BINARYAUTHORIZATION
binaryauthorization.projects.attestors.create
enum_PkixPublicKeySignatureAlgorithm := [ "SIGNATURE_ALGORITHM_UNSPECIFIED", "RSA_PSS_2048_SHA256", "RSA_SIGN_PSS_2048_SHA256", "RSA_PSS_3072_SHA256", "RSA_SIGN_PSS_3072_SHA256", "RSA_PSS_4096_SHA256", "RSA_SIGN_PSS_4096_SHA256", "RSA_PSS_4096_SHA512", "RSA_SIGN_PSS_4096_SHA512", "RSA_SIGN_PKCS1_2048_SHA256", "RSA_SIGN_PKCS1_3072_SHA256", "RSA_SIGN_PKCS1_4096_SHA256", "RSA_SIGN_PKCS1_4096_SHA512", "ECDSA_P256_SHA256", "EC_SIGN_P256_SHA256", "ECDSA_P384_SHA384", "EC_SIGN_P384_SHA384", "ECDSA_P521_SHA512", "EC_SIGN_P521_SHA512" ]
valid {
input.Body.description == STRING
input.Body.etag == STRING
input.Body.name == STRING
input.Body.userOwnedGrafeasNote.noteReference == STRING
input.Body.userOwnedGrafeasNote.publicKeys[_].asciiArmoredPgpPublicKey == STRING
input.Body.userOwnedGrafeasNote.publicKeys[_].comment == STRING
input.Body.userOwnedGrafeasNote.publicKeys[_].id == STRING
input.Body.userOwnedGrafeasNote.publicKeys[_].pkixPublicKey.keyId == STRING
input.Body.userOwnedGrafeasNote.publicKeys[_].pkixPublicKey.publicKeyPem == STRING
input.Body.userOwnedGrafeasNote.publicKeys[_].pkixPublicKey.signatureAlgorithm == enum_PkixPublicKeySignatureAlgorithm[_]
input.ReqMap.parent == STRING
input.Qs.attestorId == STRING
input.ProviderMetadata.Region == STRING
}
binaryauthorization.projects.attestors.delete
valid {
input.ReqMap.name == STRING
input.ProviderMetadata.Region == STRING
}
binaryauthorization.projects.attestors.get
valid {
input.ReqMap.name == STRING
input.ProviderMetadata.Region == STRING
}
binaryauthorization.projects.attestors.getIamPolicy
valid {
input.ReqMap.resource == STRING
input.Qs.options.requestedPolicyVersion == INTEGER
input.ProviderMetadata.Region == STRING
}
binaryauthorization.projects.attestors.list
valid {
input.ReqMap.parent == STRING
input.Qs.pageSize == INTEGER
input.Qs.pageToken == STRING
input.ProviderMetadata.Region == STRING
}
binaryauthorization.projects.attestors.setIamPolicy
valid {
input.Body.policy.bindings[_].condition.description == STRING
input.Body.policy.bindings[_].condition.expression == STRING
input.Body.policy.bindings[_].condition.location == STRING
input.Body.policy.bindings[_].condition.title == STRING
input.Body.policy.bindings[_].members[_] == STRING
input.Body.policy.bindings[_].role == STRING
input.Body.policy.etag == STRING
input.Body.policy.version == INTEGER
input.ReqMap.resource == STRING
input.ProviderMetadata.Region == STRING
}
binaryauthorization.projects.attestors.testIamPermissions
valid {
input.Body.permissions[_] == STRING
input.ReqMap.resource == STRING
input.ProviderMetadata.Region == STRING
}
binaryauthorization.projects.attestors.update
enum_PkixPublicKeySignatureAlgorithm := [ "SIGNATURE_ALGORITHM_UNSPECIFIED", "RSA_PSS_2048_SHA256", "RSA_SIGN_PSS_2048_SHA256", "RSA_PSS_3072_SHA256", "RSA_SIGN_PSS_3072_SHA256", "RSA_PSS_4096_SHA256", "RSA_SIGN_PSS_4096_SHA256", "RSA_PSS_4096_SHA512", "RSA_SIGN_PSS_4096_SHA512", "RSA_SIGN_PKCS1_2048_SHA256", "RSA_SIGN_PKCS1_3072_SHA256", "RSA_SIGN_PKCS1_4096_SHA256", "RSA_SIGN_PKCS1_4096_SHA512", "ECDSA_P256_SHA256", "EC_SIGN_P256_SHA256", "ECDSA_P384_SHA384", "EC_SIGN_P384_SHA384", "ECDSA_P521_SHA512", "EC_SIGN_P521_SHA512" ]
