diff --git a/docs/configuration/initiatives/index.md b/docs/configuration/initiatives/index.md
index 30035d07a..1cd377120 100644
--- a/docs/configuration/initiatives/index.md
+++ b/docs/configuration/initiatives/index.md
@@ -22,6 +22,7 @@
|-----------|-------------|
| [Apply Scribe Template Policy](/docs/configuration/initiatives/rules/api/scribe-api.md) | Verify XX using the Scribe API template rule. |
| [Scribe Published Policy](/docs/configuration/initiatives/rules/api/scribe-api-published.md) | Verify image Scribe Publish flag is set for container image. |
+| [Verify No Critical or High Vulnerabilities](/docs/configuration/initiatives/rules/api/scribe-api-cve.md) | Verify via Scribe API that there are no critical or high severity vulnerabilities in the target artifact (container image, folder, etc.). |
| [NTIA SBOM Compliance Check](/docs/configuration/initiatives/rules/sbom/NTIA-compliance.md) | Validates that SBOM metadata meets basic NTIA requirements for authors and supplier. |
| [Enforce SBOM Freshness](/docs/configuration/initiatives/rules/sbom/fresh-sbom.md) | Verify the SBOM is not older than the specified duration. |
| [Require SBOM Existence](/docs/configuration/initiatives/rules/sbom/evidence-exists.md) | Verify the SBOM exists as evidence. |
@@ -41,13 +42,13 @@
| [Disallow Specific Users in SBOM](/docs/configuration/initiatives/rules/images/banned-users.md) | Verify specific users are not allowed in an SBOM. |
| [Restrict Build Scripts](/docs/configuration/initiatives/rules/images/blocklist-build-scripts.md) | Verify no build scripts commands appear in block list. |
| [Registry Connection HTTPS](/docs/configuration/initiatives/rules/images/enforce-https-registry.md) | Checks if the container's registry scheme is HTTPS |
+| [Verify NPM Packages Origin](/docs/configuration/initiatives/rules/images/allowed-npm-registries.md) | Verify that the artifact contains only components from allowed NPM registries. |
| [Require Image Labels](/docs/configuration/initiatives/rules/images/verify-labels-exist.md) | Verify the image has the specified labels. |
| [Require Healthcheck](/docs/configuration/initiatives/rules/images/require-healthcheck.md) | Checks that the container image includes at least one healthcheck property. |
| [Allowed Base Image](/docs/configuration/initiatives/rules/images/allowed-base-image.md) | Verifies that every base image is from an approved source. The rule returns a summary including the component names and versions of valid base images, or lists the invalid ones. This rule requires Dockerfile context; for example, run it with: `valint my_image --base-image Dockerfile`. |
| [Fresh Image](/docs/configuration/initiatives/rules/images/fresh-image.md) | Verify the image is not older than the specified threshold. |
| [Allowed Main Image Source](/docs/configuration/initiatives/rules/images/allowed-image-source.md) | Ensures the main container image referenced in the SBOM is from an approved source. |
| [Require Signed Container Image](/docs/configuration/initiatives/rules/images/image-signed.md) | Enforces that container images (target_type=container) are cryptographically signed. |
-| [Verify No Critical or High Vulnerabilities](/docs/configuration/initiatives/rules/api/scribe-api-cve.md) | Verify via Scribe API that there are no critical or high severity vulnerabilities in the target artifact (container image, folder, etc.). |
| [Disallow Specific Users in SBOM](/docs/configuration/initiatives/rules/sbom/banned-users.md) | Verify specific users are not allowed in an SBOM. |
| [Enforce SBOM Dependencies](/docs/configuration/initiatives/rules/sbom/required-packages.md) | Verify the artifact includes all required dependencies. |
| [Enforce SBOM License Completeness](/docs/configuration/initiatives/rules/sbom/complete-licenses.md) | Verify all dependencies in the artifact have a license. |
@@ -109,6 +110,7 @@
| [Verify `secret_scanning` Setting in `security_and_analysis`](/docs/configuration/initiatives/rules/github/org/secret-scanning-sa.md) | Verify secret scanning is configured in the GitHub repository. |
| [Limit Admin Number in GitHub Organization](/docs/configuration/initiatives/rules/github/org/max-admins.md) | Verify the maximum number of GitHub organization admins is restricted. |
| [Verify `advanced_security_enabled_for_new_repositories` setting](/docs/configuration/initiatives/rules/github/org/advanced-security.md) | Verify Advanced Security is enabled for new repositories in the GitHub organization. |
+| [Require GitHub Organization Discovery Evidence](/docs/configuration/initiatives/rules/github/org/evidence-exists.md) | Verify the GitHub Organization exists as evidence. |
| [Verify dependency_graph_enabled_for_new_repositories setting](/docs/configuration/initiatives/rules/github/org/dependency-graph.md) | Verify dependency graph is enabled for new repositories in the GitHub organization. |
| [Verify GitHub Organization Requires Signoff on Web Commits](/docs/configuration/initiatives/rules/github/org/web-commit-signoff.md) | Verify contributors sign commits through the GitHub web interface. |
| [Verify Two-Factor Authentication (2FA) Requirement Enabled](/docs/configuration/initiatives/rules/github/org/2fa.md) | Verify Two-factor Authentication is required in the GitHub organization. |
@@ -133,6 +135,7 @@
| [Verify secret scanning.](/docs/configuration/initiatives/rules/github/repository/validity-checks.md) | Verify both `secret_scanning_validity_checks` and `security_and_analysis` are set in GitHub organization and all the repositories. |
| [Verify Dependabot security updates setting](/docs/configuration/initiatives/rules/github/repository/dependabot.md) | Verify Dependabot security updates are configured in the GitHub repository. |
| [Verify Repository Is Private](/docs/configuration/initiatives/rules/github/repository/repo-private.md) | Verify the GitHub repository is private. |
+| [Require GitHub Repository Discovery Evidence](/docs/configuration/initiatives/rules/github/repository/evidence-exists.md) | Verify the GitHub Repository exists as evidence. |
| [Verify Repository Requires Commit Signoff](/docs/configuration/initiatives/rules/github/repository/web-commit-signoff.md) | Verify contributors sign off on commits to the GitHub repository through the GitHub web interface. |
| [Verify Default Branch Protection](/docs/configuration/initiatives/rules/github/repository/default-branch-protection.md) | Verify the default branch protection is configured in the GitHub repository. |
| [Verify No Old Secrets Exist in Repository](/docs/configuration/initiatives/rules/github/repository/old-secrets.md) | Verify secrets in the GitHub repository are not older than the specified threshold. |
@@ -215,6 +218,7 @@
|-----------|-------------|
| [Allowed Container Images](/docs/configuration/initiatives/rules/k8s/namespace/allowed-images.md) | Verify only container images specified in the Allowed List run within the Kubernetes namespace. |
| [Verify Namespace Termination](/docs/configuration/initiatives/rules/k8s/namespace/verify-namespace-termination.md) | Verify Kubernetes namespaces are properly terminated to prevent lingering resources and maintain cluster hygiene. |
+| [Require K8s Namespace Discovery Evidence](/docs/configuration/initiatives/rules/k8s/namespace/evidence-exists.md) | Verify the K8s Namespace exists as evidence. |
| [Allowed Namespaces](/docs/configuration/initiatives/rules/k8s/namespace/white-listed-namespaces.md) | Verify only namespaces specified in the Allowed List are allowed within the cluster. |
| [Verify Namespace Runtime Duration](/docs/configuration/initiatives/rules/k8s/namespace/verify-namespace-duration.md) | Verify Kubernetes namespaces adhere to a specified runtime duration to enforce lifecycle limits. |
| [Allowed Namespace Registries](/docs/configuration/initiatives/rules/k8s/namespace/allowed-registries.md) | Verify container images in Kubernetes namespaces originate from registries in the Allowed List. |
@@ -226,6 +230,7 @@
| Rule Name | Description |
|-----------|-------------|
| [Verify Pod Runtime Duration](/docs/configuration/initiatives/rules/k8s/pods/verify-pod-duration.md) | Verify Kubernetes pods adhere to a specified runtime duration to enforce lifecycle limits. |
+| [Require K8s Pod Discovery Evidence](/docs/configuration/initiatives/rules/k8s/pods/evidence-exists.md) | Verify the K8s Pod exists as evidence. |
| [Verify Pod Termination](/docs/configuration/initiatives/rules/k8s/pods/verify-pod-termination.md) | Verify Kubernetes pods are properly terminated to prevent lingering resources and maintain cluster hygiene. |
| [Allowed Pods](/docs/configuration/initiatives/rules/k8s/pods/white-listed-pod.md) | Verify only pods explicitly listed in the Allowed List are allowed to run. |
@@ -235,6 +240,7 @@
| Rule Name | Description |
|-----------|-------------|
| [Prevent Long-Lived Tokens](/docs/configuration/initiatives/rules/bitbucket/project/long-live-tokens.md) | Verify Bitbucket API tokens expire before the maximum time to live. |
+| [Require Bitbucket Project Discovery Evidence](/docs/configuration/initiatives/rules/bitbucket/project/evidence-exists.md) | Verify the Bitbucket Project exists as evidence. |
| [Allowed Project Admins](/docs/configuration/initiatives/rules/bitbucket/project/allow-admins.md) | Verify only users specified in the Allowed List have admin privileges in the Bitbucket project. |
| [Allowed Project Users](/docs/configuration/initiatives/rules/bitbucket/project/allow-users.md) | Verify only users specified in the Allowed List have user access to the Bitbucket project. |
| [Prevent Credential Exposure](/docs/configuration/initiatives/rules/bitbucket/project/exposed-credentials.md) | Verify access to the Bitbucket project is blocked if exposed credentials are detected. |
@@ -244,6 +250,7 @@
| Rule Name | Description |
|-----------|-------------|
+| [Require Bitbucket Repository Discovery Evidence](/docs/configuration/initiatives/rules/bitbucket/repository/evidence-exists.md) | Verify the Bitbucket Repository exists as evidence. |
| [Allowed Repository Admins](/docs/configuration/initiatives/rules/bitbucket/repository/allow-admins.md) | Verify only users specified in the Allowed List have admin privileges in the Bitbucket repository. |
| [Verify Default Branch Protection Setting Is Configured](/docs/configuration/initiatives/rules/bitbucket/repository/branch-protection.md) | Verify the default branch protection is enabled in the Bitbucket repository. |
| [Allowed Repository Users](/docs/configuration/initiatives/rules/bitbucket/repository/allow-users.md) | Verify only users specified in the Allowed List have user access to the Bitbucket repository. |
@@ -253,18 +260,10 @@
| Rule Name | Description |
|-----------|-------------|
+| [Require Bitbucket Workspace Discovery Evidence](/docs/configuration/initiatives/rules/bitbucket/workspace/evidence-exists.md) | Verify the Bitbucket Workspace exists as evidence. |
| [Allowed Workspace Admins](/docs/configuration/initiatives/rules/bitbucket/workspace/allow-admins.md) | Verify only users specified in the Allowed List have admin privileges in the Bitbucket workspace. |
| [Allowed Workspace Users](/docs/configuration/initiatives/rules/bitbucket/workspace/allow-users.md) | Verify only users specified in the Allowed List have user access to the Bitbucket workspace. |
-### Discovery Evidence
-**Evidence Type:** [Discovery Evidence](/docs/platforms/discover)
-
-| Rule Name | Description |
-|-----------|-------------|
-| [Verify GitLab Pipeline Labels](/docs/configuration/initiatives/rules/gitlab/pipeline/verify-labels.md) | Verify the pipeline includes all required label keys and values. |
-| [GitLab pipeline verify labels exist](/docs/configuration/initiatives/rules/gitlab/pipeline/verify-labels-exist.md) | Verify the pipeline has all required label keys and values. |
-| [Verify Exposed Credentials](/docs/configuration/initiatives/rules/jenkins/folder/exposed-credentials.md) | Verify there are no exposed credentials. |
-
### Dockerhub Project Discovery Evidence
**Evidence Type:** [Dockerhub Project Discovery Evidence](/docs/platforms/discover#dockerhub-discovery)
@@ -273,11 +272,20 @@
| [Verify DockerHub Tokens are Active](/docs/configuration/initiatives/rules/dockerhub/token-expiration.md) | Verify that all discovered Dockerhub tokens are set to Active in Dockerhub. |
| [Verify no unused Dockerhub](/docs/configuration/initiatives/rules/dockerhub/token-not-used.md) | Verify that there are no unused Dockerhub. |
+### Jenkins Folder Discovery Evidence
+**Evidence Type:** [Jenkins Folder Discovery Evidence](/docs/platforms/discover#jenkins-discovery)
+
+| Rule Name | Description |
+|-----------|-------------|
+| [Require Jenkins Folder Discovery Evidence](/docs/configuration/initiatives/rules/jenkins/folder/evidence-exists.md) | Verify the Jenkins Folder exists as evidence. |
+| [Verify Exposed Credentials](/docs/configuration/initiatives/rules/jenkins/folder/exposed-credentials.md) | Verify there are no exposed credentials. |
+
### Jenkins Instance Discovery Evidence
**Evidence Type:** [Jenkins Instance Discovery Evidence](/docs/platforms/discover#jenkins-discovery)
| Rule Name | Description |
|-----------|-------------|
+| [Require Jenkins Instance Discovery Evidence](/docs/configuration/initiatives/rules/jenkins/instance/evidence-exists.md) | Verify the Jenkins Instance exists as evidence. |
| [Disallow Unused Users](/docs/configuration/initiatives/rules/jenkins/instance/unused-users.md) | Verify there are no users with zero activity. |
| [Verify Inactive Users](/docs/configuration/initiatives/rules/jenkins/instance/inactive-users.md) | Verify there are no inactive users. |
diff --git a/docs/configuration/initiatives/rules/api/scribe-api-cve.md b/docs/configuration/initiatives/rules/api/scribe-api-cve.md
index 420ce34c5..84a5e0040 100644
--- a/docs/configuration/initiatives/rules/api/scribe-api-cve.md
+++ b/docs/configuration/initiatives/rules/api/scribe-api-cve.md
@@ -33,6 +33,8 @@ with:
cve:
max: 0
severity: 6
+ has_kev: true
+ has_fix: false
```
## Mitigation
@@ -48,10 +50,9 @@ This rule ensures that there are no critical or high severity vulnerabilities in
| filter-by | ['product', 'target'] |
| signed | False |
| content_body_type | cyclonedx-json |
-| target_type | container |
## Input Definitions
| Parameter | Type | Required | Description |
|-----------|------|----------|-------------|
-| superset | object | False | The superset of CVEs to check for, including the following format [cve: [max: int, severity: int]] |
+| superset | object | False | The superset of CVEs to check for, including the following format [cve: [max: int, severity: int], has_kev: bool, has_fix: bool]]. |
diff --git a/docs/configuration/initiatives/rules/bitbucket/project/allow-admins.md b/docs/configuration/initiatives/rules/bitbucket/project/allow-admins.md
index de262da4c..cbf578cdc 100644
--- a/docs/configuration/initiatives/rules/bitbucket/project/allow-admins.md
+++ b/docs/configuration/initiatives/rules/bitbucket/project/allow-admins.md
@@ -52,7 +52,19 @@ It performs the following steps:
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - platform=bitbucket
- asset_type=project |
+| asset_platform | bitbucket |
+| asset_type | project |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "project" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
## Input Definitions
| Parameter | Type | Required | Description |
diff --git a/docs/configuration/initiatives/rules/bitbucket/project/allow-users.md b/docs/configuration/initiatives/rules/bitbucket/project/allow-users.md
index 013c0209c..83826bea0 100644
--- a/docs/configuration/initiatives/rules/bitbucket/project/allow-users.md
+++ b/docs/configuration/initiatives/rules/bitbucket/project/allow-users.md
@@ -52,7 +52,19 @@ It performs the following steps:
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - platform=bitbucket
- asset_type=project |
+| asset_platform | bitbucket |
+| asset_type | project |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "project" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
## Input Definitions
| Parameter | Type | Required | Description |
diff --git a/docs/configuration/initiatives/rules/bitbucket/project/evidence-exists.md b/docs/configuration/initiatives/rules/bitbucket/project/evidence-exists.md
new file mode 100644
index 000000000..6c9e275f5
--- /dev/null
+++ b/docs/configuration/initiatives/rules/bitbucket/project/evidence-exists.md
@@ -0,0 +1,53 @@
+---
+sidebar_label: Require Bitbucket Project Discovery Evidence
+title: Require Bitbucket Project Discovery Evidence
+---
+# Require Bitbucket Project Discovery Evidence
+**Type:** Rule
+**ID:** `bb-project-exists`
+**Source:** [v2/rules/bitbucket/project/evidence-exists.yaml](https://github.com/scribe-public/sample-policies/blob/main/v2/rules/bitbucket/project/evidence-exists.yaml)
+**Rego Source:** [evidence-exists.rego](https://github.com/scribe-public/sample-policies/blob/main/v2/rules/bitbucket/project/evidence-exists.rego)
+**Labels:** Bitbucket, Project
+
+Verify the Bitbucket Project exists as evidence.
+
+:::note
+This rule requires Bitbucket Project Discovery Evidence. See [here](/docs/platforms/discover#bitbucket-discovery) for more details.
+:::
+:::tip
+> Evidence **IS** required for this rule and will fail if missing.
+:::
+:::tip
+Signed Evidence for this rule **IS NOT** required by default but is recommended.
+:::
+:::warning
+Rule requires evaluation with a target. Without one, it will be **disabled** unless the `--all-evidence` flag is provided.
