security/compliance

Deploy OPA Gatekeeper and author a ConstraintTemplate plus Constraint to enforce a required annotation on all Kubernetes Deployments

Configure OPA Gatekeeper mutation with Assign and AssignMetadata to automatically add default labels to pods

Write an OPA Rego policy package to require specific labels and block images from disallowed registries, then unit-test it with opa test

Run an OPA bundle server, configure OPA to poll it for policy bundles, and validate decision log and status plugin output

Use conftest to policy-test Kubernetes manifests and Terraform plan JSON against Rego policies in a CI pipeline

Migrate OPA Rego policies from v0 syntax to Rego v1 syntax using the if and contains keywords

Author a Kyverno ClusterPolicy with a validate rule and set validationFailureAction to Enforce to block non-compliant resources

Write a Kyverno mutate policy using patchStrategicMerge to add default resource limits to containers that omit them

Configure a Kyverno generate policy to automatically create a default NetworkPolicy and ConfigMap when a new namespace is created

Configure Kyverno verifyImages with cosign keyless signing using Fulcio and Rekor to enforce that only verified images are admitted

Write a Kyverno PolicyException to exempt a specific workload from a validate policy rule without modifying the policy itself

Write Kyverno validate rules using CEL expressions instead of pattern-based or Rego validation

Define a Kubernetes ValidatingAdmissionPolicy using CEL to enforce that all Deployments set replica counts above a minimum without an external webhook

Generate a CycloneDX and SPDX SBOM from a container image using Syft, then diff two SBOMs from successive builds to detect component drift

Scan a container image or SBOM with Grype and configure fail thresholds based on severity to gate a CI pipeline

Create a CycloneDX VEX document to communicate that a specific CVE does not affect your product and associate it with an SBOM

Create OpenVEX statements using vexctl to mark a CVE as not exploitable and merge VEX documents

Use Trivy to generate an SBOM and then apply a VEX file to filter vulnerability scan results

Upload an SBOM to OWASP Dependency-Track via its REST API, trigger analysis, and query policy violations programmatically

Generate and verify an in-toto attestation with a SLSA provenance predicate for a build artifact

Attach a signed SBOM as a cosign attestation to an OCI image and verify the attestation in a downstream deployment step

Ingest SBOMs and attestations into GUAC and run supply-chain queries via its GraphQL API

Verify SLSA build provenance for a container image using slsa-verifier and enforce source and builder constraints

Deploy Sigstore policy-controller on Kubernetes to enforce that only images with valid cosign signatures are admitted