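// Implementation example.
//
// Audit and runtime governance: audit the image digest, the attestation
// type and the SBOM binding; on any inconsistency block the rollout and
// roll back. Accept attestations only from controlled repositories and
// only with a valid signature.
//
// NOTE(review): everything below is a *structural* check. It does not
// verify an envelope signature, fetch the image, or hash the attestation
// payload. Before trusting `ok: true` from evaluate(), the caller must
// (1) verify the attestation signature against the trusted key set,
// (2) recompute the subject digest from the image bytes actually pulled,
// and (3) recompute payloadSha256 from the payload bytes actually read.

/** A content digest. Only SHA-256 is modelled, as 64 hex characters. */
type Digest = { alg: 'SHA-256'; hex: string };

/** An attestation bound to exactly one subject (image) digest. */
type Attestation = {
  subject: { name: string; digest: Digest };
  predicateType: string;
  payloadSha256: string;
};

/** An SBOM whose `subjectDigest` must equal the attestation's subject digest. */
type Sbom = {
  components: { name: string; version: string }[];
  subjectDigest: string;
};

// Hoisted once; no `g` flag, so `test` is stateless.
const SHA256_HEX = /^[A-Fa-f0-9]{64}$/;

/** True when `h` is exactly 64 hex characters (a SHA-256 digest), any case. */
function hex64(h: string): boolean {
  return SHA256_HEX.test(h);
}

/**
 * Structural validation of an attestation.
 *
 * Checks: non-empty subject name, digest algorithm is SHA-256, well-formed
 * subject digest hex, non-empty predicateType, well-formed payload hash.
 * The `alg` comparison is a runtime check on purpose: the `'SHA-256'`
 * literal type is erased at compile time, so without it a JSON document
 * declaring any other algorithm would pass as long as `hex` was 64 hex
 * characters. Nothing here proves authenticity (see file header).
 */
function validAtt(a: Attestation): boolean {
  return (
    !!a.subject.name &&
    a.subject.digest.alg === 'SHA-256' &&
    hex64(a.subject.digest.hex) &&
    typeof a.predicateType === 'string' &&
    a.predicateType.length > 0 &&
    hex64(a.payloadSha256)
  );
}

/** True when the SBOM is bound to the attestation's subject digest (hex compared case-insensitively). */
function align(a: Attestation, s: Sbom): boolean {
  const sbomDigest = s.subjectDigest.toLowerCase();
  const attDigest = a.subject.digest.hex.toLowerCase();
  return sbomDigest === attDigest;
}

/**
 * Evaluate an attestation/SBOM pair.
 *
 * @returns `ok: true` only when every check passes; otherwise `errors` lists
 * each failed check in order: `'att'` (attestation malformed), `'sbom'`
 * (SBOM subject digest malformed), `'align'` (the two digests differ).
 * Per the governance policy any `ok: false` must block the rollout and
 * trigger a rollback; callers should not act on `errors` selectively.
 */
function evaluate(a: Attestation, s: Sbom): { ok: boolean; errors: string[] } {
  const errors: string[] = [];
  if (!validAtt(a)) errors.push('att');
  if (!hex64(s.subjectDigest)) errors.push('sbom');
  if (!align(a, s)) errors.push('align');
  return { ok: errors.length === 0, errors };
}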
