update policy and workflow

Author: Cole Kennedy

.github/workflows/pipeline.yml

@@ -19,7 +19,7 @@ jobs:
       pull_request: ${{ github.event_name == 'pull_request' }}
       step: fmt
       attestations: "git github environment"
-      archivista-server: "https://judge-api.aws-sandbox-staging.testifysec.dev"
+      archivista-server: "https://archivista.testifysec.io"
       command: go fmt ./...
 
   vet:
@@ -28,7 +28,7 @@ jobs:
       pull_request: ${{ github.event_name == 'pull_request' }}
       step: vet
       attestations: "git github environment"
-      archivista-server: "https://judge-api.aws-sandbox-staging.testifysec.dev"
+      archivista-server: "https://archivista.testifysec.io"
       command: go vet ./...
 
   # --ignore DL3002    
@@ -39,7 +39,7 @@ jobs:
       step: lint
       pre-command-attestations: "git github environment"
       attestations: "git github environment"
-      archivista-server: "https://judge-api.aws-sandbox-staging.testifysec.dev"
+      archivista-server: "https://archivista.testifysec.io"
       pre-command: |
         curl -sSfL https://github.com/hadolint/hadolint/releases/download/v2.12.0/hadolint-Linux-x86_64 -o /usr/local/bin/hadolint && \
         chmod +x /usr/local/bin/hadolint
@@ -54,7 +54,7 @@ jobs:
       pull_request: ${{ github.event_name == 'pull_request' }}
       step: unit-test
       attestations: "git github environment"
-      archivista-server: "https://judge-api.aws-sandbox-staging.testifysec.dev"
+      archivista-server: "https://archivista.testifysec.io"
       command: go test ./... -coverprofile cover.out
       artifact-upload-name: cover.out
       artifact-upload-path: cover.out
@@ -67,7 +67,7 @@ jobs:
       step: sast
       pre-command-attestations: "git github environment"
       attestations: "git github environment"
-      archivista-server: "https://judge-api.aws-sandbox-staging.testifysec.dev"      
+      archivista-server: "https://archivista.testifysec.io"      
       pre-command: python3 -m pip install semgrep==1.45.0
       command: semgrep scan --config auto ./ --sarif -o semgrep.sarif
       artifact-upload-name: semgrep.sarif
@@ -121,7 +121,7 @@ jobs:
         version: 0.6.0
         step: build-image
         attestations: "git github environment slsa"
-        archivista-server: "https://judge-api.aws-sandbox-staging.testifysec.dev"        
+        archivista-server: "https://archivista.testifysec.io"        
         command: |
           /bin/sh -c "docker buildx build --platform linux/amd64,linux/arm64 -t ${{ steps.meta.outputs.tags }} --push ."
     outputs:
@@ -134,7 +134,7 @@ jobs:
       pull_request: ${{ github.event_name == 'pull_request' }}
       step: save-image
       attestations: "git github environment slsa oci"
-      archivista-server: "https://judge-api.aws-sandbox-staging.testifysec.dev"      
+      archivista-server: "https://archivista.testifysec.io"      
       command: |
         docker pull ${{ needs.build-image.outputs.tags }} && docker save ${{ needs.build-image.outputs.tags }} -o image.tar
       artifact-upload-name: image.tar
@@ -148,7 +148,7 @@ jobs:
       step: generate-sbom 
       pre-command-attestations: "git github environment"
       attestations: "git github environment sbom"
-      archivista-server: "https://judge-api.aws-sandbox-staging.testifysec.dev"      
+      archivista-server: "https://archivista.testifysec.io"      
       artifact-download: image.tar
       pre-command: |
         curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
@@ -165,7 +165,7 @@ jobs:
       step: secret-scan
       pre-command-attestations: "git github environment"
       attestations: "git github environment"
-      archivista-server: "https://judge-api.aws-sandbox-staging.testifysec.dev"      
+      archivista-server: "https://archivista.testifysec.io"      
       artifact-download: image.tar
       pre-command: |
         curl -sSfL https://raw.githubusercontent.com/trufflesecurity/trufflehog/main/scripts/install.sh | sh -s -- -b /usr/local/bin
@@ -184,10 +184,10 @@ jobs:
       step: verify 
       pre-command-attestations: "git github environment"
       attestations: "git github environment"
-      archivista-server: "https://judge-api.aws-sandbox-staging.testifysec.dev"      
+      archivista-server: "https://archivista.testifysec.io"      
       artifact-download: image.tar
       pre-command: |
         curl -sSfL https://github.com/in-toto/witness/releases/download/v0.6.0/witness_0.6.0_linux_amd64.tar.gz -o witness.tar.gz && \
         tar -xzvf witness.tar.gz -C /usr/local/bin/ && rm ./witness.tar.gz
       command: |
-        witness verify -p policy-signed.json -k swfpublic.pem -f /tmp/image.tar --enable-archivista --archivista-server https://judge-api.aws-sandbox-staging.testifysec.dev -l debug
+        witness verify -p policy-signed.json -k swfpublic.pem -f /tmp/image.tar --enable-archivista --archivista-server https://archivista.testifysec.io -l debug

