Pre-build-script task checks Package

Verify that the images used to run the pre-build script tasks come from a known set of trusted registries to reduce potential supply chain attacks. By default this policy defines trusted registries as registries that are fully maintained by Red Hat and only contain content produced by Red Hat. The list of allowed registries can be customized by setting the allowed_registry_prefixes list in the rule data.

Solution: Make sure the image referenced in the parameter 'SCRIPT_RUNNER_IMAGE' comes from a trusted registry. The list of trusted registries is a configurable data source.

Verify that a valid image reference is specified as image being used to run the pre-build script task

Solution: Make sure the value in the 'SCRIPT_RUNNER_IMAGE_REFERENCE' result is a valid image reference

Verify that the image used to run the pre-build script task is included in the SBOM

Solution: Make sure the image referenced in the 'SCRIPT_RUNNER_IMAGE_REFERENCE' result is included in the SBOM.

Verify that the image used to run the pre-build script task is listed in the task result SCRIPT_RUNNER_IMAGE_REFERENCE

Solution: Make sure the image used to run the pre-build task is referenced in the 'SCRIPT_RUNNER_IMAGE_REFERENCE' task result.