rpm-ostree Task Package

Verify the BUILDER_IMAGE parameter of the rpm-ostree Task uses an image reference that is both pinned to a digest and starts with a pre-defined list of prefixes. By default, the list of prefixes is empty allowing any pinned image reference to be used. This is customizable via the allowed_rpm_ostree_builder_image_prefixes rule data.

Solution: Make sure the rpm-ostree Task uses a pinned image reference from a pre-approved location.

Verify the rule data used by this package, allowed_rpm_ostree_builder_image_prefixes, is in the expected format.

Solution: Make sure the allowed_rpm_ostree_builder_image_prefixes rule data is in the expected format in the data source.