Enforce SSCA policies in the CI and CD stages of your Harness pipelines to ensure that your artifacts only contain approved components.
For an end-to-end walkthrough, try this tutorial: Generate SBOM and enforce policies.
To enforce SSCA policies in a Harness pipeline, you need:
- A pipeline that includes SBOM generation.
- An SSCA policy file.
- A Harness file secret containing the public key from the key pair used to sign and attest the SBOM.
Add an SSCA Enforcement step
You can add the SSCA Enforcement step to either the Build or Deploy stage of a Harness pipeline.
- In a Build stage, add the SSCA Enforcement step after the artifact (image) has been pushed to an artifact repository.
- In a Deploy stage, add the SSCA Enforcement step before the deployment step.
SSCA Orchestration and Enforcement steps in deploy stage can only be used in the container step group
The SSCA Enforcement step has the following settings:
- Name: Enter a name for the step.
- Artifact Type: Select Image.
- Container Registry: Select the Docker Registry connector that is configured for the Docker-compliant container registry where your artifact is stored, such as Docker Hub, Amazon ECR, or GCR.
- Image: Enter the repo path (in your container registry) and tag for the relevant image, such as
- Public Key: Select the Harness file secret containing the public key to use to verify the authenticity of the attestation.
- File Path: Provide the path to your SSCA policy file.
If you're using Docker-compliant ECR or GCR repositories, you must:
Run the pipeline
When the pipeline runs, the SSCA Enforcement step does the following:
- Verifies the authenticity of the attestation.
- Applies policies defined in the specified policy file.
- Records policy violations and shows them on the Artifacts tab on the Execution details page.
SSCA evaluates the components described in the artifact's SBOM against your policy definitions. For a component to pass the evaluation, it must meet these conditions:
- The component must not be denied based on the rules in the
- The component must be allowed based on the rules in the
- If the
allow_listhas multiple sections, the component must be allowed by all sections. For example, if the
supplierssections, then the component's license must be allowed according to the
licensessection, and the component's supplier must be allowed according to the
supplierssection. If the component fails to pass either section, the policy evaluation fails for that component.
All components must meet the conditions described in both the
deny_list to fully pass the policy evaluation.
You can review policy violations on the Execution details page in Harness. For more information, go to View attestations and violations.