31 lines
838 B
Rego
31 lines
838 B
Rego
# SBOM Required Policy
|
|
# Enforces SBOM generation for production containers
|
|
|
|
package audit.sbom
|
|
|
|
# SBOM is required for all containers
|
|
deny[msg] {
|
|
input.container_type == "production"
|
|
not input.sbom_present
|
|
msg = sprintf("Production container %s requires SBOM", [input.name])
|
|
}
|
|
|
|
# SBOM must be recent (less than 30 days old)
|
|
deny[msg] {
|
|
input.sbom_present
|
|
days_old := time.now_ns() - input.sbom_timestamp
|
|
days_old > (30 * 24 * 60 * 60 * 1000000000)
|
|
msg = sprintf("SBOM for %s is %d days old, must be regenerated", [input.name, days_old / (24 * 60 * 60 * 1000000000)])
|
|
}
|
|
|
|
# SBOM must contain version information
|
|
deny[msg] {
|
|
input.sbom_present
|
|
input.sbom_version == ""
|
|
msg = sprintf("SBOM for %s is missing version information", [input.name])
|
|
}
|
|
|
|
# Pass if all checks succeed
|
|
pass {
|
|
not deny[_]
|
|
}
|