README
¶
in-toto SCAI Generator and Demos
The Software Supply Chain Attribute Integrity, or SCAI (pronounced "sky"), framework is a succinct data format specification for claims and evidence about attributes and integrity about a software artifact and its supply chain.
For more details read our intro doc or the full SCAI spec doc.
In this repo
This repo provides Go and Python implementations of CLI tools for automatically generating SCAI metadata compliant with the in-toto Attestation Framework.
A number of sample use cases for SCAI are implemented in examples/.
In addition, our Go scai-gen CLI tool supports policy checking of SCAI attestations against evidence. Example policies can be found in policies/.
The SCAI specification is hosted under the in-toto Attestation Framework as an attestation predicate.
All documentation can be found under docs/.
Usage
Read the usage doc for instructions on setup and tool invocation for Python and Go environments.
We encourage you to gain a basic understanding of the SCAI specification before using the scai-generator CLI tools in this repo.
For a full demo of how to use the Go scai-gen tools, read our [KubeCon + CloudNativeCon NA '23 doc].
Disclaimer
While the tools in this repo are conformant to the in-toto Attestation Framework, they do not generate authenticated SCAI attestations. The example use cases in this repo are only provided for illustrative purposes, and should not be used in production.
Directories
¶
| Path | Synopsis |
|---|---|
|
cmd
adapted from https://github.com/slsa-framework/slsa-github-generator/blob/main/signing/sigstore/fulcio.go and https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/generic/attest.go
|
adapted from https://github.com/slsa-framework/slsa-github-generator/blob/main/signing/sigstore/fulcio.go and https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/generic/attest.go |