Documentation
Index
- Constants
- func ShaSum256HexEncoded(b []byte) string
- type BuildConfig
- type Builder
- type Completeness
- type ConfigSource
- type DigestSet
- type Envelope
- type FilePathSubjecter
- type Invocation
- type Item
- type Metadata
- type Predicate
- type Provenancer
- type Statement
- type StatementOption
- func WithBuilder(id string) StatementOption
- func WithInvocation(buildType, entryPoint string, environment json.RawMessage, ...) StatementOption
- func WithMaterials(materials []Item) StatementOption
- func WithMetadata(buildInvocationID string) StatementOption
- func WithSubject(s []Subject) StatementOption
- type Subject
- type Subjecter
Constants
const (
	// SlsaPredicateType is the predicate type for SLSA in-toto statements
	SlsaPredicateType = "https://slsa.dev/provenance/v0.2"
	// StatementType is the type of the in-toto statement
	StatementType = "https://in-toto.io/Statement/v0.1"
)
Variables
This section is empty.
Functions
func ShaSum256HexEncoded
func ShaSum256HexEncoded(b []byte) string
ShaSum256HexEncoded returns the hex-encoded SHA-256 checksum of b.
Types
type BuildConfig
type BuildConfig struct{}
BuildConfig lists the steps in the build. If invocation.configSource is not available, buildConfig can be used to verify information about the build.
type Builder
type Builder struct {
ID string `json:"id"`
}
Builder identifies the entity that executed the recipe, which is trusted to have correctly performed the operation and populated this provenance. The identity MUST reflect the trust base that consumers care about. How detailed to be is a judgement call. For example, GitHub Actions supports both GitHub-hosted runners and self-hosted runners. The GitHub-hosted runner might be a single identity because it's all GitHub from the consumer's perspective. Meanwhile, each self-hosted runner might have its own identity because not all runners are trusted by all consumers.
Consumers MUST accept only specific (signer, builder) pairs. For example, "GitHub" can sign provenance for the "GitHub Actions" builder, and "Google" can sign provenance for the "Google Cloud Build" builder, but "GitHub" cannot sign for the "Google Cloud Build" builder.
Design rationale: The builder is distinct from the signer because one signer may generate attestations for more than one builder, as in the GitHub Actions example above. The field is required, even if it is implicit from the signer, to aid readability and debugging. It is an object to allow additional fields in the future, in case one URI is not sufficient.
type Completeness
type Completeness struct {
	Parameters bool `json:"parameters"`
	Environment bool `json:"environment"`
	Materials bool `json:"materials"`
}
Completeness indicates that the builder claims certain fields in this message to be complete.
type ConfigSource
type ConfigSource struct {
	EntryPoint string `json:"entryPoint"`
	URI string `json:"uri,omitempty"`
	Digest DigestSet `json:"digest,omitempty"`
}
ConfigSource describes where the config file that kicked off the build came from. This is effectively a pointer to the source where buildConfig came from.
type Envelope
type Envelope struct {
	PayloadType string `json:"payloadType"`
	Payload string `json:"payload"`
	Signatures []interface{} `json:"signatures"`
}
Envelope wraps an in-toto Statement so that signatures can be attached to it.
type FilePathSubjecter
type FilePathSubjecter struct {
// contains filtered or unexported fields
}
FilePathSubjecter implements Subjecter and retrieves Subjects from a file path.
func NewFilePathSubjecter
func NewFilePathSubjecter(root string) *FilePathSubjecter
NewFilePathSubjecter walks the file or directory at "root" and hashes all files.
func (*FilePathSubjecter) Subjects
func (f *FilePathSubjecter) Subjects() ([]Subject, error)
Subjects walks the file or directory at "root", hashes all files, and returns the resulting Subjects.
type Invocation
type Invocation struct {
	ConfigSource ConfigSource `json:"configSource"`
	Parameters json.RawMessage `json:"parameters"`
	Environment json.RawMessage `json:"environment"`
}
Invocation identifies the configuration used for the build. When combined with materials, this SHOULD fully describe the build, such that re-running this recipe results in bit-for-bit identical output (if the build is reproducible).
type Metadata
type Metadata struct {
	BuildInvocationID string `json:"buildInvocationId"`
	// BuildStartedOn is not defined, as it is not available from a GitHub Action.
	BuildFinishedOn string `json:"buildFinishedOn"`
	Completeness `json:"completeness"`
	Reproducible bool `json:"reproducible"`
}
Metadata holds other properties of the build.
type Predicate
type Predicate struct {
	Builder `json:"builder"`
	BuildType string `json:"buildType"`
	Invocation `json:"invocation"`
	BuildConfig *BuildConfig `json:"build_config,omitempty"`
	Metadata `json:"metadata,omitempty"`
	Materials []Item `json:"materials"`
}
Predicate follows the in-toto attestation parsing rules:
https://github.com/in-toto/attestation/blob/main/spec/README.md#parsing-rules
The Predicate is the innermost layer of the attestation, containing arbitrary metadata about the Statement's subject.
A predicate has a required predicateType (TypeURI) identifying what the predicate means, plus an optional predicate (object) containing additional, type-dependent parameters.
type Provenancer
type Provenancer interface {
	GenerateProvenanceStatement(ctx context.Context, subjecter Subjecter) (*Statement, error)
	PersistProvenanceStatement(ctx context.Context, stmt *Statement, path string) error
}
Provenancer generates provenance statements for given artifacts.
type Statement
type Statement struct {
	Type string `json:"_type"`
	Subject []Subject `json:"subject"`
	PredicateType string `json:"predicateType"`
	Predicate Predicate `json:"predicate"`
}
Statement is the middle layer of the attestation, binding it to a particular subject and unambiguously identifying the type of the predicate.
func SLSAProvenanceStatement
func SLSAProvenanceStatement(opts ...StatementOption) *Statement
SLSAProvenanceStatement builds an in-toto statement whose predicate type is SlsaPredicateType (see Constants), applying the given options.
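The three layers described above (Envelope around Statement around Predicate), as an added example that is not the package's own code: it uses minimal stand-in types mirroring the structs on this page (Subject's fields and the DSSE payload type are assumptions), hashes an artifact the way ShaSum256HexEncoded does, binds it as the subject, and base64-encodes the Statement into an unsigned Envelope.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
)

// Stand-ins for the page's types (JSON tags follow the definitions above); Subject's fields are assumed.
type Subject struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"`
}
type Builder struct {
	ID string `json:"id"`
}
type Predicate struct {
	Builder   `json:"builder"`
	BuildType string `json:"buildType"`
}
type Statement struct {
	Type          string    `json:"_type"`
	Subject       []Subject `json:"subject"`
	PredicateType string    `json:"predicateType"`
	Predicate     Predicate `json:"predicate"`
}
type Envelope struct {
	PayloadType string        `json:"payloadType"`
	Payload     string        `json:"payload"`
	Signatures  []interface{} `json:"signatures"`
}
// shaSum256HexEncoded mirrors ShaSum256HexEncoded above: hex(SHA-256(b)).
func shaSum256HexEncoded(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}
// NewStatement binds an artifact's digest (the subject) to a predicate naming the trusted builder.
func NewStatement(name string, content []byte, builderID, buildType string) Statement {
	subj := Subject{Name: name, Digest: map[string]string{"sha256": shaSum256HexEncoded(content)}}
	return Statement{Type: "https://in-toto.io/Statement/v0.1", Subject: []Subject{subj},
		PredicateType: "https://slsa.dev/provenance/v0.2",
		Predicate:     Predicate{Builder: Builder{ID: builderID}, BuildType: buildType}}
}
// Wrap serialises the Statement into an unsigned Envelope; the base64 payload is the exact
// byte string a signer would cover. The payloadType is the assumed DSSE in-toto media type.
func Wrap(stmt Statement) Envelope {
	raw, _ := json.Marshal(stmt) // cannot fail: plain structs, strings and maps only
	return Envelope{PayloadType: "application/vnd.in-toto+json",
		Payload: base64.StdEncoding.EncodeToString(raw), Signatures: []interface{}{}}
}
```

A verifier decodes Payload, checks the `_type` and predicateType values against the constants above, and only then trusts the (signer, builder) pair named in the predicate.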
type StatementOption
type StatementOption func(*Statement)
StatementOption is a functional option used to build a Statement.
func WithBuilder
func WithBuilder(id string) StatementOption
WithBuilder sets the Statement's builder to the given ID.
func WithInvocation
func WithInvocation(buildType, entryPoint string, environment json.RawMessage, parameters json.RawMessage, materials []Item) StatementOption
WithInvocation sets the Predicate's Invocation and Materials.
func WithMaterials
func WithMaterials(materials []Item) StatementOption
WithMaterials adds additional materials to the Predicate.
func WithMetadata
func WithMetadata(buildInvocationID string) StatementOption
WithMetadata sets the Predicate's Metadata from buildInvocationID and the current time.
func WithSubject
func WithSubject(s []Subject) StatementOption
WithSubject sets the Statement's subject to the provided value.