Add builtin functions for OCI artifacts discovery #3169
st3penta wants to merge 2 commits into conforma:main from
Conversation
CodeRabbit Walkthrough

Adds OCI artifact discovery (legacy tag-based and OCI Referrers API) with two new OPA builtins, example Rego policies, acceptance tests, referrers-aware image signing/attestation helpers, documentation pages, and a registry image update to exercise the Referrers API.
Sequence Diagram (Mermaid source):
sequenceDiagram
participant Test as Test Harness
participant Image as Image Builder
participant Rekor as Transparency Log (Rekor)
participant Registry as OCI Registry (Referrers API)
rect rgba(200,200,255,0.5)
Test->>Image: trigger CreateAndPushImageSignatureReferrer(image, key)
Image->>Image: build signature payload & bundle
Image->>Rekor: upload transparency bundle
Rekor-->>Image: return bundle info & log entry
Image->>Registry: push signature referrer (with bundle annotations)
Registry-->>Image: acknowledge referrer
Image-->>Test: record referrer state
end
Review Summary by Qodo: Add OCI artifact discovery builtins for tag-based and Referrers API approaches
Walkthroughs

Description:
• Add two new OCI artifact discovery builtins: ec.oci.image_tag_refs() and ec.oci.image_referrers()
• Support legacy tag-based artifact discovery using cosign conventions (.sig, .att, .sbom suffixes)
• Support modern OCI Referrers API for discovering attached artifacts via manifest subject field
• Refactor signature/attestation creation to support both tag-based and referrer-based approaches
• Update test registry from Docker Registry to Zot for proper OCI Referrers API support

Diagram (Mermaid source):
flowchart LR
A["OCI Image Reference"] -->|"ec.oci.image_tag_refs()"| B["Tag-based Artifacts<br/>(.sig, .att, .sbom)"]
A -->|"ec.oci.image_referrers()"| C["OCI Referrers API<br/>Artifacts"]
B --> D["Array of References"]
C --> E["Array of Descriptors<br/>with metadata"]
F["Signature/Attestation<br/>Creation"] -->|"Legacy Tags"| G["Tag-based Storage"]
F -->|"OCI Referrers"| H["Referrer-based Storage"]
File Changes: 1. internal/rego/oci/oci.go

Code Review by Qodo: 1. Referrers digest field misnamed
Actionable comments posted: 7
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@acceptance/examples/image_referrers.rego`:
- Around line 8-15: The rule deny (deny contains result if) incorrectly requires
refs := ec.oci.image_referrers(input.image.ref) to have exactly two entries
(count(refs) != 2); change it to assert the presence of the specific artifact
types you care about instead of exact count. Replace the count(refs) != 2 check
with existence checks on refs for the signature and attestation descriptors
(e.g., ensure there exists r in refs with r.artifactType ==
"<signature-artifact-type>" and there exists r in refs with r.artifactType ==
"<attestation-artifact-type>" or use filtered lists and count(filtered) >= 1),
keeping the call to ec.oci.image_referrers and the deny rule name unchanged.
Ensure the result message reflects missing artifact types rather than wrong
total count.
In `@acceptance/examples/image_tag_refs.rego`:
- Around line 8-25: The policy uses ec.oci.image_tag_refs(input.image.ref)
directly which includes .sbom tags and causes the count/format rules (the deny
blocks and all_refs_valid_format/valid_suffix checks) to reject images with
legacy SBOMs; update both uses (including the other occurrence around lines
55-75) to first filter the refs to only the suffixes you care about (e.g.,
signatures/attestations) or explicitly allow .sbom: create a filtered list like
filtered_refs := [r | r := refs[_]; not endswith(r, ".sbom")] (or include only
specific suffixes) and then use filtered_refs in the count check and
all_refs_valid_format/valid_suffix checks so .sbom entries no longer cause false
rejections (or document/allow .sbom if desired).
In `@acceptance/image/image.go`:
- Around line 418-419: The code currently saves the subject image digest
(digestRef.String()) into state.ReferrerSignatures and
state.ReferrerImageSignatures, so later readers cannot find the actual referrer
artifact; change the assignments to store the referrer artifact identifier
produced when writing the referrer (e.g., use the referrer reference/descriptor
string such as referrerRef.String() or the referrer descriptor's Digest.String()
or the variable that holds the created referrer descriptor) instead of
digestRef.String(), and make the identical fix for the other occurrence (the
ReferrerAttestations assignment noted in the comment).
In `@acceptance/registry/registry.go`:
- Around line 43-44: The constant registryImage currently uses a mutable,
amd64-specific value; update the registryImage constant to a pinned, multi-arch
Zot release (either a stable release tag like "ghcr.io/project-zot/zot:v0.x.y"
or a specific sha256 digest) and remove the "-linux-amd64" suffix so the image
is cross-platform and reproducible; locate the registryImage constant in this
file and replace its string with the chosen pinned tag or digest and run the
acceptance suite to verify compatibility.
In `@docs/modules/ROOT/pages/ec_oci_image_referrers.adoc`:
- Around line 1-15: The docs for ec.oci.image_referrers are missing usage
examples and a clear return shape; update the page to include an "Example"
section showing a concrete call to
ec.oci.image_referrers("registry.example.com/myimage:v1.0") and illustrate the
returned array of objects with fields artifactType, digest, mediaType, and size
(show two sample entries), and also add a short "Errors / Fallbacks" note
describing behavior when the registry does not support the OCI Referrers API
(e.g., returns empty array or raises an error) and any retry or timeout
semantics so callers know how to handle failures.
In `@docs/modules/ROOT/pages/ec_oci_image_tag_refs.adoc`:
- Around line 1-15: Add concrete examples and clarify tag format for
ec.oci.image_tag_refs: update the docs for the function name
ec.oci.image_tag_refs and parameter `ref` to include an "Example" section that
shows calling ec.oci.image_tag_refs("registry.example.com/myimage:v1.0") and the
expected returned `refs` array with concrete tag-based artifact references (e.g.
registry.example.com/myimage:sha256-<digest>.sig, :sha256-<digest>.att,
:sha256-<digest>.sbom), and add one-line descriptions that .sig = signature,
.att = attestation, .sbom = software bill of materials so users understand the
suffix meanings.
In `@internal/rego/oci/oci.go`:
- Around line 1392-1427: The code treats any error from
ociremote.SignatureTag/AttestationTag/SBOMTag and client.Head as "artifact
missing" and continues, which hides auth/transient registry errors; modify the
discovery logic in the ociremote tag-check blocks (symbols:
ociremote.SignatureTag, ociremote.AttestationTag, ociremote.SBOMTag, and
client.Head, and the tagRefs append logic) to distinguish true-not-found cases
from other errors (e.g., inspect and match the registry error or HTTP status),
and on non-not-found/auth/temporary errors return or propagate an error (abort
discovery) instead of appending nothing—only treat NotFound/DoesNotExist as
missing and continue. Ensure the function returns an error when discovery fails
due to registry/auth issues so callers honor the contract that partial discovery
errors are reported.
⛔ Files ignored due to path filters (1)
- features/__snapshots__/validate_image.snap is excluded by !**/*.snap
📒 Files selected for processing (11)
- acceptance/examples/image_referrers.rego
- acceptance/examples/image_tag_refs.rego
- acceptance/image/image.go
- acceptance/registry/registry.go
- docs/modules/ROOT/pages/ec_oci_image_referrers.adoc
- docs/modules/ROOT/pages/ec_oci_image_tag_refs.adoc
- docs/modules/ROOT/pages/rego_builtins.adoc
- docs/modules/ROOT/partials/rego_nav.adoc
- features/validate_image.feature
- internal/rego/oci/oci.go
- internal/rego/oci/oci_test.go
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
internal/rego/oci/oci_test.go (1)
1250-1270: ⚠️ Potential issue | 🟡 Minor
Missing ociImageReferrersName in registration test. The TestFunctionsRegistered test verifies that builtins are registered, but only ociImageTagRefsName was added. The new ociImageReferrersName builtin should also be included to ensure both new builtins are properly registered.
🔧 Proposed fix:
func TestFunctionsRegistered(t *testing.T) { names := []string{ ociBlobName, ociBlobFilesName, ociDescriptorName, ociImageFilesName, ociImageManifestName, ociImageManifestsBatchName, ociImageIndexName, ociImageTagRefsName, + ociImageReferrersName, }
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@internal/rego/oci/oci_test.go` around lines 1250 - 1270, The test TestFunctionsRegistered is missing the new builtin identifier ociImageReferrersName in its names list; update the names slice inside TestFunctionsRegistered to include ociImageReferrersName alongside ociImageTagRefsName so the loop checks registration of the new builtin (ensure you modify the names slice where ociBlobName, ociBlobFilesName, ..., ociImageTagRefsName are declared in internal/rego/oci/oci_test.go).
🚧 Files skipped from review as they are similar to previous changes (4)
- docs/modules/ROOT/pages/ec_oci_image_tag_refs.adoc
- features/validate_image.feature
- acceptance/registry/registry.go
- docs/modules/ROOT/pages/rego_builtins.adoc
Actionable comments posted: 1
🧹 Nitpick comments (1)
internal/rego/oci/oci_test.go (1)
1615-1647: Assert real artifactType values in this suite. These fixtures are plain random.Image() manifests, and lines 1769-1780 only verify that artifactType exists. A regression that returns artifactType: "" for every descriptor would still pass here even though acceptance/examples/image_referrers.rego depends on the exact signature and attestation types. Set explicit artifact types on the referrer fixtures and assert the returned values.
Also applies to: 1768-1780
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@internal/rego/oci/oci_test.go` around lines 1615 - 1647, The test currently creates random referrer images (sigImgWithSubject, attImgWithSubject via mutate.Subject and imgDescriptor) but never sets or asserts explicit OCI artifactType, which can mask regressions; update the referrer fixtures by setting the descriptor's artifactType (e.g., use mutate.Annotations or construct a new descriptor with ArtifactType "application/vnd.cncf.sig" for signatures and "application/vnd.cncf.attestation" for attestations, or use the appropriate helper to set the ArtifactType on sigImgWithSubject and attImgWithSubject before writing), then after pushing (after remote.Write using sigDigestRef/attDigestRef) add require.Equal checks asserting the returned descriptor artifactType equals the expected signature and attestation MIME types so the test fails if artifactType is empty or incorrect.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@internal/rego/oci/oci.go`:
- Around line 1408-1451: The ociImageTagRefs helper is incorrectly returning
hard errors when client.Head() fails for tag-based artifacts (see the sigTag,
attTag, and sbomTag handling blocks that call client.Head), which violates the
builtins contract to degrade to “no value” on failure; change each branch that
currently does "return nil, fmt.Errorf(...)" to instead log the error
(preserving the existing logger.WithFields(...).Error call) and continue
execution without returning, so the function skips that tag and allows policy
evaluation to proceed (keep the existing isNotFoundError handling and only avoid
returning on other client.Head errors).
🚧 Files skipped from review as they are similar to previous changes (4)
- docs/modules/ROOT/partials/rego_nav.adoc
- acceptance/registry/registry.go
- docs/modules/ROOT/pages/rego_builtins.adoc
- docs/modules/ROOT/pages/ec_oci_image_referrers.adoc
Implement ec.oci.image_tag_refs() builtin to discover artifacts attached to images using legacy cosign tag conventions (.sig, .att, .sbom suffixes). This enables policy rules to locate and validate tag-based signatures, attestations, and SBOMs alongside the newer OCI Referrers API approach. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> Ref: https://issues.redhat.com/browse/EC-1655
Implement ec.oci.image_referrers() builtin to discover artifacts attached to images via the OCI Referrers API. Returns descriptors with mediaType, size, digest, and artifactType for all referrers, enabling policy rules to validate modern OCI artifact associations without relying on legacy tag-based conventions. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> Ref: https://issues.redhat.com/browse/EC-1655
Add two new rego builtins for discovering artifacts attached to OCI images:
- ec.oci.image_tag_refs() - discovers artifacts using legacy cosign tag conventions (.sig, .att, .sbom suffixes)
- ec.oci.image_referrers() - discovers artifacts via the OCI Referrers API

Both builtins enable policy rules to list all the signatures, attestations, and SBOMs that are attached to a container image.
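An added illustration, not code from this PR or from the conforma project, of the cosign tag convention the first builtin relies on and of the not-found-versus-other-error distinction the review comments above argue over: `legacyTagRefs` and `discoverTagRefs` are hypothetical stand-alone functions, `head` stands in for a registry HEAD request that yields an HTTP status, and the registry in `main` is a constructed fake.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)
// legacyTagRefs derives cosign's legacy tag names from a digest reference: the
// artifacts live in the image's own repository as <repo>:sha256-<hex>.{sig,att,sbom}.
func legacyTagRefs(imageRef string) ([]string, error) {
	repo, digest, ok := strings.Cut(imageRef, "@")
	if !ok || !strings.HasPrefix(digest, "sha256:") || len(digest) != len("sha256:")+64 {
		return nil, fmt.Errorf("reference %q has no usable sha256 digest", imageRef)
	}
	// Strip a tag (repo:tag@sha256:...) but keep a registry port (host:5000/repo).
	if i := strings.LastIndex(repo, ":"); i > strings.LastIndex(repo, "/") {
		repo = repo[:i]
	}
	base := repo + ":sha256-" + strings.TrimPrefix(digest, "sha256:")
	return []string{base + ".sig", base + ".att", base + ".sbom"}, nil
}

// discoverTagRefs keeps the candidates that exist; head stands in for a registry HEAD
// request and yields its HTTP status. Only 404 means "artifact absent": auth (401/403)
// and server errors abort discovery so an unreachable registry never reads as "unsigned".
func discoverTagRefs(imageRef string, head func(string) int) ([]string, error) {
	candidates, err := legacyTagRefs(imageRef)
	if err != nil {
		return nil, err
	}
	var found []string
	for _, ref := range candidates {
		switch status := head(ref); {
		case status == http.StatusOK:
			found = append(found, ref)
		case status != http.StatusNotFound:
			return nil, fmt.Errorf("HEAD %s: unexpected status %d", ref, status)
		}
	}
	return found, nil
}
func main() {
	onlySig := func(ref string) int { // constructed fake registry: only the .sig tag exists
		if strings.HasSuffix(ref, ".sig") {
			return http.StatusOK
		}
		return http.StatusNotFound
	}
	fmt.Println(discoverTagRefs("registry.example.com/myimage:v1.0@sha256:"+strings.Repeat("ab", 32), onlySig))
}
```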