Require Image Labels
Type: Rule
ID: required-image-labels
Source: v2/rules/images/verify-labels-exist.yaml
Rego Source: verify-labels-exist.rego
Labels: SBOM, Images
Verify the image has the specified labels.
This rule requires Image SBOM. See here for more details.
Signed Evidence for this rule IS NOT required by default but is recommended.
Rule requires evaluation with a target. Without one, it will be disabled unless the --all-evidence flag is provided.
Rule is scoped by target and product.
Usage example
uses: images/verify-labels-exist@v2
with:
labels:
- "org.opencontainers.image.created"
- "org.opencontainers.image.revision"
- "org.opencontainers.image.title"
- "org.opencontainers.image.vendor"
- "org.opencontainers.image.version"
Mitigation
Ensures that container images include all required metadata labels, which are essential for traceability, auditing, and enforcing compliance with security and operational standards.
Description
This rule checks the CycloneDX SBOM evidence for the container image to verify that each required label
(as defined in the with.labels parameter) exists with the correct value.
- The rule iterates over the list of required labels provided in the
with.labelsconfiguration. - For each required label, it examines the
metadata.component.propertiesarray in the SBOM. - It looks for a property where the name starts with "label_" and ends with the required label key, and where the property value matches the expected value.
- If such a property is not found, a violation is recorded with the missing label and expected value details.
Evidence Requirements
- Evidence must be provided in the
cyclonedx-jsonformat. - The SBOM should include a
metadata.component.propertiesarray that contains label information.
Evidence Requirements
| Field | Value |
|---|---|
| signed | False |
| content_body_type | cyclonedx-json |
| target_type | container |
| filter-by | ['target', 'product'] |
Input Definitions
| Parameter | Type | Required | Description |
|---|---|---|---|
| labels | array | False | A list of required labels. |