A single check to perform against a Pod. Checks are grouped into CheckSet objects, which are defined by the top-level policy.

Attributes

• alwaysDeny (type: boolean(), default: nil) - Optional. A special-case check that always denies. Note that this still only applies when the scope of the CheckSet applies and the image isn't exempted by an image allowlist. This check is primarily useful for testing, or to set the default behavior for all unmatched scopes to "deny".
• displayName (type: String.t, default: nil) - Optional. A user-provided name for this check. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
• imageAllowlist (type: GoogleApi.BinaryAuthorization.V1.Model.ImageAllowlist.t, default: nil) - Optional. Images exempted from this check. If any of the patterns match the image url, the check will not be evaluated.
• imageFreshnessCheck (type: GoogleApi.BinaryAuthorization.V1.Model.ImageFreshnessCheck.t, default: nil) - Optional. Require that an image is no older than a configured expiration time. Image age is determined by its upload time.
• sigstoreSignatureCheck (type: GoogleApi.BinaryAuthorization.V1.Model.SigstoreSignatureCheck.t, default: nil) - Optional. Require that an image was signed by Cosign with a trusted key. This check requires that both the image and signature are stored in Artifact Registry.
• simpleSigningAttestationCheck (type: GoogleApi.BinaryAuthorization.V1.Model.SimpleSigningAttestationCheck.t, default: nil) - Optional. Require a SimpleSigning-type attestation for every image in the deployment.
• slsaCheck (type: GoogleApi.BinaryAuthorization.V1.Model.SlsaCheck.t, default: nil) - Optional. Require that an image was built by a trusted builder (such as Google Cloud Build), meets requirements for Supply chain Levels for Software Artifacts (SLSA), and was built from a trusted source code repostitory.
• trustedDirectoryCheck (type: GoogleApi.BinaryAuthorization.V1.Model.TrustedDirectoryCheck.t, default: nil) - Optional. Require that an image lives in a trusted directory.
• vulnerabilityCheck (type: GoogleApi.BinaryAuthorization.V1.Model.VulnerabilityCheck.t, default: nil) - Optional. Require that an image does not contain vulnerabilities that violate the configured rules, such as based on severity levels.