valid {
input.Body.description == STRING
input.Body.etag == STRING
input.Body.name == STRING
input.Body.userOwnedGrafeasNote.noteReference == STRING
input.Body.userOwnedGrafeasNote.publicKeys[_].asciiArmoredPgpPublicKey == STRING
input.Body.userOwnedGrafeasNote.publicKeys[_].comment == STRING
input.Body.userOwnedGrafeasNote.publicKeys[_].id == STRING
input.Body.userOwnedGrafeasNote.publicKeys[_].pkixPublicKey.keyId == STRING
input.Body.userOwnedGrafeasNote.publicKeys[_].pkixPublicKey.publicKeyPem == STRING
input.Body.userOwnedGrafeasNote.publicKeys[_].pkixPublicKey.signatureAlgorithm == enum_PkixPublicKeySignatureAlgorithm[_]
input.ReqMap.name == STRING
input.ProviderMetadata.Region == STRING
}
binaryauthorization.projects.attestors.validateAttestationOccurrence
valid {
input.Body.attestation.jwts[_].compactJwt == STRING
input.Body.attestation.serializedPayload == STRING
input.Body.attestation.signatures[_].publicKeyId == STRING
input.Body.attestation.signatures[_].signature == STRING
input.Body.occurrenceNote == STRING
input.Body.occurrenceResourceUri == STRING
input.ReqMap.attestor == STRING
input.ProviderMetadata.Region == STRING
}
binaryauthorization.projects.getPolicy
valid {
input.ReqMap.name == STRING
input.ProviderMetadata.Region == STRING
}
binaryauthorization.projects.platforms.gke.policies.evaluate
valid {
input.Body.resource.STRING == ANY
input.ReqMap.name == STRING
input.ProviderMetadata.Region == STRING
}
binaryauthorization.projects.platforms.policies.create
enum_PkixPublicKeySignatureAlgorithm := [ "SIGNATURE_ALGORITHM_UNSPECIFIED", "RSA_PSS_2048_SHA256", "RSA_SIGN_PSS_2048_SHA256", "RSA_PSS_3072_SHA256", "RSA_SIGN_PSS_3072_SHA256", "RSA_PSS_4096_SHA256", "RSA_SIGN_PSS_4096_SHA256", "RSA_PSS_4096_SHA512", "RSA_SIGN_PSS_4096_SHA512", "RSA_SIGN_PKCS1_2048_SHA256", "RSA_SIGN_PKCS1_3072_SHA256", "RSA_SIGN_PKCS1_4096_SHA256", "RSA_SIGN_PKCS1_4096_SHA512", "ECDSA_P256_SHA256", "EC_SIGN_P256_SHA256", "ECDSA_P384_SHA384", "EC_SIGN_P384_SHA384", "ECDSA_P521_SHA512", "EC_SIGN_P521_SHA512" ]
enum_VerificationRuleTrustedBuilder := [ "BUILDER_UNSPECIFIED", "GOOGLE_CLOUD_BUILD" ]
enum_VulnerabilityCheckMaximumFixableSeverity := [ "MAXIMUM_ALLOWED_SEVERITY_UNSPECIFIED", "BLOCK_ALL", "MINIMAL", "LOW", "MEDIUM", "HIGH", "CRITICAL", "ALLOW_ALL" ]
enum_VulnerabilityCheckMaximumUnfixableSeverity := [ "MAXIMUM_ALLOWED_SEVERITY_UNSPECIFIED", "BLOCK_ALL", "MINIMAL", "LOW", "MEDIUM", "HIGH", "CRITICAL", "ALLOW_ALL" ]
valid {
input.Body.description == STRING
input.Body.etag == STRING
input.Body.gkePolicy.checkSets[_].checks[_].alwaysDeny == BOOLEAN
input.Body.gkePolicy.checkSets[_].checks[_].displayName == STRING
input.Body.gkePolicy.checkSets[_].checks[_].imageAllowlist.allowPattern[_] == STRING
input.Body.gkePolicy.checkSets[_].checks[_].imageFreshnessCheck.maxUploadAgeDays == INTEGER
input.Body.gkePolicy.checkSets[_].checks[_].sigstoreSignatureCheck.sigstoreAuthorities[_].displayName == STRING
input.Body.gkePolicy.checkSets[_].checks[_].sigstoreSignatureCheck.sigstoreAuthorities[_].publicKeySet.publicKeys[_].publicKeyPem == STRING
input.Body.gkePolicy.checkSets[_].checks[_].simpleSigningAttestationCheck.attestationAuthenticators[_].displayName == STRING
