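# yaml-language-server: $schema=./schemas/policy-schema.json
# goenv SBOM Policy Configuration
# Version: 1.0
# Description: Example policy for validating Go project SBOMs
---
version: "1"

# Policy options
options:
  # Presumably: a violated "error"-severity rule fails the run — confirm against the validator.
  fail_on_error: true
  # Warning-severity rules are reported only; set to true for a strict gate.
  fail_on_warning: false
  verbose: false

# Validation rules
# Each rule names a check and, depending on the check, a "blocked" or "required" value list.
rules:
  # Supply Chain Security Rules
  - name: no-local-replaces
    type: supply-chain
    severity: error
    description: Prevent local path replace directives that bypass checksum verification
    check: replace-directives
    blocked:
      - local-path
  - name: no-vendoring
    type: supply-chain
    severity: warning
    description: Discourage vendored dependencies (optional - adjust per org policy)
    check: vendoring-status
    blocked:
      - vendored

  # Security Rules
  - name: block-retracted-versions
    type: security
    severity: error
    description: Prevent use of retracted module versions
    check: retracted-versions
  - name: require-cgo-disabled
    type: security
    severity: warning
    description: Recommend disabling CGO for reduced attack surface
    check: cgo-disabled
    required:
      # Quoted on purpose: the checker receives the string "false", not a YAML boolean.
      # NOTE(review): presumably compared against the SBOM's CGO metadata value — confirm.
      - "false"

  # Completeness Rules
  - name: require-stdlib-component
    type: completeness
    severity: warning
    description: Ensure standard library component is included in SBOM
    check: required-components
    required:
      - golang-stdlib
  - name: require-goenv-metadata
    type: completeness
    severity: info
    description: Ensure Go-aware metadata is present
    check: required-metadata
    # Property names contain ':'; quoted so every YAML parser reads them as plain strings.
    required:
      - 'goenv:go_version'
      - 'goenv:platform'
      - 'goenv:build_context.goos'
      - 'goenv:build_context.goarch'

  # License Compliance Rules
  # NOTE(review): these are bare SPDX ids; whether the license-compliance check also
  # matches the "-only" / "-or-later" forms (e.g. GPL-3.0-only) depends on its
  # matching rules — confirm, or list those forms explicitly.
  - name: block-gpl-licenses
    type: license
    severity: error
    description: Block copyleft licenses (adjust per org policy)
    check: license-compliance
    blocked:
      - GPL-2.0
      - GPL-3.0
      - AGPL-3.0
  - name: warn-lgpl-licenses
    type: license
    severity: warning
    description: Warn on LGPL licenses requiring disclosure
    check: license-compliance
    blocked:
      - LGPL-2.1
      - LGPL-3.0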