vsa

package
v0.8.80 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Dec 29, 2025 License: Apache-2.0 Imports: 51 Imported by: 0

Documentation

Overview

attest.go

Index

Constants

View Source 
const (
	ErrorTypeVSA       = "vsa"
	ErrorTypeFallback  = "fallback"
	ErrorTypeNetwork   = "network"
	ErrorTypePolicy    = "policy"
	ErrorTypeSignature = "signature"
	ErrorTypeTimeout   = "timeout"
	ErrorTypeRetrieval = "retrieval"
)

ErrorType constants

View Source 
const (
	SeverityError   = "error"
	SeverityWarning = "warning"
	SeverityInfo    = "info"
)

Severity constants

View Source 
const (
	PredicateType = "https://conforma.dev/verification_summary/v1"
)

Predicate type URL

Variables

View Source 
var LoadPrivateKey = cosign.LoadPrivateKey

LoadPrivateKey is aliased to allow easy testing.

Functions

func AttestVSA added in v0.7.108 

func AttestVSA(ctx context.Context, attestor PredicateAttestor) (string, error)

AttestVSA handles VSA attestation and envelope writing for the target component.

func CompareVSAPolicyWithDetails added in v0.8.39 

func CompareVSAPolicyWithDetails(vsaPolicy ecapi.EnterpriseContractPolicySpec, suppliedPolicy ecapi.EnterpriseContractPolicySpec, effectiveTime time.Time, imageInfo *equivalence.ImageInfo) (bool, []equivalence.PolicyDifference, error)

CompareVSAPolicyWithDetails compares VSA policy with supplied policy and returns detailed differences

func ConvertYAMLToJSON added in v0.8.39 

func ConvertYAMLToJSON(data interface{}) interface{}

ConvertYAMLToJSON converts YAML interface{} types to proper types for JSON marshaling

func ExtractDigestFromImageRef added in v0.8.39 

func ExtractDigestFromImageRef(imageRef string) (string, error)

ExtractDigestFromImageRef extracts the digest from an image reference

func ExtractImageDigest added in v0.8.39 

func ExtractImageDigest(identifier string) string

ExtractImageDigest extracts image digest from identifier

func ExtractPolicyFromVSA added in v0.8.39 

func ExtractPolicyFromVSA(predicate *Predicate) (ecapi.EnterpriseContractPolicySpec, error)

ExtractPolicyFromVSA extracts the policy from VSA predicate

func FormatPolicyDifferences added in v0.8.39 

func FormatPolicyDifferences(differences []equivalence.PolicyDifference) string

FormatPolicyDifferences formats policy differences using unified diff format

func GenerateAndWritePredicate added in v0.8.25 

func GenerateAndWritePredicate(ctx context.Context, generator *Generator, writer *Writer) (string, error)

GenerateAndWritePredicate generates a Predicate and writes it to a file, returning the written path.

func GenerateAndWriteSnapshotPredicate added in v0.8.25 

func GenerateAndWriteSnapshotPredicate(ctx context.Context, generator *applicationsnapshot.SnapshotPredicateGenerator, writer *applicationsnapshot.SnapshotPredicateWriter) (string, error)

GenerateAndWriteSnapshotPredicate generates a snapshot Predicate and writes it to a file, returning the written path.

func IsFilePathLike added in v0.8.44 

func IsFilePathLike(identifier string) bool

isFilePathLike checks if an identifier looks like a file path This handles the case where name.ParseReference incorrectly accepts file paths as valid image references

func IsImageReference added in v0.8.39 

func IsImageReference(identifier string) bool

IsImageReference checks if the identifier is an image reference

func IsVSAExpired added in v0.8.18 

func IsVSAExpired(vsaTimestamp time.Time, expirationThreshold time.Duration) bool

IsVSAExpired checks if a VSA is expired based on the timestamp and threshold

func IsValidVSAIdentifier added in v0.8.39 

func IsValidVSAIdentifier(identifier string) bool

IsValidVSAIdentifier validates VSA identifier format

func ParseEffectiveTime added in v0.8.39 

func ParseEffectiveTime(effectiveTime string) (time.Time, error)

ParseEffectiveTime parses the effective time string

func ParsePolicySpec added in v0.8.39 

func ParsePolicySpec(policyConfig string) (ecapi.EnterpriseContractPolicySpec, error)

ParsePolicySpec parses a policy configuration string to extract the EnterpriseContractPolicySpec

func ParseVSAExpirationDuration added in v0.8.39 

func ParseVSAExpirationDuration(s string) (time.Duration, error)

ParseVSAExpirationDuration parses a duration string with support for h, d, w, m suffixes

func ShouldTriggerFallback added in v0.8.44 

func ShouldTriggerFallback(err error, result *ValidationResult) bool

shouldTriggerFallback determines if fallback should be triggered based on VSA validation results

func UploadVSAEnvelope added in v0.7.148 

func UploadVSAEnvelope(ctx context.Context, envelopePath string, storageConfigs []string, signer *Signer) error

