Enforce Allowed SBOM Components
Type: Rule
ID: sbom-allowed-components
Source: v2/rules/sbom/allowed-components.yaml
Rego Source: allowed-components.rego
Labels: SBOM, Image
Verify the artifact contains only allowed components.
This rule requires Image SBOM. See here for more details.
Components type reference: https://cyclonedx.org/docs/1.6/json/#components_items_type
Signed Evidence for this rule IS NOT required by default but is recommended.
Rule requires evaluation with a target. Without one, it will be disabled unless the --all-evidence flag is provided.
Rule is scoped by product and target.
Usage example

```yaml
uses: sbom/allowed-components@v2
with:
  types:
    - library
    - operating-system
```
Mitigation
Ensures that only approved components are included in the SBOM, reducing the risk of introducing vulnerabilities or unapproved dependencies into the software supply chain.
Description
This rule inspects the CycloneDX SBOM evidence for the artifact to verify that it contains only allowed components. It performs the following steps:
- Iterates over the components listed in the SBOM.
- Checks each component's type against the allowed types specified in the `with.types` configuration.
- Compares each component's name against the allowlist provided in the `with.allowlist` configuration.
- If a component's type or name is not allowed, the rule flags it as a violation.
Evidence Requirements:
- Evidence must be provided in the CycloneDX JSON format.
- The SBOM must include a list of components with their types and names.
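The steps above, worked through as an added Python example. This is not the rule's own Rego implementation and not code from the project; it is a stand-alone checker that applies the same two tests (component type against `types`, component name against `allowlist`) to a constructed CycloneDX JSON document. The sample SBOM, the component names and the configuration values are all made up for illustration. It goes one step further than the page states: CycloneDX allows a component to carry its own nested `components` array, and this example walks those too, which is an assumption about the rule's behaviour, not something the page confirms.

```python
import json

# Constructed CycloneDX 1.6 SBOM (not from the page). Names and versions are placeholders.
# "alpine" carries a nested component to exercise the recursive walk.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.13"},
        {
            "type": "operating-system", "name": "alpine", "version": "3.19",
            "components": [{"type": "library", "name": "musl", "version": "1.2.4"}],
        },
        {"type": "library", "name": "leftpad-legacy", "version": "0.1.0"},
        {"type": "application", "name": "openssl", "version": "3.0.13"},
    ],
})

# Hypothetical rule configuration using the page's `with.types` / `with.allowlist` keys.
CONFIG = {
    "types": ["library", "operating-system"],
    "allowlist": ["openssl", "alpine"],
}


def iter_components(components):
    """Yield every component, including components nested inside other components."""
    for component in components:
        yield component
        yield from iter_components(component.get("components", []))


def find_violations(sbom_json, config):
    """Return (component, reason) pairs for every component whose type or name is not allowed.

    A component can produce two entries when both its type and its name are disallowed.
    """
    sbom = json.loads(sbom_json)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("evidence is not a CycloneDX document")
    allowed_types = set(config["types"])
    allowed_names = set(config["allowlist"])
    violations = []
    for component in iter_components(sbom.get("components", [])):
        ctype = component.get("type")
        name = component.get("name")
        label = f"{name}@{component.get('version', '?')}"
        if ctype not in allowed_types:
            violations.append((label, f"type {ctype!r} not in allowed types"))
        if name not in allowed_names:
            violations.append((label, f"name {name!r} not in allowlist"))
    return violations


def evaluate(sbom_json, config):
    """Rule verdict: True only when no component violates the type or name constraints."""
    return len(find_violations(sbom_json, config)) == 0


if __name__ == "__main__":
    for label, reason in find_violations(SAMPLE_SBOM, CONFIG):
        print(f"violation: {label}: {reason}")
    print("pass" if evaluate(SAMPLE_SBOM, CONFIG) else "fail")
```

Against the constructed SBOM the checker reports three violations: `musl` (nested, not in the allowlist), `leftpad-legacy` (not in the allowlist) and the second `openssl` entry (type `application` is not in `types`). Note that the name check is exact-match on `name` only; a real policy may also want to key on `purl` or `version`, which this example deliberately does not do.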
Evidence Requirements
| Field | Value |
|---|---|
| filter-by | ['product', 'target'] |
| signed | False |
| content_body_type | cyclonedx-json |
| target_type | container |
Input Definitions
| Parameter | Type | Required | Description |
|---|---|---|---|
| types | array | True | A list of allowed component types. |
| allowlist | array | True | A list of allowed components. |