Specifies verification rules for evaluating the SLSA attestations including: which builders to trust, where to fetch the SLSA attestations generated by those builders, and other builder-specific evaluation rules such as which source repositories are trusted. An image is considered verified by the rule if any of the fetched SLSA attestations is verified.

Attributes

• attestationSource (type: GoogleApi.BinaryAuthorization.V1.Model.AttestationSource.t, default: nil) - Specifies where to fetch the provenances attestations generated by the builder (group).
• configBasedBuildRequired (type: boolean(), default: nil) - If true, require the image to be built from a top-level configuration. trusted_source_repo_patterns specifies the repositories containing this configuration.
• customConstraints (type: String.t, default: nil) - Optional. A CEL expression for specifying custom constraints on the provenance payload. This can be used when users want to specify expectations on provenance fields that are not covered by the general check. For example, users can use this field to require that certain parameters should never be used during the build process.
• trustedBuilder (type: String.t, default: nil) - Each verification rule is used for evaluation against provenances generated by a specific builder (group). For some of the builders, such as the Google Cloud Build, users don't need to explicitly specify their roots of trust in the policy since the evaluation service can automatically fetch them based on the builder (group).
• trustedSourceRepoPatterns (type: list(String.t), default: nil) - List of trusted source code repository URL patterns. These patterns match the full repository URL without its scheme (e.g. https://). The patterns must not include schemes. For example, the pattern source.cloud.google.com/my-project/my-repo-name matches the following URLs: - source.cloud.google.com/my-project/my-repo-name - git+ssh://source.cloud.google.com/my-project/my-repo-name - https://source.cloud.google.com/my-project/my-repo-name A pattern matches a URL either exactly or with * wildcards. * can be used in only two ways: 1. trailing * after hosturi/ to match varying endings; 2. trailing ** after hosturi/ to match / as well. * and ** can only be used as wildcards and can only occur at the end of the pattern after a /. (So it's not possible to match a URL that contains literal *.) For example: - github.com/my-project/my-repo is valid to match a single repo - github.com/my-project/* will match all direct repos in my-project - github.com/** matches all repos in GitHub