+:::
+
+## Usage example
+
+```yaml
+uses: bitbucket/project/evidence-exists@v2
+```
+
+## Evidence Requirements
+| Field | Value |
+|-------|-------|
+| signed | False |
+| content_body_type | generic |
+| target_type | data |
+| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
+| asset_platform | bitbucket |
+| asset_type | project |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "project" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
+
diff --git a/docs/configuration/initiatives/rules/bitbucket/project/exposed-credentials.md b/docs/configuration/initiatives/rules/bitbucket/project/exposed-credentials.md
index 82a465060..4ff8b5b2f 100644
--- a/docs/configuration/initiatives/rules/bitbucket/project/exposed-credentials.md
+++ b/docs/configuration/initiatives/rules/bitbucket/project/exposed-credentials.md
@@ -48,5 +48,17 @@ It performs the following steps:
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - platform=bitbucket
- asset_type=project |
+| asset_platform | bitbucket |
+| asset_type | project |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "project" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
diff --git a/docs/configuration/initiatives/rules/bitbucket/project/long-live-tokens.md b/docs/configuration/initiatives/rules/bitbucket/project/long-live-tokens.md
index 828f6e046..ddc631e83 100644
--- a/docs/configuration/initiatives/rules/bitbucket/project/long-live-tokens.md
+++ b/docs/configuration/initiatives/rules/bitbucket/project/long-live-tokens.md
@@ -49,7 +49,20 @@ It performs the following steps:
| signed | False |
| content_body_type | generic |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - asset_type=project
- platform=bitbucket
- platform_instance=bitbucket_dc |
+| asset_platform | bitbucket |
+| asset_type | project |
+| asset_name | Template value (see below) |
+| labels | - platform_instance=bitbucket_dc |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "project" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
## Input Definitions
| Parameter | Type | Required | Description |
diff --git a/docs/configuration/initiatives/rules/bitbucket/repository/allow-admins.md b/docs/configuration/initiatives/rules/bitbucket/repository/allow-admins.md
index bdcb29925..b45507813 100644
--- a/docs/configuration/initiatives/rules/bitbucket/repository/allow-admins.md
+++ b/docs/configuration/initiatives/rules/bitbucket/repository/allow-admins.md
@@ -53,7 +53,19 @@ It performs the following steps:
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - platform=bitbucket
- asset_type=repository |
+| asset_platform | bitbucket |
+| asset_type | repo |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "repo" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
## Input Definitions
| Parameter | Type | Required | Description |
diff --git a/docs/configuration/initiatives/rules/bitbucket/repository/allow-users.md b/docs/configuration/initiatives/rules/bitbucket/repository/allow-users.md
index 7f9d70f65..d63e86351 100644
--- a/docs/configuration/initiatives/rules/bitbucket/repository/allow-users.md
+++ b/docs/configuration/initiatives/rules/bitbucket/repository/allow-users.md
@@ -53,7 +53,19 @@ It performs the following steps:
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - platform=bitbucket
- asset_type=repository |
+| asset_platform | bitbucket |
+| asset_type | repo |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "repo" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
## Input Definitions
| Parameter | Type | Required | Description |
diff --git a/docs/configuration/initiatives/rules/bitbucket/repository/branch-protection.md b/docs/configuration/initiatives/rules/bitbucket/repository/branch-protection.md
index 347cd4b4d..fb763fafc 100644
--- a/docs/configuration/initiatives/rules/bitbucket/repository/branch-protection.md
+++ b/docs/configuration/initiatives/rules/bitbucket/repository/branch-protection.md
@@ -51,7 +51,19 @@ It performs the following steps:
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - platform=bitbucket
- asset_type=repository |
+| asset_platform | bitbucket |
+| asset_type | repo |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "repo" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
## Input Definitions
| Parameter | Type | Required | Description |
diff --git a/docs/configuration/initiatives/rules/bitbucket/repository/evidence-exists.md b/docs/configuration/initiatives/rules/bitbucket/repository/evidence-exists.md
new file mode 100644
index 000000000..43f7c2242
--- /dev/null
+++ b/docs/configuration/initiatives/rules/bitbucket/repository/evidence-exists.md
@@ -0,0 +1,53 @@
+---
+sidebar_label: Require Bitbucket Repository Discovery Evidence
+title: Require Bitbucket Repository Discovery Evidence
+---
+# Require Bitbucket Repository Discovery Evidence
+**Type:** Rule
+**ID:** `bb-repo-exists`
+**Source:** [v2/rules/bitbucket/repository/evidence-exists.yaml](https://github.com/scribe-public/sample-policies/blob/main/v2/rules/bitbucket/repository/evidence-exists.yaml)
+**Rego Source:** [evidence-exists.rego](https://github.com/scribe-public/sample-policies/blob/main/v2/rules/bitbucket/repository/evidence-exists.rego)
+**Labels:** Bitbucket, Repository
+
+Verify the Bitbucket Repository exists as evidence.
+
+:::note
+This rule requires Bitbucket Repository Discovery Evidence. See [here](/docs/platforms/discover#bitbucket-discovery) for more details.
+:::
+:::tip
+> Evidence **IS** required for this rule and will fail if missing.
+:::
+:::tip
+Signed Evidence for this rule **IS NOT** required by default but is recommended.
+:::
+:::warning
+Rule requires evaluation with a target. Without one, it will be **disabled** unless the `--all-evidence` flag is provided.
+:::
+
+## Usage example
+
+```yaml
+uses: bitbucket/repository/evidence-exists@v2
+```
+
+## Evidence Requirements
+| Field | Value |
+|-------|-------|
+| signed | False |
+| content_body_type | generic |
+| target_type | data |
+| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
+| asset_platform | bitbucket |
+| asset_type | repo |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "repo" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
+
diff --git a/docs/configuration/initiatives/rules/bitbucket/workspace/allow-admins.md b/docs/configuration/initiatives/rules/bitbucket/workspace/allow-admins.md
index 793de740c..b549e9fa3 100644
--- a/docs/configuration/initiatives/rules/bitbucket/workspace/allow-admins.md
+++ b/docs/configuration/initiatives/rules/bitbucket/workspace/allow-admins.md
@@ -53,7 +53,19 @@ It performs the following steps:
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - platform=bitbucket
- asset_type=workspace |
+| asset_platform | bitbucket |
+| asset_type | workspace |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "workspace" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
## Input Definitions
| Parameter | Type | Required | Description |
diff --git a/docs/configuration/initiatives/rules/bitbucket/workspace/allow-users.md b/docs/configuration/initiatives/rules/bitbucket/workspace/allow-users.md
index 0a6d19ee1..f3e8a56eb 100644
--- a/docs/configuration/initiatives/rules/bitbucket/workspace/allow-users.md
+++ b/docs/configuration/initiatives/rules/bitbucket/workspace/allow-users.md
@@ -53,7 +53,19 @@ It performs the following steps:
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - platform=bitbucket
- asset_type=workspace |
+| asset_platform | bitbucket |
+| asset_type | workspace |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "workspace" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
## Input Definitions
| Parameter | Type | Required | Description |
diff --git a/docs/configuration/initiatives/rules/bitbucket/workspace/evidence-exists.md b/docs/configuration/initiatives/rules/bitbucket/workspace/evidence-exists.md
new file mode 100644
index 000000000..45322ca78
--- /dev/null
+++ b/docs/configuration/initiatives/rules/bitbucket/workspace/evidence-exists.md
@@ -0,0 +1,53 @@
+---
+sidebar_label: Require Bitbucket Workspace Discovery Evidence
+title: Require Bitbucket Workspace Discovery Evidence
+---
+# Require Bitbucket Workspace Discovery Evidence
+**Type:** Rule
+**ID:** `bb-workspace-exists`
+**Source:** [v2/rules/bitbucket/workspace/evidence-exists.yaml](https://github.com/scribe-public/sample-policies/blob/main/v2/rules/bitbucket/workspace/evidence-exists.yaml)
+**Rego Source:** [evidence-exists.rego](https://github.com/scribe-public/sample-policies/blob/main/v2/rules/bitbucket/workspace/evidence-exists.rego)
+**Labels:** Bitbucket, Workspace
+
+Verify the Bitbucket Workspace exists as evidence.
+
+:::note
+This rule requires Bitbucket Workspace Discovery Evidence. See [here](/docs/platforms/discover#bitbucket-discovery) for more details.
+:::
+:::tip
+> Evidence **IS** required for this rule and will fail if missing.
+:::
+:::tip
+Signed Evidence for this rule **IS NOT** required by default but is recommended.
+:::
+:::warning
+Rule requires evaluation with a target. Without one, it will be **disabled** unless the `--all-evidence` flag is provided.
+:::
+
+## Usage example
+
+```yaml
+uses: bitbucket/workspace/evidence-exists@v2
+```
+
+## Evidence Requirements
+| Field | Value |
+|-------|-------|
+| signed | False |
+| content_body_type | generic |
+| target_type | data |
+| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
+| asset_platform | bitbucket |
+| asset_type | workspace |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "workspace" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
+
diff --git a/docs/configuration/initiatives/rules/dockerhub/token-expiration.md b/docs/configuration/initiatives/rules/dockerhub/token-expiration.md
index 31c705621..d0a7936a9 100644
--- a/docs/configuration/initiatives/rules/dockerhub/token-expiration.md
+++ b/docs/configuration/initiatives/rules/dockerhub/token-expiration.md
@@ -49,5 +49,17 @@ It performs the following steps:
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - asset_type=project
- platform=dockerhub |
+| asset_platform | dockerhub |
+| asset_type | oci_repo |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "oci_repo" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
diff --git a/docs/configuration/initiatives/rules/dockerhub/token-not-used.md b/docs/configuration/initiatives/rules/dockerhub/token-not-used.md
index 14ba8e6e3..c1f4fc788 100644
--- a/docs/configuration/initiatives/rules/dockerhub/token-not-used.md
+++ b/docs/configuration/initiatives/rules/dockerhub/token-not-used.md
@@ -44,5 +44,17 @@ It performs the following steps:
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - asset_type=project
- platform=dockerhub |
+| asset_platform | dockerhub |
+| asset_type | oci_repo |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "oci_repo" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
diff --git a/docs/configuration/initiatives/rules/github/org/2fa.md b/docs/configuration/initiatives/rules/github/org/2fa.md
index 644e07024..f0d31dc8e 100644
--- a/docs/configuration/initiatives/rules/github/org/2fa.md
+++ b/docs/configuration/initiatives/rules/github/org/2fa.md
@@ -52,7 +52,19 @@ layer of security against unauthorized access.
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - platform=github
- asset_type=organization |
+| asset_platform | github |
+| asset_type | organization |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "organization" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
## Rule Parameters (`with`)
| Parameter | Default |
diff --git a/docs/configuration/initiatives/rules/github/org/advanced-security.md b/docs/configuration/initiatives/rules/github/org/advanced-security.md
index e74375a12..32cd77c26 100644
--- a/docs/configuration/initiatives/rules/github/org/advanced-security.md
+++ b/docs/configuration/initiatives/rules/github/org/advanced-security.md
@@ -52,7 +52,19 @@ introducing vulnerabilities or unapproved software.
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - platform=github
- asset_type=organization |
+| asset_platform | github |
+| asset_type | organization |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "organization" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
## Input Definitions
| Parameter | Type | Required | Description |
diff --git a/docs/configuration/initiatives/rules/github/org/allow-admins.md b/docs/configuration/initiatives/rules/github/org/allow-admins.md
index 8ef25f7f2..5ba2e3c76 100644
--- a/docs/configuration/initiatives/rules/github/org/allow-admins.md
+++ b/docs/configuration/initiatives/rules/github/org/allow-admins.md
@@ -54,7 +54,19 @@ the desired value, a violation is recorded. This ensures that only users in the
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - platform=github
- asset_type=organization |
+| asset_platform | github |
+| asset_type | organization |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "organization" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
## Input Definitions
| Parameter | Type | Required | Description |
diff --git a/docs/configuration/initiatives/rules/github/org/allow-users.md b/docs/configuration/initiatives/rules/github/org/allow-users.md
index ca8df3d50..0ffd3e3c0 100644
--- a/docs/configuration/initiatives/rules/github/org/allow-users.md
+++ b/docs/configuration/initiatives/rules/github/org/allow-users.md
@@ -53,7 +53,19 @@ It performs the following steps:
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - platform=github
- asset_type=organization |
+| asset_platform | github |
+| asset_type | organization |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "organization" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
## Input Definitions
| Parameter | Type | Required | Description |
diff --git a/docs/configuration/initiatives/rules/github/org/create-private-repos.md b/docs/configuration/initiatives/rules/github/org/create-private-repos.md
index 60db251bb..83f83966a 100644
--- a/docs/configuration/initiatives/rules/github/org/create-private-repos.md
+++ b/docs/configuration/initiatives/rules/github/org/create-private-repos.md
@@ -54,7 +54,19 @@ It performs the following steps:
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - platform=github
- asset_type=organization |
+| asset_platform | github |
+| asset_type | organization |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "organization" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
## Input Definitions
| Parameter | Type | Required | Description |
diff --git a/docs/configuration/initiatives/rules/github/org/create-repos.md b/docs/configuration/initiatives/rules/github/org/create-repos.md
index 8f3e68c18..ef6226252 100644
--- a/docs/configuration/initiatives/rules/github/org/create-repos.md
+++ b/docs/configuration/initiatives/rules/github/org/create-repos.md
@@ -51,7 +51,19 @@ It performs the following steps:
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - platform=github
- asset_type=organization |
+| asset_platform | github |
+| asset_type | organization |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "organization" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
## Input Definitions
| Parameter | Type | Required | Description |
diff --git a/docs/configuration/initiatives/rules/github/org/dependabot-alerts.md b/docs/configuration/initiatives/rules/github/org/dependabot-alerts.md
index 6805700cf..e499bad7a 100644
--- a/docs/configuration/initiatives/rules/github/org/dependabot-alerts.md
+++ b/docs/configuration/initiatives/rules/github/org/dependabot-alerts.md
@@ -51,7 +51,19 @@ It performs the following steps:
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - platform=github
- asset_type=organization |
+| asset_platform | github |
+| asset_type | organization |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "organization" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
## Input Definitions
| Parameter | Type | Required | Description |
diff --git a/docs/configuration/initiatives/rules/github/org/dependabot-security-updates-sa.md b/docs/configuration/initiatives/rules/github/org/dependabot-security-updates-sa.md
index ae9bac2b0..4991eebca 100644
--- a/docs/configuration/initiatives/rules/github/org/dependabot-security-updates-sa.md
+++ b/docs/configuration/initiatives/rules/github/org/dependabot-security-updates-sa.md
@@ -48,5 +48,17 @@ It performs the following steps:
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - platform=github
- asset_type=organization |
+| asset_platform | github |
+| asset_type | organization |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "organization" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
diff --git a/docs/configuration/initiatives/rules/github/org/dependabot-security-updates.md b/docs/configuration/initiatives/rules/github/org/dependabot-security-updates.md
index 45e410708..649db827e 100644
--- a/docs/configuration/initiatives/rules/github/org/dependabot-security-updates.md
+++ b/docs/configuration/initiatives/rules/github/org/dependabot-security-updates.md
@@ -50,7 +50,19 @@ It performs the following steps:
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - platform=github
- asset_type=organization |
+| asset_platform | github |
+| asset_type | organization |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "organization" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
## Input Definitions
| Parameter | Type | Required | Description |
diff --git a/docs/configuration/initiatives/rules/github/org/dependency-graph.md b/docs/configuration/initiatives/rules/github/org/dependency-graph.md
index 9999445b2..e6430aea4 100644
--- a/docs/configuration/initiatives/rules/github/org/dependency-graph.md
+++ b/docs/configuration/initiatives/rules/github/org/dependency-graph.md
@@ -50,7 +50,19 @@ It performs the following steps:
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - platform=github
- asset_type=organization |
+| asset_platform | github |
+| asset_type | organization |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "organization" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
## Input Definitions
| Parameter | Type | Required | Description |
diff --git a/docs/configuration/initiatives/rules/github/org/evidence-exists.md b/docs/configuration/initiatives/rules/github/org/evidence-exists.md
new file mode 100644
index 000000000..7b30d4482
--- /dev/null
+++ b/docs/configuration/initiatives/rules/github/org/evidence-exists.md
@@ -0,0 +1,53 @@
+---
+sidebar_label: Require GitHub Organization Discovery Evidence
+title: Require GitHub Organization Discovery Evidence
+---
+# Require GitHub Organization Discovery Evidence
+**Type:** Rule
+**ID:** `github-org-exists`
+**Source:** [v2/rules/github/org/evidence-exists.yaml](https://github.com/scribe-public/sample-policies/blob/main/v2/rules/github/org/evidence-exists.yaml)
+**Rego Source:** [evidence-exists.rego](https://github.com/scribe-public/sample-policies/blob/main/v2/rules/github/org/evidence-exists.rego)
+**Labels:** GitHub, Organization
+
+Verify the GitHub Organization exists as evidence.
+
+:::note
+This rule requires Github Organization Discovery Evidence. See [here](/docs/platforms/discover#github-discovery) for more details.
+:::
+:::tip
+> Evidence **IS** required for this rule and will fail if missing.
+:::
+:::tip
+Signed Evidence for this rule **IS NOT** required by default but is recommended.
+:::
+:::warning
+Rule requires evaluation with a target. Without one, it will be **disabled** unless the `--all-evidence` flag is provided.
