provisioning-platform/prov-ecosystem/crates/audit/policies/sbom_required.rego

32 lines
838 B
Rego
Raw Normal View History

# SBOM Required Policy
# Enforces SBOM generation for production containers
package audit.sbom
# SBOM is required for all containers
deny[msg] {
input.container_type == "production"
not input.sbom_present
msg = sprintf("Production container %s requires SBOM", [input.name])
}
# SBOM must be recent (less than 30 days old)
deny[msg] {
input.sbom_present
days_old := time.now_ns() - input.sbom_timestamp
days_old > (30 * 24 * 60 * 60 * 1000000000)
msg = sprintf("SBOM for %s is %d days old, must be regenerated", [input.name, days_old / (24 * 60 * 60 * 1000000000)])
}
# SBOM must contain version information
deny[msg] {
input.sbom_present
input.sbom_version == ""
msg = sprintf("SBOM for %s is missing version information", [input.name])
}
# Pass if all checks succeed
pass {
not deny[_]
}