Verify SLSA Provenance (Keyless)

Provenance is used to identify how an artifact was produced and from where it originated. SLSA provenance is an industry-standard method of representing that provenance. This policy verifies that an image has SLSA provenance and was signed by the expected subject and issuer when produced through GitHub Actions. It requires configuration based upon your own values.

Policy Definition

/other/verify_image_slsa.yaml

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-slsa-provenance-keyless
  annotations:
    policies.kyverno.io/title: Verify SLSA Provenance (Keyless)
    policies.kyverno.io/category: Sample
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/minversion: 1.7.0
    kyverno.io/kyverno-version: 1.7.2
    kyverno.io/kubernetes-version: "1.23"
    policies.kyverno.io/description: >-
      Provenance is used to identify how an artifact was produced
      and from where it originated. SLSA provenance is an industry-standard
      method of representing that provenance. This policy verifies that an
      image has SLSA provenance and was signed by the expected subject and issuer
      when produced through GitHub Actions. It requires configuration based upon
      your own values.
spec:
  validationFailureAction: enforce
  webhookTimeoutSeconds: 30
  rules:
    - name: check-slsa-keyless
      match:
        any:
        - resources:
            kinds:
              - Pod
      verifyImages:
      - imageReferences:
        - "myreg.org/path/repo:*"
        attestors:
        - entries:
          - keyless:
              # In the case of GitHub Actions, the subject will be set to your Actions workflow responsible
              # for kicking off the process. Note that this will not be set to the external action
              # responsible for the provenance generation.
              subject: "https://github.com/myname/myrepo/.github/workflows/my-workflow.yaml@refs/heads/mybranch"
              issuer: "https://token.actions.githubusercontent.com"
        attestations:
        - predicateType: https://slsa.dev/provenance/v0.2
          conditions:
          - all:
            # The build must have been configured from your repository and branch ...
            - key: "{{ invocation.configSource.uri }}"
              operator: Equals
              value: "git+https://github.com/myname/myrepo@refs/heads/mybranch"
            # ... by the workflow file you expect ...
            - key: "{{ invocation.configSource.entryPoint }}"
              operator: Equals
              value: ".github/workflows/my-workflow.yaml"
            # ... and the provenance must come from a released tag (vX.Y.Z, any number of digits per
            # component) of the official slsa-github-generator builder workflow. Dots are matched literally.
            - key: "{{ regex_match('^https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/tags/v[0-9]+[.][0-9]+[.][0-9]+$', '{{ builder.id }}') }}"
              operator: Equals
              value: true
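As an added illustration, not part of the Kyverno policy or its repository, the Python below mirrors the three attestation conditions against a constructed SLSA v0.2 provenance predicate, so you can see which fields of the predicate the policy pins and how a provenance from an unexpected builder is rejected. The predicate contents, the repository names and the check_provenance function are assumptions; in a cluster, Kyverno evaluates these conditions as JMESPath over the signed attestation, and nothing here replaces that signature check.

```python
import re

# Constructed sample of a SLSA v0.2 provenance predicate, shaped like the one
# slsa-github-generator emits (placeholder values, not a real build).
SAMPLE_PREDICATE = {
    "builder": {
        "id": "https://github.com/slsa-framework/slsa-github-generator/"
              ".github/workflows/generator_generic_slsa3.yml@refs/tags/v1.2.0"
    },
    "invocation": {
        "configSource": {
            "uri": "git+https://github.com/myname/myrepo@refs/heads/mybranch",
            "entryPoint": ".github/workflows/my-workflow.yaml",
        }
    },
}

# The same build record, but with a builder id pointing at a workflow outside
# the slsa-framework organisation: the policy must reject it.
UNTRUSTED_BUILDER_PREDICATE = {
    **SAMPLE_PREDICATE,
    "builder": {
        "id": "https://github.com/someone-else/slsa-github-generator/"
              ".github/workflows/generator_generic_slsa3.yml@refs/tags/v1.2.0"
    },
}

# The three values the policy pins (mirroring the attestations.conditions block).
EXPECTED_URI = "git+https://github.com/myname/myrepo@refs/heads/mybranch"
EXPECTED_ENTRYPOINT = ".github/workflows/my-workflow.yaml"
BUILDER_ID_RE = re.compile(
    r"^https://github\.com/slsa-framework/slsa-github-generator/"
    r"\.github/workflows/generator_generic_slsa3\.yml@refs/tags/v[0-9]+\.[0-9]+\.[0-9]+$"
)


def check_provenance(predicate: dict) -> list:
    """Return the names of the conditions that failed; an empty list means pass."""
    failures = []
    source = predicate.get("invocation", {}).get("configSource", {})
    if source.get("uri") != EXPECTED_URI:
        failures.append("configSource.uri")
    if source.get("entryPoint") != EXPECTED_ENTRYPOINT:
        failures.append("configSource.entryPoint")
    if not BUILDER_ID_RE.match(predicate.get("builder", {}).get("id", "")):
        failures.append("builder.id")
    return failures


if __name__ == "__main__":
    print("trusted build:", check_provenance(SAMPLE_PREDICATE) or "all conditions pass")
    print("untrusted builder:", check_provenance(UNTRUSTED_BUILDER_PREDICATE))
```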