input.Body.gkePolicy.checkSets[_].checks[_].simpleSigningAttestationCheck.attestationAuthenticators[_].pkixPublicKeySet.pkixPublicKeys[_].keyId == STRING
input.Body.gkePolicy.checkSets[_].checks[_].simpleSigningAttestationCheck.attestationAuthenticators[_].pkixPublicKeySet.pkixPublicKeys[_].publicKeyPem == STRING
input.Body.gkePolicy.checkSets[_].checks[_].simpleSigningAttestationCheck.attestationAuthenticators[_].pkixPublicKeySet.pkixPublicKeys[_].signatureAlgorithm == enum_PkixPublicKeySignatureAlgorithm[_]
input.Body.gkePolicy.checkSets[_].checks[_].simpleSigningAttestationCheck.containerAnalysisAttestationProjects[_] == STRING
input.Body.gkePolicy.checkSets[_].checks[_].slsaCheck.rules[_].attestationSource.containerAnalysisAttestationProjects[_] == STRING
input.Body.gkePolicy.checkSets[_].checks[_].slsaCheck.rules[_].configBasedBuildRequired == BOOLEAN
input.Body.gkePolicy.checkSets[_].checks[_].slsaCheck.rules[_].trustedBuilder == enum_VerificationRuleTrustedBuilder[_]
input.Body.gkePolicy.checkSets[_].checks[_].slsaCheck.rules[_].trustedSourceRepoPatterns[_] == STRING
input.Body.gkePolicy.checkSets[_].checks[_].trustedDirectoryCheck.trustedDirPatterns[_] == STRING
input.Body.gkePolicy.checkSets[_].checks[_].vulnerabilityCheck.allowedCves[_] == STRING
input.Body.gkePolicy.checkSets[_].checks[_].vulnerabilityCheck.blockedCves[_] == STRING
input.Body.gkePolicy.checkSets[_].checks[_].vulnerabilityCheck.containerAnalysisVulnerabilityProjects[_] == STRING
input.Body.gkePolicy.checkSets[_].checks[_].vulnerabilityCheck.maximumFixableSeverity == enum_VulnerabilityCheckMaximumFixableSeverity[_]
input.Body.gkePolicy.checkSets[_].checks[_].vulnerabilityCheck.maximumUnfixableSeverity == enum_VulnerabilityCheckMaximumUnfixableSeverity[_]
input.Body.gkePolicy.checkSets[_].displayName == STRING
input.Body.gkePolicy.checkSets[_].imageAllowlist.allowPattern[_] == STRING
input.Body.gkePolicy.checkSets[_].scope.kubernetesNamespace == STRING
input.Body.gkePolicy.checkSets[_].scope.kubernetesServiceAccount == STRING
input.Body.gkePolicy.imageAllowlist.allowPattern[_] == STRING
input.ReqMap.parent == STRING
input.Qs.policyId == STRING
input.ProviderMetadata.Region == STRING
}
binaryauthorization.projects.platforms.policies.delete
valid {
input.ReqMap.name == STRING
input.Qs.etag == STRING
input.ProviderMetadata.Region == STRING
}
binaryauthorization.projects.platforms.policies.get
valid {
input.ReqMap.name == STRING
input.ProviderMetadata.Region == STRING
}
binaryauthorization.projects.platforms.policies.list
valid {
input.ReqMap.parent == STRING
input.Qs.pageSize == INTEGER
input.Qs.pageToken == STRING
input.ProviderMetadata.Region == STRING
}
binaryauthorization.projects.platforms.policies.replacePlatformPolicy
enum_PkixPublicKeySignatureAlgorithm := [ "SIGNATURE_ALGORITHM_UNSPECIFIED", "RSA_PSS_2048_SHA256", "RSA_SIGN_PSS_2048_SHA256", "RSA_PSS_3072_SHA256", "RSA_SIGN_PSS_3072_SHA256", "RSA_PSS_4096_SHA256", "RSA_SIGN_PSS_4096_SHA256", "RSA_PSS_4096_SHA512", "RSA_SIGN_PSS_4096_SHA512", "RSA_SIGN_PKCS1_2048_SHA256", "RSA_SIGN_PKCS1_3072_SHA256", "RSA_SIGN_PKCS1_4096_SHA256", "RSA_SIGN_PKCS1_4096_SHA512", "ECDSA_P256_SHA256", "EC_SIGN_P256_SHA256", "ECDSA_P384_SHA384", "EC_SIGN_P384_SHA384", "ECDSA_P521_SHA512", "EC_SIGN_P521_SHA512" ]
