# SBOM Required Policy # Enforces SBOM generation for production containers package audit.sbom # SBOM is required for all containers deny[msg] { input.container_type == "production" not input.sbom_present msg = sprintf("Production container %s requires SBOM", [input.name]) } # SBOM must be recent (less than 30 days old) deny[msg] { input.sbom_present days_old := time.now_ns() - input.sbom_timestamp days_old > (30 * 24 * 60 * 60 * 1000000000) msg = sprintf("SBOM for %s is %d days old, must be regenerated", [input.name, days_old / (24 * 60 * 60 * 1000000000)]) } # SBOM must contain version information deny[msg] { input.sbom_present input.sbom_version == "" msg = sprintf("SBOM for %s is missing version information", [input.name]) } # Pass if all checks succeed pass { not deny[_] }