docs: setup enforce digest rule

misc/hashitalk_secure2024/demos/digest/digest.rego

@@ -0,0 +1,14 @@
+package digest
+
+import rego.v1
+
+
+errors contains err_msg if {
+    some g, t
+	input.TaskGroups[g].Tasks[t].Driver == "docker"
+	image := input.TaskGroups[g].Tasks[t].Config.image
+
+    not regex.match( "@sha256:[a-f0-9]{64}$", image)
+
+    err_msg := sprintf("Invalid image reference: %v", [image])
+}

misc/hashitalk_secure2024/demos/digest/digest_test.rego

@@ -0,0 +1,22 @@
+package digest_test
+
+import rego.v1
+
+import data.digest
+
+test_has_error_when_image_is_tagged if {
+	result := digest.errors with input as {"TaskGroups": [{"Tasks": [{
+		"Driver": "docker",
+		"Config": {"image": "alpine:3.19.1"},
+	}]}]}
+	result == { "Invalid image reference: alpine:3.19.1" }
+}
+
+test_has_no_errors_if_image_uses_digest if {
+	result := digest.errors with input as {"TaskGroups": [{"Tasks": [{
+		"Driver": "docker",
+		"Config": {"image": "alpine@sha256:c5b1261d6d3e43071626931fc004f70149baeba2c8ec672bd4f27761f8e1ad6b"},
+	}]}]}
+
+	result == set()
+}