stackrox · vladbologa · Jun 16, 2026 · Jun 16, 2026 · Jun 17, 2026
@@ -554,6 +554,40 @@ spec:
       operator: in
       values: [ "false" ]
 
+  - name: verify-crypto-policies
+    when:
+    - input: $(params.skip-checks)
+      operator: in
+      values: [ "false" ]
+    taskSpec:
+      description: >-
+        Verify that OpenSSL in the built collector image is configured to support post-quantum
+        cryptography (more specifically, the ML-KEM algorithm group). Regressions can occur e.g.
+        if the crypto-policy setting is removed from the Dockerfile, or the base image is changed
+        to one that does not support post-quantum cryptography.
+      steps:
+      - name: check-pq-crypto-policy
+        image: $(tasks.build-image-index.results.IMAGE_URL)@$(tasks.build-image-index.results.IMAGE_DIGEST)
+        env:
+        - name: EXPECTED_GROUP
+          value: X25519MLKEM768
+        - name: CONFIG_FILE
+          value: /etc/crypto-policies/back-ends/opensslcnf.config
+        script: |
+          #!/bin/bash
+          set -euo pipefail
+          echo "Verifying post-quantum crypto policy configuration..."
+          if grep -q "${EXPECTED_GROUP}" "${CONFIG_FILE}"; then
+            echo "PASS: ${EXPECTED_GROUP} found in ${CONFIG_FILE}"
+          else
+            echo "Contents of ${CONFIG_FILE}:"
+            cat "${CONFIG_FILE}"
+            echo
+            echo "FAIL: The image's OpenSSL is not configured to support ML-KEM."
+            echo "FAIL: ${EXPECTED_GROUP} not found in ${CONFIG_FILE}"
+            exit 1
+          fi
+
   - name: push-dockerfile
     params:
     - name: IMAGE