+:::
+
+## Usage example
+
+```yaml
+uses: github/org/evidence-exists@v2
+```
+
+## Evidence Requirements
+| Field | Value |
+|-------|-------|
+| signed | False |
+| content_body_type | generic |
+| target_type | data |
+| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
+| asset_platform | github |
+| asset_type | organization |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "organization" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
+
diff --git a/docs/configuration/initiatives/rules/github/org/max-admins.md b/docs/configuration/initiatives/rules/github/org/max-admins.md
index 458ae9876..8fce427bd 100644
--- a/docs/configuration/initiatives/rules/github/org/max-admins.md
+++ b/docs/configuration/initiatives/rules/github/org/max-admins.md
@@ -50,7 +50,19 @@ It performs the following steps:
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - platform=github
- asset_type=organization |
+| asset_platform | github |
+| asset_type | organization |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "organization" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
## Input Definitions
| Parameter | Type | Required | Description |
diff --git a/docs/configuration/initiatives/rules/github/org/old-secrets.md b/docs/configuration/initiatives/rules/github/org/old-secrets.md
index fee218e54..34c7c29cb 100644
--- a/docs/configuration/initiatives/rules/github/org/old-secrets.md
+++ b/docs/configuration/initiatives/rules/github/org/old-secrets.md
@@ -50,7 +50,19 @@ It performs the following steps:
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - platform=github
- asset_type=organization |
+| asset_platform | github |
+| asset_type | organization |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "organization" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
## Input Definitions
| Parameter | Type | Required | Description |
diff --git a/docs/configuration/initiatives/rules/github/org/pp-custom-link.md b/docs/configuration/initiatives/rules/github/org/pp-custom-link.md
index a09354b45..8fa5c5586 100644
--- a/docs/configuration/initiatives/rules/github/org/pp-custom-link.md
+++ b/docs/configuration/initiatives/rules/github/org/pp-custom-link.md
@@ -34,7 +34,19 @@ uses: github/org/pp-custom-link@v2
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - platform=github
- asset_type=organization |
+| asset_platform | github |
+| asset_type | organization |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "organization" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
## Rule Parameters (`with`)
| Parameter | Default |
diff --git a/docs/configuration/initiatives/rules/github/org/push-protection-sa.md b/docs/configuration/initiatives/rules/github/org/push-protection-sa.md
index ff0d21fe2..b34ac3b70 100644
--- a/docs/configuration/initiatives/rules/github/org/push-protection-sa.md
+++ b/docs/configuration/initiatives/rules/github/org/push-protection-sa.md
@@ -48,5 +48,17 @@ It performs the following steps:
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - platform=github
- asset_type=organization |
+| asset_platform | github |
+| asset_type | organization |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "organization" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
diff --git a/docs/configuration/initiatives/rules/github/org/push-protection.md b/docs/configuration/initiatives/rules/github/org/push-protection.md
index 5aadbeab3..19349ceb4 100644
--- a/docs/configuration/initiatives/rules/github/org/push-protection.md
+++ b/docs/configuration/initiatives/rules/github/org/push-protection.md
@@ -51,7 +51,19 @@ It performs the following steps:
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - platform=github
- asset_type=organization |
+| asset_platform | github |
+| asset_type | organization |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "organization" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
## Input Definitions
| Parameter | Type | Required | Description |
diff --git a/docs/configuration/initiatives/rules/github/org/repo-visibility.md b/docs/configuration/initiatives/rules/github/org/repo-visibility.md
index 98603f352..48a923646 100644
--- a/docs/configuration/initiatives/rules/github/org/repo-visibility.md
+++ b/docs/configuration/initiatives/rules/github/org/repo-visibility.md
@@ -52,7 +52,19 @@ It performs the following steps:
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - platform=github
- asset_type=organization |
+| asset_platform | github |
+| asset_type | organization |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "organization" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
## Input Definitions
| Parameter | Type | Required | Description |
diff --git a/docs/configuration/initiatives/rules/github/org/secret-scanning-sa.md b/docs/configuration/initiatives/rules/github/org/secret-scanning-sa.md
index 16fabb0dd..79eca1c85 100644
--- a/docs/configuration/initiatives/rules/github/org/secret-scanning-sa.md
+++ b/docs/configuration/initiatives/rules/github/org/secret-scanning-sa.md
@@ -48,5 +48,17 @@ It performs the following steps:
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - platform=github
- asset_type=organization |
+| asset_platform | github |
+| asset_type | organization |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "organization" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
diff --git a/docs/configuration/initiatives/rules/github/org/secret-scanning.md b/docs/configuration/initiatives/rules/github/org/secret-scanning.md
index aad5af60f..094c470ec 100644
--- a/docs/configuration/initiatives/rules/github/org/secret-scanning.md
+++ b/docs/configuration/initiatives/rules/github/org/secret-scanning.md
@@ -34,7 +34,19 @@ uses: github/org/secret-scanning@v2
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - platform=github
- asset_type=organization |
+| asset_platform | github |
+| asset_type | organization |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "organization" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
## Rule Parameters (`with`)
| Parameter | Default |
diff --git a/docs/configuration/initiatives/rules/github/org/validity-checks-sa.md b/docs/configuration/initiatives/rules/github/org/validity-checks-sa.md
index ba7944eb9..846fee4c3 100644
--- a/docs/configuration/initiatives/rules/github/org/validity-checks-sa.md
+++ b/docs/configuration/initiatives/rules/github/org/validity-checks-sa.md
@@ -48,5 +48,17 @@ It performs the following steps:
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - platform=github
- asset_type=organization |
+| asset_platform | github |
+| asset_type | organization |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "organization" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
diff --git a/docs/configuration/initiatives/rules/github/org/validity-checks.md b/docs/configuration/initiatives/rules/github/org/validity-checks.md
index e0e954854..e0fe070b0 100644
--- a/docs/configuration/initiatives/rules/github/org/validity-checks.md
+++ b/docs/configuration/initiatives/rules/github/org/validity-checks.md
@@ -34,7 +34,19 @@ uses: github/org/validity-checks@v2
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - platform=github
- asset_type=organization |
+| asset_platform | github |
+| asset_type | organization |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "organization" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
## Rule Parameters (`with`)
| Parameter | Default |
diff --git a/docs/configuration/initiatives/rules/github/org/web-commit-signoff.md b/docs/configuration/initiatives/rules/github/org/web-commit-signoff.md
index 50f953fd3..cea1ae3a5 100644
--- a/docs/configuration/initiatives/rules/github/org/web-commit-signoff.md
+++ b/docs/configuration/initiatives/rules/github/org/web-commit-signoff.md
@@ -48,5 +48,17 @@ It performs the following steps:
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - platform=github
- asset_type=organization |
+| asset_platform | github |
+| asset_type | organization |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "organization" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
diff --git a/docs/configuration/initiatives/rules/github/repository/approvals-policy-check.md b/docs/configuration/initiatives/rules/github/repository/approvals-policy-check.md
index 21ebba0c3..2993d9056 100644
--- a/docs/configuration/initiatives/rules/github/repository/approvals-policy-check.md
+++ b/docs/configuration/initiatives/rules/github/repository/approvals-policy-check.md
@@ -50,7 +50,19 @@ It performs the following steps:
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - platform=github
- asset_type=repository |
+| asset_platform | github |
+| asset_type | repo |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "repo" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
## Input Definitions
| Parameter | Type | Required | Description |
diff --git a/docs/configuration/initiatives/rules/github/repository/branch-protection.md b/docs/configuration/initiatives/rules/github/repository/branch-protection.md
index 89069fd1d..5a98e7a54 100644
--- a/docs/configuration/initiatives/rules/github/repository/branch-protection.md
+++ b/docs/configuration/initiatives/rules/github/repository/branch-protection.md
@@ -53,7 +53,19 @@ It performs the following steps:
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - platform=github
- asset_type=repository |
+| asset_platform | github |
+| asset_type | repo |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "repo" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
## Input Definitions
| Parameter | Type | Required | Description |
diff --git a/docs/configuration/initiatives/rules/github/repository/branch-verification.md b/docs/configuration/initiatives/rules/github/repository/branch-verification.md
index 48232d5e9..7ed9f8f8b 100644
--- a/docs/configuration/initiatives/rules/github/repository/branch-verification.md
+++ b/docs/configuration/initiatives/rules/github/repository/branch-verification.md
@@ -48,7 +48,19 @@ It performs the following steps:
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - platform=github
- asset_type=repository |
+| asset_platform | github |
+| asset_type | repo |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "repo" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
## Rule Parameters (`with`)
| Parameter | Default |
diff --git a/docs/configuration/initiatives/rules/github/repository/check-signed-commits.md b/docs/configuration/initiatives/rules/github/repository/check-signed-commits.md
index dec363eed..61e7eab52 100644
--- a/docs/configuration/initiatives/rules/github/repository/check-signed-commits.md
+++ b/docs/configuration/initiatives/rules/github/repository/check-signed-commits.md
@@ -48,5 +48,17 @@ It performs the following steps:
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - platform=github
- asset_type=repository |
+| asset_platform | github |
+| asset_type | repo |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "repo" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
diff --git a/docs/configuration/initiatives/rules/github/repository/default-branch-protection.md b/docs/configuration/initiatives/rules/github/repository/default-branch-protection.md
index 1d266e99a..82dcad2f0 100644
--- a/docs/configuration/initiatives/rules/github/repository/default-branch-protection.md
+++ b/docs/configuration/initiatives/rules/github/repository/default-branch-protection.md
@@ -48,5 +48,17 @@ It performs the following steps:
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - platform=github
- asset_type=repository |
+| asset_platform | github |
+| asset_type | repo |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "repo" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
diff --git a/docs/configuration/initiatives/rules/github/repository/dependabot.md b/docs/configuration/initiatives/rules/github/repository/dependabot.md
index 08b9ba9ba..1075bc73d 100644
--- a/docs/configuration/initiatives/rules/github/repository/dependabot.md
+++ b/docs/configuration/initiatives/rules/github/repository/dependabot.md
@@ -48,5 +48,17 @@ It performs the following steps:
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - platform=github
- asset_type=repository |
+| asset_platform | github |
+| asset_type | repo |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "repo" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
diff --git a/docs/configuration/initiatives/rules/github/repository/ephemeral-runners-only.md b/docs/configuration/initiatives/rules/github/repository/ephemeral-runners-only.md
index 3893a88d4..522165bec 100644
--- a/docs/configuration/initiatives/rules/github/repository/ephemeral-runners-only.md
+++ b/docs/configuration/initiatives/rules/github/repository/ephemeral-runners-only.md
@@ -48,5 +48,17 @@ It performs the following steps:
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - platform=github
- asset_type=repository |
+| asset_platform | github |
+| asset_type | repo |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "repo" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
diff --git a/docs/configuration/initiatives/rules/github/repository/evidence-exists.md b/docs/configuration/initiatives/rules/github/repository/evidence-exists.md
new file mode 100644
index 000000000..7ef28bd7d
--- /dev/null
+++ b/docs/configuration/initiatives/rules/github/repository/evidence-exists.md
@@ -0,0 +1,53 @@
+---
+sidebar_label: Require GitHub Repository Discovery Evidence
+title: Require GitHub Repository Discovery Evidence
+---
+# Require GitHub Repository Discovery Evidence
+**Type:** Rule
+**ID:** `github-repo-exists`
+**Source:** [v2/rules/github/repository/evidence-exists.yaml](https://github.com/scribe-public/sample-policies/blob/main/v2/rules/github/repository/evidence-exists.yaml)
+**Rego Source:** [evidence-exists.rego](https://github.com/scribe-public/sample-policies/blob/main/v2/rules/github/repository/evidence-exists.rego)
+**Labels:** GitHub, Repository
+
+Verify the GitHub Repository exists as evidence.
+
+:::note
+This rule requires Github Repository Discovery Evidence. See [here](/docs/platforms/discover#github-discovery) for more details.
+:::
+:::tip
+> Evidence **IS** required for this rule and will fail if missing.
+:::
+:::tip
+Signed Evidence for this rule **IS NOT** required by default but is recommended.
+:::
+:::warning
+Rule requires evaluation with a target. Without one, it will be **disabled** unless the `--all-evidence` flag is provided.
+:::
+
+## Usage example
+
+```yaml
+uses: github/repository/evidence-exists@v2
+```
+
+## Evidence Requirements
+| Field | Value |
+|-------|-------|
+| signed | False |
+| content_body_type | generic |
+| target_type | data |
+| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
+| asset_platform | github |
+| asset_type | repo |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "repo" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
+
diff --git a/docs/configuration/initiatives/rules/github/repository/no-cache-usage.md b/docs/configuration/initiatives/rules/github/repository/no-cache-usage.md
index 8f2e89285..1ad92ea1d 100644
--- a/docs/configuration/initiatives/rules/github/repository/no-cache-usage.md
+++ b/docs/configuration/initiatives/rules/github/repository/no-cache-usage.md
@@ -48,5 +48,17 @@ It performs the following steps:
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - platform=github
- asset_type=repository |
+| asset_platform | github |
+| asset_type | repo |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "repo" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
diff --git a/docs/configuration/initiatives/rules/github/repository/no-org-secrets.md b/docs/configuration/initiatives/rules/github/repository/no-org-secrets.md
index be2c1a241..493694831 100644
--- a/docs/configuration/initiatives/rules/github/repository/no-org-secrets.md
+++ b/docs/configuration/initiatives/rules/github/repository/no-org-secrets.md
@@ -48,5 +48,17 @@ It performs the following steps:
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - platform=github
- asset_type=repository |
+| asset_platform | github |
+| asset_type | repo |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "repo" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
diff --git a/docs/configuration/initiatives/rules/github/repository/old-secrets.md b/docs/configuration/initiatives/rules/github/repository/old-secrets.md
index fd5293186..1337e07ad 100644
--- a/docs/configuration/initiatives/rules/github/repository/old-secrets.md
+++ b/docs/configuration/initiatives/rules/github/repository/old-secrets.md
@@ -48,7 +48,19 @@ It performs the following steps:
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - platform=github
- asset_type=repository |
+| asset_platform | github |
+| asset_type | repo |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "repo" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
## Rule Parameters (`with`)
| Parameter | Default |
diff --git a/docs/configuration/initiatives/rules/github/repository/push-protection.md b/docs/configuration/initiatives/rules/github/repository/push-protection.md
index 7bedd3d91..c1421015a 100644
--- a/docs/configuration/initiatives/rules/github/repository/push-protection.md
+++ b/docs/configuration/initiatives/rules/github/repository/push-protection.md
@@ -48,5 +48,17 @@ It performs the following steps:
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - platform=github
- asset_type=repository |
+| asset_platform | github |
+| asset_type | repo |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "repo" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
diff --git a/docs/configuration/initiatives/rules/github/repository/repo-private.md b/docs/configuration/initiatives/rules/github/repository/repo-private.md
index 3f093b80b..f18bdad1a 100644
--- a/docs/configuration/initiatives/rules/github/repository/repo-private.md
+++ b/docs/configuration/initiatives/rules/github/repository/repo-private.md
@@ -48,5 +48,17 @@ It performs the following steps:
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - platform=github
- asset_type=repository |
+| asset_platform | github |
+| asset_type | repo |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "repo" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
diff --git a/docs/configuration/initiatives/rules/github/repository/secret-scanning.md b/docs/configuration/initiatives/rules/github/repository/secret-scanning.md
index c36877398..de375e7af 100644
--- a/docs/configuration/initiatives/rules/github/repository/secret-scanning.md
+++ b/docs/configuration/initiatives/rules/github/repository/secret-scanning.md
@@ -48,5 +48,17 @@ It performs the following steps:
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - platform=github
- asset_type=repository |
+| asset_platform | github |
+| asset_type | repo |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "repo" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
diff --git a/docs/configuration/initiatives/rules/github/repository/signed-commits.md b/docs/configuration/initiatives/rules/github/repository/signed-commits.md
index 7d5d1e7a1..97eb14d10 100644
--- a/docs/configuration/initiatives/rules/github/repository/signed-commits.md
+++ b/docs/configuration/initiatives/rules/github/repository/signed-commits.md
@@ -48,5 +48,17 @@ It performs the following steps:
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - platform=github
- asset_type=repository |
+| asset_platform | github |
+| asset_type | repo |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "repo" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
diff --git a/docs/configuration/initiatives/rules/github/repository/validity-checks.md b/docs/configuration/initiatives/rules/github/repository/validity-checks.md
index 4b385d1f0..fbfb8e5de 100644
--- a/docs/configuration/initiatives/rules/github/repository/validity-checks.md
+++ b/docs/configuration/initiatives/rules/github/repository/validity-checks.md
@@ -48,5 +48,17 @@ It performs the following steps:
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - platform=github
- asset_type=repository |
+| asset_platform | github |
+| asset_type | repo |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "repo" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
diff --git a/docs/configuration/initiatives/rules/github/repository/visibility.md b/docs/configuration/initiatives/rules/github/repository/visibility.md
index 897e4c6fb..10758380e 100644
--- a/docs/configuration/initiatives/rules/github/repository/visibility.md
+++ b/docs/configuration/initiatives/rules/github/repository/visibility.md
@@ -52,7 +52,19 @@ It performs the following steps:
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - platform=github
- asset_type=repository |
+| asset_platform | github |
+| asset_type | repo |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "repo" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
