policy-strict.json
1 { 2 "$schema": "../spec/policy-schema.json", 3 "version": "1", 4 "description": "Strict trust policy - requires known signers and attestations", 5 6 "default_action": "deny", 7 8 "signers": { 9 "allowed": [ 10 { 11 "key_id": "cerro-official-*", 12 "required": true, 13 "comment": "Must be signed by Cerro Torre official key" 14 } 15 ], 16 "threshold": 1 17 }, 18 19 "registries": { 20 "allowed": [ 21 "docker.io/library/*" 22 ], 23 "blocked": [ 24 "*.untrusted.example" 25 ] 26 }, 27 28 "base_images": { 29 "allowed": [ 30 "docker.io/library/alpine:3.*", 31 "docker.io/library/debian:bookworm*" 32 ] 33 }, 34 35 "suites": { 36 "allowed": ["CT-SIG-01", "CT-SIG-02"], 37 "minimum": "CT-SIG-01" 38 }, 39 40 "require_attestations": { 41 "provenance": true, 42 "sbom": true 43 } 44 }