cosign: Support errors from Rego validation consistent with policy-controller's convention

Description

We are trying to print error messages when cosign verify-attestation fails according to the Rego policy rules. I have a policy that satisfies my requirement; it's working in the Rego playground, as you can see below.

SUCCESS CASE:

INPUT:

```json
{
  "environment": "snapshot",
  "type": "twistlockquality",
  "stage_properties": {
    "enabled": true,
    "scan_status": "PASSED",
    "type": "TWISTLOCK_SCAN",
    "running_on": "02",
    "scan_results": {
      "ImageName": "docker_build1",
      "vulnerabilitiesCount": "94",
      "complianceIssuesCount": "1",
      "vulnerabilityDistribution": {
        "critical": "4",
        "high": "6",
        "medium": "2",
        "low": "82",
        "total": "94"
      }
    }
  }
}
```

Policy:

```rego
package signature

# Adds a message to the "allow" set when the critical count is NOT below
# the threshold (success case: threshold 5, so 4 criticals add nothing).
allow[msg] {
    input.type == "twistlockquality"
    result := less_than(input.stage_properties.scan_results.vulnerabilityDistribution.critical)
    msg := sprintf("FAILED - twistlockquality, REASON: Found %v criticals", [input.stage_properties.scan_results.vulnerabilityDistribution.critical])
    result != true
}

# The counts arrive as strings, so convert before comparing.
less_than(x) := to_number(x) < 5

larger_than(x) := to_number(x) > 1
```

OUTPUT:

```json
{ "allow": [] }
```

FAIL CASE:

INPUT:

```json
{
  "environment": "snapshot",
  "type": "twistlockquality",
  "stage_properties": {
    "enabled": true,
    "scan_status": "PASSED",
    "type": "TWISTLOCK_SCAN",
    "running_on": "02",
    "scan_results": {
      "ImageName": "docker_build1",
      "vulnerabilitiesCount": "94",
      "complianceIssuesCount": "1",
      "vulnerabilityDistribution": {
        "critical": "4",
        "high": "6",
        "medium": "2",
        "low": "82",
        "total": "94"
      }
    }
  }
}
```

Policy:

```rego
package signature

# Same rule as above; only the threshold in less_than differs
# (fail case: threshold 2, so 4 criticals add the message).
allow[msg] {
    input.type == "twistlockquality"
    result := less_than(input.stage_properties.scan_results.vulnerabilityDistribution.critical)
    msg := sprintf("FAILED - twistlockquality, REASON: Found %v criticals", [input.stage_properties.scan_results.vulnerabilityDistribution.critical])
    result != true
}

# The counts arrive as strings, so convert before comparing.
less_than(x) := to_number(x) < 2

larger_than(x) := to_number(x) > 1
```

OUTPUT:

```json
{ "allow": [ "FAILED - twistlockquality, REASON: Found 4 criticals" ] }
```

But when I integrate and use the same policy with cosign verify-attestation, even in the policy success case, cosign verification fails with `expression value, [], is not true` and `main.go:74: error during command execution: 7 validation errors occurred`.

Policy success case:

```
COSIGN_EXPERIMENTAL=1
cosign verify-attestation --key cosign.pub --type spdxjson hello-python/snapshot/docker_build1:1.0.0 --policy policy.rego
will be validating against Rego policies: [rekor-policy/gto-policy.rego]
will be validating against Rego policies: [rekor-policy/gto-policy.rego]
will be validating against Rego policies: [rekor-policy/gto-policy.rego]
will be validating against Rego policies: [rekor-policy/gto-policy.rego]
will be validating against Rego policies: [rekor-policy/gto-policy.rego]
will be validating against Rego policies: [rekor-policy/gto-policy.rego]
will be validating against Rego policies: [rekor-policy/gto-policy.rego]
There are 7 number of errors occurred during the validation:
expression value, [], is not true
expression value, [], is not true
expression value, [], is not true
expression value, [], is not true
expression value, [], is not true
expression value, [], is not true
expression value, [], is not true
Error: 7 validation errors occurred
main.go:74: error during command execution: 7 validation errors occurred
```

Policy fail case:

```
COSIGN_EXPERIMENTAL=1
cosign verify-attestation --key cosign.pub --type spdxjson hello-python/snapshot/docker_build1:1.0.0 --policy policy.rego
will be validating against Rego policies: [rekor-policy/gto-policy.rego]
will be validating against Rego policies: [rekor-policy/gto-policy.rego]
will be validating against Rego policies: [rekor-policy/gto-policy.rego]
will be validating against Rego policies: [rekor-policy/gto-policy.rego]
will be validating against Rego policies: [rekor-policy/gto-policy.rego]
will be validating against Rego policies: [rekor-policy/gto-policy.rego]
will be validating against Rego policies: [rekor-policy/gto-policy.rego]
There are 7 number of errors occurred during the validation:
expression value, [], is not true
expression value, [], is not true
expression value, [], is not true
expression value, [], is not true
expression value, [], is not true
expression value, [], is not true
expression value, [FAILED - twistlockquality, REASON: Found 4 criticals], is not true
Error: 7 validation errors occurred
main.go:74: error during command execution: 7 validation errors occurred
```

About this issue

  • Original URL
  • State: open
  • Created a year ago
  • Comments: 20 (10 by maintainers)

Most upvoted comments

No ETA as of yet. But we would take a PR to thread these errors through and print them, provided it was done in a backwards compatible way.

I came across this while getting errors using the example here, so based on these comments, it seems like this documentation is wrong?

Offhand, seems reasonable. And leads to better consistency between cosign/policy-controller. I’ll rename the issue.