External parameters Package
Verify the attribute .predicate.buildDefinition.externalParameters of a SLSA Provenance v1.0 matches the expectation.
Rules Included
Pipeline run params
Verify the PipelineRun was initialized with a set of expected parameters. By default it asserts git-repo, git-revision, and output-image are provided with non-empty values. This is configurable by the rule data key pipeline_run_params. Any additional parameters are NOT allowed.
-
Rule type: FAILURE
-
FAILURE message:
PipelineRun params, %v, do not match expectation, %v. -
Code:
external_parameters.pipeline_run_params
PipelineRun params provided
Confirm the pipeline_run_params rule data was provided.
Solution: Provide a non-empty list of expected PipelineRun parameters.
-
Rule type: FAILURE
-
FAILURE message:
%s -
Code:
external_parameters.pipeline_run_params_provided
Restrict shared volumes
Verify the PipelineRun did not use any pre-existing PersistentVolumeClaim workspaces.
-
Rule type: FAILURE
-
FAILURE message:
PipelineRun uses shared volumes, %v. -
Code:
external_parameters.restrict_shared_volumes