diff --git a/antora/docs/modules/ROOT/pages/packages/build_task_build_labels.adoc b/antora/docs/modules/ROOT/pages/packages/build_task_build_labels.adoc index 50a378466..3b656c204 100644 --- a/antora/docs/modules/ROOT/pages/packages/build_task_build_labels.adoc +++ b/antora/docs/modules/ROOT/pages/packages/build_task_build_labels.adoc @@ -16,6 +16,7 @@ Confirm the build task definition has the required build type label. * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `The required build label '%s' is missing` * Code: `build_labels.build_type_label_set` +* To exclude this rule, add `build_labels.build_type_label_set` to the `exclude` list in your policy config. You can also exclude the entire package with `build_labels`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/build_task/build_labels/build_labels.rego#L18[Source, window="_blank"] [#build_labels__build_task_has_label] @@ -26,4 +27,5 @@ Confirm that the build task definition includes at least one label. * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `The task definition does not include any labels` * Code: `build_labels.build_task_has_label` +* To exclude this rule, add `build_labels.build_task_has_label` to the `exclude` list in your policy config. You can also exclude the entire package with `build_labels`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/build_task/build_labels/build_labels.rego#L31[Source, window="_blank"] diff --git a/antora/docs/modules/ROOT/pages/packages/pipeline_basic.adoc b/antora/docs/modules/ROOT/pages/packages/pipeline_basic.adoc index 0f455d9c0..9999c64f0 100644 --- a/antora/docs/modules/ROOT/pages/packages/pipeline_basic.adoc +++ b/antora/docs/modules/ROOT/pages/packages/pipeline_basic.adoc 
@@ -16,4 +16,5 @@ Confirm that the pipeline definition has the kind "Pipeline". * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `Unexpected kind '%s' for pipeline definition` * Code: `basic.expected_kind` +* To exclude this rule, add `basic.expected_kind` to the `exclude` list in your policy config. You can also exclude the entire package with `basic`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/pipeline/basic/basic.rego#L19[Source, window="_blank"] diff --git a/antora/docs/modules/ROOT/pages/packages/pipeline_required_tasks.adoc b/antora/docs/modules/ROOT/pages/packages/pipeline_required_tasks.adoc index 9ebc0b35c..d10c17e6e 100644 --- a/antora/docs/modules/ROOT/pages/packages/pipeline_required_tasks.adoc +++ b/antora/docs/modules/ROOT/pages/packages/pipeline_required_tasks.adoc @@ -16,6 +16,7 @@ Produce a warning when a task that will be required in the future is not current * Rule type: [rule-type-indicator warning]#WARNING# * WARNING message: `%s is missing and will be required on %s` * Code: `required_tasks.missing_future_required_task` +* To exclude this rule, add `required_tasks.missing_future_required_task` to the `exclude` list in your policy config. You can also exclude the entire package with `required_tasks`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/pipeline/required_tasks/required_tasks.rego#L63[Source, window="_blank"] [#required_tasks__missing_required_task] 
@@ -26,6 +27,7 @@ Ensure that the set of required tasks is included in the Pipeline definition. * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `%s is missing or outdated` * Code: `required_tasks.missing_required_task` +* To exclude this rule, add `required_tasks.missing_required_task` to the `exclude` list in your policy config. You can also exclude the entire package with `required_tasks`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/pipeline/required_tasks/required_tasks.rego#L100[Source, window="_blank"] [#required_tasks__tasks_found] @@ -36,6 +38,7 @@ Confirm at least one task is present in the pipeline definition. * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `No tasks found in pipeline` * Code: `required_tasks.tasks_found` +* To exclude this rule, add `required_tasks.tasks_found` to the `exclude` list in your policy config. You can also exclude the entire package with `required_tasks`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/pipeline/required_tasks/required_tasks.rego#L87[Source, window="_blank"] [#required_tasks__required_tasks_list_present] @@ -46,6 +49,7 @@ Confirm the `required-tasks` rule data was provided, since it's required by the * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `The required tasks list is missing from the rule data` * Code: `required_tasks.required_tasks_list_present` +* To exclude this rule, add `required_tasks.required_tasks_list_present` to the `exclude` list in your policy config. You can also exclude the entire package with `required_tasks`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/pipeline/required_tasks/required_tasks.rego#L122[Source, window="_blank"] [#required_tasks__required_tasks_found] 
@@ -56,4 +60,5 @@ Produce a warning if a list of current or future required tasks does not exist i * Rule type: [rule-type-indicator warning]#WARNING# * WARNING message: `Required tasks do not exist for pipeline %q` * Code: `required_tasks.required_tasks_found` +* To exclude this rule, add `required_tasks.required_tasks_found` to the `exclude` list in your policy config. You can also exclude the entire package with `required_tasks`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/pipeline/required_tasks/required_tasks.rego#L44[Source, window="_blank"] diff --git a/antora/docs/modules/ROOT/pages/packages/pipeline_task_bundle.adoc b/antora/docs/modules/ROOT/pages/packages/pipeline_task_bundle.adoc index 4592ca4f5..ca4ec3274 100644 --- a/antora/docs/modules/ROOT/pages/packages/pipeline_task_bundle.adoc +++ b/antora/docs/modules/ROOT/pages/packages/pipeline_task_bundle.adoc @@ -16,6 +16,7 @@ Confirm the `trusted_tasks` rule data was provided, since it's required by the p * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `Missing required trusted_tasks data` * Code: `task_bundle.missing_required_data` +* To exclude this rule, add `task_bundle.missing_required_data` to the `exclude` list in your policy config. You can also exclude the entire package with `task_bundle`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/pipeline/task_bundle/task_bundle.rego#L124[Source, window="_blank"] [#task_bundle__untrusted_task_bundle] 
@@ -26,6 +27,7 @@ For each Task in the Pipeline definition, check if the Tekton Bundle used is a t * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `Pipeline task '%s' uses an untrusted task bundle '%s'` * Code: `task_bundle.untrusted_task_bundle` +* To exclude this rule, add `task_bundle.untrusted_task_bundle` to the `exclude` list in your policy config. You can also exclude the entire package with `task_bundle`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/pipeline/task_bundle/task_bundle.rego#L109[Source, window="_blank"] [#task_bundle__out_of_date_task_bundle] @@ -36,6 +38,7 @@ For each Task in the Pipeline definition, check if the Tekton Bundle used is the * Rule type: [rule-type-indicator warning]#WARNING# * WARNING message: `Pipeline task '%s' uses an out of date task bundle '%s', new version of the Task must be used before %s` * Code: `task_bundle.out_of_date_task_bundle` +* To exclude this rule, add `task_bundle.out_of_date_task_bundle` to the `exclude` list in your policy config. You can also exclude the entire package with `task_bundle`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/pipeline/task_bundle/task_bundle.rego#L60[Source, window="_blank"] [#task_bundle__empty_task_bundle_reference] 
@@ -46,6 +49,7 @@ Check that a valid task bundle reference is being used. * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `Pipeline task '%s' uses an empty bundle image reference` * Code: `task_bundle.empty_task_bundle_reference` +* To exclude this rule, add `task_bundle.empty_task_bundle_reference` to the `exclude` list in your policy config. You can also exclude the entire package with `task_bundle`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/pipeline/task_bundle/task_bundle.rego#L96[Source, window="_blank"] [#task_bundle__disallowed_task_reference] @@ -56,6 +60,7 @@ Check for the existence of a task bundle. This rule will fail if the task is not * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `Pipeline task '%s' does not contain a bundle reference` * Code: `task_bundle.disallowed_task_reference` +* To exclude this rule, add `task_bundle.disallowed_task_reference` to the `exclude` list in your policy config. You can also exclude the entire package with `task_bundle`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/pipeline/task_bundle/task_bundle.rego#L82[Source, window="_blank"] [#task_bundle__unpinned_task_bundle] @@ -66,4 +71,5 @@ Check if the Tekton Bundle used for the Tasks in the Pipeline definition is pinn * Rule type: [rule-type-indicator warning]#WARNING# * WARNING message: `Pipeline task '%s' uses an unpinned task bundle reference '%s'` * Code: `task_bundle.unpinned_task_bundle` +* To exclude this rule, add `task_bundle.unpinned_task_bundle` to the `exclude` list in your policy config. You can also exclude the entire package with `task_bundle`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/pipeline/task_bundle/task_bundle.rego#L46[Source, window="_blank"] 
diff --git a/antora/docs/modules/ROOT/pages/packages/release_attestation_type.adoc b/antora/docs/modules/ROOT/pages/packages/release_attestation_type.adoc index c4a097794..24aa94494 100644 --- a/antora/docs/modules/ROOT/pages/packages/release_attestation_type.adoc +++ b/antora/docs/modules/ROOT/pages/packages/release_attestation_type.adoc @@ -18,6 +18,7 @@ The Conforma CLI now places the attestation data in a different location. This c * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `Deprecated policy attestation format found` * Code: `attestation_type.deprecated_policy_attestation_format` +* To exclude this rule, add `attestation_type.deprecated_policy_attestation_format` to the `exclude` list in your policy config. You can also exclude the entire package with `attestation_type`, or exclude by collection with `@collection-name`. * Effective from: `2023-08-31T00:00:00Z` * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/attestation_type/attestation_type.rego#L82[Source, window="_blank"] @@ -31,6 +32,7 @@ Confirm the attestation found for the image has a known attestation type. * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `Unknown attestation type '%s'` * Code: `attestation_type.known_attestation_type` +* To exclude this rule, add `attestation_type.known_attestation_type` to the `exclude` list in your policy config. You can also exclude the entire package with `attestation_type`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/attestation_type/attestation_type.rego#L16[Source, window="_blank"] [#attestation_type__known_attestation_types_provided] 
@@ -43,6 +45,7 @@ Confirm the `known_attestation_types` rule data was provided. * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `%s` * Code: `attestation_type.known_attestation_types_provided` +* To exclude this rule, add `attestation_type.known_attestation_types_provided` to the `exclude` list in your policy config. You can also exclude the entire package with `attestation_type`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/attestation_type/attestation_type.rego#L44[Source, window="_blank"] [#attestation_type__pipelinerun_attestation_found] @@ -55,4 +58,5 @@ Confirm at least one PipelineRun attestation is present. * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `Missing pipelinerun attestation` * Code: `attestation_type.pipelinerun_attestation_found` +* To exclude this rule, add `attestation_type.pipelinerun_attestation_found` to the `exclude` list in your policy config. You can also exclude the entire package with `attestation_type`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/attestation_type/attestation_type.rego#L62[Source, window="_blank"] diff --git a/antora/docs/modules/ROOT/pages/packages/release_base_image_registries.adoc b/antora/docs/modules/ROOT/pages/packages/release_base_image_registries.adoc index be9319add..ad71a0cd2 100644 --- a/antora/docs/modules/ROOT/pages/packages/release_base_image_registries.adoc +++ b/antora/docs/modules/ROOT/pages/packages/release_base_image_registries.adoc 
@@ -18,6 +18,7 @@ Confirm the `allowed_registry_prefixes` rule data was provided, since it's requi * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `%s` * Code: `base_image_registries.allowed_registries_provided` +* To exclude this rule, add `base_image_registries.allowed_registries_provided` to the `exclude` list in your policy config. You can also exclude the entire package with `base_image_registries`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/base_image_registries/base_image_registries.rego#L74[Source, window="_blank"] [#base_image_registries__base_image_permitted] @@ -30,6 +31,7 @@ Verify that the base images used when building a container image come from a kno * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `Base image %q is from a disallowed registry` * Code: `base_image_registries.base_image_permitted` +* To exclude this rule, add `base_image_registries.base_image_permitted` to the `exclude` list in your policy config. You can also exclude the entire package with `base_image_registries`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/base_image_registries/base_image_registries.rego#L18[Source, window="_blank"] [#base_image_registries__base_image_info_found] 
@@ -42,4 +44,5 @@ Verify the expected information was provided about which base images were used d * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `Base images information is missing` * Code: `base_image_registries.base_image_info_found` +* To exclude this rule, add `base_image_registries.base_image_info_found` to the `exclude` list in your policy config. You can also exclude the entire package with `base_image_registries`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/base_image_registries/base_image_registries.rego#L48[Source, window="_blank"] diff --git a/antora/docs/modules/ROOT/pages/packages/release_buildah_build_task.adoc b/antora/docs/modules/ROOT/pages/packages/release_buildah_build_task.adoc index 482aa9217..bbd8f33cf 100644 --- a/antora/docs/modules/ROOT/pages/packages/release_buildah_build_task.adoc +++ b/antora/docs/modules/ROOT/pages/packages/release_buildah_build_task.adoc @@ -18,6 +18,7 @@ Verify the ADD_CAPABILITIES parameter of a builder Tasks was not used. * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `ADD_CAPABILITIES parameter is not allowed` * Code: `buildah_build_task.add_capabilities_param` +* To exclude this rule, add `buildah_build_task.add_capabilities_param` to the `exclude` list in your policy config. You can also exclude the entire package with `buildah_build_task`, or exclude by collection with `@collection-name`. * Effective from: `2024-08-31T00:00:00Z` * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/buildah_build_task/buildah_build_task.rego#L38[Source, window="_blank"] 
@@ -31,6 +32,7 @@ Verify the Dockerfile used in the buildah task was not fetched from an external * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `DOCKERFILE param value (%s) is an external source` * Code: `buildah_build_task.buildah_uses_local_dockerfile` +* To exclude this rule, add `buildah_build_task.buildah_uses_local_dockerfile` to the `exclude` list in your policy config. You can also exclude the entire package with `buildah_build_task`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/buildah_build_task/buildah_build_task.rego#L17[Source, window="_blank"] [#buildah_build_task__platform_param] @@ -43,6 +45,7 @@ Verify the value of the PLATFORM parameter of a builder Task is allowed by match * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `PLATFORM parameter value %q is disallowed by regex %q` * Code: `buildah_build_task.platform_param` +* To exclude this rule, add `buildah_build_task.platform_param` to the `exclude` list in your policy config. You can also exclude the entire package with `buildah_build_task`, or exclude by collection with `@collection-name`. * Effective from: `2024-09-01T00:00:00Z` * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/buildah_build_task/buildah_build_task.rego#L61[Source, window="_blank"] 
@@ -56,6 +59,7 @@ Verify the PRIVILEGED_NESTED parameter of a builder Tasks was not set to `true`. * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `setting PRIVILEGED_NESTED parameter to true is not allowed` * Code: `buildah_build_task.privileged_nested_param` +* To exclude this rule, add `buildah_build_task.privileged_nested_param` to the `exclude` list in your policy config. You can also exclude the entire package with `buildah_build_task`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/buildah_build_task/buildah_build_task.rego#L100[Source, window="_blank"] [#buildah_build_task__disallowed_platform_patterns_pattern] @@ -66,4 +70,5 @@ Confirm the `disallowed_platform_patterns` rule data, if provided matches the ex * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `%s` * Code: `buildah_build_task.disallowed_platform_patterns_pattern` +* To exclude this rule, add `buildah_build_task.disallowed_platform_patterns_pattern` to the `exclude` list in your policy config. You can also exclude the entire package with `buildah_build_task`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/buildah_build_task/buildah_build_task.rego#L84[Source, window="_blank"] diff --git a/antora/docs/modules/ROOT/pages/packages/release_cve.adoc b/antora/docs/modules/ROOT/pages/packages/release_cve.adoc index 4c542b77c..d0c784972 100644 --- a/antora/docs/modules/ROOT/pages/packages/release_cve.adoc +++ b/antora/docs/modules/ROOT/pages/packages/release_cve.adoc 
@@ -41,6 +41,7 @@ The SLSA Provenance attestation for the image is inspected to ensure CVEs that h * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `Found %q vulnerability of %s security level` * Code: `cve.cve_blockers` +* To exclude this rule, add `cve.cve_blockers` to the `exclude` list in your policy config. You can also exclude the entire package with `cve`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/cve/cve.rego#L115[Source, window="_blank"] [#cve__unpatched_cve_blockers] @@ -53,6 +54,7 @@ The SLSA Provenance attestation for the image is inspected to ensure CVEs that d * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `Found %q unpatched vulnerability of %s security level` * Code: `cve.unpatched_cve_blockers` +* To exclude this rule, add `cve.unpatched_cve_blockers` to the `exclude` list in your policy config. You can also exclude the entire package with `cve`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/cve/cve.rego#L149[Source, window="_blank"] [#cve__cve_results_found] @@ -65,6 +67,7 @@ Confirm that CVE scan task results (Clair or TPA) are present in the SLSA Proven * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `CVE scan results were not found` * Code: `cve.cve_results_found` +* To exclude this rule, add `cve.cve_results_found` to the `exclude` list in your policy config. You can also exclude the entire package with `cve`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/cve/cve.rego#L185[Source, window="_blank"] [#cve__cve_warnings] 
@@ -77,6 +80,7 @@ The SLSA Provenance attestation for the image is inspected to ensure CVEs that h * Rule type: [rule-type-indicator warning]#WARNING# * WARNING message: `Found %q non-blocking vulnerability of %s security level` * Code: `cve.cve_warnings` +* To exclude this rule, add `cve.cve_warnings` to the `exclude` list in your policy config. You can also exclude the entire package with `cve`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/cve/cve.rego#L60[Source, window="_blank"] [#cve__unpatched_cve_warnings] @@ -89,6 +93,7 @@ The SLSA Provenance attestation for the image is inspected to ensure CVEs that d * Rule type: [rule-type-indicator warning]#WARNING# * WARNING message: `Found %q non-blocking unpatched vulnerability of %s security level` * Code: `cve.unpatched_cve_warnings` +* To exclude this rule, add `cve.unpatched_cve_warnings` to the `exclude` list in your policy config. You can also exclude the entire package with `cve`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/cve/cve.rego#L87[Source, window="_blank"] [#cve__rule_data_provided] @@ -101,4 +106,5 @@ Confirm the expected rule data keys have been provided in the expected format. T * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `%s` * Code: `cve.rule_data_provided` +* To exclude this rule, add `cve.rule_data_provided` to the `exclude` list in your policy config. You can also exclude the entire package with `cve`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/cve/cve.rego#L215[Source, window="_blank"] diff --git a/antora/docs/modules/ROOT/pages/packages/release_external_parameters.adoc b/antora/docs/modules/ROOT/pages/packages/release_external_parameters.adoc index 8473b77c3..ed0fb9f05 100644 
--- a/antora/docs/modules/ROOT/pages/packages/release_external_parameters.adoc +++ b/antora/docs/modules/ROOT/pages/packages/release_external_parameters.adoc @@ -16,6 +16,7 @@ Verify the PipelineRun was initialized with a set of expected parameters. By def * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `PipelineRun params, %v, do not match expectation, %v.` * Code: `external_parameters.pipeline_run_params` +* To exclude this rule, add `external_parameters.pipeline_run_params` to the `exclude` list in your policy config. You can also exclude the entire package with `external_parameters`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/external_parameters/external_parameters.rego#L17[Source, window="_blank"] [#external_parameters__pipeline_run_params_provided] @@ -28,6 +29,7 @@ Confirm the `pipeline_run_params` rule data was provided. * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `%s` * Code: `external_parameters.pipeline_run_params_provided` +* To exclude this rule, add `external_parameters.pipeline_run_params_provided` to the `exclude` list in your policy config. You can also exclude the entire package with `external_parameters`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/external_parameters/external_parameters.rego#L41[Source, window="_blank"] [#external_parameters__restrict_shared_volumes] 
@@ -38,4 +40,5 @@ Verify the PipelineRun did not use any pre-existing PersistentVolumeClaim worksp * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `PipelineRun uses shared volumes, %v.` * Code: `external_parameters.restrict_shared_volumes` +* To exclude this rule, add `external_parameters.restrict_shared_volumes` to the `exclude` list in your policy config. You can also exclude the entire package with `external_parameters`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/external_parameters/external_parameters.rego#L56[Source, window="_blank"] diff --git a/antora/docs/modules/ROOT/pages/packages/release_git_branch.adoc b/antora/docs/modules/ROOT/pages/packages/release_git_branch.adoc index a465d6ad2..f34bdb984 100644 --- a/antora/docs/modules/ROOT/pages/packages/release_git_branch.adoc +++ b/antora/docs/modules/ROOT/pages/packages/release_git_branch.adoc @@ -16,5 +16,6 @@ Build must target a configured branch pattern (e.g., 'c10s') * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `Build target is %s which is not a trusted target branch` * Code: `git_branch.git_branch` +* To exclude this rule, add `git_branch.git_branch` to the `exclude` list in your policy config. You can also exclude the entire package with `git_branch`, or exclude by collection with `@collection-name`. * Effective from: `2025-07-01T00:00:00Z` * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/git_branch/git_branch.rego#L16[Source, window="_blank"] diff --git a/antora/docs/modules/ROOT/pages/packages/release_github_certificate.adoc b/antora/docs/modules/ROOT/pages/packages/release_github_certificate.adoc index eb74746d7..57f4832fc 100644 --- a/antora/docs/modules/ROOT/pages/packages/release_github_certificate.adoc +++ b/antora/docs/modules/ROOT/pages/packages/release_github_certificate.adoc 
@@ -16,6 +16,7 @@ Check if the image signature certificate contains the expected GitHub extensions * Rule type: [rule-type-indicator warning]#WARNING# * WARNING message: `Missing extension %q` * Code: `github_certificate.gh_workflow_extensions` +* To exclude this rule, add `github_certificate.gh_workflow_extensions` to the `exclude` list in your policy config. You can also exclude the entire package with `github_certificate`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/github_certificate/github_certificate.rego#L16[Source, window="_blank"] [#github_certificate__gh_workflow_name] @@ -26,6 +27,7 @@ Check if the value of the GitHub Workflow Name extension in the image signature * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `Name %q not in allowed list: %v` * Code: `github_certificate.gh_workflow_name` +* To exclude this rule, add `github_certificate.gh_workflow_name` to the `exclude` list in your policy config. You can also exclude the entire package with `github_certificate`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/github_certificate/github_certificate.rego#L64[Source, window="_blank"] [#github_certificate__gh_workflow_repository] 
@@ -36,6 +38,7 @@ Check if the value of the GitHub Workflow Repository extension in the image sign * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `Repository %q not in allowed list: %v` * Code: `github_certificate.gh_workflow_repository` +* To exclude this rule, add `github_certificate.gh_workflow_repository` to the `exclude` list in your policy config. You can also exclude the entire package with `github_certificate`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/github_certificate/github_certificate.rego#L34[Source, window="_blank"] [#github_certificate__gh_workflow_ref] @@ -46,6 +49,7 @@ Check if the value of the GitHub Workflow Ref extension in the image signature c * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `Ref %q not in allowed list: %v` * Code: `github_certificate.gh_workflow_ref` +* To exclude this rule, add `github_certificate.gh_workflow_ref` to the `exclude` list in your policy config. You can also exclude the entire package with `github_certificate`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/github_certificate/github_certificate.rego#L49[Source, window="_blank"] [#github_certificate__gh_workflow_trigger] 
@@ -56,6 +60,7 @@ Check if the value of the GitHub Workflow Trigger extension in the image signatu * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `Trigger %q not in allowed list: %v` * Code: `github_certificate.gh_workflow_trigger` +* To exclude this rule, add `github_certificate.gh_workflow_trigger` to the `exclude` list in your policy config. You can also exclude the entire package with `github_certificate`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/github_certificate/github_certificate.rego#L79[Source, window="_blank"] [#github_certificate__rule_data_provided] @@ -68,4 +73,5 @@ Confirm the expected rule data keys have been provided in the expected format. T * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `%s` * Code: `github_certificate.rule_data_provided` +* To exclude this rule, add `github_certificate.rule_data_provided` to the `exclude` list in your policy config. You can also exclude the entire package with `github_certificate`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/github_certificate/github_certificate.rego#L94[Source, window="_blank"] diff --git a/antora/docs/modules/ROOT/pages/packages/release_hermetic_task.adoc b/antora/docs/modules/ROOT/pages/packages/release_hermetic_task.adoc index 35c4fb405..b1c37026b 100644 --- a/antora/docs/modules/ROOT/pages/packages/release_hermetic_task.adoc +++ b/antora/docs/modules/ROOT/pages/packages/release_hermetic_task.adoc 
@@ -18,4 +18,5 @@ Verify the task in the PipelineRun attestation was invoked with the proper param * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `Task '%s' was not invoked with the hermetic parameter set` * Code: `hermetic_task.hermetic` +* To exclude this rule, add `hermetic_task.hermetic` to the `exclude` list in your policy config. You can also exclude the entire package with `hermetic_task`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/hermetic_task/hermetic_task.rego#L18[Source, window="_blank"] diff --git a/antora/docs/modules/ROOT/pages/packages/release_labels.adoc b/antora/docs/modules/ROOT/pages/packages/release_labels.adoc index 0cf5323c4..a7e1c8bf9 100644 --- a/antora/docs/modules/ROOT/pages/packages/release_labels.adoc +++ b/antora/docs/modules/ROOT/pages/packages/release_labels.adoc @@ -18,6 +18,7 @@ Check the image for the presence of labels that have been deprecated. Use the ru * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `The %q label is deprecated, replace with %q` * Code: `labels.deprecated_labels` +* To exclude this rule, add `labels.deprecated_labels` to the `exclude` list in your policy config. You can also exclude the entire package with `labels`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/labels/labels.rego#L88[Source, window="_blank"] [#labels__disallowed_inherited_labels] 
@@ -30,6 +31,7 @@ Check that certain labels on the image have different values than the labels fro * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `The %q label should not be inherited from the parent image` * Code: `labels.disallowed_inherited_labels` +* To exclude this rule, add `labels.disallowed_inherited_labels` to the `exclude` list in your policy config. You can also exclude the entire package with `labels`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/labels/labels.rego#L137[Source, window="_blank"] [#labels__inaccessible_config] @@ -42,6 +44,7 @@ The image config is not accessible. * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `Image config of the image %q is inaccessible` * Code: `labels.inaccessible_config` +* To exclude this rule, add `labels.inaccessible_config` to the `exclude` list in your policy config. You can also exclude the entire package with `labels`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/labels/labels.rego#L66[Source, window="_blank"] [#labels__inaccessible_manifest] @@ -54,6 +57,7 @@ The image manifest is not accessible. * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `Manifest of the image %q is inaccessible` * Code: `labels.inaccessible_manifest` +* To exclude this rule, add `labels.inaccessible_manifest` to the `exclude` list in your policy config. You can also exclude the entire package with `labels`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/labels/labels.rego#L47[Source, window="_blank"] [#labels__inaccessible_parent_config] 
@@ -66,6 +70,7 @@ The parent image config is not accessible. * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `Image config of the image %q, parent of image %q is inaccessible` * Code: `labels.inaccessible_parent_config` +* To exclude this rule, add `labels.inaccessible_parent_config` to the `exclude` list in your policy config. You can also exclude the entire package with `labels`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/labels/labels.rego#L201[Source, window="_blank"] [#labels__inaccessible_parent_manifest] @@ -78,6 +83,7 @@ The parent image manifest is not accessible. * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `Manifest of the image %q, parent of image %q is inaccessible` * Code: `labels.inaccessible_parent_manifest` +* To exclude this rule, add `labels.inaccessible_parent_manifest` to the `exclude` list in your policy config. You can also exclude the entire package with `labels`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/labels/labels.rego#L182[Source, window="_blank"] [#labels__optional_labels] @@ -90,6 +96,7 @@ Check the image for the presence of labels that are recommended, but not require * Rule type: [rule-type-indicator warning]#WARNING# * WARNING message: `The optional %q label is missing. Label description: %s` * Code: `labels.optional_labels` +* To exclude this rule, add `labels.optional_labels` to the `exclude` list in your policy config. You can also exclude the entire package with `labels`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/labels/labels.rego#L20[Source, window="_blank"] [#labels__required_labels] 
@@ -102,6 +109,7 @@ Check the image for the presence of labels that are required. Use the rule data * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `%s` * Code: `labels.required_labels` +* To exclude this rule, add `labels.required_labels` to the `exclude` list in your policy config. You can also exclude the entire package with `labels`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/labels/labels.rego#L116[Source, window="_blank"] [#labels__rule_data_provided] @@ -114,4 +122,5 @@ Confirm the expected rule data keys have been provided in the expected format. T * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `%s` * Code: `labels.rule_data_provided` +* To exclude this rule, add `labels.rule_data_provided` to the `exclude` list in your policy config. You can also exclude the entire package with `labels`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/labels/labels.rego#L163[Source, window="_blank"] diff --git a/antora/docs/modules/ROOT/pages/packages/release_maven_repos.adoc b/antora/docs/modules/ROOT/pages/packages/release_maven_repos.adoc index 8bbfc6130..923e620dc 100644 --- a/antora/docs/modules/ROOT/pages/packages/release_maven_repos.adoc +++ b/antora/docs/modules/ROOT/pages/packages/release_maven_repos.adoc 
@@ -18,6 +18,7 @@ Each Maven package listed in an SBOM must specify the repository URL that it com * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `%s` * Code: `maven_repos.deny_unpermitted_urls` +* To exclude this rule, add `maven_repos.deny_unpermitted_urls` to the `exclude` list in your policy config. You can also exclude the entire package with `maven_repos`, or exclude by collection with `@collection-name`. * Effective from: `2026-05-10T00:00:00Z` * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/maven_repos/maven_repos.rego#L35[Source, window="_blank"] @@ -31,4 +32,5 @@ Ensures the required allowed_maven_repositories list is provided. * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `Policy data is missing the required "%s" list` * Code: `maven_repos.policy_data_missing` +* To exclude this rule, add `maven_repos.policy_data_missing` to the `exclude` list in your policy config. You can also exclude the entire package with `maven_repos`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/maven_repos/maven_repos.rego#L17[Source, window="_blank"] diff --git a/antora/docs/modules/ROOT/pages/packages/release_olm.adoc b/antora/docs/modules/ROOT/pages/packages/release_olm.adoc index 9aff8e141..eaa3b1834 100644 --- a/antora/docs/modules/ROOT/pages/packages/release_olm.adoc +++ b/antora/docs/modules/ROOT/pages/packages/release_olm.adoc 
@@ -18,6 +18,7 @@ Check the `spec.version` value in the ClusterServiceVersion manifest of the OLM * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `The ClusterServiceVersion spec.version, %q, is not a valid semver` * Code: `olm.csv_semver_format` +* To exclude this rule, add `olm.csv_semver_format` to the `exclude` list in your policy config. You can also exclude the entire package with `olm`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/olm/olm.rego#L19[Source, window="_blank"] [#olm__feature_annotations_format] @@ -30,6 +31,7 @@ Check the feature annotations in the ClusterServiceVersion manifest of the OLM b * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `The annotation %q is either missing or has an unexpected value` * Code: `olm.feature_annotations_format` +* To exclude this rule, add `olm.feature_annotations_format` to the `exclude` list in your policy config. You can also exclude the entire package with `olm`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/olm/olm.rego#L66[Source, window="_blank"] [#olm__allowed_registries] @@ -42,6 +44,7 @@ Each image referenced by the OLM bundle should match an entry in the list of pre * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `The %q CSV image reference is not from an allowed registry.` * Code: `olm.allowed_registries` +* To exclude this rule, add `olm.allowed_registries` to the `exclude` list in your policy config. You can also exclude the entire package with `olm`, or exclude by collection with `@collection-name`. * Effective from: `2024-09-01T00:00:00Z` * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/olm/olm.rego#L308[Source, window="_blank"] 
@@ -55,6 +58,7 @@ Operators are required to manage the network policies of their operands. This ru * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `Operator %q version %q is missing required NetworkPolicy RBAC (networking.k8s.io/networkpolicies with create, delete, and update/patch)` * Code: `olm.required_network_policy_rbac_for_operands` +* To exclude this rule, add `olm.required_network_policy_rbac_for_operands` to the `exclude` list in your policy config. You can also exclude the entire package with `olm`, or exclude by collection with `@collection-name`. * Effective from: `2026-08-07T00:00:00Z` * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/olm/olm.rego#L387[Source, window="_blank"] @@ -68,6 +72,7 @@ Every manifest in an OLM bundle must be of an allowed resource kind, as defined * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `The %q manifest kind is not in the list of OLM allowed resource kinds.` * Code: `olm.allowed_resource_kinds` +* To exclude this rule, add `olm.allowed_resource_kinds` to the `exclude` list in your policy config. You can also exclude the entire package with `olm`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/olm/olm.rego#L363[Source, window="_blank"] [#olm__olm_bundle_multi_arch] 
@@ -80,6 +85,7 @@ OLM bundle images should be built for a single architecture. They should not be * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `The %q bundle image is a multi-arch reference.` * Code: `olm.olm_bundle_multi_arch` +* To exclude this rule, add `olm.olm_bundle_multi_arch` to the `exclude` list in your policy config. You can also exclude the entire package with `olm`, or exclude by collection with `@collection-name`. * Effective from: `2025-05-01T00:00:00Z` * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/olm/olm.rego#L341[Source, window="_blank"] @@ -93,6 +99,7 @@ Each image indicated as a related image should match an entry in the list of pre * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `The %q related image reference is not from an allowed registry.` * Code: `olm.allowed_registries_related` +* To exclude this rule, add `olm.allowed_registries_related` to the `exclude` list in your policy config. You can also exclude the entire package with `olm`, or exclude by collection with `@collection-name`. * Effective from: `2025-04-15T00:00:00Z` * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/olm/olm.rego#L232[Source, window="_blank"] @@ -104,6 +111,7 @@ Confirm the `required_olm_features_annotations` rule data was provided, since it * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `%s` * Code: `olm.required_olm_features_annotations_provided` +* To exclude this rule, add `olm.required_olm_features_annotations_provided` to the `exclude` list in your policy config. You can also exclude the entire package with `olm`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/olm/olm.rego#L111[Source, window="_blank"] [#olm__subscriptions_annotation_format] 
@@ -116,6 +124,7 @@ Check the value of the operators.openshift.io/valid-subscription annotation from * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `%s` * Code: `olm.subscriptions_annotation_format` +* To exclude this rule, add `olm.subscriptions_annotation_format` to the `exclude` list in your policy config. You can also exclude the entire package with `olm`, or exclude by collection with `@collection-name`. * Effective from: `2024-04-18T00:00:00Z` * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/olm/olm.rego#L90[Source, window="_blank"] @@ -129,6 +138,7 @@ Check the input image for the presence of related images. Ensure that all images * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `The %q related image reference is not accessible.` * Code: `olm.inaccessible_related_images` +* To exclude this rule, add `olm.inaccessible_related_images` to the `exclude` list in your policy config. You can also exclude the entire package with `olm`, or exclude by collection with `@collection-name`. * Effective from: `2025-03-10T00:00:00Z` * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/olm/olm.rego#L198[Source, window="_blank"] @@ -142,6 +152,7 @@ Check the OLM bundle image for the presence of unmapped image references. Unmapp * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `The %q CSV image reference is not in the snapshot or accessible.` * Code: `olm.unmapped_references` +* To exclude this rule, add `olm.unmapped_references` to the `exclude` list in your policy config. You can also exclude the entire package with `olm`, or exclude by collection with `@collection-name`. * Effective from: `2024-08-15T00:00:00Z` * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/olm/olm.rego#L262[Source, window="_blank"] 
@@ -155,6 +166,7 @@ Check the OLM bundle image for the presence of unpinned image references. Unpinn * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `The %q image reference is not pinned at %s.` * Code: `olm.unpinned_references` +* To exclude this rule, add `olm.unpinned_references` to the `exclude` list in your policy config. You can also exclude the entire package with `olm`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/olm/olm.rego#L40[Source, window="_blank"] [#olm__unpinned_snapshot_references] @@ -167,6 +179,7 @@ Check the input snapshot for the presence of unpinned image references. Unpinned * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `The %q image reference is not pinned in the input snapshot.` * Code: `olm.unpinned_snapshot_references` +* To exclude this rule, add `olm.unpinned_snapshot_references` to the `exclude` list in your policy config. You can also exclude the entire package with `olm`, or exclude by collection with `@collection-name`. * Effective from: `2024-08-15T00:00:00Z` * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/olm/olm.rego#L128[Source, window="_blank"] @@ -180,4 +193,5 @@ Check the input image for the presence of related images. Ensure all related ima * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `%d related images are not pinned with a digest: %s.` * Code: `olm.unpinned_related_images` +* To exclude this rule, add `olm.unpinned_related_images` to the `exclude` list in your policy config. You can also exclude the entire package with `olm`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/olm/olm.rego#L162[Source, window="_blank"] 
diff --git a/antora/docs/modules/ROOT/pages/packages/release_pre_build_script_task.adoc b/antora/docs/modules/ROOT/pages/packages/release_pre_build_script_task.adoc index 34d55b199..7c13aa804 100644 --- a/antora/docs/modules/ROOT/pages/packages/release_pre_build_script_task.adoc +++ b/antora/docs/modules/ROOT/pages/packages/release_pre_build_script_task.adoc @@ -18,6 +18,7 @@ Verify that the images used to run the pre-build script tasks come from a known * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `Pre-Build-Script task runner image %q is from a disallowed registry` * Code: `pre_build_script_task.pre_build_script_task_runner_image_allowed` +* To exclude this rule, add `pre_build_script_task.pre_build_script_task_runner_image_allowed` to the `exclude` list in your policy config. You can also exclude the entire package with `pre_build_script_task`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/pre_build_script_task/pre_build_script_task.rego#L19[Source, window="_blank"] [#pre_build_script_task__valid_pre_build_script_task_runner_image_ref] @@ -30,6 +31,7 @@ Verify that a valid image reference is specified as image being used to run the * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `Pre-Build-Script task runner image %q is not a valid image reference` * Code: `pre_build_script_task.valid_pre_build_script_task_runner_image_ref` +* To exclude this rule, add `pre_build_script_task.valid_pre_build_script_task_runner_image_ref` to the `exclude` list in your policy config. You can also exclude the entire package with `pre_build_script_task`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/pre_build_script_task/pre_build_script_task.rego#L72[Source, window="_blank"] [#pre_build_script_task__pre_build_script_task_runner_image_in_sbom] 
@@ -42,6 +44,7 @@ Verify that the image used to run the pre-build script task is included in the S * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `Pre-Build-Script task runner image %q is not in the SBOM` * Code: `pre_build_script_task.pre_build_script_task_runner_image_in_sbom` +* To exclude this rule, add `pre_build_script_task.pre_build_script_task_runner_image_in_sbom` to the `exclude` list in your policy config. You can also exclude the entire package with `pre_build_script_task`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/pre_build_script_task/pre_build_script_task.rego#L96[Source, window="_blank"] [#pre_build_script_task__pre_build_script_task_runner_image_in_results] @@ -54,4 +57,5 @@ Verify that the image used to run the pre-build script task is listed in the tas * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `The runner image used for the pre-Build-Script task '%s' is not listed in the task results` * Code: `pre_build_script_task.pre_build_script_task_runner_image_in_results` +* To exclude this rule, add `pre_build_script_task.pre_build_script_task_runner_image_in_results` to the `exclude` list in your policy config. You can also exclude the entire package with `pre_build_script_task`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/pre_build_script_task/pre_build_script_task.rego#L49[Source, window="_blank"] diff --git a/antora/docs/modules/ROOT/pages/packages/release_prefetch_dependencies.adoc b/antora/docs/modules/ROOT/pages/packages/release_prefetch_dependencies.adoc index 717ee3e85..99477ab5c 100644 --- a/antora/docs/modules/ROOT/pages/packages/release_prefetch_dependencies.adoc +++ b/antora/docs/modules/ROOT/pages/packages/release_prefetch_dependencies.adoc 
@@ -18,6 +18,7 @@ Verify the prefetch-dependencies task in the PipelineRun attestation was not inv * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `Task '%s' was invoked with mode parameter set to 'permissive'` * Code: `prefetch_dependencies.mode_not_permissive` +* To exclude this rule, add `prefetch_dependencies.mode_not_permissive` to the `exclude` list in your policy config. You can also exclude the entire package with `prefetch_dependencies`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/prefetch_dependencies/prefetch_dependencies.rego#L16[Source, window="_blank"] [#prefetch_dependencies__package_registry_proxy_enabled] @@ -30,5 +31,6 @@ Verify that prefetch-dependencies tasks have the enable-package-registry-proxy p * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `Task '%s' does not have the enable-package-registry-proxy parameter set to true` * Code: `prefetch_dependencies.package_registry_proxy_enabled` +* To exclude this rule, add `prefetch_dependencies.package_registry_proxy_enabled` to the `exclude` list in your policy config. You can also exclude the entire package with `prefetch_dependencies`, or exclude by collection with `@collection-name`. * Effective from: `2026-05-13T00:00:00Z` * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/prefetch_dependencies/prefetch_dependencies.rego#L43[Source, window="_blank"] diff --git a/antora/docs/modules/ROOT/pages/packages/release_provenance_materials.adoc b/antora/docs/modules/ROOT/pages/packages/release_provenance_materials.adoc index c35652d61..4dd1989c8 100644 --- a/antora/docs/modules/ROOT/pages/packages/release_provenance_materials.adoc +++ b/antora/docs/modules/ROOT/pages/packages/release_provenance_materials.adoc 
@@ -18,6 +18,7 @@ Confirm that the result of the git-clone task is included in the materials secti * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `Entry in materials for the git repo %q and commit %q not found` * Code: `provenance_materials.git_clone_source_matches_provenance` +* To exclude this rule, add `provenance_materials.git_clone_source_matches_provenance` to the `exclude` list in your policy config. You can also exclude the entire package with `provenance_materials`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/provenance_materials/provenance_materials.rego#L38[Source, window="_blank"] [#provenance_materials__git_clone_task_found] @@ -30,4 +31,5 @@ Confirm that the attestation contains a git-clone task with `commit` and `url` t * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `Task git-clone not found` * Code: `provenance_materials.git_clone_task_found` +* To exclude this rule, add `provenance_materials.git_clone_task_found` to the `exclude` list in your policy config. You can also exclude the entire package with `provenance_materials`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/provenance_materials/provenance_materials.rego#L16[Source, window="_blank"] diff --git a/antora/docs/modules/ROOT/pages/packages/release_quay_expiration.adoc b/antora/docs/modules/ROOT/pages/packages/release_quay_expiration.adoc index f330e6a92..eb3a93bda 100644 --- a/antora/docs/modules/ROOT/pages/packages/release_quay_expiration.adoc +++ b/antora/docs/modules/ROOT/pages/packages/release_quay_expiration.adoc 
@@ -18,4 +18,5 @@ Check the image metadata for the presence of a "quay.expires-after" label. If it * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `The label 'quay.expires-after' is not allowed in the released image` * Code: `quay_expiration.expires_label` +* To exclude this rule, add `quay_expiration.expires_label` to the `exclude` list in your policy config. You can also exclude the entire package with `quay_expiration`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/quay_expiration/quay_expiration.rego#L16[Source, window="_blank"] diff --git a/antora/docs/modules/ROOT/pages/packages/release_rhtap_multi_ci.adoc b/antora/docs/modules/ROOT/pages/packages/release_rhtap_multi_ci.adoc index 2b0787b16..937e2c8fe 100644 --- a/antora/docs/modules/ROOT/pages/packages/release_rhtap_multi_ci.adoc +++ b/antora/docs/modules/ROOT/pages/packages/release_rhtap_multi_ci.adoc @@ -18,6 +18,7 @@ Confirm the attestation created by the RHTAP Multi-CI build pipeline matches the * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `RHTAP %s attestation problem: %s` * Code: `rhtap_multi_ci.attestation_format` +* To exclude this rule, add `rhtap_multi_ci.attestation_format` to the `exclude` list in your policy config. You can also exclude the entire package with `rhtap_multi_ci`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/rhtap_multi_ci/rhtap_multi_ci.rego#L41[Source, window="_blank"] [#rhtap_multi_ci__attestation_found] 
@@ -30,4 +31,5 @@ Verify an attestation created by the RHTAP Multi-CI build pipeline is present. * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `A SLSA v1.0 provenance with one of the following RHTAP Multi-CI build types was not found: %s.` * Code: `rhtap_multi_ci.attestation_found` +* To exclude this rule, add `rhtap_multi_ci.attestation_found` to the `exclude` list in your policy config. You can also exclude the entire package with `rhtap_multi_ci`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/rhtap_multi_ci/rhtap_multi_ci.rego#L17[Source, window="_blank"] diff --git a/antora/docs/modules/ROOT/pages/packages/release_rpm_build_deps.adoc b/antora/docs/modules/ROOT/pages/packages/release_rpm_build_deps.adoc index c50967986..b79b7f9cc 100644 --- a/antora/docs/modules/ROOT/pages/packages/release_rpm_build_deps.adoc +++ b/antora/docs/modules/ROOT/pages/packages/release_rpm_build_deps.adoc @@ -16,4 +16,5 @@ Builds have valid download locations for RPM build dependencies * Rule type: [rule-type-indicator warning]#WARNING# * WARNING message: `RPM build dependency source %s is not in the allowed list %v.` * Code: `rpm_build_deps.download_location_valid` +* To exclude this rule, add `rpm_build_deps.download_location_valid` to the `exclude` list in your policy config. You can also exclude the entire package with `rpm_build_deps`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/rpm_build_deps/rpm_build_deps.rego#L15[Source, window="_blank"] diff --git a/antora/docs/modules/ROOT/pages/packages/release_rpm_ostree_task.adoc b/antora/docs/modules/ROOT/pages/packages/release_rpm_ostree_task.adoc index 2e96a19e6..193dc016c 100644 --- a/antora/docs/modules/ROOT/pages/packages/release_rpm_ostree_task.adoc +++ b/antora/docs/modules/ROOT/pages/packages/release_rpm_ostree_task.adoc 
@@ -18,6 +18,7 @@ Verify the BUILDER_IMAGE parameter of the rpm-ostree Task uses an image referenc * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `%s` * Code: `rpm_ostree_task.builder_image_param` +* To exclude this rule, add `rpm_ostree_task.builder_image_param` to the `exclude` list in your policy config. You can also exclude the entire package with `rpm_ostree_task`, or exclude by collection with `@collection-name`. * Effective from: `2024-03-20T00:00:00Z` * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/rpm_ostree_task/rpm_ostree_task.rego#L18[Source, window="_blank"] @@ -31,4 +32,5 @@ Verify the rule data used by this package, `allowed_rpm_ostree_builder_image_pre * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `%s` * Code: `rpm_ostree_task.rule_data` +* To exclude this rule, add `rpm_ostree_task.rule_data` to the `exclude` list in your policy config. You can also exclude the entire package with `rpm_ostree_task`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/rpm_ostree_task/rpm_ostree_task.rego#L39[Source, window="_blank"] diff --git a/antora/docs/modules/ROOT/pages/packages/release_rpm_packages.adoc b/antora/docs/modules/ROOT/pages/packages/release_rpm_packages.adoc index 586f06669..b7381e3fe 100644 --- a/antora/docs/modules/ROOT/pages/packages/release_rpm_packages.adoc +++ b/antora/docs/modules/ROOT/pages/packages/release_rpm_packages.adoc 
@@ -16,4 +16,5 @@ Check if a multi-arch build has the same RPM versions installed across each diff * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `Mismatched versions of the %q RPM were found across different arches. %s` * Code: `rpm_packages.unique_version` +* To exclude this rule, add `rpm_packages.unique_version` to the `exclude` list in your policy config. You can also exclude the entire package with `rpm_packages`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/rpm_packages/rpm_packages.rego#L20[Source, window="_blank"] diff --git a/antora/docs/modules/ROOT/pages/packages/release_rpm_pipeline.adoc b/antora/docs/modules/ROOT/pages/packages/release_rpm_pipeline.adoc index 47c48f6e3..6a8665dd2 100644 --- a/antora/docs/modules/ROOT/pages/packages/release_rpm_pipeline.adoc +++ b/antora/docs/modules/ROOT/pages/packages/release_rpm_pipeline.adoc @@ -16,4 +16,5 @@ The Tekton Task used specifies an invalid pipeline. The Task is annotated with ` * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `Task %q uses invalid pipleline %s, which is not in the list of valid pipelines: %s` * Code: `rpm_pipeline.invalid_pipeline` +* To exclude this rule, add `rpm_pipeline.invalid_pipeline` to the `exclude` list in your policy config. You can also exclude the entire package with `rpm_pipeline`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/rpm_pipeline/rpm_pipeline.rego#L20[Source, window="_blank"] diff --git a/antora/docs/modules/ROOT/pages/packages/release_rpm_repos.adoc b/antora/docs/modules/ROOT/pages/packages/release_rpm_repos.adoc index 94243c07f..d8c7c59eb 100644 --- a/antora/docs/modules/ROOT/pages/packages/release_rpm_repos.adoc +++ b/antora/docs/modules/ROOT/pages/packages/release_rpm_repos.adoc 
@@ -18,6 +18,7 @@ Each RPM package listed in an SBOM must specify the repository id that it comes * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `RPM repo id check failed: %s` * Code: `rpm_repos.ids_known` +* To exclude this rule, add `rpm_repos.ids_known` to the `exclude` list in your policy config. You can also exclude the entire package with `rpm_repos`, or exclude by collection with `@collection-name`. * Effective from: `2024-11-10T00:00:00Z` * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/rpm_repos/rpm_repos.rego#L40[Source, window="_blank"] @@ -31,4 +32,5 @@ A list of known and permitted repository ids should be available in the rule dat * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `Rule data '%s' has unexpected format: %s` * Code: `rpm_repos.rule_data_provided` +* To exclude this rule, add `rpm_repos.rule_data_provided` to the `exclude` list in your policy config. You can also exclude the entire package with `rpm_repos`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/rpm_repos/rpm_repos.rego#L18[Source, window="_blank"] diff --git a/antora/docs/modules/ROOT/pages/packages/release_rpm_signature.adoc b/antora/docs/modules/ROOT/pages/packages/release_rpm_signature.adoc index 85ec0ab94..8ea42db8d 100644 --- a/antora/docs/modules/ROOT/pages/packages/release_rpm_signature.adoc +++ b/antora/docs/modules/ROOT/pages/packages/release_rpm_signature.adoc 
@@ -18,6 +18,7 @@ The SLSA Provenance attestation for the image is inspected to ensure RPMs have b * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `Signing key %q is not one of the allowed keys: %s` * Code: `rpm_signature.allowed` +* To exclude this rule, add `rpm_signature.allowed` to the `exclude` list in your policy config. You can also exclude the entire package with `rpm_signature`, or exclude by collection with `@collection-name`. * Effective from: `2024-10-05T00:00:00Z` * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/rpm_signature/rpm_signature.rego#L17[Source, window="_blank"] @@ -29,6 +30,7 @@ Confirm the format of the RPMS_DATA result is in the expected format. * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `%s` * Code: `rpm_signature.result_format` +* To exclude this rule, add `rpm_signature.result_format` to the `exclude` list in your policy config. You can also exclude the entire package with `rpm_signature`, or exclude by collection with `@collection-name`. * Effective from: `2024-10-05T00:00:00Z` * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/rpm_signature/rpm_signature.rego#L40[Source, window="_blank"] @@ -40,5 +42,6 @@ Confirm the expected `allowed_rpm_signature_keys` rule data key has been provide * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `%s` * Code: `rpm_signature.rule_data_provided` +* To exclude this rule, add `rpm_signature.rule_data_provided` to the `exclude` list in your policy config. You can also exclude the entire package with `rpm_signature`, or exclude by collection with `@collection-name`. * Effective from: `2024-10-05T00:00:00Z` * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/rpm_signature/rpm_signature.rego#L57[Source, window="_blank"] 
diff --git a/antora/docs/modules/ROOT/pages/packages/release_sbom.adoc b/antora/docs/modules/ROOT/pages/packages/release_sbom.adoc index b55593c2f..6be9297ee 100644 --- a/antora/docs/modules/ROOT/pages/packages/release_sbom.adoc +++ b/antora/docs/modules/ROOT/pages/packages/release_sbom.adoc @@ -18,6 +18,7 @@ Confirm the `disallowed_packages` and `disallowed_attributes` rule data were pro * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `%s` * Code: `sbom.disallowed_packages_provided` +* To exclude this rule, add `sbom.disallowed_packages_provided` to the `exclude` list in your policy config. You can also exclude the entire package with `sbom`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/sbom/sbom.rego#L36[Source, window="_blank"] [#sbom__found] @@ -30,4 +31,5 @@ Confirm an SBOM attestation exists. * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `No SBOM attestations found` * Code: `sbom.found` +* To exclude this rule, add `sbom.found` to the `exclude` list in your policy config. You can also exclude the entire package with `sbom`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/sbom/sbom.rego#L16[Source, window="_blank"] diff --git a/antora/docs/modules/ROOT/pages/packages/release_sbom_cyclonedx.adoc b/antora/docs/modules/ROOT/pages/packages/release_sbom_cyclonedx.adoc index 09e489840..c5536bf6b 100644 --- a/antora/docs/modules/ROOT/pages/packages/release_sbom_cyclonedx.adoc +++ b/antora/docs/modules/ROOT/pages/packages/release_sbom_cyclonedx.adoc 
@@ -18,6 +18,7 @@ Confirm the CycloneDX SBOM contains only allowed packages. By default all packag * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `Package is not allowed: %s` * Code: `sbom_cyclonedx.allowed` +* To exclude this rule, add `sbom_cyclonedx.allowed` to the `exclude` list in your policy config. You can also exclude the entire package with `sbom_cyclonedx`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/sbom_cyclonedx/sbom_cyclonedx.rego#L106[Source, window="_blank"] [#sbom_cyclonedx__allowed_package_external_references] @@ -30,6 +31,7 @@ Confirm the CycloneDX SBOM contains only packages with explicitly allowed extern * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `Package %s has reference %q of type %q which is not explicitly allowed%s` * Code: `sbom_cyclonedx.allowed_package_external_references` +* To exclude this rule, add `sbom_cyclonedx.allowed_package_external_references` to the `exclude` list in your policy config. You can also exclude the entire package with `sbom_cyclonedx`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/sbom_cyclonedx/sbom_cyclonedx.rego#L165[Source, window="_blank"] [#sbom_cyclonedx__allowed_package_sources] 
@@ -42,6 +44,7 @@ For each of the components fetched by Hermeto which define externalReferences of * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `Package %s fetched by Hermeto was sourced from %q which is not allowed` * Code: `sbom_cyclonedx.allowed_package_sources` +* To exclude this rule, add `sbom_cyclonedx.allowed_package_sources` to the `exclude` list in your policy config. You can also exclude the entire package with `sbom_cyclonedx`, or exclude by collection with `@collection-name`. * Effective from: `2024-12-15T00:00:00Z` * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/sbom_cyclonedx/sbom_cyclonedx.rego#L229[Source, window="_blank"] @@ -55,6 +58,7 @@ For components found by Hermeto with a PURL type listed in proxy_enabled_purl_ty * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `Package %s has proxy URL %q which does not match any allowed pattern for PURL type %q` * Code: `sbom_cyclonedx.allowed_proxy_urls` +* To exclude this rule, add `sbom_cyclonedx.allowed_proxy_urls` to the `exclude` list in your policy config. You can also exclude the entire package with `sbom_cyclonedx`, or exclude by collection with `@collection-name`. * Effective from: `2026-06-01T00:00:00Z` * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/sbom_cyclonedx/sbom_cyclonedx.rego#L269[Source, window="_blank"] 
@@ -68,6 +72,7 @@ Confirm the CycloneDX SBOM contains only packages without disallowed attributes. * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `Package %s has the attribute %q set%s` * Code: `sbom_cyclonedx.disallowed_package_attributes` +* To exclude this rule, add `sbom_cyclonedx.disallowed_package_attributes` to the `exclude` list in your policy config. You can also exclude the entire package with `sbom_cyclonedx`, or exclude by collection with `@collection-name`. * Effective from: `2024-07-31T00:00:00Z` * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/sbom_cyclonedx/sbom_cyclonedx.rego#L127[Source, window="_blank"] @@ -81,6 +86,7 @@ Confirm the CycloneDX SBOM contains only packages without disallowed external re * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `Package %s has reference %q of type %q which is disallowed%s` * Code: `sbom_cyclonedx.disallowed_package_external_references` +* To exclude this rule, add `sbom_cyclonedx.disallowed_package_external_references` to the `exclude` list in your policy config. You can also exclude the entire package with `sbom_cyclonedx`, or exclude by collection with `@collection-name`. * Effective from: `2024-07-31T00:00:00Z` * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/sbom_cyclonedx/sbom_cyclonedx.rego#L197[Source, window="_blank"] 
@@ -94,6 +100,7 @@ For components found by Hermeto with a PURL type listed in proxy_enabled_purl_ty * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `Package %s is missing proxy metadata (no externalReference of type "distribution" with comment "proxy URL")` * Code: `sbom_cyclonedx.proxy_metadata_required` +* To exclude this rule, add `sbom_cyclonedx.proxy_metadata_required` to the `exclude` list in your policy config. You can also exclude the entire package with `sbom_cyclonedx`, or exclude by collection with `@collection-name`. * Effective from: `2026-05-13T00:00:00Z` * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/sbom_cyclonedx/sbom_cyclonedx.rego#L324[Source, window="_blank"] @@ -107,6 +114,7 @@ Check that the CycloneDX SBOM specifies a supported schema version (1.4, 1.5 or * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `CycloneDX SBOM at index %d has unsupported or missing version: %s` * Code: `sbom_cyclonedx.cdx_supported_version` +* To exclude this rule, add `sbom_cyclonedx.cdx_supported_version` to the `exclude` list in your policy config. You can also exclude the entire package with `sbom_cyclonedx`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/sbom_cyclonedx/sbom_cyclonedx.rego#L15[Source, window="_blank"] [#sbom_cyclonedx__valid_cdx_1_4] 
@@ -119,6 +127,7 @@ Check the CycloneDX SBOM has the expected format. It verifies the CycloneDX SBOM * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `CycloneDX SBOM at index %d is not valid: %s` * Code: `sbom_cyclonedx.valid_cdx_1_4` +* To exclude this rule, add `sbom_cyclonedx.valid_cdx_1_4` to the `exclude` list in your policy config. You can also exclude the entire package with `sbom_cyclonedx`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/sbom_cyclonedx/sbom_cyclonedx.rego#L40[Source, window="_blank"] [#sbom_cyclonedx__valid_cdx_1_5] @@ -131,6 +140,7 @@ Check the CycloneDX SBOM has the expected format. It verifies the CycloneDX SBOM * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `CycloneDX SBOM at index %d is not valid: %s` * Code: `sbom_cyclonedx.valid_cdx_1_5` +* To exclude this rule, add `sbom_cyclonedx.valid_cdx_1_5` to the `exclude` list in your policy config. You can also exclude the entire package with `sbom_cyclonedx`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/sbom_cyclonedx/sbom_cyclonedx.rego#L62[Source, window="_blank"] [#sbom_cyclonedx__valid_cdx_1_6] @@ -143,4 +153,5 @@ Check the CycloneDX SBOM has the expected format. It verifies the CycloneDX SBOM * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `CycloneDX SBOM at index %d is not valid: %s` * Code: `sbom_cyclonedx.valid_cdx_1_6` +* To exclude this rule, add `sbom_cyclonedx.valid_cdx_1_6` to the `exclude` list in your policy config. You can also exclude the entire package with `sbom_cyclonedx`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/sbom_cyclonedx/sbom_cyclonedx.rego#L84[Source, window="_blank"] 
diff --git a/antora/docs/modules/ROOT/pages/packages/release_sbom_spdx.adoc b/antora/docs/modules/ROOT/pages/packages/release_sbom_spdx.adoc index fcd3245f8..4bdc1581b 100644 --- a/antora/docs/modules/ROOT/pages/packages/release_sbom_spdx.adoc +++ b/antora/docs/modules/ROOT/pages/packages/release_sbom_spdx.adoc @@ -18,6 +18,7 @@ Confirm the SPDX SBOM contains only allowed packages. By default all packages ar * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `Package is not allowed: %s` * Code: `sbom_spdx.allowed` +* To exclude this rule, add `sbom_spdx.allowed` to the `exclude` list in your policy config. You can also exclude the entire package with `sbom_spdx`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/sbom_spdx/sbom_spdx.rego#L52[Source, window="_blank"] [#sbom_spdx__allowed_package_external_references] @@ -30,6 +31,7 @@ Confirm the SPDX SBOM contains only packages with explicitly allowed external re * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `Package %s has reference %q of type %q which is not explicitly allowed%s` * Code: `sbom_spdx.allowed_package_external_references` +* To exclude this rule, add `sbom_spdx.allowed_package_external_references` to the `exclude` list in your policy config. You can also exclude the entire package with `sbom_spdx`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/sbom_spdx/sbom_spdx.rego#L75[Source, window="_blank"] [#sbom_spdx__allowed_package_sources] 
@@ -42,6 +44,7 @@ For each of the packages fetched by Hermeto which define externalReferences, ver * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `Package %s fetched by Hermeto was sourced from %q which is not allowed` * Code: `sbom_spdx.allowed_package_sources` +* To exclude this rule, add `sbom_spdx.allowed_package_sources` to the `exclude` list in your policy config. You can also exclude the entire package with `sbom_spdx`, or exclude by collection with `@collection-name`. * Effective from: `2025-02-17T00:00:00Z` * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/sbom_spdx/sbom_spdx.rego#L171[Source, window="_blank"] @@ -55,6 +58,7 @@ For packages found by Hermeto with a PURL type listed in proxy_enabled_purl_type * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `Package %s has proxy URL %q which does not match any allowed pattern for PURL type %q` * Code: `sbom_spdx.allowed_proxy_urls` +* To exclude this rule, add `sbom_spdx.allowed_proxy_urls` to the `exclude` list in your policy config. You can also exclude the entire package with `sbom_spdx`, or exclude by collection with `@collection-name`. * Effective from: `2026-06-01T00:00:00Z` * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/sbom_spdx/sbom_spdx.rego#L254[Source, window="_blank"] @@ -68,6 +72,7 @@ Check the list of files in the SPDX SBOM is not empty. * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `The list of files is empty` * Code: `sbom_spdx.contains_files` +* To exclude this rule, add `sbom_spdx.contains_files` to the `exclude` list in your policy config. You can also exclude the entire package with `sbom_spdx`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/sbom_spdx/sbom_spdx.rego#L138[Source, window="_blank"] [#sbom_spdx__contains_packages] 
@@ -80,6 +85,7 @@ Check the list of packages in the SPDX SBOM is not empty. * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `The list of packages is empty` * Code: `sbom_spdx.contains_packages` +* To exclude this rule, add `sbom_spdx.contains_packages` to the `exclude` list in your policy config. You can also exclude the entire package with `sbom_spdx`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/sbom_spdx/sbom_spdx.rego#L37[Source, window="_blank"] [#sbom_spdx__disallowed_package_attributes] @@ -92,6 +98,7 @@ Confirm the SPDX SBOM contains only packages without disallowed attributes. By d * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `Package %s has the attribute %q set%s` * Code: `sbom_spdx.disallowed_package_attributes` +* To exclude this rule, add `sbom_spdx.disallowed_package_attributes` to the `exclude` list in your policy config. You can also exclude the entire package with `sbom_spdx`, or exclude by collection with `@collection-name`. * Effective from: `2025-02-04T00:00:00Z` * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/sbom_spdx/sbom_spdx.rego#L212[Source, window="_blank"] @@ -105,6 +112,7 @@ Confirm the SPDX SBOM contains only packages without disallowed external referen * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `Package %s has reference %q of type %q which is disallowed%s` * Code: `sbom_spdx.disallowed_package_external_references` +* To exclude this rule, add `sbom_spdx.disallowed_package_external_references` to the `exclude` list in your policy config. You can also exclude the entire package with `sbom_spdx`, or exclude by collection with `@collection-name`. * Effective from: `2024-07-31T00:00:00Z` * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/sbom_spdx/sbom_spdx.rego#L106[Source, window="_blank"] 
@@ -118,6 +126,7 @@ Check the SPDX SBOM targets the image being validated. * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `Image digest in the SBOM, %q, is not as expected, %q` * Code: `sbom_spdx.matches_image` +* To exclude this rule, add `sbom_spdx.matches_image` to the `exclude` list in your policy config. You can also exclude the entire package with `sbom_spdx`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/sbom_spdx/sbom_spdx.rego#L153[Source, window="_blank"] [#sbom_spdx__proxy_metadata_required] @@ -130,6 +139,7 @@ For packages found by Hermeto with a PURL type listed in proxy_enabled_purl_type * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `Package %s is missing proxy metadata (sourceInfo is empty or missing)` * Code: `sbom_spdx.proxy_metadata_required` +* To exclude this rule, add `sbom_spdx.proxy_metadata_required` to the `exclude` list in your policy config. You can also exclude the entire package with `sbom_spdx`, or exclude by collection with `@collection-name`. * Effective from: `2026-05-13T00:00:00Z` * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/sbom_spdx/sbom_spdx.rego#L313[Source, window="_blank"] @@ -143,4 +153,5 @@ Check the SPDX SBOM has the expected format. It verifies the SPDX SBOM matches t * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `SPDX SBOM at index %d is not valid: %s` * Code: `sbom_spdx.valid` +* To exclude this rule, add `sbom_spdx.valid` to the `exclude` list in your policy config. You can also exclude the entire package with `sbom_spdx`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/sbom_spdx/sbom_spdx.rego#L16[Source, window="_blank"] 
diff --git a/antora/docs/modules/ROOT/pages/packages/release_schedule.adoc b/antora/docs/modules/ROOT/pages/packages/release_schedule.adoc index 1a5858a83..aec9b079e 100644 --- a/antora/docs/modules/ROOT/pages/packages/release_schedule.adoc +++ b/antora/docs/modules/ROOT/pages/packages/release_schedule.adoc @@ -18,6 +18,7 @@ Check if the current date is not allowed based on the rule data value from the k * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `%s is a disallowed date: %s` * Code: `schedule.date_restriction` +* To exclude this rule, add `schedule.date_restriction` to the `exclude` list in your policy config. You can also exclude the entire package with `schedule`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/schedule/schedule.rego#L42[Source, window="_blank"] [#schedule__rule_data_provided] @@ -30,6 +31,7 @@ Confirm the expected rule data keys have been provided in the expected format. T * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `%s` * Code: `schedule.rule_data_provided` +* To exclude this rule, add `schedule.rule_data_provided` to the `exclude` list in your policy config. You can also exclude the entire package with `schedule`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/schedule/schedule.rego#L68[Source, window="_blank"] [#schedule__weekday_restriction] 
@@ -42,4 +44,5 @@ Check if the current weekday is allowed based on the rule data value from the ke * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `%s is a disallowed weekday: %s` * Code: `schedule.weekday_restriction` +* To exclude this rule, add `schedule.weekday_restriction` to the `exclude` list in your policy config. You can also exclude the entire package with `schedule`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/schedule/schedule.rego#L16[Source, window="_blank"] diff --git a/antora/docs/modules/ROOT/pages/packages/release_slsa_build_build_service.adoc b/antora/docs/modules/ROOT/pages/packages/release_slsa_build_build_service.adoc index 30d47b267..3b3c64a7d 100644 --- a/antora/docs/modules/ROOT/pages/packages/release_slsa_build_build_service.adoc +++ b/antora/docs/modules/ROOT/pages/packages/release_slsa_build_build_service.adoc @@ -18,6 +18,7 @@ Confirm the `allowed_builder_ids` rule data was provided, since it is required b * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `%s` * Code: `slsa_build_build_service.allowed_builder_ids_provided` +* To exclude this rule, add `slsa_build_build_service.allowed_builder_ids_provided` to the `exclude` list in your policy config. You can also exclude the entire package with `slsa_build_build_service`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/slsa_build_build_service/slsa_build_build_service.rego#L71[Source, window="_blank"] [#slsa_build_build_service__slsa_builder_id_found] 
@@ -30,6 +31,7 @@ Verify that the attestation attribute predicate.builder.id is set. * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `Builder ID not set in attestation` * Code: `slsa_build_build_service.slsa_builder_id_found` +* To exclude this rule, add `slsa_build_build_service.slsa_builder_id_found` to the `exclude` list in your policy config. You can also exclude the entire package with `slsa_build_build_service`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/slsa_build_build_service/slsa_build_build_service.rego#L22[Source, window="_blank"] [#slsa_build_build_service__slsa_builder_id_accepted] @@ -42,4 +44,5 @@ Verify that the attestation attribute predicate.builder.id is set to one of the * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `Builder ID %q is unexpected` * Code: `slsa_build_build_service.slsa_builder_id_accepted` +* To exclude this rule, add `slsa_build_build_service.slsa_builder_id_accepted` to the `exclude` list in your policy config. You can also exclude the entire package with `slsa_build_build_service`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/slsa_build_build_service/slsa_build_build_service.rego#L44[Source, window="_blank"] diff --git a/antora/docs/modules/ROOT/pages/packages/release_slsa_build_scripted_build.adoc b/antora/docs/modules/ROOT/pages/packages/release_slsa_build_scripted_build.adoc index 61b5e3a88..f9011a6b7 100644 --- a/antora/docs/modules/ROOT/pages/packages/release_slsa_build_scripted_build.adoc +++ b/antora/docs/modules/ROOT/pages/packages/release_slsa_build_scripted_build.adoc 
@@ -20,6 +20,7 @@ Verify that the predicate.buildConfig.tasks.steps attribute for the task respons * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `Build task %q does not contain any steps` * Code: `slsa_build_scripted_build.build_script_used` +* To exclude this rule, add `slsa_build_scripted_build.build_script_used` to the `exclude` list in your policy config. You can also exclude the entire package with `slsa_build_scripted_build`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/slsa_build_scripted_build/slsa_build_scripted_build.rego#L25[Source, window="_blank"] [#slsa_build_scripted_build__build_task_image_results_found] @@ -32,6 +33,7 @@ Confirm that a build task exists and it has the expected IMAGE_DIGEST and IMAGE_ * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `Build task not found` * Code: `slsa_build_scripted_build.build_task_image_results_found` +* To exclude this rule, add `slsa_build_scripted_build.build_task_image_results_found` to the `exclude` list in your policy config. You can also exclude the entire package with `slsa_build_scripted_build`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/slsa_build_scripted_build/slsa_build_scripted_build.rego#L52[Source, window="_blank"] [#slsa_build_scripted_build__image_built_by_trusted_task] 
@@ -44,6 +46,7 @@ Verify the digest of the image being validated is reported by a trusted Task in * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `Image %q not built by a trusted task: %s` * Code: `slsa_build_scripted_build.image_built_by_trusted_task` +* To exclude this rule, add `slsa_build_scripted_build.image_built_by_trusted_task` to the `exclude` list in your policy config. You can also exclude the entire package with `slsa_build_scripted_build`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/slsa_build_scripted_build/slsa_build_scripted_build.rego#L111[Source, window="_blank"] [#slsa_build_scripted_build__subject_build_task_matches] @@ -56,4 +59,5 @@ Verify the subject of the attestations matches the IMAGE_DIGEST and IMAGE_URL va * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `The attestation subject, %q, does not match any of the images built` * Code: `slsa_build_scripted_build.subject_build_task_matches` +* To exclude this rule, add `slsa_build_scripted_build.subject_build_task_matches` to the `exclude` list in your policy config. You can also exclude the entire package with `slsa_build_scripted_build`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/slsa_build_scripted_build/slsa_build_scripted_build.rego#L77[Source, window="_blank"] diff --git a/antora/docs/modules/ROOT/pages/packages/release_slsa_provenance_available.adoc b/antora/docs/modules/ROOT/pages/packages/release_slsa_provenance_available.adoc index 79cc65b59..fbbfde348 100644 --- a/antora/docs/modules/ROOT/pages/packages/release_slsa_provenance_available.adoc +++ b/antora/docs/modules/ROOT/pages/packages/release_slsa_provenance_available.adoc 
@@ -18,6 +18,7 @@ Confirm the `allowed_predicate_types` rule data was provided, since it is requir * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `%s` * Code: `slsa_provenance_available.allowed_predicate_types_provided` +* To exclude this rule, add `slsa_provenance_available.allowed_predicate_types_provided` to the `exclude` list in your policy config. You can also exclude the entire package with `slsa_provenance_available`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/slsa_provenance_available/slsa_provenance_available.rego#L51[Source, window="_blank"] [#slsa_provenance_available__attestation_predicate_type_accepted] @@ -30,4 +31,5 @@ Verify that the predicateType field of the attestation indicates the in-toto SLS * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `Attestation predicate type %q is not an expected type (%s)` * Code: `slsa_provenance_available.attestation_predicate_type_accepted` +* To exclude this rule, add `slsa_provenance_available.attestation_predicate_type_accepted` to the `exclude` list in your policy config. You can also exclude the entire package with `slsa_provenance_available`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/slsa_provenance_available/slsa_provenance_available.rego#L22[Source, window="_blank"] diff --git a/antora/docs/modules/ROOT/pages/packages/release_slsa_source_correlated.adoc b/antora/docs/modules/ROOT/pages/packages/release_slsa_source_correlated.adoc index 1bc702bc5..2ed94ff14 100644 --- a/antora/docs/modules/ROOT/pages/packages/release_slsa_source_correlated.adoc +++ b/antora/docs/modules/ROOT/pages/packages/release_slsa_source_correlated.adoc 
@@ -20,6 +20,7 @@ Verify that the provided source code reference is the one being attested. * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `The expected source code reference %q is not attested` * Code: `slsa_source_correlated.expected_source_code_reference` +* To exclude this rule, add `slsa_source_correlated.expected_source_code_reference` to the `exclude` list in your policy config. You can also exclude the entire package with `slsa_source_correlated`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/slsa_source_correlated/slsa_source_correlated.rego#L69[Source, window="_blank"] [#slsa_source_correlated__rule_data_provided] @@ -30,6 +31,7 @@ Confirm the expected rule data keys have been provided in the expected format. T * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `%s` * Code: `slsa_source_correlated.rule_data_provided` +* To exclude this rule, add `slsa_source_correlated.rule_data_provided` to the `exclude` list in your policy config. You can also exclude the entire package with `slsa_source_correlated`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/slsa_source_correlated/slsa_source_correlated.rego#L107[Source, window="_blank"] [#slsa_source_correlated__source_code_reference_provided] 
@@ -42,6 +44,7 @@ Check if the expected source code reference is provided. * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `Expected source code reference was not provided for verification` * Code: `slsa_source_correlated.source_code_reference_provided` +* To exclude this rule, add `slsa_source_correlated.source_code_reference_provided` to the `exclude` list in your policy config. You can also exclude the entire package with `slsa_source_correlated`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/slsa_source_correlated/slsa_source_correlated.rego#L22[Source, window="_blank"] [#slsa_source_correlated__attested_source_code_reference] @@ -54,4 +57,5 @@ Attestation contains source reference. * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `The attested material contains no source code reference` * Code: `slsa_source_correlated.attested_source_code_reference` +* To exclude this rule, add `slsa_source_correlated.attested_source_code_reference` to the `exclude` list in your policy config. You can also exclude the entire package with `slsa_source_correlated`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/slsa_source_correlated/slsa_source_correlated.rego#L43[Source, window="_blank"] diff --git a/antora/docs/modules/ROOT/pages/packages/release_slsa_source_version_controlled.adoc b/antora/docs/modules/ROOT/pages/packages/release_slsa_source_version_controlled.adoc index 348b2bac5..a9096fd04 100644 --- a/antora/docs/modules/ROOT/pages/packages/release_slsa_source_version_controlled.adoc +++ b/antora/docs/modules/ROOT/pages/packages/release_slsa_source_version_controlled.adoc 
@@ -33,6 +33,7 @@ Ensure each entry in the predicate.materials array with a SHA-1 digest includes * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `Material URI %q is not a git URI` * Code: `slsa_source_version_controlled.materials_uri_is_git_repo` +* To exclude this rule, add `slsa_source_version_controlled.materials_uri_is_git_repo` to the `exclude` list in your policy config. You can also exclude the entire package with `slsa_source_version_controlled`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/slsa_source_version_controlled/slsa_source_version_controlled.rego#L59[Source, window="_blank"] [#slsa_source_version_controlled__materials_format_okay] @@ -45,6 +46,7 @@ Confirm at least one entry in the predicate.materials array of the attestation c * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `No materials match expected format` * Code: `slsa_source_version_controlled.materials_format_okay` +* To exclude this rule, add `slsa_source_version_controlled.materials_format_okay` to the `exclude` list in your policy config. You can also exclude the entire package with `slsa_source_version_controlled`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/slsa_source_version_controlled/slsa_source_version_controlled.rego#L34[Source, window="_blank"] [#slsa_source_version_controlled__materials_include_git_sha] 
@@ -57,4 +59,5 @@ Ensure that each entry in the predicate.materials array with a SHA-1 digest incl * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `Material digest %q is not a git commit sha` * Code: `slsa_source_version_controlled.materials_include_git_sha` +* To exclude this rule, add `slsa_source_version_controlled.materials_include_git_sha` to the `exclude` list in your policy config. You can also exclude the entire package with `slsa_source_version_controlled`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/slsa_source_version_controlled/slsa_source_version_controlled.rego#L85[Source, window="_blank"] diff --git a/antora/docs/modules/ROOT/pages/packages/release_source_image.adoc b/antora/docs/modules/ROOT/pages/packages/release_source_image.adoc index 7f334a42d..85f62f5d8 100644 --- a/antora/docs/modules/ROOT/pages/packages/release_source_image.adoc +++ b/antora/docs/modules/ROOT/pages/packages/release_source_image.adoc @@ -16,6 +16,7 @@ Verify the source container image exists. * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `%s` * Code: `source_image.exists` +* To exclude this rule, add `source_image.exists` to the `exclude` list in your policy config. You can also exclude the entire package with `source_image`, or exclude by collection with `@collection-name`. * Effective from: `2024-06-05T00:00:00Z` * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/source_image/source_image.rego#L17[Source, window="_blank"] 
@@ -27,5 +28,6 @@ Verify the source container image is signed. * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `%s` * Code: `source_image.signed` +* To exclude this rule, add `source_image.signed` to the `exclude` list in your policy config. You can also exclude the entire package with `source_image`, or exclude by collection with `@collection-name`. * Effective from: `2024-05-04T00:00:00Z` * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/source_image/source_image.rego#L32[Source, window="_blank"] diff --git a/antora/docs/modules/ROOT/pages/packages/release_tasks.adoc b/antora/docs/modules/ROOT/pages/packages/release_tasks.adoc index 87f7687bd..7b2357ec5 100644 --- a/antora/docs/modules/ROOT/pages/packages/release_tasks.adoc +++ b/antora/docs/modules/ROOT/pages/packages/release_tasks.adoc @@ -18,6 +18,7 @@ Ensure that the all required tasks are resolved from trusted tasks. * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `%s is required and present but not from a trusted task` * Code: `tasks.required_untrusted_task_found` +* To exclude this rule, add `tasks.required_untrusted_task_found` to the `exclude` list in your policy config. You can also exclude the entire package with `tasks`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/tasks/tasks.rego#L173[Source, window="_blank"] [#tasks__required_tasks_found] 
@@ -30,6 +31,7 @@ Ensure that the set of required tasks are included in the PipelineRun attestatio * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `%s is missing` * Code: `tasks.required_tasks_found` +* To exclude this rule, add `tasks.required_tasks_found` to the `exclude` list in your policy config. You can also exclude the entire package with `tasks`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/tasks/tasks.rego#L145[Source, window="_blank"] [#tasks__data_provided] @@ -42,6 +44,7 @@ Confirm the expected data keys have been provided in the expected format. The ke * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `%s` * Code: `tasks.data_provided` +* To exclude this rule, add `tasks.data_provided` to the `exclude` list in your policy config. You can also exclude the entire package with `tasks`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/tasks/tasks.rego#L300[Source, window="_blank"] [#tasks__future_required_tasks_found] @@ -54,6 +57,7 @@ Produce a warning when a task that will be required in the future was not includ * Rule type: [rule-type-indicator warning]#WARNING# * WARNING message: `%s is missing and will be required on %s` * Code: `tasks.future_required_tasks_found` +* To exclude this rule, add `tasks.future_required_tasks_found` to the `exclude` list in your policy config. You can also exclude the entire package with `tasks`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/tasks/tasks.rego#L60[Source, window="_blank"] [#tasks__pinned_task_refs] 
@@ -66,6 +70,7 @@ Ensure that all Tasks in the SLSA Provenance attestation use an immuntable refer * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `Task %s is used by pipeline task %s via an unpinned reference.` * Code: `tasks.pinned_task_refs` +* To exclude this rule, add `tasks.pinned_task_refs` to the `exclude` list in your policy config. You can also exclude the entire package with `tasks`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/tasks/tasks.rego#L234[Source, window="_blank"] [#tasks__pipeline_has_tasks] @@ -78,6 +83,7 @@ Ensure that at least one Task is present in the PipelineRun attestation. * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `No tasks found in PipelineRun attestation` * Code: `tasks.pipeline_has_tasks` +* To exclude this rule, add `tasks.pipeline_has_tasks` to the `exclude` list in your policy config. You can also exclude the entire package with `tasks`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/tasks/tasks.rego#L90[Source, window="_blank"] [#tasks__pipeline_required_tasks_list_provided] @@ -90,6 +96,7 @@ Produce a warning if the required tasks list rule data was not provided. * Rule type: [rule-type-indicator warning]#WARNING# * WARNING message: `Required tasks do not exist for pipeline` * Code: `tasks.pipeline_required_tasks_list_provided` +* To exclude this rule, add `tasks.pipeline_required_tasks_list_provided` to the `exclude` list in your policy config. You can also exclude the entire package with `tasks`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/tasks/tasks.rego#L39[Source, window="_blank"] [#tasks__required_tasks_list_provided] 
@@ -102,6 +109,7 @@ Confirm the `required-tasks` rule data was provided, since it's required by the * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `Missing required required-tasks data` * Code: `tasks.required_tasks_list_provided` +* To exclude this rule, add `tasks.required_tasks_list_provided` to the `exclude` list in your policy config. You can also exclude the entire package with `tasks`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/tasks/tasks.rego#L210[Source, window="_blank"] [#tasks__successful_pipeline_tasks] @@ -114,6 +122,7 @@ Ensure that all of the Tasks in the Pipeline completed successfully. Note that s * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `Pipeline task %q did not complete successfully, %q` * Code: `tasks.successful_pipeline_tasks` +* To exclude this rule, add `tasks.successful_pipeline_tasks` to the `exclude` list in your policy config. You can also exclude the entire package with `tasks`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/tasks/tasks.rego#L115[Source, window="_blank"] [#tasks__unsupported] @@ -124,4 +133,5 @@ The Tekton Task used is or will be unsupported. The Task is annotated with `buil * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `Task %q is used by pipeline task %q is or will be unsupported as of %s. %s` * Code: `tasks.unsupported` +* To exclude this rule, add `tasks.unsupported` to the `exclude` list in your policy config. You can also exclude the entire package with `tasks`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/tasks/tasks.rego#L261[Source, window="_blank"] 
diff --git a/antora/docs/modules/ROOT/pages/packages/release_test.adoc b/antora/docs/modules/ROOT/pages/packages/release_test.adoc index 88af846f5..e76a52650 100644 --- a/antora/docs/modules/ROOT/pages/packages/release_test.adoc +++ b/antora/docs/modules/ROOT/pages/packages/release_test.adoc @@ -18,6 +18,7 @@ Ensure that task producing the IMAGES_PROCESSED result contains the digests of t * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `Test '%s' did not process image with digest '%s'.` * Code: `test.test_all_images` +* To exclude this rule, add `test.test_all_images` to the `exclude` list in your policy config. You can also exclude the entire package with `test`, or exclude by collection with `@collection-name`. * Effective from: `2024-05-29T00:00:00Z` * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/test/test.rego#L235[Source, window="_blank"] @@ -31,6 +32,7 @@ Produce a warning if any informative tests have their result set to "FAILED". Th * Rule type: [rule-type-indicator warning]#WARNING# * WARNING message: `The Task %q from the build Pipeline reports a failed informative test` * Code: `test.no_failed_informative_tests` +* To exclude this rule, add `test.no_failed_informative_tests` to the `exclude` list in your policy config. You can also exclude the entire package with `test`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/test/test.rego#L19[Source, window="_blank"] [#test__no_erred_tests] 
@@ -43,6 +45,7 @@ Produce a violation if any tests have their result set to "ERROR". The result ty * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `The Task %q from the build Pipeline reports a test erred` * Code: `test.no_erred_tests` +* To exclude this rule, add `test.no_erred_tests` to the `exclude` list in your policy config. You can also exclude the entire package with `test`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/test/test.rego#L168[Source, window="_blank"] [#test__no_failed_tests] @@ -55,6 +58,7 @@ Produce a violation if any non-informative tests have their result set to "FAILE * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `The Task %q from the build Pipeline reports a failed test` * Code: `test.no_failed_tests` +* To exclude this rule, add `test.no_failed_tests` to the `exclude` list in your policy config. You can also exclude the entire package with `test`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/test/test.rego#L144[Source, window="_blank"] [#test__no_test_warnings] @@ -67,6 +71,7 @@ Produce a warning if any tests have their result set to "WARNING". The result ty * Rule type: [rule-type-indicator warning]#WARNING# * WARNING message: `The Task %q from the build Pipeline reports a test contains warnings` * Code: `test.no_test_warnings` +* To exclude this rule, add `test.no_test_warnings` to the `exclude` list in your policy config. You can also exclude the entire package with `test`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/test/test.rego#L43[Source, window="_blank"] [#test__no_skipped_tests] 
@@ -79,6 +84,7 @@ Produce a violation if any tests have their result set to "SKIPPED". A skipped r * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `The Task %q from the build Pipeline reports a test was skipped` * Code: `test.no_skipped_tests` +* To exclude this rule, add `test.no_skipped_tests` to the `exclude` list in your policy config. You can also exclude the entire package with `test`, or exclude by collection with `@collection-name`. * Effective from: `2023-12-08T00:00:00Z` * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/test/test.rego#L190[Source, window="_blank"] @@ -92,6 +98,7 @@ Ensure all test data result values are in the set of known/supported result valu * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `The Task %q from the build Pipeline has an unsupported test result %q` * Code: `test.test_results_known` +* To exclude this rule, add `test.test_results_known` to the `exclude` list in your policy config. You can also exclude the entire package with `test`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/test/test.rego#L112[Source, window="_blank"] [#test__rule_data_provided] @@ -104,6 +111,7 @@ Confirm the expected rule data keys have been provided in the expected format. T * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `%s` * Code: `test.rule_data_provided` +* To exclude this rule, add `test.rule_data_provided` to the `exclude` list in your policy config. You can also exclude the entire package with `test`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/test/test.rego#L216[Source, window="_blank"] [#test__test_data_found] 
@@ -116,6 +124,7 @@ Ensure that at least one of the tasks in the pipeline includes a TEST_OUTPUT tas * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `No test data found` * Code: `test.test_data_found` +* To exclude this rule, add `test.test_data_found` to the `exclude` list in your policy config. You can also exclude the entire package with `test`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/test/test.rego#L66[Source, window="_blank"] [#test__test_results_found] @@ -128,4 +137,5 @@ Each test result is expected to have a `results` key. Verify that the `results` * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `Found tests without results` * Code: `test.test_results_found` +* To exclude this rule, add `test.test_results_found` to the `exclude` list in your policy config. You can also exclude the entire package with `test`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/test/test.rego#L90[Source, window="_blank"] diff --git a/antora/docs/modules/ROOT/pages/packages/release_test_attestation.adoc b/antora/docs/modules/ROOT/pages/packages/release_test_attestation.adoc index 2363555d7..ac09dfaab 100644 --- a/antora/docs/modules/ROOT/pages/packages/release_test_attestation.adoc +++ b/antora/docs/modules/ROOT/pages/packages/release_test_attestation.adoc 
@@ -18,6 +18,7 @@ Produce a violation if any test result attestation has a result of "FAILED". Fai * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `Test attestation %q has a failed result, failed tests %s` * Code: `test_attestation.no_failed_tests` +* To exclude this rule, add `test_attestation.no_failed_tests` to the `exclude` list in your policy config. You can also exclude the entire package with `test_attestation`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/test_attestation/test_attestation.rego#L51[Source, window="_blank"] [#test_attestation__no_test_warnings] @@ -30,6 +31,7 @@ Produce a warning if any test result attestation has a result of "WARNED". Warne * Rule type: [rule-type-indicator warning]#WARNING# * WARNING message: `Test attestation %q has warnings, warned tests %s` * Code: `test_attestation.no_test_warnings` +* To exclude this rule, add `test_attestation.no_test_warnings` to the `exclude` list in your policy config. You can also exclude the entire package with `test_attestation`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/test_attestation/test_attestation.rego#L133[Source, window="_blank"] [#test_attestation__test_result_known] 
@@ -42,6 +44,7 @@ Ensure the result field of each test result attestation is a recognized value. V * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `Test attestation %q has an unsupported result value %q` * Code: `test_attestation.test_result_known` +* To exclude this rule, add `test_attestation.test_result_known` to the `exclude` list in your policy config. You can also exclude the entire package with `test_attestation`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/test_attestation/test_attestation.rego#L79[Source, window="_blank"] [#test_attestation__test_data_found] @@ -54,4 +57,5 @@ Each test result attestation must include a result field in its predicate. Verif * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `Test attestation %q is missing the required result field` * Code: `test_attestation.test_data_found` +* To exclude this rule, add `test_attestation.test_data_found` to the `exclude` list in your policy config. You can also exclude the entire package with `test_attestation`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/test_attestation/test_attestation.rego#L107[Source, window="_blank"] diff --git a/antora/docs/modules/ROOT/pages/packages/release_trusted_task.adoc b/antora/docs/modules/ROOT/pages/packages/release_trusted_task.adoc index 234afb408..b17c198e2 100644 --- a/antora/docs/modules/ROOT/pages/packages/release_trusted_task.adoc +++ b/antora/docs/modules/ROOT/pages/packages/release_trusted_task.adoc 
@@ -18,6 +18,7 @@ Confirm the expected `trusted_tasks` data keys have been provided in the expecte * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `%s` * Code: `trusted_task.data_format` +* To exclude this rule, add `trusted_task.data_format` to the `exclude` list in your policy config. You can also exclude the entire package with `trusted_task`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/trusted_task/trusted_task.rego#L258[Source, window="_blank"] [#trusted_task__future_deny_rule] @@ -30,6 +31,7 @@ Warn when a task matches a deny rule that has an effective_on date in the future * Rule type: [rule-type-indicator warning]#WARNING# * WARNING message: `Task %q will be denied by rule pattern %q starting on %s.` * Code: `trusted_task.future_deny_rule` +* To exclude this rule, add `trusted_task.future_deny_rule` to the `exclude` list in your policy config. You can also exclude the entire package with `trusted_task`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/trusted_task/trusted_task.rego#L112[Source, window="_blank"] [#trusted_task__pinned] @@ -42,6 +44,7 @@ Check if all Tekton Tasks use a Task definition by a pinned reference. When usin * Rule type: [rule-type-indicator warning]#WARNING# * WARNING message: `Pipeline task %q uses an unpinned task reference, %s` * Code: `trusted_task.pinned` +* To exclude this rule, add `trusted_task.pinned` to the `exclude` list in your policy config. You can also exclude the entire package with `trusted_task`, or exclude by collection with `@collection-name`. * Effective from: `2024-05-07T00:00:00Z` * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/trusted_task/trusted_task.rego#L53[Source, window="_blank"] 
@@ -55,6 +58,7 @@ Check if all Tekton Tasks defined with the bundle format contain a tag reference * Rule type: [rule-type-indicator warning]#WARNING# * WARNING message: `Pipeline task %q uses an untagged task reference, %s` * Code: `trusted_task.tagged` +* To exclude this rule, add `trusted_task.tagged` to the `exclude` list in your policy config. You can also exclude the entire package with `trusted_task`, or exclude by collection with `@collection-name`. * Effective from: `2024-05-07T00:00:00Z` * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/trusted_task/trusted_task.rego#L29[Source, window="_blank"] @@ -68,6 +72,7 @@ Confirm the `trusted_tasks` rule data was provided, since it's required by the p * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `Missing required trusted_tasks data` * Code: `trusted_task.data` +* To exclude this rule, add `trusted_task.data` to the `exclude` list in your policy config. You can also exclude the entire package with `trusted_task`, or exclude by collection with `@collection-name`. * Effective from: `2024-05-07T00:00:00Z` * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/trusted_task/trusted_task.rego#L238[Source, window="_blank"] @@ -81,6 +86,7 @@ Check the trust of the Tekton Tasks used in the build Pipeline. There are two mo * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `%s` * Code: `trusted_task.trusted` +* To exclude this rule, add `trusted_task.trusted` to the `exclude` list in your policy config. You can also exclude the entire package with `trusted_task`, or exclude by collection with `@collection-name`. * Effective from: `2024-05-07T00:00:00Z` * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/trusted_task/trusted_task.rego#L138[Source, window="_blank"] 
@@ -94,6 +100,7 @@ Check if all Tekton Tasks use the latest known Task reference. When warnings wil * Rule type: [rule-type-indicator warning]#WARNING# * WARNING message: `A newer version of task %q exists. Please update before %s. The current bundle is %q and the latest bundle ref is %q` * Code: `trusted_task.current` +* To exclude this rule, add `trusted_task.current` to the `exclude` list in your policy config. You can also exclude the entire package with `trusted_task`, or exclude by collection with `@collection-name`. * Effective from: `2024-05-07T00:00:00Z` * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/trusted_task/trusted_task.rego#L79[Source, window="_blank"] @@ -107,6 +114,7 @@ All input trusted artifacts must be produced on the pipeline. If they are not th * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `Code tampering detected, input %q for task %q was not produced by the pipeline as attested.` * Code: `trusted_task.valid_trusted_artifact_inputs` +* To exclude this rule, add `trusted_task.valid_trusted_artifact_inputs` to the `exclude` list in your policy config. You can also exclude the entire package with `trusted_task`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/trusted_task/trusted_task.rego#L200[Source, window="_blank"] [#trusted_task__trusted_parameters] 
@@ -119,5 +127,6 @@ Confirm certain parameters provided to each builder Task have come from trusted * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `The %q parameter of the %q PipelineTask includes an untrusted digest: %s` * Code: `trusted_task.trusted_parameters` +* To exclude this rule, add `trusted_task.trusted_parameters` to the `exclude` list in your policy config. You can also exclude the entire package with `trusted_task`, or exclude by collection with `@collection-name`. * Effective from: `2021-07-04T00:00:00Z` * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/trusted_task/trusted_task.rego#L164[Source, window="_blank"] diff --git a/antora/docs/modules/ROOT/pages/packages/release_volatile_config.adoc b/antora/docs/modules/ROOT/pages/packages/release_volatile_config.adoc index 04225c579..c48992cbb 100644 --- a/antora/docs/modules/ROOT/pages/packages/release_volatile_config.adoc +++ b/antora/docs/modules/ROOT/pages/packages/release_volatile_config.adoc @@ -18,6 +18,7 @@ Generates a warning when a volatile configuration rule will expire within the co * Rule type: [rule-type-indicator warning]#WARNING# * WARNING message: `Volatile %s rule '%s' expires in %d days (effective until: %s)` * Code: `volatile_config.expiring_rule` +* To exclude this rule, add `volatile_config.expiring_rule` to the `exclude` list in your policy config. You can also exclude the entire package with `volatile_config`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/volatile_config/volatile_config.rego#L60[Source, window="_blank"] [#volatile_config__expired_rule] 
@@ -30,6 +31,7 @@ Generates a warning when a volatile configuration rule has passed its effectiveU * Rule type: [rule-type-indicator warning]#WARNING# * WARNING message: `Volatile %s rule '%s' has expired (effective until: %s)` * Code: `volatile_config.expired_rule` +* To exclude this rule, add `volatile_config.expired_rule` to the `exclude` list in your policy config. You can also exclude the entire package with `volatile_config`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/volatile_config/volatile_config.rego#L113[Source, window="_blank"] [#volatile_config__invalid_config] @@ -42,6 +44,7 @@ Generates a warning when a volatile configuration rule has invalid date values t * Rule type: [rule-type-indicator warning]#WARNING# * WARNING message: `Volatile %s rule '%s' has invalid date configuration (effectiveOn: %s, effectiveUntil: %s)` * Code: `volatile_config.invalid_config` +* To exclude this rule, add `volatile_config.invalid_config` to the `exclude` list in your policy config. You can also exclude the entire package with `volatile_config`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/volatile_config/volatile_config.rego#L138[Source, window="_blank"] [#volatile_config__no_expiration] 
@@ -54,6 +57,7 @@ Generates a warning when a volatile configuration rule has no effectiveUntil dat * Rule type: [rule-type-indicator warning]#WARNING# * WARNING message: `Volatile %s rule '%s' has no expiration date set` * Code: `volatile_config.no_expiration` +* To exclude this rule, add `volatile_config.no_expiration` to the `exclude` list in your policy config. You can also exclude the entire package with `volatile_config`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/volatile_config/volatile_config.rego#L87[Source, window="_blank"] [#volatile_config__pending_rule] @@ -66,4 +70,5 @@ Generates a warning when a volatile configuration rule has an effectiveOn date i * Rule type: [rule-type-indicator warning]#WARNING# * WARNING message: `Volatile %s rule '%s' is pending activation (effective on: %s)` * Code: `volatile_config.pending_rule` +* To exclude this rule, add `volatile_config.pending_rule` to the `exclude` list in your policy config. You can also exclude the entire package with `volatile_config`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/volatile_config/volatile_config.rego#L35[Source, window="_blank"] diff --git a/antora/docs/modules/ROOT/pages/packages/stepaction_stepaction_image.adoc b/antora/docs/modules/ROOT/pages/packages/stepaction_stepaction_image.adoc index f234bcc3a..317ed778c 100644 --- a/antora/docs/modules/ROOT/pages/packages/stepaction_stepaction_image.adoc +++ b/antora/docs/modules/ROOT/pages/packages/stepaction_stepaction_image.adoc 
@@ -18,6 +18,7 @@ Confirm the StepAction uses a container image with a URL that matches one of the * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `Image ref %q is disallowed` * Code: `stepaction_image.permitted` +* To exclude this rule, add `stepaction_image.permitted` to the `exclude` list in your policy config. You can also exclude the entire package with `stepaction_image`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/stepaction/stepaction_image/stepaction_image.rego#L40[Source, window="_blank"] [#stepaction_image__accessible] @@ -30,6 +31,7 @@ Confirm the container image used in the StepTemplate is accessible. * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `Image ref %q is inaccessible` * Code: `stepaction_image.accessible` +* To exclude this rule, add `stepaction_image.accessible` to the `exclude` list in your policy config. You can also exclude the entire package with `stepaction_image`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/stepaction/stepaction_image/stepaction_image.rego#L18[Source, window="_blank"] [#stepaction_image__rule_data] @@ -42,4 +44,5 @@ Confirm the `allowed_step_image_registry_prefixes` rule data is provided. * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `%s` * Code: `stepaction_image.rule_data` +* To exclude this rule, add `stepaction_image.rule_data` to the `exclude` list in your policy config. You can also exclude the entire package with `stepaction_image`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/stepaction/stepaction_image/stepaction_image.rego#L64[Source, window="_blank"] 
diff --git a/antora/docs/modules/ROOT/pages/packages/stepaction_stepaction_kind.adoc b/antora/docs/modules/ROOT/pages/packages/stepaction_stepaction_kind.adoc index 858760d2a..72a52ad75 100644 --- a/antora/docs/modules/ROOT/pages/packages/stepaction_stepaction_kind.adoc +++ b/antora/docs/modules/ROOT/pages/packages/stepaction_stepaction_kind.adoc @@ -16,4 +16,5 @@ Confirm the StepAction definition has the kind "StepAction". * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `Unexpected kind %q for StepAction definition` * Code: `stepaction_kind.valid` +* To exclude this rule, add `stepaction_kind.valid` to the `exclude` list in your policy config. You can also exclude the entire package with `stepaction_kind`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/stepaction/stepaction_kind/stepaction_kind.rego#L14[Source, window="_blank"] diff --git a/antora/docs/modules/ROOT/pages/packages/task_annotations.adoc b/antora/docs/modules/ROOT/pages/packages/task_annotations.adoc index 71c8f45a3..a6ca61511 100644 --- a/antora/docs/modules/ROOT/pages/packages/task_annotations.adoc +++ b/antora/docs/modules/ROOT/pages/packages/task_annotations.adoc @@ -16,4 +16,5 @@ Make sure to use the date format in RFC3339 format in the "build.appstudio.redha * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `Expires on time is not in RFC3339 format: %q` * Code: `annotations.expires_on_format` +* To exclude this rule, add `annotations.expires_on_format` to the `exclude` list in your policy config. You can also exclude the entire package with `annotations`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/task/annotations/annotations.rego#L15[Source, window="_blank"] 
diff --git a/antora/docs/modules/ROOT/pages/packages/task_kind.adoc b/antora/docs/modules/ROOT/pages/packages/task_kind.adoc index eb841f80f..bc245c38d 100644 --- a/antora/docs/modules/ROOT/pages/packages/task_kind.adoc +++ b/antora/docs/modules/ROOT/pages/packages/task_kind.adoc @@ -16,6 +16,7 @@ Confirm the task definition includes the kind field. * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `Required field 'kind' not found` * Code: `kind.kind_present` +* To exclude this rule, add `kind.kind_present` to the `exclude` list in your policy config. You can also exclude the entire package with `kind`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/task/kind/kind.rego#L31[Source, window="_blank"] [#kind__expected_kind] @@ -26,4 +27,5 @@ Confirm the task definition has the kind "Task". * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `Unexpected kind '%s' for task definition` * Code: `kind.expected_kind` +* To exclude this rule, add `kind.expected_kind` to the `exclude` list in your policy config. You can also exclude the entire package with `kind`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/task/kind/kind.rego#L17[Source, window="_blank"] diff --git a/antora/docs/modules/ROOT/pages/packages/task_results.adoc b/antora/docs/modules/ROOT/pages/packages/task_results.adoc index 379194387..fbd6320f0 100644 --- a/antora/docs/modules/ROOT/pages/packages/task_results.adoc +++ b/antora/docs/modules/ROOT/pages/packages/task_results.adoc 
@@ -16,6 +16,7 @@ Verify if Task defines the required result. This is controlled by the `required_ * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `%s` * Code: `results.required` +* To exclude this rule, add `results.required` to the `exclude` list in your policy config. You can also exclude the entire package with `results`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/task/results/results.rego#L16[Source, window="_blank"] [#results__rule_data_provided] @@ -28,4 +29,5 @@ Confirm the expected `required_task_results` rule data key has been provided in * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `%s` * Code: `results.rule_data_provided` +* To exclude this rule, add `results.rule_data_provided` to the `exclude` list in your policy config. You can also exclude the entire package with `results`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/task/results/results.rego#L31[Source, window="_blank"] diff --git a/antora/docs/modules/ROOT/pages/packages/task_step_image_registries.adoc b/antora/docs/modules/ROOT/pages/packages/task_step_image_registries.adoc index 4ac7909e0..09d1ecd13 100644 --- a/antora/docs/modules/ROOT/pages/packages/task_step_image_registries.adoc +++ b/antora/docs/modules/ROOT/pages/packages/task_step_image_registries.adoc 
@@ -18,6 +18,7 @@ Confirm the `allowed_step_image_registry_prefixes` rule data was provided, since * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `%s` * Code: `step_image_registries.step_image_registry_prefix_list_provided` +* To exclude this rule, add `step_image_registries.step_image_registry_prefix_list_provided` to the `exclude` list in your policy config. You can also exclude the entire package with `step_image_registries`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/task/step_image_registries/step_image_registries.rego#L47[Source, window="_blank"] [#step_image_registries__step_images_permitted] @@ -30,4 +31,5 @@ Confirm that each step in the Task uses a container image with a URL that matche * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `Step %d uses disallowed image ref '%s'` * Code: `step_image_registries.step_images_permitted` +* To exclude this rule, add `step_image_registries.step_images_permitted` to the `exclude` list in your policy config. You can also exclude the entire package with `step_image_registries`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/task/step_image_registries/step_image_registries.rego#L19[Source, window="_blank"] diff --git a/antora/docs/modules/ROOT/pages/packages/task_step_images.adoc b/antora/docs/modules/ROOT/pages/packages/task_step_images.adoc index 8bcafbb4d..eaa52b903 100644 --- a/antora/docs/modules/ROOT/pages/packages/task_step_images.adoc +++ b/antora/docs/modules/ROOT/pages/packages/task_step_images.adoc 
@@ -18,5 +18,6 @@ Confirm that each step in the Task uses a container image that is accessible. * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `Step %d uses inaccessible image ref '%s'` * Code: `step_images.step_images_accessible` +* To exclude this rule, add `step_images.step_images_accessible` to the `exclude` list in your policy config. You can also exclude the entire package with `step_images`, or exclude by collection with `@collection-name`. * Effective from: `2025-02-10T00:00:00Z` * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/task/step_images/step_images.rego#L15[Source, window="_blank"] diff --git a/antora/docs/modules/ROOT/pages/packages/task_trusted_artifacts.adoc b/antora/docs/modules/ROOT/pages/packages/task_trusted_artifacts.adoc index 3a175d888..4400914e4 100644 --- a/antora/docs/modules/ROOT/pages/packages/task_trusted_artifacts.adoc +++ b/antora/docs/modules/ROOT/pages/packages/task_trusted_artifacts.adoc @@ -16,6 +16,7 @@ Trusted Artifact parameters follow the expected naming convention. * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `The parameter %q of the Task %q does not use the _ARTIFACT suffix` * Code: `trusted_artifacts.parameter` +* To exclude this rule, add `trusted_artifacts.parameter` to the `exclude` list in your policy config. You can also exclude the entire package with `trusted_artifacts`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/task/trusted_artifacts/trusted_artifacts.rego#L17[Source, window="_blank"] [#trusted_artifacts__result] 
@@ -26,6 +27,7 @@ Trusted Artifact results follow the expected naming convention. * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `The result %q of the Task %q does not use the _ARTIFACT suffix` * Code: `trusted_artifacts.result` +* To exclude this rule, add `trusted_artifacts.result` to the `exclude` list in your policy config. You can also exclude the entire package with `trusted_artifacts`, or exclude by collection with `@collection-name`. * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/task/trusted_artifacts/trusted_artifacts.rego#L30[Source, window="_blank"] [#trusted_artifacts__workspace] @@ -36,5 +38,6 @@ Tasks that implement the Trusted Artifacts pattern should not allow general purp * Rule type: [rule-type-indicator failure]#FAILURE# * FAILURE message: `General purpose workspace %q is not allowed` * Code: `trusted_artifacts.workspace` +* To exclude this rule, add `trusted_artifacts.workspace` to the `exclude` list in your policy config. You can also exclude the entire package with `trusted_artifacts`, or exclude by collection with `@collection-name`. * Effective from: `2024-07-07T00:00:00Z` * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/task/trusted_artifacts/trusted_artifacts.rego#L43[Source, window="_blank"] diff --git a/docs/asciidoc/package.template b/docs/asciidoc/package.template index 38f4c4158..e2006fd40 100644 --- a/docs/asciidoc/package.template +++ b/docs/asciidoc/package.template 
@@ -24,6 +24,7 @@ * Rule type: [rule-type-indicator {{ warningOrFailure . }}]#{{ toUpper (warningOrFailure .) }}# * {{ toTitle (warningOrFailure .) }} message: `{{ index .Custom "failure_msg" }}` * Code: `{{ packageName $pkg }}.{{ index .Custom "short_name" }}` +* To exclude this rule, add `{{ packageName $pkg }}.{{ index .Custom "short_name" }}` to the `exclude` list in your policy config. You can also exclude the entire package with `{{ packageName $pkg }}`, or exclude by collection with `@collection-name`. {{- with index .Custom "effective_on" }} * Effective from: `{{ formatTime . }}` {{- end }}{{/* index .Custom "effective_on" */}}
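Review bot: In the `docs/asciidoc/package.template` hunk, the added bullet prints the literal `@collection-name` for every rule, so each generated page in this patch (`task_kind.adoc`, `task_results.adoc`, `task_trusted_artifacts.adoc` and the others) tells readers to exclude by a placeholder they cannot copy as written. If the data passed to the template includes the rule's collections, render the real names here; if it does not, mark the placeholder as one (for example `@<collection-name>`) and point to where collections are listed. The bullet also repeats the `{{ packageName $pkg }}.{{ index .Custom "short_name" }}` expression from the `Code` line directly above it; binding that to a template variable once would keep the two lines from drifting apart.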
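Review bot: In the `task_step_image_registries.adoc` and `task_results.adoc` hunks, the exclusion hint is attached unchanged to `step_image_registries.step_image_registry_prefix_list_provided` and `results.rule_data_provided`, the rules that confirm the rule data was supplied at all. The docs should say what `step_image_registries.step_images_permitted` and `results.required` report when the data-provided check is excluded and the data is absent, and the package-wide option (`step_image_registries`, `results`) should state that it drops every FAILURE rule in the package, not only the one being read. A short sentence on that consequence next to the hint would do.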
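Review bot: In the `task_step_images.adoc` hunk and the `trusted_artifacts.workspace` hunk of `task_trusted_artifacts.adoc`, the new bullet lands between `Code` and `Effective from`, so a sentence of guidance splits the rule's metadata fields. This comes from the template placing the line before the `{{- with index .Custom "effective_on" }}` block; moving it after the `{{- end }}` would keep `Rule type`, message, `Code` and `Effective from` together and put the exclusion hint last, just before the Source link.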