enum_VerificationRuleTrustedBuilder := [ "BUILDER_UNSPECIFIED", "GOOGLE_CLOUD_BUILD" ]
enum_VulnerabilityCheckMaximumFixableSeverity := [ "MAXIMUM_ALLOWED_SEVERITY_UNSPECIFIED", "BLOCK_ALL", "MINIMAL", "LOW", "MEDIUM", "HIGH", "CRITICAL", "ALLOW_ALL" ]
enum_VulnerabilityCheckMaximumUnfixableSeverity := [ "MAXIMUM_ALLOWED_SEVERITY_UNSPECIFIED", "BLOCK_ALL", "MINIMAL", "LOW", "MEDIUM", "HIGH", "CRITICAL", "ALLOW_ALL" ]
valid {
input.Body.description == STRING
input.Body.etag == STRING
input.Body.gkePolicy.checkSets[_].checks[_].alwaysDeny == BOOLEAN
input.Body.gkePolicy.checkSets[_].checks[_].displayName == STRING
input.Body.gkePolicy.checkSets[_].checks[_].imageAllowlist.allowPattern[_] == STRING
input.Body.gkePolicy.checkSets[_].checks[_].imageFreshnessCheck.maxUploadAgeDays == INTEGER
input.Body.gkePolicy.checkSets[_].checks[_].sigstoreSignatureCheck.sigstoreAuthorities[_].displayName == STRING
input.Body.gkePolicy.checkSets[_].checks[_].sigstoreSignatureCheck.sigstoreAuthorities[_].publicKeySet.publicKeys[_].publicKeyPem == STRING
input.Body.gkePolicy.checkSets[_].checks[_].simpleSigningAttestationCheck.attestationAuthenticators[_].displayName == STRING
input.Body.gkePolicy.checkSets[_].checks[_].simpleSigningAttestationCheck.attestationAuthenticators[_].pkixPublicKeySet.pkixPublicKeys[_].keyId == STRING
input.Body.gkePolicy.checkSets[_].checks[_].simpleSigningAttestationCheck.attestationAuthenticators[_].pkixPublicKeySet.pkixPublicKeys[_].publicKeyPem == STRING
input.Body.gkePolicy.checkSets[_].checks[_].simpleSigningAttestationCheck.attestationAuthenticators[_].pkixPublicKeySet.pkixPublicKeys[_].signatureAlgorithm == enum_PkixPublicKeySignatureAlgorithm[_]
input.Body.gkePolicy.checkSets[_].checks[_].simpleSigningAttestationCheck.containerAnalysisAttestationProjects[_] == STRING
input.Body.gkePolicy.checkSets[_].checks[_].slsaCheck.rules[_].attestationSource.containerAnalysisAttestationProjects[_] == STRING
input.Body.gkePolicy.checkSets[_].checks[_].slsaCheck.rules[_].configBasedBuildRequired == BOOLEAN
input.Body.gkePolicy.checkSets[_].checks[_].slsaCheck.rules[_].trustedBuilder == enum_VerificationRuleTrustedBuilder[_]
input.Body.gkePolicy.checkSets[_].checks[_].slsaCheck.rules[_].trustedSourceRepoPatterns[_] == STRING
input.Body.gkePolicy.checkSets[_].checks[_].trustedDirectoryCheck.trustedDirPatterns[_] == STRING
input.Body.gkePolicy.checkSets[_].checks[_].vulnerabilityCheck.allowedCves[_] == STRING
input.Body.gkePolicy.checkSets[_].checks[_].vulnerabilityCheck.blockedCves[_] == STRING
input.Body.gkePolicy.checkSets[_].checks[_].vulnerabilityCheck.containerAnalysisVulnerabilityProjects[_] == STRING
input.Body.gkePolicy.checkSets[_].checks[_].vulnerabilityCheck.maximumFixableSeverity == enum_VulnerabilityCheckMaximumFixableSeverity[_]
input.Body.gkePolicy.checkSets[_].checks[_].vulnerabilityCheck.maximumUnfixableSeverity == enum_VulnerabilityCheckMaximumUnfixableSeverity[_]
input.Body.gkePolicy.checkSets[_].displayName == STRING
input.Body.gkePolicy.checkSets[_].imageAllowlist.allowPattern[_] == STRING
input.Body.gkePolicy.checkSets[_].scope.kubernetesNamespace == STRING
input.Body.gkePolicy.checkSets[_].scope.kubernetesServiceAccount == STRING
input.Body.gkePolicy.imageAllowlist.allowPattern[_] == STRING