## Input Definitions
| Parameter | Type | Required | Description |
diff --git a/docs/configuration/initiatives/rules/github/repository/web-commit-signoff.md b/docs/configuration/initiatives/rules/github/repository/web-commit-signoff.md
index 224fb90da..87af8cb30 100644
--- a/docs/configuration/initiatives/rules/github/repository/web-commit-signoff.md
+++ b/docs/configuration/initiatives/rules/github/repository/web-commit-signoff.md
@@ -48,5 +48,17 @@ It performs the following steps:
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - platform=github
- asset_type=repository |
+| asset_platform | github |
+| asset_type | repo |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "repo" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
diff --git a/docs/configuration/initiatives/rules/gitlab/org/allow-admins.md b/docs/configuration/initiatives/rules/gitlab/org/allow-admins.md
index 73c7c93f6..f4c8a340b 100644
--- a/docs/configuration/initiatives/rules/gitlab/org/allow-admins.md
+++ b/docs/configuration/initiatives/rules/gitlab/org/allow-admins.md
@@ -53,7 +53,19 @@ It performs the following steps:
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - platform=gitlab
- asset_type=organization |
+| asset_platform | gitlab |
+| asset_type | organization |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "organization" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
## Input Definitions
| Parameter | Type | Required | Description |
diff --git a/docs/configuration/initiatives/rules/gitlab/org/allow-token-scopes.md b/docs/configuration/initiatives/rules/gitlab/org/allow-token-scopes.md
index 3e2bdf5c5..edcc4c73c 100644
--- a/docs/configuration/initiatives/rules/gitlab/org/allow-token-scopes.md
+++ b/docs/configuration/initiatives/rules/gitlab/org/allow-token-scopes.md
@@ -50,7 +50,19 @@ It performs the following steps:
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - platform=gitlab
- asset_type=organization |
+| asset_platform | gitlab |
+| asset_type | organization |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "organization" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
## Input Definitions
| Parameter | Type | Required | Description |
diff --git a/docs/configuration/initiatives/rules/gitlab/org/allow-users.md b/docs/configuration/initiatives/rules/gitlab/org/allow-users.md
index cdc185c53..2e496a650 100644
--- a/docs/configuration/initiatives/rules/gitlab/org/allow-users.md
+++ b/docs/configuration/initiatives/rules/gitlab/org/allow-users.md
@@ -53,7 +53,19 @@ It performs the following steps:
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - platform=gitlab
- asset_type=organization |
+| asset_platform | gitlab |
+| asset_type | organization |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "organization" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
## Input Definitions
| Parameter | Type | Required | Description |
diff --git a/docs/configuration/initiatives/rules/gitlab/org/blocked-users.md b/docs/configuration/initiatives/rules/gitlab/org/blocked-users.md
index 0486fbdf8..7e57cc902 100644
--- a/docs/configuration/initiatives/rules/gitlab/org/blocked-users.md
+++ b/docs/configuration/initiatives/rules/gitlab/org/blocked-users.md
@@ -53,7 +53,19 @@ It performs the following steps:
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - platform=gitlab
- asset_type=organization |
+| asset_platform | gitlab |
+| asset_type | organization |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "organization" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
## Input Definitions
| Parameter | Type | Required | Description |
diff --git a/docs/configuration/initiatives/rules/gitlab/org/expiring-tokens.md b/docs/configuration/initiatives/rules/gitlab/org/expiring-tokens.md
index 824fc4a93..fbe766e9f 100644
--- a/docs/configuration/initiatives/rules/gitlab/org/expiring-tokens.md
+++ b/docs/configuration/initiatives/rules/gitlab/org/expiring-tokens.md
@@ -50,7 +50,19 @@ It performs the following steps:
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - platform=gitlab
- asset_type=organization |
+| asset_platform | gitlab |
+| asset_type | organization |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "organization" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
## Input Definitions
| Parameter | Type | Required | Description |
diff --git a/docs/configuration/initiatives/rules/gitlab/org/forbid-token-scopes.md b/docs/configuration/initiatives/rules/gitlab/org/forbid-token-scopes.md
index 4c5950612..33a351d90 100644
--- a/docs/configuration/initiatives/rules/gitlab/org/forbid-token-scopes.md
+++ b/docs/configuration/initiatives/rules/gitlab/org/forbid-token-scopes.md
@@ -52,7 +52,19 @@ It performs the following steps:
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - platform=gitlab
- asset_type=organization |
+| asset_platform | gitlab |
+| asset_type | organization |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "organization" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
## Input Definitions
| Parameter | Type | Required | Description |
diff --git a/docs/configuration/initiatives/rules/gitlab/org/inactive-projects.md b/docs/configuration/initiatives/rules/gitlab/org/inactive-projects.md
index 74e4dbbf7..6740ce944 100644
--- a/docs/configuration/initiatives/rules/gitlab/org/inactive-projects.md
+++ b/docs/configuration/initiatives/rules/gitlab/org/inactive-projects.md
@@ -50,7 +50,19 @@ It performs the following steps:
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - platform=gitlab
- asset_type=organization |
+| asset_platform | gitlab |
+| asset_type | organization |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "organization" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
## Input Definitions
| Parameter | Type | Required | Description |
diff --git a/docs/configuration/initiatives/rules/gitlab/org/longlive-tokens.md b/docs/configuration/initiatives/rules/gitlab/org/longlive-tokens.md
index 922de7791..b8716586d 100644
--- a/docs/configuration/initiatives/rules/gitlab/org/longlive-tokens.md
+++ b/docs/configuration/initiatives/rules/gitlab/org/longlive-tokens.md
@@ -50,7 +50,19 @@ It performs the following steps:
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - platform=gitlab
- asset_type=organization |
+| asset_platform | gitlab |
+| asset_type | organization |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "organization" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
## Input Definitions
| Parameter | Type | Required | Description |
diff --git a/docs/configuration/initiatives/rules/gitlab/org/max-admins.md b/docs/configuration/initiatives/rules/gitlab/org/max-admins.md
index 7ab171500..fb28f1912 100644
--- a/docs/configuration/initiatives/rules/gitlab/org/max-admins.md
+++ b/docs/configuration/initiatives/rules/gitlab/org/max-admins.md
@@ -50,7 +50,19 @@ It performs the following steps:
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - platform=gitlab
- asset_type=organization |
+| asset_platform | gitlab |
+| asset_type | organization |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "organization" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
## Input Definitions
| Parameter | Type | Required | Description |
diff --git a/docs/configuration/initiatives/rules/gitlab/org/projects-visibility.md b/docs/configuration/initiatives/rules/gitlab/org/projects-visibility.md
index 303c97227..7ff76ba3c 100644
--- a/docs/configuration/initiatives/rules/gitlab/org/projects-visibility.md
+++ b/docs/configuration/initiatives/rules/gitlab/org/projects-visibility.md
@@ -48,7 +48,19 @@ It performs the following steps:
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - platform=gitlab
- asset_type=organization |
+| asset_platform | gitlab |
+| asset_type | organization |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "organization" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
## Input Definitions
| Parameter | Type | Required | Description |
diff --git a/docs/configuration/initiatives/rules/gitlab/org/unused-tokens.md b/docs/configuration/initiatives/rules/gitlab/org/unused-tokens.md
index 619affeb1..8a2aec6ef 100644
--- a/docs/configuration/initiatives/rules/gitlab/org/unused-tokens.md
+++ b/docs/configuration/initiatives/rules/gitlab/org/unused-tokens.md
@@ -50,7 +50,19 @@ It performs the following steps:
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - platform=gitlab
- asset_type=organization |
+| asset_platform | gitlab |
+| asset_type | organization |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "organization" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
## Input Definitions
| Parameter | Type | Required | Description |
diff --git a/docs/configuration/initiatives/rules/gitlab/pipeline/_category_.json b/docs/configuration/initiatives/rules/gitlab/pipeline/_category_.json
deleted file mode 100644
index a57065cbf..000000000
--- a/docs/configuration/initiatives/rules/gitlab/pipeline/_category_.json
+++ /dev/null
@@ -1,4 +0,0 @@
-{
- "label": "Pipeline",
- "position": 1
-}
\ No newline at end of file
diff --git a/docs/configuration/initiatives/rules/gitlab/pipeline/verify-labels-exist.md b/docs/configuration/initiatives/rules/gitlab/pipeline/verify-labels-exist.md
deleted file mode 100644
index 9c019a28e..000000000
--- a/docs/configuration/initiatives/rules/gitlab/pipeline/verify-labels-exist.md
+++ /dev/null
@@ -1,60 +0,0 @@
----
-sidebar_label: GitLab pipeline verify labels exist
-title: GitLab pipeline verify labels exist
----
-# GitLab pipeline verify labels exist
-**Type:** Rule
-**ID:** `gitlab-pipeline-verify-labels-exist`
-**Source:** [v2/rules/gitlab/pipeline/verify-labels-exist.yaml](https://github.com/scribe-public/sample-policies/blob/main/v2/rules/gitlab/pipeline/verify-labels-exist.yaml)
-**Rego Source:** [verify-labels-exist.rego](https://github.com/scribe-public/sample-policies/blob/main/v2/rules/gitlab/pipeline/verify-labels-exist.rego)
-**Labels:** Gitlab, Pipeline
-
-Verify the pipeline has all required label keys and values.
-
-:::note
-This rule requires Discovery Evidence. See [here](/docs/platforms/discover) for more details.
-:::
-:::tip
-Signed Evidence for this rule **IS NOT** required by default but is recommended.
-:::
-:::warning
-Rule requires evaluation with a target. Without one, it will be **disabled** unless the `--all-evidence` flag is provided.
-:::
-
-## Usage example
-
-```yaml
-uses: gitlab/pipeline/verify-labels-exist@v2
-with:
- labels:
- - "app.kubernetes.io/instance"
-```
-
-## Mitigation
-Ensure that all required labels exist in the pipeline to reduce the risk of misconfiguration.
-
-
-## Description
-This rule ensures that the pipeline has all required label keys and values.
-It performs the following steps:
-
-1. Checks the settings of the GitLab pipeline.
-2. Verifies that all required labels exist in the pipeline.
-
-**Evidence Requirements:**
-- Evidence must be provided by the Scribe Platform's CLI tool through scanning GitLab pipeline resources.
-
-## Evidence Requirements
-| Field | Value |
-|-------|-------|
-| signed | False |
-| content_body_type | generic |
-| target_type | data |
-| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - asset_type=pipeline |
-
-## Input Definitions
-| Parameter | Type | Required | Description |
-|-----------|------|----------|-------------|
-| labels | array | True | List of labels to verify exist in the pipeline. |
-
diff --git a/docs/configuration/initiatives/rules/gitlab/pipeline/verify-labels.md b/docs/configuration/initiatives/rules/gitlab/pipeline/verify-labels.md
deleted file mode 100644
index cc46d1ca1..000000000
--- a/docs/configuration/initiatives/rules/gitlab/pipeline/verify-labels.md
+++ /dev/null
@@ -1,61 +0,0 @@
----
-sidebar_label: Verify GitLab Pipeline Labels
-title: Verify GitLab Pipeline Labels
----
-# Verify GitLab Pipeline Labels
-**Type:** Rule
-**ID:** `gitlab-pipeline-verify-labels`
-**Source:** [v2/rules/gitlab/pipeline/verify-labels.yaml](https://github.com/scribe-public/sample-policies/blob/main/v2/rules/gitlab/pipeline/verify-labels.yaml)
-**Rego Source:** [verify-labels.rego](https://github.com/scribe-public/sample-policies/blob/main/v2/rules/gitlab/pipeline/verify-labels.rego)
-**Labels:** Gitlab, Pipeline
-
-Verify the pipeline includes all required label keys and values.
-
-:::note
-This rule requires Discovery Evidence. See [here](/docs/platforms/discover) for more details.
-:::
-:::tip
-Signed Evidence for this rule **IS NOT** required by default but is recommended.
-:::
-:::warning
-Rule requires evaluation with a target. Without one, it will be **disabled** unless the `--all-evidence` flag is provided.
-:::
-
-## Usage example
-
-```yaml
-uses: gitlab/pipeline/verify-labels@v2
-with:
- labels:
- app.kubernetes.io/instance: "defaul1t"
-```
-
-## Mitigation
-Ensure that all required labels exist in the pipeline to reduce the risk of misconfiguration.
-
-
-## Description
-This rule ensures that the pipeline includes all required label keys and values.
-It performs the following steps:
-
-1. Checks the settings of the GitLab pipeline.
-2. Verifies that all required labels exist in the pipeline.
-2.1 Verify that all the label values match the expected values.
-
-**Evidence Requirements:**
-- Evidence must be provided by the Scribe Platform's CLI tool through scanning GitLab pipeline resources.
-
-## Evidence Requirements
-| Field | Value |
-|-------|-------|
-| signed | False |
-| content_body_type | generic |
-| target_type | data |
-| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - asset_type=pipeline |
-
-## Input Definitions
-| Parameter | Type | Required | Description |
-|-----------|------|----------|-------------|
-| labels | object | True | List of labels to verify exist in the pipeline. |
-
diff --git a/docs/configuration/initiatives/rules/gitlab/project/abandoned-project.md b/docs/configuration/initiatives/rules/gitlab/project/abandoned-project.md
index 8d523c739..1c7441747 100644
--- a/docs/configuration/initiatives/rules/gitlab/project/abandoned-project.md
+++ b/docs/configuration/initiatives/rules/gitlab/project/abandoned-project.md
@@ -50,7 +50,19 @@ It performs the following steps:
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - platform=gitlab
- asset_type=project |
+| asset_platform | gitlab |
+| asset_type | repo |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "project" "repo" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
## Input Definitions
| Parameter | Type | Required | Description |
diff --git a/docs/configuration/initiatives/rules/gitlab/project/approvals-policy-check.md b/docs/configuration/initiatives/rules/gitlab/project/approvals-policy-check.md
index 43e902f13..f04bfedd4 100644
--- a/docs/configuration/initiatives/rules/gitlab/project/approvals-policy-check.md
+++ b/docs/configuration/initiatives/rules/gitlab/project/approvals-policy-check.md
@@ -52,7 +52,19 @@ It performs the following steps:
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - platform=gitlab
- asset_type=project |
+| asset_platform | gitlab |
+| asset_type | repo |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "project" "repo" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
## Input Definitions
| Parameter | Type | Required | Description |
diff --git a/docs/configuration/initiatives/rules/gitlab/project/approvers-per-merge-request.md b/docs/configuration/initiatives/rules/gitlab/project/approvers-per-merge-request.md
index 1e54c8d91..0269752c2 100644
--- a/docs/configuration/initiatives/rules/gitlab/project/approvers-per-merge-request.md
+++ b/docs/configuration/initiatives/rules/gitlab/project/approvers-per-merge-request.md
@@ -50,7 +50,19 @@ It performs the following steps:
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - platform=gitlab
- asset_type=project |
+| asset_platform | gitlab |
+| asset_type | repo |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "project" "repo" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
## Input Definitions
| Parameter | Type | Required | Description |
diff --git a/docs/configuration/initiatives/rules/gitlab/project/author-email-regex.md b/docs/configuration/initiatives/rules/gitlab/project/author-email-regex.md
index cfb8cda12..dd23455a1 100644
--- a/docs/configuration/initiatives/rules/gitlab/project/author-email-regex.md
+++ b/docs/configuration/initiatives/rules/gitlab/project/author-email-regex.md
@@ -50,7 +50,19 @@ It performs the following steps:
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - platform=gitlab
- asset_type=project |
+| asset_platform | gitlab |
+| asset_type | repo |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "project" "repo" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
## Input Definitions
| Parameter | Type | Required | Description |
diff --git a/docs/configuration/initiatives/rules/gitlab/project/check-cwe.md b/docs/configuration/initiatives/rules/gitlab/project/check-cwe.md
index a125c366a..c3507ab4b 100644
--- a/docs/configuration/initiatives/rules/gitlab/project/check-cwe.md
+++ b/docs/configuration/initiatives/rules/gitlab/project/check-cwe.md
@@ -50,7 +50,19 @@ It performs the following steps:
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - platform=gitlab
- asset_type=project |
+| asset_platform | gitlab |
+| asset_type | repo |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "project" "repo" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
## Input Definitions
| Parameter | Type | Required | Description |
diff --git a/docs/configuration/initiatives/rules/gitlab/project/check-signed-commits.md b/docs/configuration/initiatives/rules/gitlab/project/check-signed-commits.md
index a80374c33..f4b2e2e68 100644
--- a/docs/configuration/initiatives/rules/gitlab/project/check-signed-commits.md
+++ b/docs/configuration/initiatives/rules/gitlab/project/check-signed-commits.md
@@ -48,5 +48,17 @@ It performs the following steps:
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - platform=gitlab
- asset_type=project |
+| asset_platform | gitlab |
+| asset_type | repo |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "project" "repo" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
diff --git a/docs/configuration/initiatives/rules/gitlab/project/co-approval-required.md b/docs/configuration/initiatives/rules/gitlab/project/co-approval-required.md
index bf4a52c38..e9d1b3ff7 100644
--- a/docs/configuration/initiatives/rules/gitlab/project/co-approval-required.md
+++ b/docs/configuration/initiatives/rules/gitlab/project/co-approval-required.md
@@ -50,7 +50,19 @@ It performs the following steps:
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - platform=gitlab
- asset_type=project |
+| asset_platform | gitlab |
+| asset_type | repo |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "project" "repo" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
## Input Definitions
| Parameter | Type | Required | Description |
diff --git a/docs/configuration/initiatives/rules/gitlab/project/commit-author-email-check.md b/docs/configuration/initiatives/rules/gitlab/project/commit-author-email-check.md
index d77361ab8..4cf4ebcc7 100644
--- a/docs/configuration/initiatives/rules/gitlab/project/commit-author-email-check.md
+++ b/docs/configuration/initiatives/rules/gitlab/project/commit-author-email-check.md
@@ -52,7 +52,19 @@ It performs the following steps:
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - platform=gitlab
- asset_type=project |
+| asset_platform | gitlab |
+| asset_type | repo |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "project" "repo" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
## Input Definitions
| Parameter | Type | Required | Description |
diff --git a/docs/configuration/initiatives/rules/gitlab/project/commit-author-name-check.md b/docs/configuration/initiatives/rules/gitlab/project/commit-author-name-check.md
index 55e087650..7154f4dc9 100644
--- a/docs/configuration/initiatives/rules/gitlab/project/commit-author-name-check.md
+++ b/docs/configuration/initiatives/rules/gitlab/project/commit-author-name-check.md
@@ -51,7 +51,19 @@ It performs the following steps:
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - platform=gitlab
- asset_type=project |
+| asset_platform | gitlab |
+| asset_type | repo |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "project" "repo" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
## Input Definitions
| Parameter | Type | Required | Description |
diff --git a/docs/configuration/initiatives/rules/gitlab/project/commit-committer-check.md b/docs/configuration/initiatives/rules/gitlab/project/commit-committer-check.md
index a2fddaafd..125f21f61 100644
--- a/docs/configuration/initiatives/rules/gitlab/project/commit-committer-check.md
+++ b/docs/configuration/initiatives/rules/gitlab/project/commit-committer-check.md
@@ -48,5 +48,17 @@ It performs the following steps:
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - platform=gitlab
- asset_type=project |
+| asset_platform | gitlab |
