SBOM Package

Checks general properties of the SBOMs associated with the image being validated. More specific rules for SPDX and CycloneDX SBOMs are in separate packages.

Package Name

  • sbom

Rules Included

Disallowed packages list is provided

Confirm that the disallowed_packages and disallowed_attributes rule data have been provided, since the policy rules in this package depend on them.

Solution: Provide the disallowed_packages and disallowed_attributes rule data (lists of disallowed packages and of disallowed package attributes) in the expected format.

  • Rule type: FAILURE

  • FAILURE message: %s (placeholder filled with the rule data validation error)

  • Code: sbom.disallowed_packages_provided

  • Source

Found

Confirm an SBOM attestation exists.

Solution: Make sure the build process produces an SBOM attestation.

  • Rule type: FAILURE

  • FAILURE message: No SBOM attestations found

  • Code: sbom.found

  • Source
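The two rules above are written in Rego and evaluated over the attestations and rule data that the policy engine supplies. The following stand-alone Python model is an added example, not the project's own Rego, and shows the shape of both checks in one place: the rule data check requires each of the two keys to be present and hold a list, and the "Found" check decodes in-toto attestation envelopes and looks for an SBOM predicate type. The predicate type URIs for SPDX and CycloneDX, the error wording, the DSSE envelope layout and the sample attestations are all assumptions constructed for this example.

```python
"""Added example: a stand-alone model of the sbom package rules.

Not the project's Rego. The predicate types, message wording and the
sample attestations below are assumptions made for illustration.
"""
import base64
import json

# Assumed in-toto predicate types that count as an SBOM (SPDX, CycloneDX).
SBOM_PREDICATE_TYPES = {
    "https://spdx.dev/Document",
    "https://cyclonedx.org/bom",
}

# Rule data keys the package requires (from the rule description on this page).
REQUIRED_RULE_DATA_KEYS = ("disallowed_packages", "disallowed_attributes")


def rule_data_errors(rule_data):
    """Model of 'Disallowed packages list is provided'.

    Each required key must be present and hold a list; one error is
    reported per offending key, in the order of REQUIRED_RULE_DATA_KEYS.
    """
    errors = []
    for key in REQUIRED_RULE_DATA_KEYS:
        if key not in rule_data:
            errors.append(f"Rule data {key} is missing")
        elif not isinstance(rule_data[key], list):
            got = type(rule_data[key]).__name__
            errors.append(f"Rule data {key} has unexpected format: expected a list, got {got}")
    return errors


def sbom_statements(attestations):
    """Model of 'Found': decode each DSSE-style envelope and keep the
    in-toto statements whose predicateType is an SBOM type."""
    found = []
    for envelope in attestations:
        if envelope.get("payloadType") != "application/vnd.in-toto+json":
            continue
        statement = json.loads(base64.b64decode(envelope["payload"]))
        if statement.get("predicateType") in SBOM_PREDICATE_TYPES:
            found.append(statement)
    return found


def evaluate(rule_data, attestations):
    """Return the FAILURE results the two rules would produce, each as
    a dict with the rule code and message from this page."""
    results = []
    for err in rule_data_errors(rule_data):
        results.append({"code": "sbom.disallowed_packages_provided", "msg": err})
    if not sbom_statements(attestations):
        results.append({"code": "sbom.found", "msg": "No SBOM attestations found"})
    return results


def _envelope(statement):
    """Wrap a statement in a DSSE-style envelope (constructed sample; the
    signature verification a real engine performs is out of scope here)."""
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    return {"payloadType": "application/vnd.in-toto+json", "payload": payload, "signatures": []}


# Constructed sample input.
GOOD_RULE_DATA = {"disallowed_packages": [], "disallowed_attributes": []}
# Wrong type for one key, the other key absent.
BAD_RULE_DATA = {"disallowed_packages": "pkg:golang/example.com/foo"}

_SUBJECT = [{"name": "registry.example/app", "digest": {"sha256": "0" * 64}}]
SPDX_ATTESTATION = _envelope({
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": "https://spdx.dev/Document",
    "subject": _SUBJECT,
    "predicate": {"spdxVersion": "SPDX-2.3", "packages": []},
})
PROVENANCE_ONLY = _envelope({
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": "https://slsa.dev/provenance/v1",
    "subject": _SUBJECT,
    "predicate": {},
})

if __name__ == "__main__":
    # An image with only provenance and broken rule data trips both rules.
    for result in evaluate(BAD_RULE_DATA, [PROVENANCE_ONLY]):
        print(f"{result['code']}: {result['msg']}")
```

Note that an attestation of another predicate type (SLSA provenance in the sample) does not satisfy the "Found" check; only a statement carrying an SBOM predicate type does, and a deployment that attaches both still passes.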