Attestation Scoped Policies
Deailed input documentation for Attestation Scoped Policies
This reference describes the JSON payload passed to Rego, Visual Builder, and JavaScript policies. It complements the conceptual overview with field-level details so you can validate policies or mock equivalent data in tests.
For step-by-step authoring guidance, see Write and test policies.
Policy input updates in progress
We're expanding the policy input to support broader supply-chain context and lifecycle metadata.
Policy Inputs
Attestation scoped policies are called per attestation (SBOM) with the attestation field containing metadata
and the raw field containing the JSON contents of the attestation (converted if the source is XML).
{
attestation: { ... },
raw: { ... },
namespace: { tenantId, space }
}Typescript types
The following type definitions describe the input the policies receive. Note that not all fields are necessarily populated.
// this is the top-level object that is passed to the policy
type PolicyInputType = {
namespace?: Namespace;
attestation?: Attestation;
raw?: any; // raw JSON contents for the attestation
};
type Namespace = {
tenantId: OrganizationId;
space: string;
};
type AttestationStatus = "pending" | "ok" | "invalid" | "archived";
type AttestationType = "SPDX" | "CycloneDx" | "OpenVEX" | "SLSA" | "in-toto" | "Kubernetes" | "unknown";
type AttestationContentType = "SBOM" | "CBOM" | "HBOM" | "VEX" | "VDR" | "Provenance";
type DocumentFormat = "JSON" | "YAML" | "XML" | "RDF" | "TAG-VALUE" | "unknown";
type AttestationComponent = {
id?: ComponentRef;
type?: ComponentType;
packageUrl?: string;
name?: string;
group?: string;
version?: string;
supplier?: Supplier;
manufacturer?: Supplier;
externalReferences?: ExternalReference[];
hashes?: Record<string, string>;
licenses?: LicenseChoice[];
properties?: Record<string, any>;
};
type Attestation = {
id: string;
status: AttestationStatus;
errorMessage?: string;
type: AttestationType;
contents?: AttestationContentType[];
typeSpecVersion: string;
format: DocumentFormat;
sourceFileName: string;
component: AttestationComponent;
componentsCount: number;
hashes: Record<string, string>;
timestamp: string;
properties?: Record<string, any>;
createdAt: string;
updatedAt: string;
};
type SupplierType = "ORGANIZATION" | "PERSON";
type Supplier = {
id?: SupplierId;
name: string;
type: SupplierType;
address?: OrganizationalPostalAddress;
url?: string[];
contact?: OrganizationalContact[];
createdAt?: string;
updatedAt?: string;
annotation?: SupplierAnnotation;
};
type SupplierAnnotation = {
id?: SupplierId;
displayName?: string;
url?: string;
contact?: OrganizationalContact;
address?: OrganizationalPostalAddress;
lei?: string;
vat?: string;
eori?: string;
euid?: string;
brn?: string;
internalId?: string;
cpeVendor?: string;
duns?: string;
uei?: string;
cage?: string;
gln?: string;
iso6523?: string;
notes: string;
properties?: Record<string, string>;
tags?: string[];
createdAt?: string;
updatedAt?: string;
};
type OrganizationalContact = {
name?: string;
email?: string;
phone?: string;
};
type OrganizationalPostalAddress = {
country?: string;
region?: string;
locality?: string;
postOfficeBoxNumber?: string;
postalCode?: string;
streetAddress?: string;
};
type ExternalReference = {
type: ExternalReferenceType;
url?: string;
hashes?: Record<string, string>;
};
type License = {
id?: string;
name?: string;
url?: string;
};
type LicenseChoice = {
license?: License;
expression?: string;
};
type ComponentProvenance = {
attestation?: string;
provenanceUrl?: string;
slsaVersion?: string;
slsaVersionUrl?: string;
builderId?: string;
builderName?: string;
builderUrl?: string;
logIndex?: number;
logEntryUrl?: string;
logIntegratedTime?: number;
repository?: string;
repositoryUrl?: string;
repositoryDigest?: string;
buildConfigUrl?: string;
buildConfigPath?: string;
invocationId?: string;
invocationUrl?: string;
};
type ComponentRef = string;
type ComponentType = string;
type ExternalReferenceType = string;
type OrganizationId = string;
type SupplierId = string;Usage tips
- Store sample input files alongside policy unit tests to avoid regressions.
- Scope rules to
namespace.spaceto differentiate production, staging, and customer-dedicated spaces.
Related policy guides
- Dive into the policy authoring guide to see how this payload shows up in Visual Builder, Rego, and JavaScript policies.
- Review Policies & Evaluations for the lifecycle of policy runs, violations, and remediations.
- Learn how to enforce policies in CI/CD once your rules are ready for automated gates.