Verify NPM Packages Origin
Type: Rule
ID: sbom-allowed-npm-registries
Source: v2/rules/images/allowed-npm-registries.yaml
Rego Source: allowed-npm-registries.rego
Labels: SBOM, Image
Verify that the artifact contains only components from allowed NPM registries.
This rule requires an Image SBOM. See here for more details.
Components type reference: https://cyclonedx.org/docs/1.6/json/#components_items_type
Signed Evidence for this rule IS NOT required by default but is recommended.
Rule requires evaluation with a target. Without one, it will be disabled unless the --all-evidence flag is provided.
Rule is scoped by product and target.
Usage example

```yaml
uses: images/allowed-npm-registries@v2
with:
  types:
    - library
    - operating-system
```
Mitigation
Ensures that only NPM components from approved registries are included in the SBOM, reducing the risk of introducing vulnerabilities or unapproved dependencies into the software supply chain.
Description
This rule inspects the CycloneDX SBOM evidence for the artifact to verify that it contains only components from allowed registries. It performs the following steps:
- Iterates over the NPM components listed in the SBOM.
- For remotely installed components, checks the `registryUrl` property to ensure it matches one of the allowed NPM registries specified in the `with.allowed_registries` configuration.
Evidence Requirements:
- Evidence must be provided in the CycloneDX JSON format.
- The SBOM must include a list of components with their types and names.
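The check described above, as an added Python illustration rather than the rule's own Rego: it walks a constructed CycloneDX JSON SBOM, selects NPM components by their `pkg:npm/` purl, and compares each component's `registryUrl` property against the allowed list. The property name `registryUrl` is taken from this page; the sample SBOM, the purl-based component selection and the URL normalization are assumptions of this example.

```python
import json
from urllib.parse import urlparse

# Constructed sample CycloneDX JSON SBOM (not taken from the page).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.6",
    "components": [
        {"type": "library", "name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.21",
         "properties": [{"name": "registryUrl", "value": "https://registry.npmjs.org/"}]},
        {"type": "library", "name": "internal-utils", "version": "1.0.0",
         "purl": "pkg:npm/%40acme/internal-utils@1.0.0",
         "properties": [{"name": "registryUrl", "value": "https://npm.example.net/"}]},
        {"type": "library", "name": "local-lib", "version": "0.1.0",
         "purl": "pkg:npm/local-lib@0.1.0"},   # no registryUrl: not remotely installed
        {"type": "library", "name": "openssl", "version": "3.0.2",
         "purl": "pkg:deb/debian/openssl@3.0.2"},  # not an NPM component, ignored
    ],
})

def normalize_registry(url):
    """Compare registries by scheme, host and path, ignoring case and a trailing slash."""
    p = urlparse(url.strip())
    return (p.scheme.lower(), p.netloc.lower(), p.path.rstrip("/"))

def check_npm_registries(sbom_json, allowed_registries):
    """Return (violations, missing): violations are (purl, registryUrl) pairs for NPM
    components installed from a registry outside allowed_registries; missing lists
    NPM components that carry no registryUrl property, which the check cannot verify."""
    allowed = {normalize_registry(u) for u in allowed_registries}
    violations, missing = [], []
    for comp in json.loads(sbom_json).get("components", []):
        purl = comp.get("purl", "")
        if not purl.startswith("pkg:npm/"):
            continue  # only NPM components are in scope for this rule
        props = {p.get("name"): p.get("value") for p in comp.get("properties", [])}
        registry = props.get("registryUrl")
        if registry is None:
            missing.append(purl)
        elif normalize_registry(registry) not in allowed:
            violations.append((purl, registry))
    return violations, missing

if __name__ == "__main__":
    bad, unknown = check_npm_registries(SAMPLE_SBOM, ["https://registry.npmjs.org"])
    for purl, reg in bad:
        print(f"DISALLOWED {purl} from {reg}")
    for purl in unknown:
        print(f"UNVERIFIED {purl}: no registryUrl property")
```

Components without a `registryUrl` are reported separately because they are a blind spot for the check, not a pass.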
Evidence Requirements

| Field | Value |
|---|---|
| filter-by | ['product', 'target'] |
| signed | False |
| content_body_type | cyclonedx-json |
| target_type | container |
Input Definitions

| Parameter | Type | Required | Description |
|---|---|---|---|
| allowed_registries | array | False | A list of allowed NPM registries. |