Skip to content

THEN Directives

Then asserts on every entity in the stash. If any entity fails, the scenario fails and the compliance run exits with a non-zero code.

Reference

Then it must contain {property_name}

Every entity must define the property.

Then it must contain rules
Then it must contain image

Then it must not contain {property_name}

No entity may define the property.

Then it must not contain allow_failure

Then its {property_name} must be {expected}

Every entity's property must equal expected.

Then its value must be false
Then its protected must be true
Then its masked must be true

Then its {property_name} must match "{pattern}"

Every entity's property must match the value spec in pattern:

  • Literal — exact match (prod)
  • Comma list — actual must equal one listed value (prod,uat,dev)
  • Regex — full-string match (^(backend|frontend)$)
Then its image must match "^[^\\s]+(:[\\w.-]+|@sha256:[a-f0-9]{64})$"
Then its version must match "^\d+\.\d+\.\d+(-[\w.]+)?$"
Then its value must match "prod,uat,dev"
Then its rules must match "if:"

See Advanced scenarios for Examples table rules.

Then its {property_name} must not match "{pattern}"

Every entity's property must not match the pattern.

Then its image must not match ":latest$"

Then its {property_name} must not be null

Property must be present and non-empty after normalization.

Then its image must not be null

Then its extends must include "{template}"

Job extends must reference the template job name.

Then its extends must include ".org:security"

Then it must use valid semver

Every include in the stash must use a valid semver ref (offline check).

Then it must use valid semver

Then a newer release must not be available

API: pinned semver must not be behind the latest semver tag on the included project.

Then a newer release must not be available

Then a newer release must not be available for more than {days} days

API: fail when a newer semver exists and the latest tag was published more than {days} days ago. Gives teams a grace period to adopt new upstream releases.

Then a newer release must not be available for more than 30 days

Then its release lag must not exceed {days} days

API: fail when a newer semver exists and the pinned tag trails the latest by more than {days} days (by tag commit dates).

Then its release lag must not exceed 90 days

Then it must be within the latest {count} tags

API: pinned semver must rank among the top {count} semver tags on the included project (1 = latest).

Then it must be within the latest 3 tags

Then it must use sha256 digest

Container images must use an immutable @sha256: digest (default supply-chain pin).

Then a newer image release must not be available

API: pinned image tag must not be behind the latest registry tag.

Then it must be within the latest {count} image tags

API: image tag must rank among the top {count} semver tags on the registry.

Then it must track the latest release

API: pinned semver must equal the latest semver tag.

Then it must track the latest release

Failure output

Failed assertions include entity name, property, expected condition, and source location in the pipeline file when line metadata is available.

Next: Using AND.