restrict-image-registries.json has a logic flaw
Currently the logic is:
(! registry.opencode.de) | (! ( registry.redhat.io | registry.access.redhat.com ))
This results in a TRUE value for the first check (an image from registry.redhat.io or registry.access.redhat.com is, by definition, not from registry.opencode.de), so the policy is triggered for images from the trusted registries as well. We have to change that to:
(! ( registry.opencode.de | registry.redhat.io | registry.access.redhat.com ))
The fix will be (all three registries in one negated OR group):
{
"policies": [
{
"id": "6c4e74a4-ff75-4005-b279-4ba6b4113136",
"name": "BSI: Restrict Image Registries",
"description": "The policy checks whether the images derive from a trusted registry. SYS.1.6.A6",
"rationale": "Images from unknown registries may not be scanned and secured. Requiring use of known registries helps reduce threat exposure.",
"remediation": "Only reference images from the registries that are defined in this policy.",
"disabled": false,
"categories": [
"Security Best Practices"
],
"lifecycleStages": [
"DEPLOY"
],
"eventSource": "NOT_APPLICABLE",
"exclusions": [
{
"name": "",
"deployment": {
"name": "",
"scope": {
"cluster": "",
"namespace": "^kube.+|^openshift.+",
"label": null
}
},
"image": null,
"expiration": null
}
],
"scope": [],
"severity": "MEDIUM_SEVERITY",
"enforcementActions": [],
"notifiers": [],
"lastUpdated": "2023-01-03T11:08:01.787539359Z",
"SORTName": "",
"SORTLifecycleStage": "",
"SORTEnforcement": false,
"policyVersion": "1.1",
"policySections": [
{
"sectionName": "Trusted Registry",
"policyGroups": [
{
"fieldName": "Image Registry",
"booleanOperator": "OR",
"negate": true,
"values": [
{
"value": "registry.opencode.de"
},
{
"value": "registry.redhat.io"
},
{
"value": "registry.access.redhat.com"
}
]
}
]
}
],
"mitreAttackVectors": [],
"criteriaLocked": false,
"mitreVectorsLocked": false,
"isDefault": false
}
]
}