policy-signed.json

@@ -387,6 +387,15 @@
           },
           {
             "type": "https://witness.dev/attestations/product/v0.1"
+          },
+          {
+            "type": "https://witness.dev/attestations/sbom/v0.1",
+            "aipolicies": [
+              {
+                "name": "Check SBOM for GPL-2.0",
+                "prompt": "Check SBOM for GPL-2.0 and fail if found"
+              }
+            ]
           }
         ],
         "functionaries": [

policy.json

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC1D0+7NtepGGe3
+0Irj/jjSOc4p4WSyL6MUTV0FFl0RQ55CWhPqAK7S55z5wajiSWSghY7pU5vqrh43
+pw68oomXUmFcm///oXurgfRQWKXWcjm9fWInCxWJjZwe/dAKpPmbVmJcVzqPUV0D
+bG1kNzzkm+nj6lpm648StZbjkPE9qahdwYY8ChRF96lQWxLjQHj+du7XN930StZj
+d2XCu9OcSkrXBkA4cnqYdp6NlshqhaalDiGoNVws2YKgyOurayhoeKms8ZCD3UKt
+BGgm8hxLv7z2qlRUTuE4IVxxwMex2lX+5XcIk78IhWUCQXu8XR2/8pQIx4c6jIQj
+NbnUKL6LAgMBAAECggEAVPeZgA7Nh/IHAlDgTPwJaEZuRGMcoS4PxsBDbda/2BE2
+XIbvH3owkJLWrLI/8ellSptCpKZy3d/WGGHSXZ2dGiEzxYUDzs/WPHcg0u+263rx
+M8Z6YD4oXkPRRw3vKn+fD1GrmQ/qUEVrc+bXMxdlARdV3Hom8HOM0cfbxnFHdJq0
+kknwNsj1AJ3K0uF2UMsIySsrxKKScQJuDQ5auqS6vhUVdNVMF/ypzfNPynVHIkCC
+xzk6hmqe8RK+VZgge721/Bj6bk5REthpEQCIrV62L1h64aXpJNkT6ptc2geI8mAp
+B6gFeEy23Za8TzDx6vQ8sFtiRuHBEigUHjUce0sv2QKBgQD2rRe3Z/4Hcc52vVVS
+CYIU+VouxhblAHcaJjfqAkDsI4o01EHx9iHrTp6NEI/+owIM+uOBotyaTLNuQaTC
+TUIK+tlKAEYASfp9JPGt5GqJPLxE1z1ieqxJi+Y8PZxOo845kdPr4CdYPyCumaem
+QX+d0PV2A7zybnrAv8zrsXsR1wKBgQC750v8UgkSauhVntTmJcmZHbnuF1GkMbUp
+S1Y+Gv+GXgHbR0Yu7xyLtD8vspLB017EV+Kb9jiXSxZ+cq6LgdGAGcj40Hb+v7RP
+ATro0wUilhiEsvNtNAnilOv+1qMv4XJ9szi0zKjn/KnPRcWVSYlsauFcOtzzRgma
+hA26bfZKbQKBgGYLLt9xRpX/z2AxbKU2R7izekoVKg1rxtlrbAADFKZbAWZfVDRr
+FJcJ++7xJhA5kLSb6ReMruOpzSRURXsXiLWQFelV+Z9O+y9f5BaCgkvpcxyrSbp+
+ct0t4X2UIyApBTuthtRx8vS/kJ6J89+EAu3fLlu2qihD6cXo0jXCQt4bAoGALMU0
+bp8hODkuuE/KzDdOrGPPzDHUKvoI/xjLKKsIHPzDFnsJ9t7T/1loALZcj0AMgV2r
+SZvF6g5jAqfSfLzmrM33+4i4AYStsnFJlvXIcHAw0VVN+MQAYvM2s5ZydVMTE24j
+YbitufCSiSdHp4VI8AMbRP1lbbVPTniOSNAwcZUCgYEA7aLtQ2+VfFG2v11opWe0
+OBlRdNyFVX5VPfrBl4RwtLzCq1OShbBr8F8V1IGWAvhHpx2wOJCYKXI/Iwji9nOu
+bzDTV/5qcFs43KTsTKGnghuoLSxVX+iigCuiogPUP3Q7U5h5me3ZJuROMJQjKZnN
+TxDqHZRaSlsPA0VsfHqd4kY=
+-----END PRIVATE KEY-----

private_key.pem

@@ -0,0 +1,9 @@
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtQ9PuzbXqRhnt9CK4/44
+0jnOKeFksi+jFE1dBRZdEUOeQloT6gCu0uec+cGo4klkoIWO6VOb6q4eN6cOvKKJ
+l1JhXJv//6F7q4H0UFil1nI5vX1iJwsViY2cHv3QCqT5m1ZiXFc6j1FdA2xtZDc8
+5Jvp4+paZuuPErWW45DxPamoXcGGPAoURfepUFsS40B4/nbu1zfd9ErWY3dlwrvT
+nEpK1wZAOHJ6mHaejZbIaoWmpQ4hqDVcLNmCoMjrq2soaHiprPGQg91CrQRoJvIc
+S7+89qpUVE7hOCFcccDHsdpV/uV3CJO/CIVlAkF7vF0dv/KUCMeHOoyEIzW51Ci+
+iwIDAQAB
+-----END PUBLIC KEY-----