Verify Image Labels
Type: Rule
ID: image-labels
Source: v2/rules/images/verify-labels.yaml
Rego Source: verify-labels.rego
Labels: SBOM, Images
Verify that the specified label key-value pairs exist in the image.
This rule requires Image SBOM. See here for more details.
Signed Evidence for this rule IS NOT required by default but is recommended.
Rule requires evaluation with a target or an asset input. Without one, it will be disabled unless the --all-evidence flag is provided.
Rule is scoped by target and product.
Usage example
```yaml
uses: images/verify-labels@v2
with:
  labels:
    - "org.opencontainers.image.vendor=my_vendor"
```
Mitigation
Ensures that all required metadata labels are present with the expected values, which is crucial for traceability, auditing, and compliance with container security standards.
Description
This rule checks the CycloneDX SBOM evidence for the container image to verify that each required label (as defined in the `with.labels` parameter) exists with the correct value.
- The rule iterates over the list of required labels provided in the `with.labels` configuration. Each entry is a `key=value` string.
- For each required label, it examines the `metadata.component.properties` array in the SBOM.
- It looks for a property whose name starts with `label_` and ends with the required label key, and whose value matches the expected value.
- If no such property is found, a violation is recorded with the missing label key and the expected value.
- Because the property name is matched by suffix, a short key such as `vendor` would also be satisfied by `label_org.opencontainers.image.vendor`; specify the full label key to avoid matching an unintended label.
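The following Python re-implements the matching logic described above so it can be run against an SBOM offline. It is an added example, not the rule's own Rego source, and the embedded SBOM fragment is constructed for illustration; the `verify_labels`, `parse_required_label` and `label_properties` names are this example's own.

```python
import json

# Constructed CycloneDX JSON fragment standing in for the image SBOM evidence.
# Only the fields the rule inspects are populated (sample input, not a real SBOM).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {
        "component": {
            "type": "container",
            "name": "registry.example.com/app:1.0",
            "properties": [
                {"name": "label_org.opencontainers.image.vendor", "value": "my_vendor"},
                {"name": "label_org.opencontainers.image.version", "value": "1.0"},
                # A property without the label_ prefix must not satisfy a label check.
                {"name": "image.architecture", "value": "amd64"},
            ],
        }
    },
})


def parse_required_label(entry):
    """Split a 'key=value' entry from with.labels on the first '=' only,
    so values that themselves contain '=' are kept intact."""
    key, sep, value = entry.partition("=")
    if not sep or not key:
        raise ValueError(f"label entry must be key=value: {entry!r}")
    return key, value


def label_properties(sbom):
    """Yield (name, value) for every metadata.component.properties entry.
    A missing section yields nothing, so every required label is reported absent."""
    component = (sbom.get("metadata") or {}).get("component") or {}
    for prop in component.get("properties") or []:
        yield prop.get("name", ""), prop.get("value")


def verify_labels(sbom_json, required_labels):
    """Mirror of the rule's check: a required key=value is satisfied when some
    property name starts with 'label_' and ends with the key, and the property
    value equals the expected value. Returns one violation dict per unmet
    label; an empty list means the rule passes."""
    sbom = json.loads(sbom_json)
    props = list(label_properties(sbom))
    violations = []
    for entry in required_labels:
        key, expected = parse_required_label(entry)
        satisfied = any(
            name.startswith("label_") and name.endswith(key) and value == expected
            for name, value in props
        )
        if not satisfied:
            violations.append({"label": key, "expected": expected})
    return violations


if __name__ == "__main__":
    required = ["org.opencontainers.image.vendor=my_vendor",
                "org.opencontainers.image.licenses=Apache-2.0"]
    for v in verify_labels(SAMPLE_SBOM, required):
        print(f"violation: label {v['label']} with value {v['expected']} not found")
```

Run it as-is and it reports the missing `licenses` label while accepting the vendor label. Note that the suffix match means `vendor=my_vendor` is also accepted, which is the behaviour the description above implies rather than a recommendation to rely on it.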
Evidence Requirements
- Evidence must be provided in the `cyclonedx-json` format.
- The SBOM should include a `metadata.component.properties` array that contains the image label information (property names prefixed with `label_`).
| Field | Value |
|---|---|
| signed | False |
| content_body_type | cyclonedx-json |
| target_type | container |
| filter-by | ['target', 'product'] |
Input Definitions
| Parameter | Type | Required | Description | Default |
|---|---|---|---|---|
| labels | array | False | A list of required labels, each given as a `key=value` string. | [] |