open-policy-agent · carmithersh · Jan 29, 2026 · Feb 1, 2026 · Copilot · Jan 29, 2026
@@ -0,0 +1,2 @@
+resources:
+  - template.yaml
@@ -0,0 +1,14 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: jfrogcheckevidence
+metadata:
+  name: jfrog-check-evidence
+spec:
+  match:
+    kinds:
+      - apiGroups: [""]
+        kinds: ["Pod"]
+  parameters:
+    checkedRegistries: ["my-jfrog-registry.jfrog.io"]
+    # add whitelist for repositories, uncomment to enable
+    # checkedRepositories: ["docker-local"]
+    checkedPredicateTypes: ["https://slsa.dev/provenance/v1"]
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: your-jfrog-testing-pod
+spec:
+  containers:
+  - name: testing
+    image: my-jfrog-registry.jfrog.io/docker-local/your-valid-testing-image:1.0.0
+    imagePullPolicy: Always
+  imagePullSecrets: 
+  - name: jfrog-secret
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: your-jfrog-testing-pod
+spec:
+  containers:
+  - name: testing
+    image: my-jfrog-registry.jfrog.io/docker-local/your-invalid-testing-image:1.0.0
+    imagePullPolicy: Always
+  imagePullSecrets: 
+  - name: jfrog-secret
@@ -0,0 +1,18 @@
+kind: Suite
+apiVersion: test.gatekeeper.sh/v1alpha1
+metadata:
+  name: replicalimits
-  name: replicalimits
+  name: k8sjfrogcheckevidence
-  name: replicalimits
+  name: k8sjfrogcheckevidence
+tests:
+- name: replica-limit
- name: replica-limit
+- name: jfrog-evidence-check
- name: replica-limit
+- name: jfrog-evidence-check
+  template: template.yaml
+  constraint: samples/jfrogcheckevidence/constraint.yaml
+  cases:
+  - name: example-allowed
+    object: samples/jfrogcheckevidence/example_allowed.yaml
+    assertions:
+    - violations: no
+  - name: example-disallowed
+    object: samples/jfrogcheckevidence/example_disallowed.yaml
+    assertions:
+    - violations: yes
+
@@ -0,0 +1,100 @@
+apiVersion: templates.gatekeeper.sh/v1
+kind: ConstraintTemplate
+metadata:
+  name: jfrogcheckevidence
+  annotations:
+    metadata.gatekeeper.sh/title: "Check JFrog Evidence"
+    metadata.gatekeeper.sh/version: 1.0.0
+    description: >-
+      Checks if the images in a pod comply with regulations or corporate policies by validating they have required verified evidence.
+      This policy is based on the JFrog OPA provider. To deploy JFrog OPA Provider, please visit: https://github.com/jfrog/jfrog-opa-policy
+spec:
+  crd:
+    spec:
+      names:
+        kind: jfrogcheckevidence
+      validation:
+        openAPIV3Schema:
+          type: object
+          properties:
+            checkedPredicateTypes:
+              type: array
+              items:
+                type: string
+            checkedRegistries:
+              type: array
+              items:
+                type: string
+            checkedRepositories: 
-            checkedPredicateTypes:
-              type: array
-              items:
-                type: string
-            checkedRegistries:
-              type: array
-              items:
-                type: string
-            checkedRepositories: 
+            checkedPredicateTypes:
+              description: >-
+                List of predicate types to check for each image. Each entry is
+                a string that will be concatenated into a comma-separated
+                value and passed as part of the key set to the JFrog evidence
+                OPA provider.
+              type: array
+              items:
+                type: string
+            checkedRegistries:
+              description: >-
+                List of container registry prefixes to include in the check.
+                Only images whose names start with one of these prefixes will
+                be evaluated by this constraint.
+              type: array
+              items:
+                type: string
+            checkedRepositories: 
+              description: >-
+                List of repository path substrings to include in the check.
