{ "$schema": "https://json-schema.org/draft/2020-12/schema", "$id": "https://stellaops.io/schemas/verification-policy.v1.json", "title": "VerificationPolicy", "description": "Attestation verification policy configuration for StellaOps", "type": "object", "required": ["policyId", "version", "predicateTypes", "signerRequirements"], "properties": { "policyId": { "type": "string", "description": "Unique policy identifier", "pattern": "^[a-z0-9-]+$", "examples": ["default-verification-policy", "strict-slsa-policy"] }, "version": { "type": "string", "description": "Policy version (SemVer)", "pattern": "^\\d+\\.\\d+\\.\\d+$", "examples": ["1.0.0", "2.1.0"] }, "description": { "type": "string", "description": "Human-readable policy description" }, "tenantScope": { "type": "string", "description": "Tenant ID this policy applies to, or '*' for all tenants", "default": "*" }, "predicateTypes": { "type": "array", "description": "Allowed attestation predicate types", "items": { "type": "string" }, "minItems": 1, "examples": [ ["stella.ops/sbom@v1", "stella.ops/vex@v1"] ] }, "signerRequirements": { "$ref": "#/$defs/SignerRequirements" }, "validityWindow": { "$ref": "#/$defs/ValidityWindow" }, "metadata": { "type": "object", "description": "Free-form metadata", "additionalProperties": true } }, "$defs": { "SignerRequirements": { "type": "object", "description": "Requirements for attestation signers", "properties": { "minimumSignatures": { "type": "integer", "minimum": 1, "default": 1, "description": "Minimum number of valid signatures required" }, "trustedKeyFingerprints": { "type": "array", "items": { "type": "string", "pattern": "^sha256:[a-f0-9]{64}$" }, "description": "List of trusted signer key fingerprints (SHA-256)" }, "trustedIssuers": { "type": "array", "items": { "type": "string", "format": "uri" }, "description": "List of trusted issuer identities (OIDC issuers)" }, "requireRekor": { "type": "boolean", "default": false, "description": "Require a Sigstore Rekor transparency log entry" }, "algorithms": { "type": "array", "items": { "type": "string", "enum": ["ES256", "ES384", "ES512", "RS256", "RS384", "RS512", "EdDSA"] }, "description": "Allowed signing algorithms", "default": ["ES256", "RS256", "EdDSA"] } } }, "ValidityWindow": { "type": "object", "description": "Time-based validity constraints", "properties": { "notBefore": { "type": "string", "format": "date-time", "description": "Policy not valid before this time (ISO-8601)" }, "notAfter": { "type": "string", "format": "date-time", "description": "Policy not valid after this time (ISO-8601)" }, "maxAttestationAge": { "type": "integer", "minimum": 0, "description": "Maximum age of attestation in seconds (0 = no limit)" } } } }, "examples": [ { "policyId": "default-verification-policy", "version": "1.0.0", "description": "Default verification policy for StellaOps attestations", "tenantScope": "*", "predicateTypes": [ "stella.ops/sbom@v1", "stella.ops/vex@v1", "stella.ops/vexDecision@v1", "stella.ops/policy@v1", "stella.ops/promotion@v1", "stella.ops/evidence@v1", "stella.ops/graph@v1", "stella.ops/replay@v1", "https://slsa.dev/provenance/v1", "https://cyclonedx.org/bom", "https://spdx.dev/Document", "https://openvex.dev/ns" ], "signerRequirements": { "minimumSignatures": 1, "trustedKeyFingerprints": [ "sha256:a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2" ], "requireRekor": false, "algorithms": ["ES256", "RS256", "EdDSA"] }, "validityWindow": { "maxAttestationAge": 86400 } } ] }