package chainloop

# Deny by default: `allow` is false unless the `allow` rule below evaluates
# to true, so missing or malformed input fails closed.
default allow = false

# Example only: require an SBOM material and reject mutable latest image tags.
# True when at least one entry in input.materials is declared as a CycloneDX
# JSON SBOM. This is a presence check on the `kind` field only; the SBOM's
# contents are not inspected here.
has_sbom {
  input.materials[_].kind == "SBOM_CYCLONEDX_JSON"
}

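# True when at least one CONTAINER_IMAGE material is present and none of the
# CONTAINER_IMAGE materials carries a ":latest" tag.
#
# The earlier form bound a single index with `some i`, so it succeeded as soon
# as ANY one image lacked ":latest"; an attestation mixing a pinned image with
# a ":latest" image was accepted. Collecting the offenders and requiring the
# collection to be empty makes the check apply to every image.
#
# NOTE(review): like the earlier form, this stays undefined (deny) when no
# CONTAINER_IMAGE material exists. Confirm whether an image is required.
# NOTE(review): this is a substring match on `value`. A reference with no tag
# at all is not flagged, although container tooling commonly resolves such
# references to `latest`; requiring a digest is the stronger control.
no_latest_tag {
  images := [m | m := input.materials[_]; m.kind == "CONTAINER_IMAGE"]
  count(images) > 0

  # Every image whose reference contains the mutable tag is a violation.
  offenders := [m | m := images[_]; contains(m.value, ":latest")]
  count(offenders) == 0
}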

# Admit the attestation only when both checks hold. If either helper rule is
# undefined, this body fails and `default allow = false` applies.
allow {
  has_sbom; no_latest_tag
}