+                Only images whose names contain one of these substrings will
+                be evaluated by this constraint.
-            checkedPredicateTypes:
-              type: array
-              items:
-                type: string
-            checkedRegistries:
-              type: array
-              items:
-                type: string
-            checkedRepositories: 
+            checkedPredicateTypes:
+              description: >-
+                List of predicate types to check for each image. Each entry is
+                a string that will be concatenated into a comma-separated
+                value and passed as part of the key set to the JFrog evidence
+                OPA provider.
+              type: array
+              items:
+                type: string
+            checkedRegistries:
+              description: >-
+                List of container registry prefixes to include in the check.
+                Only images whose names start with one of these prefixes will
+                be evaluated by this constraint.
+              type: array
+              items:
+                type: string
+            checkedRepositories: 
+              description: >-
+                List of repository path substrings to include in the check.
+                Only images whose names contain one of these substrings will
+                be evaluated by this constraint.
+              type: array
+              items:
+                type: string
+  targets:
+    - target: admission.k8s.gatekeeper.sh
+      code:
+      - engine: Rego
+        source: 
+          rego: |
+            package jfrogcheckevidence            
+            import data.lib.filter_images
+            import future.keywords.in
+            import future.keywords.contains
+            # get all images
+            all_images := [img | img = input.review.object.spec.containers[_].image]
+            target_images := [img | img = all_images[_]
+              filter_images.is_checked_registry(img)
+              filter_images.is_checked_repository(img)
+            ]
+            # get init images
+            init_images := [img | img = input.review.object.spec.initContainers[_].image]
+            target_init_images := [img | img = init_images[_]
+              filter_images.is_checked_registry(img)
+              filter_images.is_checked_repository(img)
+            ]
+
+            # append target_images, target_init_images
+            checked_images := array.concat(target_images, target_init_images)
-            # append target_images, target_init_images
-            checked_images := array.concat(target_images, target_init_images)
+            # get ephemeral container images
+            ephemeral_images := [img | img = input.review.object.spec.ephemeralContainers[_].image]
+            target_ephemeral_images := [img | img = ephemeral_images[_]
+              filter_images.is_checked_registry(img)
+              filter_images.is_checked_repository(img)
+            ]
+
+            # append target_images, target_init_images, target_ephemeral_images
+            tmp_checked_images := array.concat(target_images, target_init_images)
+            checked_images := array.concat(tmp_checked_images, target_ephemeral_images)
-            # append target_images, target_init_images
-            checked_images := array.concat(target_images, target_init_images)
+            # get ephemeral container images
+            ephemeral_images := [img | img = input.review.object.spec.ephemeralContainers[_].image]
+            target_ephemeral_images := [img | img = ephemeral_images[_]
+              filter_images.is_checked_registry(img)
+              filter_images.is_checked_repository(img)
+            ]
+
+            # append target_images, target_init_images, target_ephemeral_images
+            tmp_checked_images := array.concat(target_images, target_init_images)
+            checked_images := array.concat(tmp_checked_images, target_ephemeral_images)
+            # convert arreay input.parameters.checkedPredicateTypes to string
-            # convert arreay input.parameters.checkedPredicateTypes to string
+            # convert array input.parameters.checkedPredicateTypes to string
-            # convert arreay input.parameters.checkedPredicateTypes to string
