The ScanPolicy custom resource allows you to define a Rego File for policy enforcement that you can reuse across Image Scan and Source Scan CRs.
The Scan Controller enforces policy by evaluating scan results with an Open Policy Agent (OPA) engine and the Rego File you supply. This lets scan results be checked for compliance with company policy and can prevent source code from being built or images from being deployed.
To define a Rego File for an Image Scan or Source Scan, the file must meet the following requirements; otherwise policy verification does not work properly.
- Package Policies: the Rego File must define a package in its body called `policies`, because this is the package the system looks up when deciding whether the scan's results are compliant.
- Input Match: the Rego File evaluates one vulnerability match at a time, with as many iterations as there are distinct vulnerabilities found in the scan. The structure of a match is accessible in the `input.currentVulnerability` object inside the Rego File and has the CycloneDX format.
- isCompliant Rule: the Rego File must define an `isCompliant` rule in its body. The rule must be boolean and holds the result of whether the vulnerability violates the security policy. If `isCompliant` is `true`, the vulnerability is allowed in the Source or Image scan; `false` is treated as a violation. Any scan that finds at least one vulnerability evaluating to `isCompliant=false` sets the `PolicySucceeded` condition to `false` as well.
```yaml
apiVersion: scanning.apps.tanzu.vmware.com/v1alpha1
kind: ScanPolicy
metadata:
  name: scanpolicy-sample
spec:
  # A multiline string defining a valid Rego File for policy validation
  regoFile: |
    # Define the package policies
    package policies

    # Give default value to isCompliant to be returned
    # if no change to `true` is applied
    default isCompliant = false

    # Do not fail on any CVE that carries one of these severities
    ignoreSeverities := ["Low"]

    # Helper: true when elem is an element of array, false otherwise
    contains(array, elem) = true {
      array[_] = elem
    } else = false { true }

    # Define the rule structure for evaluating CVEs
    isCompliant {
      # Check if the severity level in any of the ratings associated
      # with the current CVE is present in the ignoreSeverities
      # array.
      ignore := contains(ignoreSeverities, input.currentVulnerability.Ratings.Rating[_].Severity)

      # If the severity level is in the array, isCompliant will be true
      # since `ignore` is. isCompliant will have the default value if `ignore` is false.
      ignore
    }
```
Apply the ScanPolicy in the namespace where the Image Scan or Source Scan CRs that reference it will run:

```bash
kubectl apply -f <path_to_scan_policy>/<scan_policy_filename>.yml -n <desired_namespace>
```
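The sample policy above only accepts a match that carries a `Low` rating; every other match, including one with no ratings at all, falls through to the default and is reported as non-compliant. The following Rego file is an added example, not code from the original page or from the Scan Controller project, that applies the same three requirements (package `policies`, one `input.currentVulnerability` match per evaluation, a boolean `isCompliant`) to a more common shape of policy: block `Critical` and `High` findings, accept an explicit allow-list of CVE identifiers, and fail closed when a match has no ratings. It assumes the severity labels `Critical` and `High`, that the CycloneDX match exposes its identifier as `input.currentVulnerability.ID` (the page only documents `Ratings.Rating[_].Severity`), and uses a placeholder CVE identifier in the allow-list.

```rego
# Added example ScanPolicy Rego file (not the page's sample). Put this text
# under spec.regoFile of a ScanPolicy resource exactly like the sample above.
package policies

# Undefined rule bodies fall through to this value, so an unexpected match
# shape is reported as a violation rather than silently accepted.
default isCompliant = false

# Assumed CycloneDX severity labels that violate policy.
violatingSeverities := ["Critical", "High"]

# Explicitly accepted findings. The identifier is a placeholder and the `ID`
# field name is an assumption about the CycloneDX match structure.
allowedCves := ["CVE-0000-0000"]

# True when elem is an element of list, undefined otherwise. Named inList
# rather than contains to avoid clashing with the Rego built-in
# contains(string, search).
inList(list, elem) {
  list[_] == elem
}

# True when any rating attached to the current match has a violating severity.
hasViolatingSeverity {
  inList(violatingSeverities, input.currentVulnerability.Ratings.Rating[_].Severity)
}

# Case 1: an allow-listed CVE is compliant regardless of its severity.
isCompliant {
  inList(allowedCves, input.currentVulnerability.ID)
}

# Case 2: the match carries at least one rating and none of them violates
# policy. The count check fails closed on a match without ratings, which
# the `not` alone would otherwise accept.
isCompliant {
  count(input.currentVulnerability.Ratings.Rating) > 0
  not hasViolatingSeverity
}
```

Before wiring a policy into a ScanPolicy, evaluate it locally against a saved match with the OPA CLI, for example `opa eval --data policy.rego --input match.json 'data.policies.isCompliant'`, where `match.json` holds one object shaped like `{"currentVulnerability": {...}}`; a policy that returns `false` for a match you expected to pass is far cheaper to find here than as a failed `PolicySucceeded` condition on a scan.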