Verify CycloneDX SBOM (Keyless)

A Software Bill of Materials (SBOM) provides details on the composition of a given container image and may be represented in a couple of different standards. Having an SBOM can be important to ensuring images are built using verified processes. This policy verifies that an image has an SBOM in CycloneDX format and that the SBOM attestation was signed by the expected subject and issuer when produced through GitHub Actions using Cosign's keyless signing. It requires configuration based upon your own values.

Policy Definition

/other/verify_sbom_cyclonedx.yaml

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-sbom-cyclonedx
  annotations:
    policies.kyverno.io/title: Verify CycloneDX SBOM (Keyless)
    policies.kyverno.io/category: Software Supply Chain Security
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/minversion: 1.8.3
    kyverno.io/kyverno-version: 1.9.0
    kyverno.io/kubernetes-version: "1.24"
    policies.kyverno.io/description: >-
      Software Bill of Materials (SBOM) provide details on the composition of a given
      container image and may be represented in a couple different standards.
      Having an SBOM can be important to ensuring images are built using verified
      processes. This policy verifies that an image has an SBOM in CycloneDX format
      and was signed by the expected subject and issuer when produced through GitHub Actions
      and using Cosign's keyless signing. It requires configuration based upon your own values.
spec:
  validationFailureAction: audit
  webhookTimeoutSeconds: 30
  rules:
    - name: check-sbom
      match:
        any:
        - resources:
            kinds:
              - Pod
      verifyImages:
      - imageReferences:
        - "myreg.org/path/repo:*"
        attestations:
        - predicateType: https://cyclonedx.org/schema
          attestors:
          - entries:
            - keyless:
                subject: "mysubject"
                issuer: "https://token.actions.githubusercontent.com"
                rekor:
                  url: https://rekor.sigstore.dev
          conditions:
          - all:
            - key: "{{ Data.bomFormat }}"
              operator: Equals
              value: CycloneDX
```
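To make concrete what the rule above checks, here is an added Python example that is not part of the policy library and not Kyverno's own code. It builds a constructed, unsigned DSSE envelope around an in-toto Statement carrying a CycloneDX predicate (the layout `cosign attest --type cyclonedx` produces) and mirrors the rule's three decisions in plain code: whether the image reference is selected by `imageReferences`, whether the signer's keyless identity matches `subject` and `issuer` (passed in as a dict standing in for the Fulcio certificate's SAN and OIDC-issuer extension, since signature and certificate verification are out of scope here), and whether `predicateType` and the predicate's `bomFormat` satisfy the `conditions` block. All function names, the sample digest, the sample components and the GitHub workflow identity are assumed values; `fnmatch` is used as an approximation of Kyverno's wildcard matching, and `mysubject` in the policy stands for a real workflow identity of the form shown in the sample.

```python
import base64
import fnmatch
import json

# predicateType that cosign uses for `--type cyclonedx`, as in the policy above.
PREDICATE_TYPE_CYCLONEDX = "https://cyclonedx.org/schema"

# Constructed sample CycloneDX predicate (values are made up for this example).
SAMPLE_PREDICATE = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "components": [{"type": "library", "name": "openssl", "version": "3.0.2"}],
}

# Constructed stand-in for the identity in a Fulcio certificate issued to a
# GitHub Actions workflow: SAN (subject) plus the OIDC issuer extension.
SAMPLE_IDENTITY = {
    "subject": "https://github.com/example-org/example-repo/.github/workflows/build.yaml@refs/heads/main",
    "issuer": "https://token.actions.githubusercontent.com",
}


def make_envelope(predicate, predicate_type, image_digest):
    """Wrap a predicate in an in-toto v0.1 Statement inside a DSSE envelope.

    The envelope is constructed and unsigned; a real one carries the signature
    and certificate that the keyless attestor verifies.
    """
    statement = {
        "_type": "https://in-toto.io/Statement/v0.1",
        "predicateType": predicate_type,
        "subject": [{"name": "myreg.org/path/repo", "digest": {"sha256": image_digest}}],
        "predicate": predicate,
    }
    return {
        "payloadType": "application/vnd.in-toto+json",
        "payload": base64.b64encode(json.dumps(statement).encode()).decode(),
        "signatures": [{"keyid": "", "sig": "<constructed-placeholder>"}],
    }


def decode_statement(envelope):
    """Recover the in-toto Statement from the base64 DSSE payload."""
    return json.loads(base64.b64decode(envelope["payload"]))


def identity_allowed(cert_identity, subject_pattern, issuer):
    """Mirror the keyless attestor: SAN must match `subject` (wildcards allowed),
    OIDC issuer must match `issuer` exactly. fnmatch approximates Kyverno's globbing."""
    return (
        fnmatch.fnmatchcase(cert_identity["subject"], subject_pattern)
        and cert_identity["issuer"] == issuer
    )


def evaluate_policy(
    image_ref,
    envelope,
    cert_identity,
    *,
    image_pattern="myreg.org/path/repo:*",
    subject="https://github.com/example-org/example-repo/.github/workflows/*",
    issuer="https://token.actions.githubusercontent.com",
):
    """Return (passed, reason) for one container image, following the rule's order:
    image selection, signer identity, predicateType, then the bomFormat condition."""
    if not fnmatch.fnmatchcase(image_ref, image_pattern):
        return True, "image not selected by imageReferences; rule does not apply"
    if not identity_allowed(cert_identity, subject, issuer):
        return False, "attestation signer does not match the expected keyless subject/issuer"
    statement = decode_statement(envelope)
    found_type = statement.get("predicateType")
    if found_type != PREDICATE_TYPE_CYCLONEDX:
        return False, f"predicateType {found_type!r} is not {PREDICATE_TYPE_CYCLONEDX}"
    # Equivalent of the condition `{{ Data.bomFormat }}` Equals `CycloneDX`.
    if statement.get("predicate", {}).get("bomFormat") != "CycloneDX":
        return False, "condition failed: bomFormat is not CycloneDX"
    return True, "CycloneDX SBOM attestation present and signed by the expected identity"


if __name__ == "__main__":
    digest = "a" * 64  # constructed placeholder digest
    good = make_envelope(SAMPLE_PREDICATE, PREDICATE_TYPE_CYCLONEDX, digest)
    print(evaluate_policy("myreg.org/path/repo:1.0", good, SAMPLE_IDENTITY))
    spdx = make_envelope({"spdxVersion": "SPDX-2.3"}, "https://spdx.dev/Document", digest)
    print(evaluate_policy("myreg.org/path/repo:1.0", spdx, SAMPLE_IDENTITY))
```

The SPDX case is the one worth noticing: an image can carry a perfectly valid, correctly signed SBOM attestation and still fail this rule, because the rule pins both the `predicateType` and the `bomFormat` value to CycloneDX. With `validationFailureAction: audit`, such failures are reported rather than blocked, which is the sensible starting point while the `subject` placeholder is being replaced with the real workflow identity.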