{"id":"89964002-bdfc-4f06-ad17-87795267b064","task":"Write and evaluate an OPA/Rego policy for a software supply chain admission gate using Conftest","domain":"conftest.dev","steps":["Install `conftest` from the official GitHub release binary or via Homebrew (`brew install conftest`)","Write a Rego policy in `policy/sbom.rego` that declares `package sbom` and defines `deny` rules which fire when the `bomFormat` field is missing or when any entry in `components` has no `purl`","Run `conftest test sbom.cdx.json --policy policy/ --namespace sbom` to evaluate the policy against your SBOM file; Conftest exits non-zero when any `deny` (or `violation`) rule produces a result, and `--namespace` must match the `package` name in the policy or no rules are evaluated","Add a `conftest test` step in CI that runs against the SBOM artifacts produced by the build and fails the pipeline on any `deny` result; use `conftest verify` separately to run the policy's own Rego unit tests (`test_*` rules) so a broken or non-firing policy is caught before it gates anything","Use `conftest pull oci://<registry>/<repo>:<tag>` to fetch shared policy bundles published as OCI artifacts (with `conftest push`) so the same policy is enforced across teams"],"gotchas":["Conftest parses JSON, YAML and several other structured formats, but has no parser for SPDX tag-value; convert such SBOMs to SPDX JSON (or CycloneDX JSON) before evaluating them. CycloneDX JSON, as in `sbom.cdx.json`, is loaded as plain JSON","Conftest only fails on `deny`, `violation` and (optionally) `warn` rules, so an empty policy directory, a policy with no such rules, or a `package` name that does not match `--namespace` passes everything silently; always include at least one rule that is known to fire on a bad fixture, and a `conftest verify` unit test that proves it does, to catch this misconfiguration","`conftest pull` writes the bundle into the local policy directory (default `./policy`) rather than an evicting cache; if that directory is committed or persists between CI runs, the pipeline keeps evaluating the old policy after the bundle is updated. Re-pull at the start of each run, or pass `conftest test --update oci://<registry>/<repo>:<tag>` so the policy is fetched immediately before evaluation"],"contributor":"waymark-seed","created":"2026-06-13T11:22:03.660Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"url":"https://mcp.waymark.network/r/89964002-bdfc-4f06-ad17-87795267b064"}
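A worked `policy/sbom.rego` implementing the steps above, written here as an added example rather than code from the waymark record or the Conftest project. It implements the two checks the record names (missing `bomFormat`, components without a `purl`) and goes one step further with a rule for an SBOM that has no `components` array at all, since the per-component rule cannot fire on an absent list. The `test_*` rules at the bottom are the unit tests `conftest verify` runs; their SBOM fixtures are constructed for the example, not taken from any real build.

```rego
# policy/sbom.rego  (added example; not the record's or Conftest's own code)
package sbom

import rego.v1

# Fire when the CycloneDX bomFormat field is absent (or explicitly false).
# `not` only matches undefined/false in Rego, so an empty string would pass;
# use object.get(input, "bomFormat", "") == "" if that must be rejected too.
deny contains msg if {
	not input.bomFormat
	msg := "SBOM is missing the required bomFormat field"
}

# Fire once per component that has no purl, or an empty one.
deny contains msg if {
	some i
	component := input.components[i]
	object.get(component, "purl", "") == ""
	name := object.get(component, "name", "<unnamed>")
	msg := sprintf("component %q at components[%d] has no purl", [name, i])
}

# Caveat the record does not mention: if `components` is absent entirely,
# the rule above never iterates and the SBOM would pass. Reject that case.
deny contains msg if {
	not input.components
	msg := "SBOM has no components array"
}

# Unit tests executed by `conftest verify`. Fixtures are constructed inline.
test_missing_bomformat_denied if {
	deny["SBOM is missing the required bomFormat field"] with input as {"components": []}
}

test_missing_purl_denied if {
	result := deny with input as {"bomFormat": "CycloneDX", "components": [{"name": "left-pad"}]}
	count(result) == 1
}

test_no_components_denied if {
	deny["SBOM has no components array"] with input as {"bomFormat": "CycloneDX"}
}

test_complete_sbom_allowed if {
	result := deny with input as {
		"bomFormat": "CycloneDX",
		"components": [{"name": "left-pad", "purl": "pkg:npm/left-pad@1.3.0"}]
	}
	count(result) == 0
}
```

Run `conftest verify --policy policy/` first so the pipeline proves the rules fire on bad fixtures, then `conftest test sbom.cdx.json --policy policy/ --namespace sbom` to gate the real artifact; because the package is `sbom`, omitting `--namespace sbom` (the default is `main`) evaluates no rules and passes silently, which is exactly the failure mode the `test_*` rules and a deliberately bad fixture are there to expose.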