attestation

package

v2.2.4 Latest Latest Go to latest Published: Apr 10, 2024 License: Apache-2.0 Imports: 9 Imported by: 3

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/sigstore/cosign

Links

Open Source Insights

Documentation ¶

Index ¶

Constants
func GenerateStatement(opts GenerateOpts) (interface{}, error)
type CosignPredicate
type CosignVulnPredicate
type CosignVulnStatement
type DB
type GenerateOpts
type Invocation
type Metadata
type Scanner

Constants ¶

View Source

const (
	// CosignCustomProvenanceV01 specifies the type of the Predicate.
	CosignCustomProvenanceV01 = "https://cosign.sigstore.dev/attestation/v1"

	// CosignVulnProvenanceV01 specifies the type of VulnerabilityScan Predicate
	CosignVulnProvenanceV01 = "https://cosign.sigstore.dev/attestation/vuln/v1"

	// OpenVexNamespace holds the URI of the OpenVEX context to identify its
	// predicate type. More info about the specification can be found at
	// https://github.com/openvex/spec and the attestation spec is found here:
	// https://github.com/openvex/spec/blob/main/ATTESTING.md
	OpenVexNamespace = "https://openvex.dev/ns"
)

Variables ¶

This section is empty.

Functions ¶

func GenerateStatement ¶

func GenerateStatement(opts GenerateOpts) (interface{}, error)

Types ¶

type CosignPredicate ¶

type CosignPredicate struct {
	Data      interface{}
	Timestamp string
}

CosignPredicate specifies the format of the Custom Predicate.

type CosignVulnPredicate ¶

type CosignVulnPredicate struct {
	Invocation Invocation `json:"invocation"`
	Scanner    Scanner    `json:"scanner"`
	Metadata   Metadata   `json:"metadata"`
}

VulnPredicate specifies the format of the Vulnerability Scan Predicate

type CosignVulnStatement ¶

type CosignVulnStatement struct {
	in_toto.StatementHeader
	Predicate CosignVulnPredicate `json:"predicate"`
}

I think this will be moving to upstream in-toto in the fullness of time but creating it here for now so that we have a way to deserialize it as a InToto Statement https://github.com/in-toto/attestation/issues/58

type DB ¶

type DB struct {
	URI     string `json:"uri"`
	Version string `json:"version"`
}

type GenerateOpts ¶

type GenerateOpts struct {
	// Predicate is the source of bytes (e.g. a file) to use as the statement's predicate.
	Predicate io.Reader
	// Type is the pre-defined enums (provenance|link|spdx).
	// default: custom
	Type string
	// Digest of the Image reference.
	Digest string
	// Repo context of the reference.
	Repo string

	// Function to return the time to set
	Time func() time.Time
}

GenerateOpts specifies the options of the Statement generator.

type Invocation ¶

type Invocation struct {
	Parameters interface{} `json:"parameters"`
	URI        string      `json:"uri"`
	EventID    string      `json:"event_id"`
	BuilderID  string      `json:"builder.id"`
}

type Metadata ¶

type Metadata struct {
	ScanStartedOn  time.Time `json:"scanStartedOn"`
	ScanFinishedOn time.Time `json:"scanFinishedOn"`
}

type Scanner ¶

type Scanner struct {
	URI     string      `json:"uri"`
	Version string      `json:"version"`
	DB      DB          `json:"db"`
	Result  interface{} `json:"result"`
}

Source Files ¶

View all Source files

attestation.go

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL