2 | kind: SbomValidation 3 | metadata: 4 | name: sbom-validation-constraint 5 | spec: 6 | enforcementAction: deny 7 | match: 8 | kinds: 9 | - apiGroups: [""] 10 | kinds: ["Pod"] 11 | namespaces: ["default"] -------------------------------------------------------------------------------- /library/vulnerability-report-validation/samples/constraint.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: 
constraints.gatekeeper.sh/v1beta1
kind: VulnerabilityReportValidation
metadata:
  name: vulnerability-report-validation-constraint
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces: ["default"]
--------------------------------------------------------------------------------
/pkg/common/oras/authprovider/authproviderconfig.go:
--------------------------------------------------------------------------------
/*
Copyright The Ratify Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package authprovider

// AuthProviderConfig represents the configuration of an AuthProvider.
// It is an untyped map, so key names and value types are only checked by
// the provider that consumes it (not in this package); a mistyped key is
// silently ignored at this layer.
type AuthProviderConfig map[string]interface{} //nolint:revive // ignore linter to have unique type name

--------------------------------------------------------------------------------
/pkg/common/oras/authprovider/azure/const.go:
--------------------------------------------------------------------------------
/*
Copyright The Ratify Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package azure

import (
	"time"

	"github.com/notaryproject/ratify/v2/internal/logger"
)

const (
	// dockerTokenLoginUsernameGUID is the all-zero GUID; by its name it is
	// the username presented with token-based registry login — confirm at
	// the call site.
	dockerTokenLoginUsernameGUID = "00000000-0000-0000-0000-000000000000"
	// AADResource is the Azure AD scope requested for container registry
	// access tokens.
	AADResource = "https://containerregistry.azure.net/.default"
	// defaultACRExpiryDuration is the default lifetime applied to ACR
	// credentials obtained by this package; where it is applied is outside
	// this file.
	defaultACRExpiryDuration time.Duration = 3 * time.Hour
)

var (
	// logOpt tags this package's log output as the auth provider component.
	logOpt = logger.Option{
		ComponentType: logger.AuthProvider,
	}
	// defaultACREndpoints lists the registry host patterns treated as ACR
	// when no endpoints are configured. Any host matched by these patterns
	// is handed Azure credentials, so the list is deliberately limited to
	// the ACR domains; the wildcard matching semantics live with the caller.
	defaultACREndpoints = []string{"*.azurecr.io", "*.azurecr.us", "*.azurecr.cn"}
)

--------------------------------------------------------------------------------
/pkg/common/plugin/find.go:
--------------------------------------------------------------------------------
/*
Copyright The Ratify Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package plugin

import (
	"fmt"
	"os"
	"path/filepath"
)

// FindInPaths returns the full path of the plugin executable by searching
// the provided list of directories, in order, trying each entry of
// executableFileExtensions in order within a directory. The first
// candidate that os.Stat reports as a regular file wins; os.Stat follows
// symlinks, so a symlink to a regular file also matches. Returns an error
// when plugin is empty, when paths is empty, or when no candidate exists.
//
// Only existence and file type are checked here — not ownership, mode
// bits, or whether the directory is writable by others. Whoever runs the
// returned path is trusting the configured directories. Two stdlib
// properties are worth knowing when reviewing the configured list: an
// empty entry in paths resolves relative to the process working directory
// (filepath.Join("", plugin) == plugin), and plugin is joined without
// being confined to the directory, so callers are expected to pass a bare
// file name rather than a path.
func FindInPaths(plugin string, paths []string) (string, error) {
	switch {
	case plugin == "":
		return "", fmt.Errorf("plugin name is required")
	case len(paths) == 0:
		return "", fmt.Errorf("no paths provided to find a plugin")
	}

	for _, dir := range paths {
		for _, ext := range executableFileExtensions {
			candidate := filepath.Join(dir, plugin) + ext
			info, err := os.Stat(candidate)
			if err != nil || !info.Mode().IsRegular() {
				continue
			}
			return candidate, nil
		}
	}

	return "", fmt.Errorf("failed to find plugin %q in paths %s", plugin, paths)
}

--------------------------------------------------------------------------------
/pkg/common/plugin/os_unix.go:
--------------------------------------------------------------------------------
// Copyright The Ratify Authors.
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at

// http://www.apache.org/licenses/LICENSE-2.0

// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

//go:build darwin || dragonfly || freebsd || linux || netbsd || openbsd || solaris
// +build darwin dragonfly freebsd linux netbsd openbsd solaris

package plugin

// Valid file extensions for plugin executables.
// On Unix-like systems there is no extension convention, so only the bare
// name is tried.
var executableFileExtensions = []string{""}

--------------------------------------------------------------------------------
/pkg/common/plugin/os_windows.go:
--------------------------------------------------------------------------------
/*
Copyright The Ratify Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package plugin

// Valid file extensions for plugin executables.
// ".exe" is tried first; the trailing "" means an extensionless regular
// file is also accepted as a plugin on Windows.
var executableFileExtensions = []string{".exe", ""}

--------------------------------------------------------------------------------
/pkg/common/plugin/types_test.go:
--------------------------------------------------------------------------------
/*
Copyright The Ratify Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package plugin

import "testing"

// TestError_ReturnsExpected pins the Error() format of the plugin error
// type: "message; details" when details are given, just the message when
// details are empty. The numeric code does not appear in the text.
func TestError_ReturnsExpected(t *testing.T) {
	testError := NewError(123, "test error", "test err details")

	if testError.Error() != "test error; test err details" {
		t.Fatal("formatted error mismatches")
	}

	testErrorWithoutDetails := NewError(123, "test error", "")

	if testErrorWithoutDetails.Error() != "test error" {
		t.Fatal("formatted error without details mismatches")
	}
}

--------------------------------------------------------------------------------
/pkg/common/reference.go:
--------------------------------------------------------------------------------
/*
Copyright The Ratify Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package common

import (
	"github.com/opencontainers/go-digest"
)

// Reference describes an image reference identifier that includes properties like digest, tag.
// Nothing in this type keeps Path, Digest and Tag consistent with Original;
// that is the responsibility of whatever parses the reference.
type Reference struct {
	Path     string
	Digest   digest.Digest
	Tag      string
	Original string
}

// String returns the Original reference text verbatim — no normalization
// and no reconstruction from the parsed fields — so it reflects the input
// exactly as it was given to the parser.
func (ref Reference) String() string {
	original := ref.Original
	return original
}

--------------------------------------------------------------------------------
/pkg/common/utils/utils.go:
--------------------------------------------------------------------------------
/*
Copyright The Ratify Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package utils

import (
	oci "github.com/opencontainers/image-spec/specs-go/v1"
	"github.com/ratify-project/ratify/pkg/ocispecs"
)

// OciManifestToReferenceManifest converts an OCI image manifest into the
// ReferenceManifest shape used by Ratify's referrer stores.
//
// The artifact type is taken from the config descriptor's media type, except
// when the config is the empty-JSON descriptor (the OCI 1.1 convention for
// artifacts with no real config); then the manifest-level ArtifactType is
// used instead. Layers, Subject and Annotations are copied by reference, so
// the result shares backing storage with the input manifest — mutate either
// with care.
func OciManifestToReferenceManifest(ociManifest oci.Manifest) ocispecs.ReferenceManifest {
	ref := ocispecs.ReferenceManifest{
		MediaType:    ociManifest.MediaType,
		ArtifactType: ociManifest.Config.MediaType,
		Blobs:        ociManifest.Layers,
		Subject:      ociManifest.Subject,
		Annotations:  ociManifest.Annotations,
	}
	if ref.ArtifactType == oci.DescriptorEmptyJSON.MediaType {
		ref.ArtifactType = ociManifest.ArtifactType
	}
	return ref
}

--------------------------------------------------------------------------------
/pkg/customresources/certificatestores/api.go:
--------------------------------------------------------------------------------
/*
Copyright The Ratify Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package certificatestores

import (
	"context"
	"crypto/x509"
)

// CertStoreManager is an interface that defines the methods for managing certificate stores across different scopes.
// Stores are keyed by storeName; how a name encodes its scope is up to the
// implementation.
type CertStoreManager interface {
	// GetCertsFromStore returns certificates from the given certificate store,
	// or an error (for example one previously recorded with AddStoreError).
	GetCertsFromStore(ctx context.Context, storeName string) ([]*x509.Certificate, error)

	// AddStore records the given certificates under storeName. Whether an
	// existing entry is replaced or merged is implementation-defined.
	AddStore(storeName string, cert []*x509.Certificate)

	// DeleteStore removes the store with the given name.
	DeleteStore(storeName string)

	// AddStoreError records an error against the given certificate store, so
	// that a store whose certificates could not be loaded fails closed on
	// lookup instead of reading as empty.
	AddStoreError(storeName string, err error)
}

--------------------------------------------------------------------------------
/pkg/customresources/policies/api.go:
--------------------------------------------------------------------------------
/*
Copyright The Ratify Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package policies

import "github.com/ratify-project/ratify/pkg/policyprovider"

// PolicyManager is an interface that defines the methods for managing policies across different scopes.
type PolicyManager interface {
	// GetPolicy returns the policy for the given scope (nil-ness for an
	// unknown scope is implementation-defined).
	GetPolicy(scope string) policyprovider.PolicyProvider

	// AddPolicy adds the given policy under the given scope.
	AddPolicy(scope, policyName string, policy policyprovider.PolicyProvider)

	// DeletePolicy deletes the policy from the given scope.
	DeletePolicy(scope, policyName string)
}

--------------------------------------------------------------------------------
/pkg/customresources/referrerstores/api.go:
--------------------------------------------------------------------------------
/*
Copyright The Ratify Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package referrerstores

import (
	"github.com/ratify-project/ratify/pkg/referrerstore"
)

// ReferrerStoreManager is an interface that defines the methods for managing referrer stores across different scopes.
type ReferrerStoreManager interface {
	// GetStores returns the list of referrer stores for the given scope.
	GetStores(scope string) []referrerstore.ReferrerStore

	// AddStore adds the given store under the given scope.
	AddStore(scope, storeName string, store referrerstore.ReferrerStore)

	// DeleteStore deletes the named store from the given scope.
	DeleteStore(scope, storeName string)
}

--------------------------------------------------------------------------------
/pkg/customresources/verifiers/api.go:
--------------------------------------------------------------------------------
/*
Copyright The Ratify Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package verifiers

import (
	vr "github.com/ratify-project/ratify/pkg/verifier"
)

// VerifierManager is an interface that defines the methods for managing verifiers across different scopes.
type VerifierManager interface {
	// GetVerifiers returns verifiers under the given scope.
	GetVerifiers(scope string) []vr.ReferenceVerifier

	// AddVerifier adds a verifier to the given scope.
	AddVerifier(scope, verifierName string, verifier vr.ReferenceVerifier)

	// DeleteVerifier deletes a verifier from the given scope.
	DeleteVerifier(scope, verifierName string)
}

--------------------------------------------------------------------------------
/pkg/homedir/homedir_windows.go:
--------------------------------------------------------------------------------
/*
Copyright The Ratify Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package homedir

import (
	"os"
)

// Key returns the environment variable name that holds the user's home
// directory on Windows.
func Key() string {
	return "USERPROFILE"
}

// Get returns the home directory path of the current user, read from the
// variable named by Key. It is "" when that variable is unset; the value is
// used as-is, so any path built from it trusts the process environment.
func Get() string {
	key := Key()
	return os.Getenv(key)
}

// GetShortcutString returns the native-shell expansion for the user's home
// directory on Windows.
func GetShortcutString() string {
	return "%USERPROFILE%"
}

--------------------------------------------------------------------------------
/pkg/keymanagementprovider/config/config.go:
--------------------------------------------------------------------------------
/*
Copyright The Ratify Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package config

// KeyManagementProviderConfig is a map containing name and provider-specific configuration.
// Being untyped, its keys are validated only by the provider that consumes
// it, not here.
type KeyManagementProviderConfig map[string]interface{}

// KeyManagementProvidersConfig is the top-level key management provider
// configuration as it appears in the config file.
type KeyManagementProvidersConfig struct {
	// Version of this config section's schema.
	Version string `json:"version,omitempty"`
	// PluginBinDirs lists directories searched for provider plugin binaries.
	// Whatever executable is found there gets run, so this list should only
	// name directories the deployment controls.
	PluginBinDirs []string `json:"pluginBinDirs,omitempty"`
	// KeyManagementProviders holds one entry per provider. Note the JSON key
	// is "plugins", not the field name.
	KeyManagementProviders []KeyManagementProviderConfig `json:"plugins,omitempty"`
}

--------------------------------------------------------------------------------
/pkg/keymanagementprovider/refresh/test_helper_test.go:
--------------------------------------------------------------------------------
/*
Copyright The Ratify Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package refresh

import (
	"github.com/ratify-project/ratify/pkg/keymanagementprovider/factory"
	"github.com/ratify-project/ratify/pkg/keymanagementprovider/mocks"
)

// init registers the mock factory under "test-kmp" for every test in this
// package (test-only file, so it never ships in the binary).
func init() {
	// Register the mock KeyManagementProviderFactory
	factory.Register("test-kmp", &mocks.TestKeyManagementProviderFactory{})
}

--------------------------------------------------------------------------------
/pkg/keymanagementprovider/types/types.go:
--------------------------------------------------------------------------------
/*
Copyright The Ratify Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package types

// Well-known keys and the schema version used in key management provider
// configuration; the meaning of each key is defined by its consumer.
const (
	// SpecVersion is the current configuration schema version.
	SpecVersion string = "0.1.0"
	Version     string = "version"
	Type        string = "type"
	Resource    string = "resource"
	Source      string = "source"
)

--------------------------------------------------------------------------------
/pkg/metrics/prometheus_exporter.go:
--------------------------------------------------------------------------------
/*
Copyright The Ratify Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
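*/

package metrics

import (
	"errors"
	"fmt"
	"net/http"
	"time"

	"github.com/prometheus/client_golang/prometheus/promhttp"
	"github.com/sirupsen/logrus"
)

const (
	// readHeaderTimeout bounds how long a client may take to send request
	// headers; without it an idle connection can hold a goroutine open
	// indefinitely (Slowloris).
	readHeaderTimeout = 5 * time.Second
	// readTimeout, writeTimeout and idleTimeout bound the rest of the request
	// lifecycle for the same reason. Scrapes are tiny, so these generous
	// values never affect a real scraper but do stop a slow client from
	// pinning connections.
	readTimeout  = 10 * time.Second
	writeTimeout = 30 * time.Second
	idleTimeout  = 60 * time.Second
)

// initPrometheusExporter starts an HTTP server in a background goroutine that
// serves Prometheus metrics at /metrics on the given TCP port, bound to all
// interfaces. It returns an error only when port is outside 1..65535; a
// listen failure surfaces asynchronously in the log, because the server runs
// in its own goroutine and there is no shutdown hook.
//
// Security notes:
//   - The endpoint is unauthenticated and listens on every interface; restrict
//     reachability with a NetworkPolicy or by exposing the port only to the
//     scraper.
//   - The handler is registered on a private ServeMux rather than
//     http.DefaultServeMux, so nothing else registered on the default mux
//     (net/http/pprof, if it is ever imported) is exposed on this port, and
//     calling this function twice no longer panics on a duplicate "/metrics"
//     registration.
func initPrometheusExporter(port int) error {
	if port < 1 || port > 65535 {
		return fmt.Errorf("invalid metrics port %d: must be in 1..65535", port)
	}

	mux := http.NewServeMux()
	mux.Handle("/metrics", promhttp.Handler())

	server := &http.Server{
		Addr:              fmt.Sprintf(":%d", port),
		Handler:           mux,
		ReadHeaderTimeout: readHeaderTimeout,
		ReadTimeout:       readTimeout,
		WriteTimeout:      writeTimeout,
		IdleTimeout:       idleTimeout,
	}

	go func() {
		// ErrServerClosed is the normal result of Shutdown/Close, not a fault.
		if err := server.ListenAndServe(); err != nil && !errors.Is(err, http.ErrServerClosed) {
			logrus.Errorf("metrics server listen and serve error on port %d: %v", port, err)
		}
	}()

	return nil
}
--------------------------------------------------------------------------------
/pkg/metrics/prometheus_exporter_test.go:
--------------------------------------------------------------------------------
/*
Copyright The Ratify Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.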
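*/

package metrics

import (
	"net/http"
	"testing"
	"time"
)

// TestInitPrometheusExporter starts the exporter on a fixed port and checks
// that /metrics answers 200. It polls the endpoint instead of sleeping a
// fixed 2s, so it is faster on a quiet machine and more tolerant on a slow
// one, and it closes every response body it opens (the original leaked the
// body and used http.DefaultClient, which has no timeout). The port is
// hard-coded, so the test fails if 8888 is already in use on the host.
func TestInitPrometheusExporter(t *testing.T) {
	if err := initPrometheusExporter(8888); err != nil {
		t.Fatalf("initPrometheusExporter() error = %v", err)
	}

	// Bounded client: a hung server must fail the test, not wedge the suite.
	client := &http.Client{Timeout: 2 * time.Second}

	deadline := time.Now().Add(5 * time.Second)
	var lastErr error
	for time.Now().Before(deadline) {
		resp, err := client.Get("http://localhost:8888/metrics")
		if err != nil {
			// Listener not up yet (connection refused); retry until the deadline.
			lastErr = err
			time.Sleep(100 * time.Millisecond)
			continue
		}
		// Close before asserting so nothing leaks when the assertion fails.
		resp.Body.Close()
		if resp.StatusCode != http.StatusOK {
			t.Fatalf("GET /metrics resp.StatusCode = %v, expected %v", resp.StatusCode, http.StatusOK)
		}
		return
	}
	t.Fatalf("metrics endpoint did not become ready before deadline: %v", lastErr)
}
--------------------------------------------------------------------------------
/pkg/policyprovider/config/config.go:
--------------------------------------------------------------------------------
/*
Copyright The Ratify Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.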
*/

package config

// PolicyPluginConfig represents the configuration of a policy plugin
// (a free-form key/value map; the plugin named inside it defines the schema).
type PolicyPluginConfig map[string]interface{}

// PoliciesConfig describes policies that are defined in the configuration
type PoliciesConfig struct {
	// Version is the config schema version; optional in JSON.
	Version string `json:"version,omitempty"`
	// PolicyPlugin is the single policy provider configuration. Its tag has no
	// omitempty, so a nil map serializes as "plugin": null rather than being dropped.
	PolicyPlugin PolicyPluginConfig `json:"plugin"`
}
--------------------------------------------------------------------------------
/pkg/policyprovider/policyengine/api.go:
--------------------------------------------------------------------------------
/*
Copyright The Ratify Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package policyengine

import "context"

// PolicyEngine is an interface that represents a policy engine.
type PolicyEngine interface {
	// Evaluate evaluates the policy with the given input.
	// input is the verifier reports that engine evaluates against.
	// result indicates whether the input satisfies the policy.
	// err indicates an error happened during the evaluation.
	// NOTE(review): an evaluation error is not a policy pass. Callers must
	// fail closed on a non-nil err regardless of the accompanying result value.
	Evaluate(ctx context.Context, input map[string]interface{}) (result bool, err error)
}
--------------------------------------------------------------------------------
/pkg/policyprovider/policyquery/api.go:
--------------------------------------------------------------------------------
/*
Copyright The Ratify Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package policyquery

import "context"

// PolicyQuery is an interface with methods that make policy decisions.
// It has the same shape as policyengine.PolicyEngine but with unnamed results;
// implementations of one are not automatically the other.
type PolicyQuery interface {
	// Evaluate evaluates the policy with the given input.
	// input is the verifier reports that query evaluates against.
	// result indicates whether the input satisfies the policy.
	// err indicates an error happened during the evaluation.
	// NOTE(review): treat a non-nil error as a deny; never use the bool alone.
	Evaluate(ctx context.Context, input map[string]interface{}) (bool, error)
}
--------------------------------------------------------------------------------
/pkg/policyprovider/types/types.go:
--------------------------------------------------------------------------------
/*
Copyright The Ratify Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package types

// ArtifactTypeVerifyPolicy represents an artifact type policy
type ArtifactTypeVerifyPolicy string

const (
	// AnyVerifySuccess ("any"): by its name, an artifact type passes when at least
	// one verifier report succeeds. NOTE(review): this is the permissive setting —
	// a single lenient verifier can then carry the whole decision. Prefer "all"
	// wherever every configured verifier is meant to be a gate. Confirm the exact
	// semantics in the config policy provider, which is not visible here.
	AnyVerifySuccess ArtifactTypeVerifyPolicy = "any"
	// AllVerifySuccess ("all"): every verifier report for the artifact type must succeed.
	AllVerifySuccess ArtifactTypeVerifyPolicy = "all"
	// RegoPolicy is the name of the rego policy provider.
	RegoPolicy = "regopolicy"
	// ConfigPolicy is the name of the config policy provider.
	ConfigPolicy = "configpolicy"
)
--------------------------------------------------------------------------------
/pkg/utils/awsauth/utils.go:
--------------------------------------------------------------------------------
/*
Copyright The Ratify Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
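*/

package awsauth

import (
	"fmt"
	"net/url"
	"strings"
)

// RegionFromRegistry extracts the AWS region from an ECR registry host of the
// form <account>.dkr.ecr.<region>.amazonaws.com; the FIPS variant
// <account>.dkr.ecr-fips.<region>.amazonaws.com has the same label count and
// also yields label 3. It returns "" when the host has fewer than six
// dot-separated labels.
//
// Security note: this is a purely positional parse. Any six-label hostname
// (an attacker-chosen registry in an admission request, for instance) yields
// a "region"; callers must not treat a non-empty result as proof that the
// host is an ECR endpoint, only as a hint for which endpoint to talk to.
func RegionFromRegistry(registry string) string {
	labels := strings.Split(registry, ".")
	if len(labels) < 6 {
		return ""
	}
	return labels[3]
}

// RegistryFromImage returns the registry host of an image reference.
//
// A reference starting with "https://" is parsed as a URL and its host
// (including any port) is returned. Otherwise everything before the first
// "/" is taken as the host, which matches registry-qualified references such
// as "registry.example.com/repo:tag". A reference with no "/" (e.g. "nginx")
// carries no explicit registry and is rejected with an error; the previous
// implementation panicked on that input because it sliced with the -1
// returned by strings.IndexByte. The scheme check is a prefix test rather
// than a substring search, so "https://" appearing later in a reference no
// longer triggers URL parsing.
func RegistryFromImage(image string) (string, error) {
	if strings.HasPrefix(image, "https://") {
		u, err := url.Parse(image)
		if err != nil {
			return "", err
		}
		return u.Host, nil
	}

	idx := strings.IndexByte(image, '/')
	if idx < 0 {
		return "", fmt.Errorf("image reference %q has no registry host", image)
	}
	return image[:idx], nil
}
--------------------------------------------------------------------------------
/pkg/utils/awsauth/utils_test.go:
--------------------------------------------------------------------------------
/*
Copyright The Ratify Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.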
14 | */ 15 | 16 | package awsauth 17 | 18 | import "testing" 19 | 20 | const ( 21 | image = "123456789012.dkr.ecr.us-east-2.amazonaws.com/pause:3.1" 22 | registry = "123456789012.dkr.ecr.us-east-2.amazonaws.com" 23 | region = "us-east-2" 24 | ) 25 | 26 | func TestRegistryFromImage_ReturnsExpected(t *testing.T) { 27 | reg, err := RegistryFromImage(image) 28 | 29 | if reg == "" || err != nil { 30 | t.Fatalf("registry parsing failed, expected registry but returned error %v", err) 31 | } 32 | 33 | if reg != registry { 34 | t.Fatalf("incorrect registry returned, expected %s, but received %s", registry, reg) 35 | } 36 | } 37 | 38 | func TestRegionFromRegistry_ReturnsExpected(t *testing.T) { 39 | reg := RegionFromRegistry(registry) 40 | if reg != region { 41 | t.Fatalf("incorrect region returned, expected %s, but received %s", region, reg) 42 | } 43 | } 44 | -------------------------------------------------------------------------------- /pkg/utils/testCert1.crt: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIDKDCCAhCgAwIBAgIRAKJH8DML5C8DYPTEalj/mg4wDQYJKoZIhvcNAQELBQAw 3 | IjEgMB4GA1UEAxMXaHVpc2h3YWJiaXQtbmV0d29ya3MuaW8wHhcNMjIwMTI3MTM0 4 | NjQ2WhcNMjMwMTI3MTM0NjQ2WjAiMSAwHgYDVQQDExdodWlzaHdhYmJpdC1uZXR3 5 | b3Jrcy5pbzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOjyd8VQDlnz 6 | IQK07W2mIbFw5cLCe8rMFeAWVwMSwSeTqEY0DLVf0XRzg8Ogd1bDouM5Bl0sJIeM 7 | s1pOmc8sflPkWR6kn/BOpd7WWGy3iIXazb8sgVOnxlvooNuqHITdtXSGZajHgoes 8 | se3hqfivyrXFGXugSg40ES9KGzc+9ZEOwW1diJ4GxA8XHbubpPMWZO+qAAiIvYm7 9 | Iuf5sPNaeElAwuWFCvZMpxgy+R1p5VBm+NpuQONe94HhzVB3ox16yVNQNlcOcZFE 10 | GOBKGqX39H5GqnynxC59Kdr/SgsdwlCQdFTpbpok3w4cpawXMjN+ikt5ZASepQoT 11 | nFHLq4Szdy0CAwEAAaNZMFcwDgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQMMAoGCCsG 12 | AQUFBwMDMAwGA1UdEwEB/wQCMAAwIgYDVR0RBBswGYIXaHVpc2h3YWJiaXQtbmV0 13 | d29ya3MuaW8wDQYJKoZIhvcNAQELBQADggEBAJC2BHQULI/5eJQpgt1iXDzLSIOH 14 | TFSqQ9hZu5BpZuRAj0a7cIH0lYM1v1V7g/H4liutc3v4fF5GfK2RDBsef+TtwGkg 15 | 
DTB67Lqwmoy8lSKaQPysYej40sJSL+W5pZm0IoDP3yMz7Jg6egJtUxIt22zKe9xY 16 | L/085GvjKFd0A+pLuuCMbCYlHHSn2/W9gEB5Ba4lX5DqBH9YmgdRjDJB48YxaT/s 17 | zYCVj1a50u1wAg9Ykarhi/okuxkuHNCpVKelm8O6u+nlac8m2/0BR1UXn+EFwmA1 18 | hOvKCqdcvo07wYwXcF4p36f78v1BKXrrJin2Bdo9mYelOUfizE3tjs7+aYs= 19 | -----END CERTIFICATE----- -------------------------------------------------------------------------------- /pkg/verifier/config/config.go: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright The Ratify Authors. 3 | Licensed under the Apache License, Version 2.0 (the "License"); 4 | you may not use this file except in compliance with the License. 5 | You may obtain a copy of the License at 6 | 7 | http://www.apache.org/licenses/LICENSE-2.0 8 | 9 | Unless required by applicable law or agreed to in writing, software 10 | distributed under the License is distributed on an "AS IS" BASIS, 11 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | See the License for the specific language governing permissions and 13 | limitations under the License. 
*/

package config

import (
	"github.com/ratify-project/ratify/pkg/ocispecs"
	rc "github.com/ratify-project/ratify/pkg/referrerstore/config"
)

// VerifierConfig is the free-form configuration map of one verifier
// (one decoded entry of "plugins"; the verifier defines its own keys).
type VerifierConfig map[string]interface{}

// PluginInputConfig is the payload handed to an external verifier plugin.
type PluginInputConfig struct {
	// Config is the verifier's own configuration.
	Config VerifierConfig `json:"config"`
	// StoreConfig is the referrer store configuration the plugin should use.
	StoreConfig rc.StoreConfig `json:"storeConfig"`
	// ReferencDesc is the reference artifact descriptor to verify. The Go field
	// name has a typo ("Referenc"), but it is exported API and the JSON name
	// "referenceDesc" is what plugins see, so it is left as-is.
	ReferencDesc ocispecs.ReferenceDescriptor `json:"referenceDesc"`
}

// VerifiersConfig is the verifiers section of the configuration: plugin
// search paths plus one config map per verifier.
type VerifiersConfig struct {
	// Version is the config schema version; optional in JSON.
	Version string `json:"version,omitempty"`
	// PluginBinDirs lists directories presumably searched for external verifier
	// binaries (confirm against the plugin loader). NOTE(review): such binaries
	// inherit Ratify's full environment (see VerifierPluginArgs.AsEnviron in
	// pkg/verifier/plugin/args.go), so keep these paths root-owned and non-writable.
	PluginBinDirs []string `json:"pluginBinDirs,omitempty"`
	// Verifiers holds one config map per verifier; serialized as "plugins".
	Verifiers []VerifierConfig `json:"plugins,omitempty"`
}
--------------------------------------------------------------------------------
/pkg/verifier/mocks/types.go:
--------------------------------------------------------------------------------
/*
Copyright The Ratify Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package mocks

import (
	"context"
	"time"

	"github.com/ratify-project/ratify/pkg/executor"
	"github.com/ratify-project/ratify/pkg/executor/types"
	"github.com/ratify-project/ratify/pkg/verifier"
)

// TestExecutor is a test double for the executor: every VerifySubject call
// reports VerifySuccess, whatever the subject is.
type TestExecutor struct {
	VerifySuccess bool
}

// VerifySubject ignores both arguments and returns a result carrying exactly
// one verifier report; IsSuccess at the result level and inside the report
// both mirror VerifySuccess. It never returns an error.
func (s *TestExecutor) VerifySubject(_ context.Context, _ executor.VerifyParameters) (types.VerifyResult, error) {
	ok := s.VerifySuccess
	result := types.VerifyResult{IsSuccess: ok}
	result.VerifierReports = []interface{}{verifier.VerifierResult{IsSuccess: ok}}
	return result, nil
}

// GetVerifyRequestTimeout returns the fixed 3s budget the mock advertises.
func (s *TestExecutor) GetVerifyRequestTimeout() time.Duration {
	return 3 * time.Second
}

// GetMutationRequestTimeout returns the fixed 1s budget the mock advertises.
func (s *TestExecutor) GetMutationRequestTimeout() time.Duration {
	return time.Second
}
--------------------------------------------------------------------------------
/pkg/verifier/plugin/args.go:
--------------------------------------------------------------------------------
/*
Copyright The Ratify Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package plugin

import (
	"fmt"
	"os"

	pluginCommon "github.com/ratify-project/ratify/pkg/common/plugin"
)

// VerifierPluginArgs describes arguments that are passed to the verifier plugin
type VerifierPluginArgs struct {
	Command          string
	Version          string
	SubjectReference string
}

var _ pluginCommon.PluginArgs = &VerifierPluginArgs{}

// AsEnviron renders the arguments as the environment for the plugin process:
// a copy of this process's environment followed by RATIFY_VERIFIER_COMMAND,
// RATIFY_VERIFIER_SUBJECT and RATIFY_VERIFIER_VERSION, in that order, then
// de-duplicated by pluginCommon.MergeDuplicateEnviron.
//
// Security note: because os.Environ() is forwarded wholesale, every variable
// of the Ratify process (cloud credentials, tokens, proxy settings, anything
// injected by the pod spec) becomes visible to the external plugin binary.
// That is only acceptable when plugin binaries are trusted as much as Ratify
// itself: keep the plugin directories root-owned and non-writable, and prefer
// delivering secrets to Ratify via mounted files or a KMS rather than
// environment variables so there is less to leak here.
func (args *VerifierPluginArgs) AsEnviron() []string {
	ratifyVars := []string{
		fmt.Sprintf("%s=%s", CommandEnvKey, args.Command),
		fmt.Sprintf("%s=%s", SubjectEnvKey, args.SubjectReference),
		fmt.Sprintf("%s=%s", VersionEnvKey, args.Version),
	}
	merged := append(os.Environ(), ratifyVars...)
	return pluginCommon.MergeDuplicateEnviron(merged)
}
--------------------------------------------------------------------------------
/pkg/verifier/plugin/const.go:
--------------------------------------------------------------------------------
/*
Copyright The Ratify Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package plugin

const (
	// VerifyCommand is the value of RATIFY_VERIFIER_COMMAND for a verify request.
	VerifyCommand = "VERIFY"
	// CommandEnvKey, SubjectEnvKey and VersionEnvKey are the environment
	// variable names through which the host passes the command, the subject
	// reference and the protocol version to a verifier plugin
	// (see VerifierPluginArgs.AsEnviron).
	CommandEnvKey = "RATIFY_VERIFIER_COMMAND"
	SubjectEnvKey = "RATIFY_VERIFIER_SUBJECT"
	VersionEnvKey = "RATIFY_VERIFIER_VERSION"
)
--------------------------------------------------------------------------------
/pkg/verifier/utils/utils.go:
--------------------------------------------------------------------------------
/*
Copyright The Ratify Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package utils

import (
	"strings"

	"github.com/notaryproject/ratify/v2/internal/constants"
)

// IsNamespacedNamed reports whether name looks like a Kubernetes namespaced
// resource reference, i.e. it contains the namespace separator (for example
// "namespace/name"). It is a pure substring test: neither half is validated,
// and a name with several separators also returns true.
//
// NOTE(review): this file imports github.com/notaryproject/ratify/v2/...
// while its neighbours in this listing import github.com/ratify-project/ratify/...;
// it presumably comes from a different module version than the rest.
func IsNamespacedNamed(name string) bool {
	_, _, hasSeparator := strings.Cut(name, constants.NamespaceSeperator)
	return hasSeparator
}
--------------------------------------------------------------------------------
/pkg/verifiercache/api.go:
--------------------------------------------------------------------------------
/*
Copyright The Ratify Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package verifiercache

import (
	"context"
	"time"

	et "github.com/ratify-project/ratify/pkg/executor/types"
)

// VerifierCache is an interface that defines methods to set/get results from a cache
type VerifierCache interface {
	// GetVerifyResult gets the result from the cache with the given subject as the key.
	// The bool is false on a miss.
	// NOTE(review): the key is an opaque subject reference string. A cached "allow"
	// is only safe to reuse when the key pins content — callers should key by digest,
	// not by a mutable tag that can later be re-pointed at a different image. Confirm
	// at the call sites, which are not visible here.
	GetVerifyResult(ctx context.Context, subjectRefString string) (et.VerifyResult, bool)

	// SetVerifyResult sets the verify result in the cache with the given TTL.
	// The TTL also bounds how long a stale "allow" can outlive a revoked key or
	// signature, so keep it short for admission decisions.
	SetVerifyResult(ctx context.Context, subjectRefString string, verifyResult et.VerifyResult, ttl time.Duration)
}
--------------------------------------------------------------------------------
/pkg/verifiercache/memory/memorycache.go:
--------------------------------------------------------------------------------
/*
Copyright The Ratify Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
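*/

package memory

import (
	"context"
	"time"

	et "github.com/ratify-project/ratify/pkg/executor/types"
)

// Cache describes an in-memory cache with automatic expiration
type Cache struct {
	// syncMap holds the entries; expiry is presumably enforced by
	// SyncMapWithExpiration itself (its implementation is not visible here).
	syncMap *SyncMapWithExpiration
}

// GetVerifyResult looks up the cached verify result for subjectRefString.
// The bool is false when there is no live entry for the key, and also when
// the stored value is not an et.VerifyResult: the previous unchecked type
// assertion would have panicked the admission server on a foreign value, so
// such an entry is now reported as a cache miss instead.
func (memoryCache Cache) GetVerifyResult(_ context.Context, subjectRefString string) (et.VerifyResult, bool) {
	item, ok := memoryCache.syncMap.GetEntry(subjectRefString)
	if !ok {
		return et.VerifyResult{}, false
	}
	result, ok := item.(et.VerifyResult)
	if !ok {
		return et.VerifyResult{}, false
	}
	return result, true
}

// SetVerifyResult stores verifyResult under subjectRefString for ttl.
func (memoryCache Cache) SetVerifyResult(_ context.Context, subjectRefString string, verifyResult et.VerifyResult, ttl time.Duration) {
	memoryCache.syncMap.SetEntry(subjectRefString, verifyResult, ttl)
}
--------------------------------------------------------------------------------
/plugins/verifier/licensechecker/utils/types.go:
--------------------------------------------------------------------------------
/*
Copyright The Ratify Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.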
*/

package utils

// PackageLicense pairs a package name with the license string reported for it
// by the licensechecker verifier plugin. This type does not fix the format of
// PackageLicense (SPDX identifier vs. free text); that is up to the producer.
type PackageLicense struct {
	PackageName    string
	PackageLicense string
}
--------------------------------------------------------------------------------
/plugins/verifier/sbom/testdata/osv-scanner.toml:
--------------------------------------------------------------------------------
[[IgnoredVulns]]
id = "CVE-2022-48174"
reason = "Test manifest file(syftbom.spdx.json)"

[[IgnoredVulns]]
id = "CVE-2023-42366"
reason = "Test manifest file(syftbom.spdx.json)"

[[IgnoredVulns]]
id = "CVE-2023-42363"
reason = "Test manifest file(syftbom.spdx.json)"

[[IgnoredVulns]]
id = "CVE-2023-42364"
reason = "Test manifest file(syftbom.spdx.json)"

[[IgnoredVulns]]
id = "CVE-2023-42365"
reason = "Test manifest file(syftbom.spdx.json)"
--------------------------------------------------------------------------------
/plugins/verifier/schemavalidator/README.md:
--------------------------------------------------------------------------------
# Json schema validator
Validate Json artifacts against JSON schemas.

## Configuration
Schemas can be configured in Ratify config.json or via CRD.
6 | 7 | ```json 8 | "plugins": [ 9 | { 10 | "name": "schemavalidator", 11 | "artifactTypes": "application/vnd.aquasecurity.trivy.report.sarif.v1", 12 | "schemas": { 13 | "application/sarif+json": "https://json.schemastore.org/sarif-2.1.0-rtm.5.json" 14 | } 15 | } 16 | ] 17 | ``` 18 | 19 | ```yaml 20 | apiVersion: config.ratify.deislabs.io/v1beta1 21 | kind: Verifier 22 | metadata: 23 | name: verifier-schemavalidator 24 | spec: 25 | name: schemavalidator 26 | artifactTypes: application/vnd.aquasecurity.trivy.report.sarif.v1 27 | parameters: 28 | schemas: 29 | application/sarif+json: https://json.schemastore.org/sarif-2.1.0-rtm.5.json 30 | ``` -------------------------------------------------------------------------------- /plugins/verifier/schemavalidator/schemavalidation/testdata/bad_schema.json: -------------------------------------------------------------------------------- 1 | { 2 | bad schema 3 | -------------------------------------------------------------------------------- /plugins/verifier/schemavalidator/schemavalidation/testdata/osv-scanner.toml: -------------------------------------------------------------------------------- 1 | [[IgnoredVulns]] 2 | id = "CVE-2022-48174" 3 | reason = "Test manifest file(trivy_scan_report.json)" 4 | 5 | [[IgnoredVulns]] 6 | id = "CVE-2023-42366" 7 | reason = "Test manifest file(trivy_scan_report.json)" 8 | 9 | [[IgnoredVulns]] 10 | id = "CVE-2023-42363" 11 | reason = "Test manifest file(trivy_scan_report.json)" 12 | 13 | [[IgnoredVulns]] 14 | id = "CVE-2023-42364" 15 | reason = "Test manifest file(trivy_scan_report.json)" 16 | 17 | [[IgnoredVulns]] 18 | id = "CVE-2023-42365" 19 | reason = "Test manifest file(trivy_scan_report.json)" -------------------------------------------------------------------------------- /plugins/verifier/vulnerabilityreport/schemavalidation/testdata/bad_schema.json: -------------------------------------------------------------------------------- 1 | { 2 | bad schema 3 | 
-------------------------------------------------------------------------------- /plugins/verifier/vulnerabilityreport/schemavalidation/testdata/osv-scanner.toml: -------------------------------------------------------------------------------- 1 | [[IgnoredVulns]] 2 | id = "CVE-2022-48174" 3 | reason = "Test manifest file(trivy_scan_report.json)" 4 | 5 | [[IgnoredVulns]] 6 | id = "CVE-2023-42366" 7 | reason = "Test manifest file(trivy_scan_report.json)" 8 | 9 | [[IgnoredVulns]] 10 | id = "CVE-2023-42363" 11 | reason = "Test manifest file(trivy_scan_report.json)" 12 | 13 | [[IgnoredVulns]] 14 | id = "CVE-2023-42364" 15 | reason = "Test manifest file(trivy_scan_report.json)" 16 | 17 | [[IgnoredVulns]] 18 | id = "CVE-2023-42365" 19 | reason = "Test manifest file(trivy_scan_report.json)" -------------------------------------------------------------------------------- /terraform/azure/output.tf: -------------------------------------------------------------------------------- 1 | # Copyright The Ratify Authors. 2 | # Licensed under the Apache License, Version 2.0 (the "License"); 3 | # you may not use this file except in compliance with the License. 4 | # You may obtain a copy of the License at 5 | 6 | # http://www.apache.org/licenses/LICENSE-2.0 7 | 8 | # Unless required by applicable law or agreed to in writing, software 9 | # distributed under the License is distributed on an "AS IS" BASIS, 10 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 11 | # See the License for the specific language governing permissions and 12 | # limitations under the License. 
13 | 14 | output "key_vault_uri" { 15 | value = azurerm_key_vault.kv.vault_uri 16 | } 17 | 18 | output "ratify_certificate_name" { 19 | value = azurerm_key_vault_certificate.ratify-cert.name 20 | } 21 | 22 | output "tenant_id" { 23 | value = data.azurerm_client_config.current.tenant_id 24 | } 25 | 26 | output "workload_identity_client_id" { 27 | value = azurerm_user_assigned_identity.identity.client_id 28 | } 29 | -------------------------------------------------------------------------------- /terraform/azure/terraform.tfvars: -------------------------------------------------------------------------------- 1 | # Copyright The Ratify Authors. 2 | # Licensed under the Apache License, Version 2.0 (the "License"); 3 | # you may not use this file except in compliance with the License. 4 | # You may obtain a copy of the License at 5 | 6 | # http://www.apache.org/licenses/LICENSE-2.0 7 | 8 | # Unless required by applicable law or agreed to in writing, software 9 | # distributed under the License is distributed on an "AS IS" BASIS, 10 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 11 | # See the License for the specific language governing permissions and 12 | # limitations under the License. 13 | 14 | registry_name = "example-registry" 15 | key_vault_name = "example-key-vault" 16 | identity_name = "example-workload-identity" 17 | resource_group_name = "example-resource-group" 18 | cluster_name = "example-cluster" 19 | tags = { 20 | environment = "example-environment" 21 | department = "example-department" 22 | } 23 | -------------------------------------------------------------------------------- /terraform/azure/variables.tf: -------------------------------------------------------------------------------- 1 | # Copyright The Ratify Authors. 2 | # Licensed under the Apache License, Version 2.0 (the "License"); 3 | # you may not use this file except in compliance with the License. 
4 | # You may obtain a copy of the License at 5 | 6 | # http://www.apache.org/licenses/LICENSE-2.0 7 | 8 | # Unless required by applicable law or agreed to in writing, software 9 | # distributed under the License is distributed on an "AS IS" BASIS, 10 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 11 | # See the License for the specific language governing permissions and 12 | # limitations under the License. 13 | 14 | variable "registry_name" { 15 | type = string 16 | default = "myregistry" 17 | } 18 | 19 | variable "key_vault_name" { 20 | type = string 21 | default = "mykeyvault" 22 | } 23 | 24 | variable "resource_group_name" { 25 | type = string 26 | default = "myresourcegroup" 27 | } 28 | 29 | variable "location" { 30 | type = string 31 | default = "eastus" 32 | } 33 | 34 | variable "identity_name" { 35 | type = string 36 | default = "myidentity" 37 | } 38 | 39 | variable "cluster_name" { 40 | type = string 41 | default = "mycluster" 42 | } 43 | 44 | variable "tags" { 45 | type = map(string) 46 | } 47 | 48 | variable "ratify_namespace" { 49 | type = string 50 | default = "gatekeeper-system" 51 | } 52 | 53 | variable "ratify_cert_name" { 54 | type = string 55 | default = "ratify" 56 | } -------------------------------------------------------------------------------- /test/bats/quickstart-test.bats: -------------------------------------------------------------------------------- 1 | # Copyright The Ratify Authors. 2 | # Licensed under the Apache License, Version 2.0 (the "License"); 3 | # you may not use this file except in compliance with the License. 4 | # You may obtain a copy of the License at 5 | 6 | # http://www.apache.org/licenses/LICENSE-2.0 7 | 8 | # Unless required by applicable law or agreed to in writing, software 9 | # distributed under the License is distributed on an "AS IS" BASIS, 10 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
11 | # See the License for the specific language governing permissions and 12 | # limitations under the License. 13 | 14 | #!/usr/bin/env bats 15 | 16 | load helpers 17 | 18 | @test "validate quick start steps" { 19 | run kubectl run demo --image=ghcr.io/ratify-project/ratify/notary-image:signed 20 | assert_success 21 | 22 | # validate unsigned fails 23 | run kubectl run demo1 --image=ghcr.io/ratify-project/ratify/notary-image:unsigned 24 | assert_failure 25 | } 26 | -------------------------------------------------------------------------------- /test/bats/tests/certificates/cosign.pub: -------------------------------------------------------------------------------- 1 | -----BEGIN PUBLIC KEY----- 2 | MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEvjrMZFyaBDsvg5e0C8JaHqw8ULuc 3 | n947ODVAMvfdqtjqK2eW77OGrsFLdkbG3BET9U4Dj37odn4kI5lC4Lj9Eg== 4 | -----END PUBLIC KEY----- -------------------------------------------------------------------------------- /test/bats/tests/certificates/wabbit-networks.io.crt: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIDWDCCAkCgAwIBAgIBUTANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJVUzEL 3 | MAkGA1UECBMCV0ExEDAOBgNVBAcTB1NlYXR0bGUxDzANBgNVBAoTBk5vdGFyeTEb 4 | MBkGA1UEAxMSd2FiYml0LW5ldHdvcmtzLmlvMCAXDTIyMTIwMjA4MDg0NFoYDzIx 5 | MjIxMjAzMDgwODQ0WjBaMQswCQYDVQQGEwJVUzELMAkGA1UECBMCV0ExEDAOBgNV 6 | BAcTB1NlYXR0bGUxDzANBgNVBAoTBk5vdGFyeTEbMBkGA1UEAxMSd2FiYml0LW5l 7 | dHdvcmtzLmlvMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnoskJWB0 8 | ZsYcfbTvCYQMLqWaB/yN3Jf7Ryxvndrij83fWEQPBQJi8Mk8SpNqm2x9uP3gsQDc 9 | L/73a0p6/D+hza2jQQVhebe/oB0LJtUoD5LXlJ83UQdZETLMYAzeBNcBR4kMecrY 10 | CnE6yjHeiEWdAH+U7Mt39zJh+9lGIcbk0aUE5UOp8o3t5RWFDcl9hQ7QOXROwmpO 11 | thLUIiY/bcPpsg/2nH1nzFjqiBef3sgopFCTgtJ7qF8B83Xy/+hJ5vD29xsbSwuB 12 | 3iLE7qLxu2NxdIa4oL0Y2QKMh/getjI0xnvwAmPkFiFbzC7LFdDfd6+gA5GpUXxL 13 | u6UmwucAgiljGQIDAQABoycwJTAOBgNVHQ8BAf8EBAMCB4AwEwYDVR0lBAwwCgYI 14 | 
KwYBBQUHAwMwDQYJKoZIhvcNAQELBQADggEBAFvRW/mGjnnMNFKJc/e3o/+yiJor 15 | dcrq/1UzyD7eNmOaASXz8rrrFT/6/TBXExPuB2OIf9OgRJFfPGLxmzCwVgaWQbK0 16 | VfTN4MQzRrSwPmNYsBAAwLxXbarYlMbm4DEmdJGyVikq08T2dZI51GC/YXEwzlnv 17 | ldN0dBflb/FKkY5rAp0JgpHLGKeStxFvB62noBjWfrm7ShCf9gkn1CjmgvP/sYK0 18 | pJgA1FHPd6EeB6yRBpLV4EJgQYUJoOpbHz+us62jKj5fAXsX052LPmk9ArmP0uJ1 19 | CJLNdj+aShCs4paSWOObDmIyXHwCx3MxCvYsFk/Wsnwura6jGC+cNsjzSx4= 20 | -----END CERTIFICATE----- 21 | -------------------------------------------------------------------------------- /test/bats/tests/config/akvpolicy.json: -------------------------------------------------------------------------------- 1 | { 2 | "issuerParameters": { 3 | "certificateTransparency": null, 4 | "name": "Self" 5 | }, 6 | "keyProperties": { 7 | "curve": null, 8 | "exportable": false, 9 | "keySize": 2048, 10 | "keyType": "RSA", 11 | "reuseKey": true 12 | }, 13 | "lifetimeActions": [ 14 | { 15 | "action": { 16 | "actionType": "AutoRenew" 17 | }, 18 | "trigger": { 19 | "daysBeforeExpiry": 90, 20 | "lifetimePercentage": null 21 | } 22 | } 23 | ], 24 | "secretProperties": { 25 | "contentType": "application/x-pem-file" 26 | }, 27 | "x509CertificateProperties": { 28 | "ekus": [], 29 | "keyUsage": [ 30 | "cRLSign", 31 | "dataEncipherment", 32 | "digitalSignature", 33 | "keyEncipherment", 34 | "keyAgreement", 35 | "keyCertSign" 36 | ], 37 | "subject": "CN=ratify.default", 38 | "subjectAlternativeNames": { 39 | "dnsNames": null, 40 | "emails": null, 41 | "upns": null 42 | }, 43 | "validityInMonths": 12 44 | } 45 | } -------------------------------------------------------------------------------- /test/bats/tests/config/config_v1beta1_certstore_inline.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: config.ratify.deislabs.io/v1beta1 2 | kind: CertificateStore 3 | metadata: 4 | name: certstore-inline 5 | spec: 6 | provider: inline 7 | parameters: 8 | value: | 9 | 
-------------------------------------------------------------------------------- /test/bats/tests/config/config_v1beta1_keymanagementprovider_inline.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: config.ratify.deislabs.io/v1beta1 2 | kind: KeyManagementProvider 3 | metadata: 4 | name: keymanagementprovider-inline 5 | spec: 6 | type: inline 7 | parameters: 8 | contentType: certificate 9 | value: | 10 | -------------------------------------------------------------------------------- /test/bats/tests/config/config_v1beta1_verifier_cosign_akv.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: config.ratify.deislabs.io/v1beta1 2 | kind: Verifier 3 | metadata: 4 | name: verifier-cosign 5 | annotations: 6 | helm.sh/hook: pre-install,pre-upgrade 7 | helm.sh/hook-weight: "5" 8 | spec: 9 | name: cosign 10 | artifactTypes: application/vnd.dev.cosign.artifact.sig.v1+json 11 | parameters: 12 | trustPolicies: 13 | - name: default 14 | version: 1.0.0 15 | scopes: 16 | - "*" 17 | keys: 18 | - provider: kmprovider-akv 19 | tLogVerify: false # NOTE(review): turns off transparency-log (Rekor) verification for this e2e fixture, which is acceptable here because the AKV-held key is trusted directly; a production trust policy should keep transparency-log verification enabled unless the signer is known never to upload to Rekor, since without it a signature cannot be checked against a public, append-only record.
-------------------------------------------------------------------------------- /test/bats/tests/config/config_v1beta1_verifier_cosign_keyless.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: config.ratify.deislabs.io/v1beta1 2 | kind: Verifier 3 | metadata: 4 | name: verifier-cosign 5 | spec: 6 | name: cosign 7 | artifactTypes: application/vnd.dev.cosign.artifact.sig.v1+json 8 | parameters: 9 | trustPolicies: 10 | - name: default 11 | scopes: 12 | - '*' 13 | keyless: 14 | certificateIdentity: sozercan@gmail.com 15 | certificateOIDCIssuer: https://github.com/login/oauth -------------------------------------------------------------------------------- /test/bats/tests/config/config_v1beta1_verifier_notation.yaml: 
-------------------------------------------------------------------------------- 1 | apiVersion: config.ratify.deislabs.io/v1beta1 2 | kind: Verifier 3 | metadata: 4 | name: verifier-notation 5 | spec: 6 | name: notation 7 | artifactTypes: application/vnd.cncf.notary.signature 8 | parameters: 9 | verificationCertStores: 10 | ca: 11 | ca-certs: 12 | - certstore-inline 13 | trustPolicyDoc: 14 | version: "1.0" 15 | trustPolicies: 16 | - name: default 17 | registryScopes: 18 | - "*" 19 | signatureVerification: 20 | level: strict 21 | trustStores: 22 | - ca:ca-certs 23 | trustedIdentities: 24 | - "*" 25 | -------------------------------------------------------------------------------- /test/bats/tests/config/config_v1beta1_verifier_notation_akv.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: config.ratify.deislabs.io/v1beta1 2 | kind: Verifier 3 | metadata: 4 | name: verifier-notation 5 | spec: 6 | name: notation 7 | artifactTypes: application/vnd.cncf.notary.signature 8 | parameters: 9 | verificationCertStores: 10 | ca: 11 | ca-certs: 12 | - kmprovider-akv 13 | trustPolicyDoc: 14 | version: "1.0" 15 | trustPolicies: 16 | - name: default 17 | registryScopes: 18 | - "*" 19 | signatureVerification: 20 | level: strict 21 | trustStores: 22 | - ca:ca-certs 23 | trustedIdentities: 24 | - "*" 25 | -------------------------------------------------------------------------------- /test/bats/tests/config/config_v1beta1_verifier_notation_audit_crl.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: config.ratify.deislabs.io/v1beta1 2 | kind: Verifier 3 | metadata: 4 | name: verifier-notation 5 | spec: 6 | name: notation 7 | artifactTypes: application/vnd.cncf.notary.signature 8 | parameters: 9 | verificationCertStores: 10 | ca: 11 | ca-crl: 12 | - keymanagementprovider-inline 13 | trustPolicyDoc: 14 | version: "1.0" 15 | trustPolicies: 16 | - name: default 17 | registryScopes: 
18 | - "*" 19 | signatureVerification: 20 | level: audit 21 | trustStores: 22 | - ca:ca-crl 23 | trustedIdentities: 24 | - "*" 25 | -------------------------------------------------------------------------------- /test/bats/tests/config/config_v1beta1_verifier_notation_kmprovider.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: config.ratify.deislabs.io/v1beta1 2 | kind: Verifier 3 | metadata: 4 | name: verifier-notation 5 | spec: 6 | name: notation 7 | artifactTypes: application/vnd.cncf.notary.signature 8 | parameters: 9 | verificationCertStores: 10 | ca: 11 | ca-certs: 12 | - keymanagementprovider-inline 13 | trustPolicyDoc: 14 | version: "1.0" 15 | trustPolicies: 16 | - name: default 17 | registryScopes: 18 | - "*" 19 | signatureVerification: 20 | level: strict 21 | trustStores: 22 | - ca:ca-certs 23 | trustedIdentities: 24 | - "*" 25 | -------------------------------------------------------------------------------- /test/bats/tests/config/config_v1beta1_verifier_notation_tsa.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: config.ratify.deislabs.io/v1beta1 2 | kind: Verifier 3 | metadata: 4 | name: verifier-notation 5 | spec: 6 | name: notation 7 | artifactTypes: application/vnd.cncf.notary.signature 8 | parameters: 9 | verificationCertStores: 10 | ca: 11 | ca-certs: 12 | - ratify-notation-inline-cert-0 13 | tsa: 14 | tsa-certs: 15 | - keymanagementprovider-inline 16 | trustPolicyDoc: 17 | version: "1.0" 18 | trustPolicies: 19 | - name: default 20 | registryScopes: 21 | - "*" 22 | signatureVerification: 23 | level: strict 24 | trustStores: 25 | - ca:ca-certs 26 | - tsa:tsa-certs 27 | trustedIdentities: 28 | - "*" 29 | -------------------------------------------------------------------------------- /test/bats/tests/config/partial_licensechecker_config.json: -------------------------------------------------------------------------------- 1 | { 2 | "store": 
{ 3 | "version": "1.0.0", 4 | "plugins": [ 5 | { 6 | "name": "oras", 7 | "useHttp": true 8 | } 9 | ] 10 | }, 11 | "policy": { 12 | "version": "1.0.0", 13 | "plugin": { 14 | "name": "configPolicy", 15 | "artifactVerificationPolicies": { 16 | "application/vnd.ratify.spdx.v0": "all" 17 | } 18 | } 19 | }, 20 | "verifier": { 21 | "version": "1.0.0", 22 | "plugins": [ 23 | { 24 | "name": "licensechecker", 25 | "artifactTypes": "application/vnd.ratify.spdx.v0", 26 | "allowedLicenses": [ 27 | "MIT" 28 | ] 29 | } 30 | ] 31 | } 32 | } -------------------------------------------------------------------------------- /test/bats/tests/config/sbom_denylist_config_licensematch.json: -------------------------------------------------------------------------------- 1 | { 2 | "store": { 3 | "version": "1.0.0", 4 | "plugins": [ 5 | { 6 | "name": "oras", 7 | "useHttp": true 8 | } 9 | ] 10 | }, 11 | "policy": { 12 | "version": "1.0.0", 13 | "plugin": { 14 | "name": "configPolicy", 15 | "artifactVerificationPolicies": { 16 | "application/spdx+json": "all" 17 | } 18 | } 19 | }, 20 | "verifier": { 21 | "version": "1.0.0", 22 | "plugins": [ 23 | { 24 | "name": "sbom", 25 | "artifactTypes": "application/spdx+json", 26 | "disallowedLicenses": ["NOASSERTION"] 27 | } 28 | ] 29 | } 30 | } -------------------------------------------------------------------------------- /test/bats/tests/config/sbom_denylist_config_nomatch.json: -------------------------------------------------------------------------------- 1 | { 2 | "store": { 3 | "version": "1.0.0", 4 | "plugins": [ 5 | { 6 | "name": "oras", 7 | "useHttp": true 8 | } 9 | ] 10 | }, 11 | "policy": { 12 | "version": "1.0.0", 13 | "plugin": { 14 | "name": "configPolicy", 15 | "artifactVerificationPolicies": { 16 | "application/spdx+json": "all" 17 | } 18 | } 19 | }, 20 | "verifier": { 21 | "version": "1.0.0", 22 | "plugins": [ 23 | { 24 | "name": "sbom", 25 | "artifactTypes": "application/spdx+json", 26 | 
"disallowedPackages":[{"name":"zlib","version":"1.2.13-r1"}] 27 | } 28 | ] 29 | } 30 | } -------------------------------------------------------------------------------- /test/bats/tests/config/sbom_denylist_config_packagematch.json: -------------------------------------------------------------------------------- 1 | { 2 | "store": { 3 | "version": "1.0.0", 4 | "plugins": [ 5 | { 6 | "name": "oras", 7 | "useHttp": true 8 | } 9 | ] 10 | }, 11 | "policy": { 12 | "version": "1.0.0", 13 | "plugin": { 14 | "name": "configPolicy", 15 | "artifactVerificationPolicies": { 16 | "application/spdx+json": "all" 17 | } 18 | } 19 | }, 20 | "verifier": { 21 | "version": "1.0.0", 22 | "plugins": [ 23 | { 24 | "name": "sbom", 25 | "artifactTypes": "application/spdx+json", 26 | "disallowedPackages":[{"name":"zlib","version":"1.2.13-r0"}] 27 | } 28 | ] 29 | } 30 | } -------------------------------------------------------------------------------- /test/bats/tests/config/sbom_version_mismatch.json: -------------------------------------------------------------------------------- 1 | { 2 | "store": { 3 | "version": "1.0.0", 4 | "plugins": [ 5 | { 6 | "name": "oras", 7 | "useHttp": true 8 | } 9 | ] 10 | }, 11 | "policy": { 12 | "version": "1.0.0", 13 | "plugin": { 14 | "name": "configPolicy", 15 | "artifactVerificationPolicies": { 16 | "application/spdx+json": "all" 17 | } 18 | } 19 | }, 20 | "verifier": { 21 | "version": "1.0.0", 22 | "plugins": [ 23 | { 24 | "version": "3.0.0", 25 | "name": "sbom", 26 | "artifactTypes": "application/spdx+json", 27 | "disallowedLicenses": ["NOASSERTION"] 28 | } 29 | ] 30 | } 31 | } -------------------------------------------------------------------------------- /test/bats/tests/config/schemavalidator_config.json: -------------------------------------------------------------------------------- 1 | { 2 | "store": { 3 | "version": "1.0.0", 4 | "plugins": [ 5 | { 6 | "name": "oras", 7 | "useHttp": true 8 | } 9 | ] 10 | }, 11 | "policy": { 12 | "version": 
"1.0.0", 13 | "plugin": { 14 | "name": "configPolicy" 15 | } 16 | }, 17 | "verifier": { 18 | "version": "1.0.0", 19 | "plugins": [ 20 | { 21 | "name": "schemavalidator", 22 | "artifactTypes": "application/vnd.aquasecurity.trivy.report.sarif.v1", 23 | "schemas": { 24 | "application/sarif+json": "file:///home/runner/.ratify/schemas/sarif-2.1.0-rtm.5.json" 25 | } 26 | } 27 | ] 28 | } 29 | } -------------------------------------------------------------------------------- /test/bats/tests/config/vulnerabilityreport_config.json: -------------------------------------------------------------------------------- 1 | { 2 | "store": { 3 | "version": "1.0.0", 4 | "plugins": [ 5 | { 6 | "name": "oras", 7 | "useHttp": true 8 | } 9 | ] 10 | }, 11 | "policy": { 12 | "version": "1.0.0", 13 | "plugin": { 14 | "name": "configPolicy" 15 | } 16 | }, 17 | "verifier": { 18 | "version": "1.0.0", 19 | "plugins": [ 20 | { 21 | "name": "vulnerabilityreport", 22 | "artifactTypes": "application/sarif+json", 23 | "maximumAge": "24h", 24 | "denylistCVEs": ["CVE-2021-44228"] 25 | } 26 | ] 27 | } 28 | } -------------------------------------------------------------------------------- /test/bats/tests/config/zot-config.json: -------------------------------------------------------------------------------- 1 | { 2 | "Storage": { 3 | "RootDirectory": "/var/lib/registry" 4 | }, 5 | "HTTP": { 6 | "Address": "0.0.0.0", 7 | "Port": "5000", 8 | "Auth": { 9 | "HTPasswd": { 10 | "Path": "/etc/zot/htpasswd" 11 | } 12 | } 13 | } 14 | } -------------------------------------------------------------------------------- /test/bats/tests/configmap/invalidconfigmap.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | name: ratify-configuration 5 | data: 6 | config.json: | 7 | { 8 | "executor": { 9 | "verificationRequestTimeout": 6800 10 | }, 11 | "store": { 12 | "version": "1.0.0", 13 | "plugins": [ 14 | { 15 | "name": "oras" 16 
| } 17 | ] 18 | }, 19 | "policy": { 20 | "version": "1.0.0", 21 | "plugin": { 22 | "name": "configPolicy", 23 | "artifactVerificationPolicies": { 24 | "application/vnd.dev.cosign.artifact.sig.v1+json": "any" 25 | } 26 | } 27 | }, 28 | "verifier": { 29 | "version": "1.0.0", 30 | "plugins": [ 31 | { 32 | "name":"notation", 33 | "artifactTypes" : "application/vnd.cncf.notary.signature", 34 | "verificationCerts": [ 35 | "/usr/local/ratify-certs/notation" 36 | ] 37 | } 38 | ] 39 | } 40 | } -------------------------------------------------------------------------------- /test/testdata/cosign.pub: -------------------------------------------------------------------------------- 1 | -----BEGIN PUBLIC KEY----- 2 | MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEBiEwSL0YJy4hyyEB5S7K7rERVqt1 3 | K2RMHUvjNzk5/bWzWNqI4GspPDaVtIHSm3DhCqIC/Ip25hTRovMeho847Q== 4 | -----END PUBLIC KEY----- 5 | -------------------------------------------------------------------------------- /test/testdata/dapr/dapr-redis-secret.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Secret 3 | metadata: 4 | name: ratify-dapr-signing-key 5 | data: 6 | signingKey: "" 7 | -------------------------------------------------------------------------------- /test/testdata/dapr/dapr-redis.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: dapr.io/v1alpha1 2 | kind: Component 3 | metadata: 4 | name: dapr-redis 5 | spec: 6 | type: state.redis 7 | version: v1 8 | metadata: 9 | # These settings will work out of the box if you use `helm install 10 | # bitnami/redis`. If you have your own setup, replace 11 | # `redis-master:6379` with your own Redis master address, and the 12 | # Redis password with your own Secret's name. For more information, 13 | # see https://docs.dapr.io/operations/components/component-secrets . 
14 | - name: redisHost 15 | value: redis-master:6379 16 | - name: redisPassword 17 | secretKeyRef: 18 | name: redis 19 | key: redis-password 20 | - name: primaryEncryptionKey 21 | secretKeyRef: 22 | name: ratify-dapr-signing-key 23 | key: signingKey 24 | - name: enableTLS 25 | value: "true" 26 | auth: 27 | secretStore: kubernetes 28 | -------------------------------------------------------------------------------- /test/testdata/invalid_json.json: -------------------------------------------------------------------------------- 1 | { -------------------------------------------------------------------------------- /test/testdata/invalid_trust_policy.json: -------------------------------------------------------------------------------- 1 | { 2 | "version": "1.0" 3 | } -------------------------------------------------------------------------------- /test/testdata/notation.crt: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIDQzCCAiugAwIBAgIUDxHQ9JxxmnrLWTA5rAtIZCzY8mMwDQYJKoZIhvcNAQEL 3 | BQAwKTEPMA0GA1UECgwGUmF0aWZ5MRYwFAYDVQQDDA1SYXRpZnkgU2FtcGxlMB4X 4 | DTIzMDYyOTA1MjgzMloXDTMzMDYyNjA1MjgzMlowKTEPMA0GA1UECgwGUmF0aWZ5 5 | MRYwFAYDVQQDDA1SYXRpZnkgU2FtcGxlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A 6 | MIIBCgKCAQEAshmsL2VM9ojhgTVUUuEsZro9jfI27VKZJ4naWSHJihmOki7IoZS8 7 | 3/3ATpkE1lGbduJ77M9UxQbEW1PnESB0bWtMQtjIbser3mFCn15yz4nBXiTIu/K4 8 | FYv6HVdc6/cds3jgfEFNw/8RVMBUGNUiSEWa1lV1zDM2v/8GekUr6SNvMyqtY8oo 9 | ItwxfUvlhgMNlLgd96mVnnPVLmPkCmXFN9iBMhSce6sn6P9oDIB+pr1ZpE4F5bwa 10 | gRBg2tWN3Tz9H/z2a51Xbn7hCT5OLBRlkorHJl2HKKRoXz1hBgR8xOL+zRySH9Qo 11 | 3yx6WvluYDNfVbCREzKJf9fFiQeVe0EJOwIDAQABo2MwYTAdBgNVHQ4EFgQUKzci 12 | EKCDwPBn4I1YZ+sDdnxEir4wHwYDVR0jBBgwFoAUKzciEKCDwPBn4I1YZ+sDdnxE 13 | ir4wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAgQwDQYJKoZIhvcNAQEL 14 | BQADggEBAGh6duwc1MvV+PUYvIkDfgj158KtYX+bv4PmcV/aemQUoArqM1ECYFjt 15 | BlBVmTRJA0lijU5I0oZje80zW7P8M8pra0BM6x3cPnh/oZGrsuMizd4h5b5TnwuJ 16 | 
hRvKFFUVeHn9kORbyQwRQ5SpL8cRGyYp+T6ncEmo0jdIOM5dgfdhwHgb+i3TejcF 17 | 90sUs65zovUjv1wa11SqOdu12cCj/MYp+H8j2lpaLL2t0cbFJlBY6DNJgxr5qync 18 | cz8gbXrZmNbzC7W5QK5J7fcx6tlffOpt5cm427f9NiK2tira50HU7gC3HJkbiSTp 19 | Xw10iXXMZzSbQ0/Hj2BF4B40WfAkgRg= 20 | -----END CERTIFICATE----- 21 | -------------------------------------------------------------------------------- /test/testdata/osv-scanner.toml: -------------------------------------------------------------------------------- 1 | [[IgnoredVulns]] 2 | id = "CVE-2022-48174" 3 | reason = "Test manifest file(trivy_scan_report.json)" 4 | 5 | [[IgnoredVulns]] 6 | id = "CVE-2023-42366" 7 | reason = "Test manifest file(trivy_scan_report.json)" 8 | 9 | [[IgnoredVulns]] 10 | id = "CVE-2023-42363" 11 | reason = "Test manifest file(trivy_scan_report.json)" 12 | 13 | [[IgnoredVulns]] 14 | id = "CVE-2023-42364" 15 | reason = "Test manifest file(trivy_scan_report.json)" 16 | 17 | [[IgnoredVulns]] 18 | id = "CVE-2023-42365" 19 | reason = "Test manifest file(trivy_scan_report.json)" -------------------------------------------------------------------------------- /test/testdata/pod_initContainers_signed.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | name: initcontainer-pod1 5 | spec: 6 | containers: 7 | - name: service-container 8 | image: registry:5000/notation:signed 9 | initContainers: 10 | - name: init-service 11 | image: registry:5000/notation:signed 12 | command: ['sh', '-c', 'echo "logging"'] -------------------------------------------------------------------------------- /test/testdata/pod_initContainers_unsigned.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | name: initcontainer-pod 5 | spec: 6 | containers: 7 | - name: service-container 8 | image: registry:5000/notation:signed 9 | initContainers: 10 | - name: init-service 11 | image: 
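registry:5000/notation:unsigned 12 | command: ['sh', '-c', 'echo "logging"'] -------------------------------------------------------------------------------- /test/testdata/valid_trust_policy.json: -------------------------------------------------------------------------------- 1 | { 2 | "version": "1.0", 3 | "trustPolicies": [ 4 | { 5 | "name": "default", 6 | "registryScopes": [ 7 | "*" 8 | ], 9 | "signatureVerification": { 10 | "level": "strict" 11 | }, 12 | "trustStores": [ 13 | "ca:certs" 14 | ], 15 | "trustedIdentities": [ 16 | "*" 17 | ] 18 | } 19 | ] 20 | } -------------------------------------------------------------------------------- /utils/utils.go: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright The Ratify Authors. 3 | Licensed under the Apache License, Version 2.0 (the "License"); 4 | you may not use this file except in compliance with the License. 5 | You may obtain a copy of the License at 6 | 7 | http://www.apache.org/licenses/LICENSE-2.0 8 | 9 | Unless required by applicable law or agreed to in writing, software 10 | distributed under the License is distributed on an "AS IS" BASIS, 11 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | See the License for the specific language governing permissions and 13 | limitations under the License. 14 | */ 15 | 16 |
package utils

import (
	"net/url"
	"strings"
)

// dropFromLog reports whether r is a character that SanitizeString removes:
// every ASCII control character except horizontal tab, plus DEL (0x7f).
// CR and LF are the classic log-forging characters (they let an input start a
// new log line); ESC (0x1b) opens terminal escape sequences, and the remaining
// C0 bytes can corrupt or hide text in log viewers.
func dropFromLog(r rune) bool {
	return (r < 0x20 && r != '\t') || r == 0x7f
}

// SanitizeString removes characters that would let attacker-influenced text
// (image references, registry URLs, error strings returned by remote services)
// forge or corrupt a log line: CR and LF plus the other ASCII control
// characters and DEL (see dropFromLog). Horizontal tabs are kept, and bytes
// >= 0x80 (multi-byte UTF-8 or invalid sequences) pass through unchanged, so
// the output differs from the input only by the removed bytes.
//
// This is a log/error-message sanitizer only; it is not an escaping function
// for HTML, shell or SQL and must not be used as one.
func SanitizeString(input string) string {
	// Fast path: most inputs contain nothing to remove; hand them back without copying.
	if strings.IndexFunc(input, dropFromLog) < 0 {
		return input
	}
	var b strings.Builder
	b.Grow(len(input))
	// Work byte-wise so invalid UTF-8 is preserved rather than replaced by
	// U+FFFD (strings.Map would rewrite it). Every byte we drop is < 0x80, so
	// UTF-8 continuation bytes are never touched.
	for i := 0; i < len(input); i++ {
		c := input[i]
		if !dropFromLog(rune(c)) {
			b.WriteByte(c)
		}
	}
	return b.String()
}

// SanitizeURL formats input with (*url.URL).String and runs the result through
// SanitizeString, so a URL that arrived with embedded control characters cannot
// break a log line. The url.URL is taken by value, so the caller's copy is
// never modified.
func SanitizeURL(input url.URL) string {
	return SanitizeString(input.String())
}

// MakePtr returns a pointer to a copy of value; handy for optional struct fields
// such as *bool or *string (e.g. MakePtr(true)). Because value is passed by
// value, the returned pointer never aliases the caller's variable.
func MakePtr[T any](value T) *T {
	return &value
}
--------------------------------------------------------------------------------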