UploadVSAEnvelope uploads a VSA envelope to the configured storage backends

Types

type Attestor added in v0.7.108 

type Attestor struct {
	PredicatePath string  // path to the raw VSA (predicate) JSON
	PredicateType string  // e.g. "https://enterprisecontract.dev/attestations/vsa/v1" // TODO: make this configurable
	Digest        string  // sha256:abcd…  (as returned by `skopeo inspect --format {{.Digest}}`)
	Repo          string  // "quay.io/acme/widget" (hostname/namespace/repo)
	Signer        *Signer // Signer is the signer used to sign the VSA
}

func NewAttestor added in v0.7.108 

func NewAttestor(predicatePath, repo, digest string, signer *Signer) (*Attestor, error)

NewAttestor creates an Attestor with sensible defaults

func (Attestor) AttestPredicate added in v0.7.108 

func (a Attestor) AttestPredicate(ctx context.Context) ([]byte, error)

AttestPredicate builds an in‑toto Statement around the predicate and returns the fully‑signed **DSSE envelope** (identical to cosign's --no-upload output). Nothing is pushed to a registry or the TLog.

func (Attestor) TargetDigest added in v0.7.117 

func (a Attestor) TargetDigest() string

func (Attestor) WriteEnvelope added in v0.7.108 

func (a Attestor) WriteEnvelope(data []byte) (string, error)

WriteEnvelope is an optional convenience that mirrors cosign's --output‑signature flag; it emits <predicate>.intoto.jsonl next to the file.

type Cause added in v0.8.44 

type Cause struct {
	Type      string  `json:"type"` // "vsa", "fallback", "network", "policy", etc.
	Message   string  `json:"message"`
	Details   string  `json:"details,omitempty"`
	SubCauses []Cause `json:"sub_causes,omitempty"`
	Timestamp string  `json:"timestamp,omitempty"`
	Severity  string  `json:"severity,omitempty"` // "error", "warning", "info"
}

Cause represents a specific cause of validation failure

type ComponentDetail added in v0.8.25 

type ComponentDetail struct {
	Name       string `json:"Name"`
	ImageRef   string `json:"ImageRef"`
	Violations int    `json:"Violations"`
	Warnings   int    `json:"Warnings"`
	Successes  int    `json:"Successes"`
}

ComponentDetail represents detailed information about a component in the summary

type ComponentResult added in v0.8.39 

type ComponentResult struct {
	ComponentName  string
	ImageRef       string
	Result         *ValidationResult // VSA validation result
	Error          error
	FallbackResult *validate_utils.Result // Image validation result when fallback was used
}

ComponentResult represents the validation result for a snapshot component

type ComponentSummary added in v0.8.25 

type ComponentSummary struct {
	Name           string      `json:"name"`
	ContainerImage string      `json:"containerImage"`
	Source         interface{} `json:"source"`
}

ComponentSummary represents the summary information for a single component

type FallbackConfig added in v0.8.44 

type FallbackConfig struct {
	FallbackToImageValidation bool
	FallbackPublicKey         string
	PolicyConfig              string
	EffectiveTime             string
	Info                      interface{}
}

FallbackConfig holds configuration for fallback validation

type FallbackResult added in v0.8.44 

type FallbackResult struct {
	FallbackOutput *output.Output
	VSAResult      *ValidationResult
	Error          error
}

FallbackResult contains the results of fallback validation

func PerformFallbackValidation added in v0.8.44 

func PerformFallbackValidation(result *ValidationResult, predicateStatus string) *FallbackResult

performFallbackValidation performs the common fallback validation logic Note: This function now only handles the VSA result logic, image validation is handled in CLI layer

type FallbackValidationContext added in v0.8.44 

type FallbackValidationContext struct {
	PolicyConfiguration string
	FallbackPolicy      policy.Policy
}

FallbackValidationContext holds precomputed fallback validation resources

func CreateFallbackValidationContext added in v0.8.44 

func CreateFallbackValidationContext(ctx context.Context, config *FallbackConfig) (*FallbackValidationContext, error)

createFallbackValidationContext precomputes the fallback validation context once

type FileVSARetriever added in v0.8.23 

type FileVSARetriever struct {
	// contains filtered or unexported fields
}

FileVSARetriever implements VSARetriever using filesystem storage

func NewFileVSARetriever added in v0.8.23 

func NewFileVSARetriever(fs afero.Fs, basePath string) *FileVSARetriever

NewFileVSARetriever creates a new filesystem-based VSA retriever

func NewFileVSARetrieverWithOSFs added in v0.8.23 

func NewFileVSARetrieverWithOSFs(basePath string) *FileVSARetriever

NewFileVSARetrieverWithOSFs creates a new filesystem-based VSA retriever using the OS filesystem

func NewFileVSARetrieverWithOptions added in v0.8.23 

func NewFileVSARetrieverWithOptions(opts FileVSARetrieverOptions) *FileVSARetriever

NewFileVSARetrieverWithOptions creates a new filesystem-based VSA retriever with options

func (*FileVSARetriever) RetrieveVSA added in v0.8.23 

func (f *FileVSARetriever) RetrieveVSA(ctx context.Context, identifier string) (*ssldsse.Envelope, error)

