From 22142f231fd09fad72a15a193764f843867eacae Mon Sep 17 00:00:00 2001 From: Vishal Choudhary Date: Tue, 13 Aug 2024 20:34:52 +0530 Subject: [PATCH 1/2] feat(docs): regexp support in cosign keyless verification Signed-off-by: Vishal Choudhary --- .../verify-images/sigstore/_index.md | 30 +++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/content/en/docs/writing-policies/verify-images/sigstore/_index.md b/content/en/docs/writing-policies/verify-images/sigstore/_index.md index 0f700de58..5509744c1 100644 --- a/content/en/docs/writing-policies/verify-images/sigstore/_index.md +++ b/content/en/docs/writing-policies/verify-images/sigstore/_index.md @@ -464,6 +464,35 @@ spec: url: https://rekor.sigstore.dev ``` +The following policy verifies an image signed using [keyless signing](https://docs.sigstore.dev/signing/overview/) and verified using subject and issuer regular expressions: + +```yaml +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: check-image-keyless +spec: + validationFailureAction: Enforce + webhookTimeoutSeconds: 30 + rules: + - name: check-image-keyless + match: + any: + - resources: + kinds: + - Pod + verifyImages: + - imageReferences: + - "ghcr.io/kyverno/test-verify-image:signed-keyless" + attestors: + - entries: + - keyless: + subjectRegExp: https://github\.com/.+ + issuerRegExp: https://token\.actions\.githubusercontent.+ + rekor: + url: https://rekor.sigstore.dev +``` + ### Keyless signing To sign images using the keyless flow, use the following cosign command: @@ -497,6 +526,7 @@ attestors: url: https://rekor.sigstore.dev ``` + ## Using a Key Management Service (KMS) Kyverno and Cosign support using Key Management Services (KMS) such as AWS, GCP, Azure, and HashiCorp Vault. This integration allows referencing public and private keys using a URI syntax, instead of embedding the key directly in the policy. From 38c782a29ad8a309a9bf98093066950245b852f9 Mon Sep 17 00:00:00 2001 
From: Vishal Choudhary Date: Tue, 13 Aug 2024 20:38:39 +0530 Subject: [PATCH 2/2] fix: grammatical errors Signed-off-by: Vishal Choudhary --- .../en/docs/writing-policies/verify-images/sigstore/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/docs/writing-policies/verify-images/sigstore/_index.md b/content/en/docs/writing-policies/verify-images/sigstore/_index.md index 5509744c1..0e4ff1e02 100644 --- a/content/en/docs/writing-policies/verify-images/sigstore/_index.md +++ b/content/en/docs/writing-policies/verify-images/sigstore/_index.md @@ -464,7 +464,7 @@ spec: url: https://rekor.sigstore.dev ``` -The following policy verifies an image signed using [keyless signing](https://docs.sigstore.dev/signing/overview/) and verified using subject and issuer regular expressions: +The following policy verifies an image signed using [keyless signing](https://docs.sigstore.dev/signing/overview/) with regular expressions for subject and issuer: ```yaml apiVersion: kyverno.io/v1
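Review bot: In the first hunk of PATCH 1/2 (@@ -464,6 +464,35), the two patterns in the new policy example are unanchored and very permissive: `subjectRegExp: https://github\.com/.+` accepts a certificate identity from any GitHub repository or workflow, and `issuerRegExp: https://token\.actions\.githubusercontent.+` accepts anything after that prefix. Since readers copy these examples into production policies, anchor the patterns with `^` and `$` and narrow the subject to the expected organisation and workflow path, for example `subjectRegExp: "^https://github\\.com/kyverno/.+/\\.github/workflows/.+$"`, and add a sentence above the policy saying whether Kyverno anchors the match or applies it as a substring search, so the reader knows what `.+` will accept.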
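Review bot: The second hunk of PATCH 1/2 (@@ -497,6 +526,7) is a whitespace-only change that inserts an extra blank line before `## Using a Key Management Service (KMS)`; it is unrelated to the regexp feature and leaves a double blank line in the document, so drop it from this commit.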
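Review bot: The reworded sentence in PATCH 2/2 (@@ -464,7 +464,7) still reads ambiguously, since "signed using keyless signing with regular expressions for subject and issuer" suggests the regular expressions were part of the signing step rather than the verification; suggest "The following policy verifies an image signed using [keyless signing](https://docs.sigstore.dev/signing/overview/), matching the certificate subject and issuer against regular expressions:". As the change only corrects wording introduced by PATCH 1/2, squashing it into that commit would keep the history clean.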