---
id: weekly-sbom-staleness
name: Weekly SBOM Staleness Check
enabled: true
owner: custodian-agent
governance: custodian
status: active
trigger:
  type: cron
  cron_expression: "0 9 * * 1"
  timezone: Europe/Berlin
  misfire_policy: skip
context_sources:
  - type: state-hub
    query: repo_sbom_status
    params:
      repos: all
    bind_to: context.repos
    # Resolver returns a summary keyed off the worst repo so the rule expression
    # below can match without comprehensions (the sandboxed evaluator does not
    # support them). See _repo_sbom_status in context_resolvers/state_hub.py.
---

# Weekly SBOM Staleness Check

Runs every Monday at 09:00 Berlin time. Checks all tracked repositories for SBOM staleness and flags any repository whose SBOM is older than 30 days.

```rule
id: flag-stale-sbom
for_each: context.repos.repos
bind_as: repo
condition: 'context.repo.sbom_age_days > 30'
action:
  task_template: Run SBOM rescan for {context.repo.repo_slug}
  target_repo: context.repo.repo_slug
  priority: medium
  labels: ["sbom", "security", "automated"]
```

The bulk resolver exposes the per-repo entries under `context.repos.repos`. The rule uses explicit `for_each` binding so the workflow evaluates the condition once per repository and emits one task per stale repo. Action fields may reference the bound item with `context.repo.*`.
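The `for_each` dispatch described above, as an added example that is not the project's own workflow engine: a small evaluator that binds each resolver entry to `context.repo`, checks the condition through an allowlisted expression sandbox (dotted paths, literals, comparisons and boolean operators only, so comprehensions, calls and subscripts are rejected), and emits one task per stale repository. The resolver payload, the `run_rule`/`evaluate_condition` names and the shape of the emitted task are assumptions made here; only the rule fields and the `context.repos.repos` path come from the page.

```python
"""Minimal evaluator for the for_each rule shape (added example, not project code)."""
import ast
import operator
import re

# Constructed stand-in for what the state-hub resolver binds to `context.repos`.
SAMPLE_CONTEXT = {
    "repos": {
        "repos": [
            {"repo_slug": "acme/api", "sbom_age_days": 45},
            {"repo_slug": "acme/web", "sbom_age_days": 3},
            {"repo_slug": "acme/infra", "sbom_age_days": 31},
            {"repo_slug": "acme/docs", "sbom_age_days": 30},  # exactly 30: not stale
        ]
    }
}

# The rule from the page, as the parsed dict an engine would hold.
RULE = {
    "id": "flag-stale-sbom",
    "for_each": "context.repos.repos",
    "bind_as": "repo",
    "condition": "context.repo.sbom_age_days > 30",
    "action": {
        "task_template": "Run SBOM rescan for {context.repo.repo_slug}",
        "target_repo": "context.repo.repo_slug",
        "priority": "medium",
        "labels": ["sbom", "security", "automated"],
    },
}

_COMPARE = {ast.Gt: operator.gt, ast.GtE: operator.ge, ast.Lt: operator.lt,
            ast.LtE: operator.le, ast.Eq: operator.eq, ast.NotEq: operator.ne}


def resolve_path(context, dotted):
    """Walk a `context.a.b` path over nested dicts; a missing key resolves to None."""
    head, *rest = dotted.split(".")
    if head != "context":
        raise ValueError(f"paths must start with 'context': {dotted}")
    node = context
    for part in rest:
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def _dotted(node):
    """Turn an Attribute/Name chain back into its dotted source form."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        raise ValueError("only dotted names are allowed")
    parts.append(node.id)
    return ".".join(reversed(parts))


def _eval(node, context):
    """Allowlisted evaluation; any other node type (Call, Subscript, ListComp...) is rejected."""
    if isinstance(node, ast.Expression):
        return _eval(node.body, context)
    if isinstance(node, ast.Constant):
        return node.value
    if isinstance(node, (ast.Attribute, ast.Name)):
        return resolve_path(context, _dotted(node))
    if isinstance(node, ast.Compare) and len(node.ops) == 1 and type(node.ops[0]) in _COMPARE:
        left, right = _eval(node.left, context), _eval(node.comparators[0], context)
        if left is None or right is None:
            return False  # a missing field never matches, rather than raising
        return _COMPARE[type(node.ops[0])](left, right)
    if isinstance(node, ast.BoolOp):
        vals = [_eval(v, context) for v in node.values]
        return all(vals) if isinstance(node.op, ast.And) else any(vals)
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.Not):
        return not _eval(node.operand, context)
    raise ValueError(f"unsupported expression node: {type(node).__name__}")


def evaluate_condition(expr, context):
    return bool(_eval(ast.parse(expr, mode="eval"), context))


def render(template, context):
    """Substitute `{context.x.y}` placeholders in a task template."""
    return re.sub(r"\{(context\.[\w.]+)\}",
                  lambda m: str(resolve_path(context, m.group(1))), template)


def run_rule(rule, context):
    """Bind each for_each item as context.<bind_as>, test the condition, emit one task per match."""
    tasks = []
    for item in resolve_path(context, rule["for_each"]) or []:
        scoped = dict(context)          # shallow copy so bindings do not leak between items
        scoped[rule["bind_as"]] = item
        if not evaluate_condition(rule["condition"], scoped):
            continue
        act = rule["action"]
        tasks.append({"rule_id": rule["id"],
                      "title": render(act["task_template"], scoped),
                      "target_repo": resolve_path(scoped, act["target_repo"]),
                      "priority": act["priority"],
                      "labels": list(act["labels"])})
    return tasks


if __name__ == "__main__":
    for task in run_rule(RULE, SAMPLE_CONTEXT):
        print(task)
```

Running it against the constructed payload yields two tasks, for `acme/api` and `acme/infra`; the entry at exactly 30 days is left alone because the condition is a strict `>`. The point of routing the condition through `ast` with an allowlist rather than `eval` is that a rule file stored next to the workflow definition cannot call functions, index into objects or build comprehensions, which is the same restriction the front-matter comment describes for the sandboxed evaluator.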