+| asset_type | repo |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "project" "repo" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
diff --git a/docs/configuration/initiatives/rules/gitlab/project/commit-message-check.md b/docs/configuration/initiatives/rules/gitlab/project/commit-message-check.md
index 56cf33494..fd92fd8c2 100644
--- a/docs/configuration/initiatives/rules/gitlab/project/commit-message-check.md
+++ b/docs/configuration/initiatives/rules/gitlab/project/commit-message-check.md
@@ -50,7 +50,19 @@ It performs the following steps:
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - platform=gitlab
- asset_type=project |
+| asset_platform | gitlab |
+| asset_type | repo |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "project" "repo" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
## Input Definitions
| Parameter | Type | Required | Description |
diff --git a/docs/configuration/initiatives/rules/gitlab/project/commits-validated.md b/docs/configuration/initiatives/rules/gitlab/project/commits-validated.md
index 2786a114a..891b91819 100644
--- a/docs/configuration/initiatives/rules/gitlab/project/commits-validated.md
+++ b/docs/configuration/initiatives/rules/gitlab/project/commits-validated.md
@@ -48,5 +48,17 @@ It performs the following steps:
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - platform=gitlab
- asset_type=project |
+| asset_platform | gitlab |
+| asset_type | repo |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "project" "repo" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
diff --git a/docs/configuration/initiatives/rules/gitlab/project/committer-email-check.md b/docs/configuration/initiatives/rules/gitlab/project/committer-email-check.md
index 5f48fd56c..afad9430c 100644
--- a/docs/configuration/initiatives/rules/gitlab/project/committer-email-check.md
+++ b/docs/configuration/initiatives/rules/gitlab/project/committer-email-check.md
@@ -51,7 +51,19 @@ It performs the following steps:
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - platform=gitlab
- asset_type=project |
+| asset_platform | gitlab |
+| asset_type | repo |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "project" "repo" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
## Input Definitions
| Parameter | Type | Required | Description |
diff --git a/docs/configuration/initiatives/rules/gitlab/project/committer-name-check.md b/docs/configuration/initiatives/rules/gitlab/project/committer-name-check.md
index 8a9d8858e..bc137b18a 100644
--- a/docs/configuration/initiatives/rules/gitlab/project/committer-name-check.md
+++ b/docs/configuration/initiatives/rules/gitlab/project/committer-name-check.md
@@ -51,7 +51,19 @@ It performs the following steps:
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - platform=gitlab
- asset_type=project |
+| asset_platform | gitlab |
+| asset_type | repo |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "project" "repo" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
## Input Definitions
| Parameter | Type | Required | Description |
diff --git a/docs/configuration/initiatives/rules/gitlab/project/critical-severity-limit.md b/docs/configuration/initiatives/rules/gitlab/project/critical-severity-limit.md
index b1fe783df..d13edef26 100644
--- a/docs/configuration/initiatives/rules/gitlab/project/critical-severity-limit.md
+++ b/docs/configuration/initiatives/rules/gitlab/project/critical-severity-limit.md
@@ -50,7 +50,19 @@ It performs the following steps:
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - platform=gitlab
- asset_type=project |
+| asset_platform | gitlab |
+| asset_type | repo |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "project" "repo" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
## Input Definitions
| Parameter | Type | Required | Description |
diff --git a/docs/configuration/initiatives/rules/gitlab/project/description-substring-check.md b/docs/configuration/initiatives/rules/gitlab/project/description-substring-check.md
index c099ebfcb..171fff51b 100644
--- a/docs/configuration/initiatives/rules/gitlab/project/description-substring-check.md
+++ b/docs/configuration/initiatives/rules/gitlab/project/description-substring-check.md
@@ -50,7 +50,19 @@ It performs the following steps:
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - platform=gitlab
- asset_type=project |
+| asset_platform | gitlab |
+| asset_type | repo |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "project" "repo" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
## Input Definitions
| Parameter | Type | Required | Description |
diff --git a/docs/configuration/initiatives/rules/gitlab/project/disallowed-banned-approvers.md b/docs/configuration/initiatives/rules/gitlab/project/disallowed-banned-approvers.md
index 1dc623619..4e0d69848 100644
--- a/docs/configuration/initiatives/rules/gitlab/project/disallowed-banned-approvers.md
+++ b/docs/configuration/initiatives/rules/gitlab/project/disallowed-banned-approvers.md
@@ -52,7 +52,19 @@ It performs the following steps:
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - platform=gitlab
- asset_type=project |
+| asset_platform | gitlab |
+| asset_type | repo |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "project" "repo" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
## Input Definitions
| Parameter | Type | Required | Description |
diff --git a/docs/configuration/initiatives/rules/gitlab/project/force-push-protection.md b/docs/configuration/initiatives/rules/gitlab/project/force-push-protection.md
index a7563bf66..6a9138984 100644
--- a/docs/configuration/initiatives/rules/gitlab/project/force-push-protection.md
+++ b/docs/configuration/initiatives/rules/gitlab/project/force-push-protection.md
@@ -50,7 +50,19 @@ It performs the following steps:
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - platform=gitlab
- asset_type=project |
+| asset_platform | gitlab |
+| asset_type | repo |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "project" "repo" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
## Input Definitions
| Parameter | Type | Required | Description |
diff --git a/docs/configuration/initiatives/rules/gitlab/project/medium-severity-limit.md b/docs/configuration/initiatives/rules/gitlab/project/medium-severity-limit.md
index 97b566385..a44269fc9 100644
--- a/docs/configuration/initiatives/rules/gitlab/project/medium-severity-limit.md
+++ b/docs/configuration/initiatives/rules/gitlab/project/medium-severity-limit.md
@@ -50,7 +50,19 @@ It performs the following steps:
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - platform=gitlab
- asset_type=project |
+| asset_platform | gitlab |
+| asset_type | repo |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "project" "repo" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
## Input Definitions
| Parameter | Type | Required | Description |
diff --git a/docs/configuration/initiatives/rules/gitlab/project/member-check.md b/docs/configuration/initiatives/rules/gitlab/project/member-check.md
index d5e607ecc..ea95263c1 100644
--- a/docs/configuration/initiatives/rules/gitlab/project/member-check.md
+++ b/docs/configuration/initiatives/rules/gitlab/project/member-check.md
@@ -48,5 +48,17 @@ It performs the following steps:
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - platform=gitlab
- asset_type=project |
+| asset_platform | gitlab |
+| asset_type | repo |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "project" "repo" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
diff --git a/docs/configuration/initiatives/rules/gitlab/project/merge-access-level.md b/docs/configuration/initiatives/rules/gitlab/project/merge-access-level.md
index 699e195a9..618dbd9ea 100644
--- a/docs/configuration/initiatives/rules/gitlab/project/merge-access-level.md
+++ b/docs/configuration/initiatives/rules/gitlab/project/merge-access-level.md
@@ -52,7 +52,19 @@ It performs the following steps:
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - platform=gitlab
- asset_type=project |
+| asset_platform | gitlab |
+| asset_type | repo |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "project" "repo" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
## Input Definitions
| Parameter | Type | Required | Description |
diff --git a/docs/configuration/initiatives/rules/gitlab/project/merge-requests-author-approval.md b/docs/configuration/initiatives/rules/gitlab/project/merge-requests-author-approval.md
index 03f4f6a7d..6ebc685ba 100644
--- a/docs/configuration/initiatives/rules/gitlab/project/merge-requests-author-approval.md
+++ b/docs/configuration/initiatives/rules/gitlab/project/merge-requests-author-approval.md
@@ -50,7 +50,19 @@ It performs the following steps:
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - platform=gitlab
- asset_type=project |
+| asset_platform | gitlab |
+| asset_type | repo |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "project" "repo" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
## Input Definitions
| Parameter | Type | Required | Description |
diff --git a/docs/configuration/initiatives/rules/gitlab/project/merge-requests-disable-committers-approval.md b/docs/configuration/initiatives/rules/gitlab/project/merge-requests-disable-committers-approval.md
index 73012b220..80fdf5d31 100644
--- a/docs/configuration/initiatives/rules/gitlab/project/merge-requests-disable-committers-approval.md
+++ b/docs/configuration/initiatives/rules/gitlab/project/merge-requests-disable-committers-approval.md
@@ -50,7 +50,19 @@ It performs the following steps:
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - platform=gitlab
- asset_type=project |
+| asset_platform | gitlab |
+| asset_type | repo |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "project" "repo" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
## Input Definitions
| Parameter | Type | Required | Description |
diff --git a/docs/configuration/initiatives/rules/gitlab/project/message-substring-check.md b/docs/configuration/initiatives/rules/gitlab/project/message-substring-check.md
index 9bb75f6dd..891078453 100644
--- a/docs/configuration/initiatives/rules/gitlab/project/message-substring-check.md
+++ b/docs/configuration/initiatives/rules/gitlab/project/message-substring-check.md
@@ -50,7 +50,19 @@ It performs the following steps:
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - platform=gitlab
- asset_type=project |
+| asset_platform | gitlab |
+| asset_type | repo |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "project" "repo" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
## Input Definitions
| Parameter | Type | Required | Description |
diff --git a/docs/configuration/initiatives/rules/gitlab/project/prevent-secrets-check.md b/docs/configuration/initiatives/rules/gitlab/project/prevent-secrets-check.md
index 8aa4d7b58..ebdaeb6c4 100644
--- a/docs/configuration/initiatives/rules/gitlab/project/prevent-secrets-check.md
+++ b/docs/configuration/initiatives/rules/gitlab/project/prevent-secrets-check.md
@@ -48,5 +48,17 @@ It performs the following steps:
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - platform=gitlab
- asset_type=project |
+| asset_platform | gitlab |
+| asset_type | repo |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "project" "repo" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
diff --git a/docs/configuration/initiatives/rules/gitlab/project/protect-ci-secrets.md b/docs/configuration/initiatives/rules/gitlab/project/protect-ci-secrets.md
index d34548bc4..a340d3847 100644
--- a/docs/configuration/initiatives/rules/gitlab/project/protect-ci-secrets.md
+++ b/docs/configuration/initiatives/rules/gitlab/project/protect-ci-secrets.md
@@ -50,7 +50,19 @@ It performs the following steps:
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - platform=gitlab
- asset_type=project |
+| asset_platform | gitlab |
+| asset_type | repo |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "project" "repo" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
## Input Definitions
| Parameter | Type | Required | Description |
diff --git a/docs/configuration/initiatives/rules/gitlab/project/push-access-level.md b/docs/configuration/initiatives/rules/gitlab/project/push-access-level.md
index 8c0ef7478..18e800736 100644
--- a/docs/configuration/initiatives/rules/gitlab/project/push-access-level.md
+++ b/docs/configuration/initiatives/rules/gitlab/project/push-access-level.md
@@ -52,7 +52,19 @@ It performs the following steps:
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - platform=gitlab
- asset_type=project |
+| asset_platform | gitlab |
+| asset_type | repo |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "project" "repo" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
## Input Definitions
| Parameter | Type | Required | Description |
diff --git a/docs/configuration/initiatives/rules/gitlab/project/push-rules-set.md b/docs/configuration/initiatives/rules/gitlab/project/push-rules-set.md
index 77d37f3fc..0e3353d67 100644
--- a/docs/configuration/initiatives/rules/gitlab/project/push-rules-set.md
+++ b/docs/configuration/initiatives/rules/gitlab/project/push-rules-set.md
@@ -48,5 +48,17 @@ It performs the following steps:
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - platform=gitlab
- asset_type=project |
+| asset_platform | gitlab |
+| asset_type | repo |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "project" "repo" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
diff --git a/docs/configuration/initiatives/rules/gitlab/project/reject-unsigned-commits.md b/docs/configuration/initiatives/rules/gitlab/project/reject-unsigned-commits.md
index d966af231..9db5035cc 100644
--- a/docs/configuration/initiatives/rules/gitlab/project/reject-unsigned-commits.md
+++ b/docs/configuration/initiatives/rules/gitlab/project/reject-unsigned-commits.md
@@ -48,5 +48,17 @@ It performs the following steps:
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - platform=gitlab
- asset_type=project |
+| asset_platform | gitlab |
+| asset_type | repo |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "project" "repo" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
diff --git a/docs/configuration/initiatives/rules/gitlab/project/require-password-to-approve.md b/docs/configuration/initiatives/rules/gitlab/project/require-password-to-approve.md
index 74629475a..7cb56dbcc 100644
--- a/docs/configuration/initiatives/rules/gitlab/project/require-password-to-approve.md
+++ b/docs/configuration/initiatives/rules/gitlab/project/require-password-to-approve.md
@@ -50,7 +50,19 @@ It performs the following steps:
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - platform=gitlab
- asset_type=project |
+| asset_platform | gitlab |
+| asset_type | repo |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "project" "repo" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
## Input Definitions
| Parameter | Type | Required | Description |
diff --git a/docs/configuration/initiatives/rules/gitlab/project/required-minimal-approvers.md b/docs/configuration/initiatives/rules/gitlab/project/required-minimal-approvers.md
index a1d23a6e1..c163f145d 100644
--- a/docs/configuration/initiatives/rules/gitlab/project/required-minimal-approvers.md
+++ b/docs/configuration/initiatives/rules/gitlab/project/required-minimal-approvers.md
@@ -48,5 +48,17 @@ It performs the following steps:
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - platform=gitlab
- asset_type=project |
+| asset_platform | gitlab |
+| asset_type | repo |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "project" "repo" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
diff --git a/docs/configuration/initiatives/rules/gitlab/project/reset-pprovals-on-push.md b/docs/configuration/initiatives/rules/gitlab/project/reset-pprovals-on-push.md
index f598ceaac..947751fcc 100644
--- a/docs/configuration/initiatives/rules/gitlab/project/reset-pprovals-on-push.md
+++ b/docs/configuration/initiatives/rules/gitlab/project/reset-pprovals-on-push.md
@@ -50,7 +50,19 @@ It performs the following steps:
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - platform=gitlab
- asset_type=project |
+| asset_platform | gitlab |
+| asset_type | repo |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "project" "repo" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
## Input Definitions
| Parameter | Type | Required | Description |
diff --git a/docs/configuration/initiatives/rules/gitlab/project/sast-scan-pass.md b/docs/configuration/initiatives/rules/gitlab/project/sast-scan-pass.md
index ee0b45035..bd3ac19f8 100644
--- a/docs/configuration/initiatives/rules/gitlab/project/sast-scan-pass.md
+++ b/docs/configuration/initiatives/rules/gitlab/project/sast-scan-pass.md
@@ -48,5 +48,17 @@ It performs the following steps:
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - platform=gitlab
- asset_type=project |
+| asset_platform | gitlab |
+| asset_type | repo |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "project" "repo" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
diff --git a/docs/configuration/initiatives/rules/gitlab/project/sast-scanning.md b/docs/configuration/initiatives/rules/gitlab/project/sast-scanning.md
index f2dd6cb95..5a5ea427f 100644
--- a/docs/configuration/initiatives/rules/gitlab/project/sast-scanning.md
+++ b/docs/configuration/initiatives/rules/gitlab/project/sast-scanning.md
@@ -48,5 +48,17 @@ It performs the following steps:
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - platform=gitlab
- asset_type=project |
+| asset_platform | gitlab |
+| asset_type | repo |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "project" "repo" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
diff --git a/docs/configuration/initiatives/rules/gitlab/project/secrets-scan-pass.md b/docs/configuration/initiatives/rules/gitlab/project/secrets-scan-pass.md
index f1259f531..a42d791ca 100644
--- a/docs/configuration/initiatives/rules/gitlab/project/secrets-scan-pass.md
+++ b/docs/configuration/initiatives/rules/gitlab/project/secrets-scan-pass.md
@@ -48,5 +48,17 @@ It performs the following steps:
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - platform=gitlab
- asset_type=project |
+| asset_platform | gitlab |
+| asset_type | repo |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "project" "repo" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
diff --git a/docs/configuration/initiatives/rules/gitlab/project/secrets-scanning.md b/docs/configuration/initiatives/rules/gitlab/project/secrets-scanning.md
index d928ba814..4ca5510f2 100644
--- a/docs/configuration/initiatives/rules/gitlab/project/secrets-scanning.md
+++ b/docs/configuration/initiatives/rules/gitlab/project/secrets-scanning.md
@@ -48,5 +48,17 @@ It performs the following steps:
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - platform=gitlab
- asset_type=project |
+| asset_platform | gitlab |
+| asset_type | repo |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "project" "repo" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
diff --git a/docs/configuration/initiatives/rules/gitlab/project/selective-code-owner-removals.md b/docs/configuration/initiatives/rules/gitlab/project/selective-code-owner-removals.md
index b6394dc4e..558338740 100644
--- a/docs/configuration/initiatives/rules/gitlab/project/selective-code-owner-removals.md
+++ b/docs/configuration/initiatives/rules/gitlab/project/selective-code-owner-removals.md
@@ -50,7 +50,19 @@ It performs the following steps:
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - platform=gitlab
- asset_type=project |
+| asset_platform | gitlab |
+| asset_type | repo |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "project" "repo" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
## Input Definitions
| Parameter | Type | Required | Description |
diff --git a/docs/configuration/initiatives/rules/gitlab/project/visibility-check.md b/docs/configuration/initiatives/rules/gitlab/project/visibility-check.md
index 713c49fe2..4024768f5 100644
--- a/docs/configuration/initiatives/rules/gitlab/project/visibility-check.md
+++ b/docs/configuration/initiatives/rules/gitlab/project/visibility-check.md
@@ -50,7 +50,19 @@ It performs the following steps:
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - platform=gitlab
- asset_type=project |
+| asset_platform | gitlab |
+| asset_type | repo |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "project" "repo" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
## Input Definitions
| Parameter | Type | Required | Description |
diff --git a/docs/configuration/initiatives/rules/images/allowed-base-image.md b/docs/configuration/initiatives/rules/images/allowed-base-image.md
index 2c4b9596b..141df3d36 100644
--- a/docs/configuration/initiatives/rules/images/allowed-base-image.md
+++ b/docs/configuration/initiatives/rules/images/allowed-base-image.md
@@ -30,8 +30,8 @@ Rule is scoped by target and product.
