Class VerificationRule

Specifies verification rules for evaluating the SLSA attestations including: which builders to trust, where to fetch the SLSA attestations generated by those builders, and other builder-specific evaluation rules such as which source repositories are trusted. An image is considered verified by the rule if any of the fetched SLSA attestations is verified.

Inheritance

object

VerificationRule

Implements

IDirectResponseSchema

Inherited Members

object.Equals(object)

object.Equals(object, object)

object.GetHashCode()

object.GetType()

object.MemberwiseClone()

object.ReferenceEquals(object, object)

object.ToString()

Namespace: Google.Apis.BinaryAuthorization.v1.Data

Assembly: Google.Apis.BinaryAuthorization.v1.dll

Syntax

public class VerificationRule : IDirectResponseSchema

Properties

AttestationSource

Specifies where to fetch the provenances attestations generated by the builder (group).

Declaration

[JsonProperty("attestationSource")]
public virtual AttestationSource AttestationSource { get; set; }

Property Value

Type	Description
AttestationSource

ConfigBasedBuildRequired

If true, require the image to be built from a top-level configuration. trusted_source_repo_patterns specifies the repositories containing this configuration.

Declaration

[JsonProperty("configBasedBuildRequired")]
public virtual bool? ConfigBasedBuildRequired { get; set; }

Property Value

Type	Description
bool?

CustomConstraints

Optional. A CEL expression for specifying custom constraints on the provenance payload. This can be used when users want to specify expectations on provenance fields that are not covered by the general check. For example, users can use this field to require that certain parameters should never be used during the build process.

Declaration

[JsonProperty("customConstraints")]
public virtual string CustomConstraints { get; set; }

Property Value

Type	Description
string

ETag

The ETag of the item.

Declaration

public virtual string ETag { get; set; }

Property Value

Type	Description
string

TrustedBuilder

Each verification rule is used for evaluation against provenances generated by a specific builder (group). For some of the builders, such as the Google Cloud Build, users don't need to explicitly specify their roots of trust in the policy since the evaluation service can automatically fetch them based on the builder (group).

Declaration

[JsonProperty("trustedBuilder")]
public virtual string TrustedBuilder { get; set; }

Property Value

Type	Description
string

TrustedSourceRepoPatterns

List of trusted source code repository URL patterns. These patterns match the full repository URL without its scheme (e.g. https://). The patterns must not include schemes. For example, the pattern source.cloud.google.com/my-project/my-repo-name matches the following URLs: - source.cloud.google.com/my-project/my-repo-name - git+ssh://source.cloud.google.com/my-project/my-repo-name - https://source.cloud.google.com/my-project/my-repo-name A pattern matches a URL either exactly or with * wildcards. * can be used in only two ways: 1. trailing * after hosturi/ to match varying endings; 2. trailing ** after hosturi/ to match / as well. * and ** can only be used as wildcards and can only occur at the end of the pattern after a /. (So it's not possible to match a URL that contains literal *.) For example: - github.com/my-project/my-repo is valid to match a single repo - github.com/my-project/* will match all direct repos in my-project - github.com/** matches all repos in GitHub

Declaration

[JsonProperty("trustedSourceRepoPatterns")]
public virtual IList<string> TrustedSourceRepoPatterns { get; set; }

Property Value

Type	Description
IList<string>

Implements

IDirectResponseSchema