Registry Connection HTTPS
Type: Rule
ID: images-registry-https-check
Source: v2/rules/images/enforce-https-registry.yaml
Rego Source: enforce-https-registry.rego
Labels: Registry, Images
Checks if the container's registry scheme is HTTPS
This rule requires Image SBOM. See here for more details.
Signed Evidence for this rule IS NOT required by default but is recommended.
Rule requires evaluation with a target. Without one, it will be disabled unless the --all-evidence flag is provided.
Rule is scoped by product and target.
Usage example
uses: images/enforce-https-registry@v2
Description
This rule examines the CycloneDX SBOM evidence for a container image to verify that the registry connection
is secure. It does so by scanning the metadata.component.properties array for a property named
'registry_scheme'. If the value of this property is exactly 'https', the rule passes; otherwise, it fails,
indicating that the image may have been pulled from an insecure registry.
Evidence Requirements:
- Evidence must be provided in the CycloneDX JSON format.
- The SBOM should include a
metadata.component.propertiesarray with an entry for 'registry_scheme'.
Evidence Requirements
| Field | Value |
|---|---|
| signed | False |
| content_body_type | cyclonedx-json |
| target_type | container |
| filter-by | ['product', 'target'] |