input.ReqMap.name == STRING
input.ProviderMetadata.Region == STRING
}
binaryauthorization.projects.policy.getIamPolicy
valid {
input.ReqMap.resource == STRING
input.Qs.options.requestedPolicyVersion == INTEGER
input.ProviderMetadata.Region == STRING
}
binaryauthorization.projects.policy.setIamPolicy
valid {
input.Body.policy.bindings[_].condition.description == STRING
input.Body.policy.bindings[_].condition.expression == STRING
input.Body.policy.bindings[_].condition.location == STRING
input.Body.policy.bindings[_].condition.title == STRING
input.Body.policy.bindings[_].members[_] == STRING
input.Body.policy.bindings[_].role == STRING
input.Body.policy.etag == STRING
input.Body.policy.version == INTEGER
input.ReqMap.resource == STRING
input.ProviderMetadata.Region == STRING
}
binaryauthorization.projects.policy.testIamPermissions
valid {
input.Body.permissions[_] == STRING
input.ReqMap.resource == STRING
input.ProviderMetadata.Region == STRING
}
binaryauthorization.projects.updatePolicy
enum_AdmissionRuleEnforcementMode := [ "ENFORCEMENT_MODE_UNSPECIFIED", "ENFORCED_BLOCK_AND_AUDIT_LOG", "DRYRUN_AUDIT_LOG_ONLY" ]
enum_AdmissionRuleEvaluationMode := [ "EVALUATION_MODE_UNSPECIFIED", "ALWAYS_ALLOW", "REQUIRE_ATTESTATION", "ALWAYS_DENY" ]
enum_PolicyGlobalPolicyEvaluationMode := [ "GLOBAL_POLICY_EVALUATION_MODE_UNSPECIFIED", "ENABLE", "DISABLE" ]
valid {
input.Body.admissionWhitelistPatterns[_].namePattern == STRING
input.Body.clusterAdmissionRules.STRING.enforcementMode == enum_AdmissionRuleEnforcementMode[_]
input.Body.clusterAdmissionRules.STRING.evaluationMode == enum_AdmissionRuleEvaluationMode[_]
input.Body.clusterAdmissionRules.STRING.requireAttestationsBy[_] == STRING
input.Body.defaultAdmissionRule.enforcementMode == enum_AdmissionRuleEnforcementMode[_]
input.Body.defaultAdmissionRule.evaluationMode == enum_AdmissionRuleEvaluationMode[_]
input.Body.defaultAdmissionRule.requireAttestationsBy[_] == STRING
input.Body.description == STRING
input.Body.etag == STRING
input.Body.globalPolicyEvaluationMode == enum_PolicyGlobalPolicyEvaluationMode[_]
input.Body.istioServiceIdentityAdmissionRules.STRING.enforcementMode == enum_AdmissionRuleEnforcementMode[_]
input.Body.istioServiceIdentityAdmissionRules.STRING.evaluationMode == enum_AdmissionRuleEvaluationMode[_]
input.Body.istioServiceIdentityAdmissionRules.STRING.requireAttestationsBy[_] == STRING
input.Body.kubernetesNamespaceAdmissionRules.STRING.enforcementMode == enum_AdmissionRuleEnforcementMode[_]
input.Body.kubernetesNamespaceAdmissionRules.STRING.evaluationMode == enum_AdmissionRuleEvaluationMode[_]
input.Body.kubernetesNamespaceAdmissionRules.STRING.requireAttestationsBy[_] == STRING
input.Body.kubernetesServiceAccountAdmissionRules.STRING.enforcementMode == enum_AdmissionRuleEnforcementMode[_]
input.Body.kubernetesServiceAccountAdmissionRules.STRING.evaluationMode == enum_AdmissionRuleEvaluationMode[_]
input.Body.kubernetesServiceAccountAdmissionRules.STRING.requireAttestationsBy[_] == STRING
input.ReqMap.name == STRING
input.ProviderMetadata.Region == STRING
}
binaryauthorization.systempolicy.getPolicy
valid {
input.ReqMap.name == STRING
input.ProviderMetadata.Region == STRING
}
Updated 8 days ago