uses: images/allowed-base-image@v2
with:
approved_sources:
- - "docker.io/library/*"
- - "docker.io/my_org/*"
+ - "docker.io/.*"
+ - "docker.io/my_org/.*"
```
## Mitigation
@@ -62,6 +62,5 @@ is found, a violation is recorded indicating that the necessary base image infor
## Input Definitions
| Parameter | Type | Required | Description |
|-----------|------|----------|-------------|
-| approved_sources | array | False | A list of approved base image pattern. |
-| fail_on_no_base_image | boolean | False | Whether to fail the rule if no base image is found. |
+| approved_sources | array | False | A list of approved base image registry URL prefixes. |
diff --git a/docs/configuration/initiatives/rules/images/allowed-npm-registries.md b/docs/configuration/initiatives/rules/images/allowed-npm-registries.md
new file mode 100644
index 000000000..f8f37638f
--- /dev/null
+++ b/docs/configuration/initiatives/rules/images/allowed-npm-registries.md
@@ -0,0 +1,67 @@
+---
+sidebar_label: Verify NPM Packages Origin
+title: Verify NPM Packages Origin
+---
+# Verify NPM Packages Origin
+**Type:** Rule
+**ID:** `sbom-allowed-npm-registries`
+**Source:** [v2/rules/images/allowed-npm-registries.yaml](https://github.com/scribe-public/sample-policies/blob/main/v2/rules/images/allowed-npm-registries.yaml)
+**Rego Source:** [allowed-npm-registries.rego](https://github.com/scribe-public/sample-policies/blob/main/v2/rules/images/allowed-npm-registries.rego)
+**Labels:** SBOM, Image
+
+Verify that the artifact contains only components from allowed NPM registries.
+
+:::note
+This rule requires Image SBOM. See [here](/docs/valint/sbom) for more details.
+:::
+:::note
+Components type reference: https://cyclonedx.org/docs/1.6/json/#components_items_type
+:::
+:::tip
+Signed Evidence for this rule **IS NOT** required by default but is recommended.
+:::
+:::warning
+Rule requires evaluation with a target. Without one, it will be **disabled** unless the `--all-evidence` flag is provided.
+:::
+:::info
+Rule is scoped by product and target.
+:::
+
+## Usage example
+
+```yaml
+uses: images/allowed-npm-registries@v2
+with:
+ types:
+ - library
+ - operating-system
+```
+
+## Mitigation
+Ensures that only NPM components from approved registries are included in the SBOM, reducing the risk of introducing vulnerabilities or unapproved dependencies into the software supply chain.
+
+
+## Description
+This rule inspects the CycloneDX SBOM evidence for the artifact to verify that it contains only components from allowed registries.
+It performs the following steps:
+
+1. Iterates over NPM components listed in the SBOM.
+2. For remotely installed components, checks the `registryUrl` property to ensure it matches one of the allowed NPM registries specified in the `with.allowed_registries` configuration.
+
+**Evidence Requirements:**
+- Evidence must be provided in the CycloneDX JSON format.
+- The SBOM must include a list of components with their types and names.
+
+## Evidence Requirements
+| Field | Value |
+|-------|-------|
+| filter-by | ['product', 'target'] |
+| signed | False |
+| content_body_type | cyclonedx-json |
+| target_type | container |
+
+## Input Definitions
+| Parameter | Type | Required | Description |
+|-----------|------|----------|-------------|
+| allowed_registries | array | False | A list of allowed NPM registries. |
+
diff --git a/docs/configuration/initiatives/rules/jenkins/folder/evidence-exists.md b/docs/configuration/initiatives/rules/jenkins/folder/evidence-exists.md
new file mode 100644
index 000000000..21ee07092
--- /dev/null
+++ b/docs/configuration/initiatives/rules/jenkins/folder/evidence-exists.md
@@ -0,0 +1,53 @@
+---
+sidebar_label: Require Jenkins Folder Discovery Evidence
+title: Require Jenkins Folder Discovery Evidence
+---
+# Require Jenkins Folder Discovery Evidence
+**Type:** Rule
+**ID:** `jenkins-folder-exists`
+**Source:** [v2/rules/jenkins/folder/evidence-exists.yaml](https://github.com/scribe-public/sample-policies/blob/main/v2/rules/jenkins/folder/evidence-exists.yaml)
+**Rego Source:** [evidence-exists.rego](https://github.com/scribe-public/sample-policies/blob/main/v2/rules/jenkins/folder/evidence-exists.rego)
+**Labels:** Jenkins, Folder
+
+Verify the Jenkins Folder exists as evidence.
+
+:::note
+This rule requires Jenkins Folder Discovery Evidence. See [here](/docs/platforms/discover#jenkins-discovery) for more details.
+:::
+:::tip
+> Evidence **IS** required for this rule and will fail if missing.
+:::
+:::tip
+Signed Evidence for this rule **IS NOT** required by default but is recommended.
+:::
+:::warning
+Rule requires evaluation with a target. Without one, it will be **disabled** unless the `--all-evidence` flag is provided.
+:::
+
+## Usage example
+
+```yaml
+uses: jenkins/folder/evidence-exists@v2
+```
+
+## Evidence Requirements
+| Field | Value |
+|-------|-------|
+| signed | False |
+| content_body_type | generic |
+| target_type | data |
+| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
+| asset_platform | jenkins |
+| asset_type | folder |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "folder" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
+
diff --git a/docs/configuration/initiatives/rules/jenkins/folder/exposed-credentials.md b/docs/configuration/initiatives/rules/jenkins/folder/exposed-credentials.md
index 851ca8a62..6c6a8771a 100644
--- a/docs/configuration/initiatives/rules/jenkins/folder/exposed-credentials.md
+++ b/docs/configuration/initiatives/rules/jenkins/folder/exposed-credentials.md
@@ -12,7 +12,7 @@ title: Verify Exposed Credentials
Verify there are no exposed credentials.
:::note
-This rule requires Discovery Evidence. See [here](/docs/platforms/discover) for more details.
+This rule requires Jenkins Folder Discovery Evidence. See [here](/docs/platforms/discover#jenkins-discovery) for more details.
:::
:::tip
Signed Evidence for this rule **IS NOT** required by default but is recommended.
@@ -48,5 +48,17 @@ It performs the following steps:
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - asset_type=folder |
+| asset_platform | jenkins |
+| asset_type | folder |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "folder" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
diff --git a/docs/configuration/initiatives/rules/jenkins/instance/evidence-exists.md b/docs/configuration/initiatives/rules/jenkins/instance/evidence-exists.md
new file mode 100644
index 000000000..5b757d3ec
--- /dev/null
+++ b/docs/configuration/initiatives/rules/jenkins/instance/evidence-exists.md
@@ -0,0 +1,53 @@
+---
+sidebar_label: Require Jenkins Instance Discovery Evidence
+title: Require Jenkins Instance Discovery Evidence
+---
+# Require Jenkins Instance Discovery Evidence
+**Type:** Rule
+**ID:** `jenkins-instance-exists`
+**Source:** [v2/rules/jenkins/instance/evidence-exists.yaml](https://github.com/scribe-public/sample-policies/blob/main/v2/rules/jenkins/instance/evidence-exists.yaml)
+**Rego Source:** [evidence-exists.rego](https://github.com/scribe-public/sample-policies/blob/main/v2/rules/jenkins/instance/evidence-exists.rego)
+**Labels:** Jenkins, Instance
+
+Verify the Jenkins Instance exists as evidence.
+
+:::note
+This rule requires Jenkins Instance Discovery Evidence. See [here](/docs/platforms/discover#jenkins-discovery) for more details.
+:::
+:::tip
+> Evidence **IS** required for this rule and will fail if missing.
+:::
+:::tip
+Signed Evidence for this rule **IS NOT** required by default but is recommended.
+:::
+:::warning
+Rule requires evaluation with a target. Without one, it will be **disabled** unless the `--all-evidence` flag is provided.
+:::
+
+## Usage example
+
+```yaml
+uses: jenkins/instance/evidence-exists@v2
+```
+
+## Evidence Requirements
+| Field | Value |
+|-------|-------|
+| signed | False |
+| content_body_type | generic |
+| target_type | data |
+| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
+| asset_platform | jenkins |
+| asset_type | instance |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "instance" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
+
diff --git a/docs/configuration/initiatives/rules/jenkins/instance/inactive-users.md b/docs/configuration/initiatives/rules/jenkins/instance/inactive-users.md
index e4a94c697..75b15f5ad 100644
--- a/docs/configuration/initiatives/rules/jenkins/instance/inactive-users.md
+++ b/docs/configuration/initiatives/rules/jenkins/instance/inactive-users.md
@@ -49,7 +49,19 @@ It performs the following steps:
| signed | False |
| content_body_type | generic |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - asset_type=instance
- platform=jenkins |
+| asset_platform | jenkins |
+| asset_type | instance |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "instance" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
## Input Definitions
| Parameter | Type | Required | Description |
diff --git a/docs/configuration/initiatives/rules/jenkins/instance/unused-users.md b/docs/configuration/initiatives/rules/jenkins/instance/unused-users.md
index e389c4c5b..f4daabdd7 100644
--- a/docs/configuration/initiatives/rules/jenkins/instance/unused-users.md
+++ b/docs/configuration/initiatives/rules/jenkins/instance/unused-users.md
@@ -47,5 +47,17 @@ It performs the following steps:
| signed | False |
| content_body_type | generic |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - asset_type=instance
- platform=jenkins |
+| asset_platform | jenkins |
+| asset_type | instance |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "instance" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
diff --git a/docs/configuration/initiatives/rules/k8s/namespace/allowed-images.md b/docs/configuration/initiatives/rules/k8s/namespace/allowed-images.md
index 6d4175020..adbf66157 100644
--- a/docs/configuration/initiatives/rules/k8s/namespace/allowed-images.md
+++ b/docs/configuration/initiatives/rules/k8s/namespace/allowed-images.md
@@ -53,7 +53,19 @@ It performs the following steps:
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - asset_type=namespace
- platform=k8s |
+| asset_platform | k8s |
+| asset_type | namespace |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "namespace" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
## Input Definitions
| Parameter | Type | Required | Description |
diff --git a/docs/configuration/initiatives/rules/k8s/namespace/allowed-registries.md b/docs/configuration/initiatives/rules/k8s/namespace/allowed-registries.md
index 86df02e4e..236b1f84c 100644
--- a/docs/configuration/initiatives/rules/k8s/namespace/allowed-registries.md
+++ b/docs/configuration/initiatives/rules/k8s/namespace/allowed-registries.md
@@ -53,7 +53,19 @@ It performs the following steps:
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - asset_type=namespace
- platform=k8s |
+| asset_platform | k8s |
+| asset_type | namespace |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "namespace" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
## Input Definitions
| Parameter | Type | Required | Description |
diff --git a/docs/configuration/initiatives/rules/k8s/namespace/evidence-exists.md b/docs/configuration/initiatives/rules/k8s/namespace/evidence-exists.md
new file mode 100644
index 000000000..4eaa7c886
--- /dev/null
+++ b/docs/configuration/initiatives/rules/k8s/namespace/evidence-exists.md
@@ -0,0 +1,53 @@
+---
+sidebar_label: Require K8s Namespace Discovery Evidence
+title: Require K8s Namespace Discovery Evidence
+---
+# Require K8s Namespace Discovery Evidence
+**Type:** Rule
+**ID:** `k8s-namespace-exists`
+**Source:** [v2/rules/k8s/namespace/evidence-exists.yaml](https://github.com/scribe-public/sample-policies/blob/main/v2/rules/k8s/namespace/evidence-exists.yaml)
+**Rego Source:** [evidence-exists.rego](https://github.com/scribe-public/sample-policies/blob/main/v2/rules/k8s/namespace/evidence-exists.rego)
+**Labels:** K8s, Namespace
+
+Verify the K8s Namespace exists as evidence.
+
+:::note
+This rule requires K8s Namespace Discovery Evidence. See [here](/docs/platforms/discover#k8s-discovery) for more details.
+:::
+:::tip
+> Evidence **IS** required for this rule and will fail if missing.
+:::
+:::tip
+Signed Evidence for this rule **IS NOT** required by default but is recommended.
+:::
+:::warning
+Rule requires evaluation with a target. Without one, it will be **disabled** unless the `--all-evidence` flag is provided.
+:::
+
+## Usage example
+
+```yaml
+uses: k8s/namespace/evidence-exists@v2
+```
+
+## Evidence Requirements
+| Field | Value |
+|-------|-------|
+| signed | False |
+| content_body_type | generic |
+| target_type | data |
+| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
+| asset_platform | k8s |
+| asset_type | namespace |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "namespace" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
+
diff --git a/docs/configuration/initiatives/rules/k8s/namespace/verify-namespace-duration.md b/docs/configuration/initiatives/rules/k8s/namespace/verify-namespace-duration.md
index 9f3ab6a6e..1f6880769 100644
--- a/docs/configuration/initiatives/rules/k8s/namespace/verify-namespace-duration.md
+++ b/docs/configuration/initiatives/rules/k8s/namespace/verify-namespace-duration.md
@@ -51,7 +51,19 @@ It performs the following steps:
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - asset_type=namespace
- platform=k8s |
+| asset_platform | k8s |
+| asset_type | namespace |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "namespace" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
## Input Definitions
| Parameter | Type | Required | Description |
diff --git a/docs/configuration/initiatives/rules/k8s/namespace/verify-namespace-termination.md b/docs/configuration/initiatives/rules/k8s/namespace/verify-namespace-termination.md
index 2f09ed274..9b1c0eb16 100644
--- a/docs/configuration/initiatives/rules/k8s/namespace/verify-namespace-termination.md
+++ b/docs/configuration/initiatives/rules/k8s/namespace/verify-namespace-termination.md
@@ -52,7 +52,19 @@ It performs the following steps:
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - asset_type=namespace
- platform=k8s |
+| asset_platform | k8s |
+| asset_type | namespace |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "namespace" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
## Input Definitions
| Parameter | Type | Required | Description |
diff --git a/docs/configuration/initiatives/rules/k8s/namespace/white-listed-namespaces.md b/docs/configuration/initiatives/rules/k8s/namespace/white-listed-namespaces.md
index 9fa04fe21..e118fc2aa 100644
--- a/docs/configuration/initiatives/rules/k8s/namespace/white-listed-namespaces.md
+++ b/docs/configuration/initiatives/rules/k8s/namespace/white-listed-namespaces.md
@@ -52,7 +52,19 @@ It performs the following steps:
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - asset_type=namespace
- platform=k8s |
+| asset_platform | k8s |
+| asset_type | namespace |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "namespace" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
## Input Definitions
| Parameter | Type | Required | Description |
diff --git a/docs/configuration/initiatives/rules/k8s/namespace/white-listed-pod.md b/docs/configuration/initiatives/rules/k8s/namespace/white-listed-pod.md
index 16ca50ecf..4bd55523d 100644
--- a/docs/configuration/initiatives/rules/k8s/namespace/white-listed-pod.md
+++ b/docs/configuration/initiatives/rules/k8s/namespace/white-listed-pod.md
@@ -55,7 +55,19 @@ It performs the following steps:
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - asset_type=namespace
- platform=k8s |
+| asset_platform | k8s |
+| asset_type | namespace |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "namespace" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
## Input Definitions
| Parameter | Type | Required | Description |
diff --git a/docs/configuration/initiatives/rules/k8s/pods/evidence-exists.md b/docs/configuration/initiatives/rules/k8s/pods/evidence-exists.md
new file mode 100644
index 000000000..b1bdce2b9
--- /dev/null
+++ b/docs/configuration/initiatives/rules/k8s/pods/evidence-exists.md
@@ -0,0 +1,53 @@
+---
+sidebar_label: Require K8s Pod Discovery Evidence
+title: Require K8s Pod Discovery Evidence
+---
+# Require K8s Pod Discovery Evidence
+**Type:** Rule
+**ID:** `k8s-pod-exists`
+**Source:** [v2/rules/k8s/pods/evidence-exists.yaml](https://github.com/scribe-public/sample-policies/blob/main/v2/rules/k8s/pods/evidence-exists.yaml)
+**Rego Source:** [evidence-exists.rego](https://github.com/scribe-public/sample-policies/blob/main/v2/rules/k8s/pods/evidence-exists.rego)
+**Labels:** K8s, Pod
+
+Verify the K8s Pod exists as evidence.
+
+:::note
+This rule requires K8s Pod Discovery Evidence. See [here](/docs/platforms/discover#k8s-discovery) for more details.
+:::
+:::tip
+> Evidence **IS** required for this rule and will fail if missing.
+:::
+:::tip
+Signed Evidence for this rule **IS NOT** required by default but is recommended.
+:::
+:::warning
+Rule requires evaluation with a target. Without one, it will be **disabled** unless the `--all-evidence` flag is provided.
+:::
+
+## Usage example
+
+```yaml
+uses: k8s/pods/evidence-exists@v2
+```
+
+## Evidence Requirements
+| Field | Value |
+|-------|-------|
+| signed | False |
+| content_body_type | generic |
+| target_type | data |
+| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
+| asset_platform | k8s |
+| asset_type | pod |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "pod" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
+
diff --git a/docs/configuration/initiatives/rules/k8s/pods/verify-pod-duration.md b/docs/configuration/initiatives/rules/k8s/pods/verify-pod-duration.md
index 3bd9120a7..bbbc68efe 100644
--- a/docs/configuration/initiatives/rules/k8s/pods/verify-pod-duration.md
+++ b/docs/configuration/initiatives/rules/k8s/pods/verify-pod-duration.md
@@ -51,7 +51,19 @@ It performs the following steps:
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - asset_type=pod
- platform=k8s |
+| asset_platform | k8s |
+| asset_type | pod |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "pod" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
## Input Definitions
| Parameter | Type | Required | Description |
diff --git a/docs/configuration/initiatives/rules/k8s/pods/verify-pod-termination.md b/docs/configuration/initiatives/rules/k8s/pods/verify-pod-termination.md
index 0419bfd0d..e6c5a6fcd 100644
--- a/docs/configuration/initiatives/rules/k8s/pods/verify-pod-termination.md
+++ b/docs/configuration/initiatives/rules/k8s/pods/verify-pod-termination.md
@@ -48,5 +48,17 @@ It performs the following steps:
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - asset_type=pod
- platform=k8s |
+| asset_platform | k8s |
+| asset_type | pod |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "pod" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
diff --git a/docs/configuration/initiatives/rules/k8s/pods/white-listed-pod.md b/docs/configuration/initiatives/rules/k8s/pods/white-listed-pod.md
index 2c2f7e044..397e71aa0 100644
--- a/docs/configuration/initiatives/rules/k8s/pods/white-listed-pod.md
+++ b/docs/configuration/initiatives/rules/k8s/pods/white-listed-pod.md
@@ -55,7 +55,19 @@ It performs the following steps:
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
-| labels | - asset_type=pod
- platform=k8s |
+| asset_platform | k8s |
+| asset_type | pod |
+| asset_name | Template value (see below) |
+
+**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)
+
+```
+{{- if eq .Context.asset_type "pod" -}}
+{{- on_target .Context.asset_name -}}
+{{- else -}}
+{{- on_target nil -}}
+{{- end -}}
+```
## Input Definitions
| Parameter | Type | Required | Description |
diff --git a/docs/configuration/initiatives/rules/sarif/trivy/verify-cve-severity.md b/docs/configuration/initiatives/rules/sarif/trivy/verify-cve-severity.md
index 070aa80fc..1f15794ba 100644
--- a/docs/configuration/initiatives/rules/sarif/trivy/verify-cve-severity.md
+++ b/docs/configuration/initiatives/rules/sarif/trivy/verify-cve-severity.md
@@ -18,9 +18,6 @@ the defined severity threshold.
This rule requires SARIF Evidence. See [here](/docs/valint/sarif) for more details.
:::
:::tip
-> Evidence **IS** required for this rule and will fail if missing.
-:::
-:::tip
Signed Evidence for this rule **IS NOT** required by default but is recommended.
:::
:::info
diff --git a/docs/configuration/initiatives/rules/sarif/trivy/verify-trivy-report.md b/docs/configuration/initiatives/rules/sarif/trivy/verify-trivy-report.md
index 5104fbfec..313c70946 100644
--- a/docs/configuration/initiatives/rules/sarif/trivy/verify-trivy-report.md
+++ b/docs/configuration/initiatives/rules/sarif/trivy/verify-trivy-report.md
@@ -64,6 +64,7 @@ threshold. If the number of such violations exceeds the allowed maximum, a viola
| rule_level | array | False | List of rule levels to check for in the Trivy SARIF report. |
| precision | array | False | List of precision levels to check for in the Trivy SARIF report. |
| rule_ids | array | False | List of rule IDs to check for in the Trivy SARIF report. |
+| rule_names | array | False | List of rule names to check for in the Trivy SARIF report. |
| ignore | array | False | List of rule IDs to ignore in the Trivy SARIF report. |
| max_allowed | integer | False | The maximum number of allowed violations. |
diff --git a/docs/configuration/initiatives/rules/sarif/verify-sarif.md b/docs/configuration/initiatives/rules/sarif/verify-sarif.md
index 1dacfc9d2..9f4dda3f9 100644
--- a/docs/configuration/initiatives/rules/sarif/verify-sarif.md
+++ b/docs/configuration/initiatives/rules/sarif/verify-sarif.md
@@ -63,6 +63,7 @@ severity, and the corresponding location in the artifact.
| rule_level | array | False | List of rule levels to check for in the SARIF report. |
| precision | array | False | List of precision levels to check for in the SARIF report. |
| rule_ids | array | False | List of rule IDs to check for in the SARIF report. |
+| rule_names | array | False | List of rule names to check for in the SARIF report. |
| ignore | array | False | List of rule IDs to ignore in the SARIF report. |
| max_allowed | integer | False | The maximum number of allowed violations. |
diff --git a/docs/configuration/initiatives/sp-800-190.md b/docs/configuration/initiatives/sp-800-190.md
index d7f0538c5..c9d45f4c6 100644
--- a/docs/configuration/initiatives/sp-800-190.md
+++ b/docs/configuration/initiatives/sp-800-190.md
@@ -41,15 +41,20 @@ Ensures that all container images meet organizational security policies before
| Rule ID | Rule Name | Rule Description |
|---------|-----------|------------------|
-| [trivy-verify-vulnerability-findings](rules/sarif/trivy/verify-cve-severity.md) | [4.1.1 Severity-Based Vulnerabilities (Trivy)](rules/sarif/trivy/verify-cve-severity.md) | Ensures that images do not contain high-severity vulnerabilities. Blocks images if any CVEs exceed the defined severity threshold. |
-| [trivy-blocklist-cve](rules/sarif/trivy/blocklist-cve.md) | [4.1.1 High-Profile Vulnerabilities (Trivy)](rules/sarif/trivy/blocklist-cve.md) | Blocks images that contain specific high-profile CVEs that are actively exploited or widely known. |
-| [sbom-disallowed-users](rules/images/banned-users.md) | [4.1.2 Default Non-Root User](rules/images/banned-users.md) | Ensures that containers do not run as the root user. |
-| [images-banned-ports](rules/images/banned-ports.md) | [4.1.2 Banned Open Port 22](rules/images/banned-ports.md) | Blocks images that expose SSH (port 22), which should not be used in containerized applications. |
-| [images-require-healthcheck](rules/images/require-healthcheck.md) | [4.1.3 Set HEALTHCHECK Instruction](rules/images/require-healthcheck.md) | Ensures that container images include a HEALTHCHECK instruction to monitor their runtime health. |
-| [image-labels](rules/images/verify-labels.md) | [4.1.3 Verify Required Image Labels](rules/images/verify-labels.md) | Enforces the presence of essential OpenContainers labels, such as creation time, version, and source repository. |
-| [images-allowed-base-image](rules/images/allowed-base-image.md) | [4.1.5 Approved Source Base Images](rules/images/allowed-base-image.md) | Ensures that base images originate from approved and trusted sources. |
-| [images-allowed-image-source](rules/images/allowed-image-source.md) | [4.1.5 Approved Source Images](rules/images/allowed-image-source.md) | Ensures that application images are built from approved sources. |
-| [images-require-signed-image](rules/images/image-signed.md) | [4.1.5 Signed Images](rules/images/image-signed.md) | Ensures that images are cryptographically signed before execution. |
+| [4.1.1-trivy-verify-vulnerability-findings](rules/sarif/trivy/verify-cve-severity.md) | [4.1.1 Severity-Based Vulnerabilities](rules/sarif/trivy/verify-cve-severity.md) | Ensures that images do not contain high-severity vulnerabilities. Blocks images if any CVEs exceed the defined severity threshold. |
+| [4.1.1-trivy-blocklist-cve](rules/sarif/trivy/blocklist-cve.md) | [4.1.1 High-Profile Vulnerabilities](rules/sarif/trivy/blocklist-cve.md) | Blocks images that contain specific high-profile CVEs that are actively exploited or widely known. |
+| [4.1.1-scribe-api-verify-vulnerability-findings](rules/api/scribe-api-cve.md) | [4.1.1 Severity-Based Vulnerabilities](rules/api/scribe-api-cve.md) | Ensures that images do not contain high-severity vulnerabilities. Blocks images if any CVEs exceed the defined severity threshold. |
+| [4.1.1-scribe-api-blocklist-cve](rules/api/scribe-api-cve.md) | [4.1.1 High-Profile Vulnerabilities](rules/api/scribe-api-cve.md) | Blocks images that contain specific high-profile CVEs that are actively exploited or widely known. |
+| [4.1.2-image-disallowed-users](rules/images/banned-users.md) | [4.1.2 Default Non-Root User](rules/images/banned-users.md) | Ensures that containers do not run as the root user. |
+| [4.1.2-image-banned-ports](rules/images/banned-ports.md) | [4.1.2 Banned Open Port 22](rules/images/banned-ports.md) | Blocks images that expose SSH (port 22), which should not be used in containerized applications. |
+| [4.1.2-image-allowed-base](rules/images/allowed-base-image.md) | [4.1.2 Approved Source Base Images](rules/images/allowed-base-image.md) | Ensures that base images originate from approved and trusted sources. |
+| [4.1.2-image-fresh-base](rules/images/fresh-base-image.md) | [4.1.2 Up-to-Date Base Images](rules/images/fresh-base-image.md) | Ensures that base images are not older than a specified time limit. |
+| [4.1.3-image-require-healthcheck](rules/images/require-healthcheck.md) | [4.1.3 Set HEALTHCHECK Instruction](rules/images/require-healthcheck.md) | Ensures that container images include a HEALTHCHECK instruction to monitor their runtime health. |
+| [4.1.3-image-verify-labels](rules/images/verify-labels.md) | [4.1.3 Verify Required Image Labels](rules/images/verify-labels.md) | Enforces the presence of essential OpenContainers labels, such as creation time, version, and source repository. |
+| [4.1.5-image-allowed-base](rules/images/allowed-base-image.md) | [4.1.5 Approved Source Base Images](rules/images/allowed-base-image.md) | Ensures that base images originate from approved and trusted sources. |
+| [4.1.5-image-allowed-source](rules/images/allowed-image-source.md) | [4.1.5 Approved Source Images](rules/images/allowed-image-source.md) | Ensures that application images are built from approved sources. |
+| [4.1.5-image-signed](rules/images/image-signed.md) | [4.1.5 Signed Images](rules/images/image-signed.md) | Ensures that images are cryptographically signed before execution. |
+| [4.1.5-image-fresh](rules/images/fresh-image.md) | [4.1.5 Fresh Images](rules/images/fresh-image.md) | Ensures that images are not older than a specified time limit. |
## [4.2] 4.2 REGISTRY COUNTERMEASURES
@@ -63,6 +68,6 @@ Reduces risks associated with registry security, stale images, and unauthorized
| Rule ID | Rule Name | Rule Description |
|---------|-----------|------------------|
-| [images-registry-https-check](rules/images/enforce-https-registry.md) | [4.2.1 Registry Connection Enforcement](rules/images/enforce-https-registry.md) | Ensures that images are only pulled from registries using HTTPS. |
-| [images-fresh-base-image](rules/images/fresh-base-image.md) | [4.2.2 Up-to-Date Base Images](rules/images/fresh-base-image.md) | Ensures that base images are not older than a specified time limit. |
-| [fresh-image](rules/images/fresh-image.md) | [4.2.2 Up-to-Date Derived Images](rules/images/fresh-image.md) | Ensures that derived images are refreshed regularly and not outdated. |
+| [4.2.1-registry-enforce-https](rules/images/enforce-https-registry.md) | [4.2.1 Registry Connection Enforcement](rules/images/enforce-https-registry.md) | Ensures that images are only pulled from registries using HTTPS. |
+| [4.2.2-registry-fresh-base](rules/images/fresh-base-image.md) | [4.2.2 Up-to-Date Base Images](rules/images/fresh-base-image.md) | Ensures that base images are not older than a specified time limit. |
+| [4.2.2-registry-fresh-image](rules/images/fresh-image.md) | [4.2.2 Up-to-Date Derived Images](rules/images/fresh-image.md) | Ensures that derived images are refreshed regularly and not outdated. |
diff --git a/docs/configuration/initiatives/sspb-gh.md b/docs/configuration/initiatives/sspb-gh.md
index 90d5a22ae..1381a0408 100644
--- a/docs/configuration/initiatives/sspb-gh.md
+++ b/docs/configuration/initiatives/sspb-gh.md
@@ -153,6 +153,7 @@ Teams should be aware of implicit runtime dependencies as well as explicit build
| Rule ID | Rule Name | Rule Description |
|---------|-----------|------------------|
| [allowed-base-image](rules/images/allowed-base-image.md) | [Ensure that base images are from an approved source](rules/images/allowed-base-image.md) | Verifies that every base image is from an approved source. The rule returns a summary including the component names and versions of valid base images, or lists the invalid ones. This rule requires Dockerfile context; for example, run it with: `valint my_image --base-image Dockerfile`. |
+| [allowed-npm-registries](rules/images/allowed-npm-registries.md) | [Verify NPM Packages Origin](rules/images/allowed-npm-registries.md) | Verify that the artifact contains only components from allowed NPM registries. |
## [CTL-6] Any critical or high severity vulnerability breaks the build
diff --git a/docs/configuration/initiatives/sspb-gl.md b/docs/configuration/initiatives/sspb-gl.md
index 44e5e0faa..e35c7bf53 100644
--- a/docs/configuration/initiatives/sspb-gl.md
+++ b/docs/configuration/initiatives/sspb-gl.md
@@ -156,6 +156,7 @@ Teams should be aware of implicit runtime dependencies as well as explicit build
| Rule ID | Rule Name | Rule Description |
|---------|-----------|------------------|
| [allowed-base-image](rules/images/allowed-base-image.md) | [Ensure that base images are from an approved source](rules/images/allowed-base-image.md) | Verifies that every base image is from an approved source. The rule returns a summary including the component names and versions of valid base images, or lists the invalid ones. This rule requires Dockerfile context; for example, run it with: `valint my_image --base-image Dockerfile`. |
+| [allowed-npm-registries](rules/images/allowed-npm-registries.md) | [Verify NPM Packages Origin](rules/images/allowed-npm-registries.md) | Verify that the artifact contains only components from allowed NPM registries. |
## [CTL-6] Any critical or high severity vulnerability breaks the build
diff --git a/docs/guides/enforcing-sdlc-initiative.md b/docs/guides/enforcing-sdlc-initiative.md
index e14462cfd..77e47aba3 100644
--- a/docs/guides/enforcing-sdlc-initiative.md
+++ b/docs/guides/enforcing-sdlc-initiative.md
@@ -35,7 +35,7 @@ For a detailed initiative description, see the **[initiatives](../valint/initiat
See [Getting started with valint](../valint/getting-started-valint.md) for more information on the `bom` command.
-Alternatively, you can use GitHub actions, as described in detail in [Setting up an integration in GitHub](../quick-start/set-up-integration/set-up-github.md).
+Alternatively, you can use GitHub actions, as described in detail in [Setting up an integration in GitHub](../../integrating-scribe/ci-integrations/github).
### Verifying an initiative
@@ -449,7 +449,8 @@ To use a custom initiatives rule catalog, you can specify the path to the catalo
| [SLSA L1 Framework](/docs/configuration/initiatives/slsa.l1.md) | Evaluate SLSA Level 1 |
| [SLSA L2 Framework](/docs/configuration/initiatives/slsa.l2.md) | Evaluate SLSA Level 2 |
| [SSDF Client Initiative](/docs/configuration/initiatives/ssdf.md) | Evaluate PS rules from the SSDF initiative |
-| [Secure Software Pipeline Blueprint](/docs/configuration/initiatives/sspb.md) | Blueprint for secure pipelines - Gitlab |
+| [Secure Software Pipeline Blueprint](/docs/configuration/initiatives/sspb-gl.md) | Blueprint for secure pipelines - Gitlab |
+| [Secure Software Pipeline Blueprint](/docs/configuration/initiatives/sspb-gh.md) | Blueprint for secure pipelines - GitHub |
## Rules
@@ -461,6 +462,7 @@ To use a custom initiatives rule catalog, you can specify the path to the catalo
|-----------|-------------|
| [Apply Scribe Template Policy](/docs/configuration/initiatives/rules/api/scribe-api.md) | Verify XX using the Scribe API template rule. |
| [Scribe Published Policy](/docs/configuration/initiatives/rules/api/scribe-api-published.md) | Verify image Scribe Publish flag is set for container image. |
+| [Verify No Critical or High Vulnerabilities](/docs/configuration/initiatives/rules/api/scribe-api-cve.md) | Verify via Scribe API that there are no critical or high severity vulnerabilities in the target artifact (container image, folder, etc.). |
| [NTIA SBOM Compliance Check](/docs/configuration/initiatives/rules/sbom/NTIA-compliance.md) | Validates that SBOM metadata meets basic NTIA requirements for authors and supplier. |
| [Enforce SBOM Freshness](/docs/configuration/initiatives/rules/sbom/fresh-sbom.md) | Verify the SBOM is not older than the specified duration. |
| [Require SBOM Existence](/docs/configuration/initiatives/rules/sbom/evidence-exists.md) | Verify the SBOM exists as evidence. |
@@ -473,7 +475,6 @@ To use a custom initiatives rule catalog, you can specify the path to the catalo
| Rule Name | Description |
|-----------|-------------|
-| [Verify File Integrity](/docs/configuration/initiatives/rules/multievidence/files_integrity.md) | Verify the checksum of each file in one SBOM matches the checksum in a second SBOM. |
| [Verify Image Labels](/docs/configuration/initiatives/rules/images/verify-labels.md) | Verify specified labels key-value pairs exist in the image. |
| [Forbid Large Images](/docs/configuration/initiatives/rules/images/forbid-large-images.md) | Verify the image size is below the specified threshold. |
| [Disallow Container Shell Entrypoint](/docs/configuration/initiatives/rules/images/restrict-shell-entrypoint.md) | Verify the container image disallows shell entrypoint. |
@@ -482,13 +483,13 @@ To use a custom initiatives rule catalog, you can specify the path to the catalo
| [Disallow Specific Users in SBOM](/docs/configuration/initiatives/rules/images/banned-users.md) | Verify specific users are not allowed in an SBOM. |
| [Restrict Build Scripts](/docs/configuration/initiatives/rules/images/blocklist-build-scripts.md) | Verify no build scripts commands appear in block list. |
| [Registry Connection HTTPS](/docs/configuration/initiatives/rules/images/enforce-https-registry.md) | Checks if the container's registry scheme is HTTPS |
+| [Verify NPM Packages Origin](/docs/configuration/initiatives/rules/images/allowed-npm-registries.md) | Verify that the artifact contains only components from allowed NPM registries. |
| [Require Image Labels](/docs/configuration/initiatives/rules/images/verify-labels-exist.md) | Verify the image has the specified labels. |
| [Require Healthcheck](/docs/configuration/initiatives/rules/images/require-healthcheck.md) | Checks that the container image includes at least one healthcheck property. |
| [Allowed Base Image](/docs/configuration/initiatives/rules/images/allowed-base-image.md) | Verifies that every base image is from an approved source. The rule returns a summary including the component names and versions of valid base images, or lists the invalid ones. This rule requires Dockerfile context; for example, run it with: `valint my_image --base-image Dockerfile`. |
| [Fresh Image](/docs/configuration/initiatives/rules/images/fresh-image.md) | Verify the image is not older than the specified threshold. |
| [Allowed Main Image Source](/docs/configuration/initiatives/rules/images/allowed-image-source.md) | Ensures the main container image referenced in the SBOM is from an approved source. |
| [Require Signed Container Image](/docs/configuration/initiatives/rules/images/image-signed.md) | Enforces that container images (target_type=container) are cryptographically signed. |
-| [Verify No Critical or High Vulnerabilities](/docs/configuration/initiatives/rules/api/scribe-api-cve.md) | Verify via Scribe API that there are no critical or high severity vulnerabilities in the target artifact (container image, folder, etc.). |
| [Disallow Specific Users in SBOM](/docs/configuration/initiatives/rules/sbom/banned-users.md) | Verify specific users are not allowed in an SBOM. |
| [Enforce SBOM Dependencies](/docs/configuration/initiatives/rules/sbom/required-packages.md) | Verify the artifact includes all required dependencies. |
| [Enforce SBOM License Completeness](/docs/configuration/initiatives/rules/sbom/complete-licenses.md) | Verify all dependencies in the artifact have a license. |
@@ -536,6 +537,7 @@ To use a custom initiatives rule catalog, you can specify the path to the catalo
| Rule Name | Description |
|-----------|-------------|
+| [3rd Party Scanner Violations](/docs/configuration/initiatives/rules/generic/3rd-pty.md) | Limit allowed violations in 3rd party scanner reports |
| [Required Trivy Evidence Exists](/docs/configuration/initiatives/rules/generic/trivy-exists.md) | Verify required Trivy evidence exists |
| [Required Generic Evidence Exists](/docs/configuration/initiatives/rules/generic/evidence-exists.md) | Verify required evidence exists. |
| [Generic Artifact Signed](/docs/configuration/initiatives/rules/generic/artifact-signed.md) | Verify required evidence is signed. |
@@ -553,6 +555,7 @@ To use a custom initiatives rule catalog, you can specify the path to the catalo
| [Verify `secret_scanning` Setting in `security_and_analysis`](/docs/configuration/initiatives/rules/github/org/secret-scanning-sa.md) | Verify secret scanning is configured in the GitHub repository. |
| [Limit Admin Number in GitHub Organization](/docs/configuration/initiatives/rules/github/org/max-admins.md) | Verify the maximum number of GitHub organization admins is restricted. |
| [Verify `advanced_security_enabled_for_new_repositories` setting](/docs/configuration/initiatives/rules/github/org/advanced-security.md) | Verify Advanced Security is enabled for new repositories in the GitHub organization. |
+| [Require GitHub Organization Discovery Evidence](/docs/configuration/initiatives/rules/github/org/evidence-exists.md) | Verify the GitHub Organization exists as evidence. |
| [Verify dependency_graph_enabled_for_new_repositories setting](/docs/configuration/initiatives/rules/github/org/dependency-graph.md) | Verify dependency graph is enabled for new repositories in the GitHub organization. |
| [Verify GitHub Organization Requires Signoff on Web Commits](/docs/configuration/initiatives/rules/github/org/web-commit-signoff.md) | Verify contributors sign commits through the GitHub web interface. |
| [Verify Two-Factor Authentication (2FA) Requirement Enabled](/docs/configuration/initiatives/rules/github/org/2fa.md) | Verify Two-factor Authentication is required in the GitHub organization. |
@@ -574,9 +577,11 @@ To use a custom initiatives rule catalog, you can specify the path to the catalo
| Rule Name | Description |
|-----------|-------------|
+| [Pull request approval policy check for GitHub repository](/docs/configuration/initiatives/rules/github/repository/approvals-policy-check.md) | Verify the repository's pull request approval policy |
| [Verify secret scanning.](/docs/configuration/initiatives/rules/github/repository/validity-checks.md) | Verify both `secret_scanning_validity_checks` and `security_and_analysis` are set in GitHub organization and all the repositories. |
| [Verify Dependabot security updates setting](/docs/configuration/initiatives/rules/github/repository/dependabot.md) | Verify Dependabot security updates are configured in the GitHub repository. |
| [Verify Repository Is Private](/docs/configuration/initiatives/rules/github/repository/repo-private.md) | Verify the GitHub repository is private. |
+| [Require GitHub Repository Discovery Evidence](/docs/configuration/initiatives/rules/github/repository/evidence-exists.md) | Verify the GitHub Repository exists as evidence. |
| [Verify Repository Requires Commit Signoff](/docs/configuration/initiatives/rules/github/repository/web-commit-signoff.md) | Verify contributors sign off on commits to the GitHub repository through the GitHub web interface. |
| [Verify Default Branch Protection](/docs/configuration/initiatives/rules/github/repository/default-branch-protection.md) | Verify the default branch protection is configured in the GitHub repository. |
| [Verify No Old Secrets Exist in Repository](/docs/configuration/initiatives/rules/github/repository/old-secrets.md) | Verify secrets in the GitHub repository are not older than the specified threshold. |
@@ -662,6 +667,7 @@ To use a custom initiatives rule catalog, you can specify the path to the catalo
|-----------|-------------|
| [Allowed Container Images](/docs/configuration/initiatives/rules/k8s/namespace/allowed-images.md) | Verify only container images specified in the Allowed List run within the Kubernetes namespace. |
| [Verify Namespace Termination](/docs/configuration/initiatives/rules/k8s/namespace/verify-namespace-termination.md) | Verify Kubernetes namespaces are properly terminated to prevent lingering resources and maintain cluster hygiene. |
+| [Require K8s Namespace Discovery Evidence](/docs/configuration/initiatives/rules/k8s/namespace/evidence-exists.md) | Verify the K8s Namespace exists as evidence. |
| [Allowed Namespaces](/docs/configuration/initiatives/rules/k8s/namespace/white-listed-namespaces.md) | Verify only namespaces specified in the Allowed List are allowed within the cluster. |
| [Verify Namespace Runtime Duration](/docs/configuration/initiatives/rules/k8s/namespace/verify-namespace-duration.md) | Verify Kubernetes namespaces adhere to a specified runtime duration to enforce lifecycle limits. |
| [Allowed Namespace Registries](/docs/configuration/initiatives/rules/k8s/namespace/allowed-registries.md) | Verify container images in Kubernetes namespaces originate from registries in the Allowed List. |
@@ -674,6 +680,7 @@ To use a custom initiatives rule catalog, you can specify the path to the catalo
| Rule Name | Description |
|-----------|-------------|
| [Verify Pod Runtime Duration](/docs/configuration/initiatives/rules/k8s/pods/verify-pod-duration.md) | Verify Kubernetes pods adhere to a specified runtime duration to enforce lifecycle limits. |
+| [Require K8s Pod Discovery Evidence](/docs/configuration/initiatives/rules/k8s/pods/evidence-exists.md) | Verify the K8s Pod exists as evidence. |
| [Verify Pod Termination](/docs/configuration/initiatives/rules/k8s/pods/verify-pod-termination.md) | Verify Kubernetes pods are properly terminated to prevent lingering resources and maintain cluster hygiene. |
| [Allowed Pods](/docs/configuration/initiatives/rules/k8s/pods/white-listed-pod.md) | Verify only pods explicitly listed in the Allowed List are allowed to run. |
@@ -684,6 +691,7 @@ To use a custom initiatives rule catalog, you can specify the path to the catalo
| Rule Name | Description |
|-----------|-------------|
| [Prevent Long-Lived Tokens](/docs/configuration/initiatives/rules/bitbucket/project/long-live-tokens.md) | Verify Bitbucket API tokens expire before the maximum time to live. |
+| [Require Bitbucket Project Discovery Evidence](/docs/configuration/initiatives/rules/bitbucket/project/evidence-exists.md) | Verify the Bitbucket Project exists as evidence. |
| [Allowed Project Admins](/docs/configuration/initiatives/rules/bitbucket/project/allow-admins.md) | Verify only users specified in the Allowed List have admin privileges in the Bitbucket project. |
| [Allowed Project Users](/docs/configuration/initiatives/rules/bitbucket/project/allow-users.md) | Verify only users specified in the Allowed List have user access to the Bitbucket project. |
| [Prevent Credential Exposure](/docs/configuration/initiatives/rules/bitbucket/project/exposed-credentials.md) | Verify access to the Bitbucket project is blocked if exposed credentials are detected. |
@@ -694,6 +702,7 @@ To use a custom initiatives rule catalog, you can specify the path to the catalo
| Rule Name | Description |
|-----------|-------------|
+| [Require Bitbucket Repository Discovery Evidence](/docs/configuration/initiatives/rules/bitbucket/repository/evidence-exists.md) | Verify the Bitbucket Repository exists as evidence. |
| [Allowed Repository Admins](/docs/configuration/initiatives/rules/bitbucket/repository/allow-admins.md) | Verify only users specified in the Allowed List have admin privileges in the Bitbucket repository. |
| [Verify Default Branch Protection Setting Is Configured](/docs/configuration/initiatives/rules/bitbucket/repository/branch-protection.md) | Verify the default branch protection is enabled in the Bitbucket repository. |
| [Allowed Repository Users](/docs/configuration/initiatives/rules/bitbucket/repository/allow-users.md) | Verify only users specified in the Allowed List have user access to the Bitbucket repository. |
@@ -704,27 +713,27 @@ To use a custom initiatives rule catalog, you can specify the path to the catalo
| Rule Name | Description |
|-----------|-------------|
+| [Require Bitbucket Workspace Discovery Evidence](/docs/configuration/initiatives/rules/bitbucket/workspace/evidence-exists.md) | Verify the Bitbucket Workspace exists as evidence. |
| [Allowed Workspace Admins](/docs/configuration/initiatives/rules/bitbucket/workspace/allow-admins.md) | Verify only users specified in the Allowed List have admin privileges in the Bitbucket workspace. |
| [Allowed Workspace Users](/docs/configuration/initiatives/rules/bitbucket/workspace/allow-users.md) | Verify only users specified in the Allowed List have user access to the Bitbucket workspace. |
-### Discovery Evidence
+### Dockerhub Project Discovery Evidence
-**Evidence Type:** [Discovery Evidence](/docs/platforms/discover)
+**Evidence Type:** [Dockerhub Project Discovery Evidence](/docs/platforms/discover#dockerhub-discovery)
| Rule Name | Description |
|-----------|-------------|
-| [Verify GitLab Pipeline Labels](/docs/configuration/initiatives/rules/gitlab/pipeline/verify-labels.md) | Verify the pipeline includes all required label keys and values. |
-| [GitLab pipeline verify labels exist](/docs/configuration/initiatives/rules/gitlab/pipeline/verify-labels-exist.md) | Verify the pipeline has all required label keys and values. |
-| [Verify Exposed Credentials](/docs/configuration/initiatives/rules/jenkins/folder/exposed-credentials.md) | Verify there are no exposed credentials. |
+| [Verify DockerHub Tokens are Active](/docs/configuration/initiatives/rules/dockerhub/token-expiration.md) | Verify that all discovered Dockerhub tokens are set to Active in Dockerhub. |
+| [Verify no unused Dockerhub](/docs/configuration/initiatives/rules/dockerhub/token-not-used.md) | Verify that there are no unused Dockerhub. |
-### Dockerhub Project Discovery Evidence
+### Jenkins Folder Discovery Evidence
-**Evidence Type:** [Dockerhub Project Discovery Evidence](/docs/platforms/discover#dockerhub-discovery)
+**Evidence Type:** [Jenkins Folder Discovery Evidence](/docs/platforms/discover#jenkins-discovery)
| Rule Name | Description |
|-----------|-------------|
-| [Verify DockerHub Tokens are Active](/docs/configuration/initiatives/rules/dockerhub/token-expiration.md) | Verify that all discovered Dockerhub tokens are set to Active in Dockerhub. |
-| [Verify no unused Dockerhub](/docs/configuration/initiatives/rules/dockerhub/token-not-used.md) | Verify that there are no unused Dockerhub. |
+| [Require Jenkins Folder Discovery Evidence](/docs/configuration/initiatives/rules/jenkins/folder/evidence-exists.md) | Verify the Jenkins Folder exists as evidence. |
+| [Verify Exposed Credentials](/docs/configuration/initiatives/rules/jenkins/folder/exposed-credentials.md) | Verify there are no exposed credentials. |
### Jenkins Instance Discovery Evidence
@@ -732,6 +741,7 @@ To use a custom initiatives rule catalog, you can specify the path to the catalo
| Rule Name | Description |
|-----------|-------------|
+| [Require Jenkins Instance Discovery Evidence](/docs/configuration/initiatives/rules/jenkins/instance/evidence-exists.md) | Verify the Jenkins Instance exists as evidence. |
| [Disallow Unused Users](/docs/configuration/initiatives/rules/jenkins/instance/unused-users.md) | Verify there are no users with zero activity. |
| [Verify Inactive Users](/docs/configuration/initiatives/rules/jenkins/instance/inactive-users.md) | Verify there are no inactive users. |
@@ -741,7 +751,7 @@ To use a custom initiatives rule catalog, you can specify the path to the catalo
| Rule Name | Description |
|-----------|-------------|
-| [SLSA External Parameters Match in Provenance Document](/docs/configuration/initiatives/rules/slsa/verify-external-parameters.md) | Verify the specified exterenal parameters value match in the provenance document. |
+| [SLSA External Parameters Match in Provenance Document](/docs/configuration/initiatives/rules/slsa/verify-external-parameters.md) | Verify the specified external parameters value match in the provenance document. |
| [Verify that provenance is authenticated](/docs/configuration/initiatives/rules/slsa/l2-provenance-authenticated.md) | Verify the artifact is signed. |
| [SLSA Field Exists in Provenance Document](/docs/configuration/initiatives/rules/slsa/field-exists.md) | Verify the specified field exists in the provenance document. |
| [Verify Provenance Document Exists](/docs/configuration/initiatives/rules/slsa/l1-provenance-exists.md) | Verify that the Provenance document evidence exists. |
@@ -763,6 +773,7 @@ To use a custom initiatives rule catalog, you can specify the path to the catalo
| [Sign Selected Commits in GitLab](/docs/configuration/initiatives/rules/gitlab/api/signed-commits-list.md) | Verify the selected commits are signed in the GitLab organization. |
| [Set Push Rules in GitLab](/docs/configuration/initiatives/rules/gitlab/api/push-rules.md) | Verify GitLab push rules are configured via the API. |
| [Sign Selected Commit Range in GitLab](/docs/configuration/initiatives/rules/gitlab/api/signed-commits-range.md) | Verify the selected range of commits is signed via the GitLab API. |
+| [Verify No 3rd Party Findings via Scribe API](/docs/configuration/initiatives/rules/api/scribe-api-findings.md) | Verify via Scribe API that there are no findings reported by 3rd party tools in the target product. |
| [Verify No Critical or High Vulnerabilities in Product](/docs/configuration/initiatives/rules/api/scribe-api-cve-product.md) | Verify via Scribe API that there are no critical or high severity vulnerabilities in any deliverable component of the product. |