+            # convert array input.parameters.checkedPredicateTypes to string
+            types := concat(",", input.parameters.checkedPredicateTypes)
+            typesArray := [types]
+
+            checked_keys := array.concat(typesArray, checked_images)
+            violation[{"msg": msg}] {              
+              count(checked_images) > 0
+              response := external_data({"provider": "jfrog-evidence-opa-provider", "keys": checked_keys})
+              any_issues_found(response)
+
+              msg := sprintf("TARGET IMAGES: %v, RESPONSE: %v", [checked_images, response])
+            }
+
+            any_issues_found(response) {
+              count(response.errors) > 0              
+            } else {
+              response.system_error != ""
+            } else {              
+              response_has_invalid(response)
+            }
+
+            response_has_invalid(response) {
+              some item in response.responses
+              count(item) == 2
+              item[1] == "_invalid"
+            }
+
+            has_check_registry_images_parameter {
+              input.parameters.checkedRegistries != null
+            }
+          libs:
+            - |
+              package lib.filter_images    
+              import future.keywords.in
+              is_checked_registry(img) {
+                  checked_registries := object.get(object.get(input, "parameters", {}), "checkedRegistries", [])
+                  some registry in checked_registries
+                  startswith(img, registry)
+              }
+              is_checked_repository(img) {
+                  checked_repositories := object.get(object.get(input, "parameters", {}), "checkedRepositories", ["/"])
+                  some repository in checked_repositories      
+                  contains(img, repository)
+              }
@@ -0,0 +1,38 @@
+apiVersion: templates.gatekeeper.sh/v1
+kind: ConstraintTemplate
+metadata:
+  name: jfrogcheckevidence
+  annotations:
+    metadata.gatekeeper.sh/title: "Check JFrog Evidence"
+    metadata.gatekeeper.sh/version: 1.0.0
+    description: >-
+      Checks if the images in a pod comply with regulations or corporate policies by validating they have required verified evidence.
+      This policy is based on the JFrog OPA provider. To deploy JFrog OPA Provider, please visit: https://github.com/jfrog/jfrog-opa-policy
+spec:
+  crd:
+    spec:
+      names:
+        kind: jfrogcheckevidence
+      validation:
+        openAPIV3Schema:
+          type: object
+          properties:
+            checkedPredicateTypes:
+              type: array
+              items:
+                type: string
+            checkedRegistries:
+              type: array
+              items:
+                type: string
+            checkedRepositories: 
+              type: array
+              items:
+                type: string
+  targets:
+    - target: admission.k8s.gatekeeper.sh
+      code:
+      - engine: Rego
+        source: 
+          rego: |
+{{ file.Read "src/general/jfrog-evidence/src.rego" | strings.Indent 8 | strings.TrimSuffix "\n" }}
-{{ file.Read "src/general/jfrog-evidence/src.rego" | strings.Indent 8 | strings.TrimSuffix "\n" }}
+{{ file.Read "src/general/jfrog-evidence/src.rego" | strings.Indent 8 | strings.TrimSuffix "\n" }}
+          libs:
+          - rego: |
+{{ file.Read "src/general/jfrog-evidence/lib_filter_images.rego" | strings.Indent 8 | strings.TrimSuffix "\n" }}
-{{ file.Read "src/general/jfrog-evidence/src.rego" | strings.Indent 8 | strings.TrimSuffix "\n" }}
+{{ file.Read "src/general/jfrog-evidence/src.rego" | strings.Indent 8 | strings.TrimSuffix "\n" }}
+          libs:
+          - rego: |
+{{ file.Read "src/general/jfrog-evidence/lib_filter_images.rego" | strings.Indent 8 | strings.TrimSuffix "\n" }}
@@ -0,0 +1,63 @@
+package jfrogcheckevidence            
+import data.lib.filter_images
+import future.keywords.in
+import future.keywords.contains
+# get all images
+all_images := [img | img = input.review.object.spec.containers[_].image]
+target_images := [img | img = all_images[_]
+    filter_images.is_checked_registry(img)
+    filter_images.is_checked_repository(img)
+]
+# get init images
+init_images := [img | img = input.review.object.spec.initContainers[_].image]
