Package vsa (v0.7.123)

This package is not in the latest version of its module.

Published: Jul 23, 2025 License: Apache-2.0 Imports: 19 Imported by: 0

Overview

Source file: attest.go

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func AttestVSA added in v0.7.108

func AttestVSA(ctx context.Context, attestor PredicateAttestor) (string, error)

AttestVSA handles VSA attestation and envelope writing for the target component.

func GenerateAndWriteVSA added in v0.7.108

func GenerateAndWriteVSA[T any](ctx context.Context, generator PredicateGenerator[T], writer PredicateWriter[T]) (string, error)

GenerateAndWriteVSA generates a VSA predicate and writes it to a file, returning the written path.

func NoopUploader

func NoopUploader(ctx context.Context, att oci.Signature, location string) (string, error)

func OCIUploader

func OCIUploader(ctx context.Context, att oci.Signature, location string) (string, error)

Built-in uploaders

func RekorUploader

func RekorUploader(ctx context.Context, att oci.Signature, location string) (string, error)

Types

type AttestationUploader

type AttestationUploader func(ctx context.Context, att oci.Signature, location string) (string, error)

AttestationUploader is a function that uploads an attestation and returns a result string or an error. This allows pluggable upload logic (OCI, Rekor, None, or custom).

type Attestor added in v0.7.108

type Attestor struct {
	PredicatePath string // path to the raw VSA (predicate) JSON
	PredicateType string // e.g. "https://enterprisecontract.dev/attestations/vsa/v1" // TODO: make this configurable
	Digest        string // sha256:abcd…  (as returned by `skopeo inspect --format {{.Digest}}`)
	Repo          string // "quay.io/acme/widget" (hostname/namespace/repo)
	Signer        *Signer
}

func NewAttestor added in v0.7.108

func NewAttestor(predicatePath, repo, digest string, signer *Signer) (*Attestor, error)

NewAttestor constructs an Attestor with sensible defaults.

func (Attestor) AttestPredicate added in v0.7.108

func (a Attestor) AttestPredicate(ctx context.Context) ([]byte, error)

AttestPredicate builds an in-toto Statement around the predicate and returns the fully signed **DSSE envelope** (identical to cosign's --no-upload output). Nothing is pushed to a registry or the TLog.

func (Attestor) TargetDigest added in v0.7.117

func (a Attestor) TargetDigest() string

func (Attestor) WriteEnvelope added in v0.7.108

func (a Attestor) WriteEnvelope(data []byte) (string, error)

WriteEnvelope is an optional convenience that mirrors cosign's --output-signature flag; it emits <predicate>.intoto.jsonl next to the predicate file.

type Generator

type Generator struct {
	Report    applicationsnapshot.Report
	Component applicationsnapshot.Component
}

Generator handles VSA predicate generation.

func NewGenerator

NewGenerator creates a new VSA predicate generator.

func (*Generator) GeneratePredicate

func (g *Generator) GeneratePredicate(ctx context.Context) (*Predicate, error)

GeneratePredicate creates a Predicate for a validated image/component.

type Predicate

type Predicate struct {
	ImageRef         string                 `json:"imageRef"`
	ValidationResult string                 `json:"validationResult"`
	Timestamp        string                 `json:"timestamp"`
	Verifier         string                 `json:"verifier"`
	PolicySource     string                 `json:"policySource"`
	Component        map[string]interface{} `json:"component"`
	RuleResults      []evaluator.Result     `json:"ruleResults"`
}

Predicate represents a Verification Summary Attestation (VSA) predicate.

type PredicateAttestor added in v0.7.108

type PredicateAttestor interface {
	AttestPredicate(ctx context.Context) ([]byte, error)
	WriteEnvelope(data []byte) (string, error)
	TargetDigest() string
}

PredicateAttestor is the interface for attesting VSA predicates and writing envelopes.

type PredicateGenerator added in v0.7.108

type PredicateGenerator[T any] interface {
	GeneratePredicate(ctx context.Context) (T, error)
}

PredicateGenerator is the interface for generating VSA predicates.

type PredicateWriter added in v0.7.108

type PredicateWriter[T any] interface {
	WritePredicate(pred T) (string, error)
}

PredicateWriter is the interface for writing VSA predicates to files.

type Service added in v0.7.117

type Service struct {
	// contains filtered or unexported fields
}

Service encapsulates all VSA processing logic for both components and snapshots.

func NewServiceWithFS added in v0.7.117

func NewServiceWithFS(signer *Signer, fs afero.Fs) *Service

NewServiceWithFS creates a new VSA service with the given signer and filesystem.

func (*Service) ProcessAllVSAs added in v0.7.117

func (s *Service) ProcessAllVSAs(ctx context.Context, report applicationsnapshot.Report, getGitURL func(applicationsnapshot.Component) string, getDigest func(applicationsnapshot.Component) (string, error)) error

ProcessAllVSAs processes VSAs for all components and for the snapshot.

func (*Service) ProcessComponentVSA added in v0.7.117

func (s *Service) ProcessComponentVSA(ctx context.Context, report applicationsnapshot.Report, comp applicationsnapshot.Component, gitURL, digest string) (string, error)

ProcessComponentVSA handles VSA generation, writing, and attestation for a single component.

func (*Service) ProcessSnapshotVSA added in v0.7.117

func (s *Service) ProcessSnapshotVSA(ctx context.Context, report applicationsnapshot.Report) (string, error)

ProcessSnapshotVSA handles VSA generation, writing, and attestation for the application snapshot.

type Signer

type Signer struct {
	KeyPath    string
	FS         afero.Fs
	WrapSigner signature.Signer
}

func NewSigner

func NewSigner(keyPath string, fs afero.Fs) (*Signer, error)

type Writer

type Writer struct {
	FS            afero.Fs    // defaults to the package-level FS or afero.NewOsFs()
	TempDirPrefix string      // defaults to "vsa-"
	FilePerm      os.FileMode // defaults to 0600
}

Writer handles VSA file writing.

func NewWriter

func NewWriter() *Writer

NewWriter creates a new VSA file writer.

func (*Writer) WritePredicate added in v0.7.108

func (w *Writer) WritePredicate(predicate *Predicate) (string, error)

WritePredicate writes the Predicate as a JSON file to a temp directory and returns the path.
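The two steps this page documents without showing their bodies are AttestPredicate (wrapping the predicate in an in-toto Statement whose subject is the target image digest) and Writer.WritePredicate (writing JSON into a fresh "vsa-" temp directory with mode 0600). The program below is an added, self-contained illustration of both and is not code from the vsa package: it defines its own Predicate and Statement types using the field layout shown above (with evaluator.Result simplified to a generic map, since that type is not on this page), rejects a digest that is not of the form sha256:<64 hex chars> so that a statement can never be emitted with a subject no verifier could match, and leaves out DSSE signing entirely. The constant PredicateType reuses the value from the Attestor field comment; all sample values are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"path/filepath"
	"regexp"
	"strings"
	"time"
)

// Predicate mirrors the field layout documented for vsa.Predicate. RuleResults
// is a slice of generic maps here because evaluator.Result is not defined on
// this page (assumption for the example).
type Predicate struct {
	ImageRef         string                   `json:"imageRef"`
	ValidationResult string                   `json:"validationResult"`
	Timestamp        string                   `json:"timestamp"`
	Verifier         string                   `json:"verifier"`
	PolicySource     string                   `json:"policySource"`
	Component        map[string]interface{}   `json:"component"`
	RuleResults      []map[string]interface{} `json:"ruleResults"`
}

// Subject names the artifact a statement is about; the digest map is keyed
// by algorithm, as in the in-toto Statement v0.1 layout.
type Subject struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"`
}

// Statement is the unsigned in-toto Statement that AttestPredicate is
// documented to build around the predicate before DSSE signing (not shown).
type Statement struct {
	Type          string    `json:"_type"`
	Subject       []Subject `json:"subject"`
	PredicateType string    `json:"predicateType"`
	Predicate     Predicate `json:"predicate"`
}

// PredicateType is the value shown in the Attestor field comment on this page.
const PredicateType = "https://enterprisecontract.dev/attestations/vsa/v1"

var sha256Hex = regexp.MustCompile(`^[0-9a-f]{64}$`)

// BuildStatement binds the predicate to exactly one subject, the image at
// repo@digest. A digest that is not "sha256:<64 lowercase hex>" is rejected:
// a statement whose subject matches no image digest would never be found by
// a verifier, so failing loudly here is the safer behaviour.
func BuildStatement(repo, digest string, pred Predicate) (*Statement, error) {
	algo, hex, ok := strings.Cut(digest, ":")
	if !ok || algo != "sha256" || !sha256Hex.MatchString(hex) {
		return nil, fmt.Errorf("digest %q is not of the form sha256:<64 hex chars>", digest)
	}
	return &Statement{
		Type:          "https://in-toto.io/Statement/v0.1",
		Subject:       []Subject{{Name: repo, Digest: map[string]string{algo: hex}}},
		PredicateType: PredicateType,
		Predicate:     pred,
	}, nil
}

// WriteJSON mirrors the documented Writer defaults: a fresh temp directory
// with prefix "vsa-" and file mode 0600, so the output is readable only by
// the user running the verifier. It returns the written path.
func WriteJSON(name string, v interface{}) (string, error) {
	data, err := json.MarshalIndent(v, "", "  ")
	if err != nil {
		return "", err
	}
	dir, err := os.MkdirTemp("", "vsa-")
	if err != nil {
		return "", err
	}
	path := filepath.Join(dir, name)
	if err := os.WriteFile(path, data, 0o600); err != nil {
		return "", err
	}
	return path, nil
}

// FilePerm returns the permission bits of path so a caller can confirm the
// 0600 default actually took effect on this filesystem.
func FilePerm(path string) (os.FileMode, error) {
	info, err := os.Stat(path)
	if err != nil {
		return 0, err
	}
	return info.Mode().Perm(), nil
}

func main() {
	// Constructed sample values, not taken from any real build.
	digest := "sha256:" + strings.Repeat("ab", 32)
	pred := Predicate{
		ImageRef:         "quay.io/acme/widget@" + digest,
		ValidationResult: "success",
		Timestamp:        time.Now().UTC().Format(time.RFC3339),
		Verifier:         "ec-cli (example)",
		PolicySource:     "example-policy",
		Component:        map[string]interface{}{"name": "widget"},
	}
	st, err := BuildStatement("quay.io/acme/widget", digest, pred)
	if err != nil {
		fmt.Println("error:", err)
		os.Exit(1)
	}
	path, err := WriteJSON("vsa.intoto.json", st)
	if err != nil {
		fmt.Println("error:", err)
		os.Exit(1)
	}
	perm, _ := FilePerm(path)
	fmt.Printf("wrote %s (mode %04o)\n", path, perm)
}
```

The digest check is the part worth keeping in mind when wiring a custom PredicateAttestor: the subject is the only thing that ties the VSA to a specific image, so a statement built from a malformed or empty digest is not merely useless but misleading to anyone who later trusts the envelope.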
