Secure Container Image Signing with Cosign and OPA

  • Published on 25 Aug 2024

Comments • 3

  • @keka406
    @keka406 5 months ago

    I see in the policies you have hardcoded the image digest values. But let's say the pipeline has triggers, which can be triggered upon a new image. Then the image digest will be different. In this case, how do you ensure it passes the policy enforcement, knowing the image is signed and verified but the image digest will not match the one hardcoded?

    • @DewanAhmed-Harness
      @DewanAhmed-Harness 5 months ago

      Hi @keka406, great question! You'll need to update the JSON payload like this (expectedDigest is the SHA coming from each trigger):
      ```json
      {
        "expectedDigest": "",
        "actualDigest": "",
        "env": ""
      }
      ```
      and then update the image digest policy as follows:
      ```rego
      package main

      # Deny unless the digest of the image being deployed equals the digest the
      # trigger passed in. Using `not ... ==` (rather than `!=`) also denies when
      # either field is missing, so the policy fails closed.
      deny {
          not input.actualDigest == input.expectedDigest
      }
      ```
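      The digest comparison in this reply, modelled in Python as an added example (not code from the video or the commenter): it normalizes both digest strings before comparing them and, like the Rego `not ... ==` form, denies when a field is missing or when the image reference carries only a mutable tag. The payload, registry name and function names are constructed for illustration.

```python
# Added example (not from the video or the commenter): a Python model of the
# digest-pinning policy above, with normalization and fail-closed handling.
import re
from typing import Optional

_DIGEST_RE = re.compile(r"^(?:sha256:)?([0-9a-fA-F]{64})$")
_REF_DIGEST_RE = re.compile(r"@(sha256:[0-9a-fA-F]{64})$")


def normalize_digest(value: Optional[str]) -> Optional[str]:
    """Return 'sha256:<64 lowercase hex>', or None if value is not a sha256 digest."""
    if not value:
        return None
    m = _DIGEST_RE.match(value.strip())
    return f"sha256:{m.group(1).lower()}" if m else None


def digest_from_ref(image_ref: str) -> Optional[str]:
    """Digest from 'registry/repo@sha256:...'; a tag-only (mutable) reference yields None."""
    m = _REF_DIGEST_RE.search(image_ref)
    return normalize_digest(m.group(1)) if m else None


def evaluate(payload: dict) -> list:
    """Mirror `deny { not input.actualDigest == input.expectedDigest }`.

    Returns the deny reasons; an empty list means the deployment is allowed.
    A missing or malformed digest on either side is a deny (fail closed).
    """
    reasons = []
    expected = normalize_digest(payload.get("expectedDigest"))
    actual = normalize_digest(payload.get("actualDigest"))
    if expected is None:
        reasons.append("expectedDigest missing or not a sha256 digest")
    if actual is None:
        reasons.append("actualDigest missing or not a sha256 digest")
    if expected and actual and expected != actual:
        reasons.append(f"digest mismatch: expected {expected}, got {actual}")
    return reasons


# Constructed sample payload: the trigger supplies the digest that was signed and
# verified, and the deploy step resolves the image reference it is about to run.
SIGNED_DIGEST = "sha256:" + "ab" * 32
TRIGGER_PAYLOAD = {
    "expectedDigest": SIGNED_DIGEST,
    "actualDigest": digest_from_ref("registry.example/app@" + SIGNED_DIGEST),
    "env": "prod",
}

if __name__ == "__main__":
    print(evaluate(TRIGGER_PAYLOAD) or "allowed")
```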

  • @palanisamy-dl9qe
    @palanisamy-dl9qe 3 months ago

    Can we create a free account in Sigstore?