Sample policies for use with policy-controller live in the examples directory of the project.

Images have a signed SPDX SBOM attestation from a custom key

```yaml
# This sample policy asserts that all images must have a signed SPDX SBOM (spdxjson) attestation using a custom key.
apiVersion: policy.sigstore.dev/v1alpha1
kind: ClusterImagePolicy
metadata:
  name: custom-key-attestation-sbom-spdxjson
spec:
  images:
  - glob: "**"
  authorities:
  - name: custom-key
    key:
      data: |
        -----BEGIN PUBLIC KEY-----
        MFkwEwY...
```
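What a "signed SPDX SBOM (spdxjson) attestation" looks like on the wire, as an added example that is not part of the original page or the policy-controller project: it goes beyond the policy text to show the DSSE envelope and in-toto statement fields that must line up before the key check means anything. The function names, the sample envelope, the image name and the digest are constructed for illustration; signature verification itself is left to cosign and policy-controller.

```python
import base64
import json

SPDX_PREDICATE = "https://spdx.dev/Document"  # URI cosign writes for --type spdxjson
INTOTO_PAYLOAD = "application/vnd.in-toto+json"

def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE pre-authentication encoding: the exact bytes the custom key signs."""
    t = payload_type.encode()
    return b"DSSEv1 %d %s %d %s" % (len(t), t, len(payload), payload)

def check_envelope(envelope: dict, image_sha256: str) -> list:
    """List reasons the envelope is not an SPDX SBOM attestation for the image.

    Structural checks only; the signature over pae() must still be verified
    against the policy's public key, which cosign and policy-controller do.
    """
    problems = []
    if envelope.get("payloadType") != INTOTO_PAYLOAD:
        problems.append("payloadType is not in-toto")
    if not envelope.get("signatures"):
        problems.append("no signatures")
    try:
        stmt = json.loads(base64.b64decode(envelope.get("payload", ""), validate=True))
    except (ValueError, TypeError):
        stmt = None
    if not isinstance(stmt, dict):
        return problems + ["payload is not a base64 JSON statement"]
    if stmt.get("predicateType") != SPDX_PREDICATE:
        problems.append("predicateType is not SPDX")
    subjects = [s for s in (stmt.get("subject") or []) if isinstance(s, dict)]
    if image_sha256 not in {(s.get("digest") or {}).get("sha256") for s in subjects}:
        problems.append("subject does not match image digest")
    return problems

def sample_envelope(predicate_type: str, sha256: str) -> dict:
    """Constructed envelope for the demo; the signature is a placeholder."""
    stmt = {"_type": "https://in-toto.io/Statement/v0.1",
            "predicateType": predicate_type,
            "subject": [{"name": "registry.example/app", "digest": {"sha256": sha256}}],
            "predicate": {"spdxVersion": "SPDX-2.3"}}
    payload = base64.b64encode(json.dumps(stmt).encode()).decode()
    return {"payloadType": INTOTO_PAYLOAD, "payload": payload,
            "signatures": [{"keyid": "", "sig": "PLACEHOLDER"}]}

if __name__ == "__main__":
    digest = "a" * 64  # constructed digest
    print(check_envelope(sample_envelope(SPDX_PREDICATE, digest), digest))
    print(check_envelope(sample_envelope("https://cyclonedx.org/bom", digest), digest))
```

An attestation of another predicate type, or one whose subject is a different digest, fails these checks even when it is validly signed by the same key.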