
Google Cloud Native is in preview. Google Cloud Classic is fully supported.

Google Cloud Native v0.32.0 published on Wednesday, Nov 29, 2023 by Pulumi

google-native.binaryauthorization/v1.getPolicy


    Gets a platform policy. Returns NOT_FOUND if the policy doesn’t exist.

    Using getPolicy

    Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.

    function getPolicy(args: GetPolicyArgs, opts?: InvokeOptions): Promise<GetPolicyResult>
    function getPolicyOutput(args: GetPolicyOutputArgs, opts?: InvokeOptions): Output<GetPolicyResult>
    def get_policy(platform_id: Optional[str] = None,
                   policy_id: Optional[str] = None,
                   project: Optional[str] = None,
                   opts: Optional[InvokeOptions] = None) -> GetPolicyResult
    def get_policy_output(platform_id: Optional[pulumi.Input[str]] = None,
                   policy_id: Optional[pulumi.Input[str]] = None,
                   project: Optional[pulumi.Input[str]] = None,
                   opts: Optional[InvokeOptions] = None) -> Output[GetPolicyResult]
    func LookupPolicy(ctx *Context, args *LookupPolicyArgs, opts ...InvokeOption) (*LookupPolicyResult, error)
    func LookupPolicyOutput(ctx *Context, args *LookupPolicyOutputArgs, opts ...InvokeOption) LookupPolicyResultOutput

    > Note: This function is named LookupPolicy in the Go SDK.

    public static class GetPolicy 
    {
        public static Task<GetPolicyResult> InvokeAsync(GetPolicyArgs args, InvokeOptions? opts = null)
        public static Output<GetPolicyResult> Invoke(GetPolicyInvokeArgs args, InvokeOptions? opts = null)
    }
    public static CompletableFuture<GetPolicyResult> getPolicy(GetPolicyArgs args, InvokeOptions options)
    // Output-based functions aren't available in Java yet
    
    fn::invoke:
      function: google-native:binaryauthorization/v1:getPolicy
      arguments:
        # arguments dictionary

    The following arguments are supported. Together they name exactly one policy, projects/{project}/platforms/{platformId}/policies/{policyId}; if no such policy exists the call fails with NOT_FOUND rather than returning an empty result:

    PlatformId string
    PolicyId string
    Project string
    PlatformId string
    PolicyId string
    Project string
    platformId String
    policyId String
    project String
    platformId string
    policyId string
    project string
    platformId String
    policyId String
    project String

    getPolicy Result

    The following output properties are available:

    Description string
    Optional. A description comment about the policy.
    GkePolicy Pulumi.GoogleNative.BinaryAuthorization.V1.Outputs.GkePolicyResponse
    Optional. GKE platform-specific policy.
    Name string
    The relative resource name of the Binary Authorization platform policy, in the form of projects/*/platforms/*/policies/*.
    UpdateTime string
    Time when the policy was last updated.
    Description string
    Optional. A description comment about the policy.
    GkePolicy GkePolicyResponse
    Optional. GKE platform-specific policy.
    Name string
    The relative resource name of the Binary Authorization platform policy, in the form of projects/*/platforms/*/policies/*.
    UpdateTime string
    Time when the policy was last updated.
    description String
    Optional. A description comment about the policy.
    gkePolicy GkePolicyResponse
    Optional. GKE platform-specific policy.
    name String
    The relative resource name of the Binary Authorization platform policy, in the form of projects/*/platforms/*/policies/*.
    updateTime String
    Time when the policy was last updated.
    description string
    Optional. A description comment about the policy.
    gkePolicy GkePolicyResponse
    Optional. GKE platform-specific policy.
    name string
    The relative resource name of the Binary Authorization platform policy, in the form of projects/*/platforms/*/policies/*.
    updateTime string
    Time when the policy was last updated.
    description str
    Optional. A description comment about the policy.
    gke_policy GkePolicyResponse
    Optional. GKE platform-specific policy.
    name str
    The relative resource name of the Binary Authorization platform policy, in the form of projects/*/platforms/*/policies/*.
    update_time str
    Time when the policy was last updated.
    description String
    Optional. A description comment about the policy.
    gkePolicy Property Map
    Optional. GKE platform-specific policy.
    name String
    The relative resource name of the Binary Authorization platform policy, in the form of projects/*/platforms/*/policies/*.
    updateTime String
    Time when the policy was last updated.

    Supporting Types

    AttestationAuthenticatorResponse

    DisplayName string
    Optional. A user-provided name for this AttestationAuthenticator. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
    PkixPublicKeySet Pulumi.GoogleNative.BinaryAuthorization.V1.Inputs.PkixPublicKeySetResponse
    Optional. A set of raw PKIX SubjectPublicKeyInfo format public keys. If any public key in the set validates the attestation signature, then the signature is considered authenticated (i.e. any one key is sufficient to authenticate).
    DisplayName string
    Optional. A user-provided name for this AttestationAuthenticator. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
    PkixPublicKeySet PkixPublicKeySetResponse
    Optional. A set of raw PKIX SubjectPublicKeyInfo format public keys. If any public key in the set validates the attestation signature, then the signature is considered authenticated (i.e. any one key is sufficient to authenticate).
    displayName String
    Optional. A user-provided name for this AttestationAuthenticator. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
    pkixPublicKeySet PkixPublicKeySetResponse
    Optional. A set of raw PKIX SubjectPublicKeyInfo format public keys. If any public key in the set validates the attestation signature, then the signature is considered authenticated (i.e. any one key is sufficient to authenticate).
    displayName string
    Optional. A user-provided name for this AttestationAuthenticator. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
    pkixPublicKeySet PkixPublicKeySetResponse
    Optional. A set of raw PKIX SubjectPublicKeyInfo format public keys. If any public key in the set validates the attestation signature, then the signature is considered authenticated (i.e. any one key is sufficient to authenticate).
    display_name str
    Optional. A user-provided name for this AttestationAuthenticator. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
    pkix_public_key_set PkixPublicKeySetResponse
    Optional. A set of raw PKIX SubjectPublicKeyInfo format public keys. If any public key in the set validates the attestation signature, then the signature is considered authenticated (i.e. any one key is sufficient to authenticate).
    displayName String
    Optional. A user-provided name for this AttestationAuthenticator. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
    pkixPublicKeySet Property Map
    Optional. A set of raw PKIX SubjectPublicKeyInfo format public keys. If any public key in the set validates the attestation signature, then the signature is considered authenticated (i.e. any one key is sufficient to authenticate).

    AttestationSourceResponse

    ContainerAnalysisAttestationProjects List<string>
    The IDs of the GCP projects storing the SLSA attestations as Container Analysis Occurrences.
    ContainerAnalysisAttestationProjects []string
    The IDs of the GCP projects storing the SLSA attestations as Container Analysis Occurrences.
    containerAnalysisAttestationProjects List<String>
    The IDs of the GCP projects storing the SLSA attestations as Container Analysis Occurrences.
    containerAnalysisAttestationProjects string[]
    The IDs of the GCP projects storing the SLSA attestations as Container Analysis Occurrences.
    container_analysis_attestation_projects Sequence[str]
    The IDs of the GCP projects storing the SLSA attestations as Container Analysis Occurrences.
    containerAnalysisAttestationProjects List<String>
    The IDs of the GCP projects storing the SLSA attestations as Container Analysis Occurrences.

    CheckResponse

    AlwaysDeny bool
    Optional. A special-case check that always denies. Note that this still only applies when the scope of the CheckSet applies and the image isn't exempted by an image allowlist. This check is primarily useful for testing, or to set the default behavior for all unmatched scopes to "deny".
    DisplayName string
    Optional. A user-provided name for this check. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
    ImageAllowlist Pulumi.GoogleNative.BinaryAuthorization.V1.Inputs.ImageAllowlistResponse
    Optional. Images exempted from this check. If any of the patterns match the image url, the check will not be evaluated.
    ImageFreshnessCheck Pulumi.GoogleNative.BinaryAuthorization.V1.Inputs.ImageFreshnessCheckResponse
    Optional. Require that an image is no older than a configured expiration time. Image age is determined by its upload time.
    SimpleSigningAttestationCheck Pulumi.GoogleNative.BinaryAuthorization.V1.Inputs.SimpleSigningAttestationCheckResponse
    Optional. Require a SimpleSigning-type attestation for every image in the deployment.
    SlsaCheck Pulumi.GoogleNative.BinaryAuthorization.V1.Inputs.SlsaCheckResponse
    Optional. Require that an image was built by a trusted builder (such as Google Cloud Build), meets requirements for Supply-chain Levels for Software Artifacts (SLSA), and was built from a trusted source code repository.
    TrustedDirectoryCheck Pulumi.GoogleNative.BinaryAuthorization.V1.Inputs.TrustedDirectoryCheckResponse
    Optional. Require that an image lives in a trusted directory.
    VulnerabilityCheck Pulumi.GoogleNative.BinaryAuthorization.V1.Inputs.VulnerabilityCheckResponse
    Optional. Require that an image does not contain vulnerabilities that violate the configured rules, such as based on severity levels.
    AlwaysDeny bool
    Optional. A special-case check that always denies. Note that this still only applies when the scope of the CheckSet applies and the image isn't exempted by an image allowlist. This check is primarily useful for testing, or to set the default behavior for all unmatched scopes to "deny".
    DisplayName string
    Optional. A user-provided name for this check. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
    ImageAllowlist ImageAllowlistResponse
    Optional. Images exempted from this check. If any of the patterns match the image url, the check will not be evaluated.
    ImageFreshnessCheck ImageFreshnessCheckResponse
    Optional. Require that an image is no older than a configured expiration time. Image age is determined by its upload time.
    SimpleSigningAttestationCheck SimpleSigningAttestationCheckResponse
    Optional. Require a SimpleSigning-type attestation for every image in the deployment.
    SlsaCheck SlsaCheckResponse
    Optional. Require that an image was built by a trusted builder (such as Google Cloud Build), meets requirements for Supply-chain Levels for Software Artifacts (SLSA), and was built from a trusted source code repository.
    TrustedDirectoryCheck TrustedDirectoryCheckResponse
    Optional. Require that an image lives in a trusted directory.
    VulnerabilityCheck VulnerabilityCheckResponse
    Optional. Require that an image does not contain vulnerabilities that violate the configured rules, such as based on severity levels.
    alwaysDeny Boolean
    Optional. A special-case check that always denies. Note that this still only applies when the scope of the CheckSet applies and the image isn't exempted by an image allowlist. This check is primarily useful for testing, or to set the default behavior for all unmatched scopes to "deny".
    displayName String
    Optional. A user-provided name for this check. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
    imageAllowlist ImageAllowlistResponse
    Optional. Images exempted from this check. If any of the patterns match the image url, the check will not be evaluated.
    imageFreshnessCheck ImageFreshnessCheckResponse
    Optional. Require that an image is no older than a configured expiration time. Image age is determined by its upload time.
    simpleSigningAttestationCheck SimpleSigningAttestationCheckResponse
    Optional. Require a SimpleSigning-type attestation for every image in the deployment.
    slsaCheck SlsaCheckResponse
    Optional. Require that an image was built by a trusted builder (such as Google Cloud Build), meets requirements for Supply-chain Levels for Software Artifacts (SLSA), and was built from a trusted source code repository.
    trustedDirectoryCheck TrustedDirectoryCheckResponse
    Optional. Require that an image lives in a trusted directory.
    vulnerabilityCheck VulnerabilityCheckResponse
    Optional. Require that an image does not contain vulnerabilities that violate the configured rules, such as based on severity levels.
    alwaysDeny boolean
    Optional. A special-case check that always denies. Note that this still only applies when the scope of the CheckSet applies and the image isn't exempted by an image allowlist. This check is primarily useful for testing, or to set the default behavior for all unmatched scopes to "deny".
    displayName string
    Optional. A user-provided name for this check. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
    imageAllowlist ImageAllowlistResponse
    Optional. Images exempted from this check. If any of the patterns match the image url, the check will not be evaluated.
    imageFreshnessCheck ImageFreshnessCheckResponse
    Optional. Require that an image is no older than a configured expiration time. Image age is determined by its upload time.
    simpleSigningAttestationCheck SimpleSigningAttestationCheckResponse
    Optional. Require a SimpleSigning-type attestation for every image in the deployment.
    slsaCheck SlsaCheckResponse
    Optional. Require that an image was built by a trusted builder (such as Google Cloud Build), meets requirements for Supply-chain Levels for Software Artifacts (SLSA), and was built from a trusted source code repository.
    trustedDirectoryCheck TrustedDirectoryCheckResponse
    Optional. Require that an image lives in a trusted directory.
    vulnerabilityCheck VulnerabilityCheckResponse
    Optional. Require that an image does not contain vulnerabilities that violate the configured rules, such as based on severity levels.
    always_deny bool
    Optional. A special-case check that always denies. Note that this still only applies when the scope of the CheckSet applies and the image isn't exempted by an image allowlist. This check is primarily useful for testing, or to set the default behavior for all unmatched scopes to "deny".
    display_name str
    Optional. A user-provided name for this check. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
    image_allowlist ImageAllowlistResponse
    Optional. Images exempted from this check. If any of the patterns match the image url, the check will not be evaluated.
    image_freshness_check ImageFreshnessCheckResponse
    Optional. Require that an image is no older than a configured expiration time. Image age is determined by its upload time.
    simple_signing_attestation_check SimpleSigningAttestationCheckResponse
    Optional. Require a SimpleSigning-type attestation for every image in the deployment.
    slsa_check SlsaCheckResponse
    Optional. Require that an image was built by a trusted builder (such as Google Cloud Build), meets requirements for Supply-chain Levels for Software Artifacts (SLSA), and was built from a trusted source code repository.
    trusted_directory_check TrustedDirectoryCheckResponse
    Optional. Require that an image lives in a trusted directory.
    vulnerability_check VulnerabilityCheckResponse
    Optional. Require that an image does not contain vulnerabilities that violate the configured rules, such as based on severity levels.
    alwaysDeny Boolean
    Optional. A special-case check that always denies. Note that this still only applies when the scope of the CheckSet applies and the image isn't exempted by an image allowlist. This check is primarily useful for testing, or to set the default behavior for all unmatched scopes to "deny".
    displayName String
    Optional. A user-provided name for this check. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
    imageAllowlist Property Map
    Optional. Images exempted from this check. If any of the patterns match the image url, the check will not be evaluated.
    imageFreshnessCheck Property Map
    Optional. Require that an image is no older than a configured expiration time. Image age is determined by its upload time.
    simpleSigningAttestationCheck Property Map
    Optional. Require a SimpleSigning-type attestation for every image in the deployment.
    slsaCheck Property Map
    Optional. Require that an image was built by a trusted builder (such as Google Cloud Build), meets requirements for Supply-chain Levels for Software Artifacts (SLSA), and was built from a trusted source code repository.
    trustedDirectoryCheck Property Map
    Optional. Require that an image lives in a trusted directory.
    vulnerabilityCheck Property Map
    Optional. Require that an image does not contain vulnerabilities that violate the configured rules, such as based on severity levels.

    CheckSetResponse

    Checks List<Pulumi.GoogleNative.BinaryAuthorization.V1.Inputs.CheckResponse>
    Optional. The checks to apply. The ultimate result of evaluating the check set will be "allow" if and only if every check in checks evaluates to "allow". If checks is empty, the default behavior is "always allow".
    DisplayName string
    Optional. A user-provided name for this CheckSet. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
    ImageAllowlist Pulumi.GoogleNative.BinaryAuthorization.V1.Inputs.ImageAllowlistResponse
    Optional. Images exempted from this CheckSet. If any of the patterns match the image being evaluated, no checks in the CheckSet will be evaluated.
    Scope Pulumi.GoogleNative.BinaryAuthorization.V1.Inputs.ScopeResponse
    Optional. The scope to which this CheckSet applies. If unset or an empty string (the default), applies to all namespaces and service accounts. See the Scope message documentation for details on scoping rules.
    Checks []CheckResponse
    Optional. The checks to apply. The ultimate result of evaluating the check set will be "allow" if and only if every check in checks evaluates to "allow". If checks is empty, the default behavior is "always allow".
    DisplayName string
    Optional. A user-provided name for this CheckSet. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
    ImageAllowlist ImageAllowlistResponse
    Optional. Images exempted from this CheckSet. If any of the patterns match the image being evaluated, no checks in the CheckSet will be evaluated.
    Scope ScopeResponse
    Optional. The scope to which this CheckSet applies. If unset or an empty string (the default), applies to all namespaces and service accounts. See the Scope message documentation for details on scoping rules.
    checks List<CheckResponse>
    Optional. The checks to apply. The ultimate result of evaluating the check set will be "allow" if and only if every check in checks evaluates to "allow". If checks is empty, the default behavior is "always allow".
    displayName String
    Optional. A user-provided name for this CheckSet. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
    imageAllowlist ImageAllowlistResponse
    Optional. Images exempted from this CheckSet. If any of the patterns match the image being evaluated, no checks in the CheckSet will be evaluated.
    scope ScopeResponse
    Optional. The scope to which this CheckSet applies. If unset or an empty string (the default), applies to all namespaces and service accounts. See the Scope message documentation for details on scoping rules.
    checks CheckResponse[]
    Optional. The checks to apply. The ultimate result of evaluating the check set will be "allow" if and only if every check in checks evaluates to "allow". If checks is empty, the default behavior is "always allow".
    displayName string
    Optional. A user-provided name for this CheckSet. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
    imageAllowlist ImageAllowlistResponse
    Optional. Images exempted from this CheckSet. If any of the patterns match the image being evaluated, no checks in the CheckSet will be evaluated.
    scope ScopeResponse
    Optional. The scope to which this CheckSet applies. If unset or an empty string (the default), applies to all namespaces and service accounts. See the Scope message documentation for details on scoping rules.
    checks Sequence[CheckResponse]
    Optional. The checks to apply. The ultimate result of evaluating the check set will be "allow" if and only if every check in checks evaluates to "allow". If checks is empty, the default behavior is "always allow".
    display_name str
    Optional. A user-provided name for this CheckSet. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
    image_allowlist ImageAllowlistResponse
    Optional. Images exempted from this CheckSet. If any of the patterns match the image being evaluated, no checks in the CheckSet will be evaluated.
    scope ScopeResponse
    Optional. The scope to which this CheckSet applies. If unset or an empty string (the default), applies to all namespaces and service accounts. See the Scope message documentation for details on scoping rules.
    checks List<Property Map>
    Optional. The checks to apply. The ultimate result of evaluating the check set will be "allow" if and only if every check in checks evaluates to "allow". If checks is empty, the default behavior is "always allow".
    displayName String
    Optional. A user-provided name for this CheckSet. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
    imageAllowlist Property Map
    Optional. Images exempted from this CheckSet. If any of the patterns match the image being evaluated, no checks in the CheckSet will be evaluated.
    scope Property Map
    Optional. The scope to which this CheckSet applies. If unset or an empty string (the default), applies to all namespaces and service accounts. See the Scope message documentation for details on scoping rules.

    GkePolicyResponse

    CheckSets List<Pulumi.GoogleNative.BinaryAuthorization.V1.Inputs.CheckSetResponse>
    Optional. The CheckSet objects to apply, scoped by namespace or namespace and service account. Exactly one CheckSet will be evaluated for a given Pod (unless the list is empty, in which case the behavior is "always allow"). If multiple CheckSet objects have scopes that match the namespace and service account of the Pod being evaluated, only the CheckSet with the MOST SPECIFIC scope will match. CheckSet objects must be listed in order of decreasing specificity, i.e. if a scope matches a given service account (which must include the namespace), it must come before a CheckSet with a scope matching just that namespace. This property is enforced by server-side validation. The purpose of this restriction is to ensure that if more than one CheckSet matches a given Pod, the CheckSet that will be evaluated will always be the first in the list to match (because if any other matches, it must be less specific). If check_sets is empty, the default behavior is to allow all images. If check_sets is non-empty, the last check_sets entry must always be a CheckSet with no scope set, i.e. a catchall to handle any situation not caught by the preceding CheckSet objects.
    ImageAllowlist Pulumi.GoogleNative.BinaryAuthorization.V1.Inputs.ImageAllowlistResponse
    Optional. Images exempted from this policy. If any of the patterns match the image being evaluated, the rest of the policy will not be evaluated.
    CheckSets []CheckSetResponse
    Optional. The CheckSet objects to apply, scoped by namespace or namespace and service account. Exactly one CheckSet will be evaluated for a given Pod (unless the list is empty, in which case the behavior is "always allow"). If multiple CheckSet objects have scopes that match the namespace and service account of the Pod being evaluated, only the CheckSet with the MOST SPECIFIC scope will match. CheckSet objects must be listed in order of decreasing specificity, i.e. if a scope matches a given service account (which must include the namespace), it must come before a CheckSet with a scope matching just that namespace. This property is enforced by server-side validation. The purpose of this restriction is to ensure that if more than one CheckSet matches a given Pod, the CheckSet that will be evaluated will always be the first in the list to match (because if any other matches, it must be less specific). If check_sets is empty, the default behavior is to allow all images. If check_sets is non-empty, the last check_sets entry must always be a CheckSet with no scope set, i.e. a catchall to handle any situation not caught by the preceding CheckSet objects.
    ImageAllowlist ImageAllowlistResponse
    Optional. Images exempted from this policy. If any of the patterns match the image being evaluated, the rest of the policy will not be evaluated.
    checkSets List<CheckSetResponse>
    Optional. The CheckSet objects to apply, scoped by namespace or namespace and service account. Exactly one CheckSet will be evaluated for a given Pod (unless the list is empty, in which case the behavior is "always allow"). If multiple CheckSet objects have scopes that match the namespace and service account of the Pod being evaluated, only the CheckSet with the MOST SPECIFIC scope will match. CheckSet objects must be listed in order of decreasing specificity, i.e. if a scope matches a given service account (which must include the namespace), it must come before a CheckSet with a scope matching just that namespace. This property is enforced by server-side validation. The purpose of this restriction is to ensure that if more than one CheckSet matches a given Pod, the CheckSet that will be evaluated will always be the first in the list to match (because if any other matches, it must be less specific). If check_sets is empty, the default behavior is to allow all images. If check_sets is non-empty, the last check_sets entry must always be a CheckSet with no scope set, i.e. a catchall to handle any situation not caught by the preceding CheckSet objects.
    imageAllowlist ImageAllowlistResponse
    Optional. Images exempted from this policy. If any of the patterns match the image being evaluated, the rest of the policy will not be evaluated.
    checkSets CheckSetResponse[]
    Optional. The CheckSet objects to apply, scoped by namespace or namespace and service account. Exactly one CheckSet will be evaluated for a given Pod (unless the list is empty, in which case the behavior is "always allow"). If multiple CheckSet objects have scopes that match the namespace and service account of the Pod being evaluated, only the CheckSet with the MOST SPECIFIC scope will match. CheckSet objects must be listed in order of decreasing specificity, i.e. if a scope matches a given service account (which must include the namespace), it must come before a CheckSet with a scope matching just that namespace. This property is enforced by server-side validation. The purpose of this restriction is to ensure that if more than one CheckSet matches a given Pod, the CheckSet that will be evaluated will always be the first in the list to match (because if any other matches, it must be less specific). If check_sets is empty, the default behavior is to allow all images. If check_sets is non-empty, the last check_sets entry must always be a CheckSet with no scope set, i.e. a catchall to handle any situation not caught by the preceding CheckSet objects.
    imageAllowlist ImageAllowlistResponse
    Optional. Images exempted from this policy. If any of the patterns match the image being evaluated, the rest of the policy will not be evaluated.
    check_sets Sequence[CheckSetResponse]
    Optional. The CheckSet objects to apply, scoped by namespace or namespace and service account. Exactly one CheckSet will be evaluated for a given Pod (unless the list is empty, in which case the behavior is "always allow"). If multiple CheckSet objects have scopes that match the namespace and service account of the Pod being evaluated, only the CheckSet with the MOST SPECIFIC scope will match. CheckSet objects must be listed in order of decreasing specificity, i.e. if a scope matches a given service account (which must include the namespace), it must come before a CheckSet with a scope matching just that namespace. This property is enforced by server-side validation. The purpose of this restriction is to ensure that if more than one CheckSet matches a given Pod, the CheckSet that will be evaluated will always be the first in the list to match (because if any other matches, it must be less specific). If check_sets is empty, the default behavior is to allow all images. If check_sets is non-empty, the last check_sets entry must always be a CheckSet with no scope set, i.e. a catchall to handle any situation not caught by the preceding CheckSet objects.
    image_allowlist ImageAllowlistResponse
    Optional. Images exempted from this policy. If any of the patterns match the image being evaluated, the rest of the policy will not be evaluated.
    checkSets List<Property Map>
    Optional. The CheckSet objects to apply, scoped by namespace or namespace and service account. Exactly one CheckSet will be evaluated for a given Pod (unless the list is empty, in which case the behavior is "always allow"). If multiple CheckSet objects have scopes that match the namespace and service account of the Pod being evaluated, only the CheckSet with the MOST SPECIFIC scope will match. CheckSet objects must be listed in order of decreasing specificity, i.e. if a scope matches a given service account (which must include the namespace), it must come before a CheckSet with a scope matching just that namespace. This property is enforced by server-side validation. The purpose of this restriction is to ensure that if more than one CheckSet matches a given Pod, the CheckSet that will be evaluated will always be the first in the list to match (because if any other matches, it must be less specific). If check_sets is empty, the default behavior is to allow all images. If check_sets is non-empty, the last check_sets entry must always be a CheckSet with no scope set, i.e. a catchall to handle any situation not caught by the preceding CheckSet objects.
    imageAllowlist Property Map
    Optional. Images exempted from this policy. If any of the patterns match the image being evaluated, the rest of the policy will not be evaluated.

    ImageAllowlistResponse

    AllowPattern List<string>
    A disjunction of image patterns to allow. If any of these patterns match, then the image is considered exempted by this allowlist.
    AllowPattern []string
    A disjunction of image patterns to allow. If any of these patterns match, then the image is considered exempted by this allowlist.
    allowPattern List<String>
    A disjunction of image patterns to allow. If any of these patterns match, then the image is considered exempted by this allowlist.
    allowPattern string[]
    A disjunction of image patterns to allow. If any of these patterns match, then the image is considered exempted by this allowlist.
    allow_pattern Sequence[str]
    A disjunction of image patterns to allow. If any of these patterns match, then the image is considered exempted by this allowlist.
    allowPattern List<String>
    A disjunction of image patterns to allow. If any of these patterns match, then the image is considered exempted by this allowlist.

    ImageFreshnessCheckResponse

    MaxUploadAgeDays int
    The max number of days that is allowed since the image was uploaded. Must be greater than zero.
    MaxUploadAgeDays int
    The max number of days that is allowed since the image was uploaded. Must be greater than zero.
    maxUploadAgeDays Integer
    The max number of days that is allowed since the image was uploaded. Must be greater than zero.
    maxUploadAgeDays number
    The max number of days that is allowed since the image was uploaded. Must be greater than zero.
    max_upload_age_days int
    The max number of days that is allowed since the image was uploaded. Must be greater than zero.
    maxUploadAgeDays Number
    The max number of days that is allowed since the image was uploaded. Must be greater than zero.

    PkixPublicKeyResponse

    KeyId string
    Optional. The ID of this public key. Signatures verified by Binary Authorization must include the ID of the public key that can be used to verify them, and that ID must match the contents of this field exactly. This may be explicitly provided by the caller, but it MUST be a valid RFC3986 URI. If key_id is left blank and this PkixPublicKey is not used in the context of a wrapper (see next paragraph), a default key ID will be computed based on the digest of the DER encoding of the public key. If this PkixPublicKey is used in the context of a wrapper that has its own notion of key ID (e.g. AttestorPublicKey), then this field can either: * Match that value exactly. * Or be left blank, in which case it behaves exactly as though it is equal to that wrapper value.
    PublicKeyPem string
    A PEM-encoded public key, as described in https://tools.ietf.org/html/rfc7468#section-13
    SignatureAlgorithm string
    The signature algorithm used to verify a message against a signature using this key. This signature algorithm must match the structure and any object identifiers encoded in public_key_pem (i.e. this algorithm must match that of the public key).
    KeyId string
    Optional. The ID of this public key. Signatures verified by Binary Authorization must include the ID of the public key that can be used to verify them, and that ID must match the contents of this field exactly. This may be explicitly provided by the caller, but it MUST be a valid RFC3986 URI. If key_id is left blank and this PkixPublicKey is not used in the context of a wrapper (see next paragraph), a default key ID will be computed based on the digest of the DER encoding of the public key. If this PkixPublicKey is used in the context of a wrapper that has its own notion of key ID (e.g. AttestorPublicKey), then this field can either: * Match that value exactly. * Or be left blank, in which case it behaves exactly as though it is equal to that wrapper value.
    PublicKeyPem string
    A PEM-encoded public key, as described in https://tools.ietf.org/html/rfc7468#section-13
    SignatureAlgorithm string
    The signature algorithm used to verify a message against a signature using this key. This signature algorithm must match the structure and any object identifiers encoded in public_key_pem (i.e. this algorithm must match that of the public key).
    keyId String
    Optional. The ID of this public key. Signatures verified by Binary Authorization must include the ID of the public key that can be used to verify them, and that ID must match the contents of this field exactly. This may be explicitly provided by the caller, but it MUST be a valid RFC3986 URI. If key_id is left blank and this PkixPublicKey is not used in the context of a wrapper (see next paragraph), a default key ID will be computed based on the digest of the DER encoding of the public key. If this PkixPublicKey is used in the context of a wrapper that has its own notion of key ID (e.g. AttestorPublicKey), then this field can either: * Match that value exactly. * Or be left blank, in which case it behaves exactly as though it is equal to that wrapper value.
    publicKeyPem String
    A PEM-encoded public key, as described in https://tools.ietf.org/html/rfc7468#section-13
    signatureAlgorithm String
    The signature algorithm used to verify a message against a signature using this key. This signature algorithm must match the structure and any object identifiers encoded in public_key_pem (i.e. this algorithm must match that of the public key).
    keyId string
    Optional. The ID of this public key. Signatures verified by Binary Authorization must include the ID of the public key that can be used to verify them, and that ID must match the contents of this field exactly. This may be explicitly provided by the caller, but it MUST be a valid RFC3986 URI. If key_id is left blank and this PkixPublicKey is not used in the context of a wrapper (see next paragraph), a default key ID will be computed based on the digest of the DER encoding of the public key. If this PkixPublicKey is used in the context of a wrapper that has its own notion of key ID (e.g. AttestorPublicKey), then this field can either: * Match that value exactly. * Or be left blank, in which case it behaves exactly as though it is equal to that wrapper value.
    publicKeyPem string
    A PEM-encoded public key, as described in https://tools.ietf.org/html/rfc7468#section-13
    signatureAlgorithm string
    The signature algorithm used to verify a message against a signature using this key. This signature algorithm must match the structure and any object identifiers encoded in public_key_pem (i.e. this algorithm must match that of the public key).
    key_id str
    Optional. The ID of this public key. Signatures verified by Binary Authorization must include the ID of the public key that can be used to verify them, and that ID must match the contents of this field exactly. This may be explicitly provided by the caller, but it MUST be a valid RFC3986 URI. If key_id is left blank and this PkixPublicKey is not used in the context of a wrapper (see next paragraph), a default key ID will be computed based on the digest of the DER encoding of the public key. If this PkixPublicKey is used in the context of a wrapper that has its own notion of key ID (e.g. AttestorPublicKey), then this field can either: * Match that value exactly. * Or be left blank, in which case it behaves exactly as though it is equal to that wrapper value.
    public_key_pem str
    A PEM-encoded public key, as described in https://tools.ietf.org/html/rfc7468#section-13
    signature_algorithm str
    The signature algorithm used to verify a message against a signature using this key. This signature algorithm must match the structure and any object identifiers encoded in public_key_pem (i.e. this algorithm must match that of the public key).
    keyId String
    Optional. The ID of this public key. Signatures verified by Binary Authorization must include the ID of the public key that can be used to verify them, and that ID must match the contents of this field exactly. This may be explicitly provided by the caller, but it MUST be a valid RFC3986 URI. If key_id is left blank and this PkixPublicKey is not used in the context of a wrapper (see next paragraph), a default key ID will be computed based on the digest of the DER encoding of the public key. If this PkixPublicKey is used in the context of a wrapper that has its own notion of key ID (e.g. AttestorPublicKey), then this field can either: * Match that value exactly. * Or be left blank, in which case it behaves exactly as though it is equal to that wrapper value.
    publicKeyPem String
    A PEM-encoded public key, as described in https://tools.ietf.org/html/rfc7468#section-13
    signatureAlgorithm String
    The signature algorithm used to verify a message against a signature using this key. This signature algorithm must match the structure and any object identifiers encoded in public_key_pem (i.e. this algorithm must match that of the public key).

    PkixPublicKeySetResponse

    PkixPublicKeys []PkixPublicKeyResponse
    pkix_public_keys must have at least one entry.
    pkixPublicKeys List<PkixPublicKeyResponse>
    pkix_public_keys must have at least one entry.
    pkixPublicKeys PkixPublicKeyResponse[]
    pkix_public_keys must have at least one entry.
    pkix_public_keys Sequence[PkixPublicKeyResponse]
    pkix_public_keys must have at least one entry.
    pkixPublicKeys List<Property Map>
    pkix_public_keys must have at least one entry.

    ScopeResponse

    KubernetesNamespace string
    Optional. Matches all Kubernetes service accounts in the provided namespace, unless a more specific kubernetes_service_account scope already matched.
    KubernetesServiceAccount string
    Optional. Matches a single Kubernetes service account, e.g. my-namespace:my-service-account. kubernetes_service_account scope is always more specific than kubernetes_namespace scope for the same namespace.
    KubernetesNamespace string
    Optional. Matches all Kubernetes service accounts in the provided namespace, unless a more specific kubernetes_service_account scope already matched.
    KubernetesServiceAccount string
    Optional. Matches a single Kubernetes service account, e.g. my-namespace:my-service-account. kubernetes_service_account scope is always more specific than kubernetes_namespace scope for the same namespace.
    kubernetesNamespace String
    Optional. Matches all Kubernetes service accounts in the provided namespace, unless a more specific kubernetes_service_account scope already matched.
    kubernetesServiceAccount String
    Optional. Matches a single Kubernetes service account, e.g. my-namespace:my-service-account. kubernetes_service_account scope is always more specific than kubernetes_namespace scope for the same namespace.
    kubernetesNamespace string
    Optional. Matches all Kubernetes service accounts in the provided namespace, unless a more specific kubernetes_service_account scope already matched.
    kubernetesServiceAccount string
    Optional. Matches a single Kubernetes service account, e.g. my-namespace:my-service-account. kubernetes_service_account scope is always more specific than kubernetes_namespace scope for the same namespace.
    kubernetes_namespace str
    Optional. Matches all Kubernetes service accounts in the provided namespace, unless a more specific kubernetes_service_account scope already matched.
    kubernetes_service_account str
    Optional. Matches a single Kubernetes service account, e.g. my-namespace:my-service-account. kubernetes_service_account scope is always more specific than kubernetes_namespace scope for the same namespace.
    kubernetesNamespace String
    Optional. Matches all Kubernetes service accounts in the provided namespace, unless a more specific kubernetes_service_account scope already matched.
    kubernetesServiceAccount String
    Optional. Matches a single Kubernetes service account, e.g. my-namespace:my-service-account. kubernetes_service_account scope is always more specific than kubernetes_namespace scope for the same namespace.
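The check_sets ordering rule (most specific first, unscoped catch-all last, first match wins) and the Scope matching rules above, worked through as an added Python example. It is my reading of the page's text, not Binary Authorization's server-side validator; the Scope, CheckSet, ordering_error and select_check_set names are mine.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Added illustration of the check_sets ordering rules and the Scope matching
# rules. This is my reading of the documented text, not Binary Authorization's
# own validator; class and function names are mine.


@dataclass
class Scope:
    kubernetes_namespace: Optional[str] = None
    kubernetes_service_account: Optional[str] = None  # "namespace:service-account"

    def specificity(self) -> int:
        """2 = service account, 1 = namespace, 0 = no scope (catch-all)."""
        if self.kubernetes_service_account:
            return 2
        if self.kubernetes_namespace:
            return 1
        return 0

    def namespace(self) -> Optional[str]:
        """The namespace this scope applies to, if any."""
        if self.kubernetes_service_account:
            return self.kubernetes_service_account.split(":", 1)[0]
        return self.kubernetes_namespace

    def matches(self, pod_namespace: str, pod_service_account: str) -> bool:
        if self.kubernetes_service_account:
            return self.kubernetes_service_account == f"{pod_namespace}:{pod_service_account}"
        if self.kubernetes_namespace:
            return self.kubernetes_namespace == pod_namespace
        return True  # an unscoped CheckSet matches every Pod


@dataclass
class CheckSet:
    display_name: str
    scope: Scope = field(default_factory=Scope)


def ordering_error(check_sets: List[CheckSet]) -> Optional[str]:
    """Describe the first ordering violation, or return None if the list is valid."""
    if not check_sets:
        return None  # empty check_sets means "always allow"
    for i, cs in enumerate(check_sets):
        spec = cs.scope.specificity()
        if spec == 2 and ":" not in cs.scope.kubernetes_service_account:
            return f"{cs.display_name}: kubernetes_service_account must include the namespace"
        if spec == 0 and i != len(check_sets) - 1:
            # An earlier catch-all would match first and shadow everything after it.
            return f"{cs.display_name}: unscoped CheckSet must be the last entry"
        if spec == 2:
            # A namespace-scoped set for the same namespace listed earlier would
            # win the "first match" race against this more specific set.
            for earlier in check_sets[:i]:
                if (earlier.scope.specificity() == 1
                        and earlier.scope.namespace() == cs.scope.namespace()):
                    return (f"{cs.display_name}: service-account scope must precede "
                            f"namespace-scoped {earlier.display_name}")
    if check_sets[-1].scope.specificity() != 0:
        return "last check_sets entry must be an unscoped catch-all"
    return None


def validate_check_sets(check_sets: List[CheckSet]) -> None:
    err = ordering_error(check_sets)
    if err:
        raise ValueError(err)


def select_check_set(check_sets: List[CheckSet], pod_namespace: str,
                     pod_service_account: str) -> Optional[CheckSet]:
    """First CheckSet whose scope matches the Pod; None only for an empty list."""
    validate_check_sets(check_sets)
    for cs in check_sets:
        if cs.scope.matches(pod_namespace, pod_service_account):
            return cs
    return None


# Constructed example policy: most specific scope first, catch-all last.
EXAMPLE_CHECK_SETS = [
    CheckSet("prod-payments", Scope(kubernetes_service_account="prod:payments")),
    CheckSet("prod", Scope(kubernetes_namespace="prod")),
    CheckSet("catch-all"),
]

if __name__ == "__main__":
    for ns, sa in [("prod", "payments"), ("prod", "web"), ("dev", "payments")]:
        chosen = select_check_set(EXAMPLE_CHECK_SETS, ns, sa)
        print(f"{ns}:{sa} -> {chosen.display_name}")
    swapped = [EXAMPLE_CHECK_SETS[1], EXAMPLE_CHECK_SETS[0], EXAMPLE_CHECK_SETS[2]]
    print("swapped order:", ordering_error(swapped))
```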

    SimpleSigningAttestationCheckResponse

    AttestationAuthenticators List<Pulumi.GoogleNative.BinaryAuthorization.V1.Inputs.AttestationAuthenticatorResponse>
    The authenticators required by this check to verify an attestation. Typically this is one or more PKIX public keys for signature verification. Only one authenticator needs to consider an attestation verified in order for an attestation to be considered fully authenticated. In other words, this list of authenticators is an "OR" of the authenticator results. At least one authenticator is required.
    ContainerAnalysisAttestationProjects List<string>
    Optional. The projects where attestations are stored as Container Analysis Occurrences. Only one attestation needs to successfully verify an image for this check to pass, so a single verified attestation found in any of container_analysis_attestation_projects is sufficient for the check to pass. When fetching Occurrences from Container Analysis, only 'AttestationOccurrence' kinds are considered. In the future, additional Occurrence kinds may be added to the query.
    AttestationAuthenticators []AttestationAuthenticatorResponse
    The authenticators required by this check to verify an attestation. Typically this is one or more PKIX public keys for signature verification. Only one authenticator needs to consider an attestation verified in order for an attestation to be considered fully authenticated. In other words, this list of authenticators is an "OR" of the authenticator results. At least one authenticator is required.
    ContainerAnalysisAttestationProjects []string
    Optional. The projects where attestations are stored as Container Analysis Occurrences. Only one attestation needs to successfully verify an image for this check to pass, so a single verified attestation found in any of container_analysis_attestation_projects is sufficient for the check to pass. When fetching Occurrences from Container Analysis, only 'AttestationOccurrence' kinds are considered. In the future, additional Occurrence kinds may be added to the query.
    attestationAuthenticators List<AttestationAuthenticatorResponse>
    The authenticators required by this check to verify an attestation. Typically this is one or more PKIX public keys for signature verification. Only one authenticator needs to consider an attestation verified in order for an attestation to be considered fully authenticated. In other words, this list of authenticators is an "OR" of the authenticator results. At least one authenticator is required.
    containerAnalysisAttestationProjects List<String>
    Optional. The projects where attestations are stored as Container Analysis Occurrences. Only one attestation needs to successfully verify an image for this check to pass, so a single verified attestation found in any of container_analysis_attestation_projects is sufficient for the check to pass. When fetching Occurrences from Container Analysis, only 'AttestationOccurrence' kinds are considered. In the future, additional Occurrence kinds may be added to the query.
    attestationAuthenticators AttestationAuthenticatorResponse[]
    The authenticators required by this check to verify an attestation. Typically this is one or more PKIX public keys for signature verification. Only one authenticator needs to consider an attestation verified in order for an attestation to be considered fully authenticated. In other words, this list of authenticators is an "OR" of the authenticator results. At least one authenticator is required.
    containerAnalysisAttestationProjects string[]
    Optional. The projects where attestations are stored as Container Analysis Occurrences. Only one attestation needs to successfully verify an image for this check to pass, so a single verified attestation found in any of container_analysis_attestation_projects is sufficient for the check to pass. When fetching Occurrences from Container Analysis, only 'AttestationOccurrence' kinds are considered. In the future, additional Occurrence kinds may be added to the query.
    attestation_authenticators Sequence[AttestationAuthenticatorResponse]
    The authenticators required by this check to verify an attestation. Typically this is one or more PKIX public keys for signature verification. Only one authenticator needs to consider an attestation verified in order for an attestation to be considered fully authenticated. In other words, this list of authenticators is an "OR" of the authenticator results. At least one authenticator is required.
    container_analysis_attestation_projects Sequence[str]
    Optional. The projects where attestations are stored as Container Analysis Occurrences. Only one attestation needs to successfully verify an image for this check to pass, so a single verified attestation found in any of container_analysis_attestation_projects is sufficient for the check to pass. When fetching Occurrences from Container Analysis, only 'AttestationOccurrence' kinds are considered. In the future, additional Occurrence kinds may be added to the query.
    attestationAuthenticators List<Property Map>
    The authenticators required by this check to verify an attestation. Typically this is one or more PKIX public keys for signature verification. Only one authenticator needs to consider an attestation verified in order for an attestation to be considered fully authenticated. In other words, this list of authenticators is an "OR" of the authenticator results. At least one authenticator is required.
    containerAnalysisAttestationProjects List<String>
    Optional. The projects where attestations are stored as Container Analysis Occurrences. Only one attestation needs to successfully verify an image for this check to pass, so a single verified attestation found in any of container_analysis_attestation_projects is sufficient for the check to pass. When fetching Occurrences from Container Analysis, only 'AttestationOccurrence' kinds are considered. In the future, additional Occurrence kinds may be added to the query.

    SlsaCheckResponse

    Rules List<Pulumi.GoogleNative.BinaryAuthorization.V1.Inputs.VerificationRuleResponse>
    Specifies a list of verification rules for the SLSA attestations. An image is considered compliant with the SlsaCheck if any of the rules are satisfied.
    Rules []VerificationRuleResponse
    Specifies a list of verification rules for the SLSA attestations. An image is considered compliant with the SlsaCheck if any of the rules are satisfied.
    rules List<VerificationRuleResponse>
    Specifies a list of verification rules for the SLSA attestations. An image is considered compliant with the SlsaCheck if any of the rules are satisfied.
    rules VerificationRuleResponse[]
    Specifies a list of verification rules for the SLSA attestations. An image is considered compliant with the SlsaCheck if any of the rules are satisfied.
    rules Sequence[VerificationRuleResponse]
    Specifies a list of verification rules for the SLSA attestations. An image is considered compliant with the SlsaCheck if any of the rules are satisfied.
    rules List<Property Map>
    Specifies a list of verification rules for the SLSA attestations. An image is considered compliant with the SlsaCheck if any of the rules are satisfied.

    TrustedDirectoryCheckResponse

    TrustedDirPatterns List<string>
    List of trusted directory patterns. A pattern is in the form "registry/path/to/directory". The registry domain part is defined as two or more dot-separated words, e.g., us.pkg.dev, or gcr.io. Additionally, * can be used in three ways as wildcards: 1. leading * to match varying prefixes in registry subdomain (useful for location prefixes); 2. trailing * after registry/ to match varying endings; 3. trailing ** after registry/ to match "/" as well. For example: -- gcr.io/my-project/my-repo is valid to match a single directory -- *-docker.pkg.dev/my-project/my-repo or *.gcr.io/my-project are valid to match varying prefixes -- gcr.io/my-project/* will match all direct directories in my-project -- gcr.io/my-project/** would match all directories in my-project -- gcr.i* is not allowed since the registry is not completely specified -- sub*domain.gcr.io/nginx is not valid because only leading * or trailing * are allowed. -- *pkg.dev/my-project/my-repo is not valid because a leading * can only match a subdomain -- **-docker.pkg.dev is not valid because only one leading * is allowed, and it cannot match /
    TrustedDirPatterns []string
    List of trusted directory patterns. A pattern is in the form "registry/path/to/directory". The registry domain part is defined as two or more dot-separated words, e.g., us.pkg.dev, or gcr.io. Additionally, * can be used in three ways as wildcards: 1. leading * to match varying prefixes in registry subdomain (useful for location prefixes); 2. trailing * after registry/ to match varying endings; 3. trailing ** after registry/ to match "/" as well. For example: -- gcr.io/my-project/my-repo is valid to match a single directory -- *-docker.pkg.dev/my-project/my-repo or *.gcr.io/my-project are valid to match varying prefixes -- gcr.io/my-project/* will match all direct directories in my-project -- gcr.io/my-project/** would match all directories in my-project -- gcr.i* is not allowed since the registry is not completely specified -- sub*domain.gcr.io/nginx is not valid because only leading * or trailing * are allowed. -- *pkg.dev/my-project/my-repo is not valid because a leading * can only match a subdomain -- **-docker.pkg.dev is not valid because only one leading * is allowed, and it cannot match /
    trustedDirPatterns List<String>
    List of trusted directory patterns. A pattern is in the form "registry/path/to/directory". The registry domain part is defined as two or more dot-separated words, e.g., us.pkg.dev, or gcr.io. Additionally, * can be used in three ways as wildcards: 1. leading * to match varying prefixes in registry subdomain (useful for location prefixes); 2. trailing * after registry/ to match varying endings; 3. trailing ** after registry/ to match "/" as well. For example: -- gcr.io/my-project/my-repo is valid to match a single directory -- *-docker.pkg.dev/my-project/my-repo or *.gcr.io/my-project are valid to match varying prefixes -- gcr.io/my-project/* will match all direct directories in my-project -- gcr.io/my-project/** would match all directories in my-project -- gcr.i* is not allowed since the registry is not completely specified -- sub*domain.gcr.io/nginx is not valid because only leading * or trailing * are allowed. -- *pkg.dev/my-project/my-repo is not valid because a leading * can only match a subdomain -- **-docker.pkg.dev is not valid because only one leading * is allowed, and it cannot match /
    trustedDirPatterns string[]
    List of trusted directory patterns. A pattern is in the form "registry/path/to/directory". The registry domain part is defined as two or more dot-separated words, e.g., us.pkg.dev, or gcr.io. Additionally, * can be used in three ways as wildcards: 1. leading * to match varying prefixes in registry subdomain (useful for location prefixes); 2. trailing * after registry/ to match varying endings; 3. trailing ** after registry/ to match "/" as well. For example: -- gcr.io/my-project/my-repo is valid to match a single directory -- *-docker.pkg.dev/my-project/my-repo or *.gcr.io/my-project are valid to match varying prefixes -- gcr.io/my-project/* will match all direct directories in my-project -- gcr.io/my-project/** would match all directories in my-project -- gcr.i* is not allowed since the registry is not completely specified -- sub*domain.gcr.io/nginx is not valid because only leading * or trailing * are allowed. -- *pkg.dev/my-project/my-repo is not valid because a leading * can only match a subdomain -- **-docker.pkg.dev is not valid because only one leading * is allowed, and it cannot match /
    trusted_dir_patterns Sequence[str]
    List of trusted directory patterns. A pattern is in the form "registry/path/to/directory". The registry domain part is defined as two or more dot-separated words, e.g., us.pkg.dev, or gcr.io. Additionally, * can be used in three ways as wildcards: 1. leading * to match varying prefixes in registry subdomain (useful for location prefixes); 2. trailing * after registry/ to match varying endings; 3. trailing ** after registry/ to match "/" as well. For example: -- gcr.io/my-project/my-repo is valid to match a single directory -- *-docker.pkg.dev/my-project/my-repo or *.gcr.io/my-project are valid to match varying prefixes -- gcr.io/my-project/* will match all direct directories in my-project -- gcr.io/my-project/** would match all directories in my-project -- gcr.i* is not allowed since the registry is not completely specified -- sub*domain.gcr.io/nginx is not valid because only leading * or trailing * are allowed. -- *pkg.dev/my-project/my-repo is not valid because a leading * can only match a subdomain -- **-docker.pkg.dev is not valid because only one leading * is allowed, and it cannot match /
    trustedDirPatterns List<String>
    List of trusted directory patterns. A pattern is in the form "registry/path/to/directory". The registry domain part is defined as two or more dot-separated words, e.g., us.pkg.dev, or gcr.io. Additionally, * can be used in three ways as wildcards: 1. leading * to match varying prefixes in registry subdomain (useful for location prefixes); 2. trailing * after registry/ to match varying endings; 3. trailing ** after registry/ to match "/" as well. For example: -- gcr.io/my-project/my-repo is valid to match a single directory -- *-docker.pkg.dev/my-project/my-repo or *.gcr.io/my-project are valid to match varying prefixes -- gcr.io/my-project/* will match all direct directories in my-project -- gcr.io/my-project/** would match all directories in my-project -- gcr.i* is not allowed since the registry is not completely specified -- sub*domain.gcr.io/nginx is not valid because only leading * or trailing * are allowed. -- *pkg.dev/my-project/my-repo is not valid because a leading * can only match a subdomain -- **-docker.pkg.dev is not valid because only one leading * is allowed, and it cannot match /
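The trusted directory wildcard rules above, as an added Python example that validates patterns (accepting and rejecting exactly the page's listed cases) and matches image references against them. It is my reading of the page's text, not Binary Authorization's own matcher; the requirement that a pattern carries a path and that a trailing wildcard is a whole path segment are assumptions of mine.

```python
import re
from typing import List

# Added illustration of the trusted_dir_patterns wildcard rules. This is my
# reading of the documented text, not Binary Authorization's own matcher.
# Assumptions not stated on the page: a pattern must contain a path after the
# registry, and a trailing wildcard must be a whole path segment ("*" or "**").

_LABEL_RE = re.compile(r"^[A-Za-z0-9-]+$")


class InvalidPattern(ValueError):
    """Raised for patterns that break the documented wildcard rules."""


def validate_pattern(pattern: str) -> None:
    registry, slash, path = pattern.partition("/")
    # Registry part: at most one '*', and only as a leading wildcard
    # (rejects gcr.i*, sub*domain.gcr.io and **-docker.pkg.dev).
    stars = registry.count("*")
    if stars > 1 or (stars == 1 and not registry.startswith("*")):
        raise InvalidPattern(f"{pattern!r}: only a single leading * is allowed in the registry")
    labels = registry.split(".")
    if stars:
        # The '*' sits in the first label; the labels after it must still form a
        # complete domain, so '*' only ever stands for a subdomain prefix
        # (accepts *.gcr.io and *-docker.pkg.dev, rejects *pkg.dev).
        if len(labels) < 3:
            raise InvalidPattern(f"{pattern!r}: leading * can only match a subdomain")
        rest = labels[0][1:]
        if rest and not _LABEL_RE.match(rest):
            raise InvalidPattern(f"{pattern!r}: bad registry label {labels[0]!r}")
        labels = labels[1:]
    if len(labels) < 2 or not all(_LABEL_RE.match(label) for label in labels):
        raise InvalidPattern(f"{pattern!r}: registry is not completely specified")
    if not slash or not path:
        raise InvalidPattern(f"{pattern!r}: registry must be followed by a directory path")
    # Path part: literal segments, optionally ending in one '*' or '**' segment.
    segments = path.split("/")
    if any(not seg for seg in segments):
        raise InvalidPattern(f"{pattern!r}: empty path segment")
    if any("*" in seg for seg in segments[:-1]):
        raise InvalidPattern(f"{pattern!r}: * is only allowed at the end of the pattern")
    if "*" in segments[-1] and segments[-1] not in ("*", "**"):
        raise InvalidPattern(f"{pattern!r}: trailing wildcard must be * or **")


def is_valid_pattern(pattern: str) -> bool:
    try:
        validate_pattern(pattern)
        return True
    except InvalidPattern:
        return False


def compile_pattern(pattern: str) -> "re.Pattern":
    """Translate a validated pattern into an anchored regular expression."""
    validate_pattern(pattern)
    registry, _, path = pattern.partition("/")
    if registry.startswith("*"):
        registry_re = r"[^/]*" + re.escape(registry[1:])  # varying subdomain prefix
    else:
        registry_re = re.escape(registry)
    *literal, last = path.split("/")
    parts = [re.escape(seg) for seg in literal]
    if last == "*":
        parts.append(r"[^/]+")  # exactly one more directory level, never '/'
    elif last == "**":
        parts.append(r".+")     # any depth below the directory
    else:
        parts.append(re.escape(last))
    return re.compile("^" + registry_re + "/" + "/".join(parts) + "$")


def image_directory(image_ref: str) -> str:
    """Directory an image lives in: everything before the final path component.

    The tag (:1.25) or digest (@sha256:...) always sits on that final
    component, so it is dropped together with the image name.
    """
    return image_ref.rpartition("/")[0]


def is_trusted(image_ref: str, patterns: List[str]) -> bool:
    """True when the image's directory matches any trusted directory pattern."""
    directory = image_directory(image_ref)
    return any(compile_pattern(p).match(directory) for p in patterns)


if __name__ == "__main__":
    # Constructed patterns and image references, not taken from any real policy.
    for p in ["gcr.io/my-project/*", "*.gcr.io/my-project", "gcr.i*", "*pkg.dev/my-project/my-repo"]:
        print(f"{p:35} valid={is_valid_pattern(p)}")
    print(is_trusted("gcr.io/my-project/my-repo/nginx:1.25", ["gcr.io/my-project/*"]))
    print(is_trusted("gcr.io/my-project/a/b/nginx:1.25", ["gcr.io/my-project/*"]))
```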

    VerificationRuleResponse

    AttestationSource Pulumi.GoogleNative.BinaryAuthorization.V1.Inputs.AttestationSourceResponse
    Specifies where to fetch the provenance attestations generated by the builder (group).
    ConfigBasedBuildRequired bool
    If true, require the image to be built from a top-level configuration. trusted_source_repo_patterns specifies the repositories containing this configuration.
    TrustedBuilder string
    Each verification rule is used for evaluation against provenances generated by a specific builder (group). For some builders, such as Google Cloud Build, users don't need to explicitly specify their roots of trust in the policy, since the evaluation service can fetch them automatically based on the builder (group).
    TrustedSourceRepoPatterns List<string>
    List of trusted source code repository URL patterns. These patterns match the full repository URL without its scheme (e.g. https://). The patterns must not include schemes. For example, the pattern source.cloud.google.com/my-project/my-repo-name matches the following URLs: - source.cloud.google.com/my-project/my-repo-name - git+ssh://source.cloud.google.com/my-project/my-repo-name - https://source.cloud.google.com/my-project/my-repo-name A pattern matches a URL either exactly or with * wildcards. * can be used in only two ways: 1. trailing * after hosturi/ to match varying endings; 2. trailing ** after hosturi/ to match / as well. * and ** can only be used as wildcards and can only occur at the end of the pattern after a /. (So it's not possible to match a URL that contains literal *.) For example: - github.com/my-project/my-repo is valid to match a single repo - github.com/my-project/* will match all direct repos in my-project - github.com/** matches all repos in GitHub
    AttestationSource AttestationSourceResponse
    Specifies where to fetch the provenance attestations generated by the builder (group).
    ConfigBasedBuildRequired bool
    If true, require the image to be built from a top-level configuration. trusted_source_repo_patterns specifies the repositories containing this configuration.
    TrustedBuilder string
    Each verification rule is used for evaluation against provenances generated by a specific builder (group). For some builders, such as Google Cloud Build, users don't need to explicitly specify their roots of trust in the policy, since the evaluation service can fetch them automatically based on the builder (group).
    TrustedSourceRepoPatterns []string
    List of trusted source code repository URL patterns. These patterns match the full repository URL without its scheme (e.g. https://). The patterns must not include schemes. For example, the pattern source.cloud.google.com/my-project/my-repo-name matches the following URLs: - source.cloud.google.com/my-project/my-repo-name - git+ssh://source.cloud.google.com/my-project/my-repo-name - https://source.cloud.google.com/my-project/my-repo-name A pattern matches a URL either exactly or with * wildcards. * can be used in only two ways: 1. trailing * after hosturi/ to match varying endings; 2. trailing ** after hosturi/ to match / as well. * and ** can only be used as wildcards and can only occur at the end of the pattern after a /. (So it's not possible to match a URL that contains literal *.) For example: - github.com/my-project/my-repo is valid to match a single repo - github.com/my-project/* will match all direct repos in my-project - github.com/** matches all repos in GitHub
    attestationSource AttestationSourceResponse
    Specifies where to fetch the provenance attestations generated by the builder (group).
    configBasedBuildRequired Boolean
    If true, require the image to be built from a top-level configuration. trusted_source_repo_patterns specifies the repositories containing this configuration.
    trustedBuilder String
    Each verification rule is used for evaluation against provenances generated by a specific builder (group). For some builders, such as Google Cloud Build, users don't need to explicitly specify their roots of trust in the policy, since the evaluation service can fetch them automatically based on the builder (group).
    trustedSourceRepoPatterns List<String>
    List of trusted source code repository URL patterns. These patterns match the full repository URL without its scheme (e.g. https://). The patterns must not include schemes. For example, the pattern source.cloud.google.com/my-project/my-repo-name matches the following URLs: - source.cloud.google.com/my-project/my-repo-name - git+ssh://source.cloud.google.com/my-project/my-repo-name - https://source.cloud.google.com/my-project/my-repo-name A pattern matches a URL either exactly or with * wildcards. * can be used in only two ways: 1. trailing * after hosturi/ to match varying endings; 2. trailing ** after hosturi/ to match / as well. * and ** can only be used as wildcards and can only occur at the end of the pattern after a /. (So it's not possible to match a URL that contains literal *.) For example: - github.com/my-project/my-repo is valid to match a single repo - github.com/my-project/* will match all direct repos in my-project - github.com/** matches all repos in GitHub
    attestationSource AttestationSourceResponse
    Specifies where to fetch the provenance attestations generated by the builder (group).
    configBasedBuildRequired boolean
    If true, require the image to be built from a top-level configuration. trusted_source_repo_patterns specifies the repositories containing this configuration.
    trustedBuilder string
    Each verification rule is used for evaluation against provenances generated by a specific builder (group). For some of the builders, such as the Google Cloud Build, users don't need to explicitly specify their roots of trust in the policy since the evaluation service can automatically fetch them based on the builder (group).
    trustedSourceRepoPatterns string[]
    List of trusted source code repository URL patterns. These patterns match the full repository URL without its scheme (e.g. https://). The patterns must not include schemes. For example, the pattern source.cloud.google.com/my-project/my-repo-name matches the following URLs: - source.cloud.google.com/my-project/my-repo-name - git+ssh://source.cloud.google.com/my-project/my-repo-name - https://source.cloud.google.com/my-project/my-repo-name A pattern matches a URL either exactly or with * wildcards. * can be used in only two ways: 1. trailing * after hosturi/ to match varying endings; 2. trailing ** after hosturi/ to match / as well. * and ** can only be used as wildcards and can only occur at the end of the pattern after a /. (So it's not possible to match a URL that contains literal *.) For example: - github.com/my-project/my-repo is valid to match a single repo - github.com/my-project/* will match all direct repos in my-project - github.com/** matches all repos in GitHub
    attestation_source AttestationSourceResponse
    Specifies where to fetch the provenance attestations generated by the builder (group).
    config_based_build_required bool
    If true, require the image to be built from a top-level configuration. trusted_source_repo_patterns specifies the repositories containing this configuration.
    trusted_builder str
    Each verification rule is used for evaluation against provenances generated by a specific builder (group). For some of the builders, such as the Google Cloud Build, users don't need to explicitly specify their roots of trust in the policy since the evaluation service can automatically fetch them based on the builder (group).
    trusted_source_repo_patterns Sequence[str]
    List of trusted source code repository URL patterns. These patterns match the full repository URL without its scheme (e.g. https://). The patterns must not include schemes. For example, the pattern source.cloud.google.com/my-project/my-repo-name matches the following URLs: - source.cloud.google.com/my-project/my-repo-name - git+ssh://source.cloud.google.com/my-project/my-repo-name - https://source.cloud.google.com/my-project/my-repo-name A pattern matches a URL either exactly or with * wildcards. * can be used in only two ways: 1. trailing * after hosturi/ to match varying endings; 2. trailing ** after hosturi/ to match / as well. * and ** can only be used as wildcards and can only occur at the end of the pattern after a /. (So it's not possible to match a URL that contains literal *.) For example: - github.com/my-project/my-repo is valid to match a single repo - github.com/my-project/* will match all direct repos in my-project - github.com/** matches all repos in GitHub
    attestationSource Property Map
    Specifies where to fetch the provenance attestations generated by the builder (group).
    configBasedBuildRequired Boolean
    If true, require the image to be built from a top-level configuration. trusted_source_repo_patterns specifies the repositories containing this configuration.
    trustedBuilder String
    Each verification rule is used for evaluation against provenances generated by a specific builder (group). For some of the builders, such as the Google Cloud Build, users don't need to explicitly specify their roots of trust in the policy since the evaluation service can automatically fetch them based on the builder (group).
    trustedSourceRepoPatterns List<String>
    List of trusted source code repository URL patterns. These patterns match the full repository URL without its scheme (e.g. https://). The patterns must not include schemes. For example, the pattern source.cloud.google.com/my-project/my-repo-name matches the following URLs: - source.cloud.google.com/my-project/my-repo-name - git+ssh://source.cloud.google.com/my-project/my-repo-name - https://source.cloud.google.com/my-project/my-repo-name A pattern matches a URL either exactly or with * wildcards. * can be used in only two ways: 1. trailing * after hosturi/ to match varying endings; 2. trailing ** after hosturi/ to match / as well. * and ** can only be used as wildcards and can only occur at the end of the pattern after a /. (So it's not possible to match a URL that contains literal *.) For example: - github.com/my-project/my-repo is valid to match a single repo - github.com/my-project/* will match all direct repos in my-project - github.com/** matches all repos in GitHub
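    The wildcard rules for trustedSourceRepoPatterns are easy to misread, so the following is a small Python model of them, added for this page; it is not the Binary Authorization evaluator and not code from the Pulumi SDK. It assumes only the documented semantics: the scheme is stripped from the repository URL before comparison, a plain pattern must match exactly, a trailing `/*` matches one further path segment, a trailing `/**` matches any non-empty remainder including further `/`, and any other use of `*` (or a scheme in the pattern) is rejected.

```python
import re
from typing import Iterable, Optional

# Added example modelling the trusted_source_repo_patterns rules described on
# this page. Not the Binary Authorization evaluator; the helper names are ours.

_SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*://")


def strip_scheme(url: str) -> str:
    """Drop a leading scheme such as https:// or git+ssh://."""
    return _SCHEME_RE.sub("", url, count=1)


def is_valid_pattern(pattern: str) -> bool:
    """True if the pattern obeys the documented constraints.

    Patterns must not carry a scheme, and '*' may only appear as a trailing
    '/*' or '/**' (so a literal '*' in a URL can never be matched).
    """
    if _SCHEME_RE.match(pattern):
        return False
    stars = pattern.count("*")
    if stars == 0:
        return True
    if pattern.endswith("/**") and stars == 2:
        return True
    if pattern.endswith("/*") and stars == 1:
        return True
    return False


def pattern_matches(pattern: str, url: str) -> bool:
    """True if `url` (with or without a scheme) is matched by `pattern`."""
    if not is_valid_pattern(pattern):
        raise ValueError(f"invalid trusted source repo pattern: {pattern!r}")
    target = strip_scheme(url)
    if pattern.endswith("/**"):
        # '**' matches any non-empty remainder, including further '/' segments.
        prefix = pattern[:-2]
        return target.startswith(prefix) and len(target) > len(prefix)
    if pattern.endswith("/*"):
        # '*' matches exactly one trailing segment: non-empty and without '/'.
        prefix = pattern[:-1]
        rest = target[len(prefix):]
        return target.startswith(prefix) and rest != "" and "/" not in rest
    # No wildcard: the scheme-less URL must equal the pattern exactly.
    return target == pattern


def first_trusted_pattern(patterns: Iterable[str], url: str) -> Optional[str]:
    """Return the first pattern that trusts `url`, or None if no pattern does."""
    for pattern in patterns:
        if pattern_matches(pattern, url):
            return pattern
    return None
```

    The two wildcard branches are deliberately different: `github.com/my-project/*` accepts `github.com/my-project/my-repo` but rejects `github.com/my-project/sub/repo`, while `github.com/**` accepts both, which is why a `**` pattern on a shared host trusts far more sources than it may appear to.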

    VulnerabilityCheckResponse

    AllowedCves List<string>
    Optional. A list of specific CVEs to ignore even if the vulnerability level violates maximumUnfixableSeverity or maximumFixableSeverity. CVEs are listed in the format of Container Analysis note id. For example: - CVE-2021-20305 - CVE-2020-10543 The CVEs are applicable regardless of note provider project, e.g., an entry of CVE-2021-20305 will allow vulnerabilities with a note name of either projects/goog-vulnz/notes/CVE-2021-20305 or projects/CUSTOM-PROJECT/notes/CVE-2021-20305.
    BlockedCves List<string>
    Optional. A list of specific CVEs to always raise warnings about even if the vulnerability level meets maximumUnfixableSeverity or maximumFixableSeverity. CVEs are listed in the format of Container Analysis note id. For example: - CVE-2021-20305 - CVE-2020-10543 The CVEs are applicable regardless of note provider project, e.g., an entry of CVE-2021-20305 will block vulnerabilities with a note name of either projects/goog-vulnz/notes/CVE-2021-20305 or projects/CUSTOM-PROJECT/notes/CVE-2021-20305.
    ContainerAnalysisVulnerabilityProjects List<string>
    Optional. The projects where vulnerabilities are stored as Container Analysis Occurrences. Each project is expressed in the resource format of projects/[PROJECT_ID], e.g., projects/my-gcp-project. An attempt will be made for each project to fetch vulnerabilities, and all valid vulnerabilities will be used to check against the vulnerability policy. If no valid scan is found in all projects configured here, an error will be returned for the check.
    MaximumFixableSeverity string
    The threshold for severity for which a fix is currently available. This field is required and must be set.
    MaximumUnfixableSeverity string
    The threshold for severity for which a fix isn't currently available. This field is required and must be set.
    AllowedCves []string
    Optional. A list of specific CVEs to ignore even if the vulnerability level violates maximumUnfixableSeverity or maximumFixableSeverity. CVEs are listed in the format of Container Analysis note id. For example: - CVE-2021-20305 - CVE-2020-10543 The CVEs are applicable regardless of note provider project, e.g., an entry of CVE-2021-20305 will allow vulnerabilities with a note name of either projects/goog-vulnz/notes/CVE-2021-20305 or projects/CUSTOM-PROJECT/notes/CVE-2021-20305.
    BlockedCves []string
    Optional. A list of specific CVEs to always raise warnings about even if the vulnerability level meets maximumUnfixableSeverity or maximumFixableSeverity. CVEs are listed in the format of Container Analysis note id. For example: - CVE-2021-20305 - CVE-2020-10543 The CVEs are applicable regardless of note provider project, e.g., an entry of CVE-2021-20305 will block vulnerabilities with a note name of either projects/goog-vulnz/notes/CVE-2021-20305 or projects/CUSTOM-PROJECT/notes/CVE-2021-20305.
    ContainerAnalysisVulnerabilityProjects []string
    Optional. The projects where vulnerabilities are stored as Container Analysis Occurrences. Each project is expressed in the resource format of projects/[PROJECT_ID], e.g., projects/my-gcp-project. An attempt will be made for each project to fetch vulnerabilities, and all valid vulnerabilities will be used to check against the vulnerability policy. If no valid scan is found in all projects configured here, an error will be returned for the check.
    MaximumFixableSeverity string
    The threshold for severity for which a fix is currently available. This field is required and must be set.
    MaximumUnfixableSeverity string
    The threshold for severity for which a fix isn't currently available. This field is required and must be set.
    allowedCves List<String>
    Optional. A list of specific CVEs to ignore even if the vulnerability level violates maximumUnfixableSeverity or maximumFixableSeverity. CVEs are listed in the format of Container Analysis note id. For example: - CVE-2021-20305 - CVE-2020-10543 The CVEs are applicable regardless of note provider project, e.g., an entry of CVE-2021-20305 will allow vulnerabilities with a note name of either projects/goog-vulnz/notes/CVE-2021-20305 or projects/CUSTOM-PROJECT/notes/CVE-2021-20305.
    blockedCves List<String>
    Optional. A list of specific CVEs to always raise warnings about even if the vulnerability level meets maximumUnfixableSeverity or maximumFixableSeverity. CVEs are listed in the format of Container Analysis note id. For example: - CVE-2021-20305 - CVE-2020-10543 The CVEs are applicable regardless of note provider project, e.g., an entry of CVE-2021-20305 will block vulnerabilities with a note name of either projects/goog-vulnz/notes/CVE-2021-20305 or projects/CUSTOM-PROJECT/notes/CVE-2021-20305.
    containerAnalysisVulnerabilityProjects List<String>
    Optional. The projects where vulnerabilities are stored as Container Analysis Occurrences. Each project is expressed in the resource format of projects/[PROJECT_ID], e.g., projects/my-gcp-project. An attempt will be made for each project to fetch vulnerabilities, and all valid vulnerabilities will be used to check against the vulnerability policy. If no valid scan is found in all projects configured here, an error will be returned for the check.
    maximumFixableSeverity String
    The threshold for severity for which a fix is currently available. This field is required and must be set.
    maximumUnfixableSeverity String
    The threshold for severity for which a fix isn't currently available. This field is required and must be set.
    allowedCves string[]
    Optional. A list of specific CVEs to ignore even if the vulnerability level violates maximumUnfixableSeverity or maximumFixableSeverity. CVEs are listed in the format of Container Analysis note id. For example: - CVE-2021-20305 - CVE-2020-10543 The CVEs are applicable regardless of note provider project, e.g., an entry of CVE-2021-20305 will allow vulnerabilities with a note name of either projects/goog-vulnz/notes/CVE-2021-20305 or projects/CUSTOM-PROJECT/notes/CVE-2021-20305.
    blockedCves string[]
    Optional. A list of specific CVEs to always raise warnings about even if the vulnerability level meets maximumUnfixableSeverity or maximumFixableSeverity. CVEs are listed in the format of Container Analysis note id. For example: - CVE-2021-20305 - CVE-2020-10543 The CVEs are applicable regardless of note provider project, e.g., an entry of CVE-2021-20305 will block vulnerabilities with a note name of either projects/goog-vulnz/notes/CVE-2021-20305 or projects/CUSTOM-PROJECT/notes/CVE-2021-20305.
    containerAnalysisVulnerabilityProjects string[]
    Optional. The projects where vulnerabilities are stored as Container Analysis Occurrences. Each project is expressed in the resource format of projects/[PROJECT_ID], e.g., projects/my-gcp-project. An attempt will be made for each project to fetch vulnerabilities, and all valid vulnerabilities will be used to check against the vulnerability policy. If no valid scan is found in all projects configured here, an error will be returned for the check.
    maximumFixableSeverity string
    The threshold for severity for which a fix is currently available. This field is required and must be set.
    maximumUnfixableSeverity string
    The threshold for severity for which a fix isn't currently available. This field is required and must be set.
    allowed_cves Sequence[str]
    Optional. A list of specific CVEs to ignore even if the vulnerability level violates maximumUnfixableSeverity or maximumFixableSeverity. CVEs are listed in the format of Container Analysis note id. For example: - CVE-2021-20305 - CVE-2020-10543 The CVEs are applicable regardless of note provider project, e.g., an entry of CVE-2021-20305 will allow vulnerabilities with a note name of either projects/goog-vulnz/notes/CVE-2021-20305 or projects/CUSTOM-PROJECT/notes/CVE-2021-20305.
    blocked_cves Sequence[str]
    Optional. A list of specific CVEs to always raise warnings about even if the vulnerability level meets maximumUnfixableSeverity or maximumFixableSeverity. CVEs are listed in the format of Container Analysis note id. For example: - CVE-2021-20305 - CVE-2020-10543 The CVEs are applicable regardless of note provider project, e.g., an entry of CVE-2021-20305 will block vulnerabilities with a note name of either projects/goog-vulnz/notes/CVE-2021-20305 or projects/CUSTOM-PROJECT/notes/CVE-2021-20305.
    container_analysis_vulnerability_projects Sequence[str]
    Optional. The projects where vulnerabilities are stored as Container Analysis Occurrences. Each project is expressed in the resource format of projects/[PROJECT_ID], e.g., projects/my-gcp-project. An attempt will be made for each project to fetch vulnerabilities, and all valid vulnerabilities will be used to check against the vulnerability policy. If no valid scan is found in all projects configured here, an error will be returned for the check.
    maximum_fixable_severity str
    The threshold for severity for which a fix is currently available. This field is required and must be set.
    maximum_unfixable_severity str
    The threshold for severity for which a fix isn't currently available. This field is required and must be set.
    allowedCves List<String>
    Optional. A list of specific CVEs to ignore even if the vulnerability level violates maximumUnfixableSeverity or maximumFixableSeverity. CVEs are listed in the format of Container Analysis note id. For example: - CVE-2021-20305 - CVE-2020-10543 The CVEs are applicable regardless of note provider project, e.g., an entry of CVE-2021-20305 will allow vulnerabilities with a note name of either projects/goog-vulnz/notes/CVE-2021-20305 or projects/CUSTOM-PROJECT/notes/CVE-2021-20305.
    blockedCves List<String>
    Optional. A list of specific CVEs to always raise warnings about even if the vulnerability level meets maximumUnfixableSeverity or maximumFixableSeverity. CVEs are listed in the format of Container Analysis note id. For example: - CVE-2021-20305 - CVE-2020-10543 The CVEs are applicable regardless of note provider project, e.g., an entry of CVE-2021-20305 will block vulnerabilities with a note name of either projects/goog-vulnz/notes/CVE-2021-20305 or projects/CUSTOM-PROJECT/notes/CVE-2021-20305.
    containerAnalysisVulnerabilityProjects List<String>
    Optional. The projects where vulnerabilities are stored as Container Analysis Occurrences. Each project is expressed in the resource format of projects/[PROJECT_ID], e.g., projects/my-gcp-project. An attempt will be made for each project to fetch vulnerabilities, and all valid vulnerabilities will be used to check against the vulnerability policy. If no valid scan is found in all projects configured here, an error will be returned for the check.
    maximumFixableSeverity String
    The threshold for severity for which a fix is currently available. This field is required and must be set.
    maximumUnfixableSeverity String
    The threshold for severity for which a fix isn't currently available. This field is required and must be set.
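    The five VulnerabilityCheck fields above interact, so the following is a Python model of how they combine, added for this page; it is not the Binary Authorization evaluator and not Pulumi SDK code. It assumes the documented behaviour (blockedCves always fail, allowedCves are ignored even above threshold, fixable and unfixable findings are compared against their own threshold, only the configured projects are consulted and all valid scans are merged, and no valid scan at all is an error). The severity ordering MINIMAL < LOW < MEDIUM < HIGH < CRITICAL is an assumption modelled on Container Analysis severity names; the sample data and the CVE-1900-* identifiers are constructed placeholders.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Added example modelling the VulnerabilityCheckResponse fields on this page.
# Not the Binary Authorization evaluator. Severity ordering is an assumption.
SEVERITY_RANK = {"MINIMAL": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass
class VulnerabilityCheck:
    maximum_fixable_severity: str
    maximum_unfixable_severity: str
    allowed_cves: List[str] = field(default_factory=list)
    blocked_cves: List[str] = field(default_factory=list)
    container_analysis_vulnerability_projects: List[str] = field(default_factory=list)


@dataclass
class Vulnerability:
    """One vulnerability occurrence (constructed shape, not the real API type)."""
    note_name: str        # e.g. projects/goog-vulnz/notes/CVE-2021-20305
    severity: str
    fix_available: bool


@dataclass
class CheckResult:
    error: Optional[str]
    violations: List[Tuple[str, str]]   # (CVE id, reason)

    @property
    def passed(self) -> bool:
        return self.error is None and not self.violations


def cve_id(note_name: str) -> str:
    """CVEs apply regardless of note provider project, so compare only the note id."""
    return note_name.rsplit("/", 1)[-1]


def evaluate(check: VulnerabilityCheck,
             scans: Dict[str, Optional[List[Vulnerability]]]) -> CheckResult:
    """Evaluate an image's scans against the check.

    `scans` maps a project resource name (projects/[PROJECT_ID]) to that
    project's occurrences, or None when the project holds no valid scan.
    """
    for sev in (check.maximum_fixable_severity, check.maximum_unfixable_severity):
        if sev not in SEVERITY_RANK:
            return CheckResult(f"unknown severity threshold {sev!r}", [])

    # Only configured projects are consulted; every valid scan is merged.
    valid = [scans.get(p) for p in check.container_analysis_vulnerability_projects]
    valid = [v for v in valid if v is not None]
    if not valid:
        return CheckResult("no valid scan found in configured projects", [])

    allowed, blocked = set(check.allowed_cves), set(check.blocked_cves)
    violations: List[Tuple[str, str]] = []
    for vulns in valid:
        for v in vulns:
            cve = cve_id(v.note_name)
            if cve in blocked:
                violations.append((cve, "listed in blocked_cves"))
                continue
            if cve in allowed:
                continue    # ignored even if it exceeds the thresholds
            threshold = (check.maximum_fixable_severity if v.fix_available
                         else check.maximum_unfixable_severity)
            # Unknown severity strings are treated as CRITICAL (conservative assumption).
            if SEVERITY_RANK.get(v.severity, 4) > SEVERITY_RANK[threshold]:
                kind = "fixable" if v.fix_available else "unfixable"
                violations.append((cve, f"{kind} {v.severity} exceeds {threshold}"))
    return CheckResult(None, violations)


# Constructed sample input; the CVE-1900-* ids are placeholders, not real CVEs.
EXAMPLE_CHECK = VulnerabilityCheck(
    maximum_fixable_severity="MEDIUM",
    maximum_unfixable_severity="HIGH",
    allowed_cves=["CVE-2020-10543"],
    blocked_cves=["CVE-2021-20305"],
    container_analysis_vulnerability_projects=["projects/my-gcp-project"],
)
EXAMPLE_SCANS: Dict[str, Optional[List[Vulnerability]]] = {
    "projects/my-gcp-project": [
        Vulnerability("projects/goog-vulnz/notes/CVE-2021-20305", "LOW", True),
        Vulnerability("projects/CUSTOM-PROJECT/notes/CVE-2020-10543", "CRITICAL", True),
        Vulnerability("projects/goog-vulnz/notes/CVE-1900-0001", "HIGH", True),
        Vulnerability("projects/goog-vulnz/notes/CVE-1900-0002", "HIGH", False),
        Vulnerability("projects/goog-vulnz/notes/CVE-1900-0003", "CRITICAL", False),
    ],
    # Not listed in the check, so never consulted.
    "projects/unconfigured-project": [
        Vulnerability("projects/goog-vulnz/notes/CVE-1900-0004", "CRITICAL", True),
    ],
}

if __name__ == "__main__":
    for cve, reason in evaluate(EXAMPLE_CHECK, EXAMPLE_SCANS).violations:
        print(cve, reason)
```

    With the sample data the check fails on three findings: CVE-2021-20305 because it is in blockedCves regardless of its LOW severity, CVE-1900-0001 because a fixable HIGH exceeds maximumFixableSeverity MEDIUM, and CVE-1900-0003 because an unfixable CRITICAL exceeds maximumUnfixableSeverity HIGH. CVE-2020-10543 is skipped through allowedCves even though its note lives under a custom provider project, and the finding in the unconfigured project is never seen, which is the practical reason to list every project that receives scans in containerAnalysisVulnerabilityProjects.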

    Package Details

    Repository
    Google Cloud Native pulumi/pulumi-google-native
    License
    Apache-2.0