generate only provenance att

Author: st3penta

.github/workflows/build-attest.yml

@@ -65,25 +65,6 @@ jobs:
       - name: Install Cosign
         uses: sigstore/cosign-installer@v3
 
-      - name: Generate SBOM for container image
-        uses: anchore/sbom-action@v0
-        with:
-          image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.push.outputs.digest }}
-          output-file: build-sample-sbom.spdx.json
-          artifact-name: "build-sample-sbom.spdx.json"
-
-      - name: Sign container image with Cosign
-        run: |
-          cosign sign --yes \
-            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.push.outputs.digest }}
-
-      - name: Attest SBOM with Cosign
-        run: |
-          cosign attest --yes \
-            --predicate build-sample-sbom.spdx.json \
-            --type spdx \
-            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.push.outputs.digest }}
-
       - name: Generate SLSA provenance with GitHub action
         uses: actions/attest-build-provenance/predicate@v3
         id: provenance

policy/policy.yaml

@@ -0,0 +1,16 @@
+sources:
+  - policy:
+      - oci::quay.io/enterprise-contract/ec-release-policy:latest
+
+    config:
+      include:
+        - slsa_build_build_service.slsa_builder_id_found
+        - slsa_build_build_service.allowed_builder_ids_provided
+
+    ruleData:
+      disallowed_packages:
+        - purl: "pkg:oci/critical-cve-package"
+          format: "semver"
+          max: "1.30.0"
+      allowed_builder_ids:
+        - tbd