
feat(buildah_build_task): add INCLUDE_PREFETCH_SBOM and INCLUDE_SOURCE_SBOM policy rules#1674

Draft
polasudo wants to merge 2 commits into conforma:main from polasudo:feat/sbom-inclusion-policy

Conversation

@polasudo

Summary

Add Conforma policy rules to the buildah_build_task package that deny release when INCLUDE_PREFETCH_SBOM or INCLUDE_SOURCE_SBOM is set to "false" on a buildah builder task.

This ensures pipelines cannot silently exclude prefetch or source SBOM content from a hermetic build without an explicit policy exception.

Context

konflux-ci/build-definitions#3259 proposes adding INCLUDE_PREFETCH_SBOM and INCLUDE_SOURCE_SBOM optional params to the buildah-oci-ta task. Both default to "true" for backward compatibility.

During review, @chmeliik noted that:

the usage of these parameters would absolutely have to be blocked by Conforma policies, and those would have to be in place first before we merge this.

This PR provides that policy gate.

Why these params exist

In Yarn workspace monorepos, Hermeto/Cachi2 resolves the root yarn.lock when prefetching for any workspace path, producing a prefetch SBOM that covers all workspaces — not just the target. This is a known limitation of Yarn workspace resolution in Hermeto (not a general monorepo behavior). Each plugin image ends up with dependencies from sibling workspaces in its SBOM, causing:

  • ~16x CVE duplication across plugin images
  • SBOM noise and inflated package counts
  • Unnecessary ProdSec ticket churn

The params allow pipelines to opt out of prefetch/source SBOM merging while preserving hermetic build guarantees. The hermetic build still runs — only the SBOM merge step is affected.

Design

Follows the exact same pattern as existing buildah_build_task rules (PRIVILEGED_NESTED, ADD_CAPABILITIES, PLATFORM):

  • Scans all buildah build tasks in the PipelineRun attestation
  • Denies if INCLUDE_PREFETCH_SBOM == "false" or INCLUDE_SOURCE_SBOM == "false"
  • If the param is missing or set to "true", no violation is raised
  • Part of the redhat collection

Pipelines that legitimately need false (e.g. RHDH's Yarn monorepo) must configure a policy exception.

Tests

  • test_include_prefetch_sbom_false — denies when param is "false"
  • test_include_prefetch_sbom_true — passes when param is "true"
  • test_include_prefetch_sbom_missing — passes when param is absent
  • test_include_source_sbom_false — denies when param is "false"
  • test_include_source_sbom_true — passes when param is "true"
  • test_include_both_sbom_false — denies both violations simultaneously

Related: konflux-ci/build-definitions#3259, RHIDP-11640

Made with Cursor
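The deny semantics listed under Design (scan the buildah tasks in the attestation, deny per parameter equal to the string "false", raise nothing when the parameter is absent or "true"), as an added example that is not part of this PR or the conforma repository. It is a Python stand-in for the Rego rule, run over a constructed SLSA-style attestation; the attestation layout (predicate.buildConfig.tasks[].ref.name and invocation.parameters), the set of buildah task names, the violation codes and messages, and the make_attestation helper are all assumptions for illustration. The real rule lives in buildah_build_task.rego and uses that package's existing helpers.

```python
"""Added example: Python stand-in for the INCLUDE_*_SBOM deny rules.

For every buildah builder task recorded in the PipelineRun attestation, one
violation is raised per parameter set to the string "false"; a missing or
"true" value raises nothing, and a non-buildah task that sets the same
parameter is ignored. Attestation layout, task names, codes and messages
are assumptions, not Conforma's.
"""
import json

# Assumed names under which the buildah builder task appears in attestations.
BUILDAH_TASK_REFS = {"buildah", "buildah-oci-ta", "buildah-remote-oci-ta"}

# The two parameters proposed in konflux-ci/build-definitions#3259.
SBOM_INCLUSION_PARAMS = ("INCLUDE_PREFETCH_SBOM", "INCLUDE_SOURCE_SBOM")


def buildah_tasks(attestation):
    """Yield recorded tasks whose task ref matches a buildah builder task.

    Assumed layout (Tekton Chains SLSA v0.2 style): predicate.buildConfig.tasks[],
    each with ref.name and invocation.parameters (a name -> value map).
    """
    tasks = attestation.get("predicate", {}).get("buildConfig", {}).get("tasks", [])
    for task in tasks:
        if task.get("ref", {}).get("name") in BUILDAH_TASK_REFS:
            yield task


def sbom_inclusion_violations(attestation):
    """Return one violation per (buildah task, param set to "false"); empty means release may proceed."""
    violations = []
    for task in buildah_tasks(attestation):
        params = task.get("invocation", {}).get("parameters", {})
        for name in SBOM_INCLUSION_PARAMS:
            # Tekton params are strings, so compare against the literal "false";
            # an absent param or "true" (the proposed default) is not a violation.
            if params.get(name) == "false":
                violations.append({
                    "code": f"buildah_build_task.{name.lower()}",  # assumed rule code naming
                    "task": task.get("name"),
                    "param": name,
                    "msg": f'Buildah task "{task.get("name")}" sets {name} to "false"; '
                           "SBOM content must not be excluded without a policy exception.",
                })
    return violations


def make_attestation(buildah_params=None, prefetch_params=None):
    """Constructed sample attestation (not real Chains output): one prefetch task, one buildah task."""
    return {
        "predicateType": "https://slsa.dev/provenance/v0.2",
        "predicate": {"buildConfig": {"tasks": [
            {"name": "prefetch-dependencies",
             "ref": {"name": "prefetch-dependencies-oci-ta", "kind": "Task"},
             "invocation": {"parameters": {"input": "yarn", **(prefetch_params or {})}}},
            {"name": "build-container",
             "ref": {"name": "buildah-oci-ta", "kind": "Task"},
             "invocation": {"parameters": {"IMAGE": "quay.io/example/plugin:1.0",
                                           "HERMETIC": "true", **(buildah_params or {})}}},
        ]}},
    }


if __name__ == "__main__":
    cases = [
        ("defaults", make_attestation()),
        ("prefetch false", make_attestation({"INCLUDE_PREFETCH_SBOM": "false"})),
        ("both false", make_attestation({"INCLUDE_PREFETCH_SBOM": "false",
                                         "INCLUDE_SOURCE_SBOM": "false"})),
        ("false on non-buildah task", make_attestation(prefetch_params={"INCLUDE_PREFETCH_SBOM": "false"})),
    ]
    for label, att in cases:
        print(label, json.dumps(sbom_inclusion_violations(att), indent=1))
```

The cases in the script's main block mirror the six tests listed above plus one scoping check: the parameter set to "false" on the prefetch task yields no violation, because only buildah builder tasks are scanned. Since the Design section states the comparison is against the string "false", any other spelling of the value passes this stand-in; whether the real rule normalizes the value is not stated on this page.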

…E_SBOM policy rules

Add Conforma policy rules to deny release when INCLUDE_PREFETCH_SBOM or
INCLUDE_SOURCE_SBOM is set to "false" on a buildah builder task. This
ensures that pipelines cannot silently exclude prefetch or source SBOM
content without an explicit policy exception.

Follows the same pattern as PRIVILEGED_NESTED and ADD_CAPABILITIES
enforcement in the existing buildah_build_task package.

These rules are the policy-side counterpart to the new params proposed
in konflux-ci/build-definitions#3259, ensuring usage is gated by
Conforma before the params can be used in production.

Co-authored-by: Cursor <cursoragent@cursor.com>

codecov bot commented Feb 25, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.

Files with missing lines Coverage Δ
...release/buildah_build_task/buildah_build_task.rego 100.00% <100.00%> (ø)
...se/buildah_build_task/buildah_build_task_test.rego 100.00% <100.00%> (ø)

... and 18 files with indirect coverage changes


@simonbaird
Member

You can do a make lint to see/address the lint gripes.

@simonbaird
Member

Note that the "invalid checksum digest length" errors are just cosmetic, you don't have to fix those. (But see EC-1679.)

@simonbaird
Member

Also you'll need to run make generate-docs and git add the docs updates.

@simonbaird
Member

Looks pretty good otherwise.

Group SBOM deny rules with other deny rules to fix
messy-rule lint violation. Add regal line-length ignore
comments for long expected message strings in tests.
Run make generate-docs to include new rule documentation.

Assisted-by: Cursor AI
Signed-off-by: Martin Polasko <mpolasko@redhat.com>
Made-with: Cursor
@github-actions github-actions bot added size: XL and removed size: L labels Mar 2, 2026
@polasudo
Author

polasudo commented Mar 2, 2026

Hi @simonbaird, thanks for the review. We are now mostly waiting for approval from the kflux team so we can merge both PRs;
see this PR for more context. Thank you.
PR

@eskultety

My 2c. Doesn't PREFETCH_SBOM and SOURCE_SBOM in Konflux's context mean exactly the same thing? I think we need to be aligned with the correct terminology: https://www.cisa.gov/resources-tools/resources/types-software-bill-materials-sbom. There's no such thing as a prefetch SBOM, Hermeto produces a source SBOM. My understanding of what AI's notion of SOURCE_SBOM is here is an analyzed SBOM, because IIUC we only run Syft on the produced artifacts to enhance the source SBOM from Hermeto to make it a more complex and more accurate byproduct.


3 participants