Attention Iron Bank Customers: On March 27, 2025, we are moving SBOM artifacts from the Anchore Scan job to the Build job to streamline the container hardening pipeline. If you currently download SBOMs from the Anchore Scan job, you can still get them from the Build job and from other sources, including IBFE and image attestations.
Decided to not enable image-signature verification by default for now.
We'll need to make sure we have sufficient egress policies in place that ideally don't open up too much. We could also implement this issue: big-bang/product/packages/kyverno-policies#9 (closed) which set the failurePolicy to ignore where we only audit or warn on a policy. A failurePolicy of ignore would not prevent installs in the event of an i/o timeout where the policy is in audit or warn
