feat(catalog): posture-verify component + sbom-attest ordering
Summary
Two related pieces of the v2 supply-chain story:
1. posture-verify component (new)
Generic-by-design verifier of .gitlab/posture-claims.yaml. The
consumer authors verify shell commands per claim; this component
iterates them and fails closed on any verification failure. Schema
shown in templates/posture-verify/README.md.
Standards alignment: NIST 800-53 CM-5/CM-7/SI-7, CMMC 2.0 L2, SSDF v1.1 RV.1.2. Mechanical claims beat narrative claims.
Added:
- scripts/posture-verify.py -- Python + PyYAML CLI.
- containers/posture-verify.Containerfile -- adds python3 + PyYAML, COPYs the CLI.
- templates/posture-verify/template.yml -- component, defaults to default-branch + tag.
- templates/posture-verify/README.md -- usage + schema reference.
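As an added illustration of the fail-closed loop described above (not the MR's own scripts/posture-verify.py), a minimal Python verifier over a list of claims. The claim fields "id" and "verify" are an assumed schema (the real one is in the component README), and the real CLI loads the list from .gitlab/posture-claims.yaml with PyYAML; that loading step is left out here so the core logic runs stand-alone.

```python
# Added example, not the component's code. Claim schema (fields "id" and
# "verify", a POSIX shell one-liner) is an assumption for illustration.
import subprocess


def verify_claim(claim, timeout=30):
    """Run one claim's verify command; return (claim_id, ok, detail)."""
    claim_id = str(claim.get("id", "<missing id>"))
    cmd = claim.get("verify")
    # Fail closed: a claim with no runnable verify command is a failure,
    # never something to skip silently.
    if not isinstance(cmd, str) or not cmd.strip():
        return claim_id, False, "no verify command"
    try:
        proc = subprocess.run(cmd, shell=True, capture_output=True,
                              text=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return claim_id, False, f"timed out after {timeout}s"
    except OSError as exc:
        return claim_id, False, f"could not run: {exc}"
    if proc.returncode != 0:
        return claim_id, False, f"exit {proc.returncode}: {proc.stderr.strip() or 'no stderr'}"
    return claim_id, True, "ok"


def verify_claims(claims, timeout=30):
    """Verify every claim; overall result is True only if all of them pass."""
    results = [verify_claim(c, timeout) for c in claims]
    # An empty claims list also fails closed: nothing was actually verified.
    overall = bool(results) and all(ok for _, ok, _ in results)
    return overall, results


# Constructed sample claims (not from the MR). The last one has no verify
# command, which must count as a failure rather than a pass.
SAMPLE_CLAIMS = [
    {"id": "root-fs-present", "verify": "test -d /"},
    {"id": "always-true", "verify": "true"},
    {"id": "always-false", "verify": "false"},
    {"id": "unverifiable"},
]

if __name__ == "__main__":
    ok, results = verify_claims(SAMPLE_CLAIMS)
    for claim_id, passed, detail in results:
        print(f"{'PASS' if passed else 'FAIL'} {claim_id}: {detail}")
    raise SystemExit(0 if ok else 1)
```

Any single failing, missing or hanging verify command makes the overall result False, which is what lets the CI job fail the pipeline instead of reporting a partial pass.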
2. container-attest sequences after container-sbom
Optional needs: on a new sbom_job input prevents the cosign
attest race where container-sbom and container-attest both write to
:sha256-<digest>.att concurrently and last-writer-wins drops one
attestation.
If the consumer doesn't include container-sbom, the needs is skipped
(optional: true).
Test plan
- MR pipeline green (syntax + lint-templates).
- After merge: posture-verify image rebuilds with python3 + the CLI; v2.0.0-rc.5 tag pipeline verifies it.
- kaniko consumer (separate MR) swaps its custom verify-posture script for the new component to validate end-to-end.