Slot: policy
The policy the subject was verified against. MUST contain a URI; SHOULD contain a digest identifying the exact policy version.
URI: slsa:policy
Alias: policy
Applicable Classes
Properties
Type and Range
Cardinality and Requirements
| Property | Value |
| --- | --- |
| Required | Yes |
In Subsets
Notes
- SSF Policy Engine layer (CNCF TAG-Security): In the SSF reference architecture, the policy consumed here is enforced at admission time by a Policy Engine such as OPA/Gatekeeper or Kyverno. These engines consume Verification Summary Attestations (VSAs) to verify that an artifact meets the required SLSA level before allowing deployment. Best practice is to reference a versioned, content-addressed policy document so verifiers can reconstruct the exact policy evaluated.
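The check a verifier can run on this slot before trusting a VSA, as an added example that is not part of the schema or of any policy engine's code. It assumes the predicate is already parsed JSON and that `policy` is a ResourceDescriptor with `uri` and a `digest` map keyed by algorithm; `check_policy`, the sample URI and the sample policy text are hypothetical.

```python
import hashlib

# Constructed sample data: a local copy of the policy document and its URI.
POLICY_URI = "https://example.com/policies/deploy-v3.rego"
POLICY_DOC = b"package admission\ndefault allow = false\n"

# Constructed VSA predicate fragment that pins the policy by sha256.
SAMPLE_PREDICATE = {
    "policy": {
        "uri": POLICY_URI,
        "digest": {"sha256": hashlib.sha256(POLICY_DOC).hexdigest()},
    },
    "verificationResult": "PASSED",
}


def check_policy(predicate, expected_uri, policy_bytes):
    """Return (accepted, findings) for the `policy` slot of a VSA predicate."""
    policy = predicate.get("policy")
    if not isinstance(policy, dict):
        return False, ["policy: required slot is missing or not an object"]

    uri = policy.get("uri")
    if not isinstance(uri, str) or not uri:
        return False, ["policy.uri: MUST be present"]
    if uri != expected_uri:
        return False, ["policy.uri: not the policy this verifier enforces"]

    digest = policy.get("digest")
    claimed = digest.get("sha256") if isinstance(digest, dict) else None
    if claimed is None:
        # SHOULD, not MUST: accept, but record that the exact policy
        # version evaluated cannot be reconstructed from this VSA.
        return True, ["policy.digest: absent, policy version is not pinned"]

    actual = hashlib.sha256(policy_bytes).hexdigest()
    if actual != str(claimed).lower():
        return False, ["policy.digest: sha256 does not match local policy"]
    return True, []


if __name__ == "__main__":
    print(check_policy(SAMPLE_PREDICATE, POLICY_URI, POLICY_DOC))
```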
Schema Source
- from schema: https://w3id.org/lmodel/slsa
Mappings
| Mapping Type | Mapped Value |
| --- | --- |
| self | slsa:policy |
| native | slsa:policy |
LinkML Source
```yaml
name: policy
description: The policy the subject was verified against. MUST contain a URI; SHOULD
  contain a digest identifying the exact policy version.
notes:
- 'SSF Policy Engine layer (CNCF TAG-Security): In the SSF reference architecture,
  the policy consumed here is enforced at admission time by a Policy Engine such as
  OPA/Gatekeeper or Kyverno. These engines consume Verification Summary Attestations
  (VSAs) to verify that an artifact meets the required SLSA level before allowing
  deployment. Best practice is to reference a versioned, content-addressed policy
  document so verifiers can reconstruct the exact policy evaluated.'
in_subset:
- slsa_build_track
- slsa_source_track
from_schema: https://w3id.org/lmodel/slsa
rank: 1000
alias: policy
domain_of:
- VerificationSummaryAttestation
range: ResourceDescriptor
required: true
inlined: true
```