+target_init_images := [img | img = init_images[_]
+    filter_images.is_checked_registry(img)
+    filter_images.is_checked_repository(img)
+]
+
+# append target_images, target_init_images
+checked_images := array.concat(target_images, target_init_images)
-# append target_images, target_init_images
-checked_images := array.concat(target_images, target_init_images)
+# get ephemeral container images
+ephemeral_images := [img | img = input.review.object.spec.ephemeralContainers[_].image]
+target_ephemeral_images := [img | img = ephemeral_images[_]
+    filter_images.is_checked_registry(img)
+    filter_images.is_checked_repository(img)
+]
+
+# append target_images, target_init_images, target_ephemeral_images
+checked_images := array.concat(target_images, array.concat(target_init_images, target_ephemeral_images))
-# append target_images, target_init_images
-checked_images := array.concat(target_images, target_init_images)
+# get ephemeral container images
+ephemeral_images := [img | img = input.review.object.spec.ephemeralContainers[_].image]
+target_ephemeral_images := [img | img = ephemeral_images[_]
+    filter_images.is_checked_registry(img)
+    filter_images.is_checked_repository(img)
+]
+
+# append target_images, target_init_images, target_ephemeral_images
+checked_images := array.concat(target_images, array.concat(target_init_images, target_ephemeral_images))
+# convert arreay input.parameters.checkedPredicateTypes to string
-# convert arreay input.parameters.checkedPredicateTypes to string
+# convert array input.parameters.checkedPredicateTypes to string
-# convert arreay input.parameters.checkedPredicateTypes to string
+# convert array input.parameters.checkedPredicateTypes to string
+types := concat(",", input.parameters.checkedPredicateTypes)
+typesArray := [types]
+
-# convert arreay input.parameters.checkedPredicateTypes to string
-types := concat(",", input.parameters.checkedPredicateTypes)
-typesArray := [types]
+
+# build typesArray from input.parameters.checkedPredicateTypes only when non-empty
+typesArray := [types] {
+    params := object.get(input, "parameters", {})
+    checked_predicate_types := object.get(params, "checkedPredicateTypes", [])
+    count(checked_predicate_types) > 0
+    types := concat(",", checked_predicate_types)
+}
+
+default typesArray := []
-# convert arreay input.parameters.checkedPredicateTypes to string
-types := concat(",", input.parameters.checkedPredicateTypes)
-typesArray := [types]
+
+# build typesArray from input.parameters.checkedPredicateTypes only when non-empty
+typesArray := [types] {
+    params := object.get(input, "parameters", {})
+    checked_predicate_types := object.get(params, "checkedPredicateTypes", [])
+    count(checked_predicate_types) > 0
+    types := concat(",", checked_predicate_types)
+}
+
+default typesArray := []
+checked_keys := array.concat(typesArray, checked_images)
+violation[{"msg": msg}] {              
+    count(checked_images) > 0
+    response := external_data({"provider": "jfrog-evidence-opa-provider", "keys": checked_keys})
+    any_issues_found(response)
+
+    msg := sprintf("TARGET IMAGES: %v, RESPONSE: %v", [checked_images, response])
+}
+
+any_issues_found(response) {
+    count(response.errors) > 0              
+} else {
+    response.system_error != ""
+} else {              
+    response_has_invalid(response)
+}
+
+response_has_invalid(response) {
+    some item in response.responses
+    count(item) == 2
+    item[1] == "_invalid"
+}
+
+has_check_registry_images_parameter {
+    input.parameters.checkedRegistries != null
+}
-has_check_registry_images_parameter {
-    input.parameters.checkedRegistries != null
-}
-has_check_registry_images_parameter {
-    input.parameters.checkedRegistries != null
-}
+libs:
+- |
+    package lib.filter_images    
+    import future.keywords.in
+    is_checked_registry(img) {
+        checked_registries := object.get(object.get(input, "parameters", {}), "checkedRegistries", [])
+        some registry in checked_registries
+        startswith(img, registry)
+    }
+    is_checked_repository(img) {
+        checked_repositories := object.get(object.get(input, "parameters", {}), "checkedRepositories", ["/"])
+        some repository in checked_repositories      
+        contains(img, repository)
+    }