RetrieveVSA retrieves VSA data as a DSSE envelope from a file path The identifier can be: - A direct file path (e.g., "/path/to/vsa.json") - A relative path that will be resolved against basePath - A filename that will be looked up in basePath

type FileVSARetrieverOptions added in v0.8.23 

type FileVSARetrieverOptions struct {
	BasePath string
	FS       afero.Fs
}

FileVSARetrieverOptions configures filesystem-based VSA retrieval behavior

type Generator 

type Generator struct {
	Report       applicationsnapshot.Report
	Component    applicationsnapshot.Component
	PolicySource string
	Policy       PublicKeyProvider
}

Generator handles VSA predicate generation

func NewGenerator 

func NewGenerator(report applicationsnapshot.Report, comp applicationsnapshot.Component, policySource string, policy PublicKeyProvider) *Generator

NewGenerator creates a new VSA predicate generator

func (*Generator) GeneratePredicate 

func (g *Generator) GeneratePredicate(ctx context.Context) (*Predicate, error)

GeneratePredicate creates a Predicate for a validated image/component.

type IdentifierType added in v0.8.39 

type IdentifierType int

IdentifierType represents the type of VSA identifier 

const (
	// IdentifierFile represents a local file path (absolute, relative, or files with extensions)
	IdentifierFile IdentifierType = iota
	// IdentifierImageDigest represents a container image digest (e.g., sha256:abc123...)
	IdentifierImageDigest
	// IdentifierImageReference represents a container image reference (e.g., nginx:latest, registry.io/repo:tag)
	IdentifierImageReference
)

func DetectIdentifierType added in v0.8.39 

func DetectIdentifierType(identifier string) IdentifierType

DetectIdentifierType detects the type of VSA identifier

type ImageValidationResult added in v0.8.44 

type ImageValidationResult struct {
	Passed     bool                    `json:"passed"`
	Violations []evaluator.Result      `json:"violations,omitempty"`
	Warnings   []evaluator.Result      `json:"warnings,omitempty"`
	Successes  []evaluator.Result      `json:"successes,omitempty"`
	Summary    *ImageValidationSummary `json:"summary,omitempty"`
}

ImageValidationResult represents the result of image validation

func ToImageValidationResult added in v0.8.44 

func ToImageValidationResult(
	output *output.Output,
	err error,
	comp app.SnapshotComponent,
	showSuccesses bool,
	outputFormats []string,
) *ImageValidationResult

ToImageValidationResult converts an image validation Output to the unified ImageValidationResult format. It uses the same processing pipeline as the validate image command to ensure consistency. showSuccesses and outputFormats are optional - if not provided, defaults are used.

type ImageValidationSummary added in v0.8.44 

type ImageValidationSummary struct {
	TotalViolations int `json:"total_violations"`
	TotalWarnings   int `json:"total_warnings"`
	TotalSuccesses  int `json:"total_successes"`
}

ImageValidationSummary represents the summary of image validation results

type InTotoStatement added in v0.8.39 

type InTotoStatement struct {
	Type          string    `json:"_type"`
	PredicateType string    `json:"predicateType"`
	Subject       []Subject `json:"subject"`
	Predicate     Predicate `json:"predicate"`
}

InTotoStatement represents an in-toto statement structure

type LocalBackend added in v0.7.148 

type LocalBackend struct {
	// contains filtered or unexported fields
}

LocalBackend implements VSA storage to local filesystem

func (*LocalBackend) Name added in v0.7.148 

func (l *LocalBackend) Name() string

Name returns the backend name

func (*LocalBackend) Upload added in v0.7.148 

func (l *LocalBackend) Upload(ctx context.Context, envelopeContent []byte) error

Upload saves the VSA envelope to a local file

type PolicyDiff added in v0.8.73 

type PolicyDiff struct {
	Added   int `json:"added"`
	Removed int `json:"removed"`
	Changed int `json:"changed"`
}

PolicyDiff represents policy difference counts

type Predicate 

type Predicate struct {
	Policy       ecapi.EnterpriseContractPolicySpec `json:"policy"`
	PolicySource string                             `json:"policySource"`
	ImageRefs    []string                           `json:"imageRefs"`
	Timestamp    string                             `json:"timestamp"`
	Status       string                             `json:"status"`
	Verifier     string                             `json:"verifier"`
	Summary      VSASummary                         `json:"summary"`
	PublicKey    string                             `json:"publicKey"`
}

func ParseVSAContent added in v0.8.39 

func ParseVSAContent(envelope *ssldsse.Envelope) (*Predicate, error)

ParseVSAContent parses VSA content from a DSSE envelope and returns a Predicate The function handles different payload formats: 1. In-toto Statement wrapped in DSSE envelope 2. Raw Predicate directly in DSSE payload

type PredicateAttestor added in v0.7.108 

type PredicateAttestor interface {
	AttestPredicate(ctx context.Context) ([]byte, error)
	WriteEnvelope(data []byte) (string, error)
	TargetDigest() string
}

PredicateAttestor interface for attesting VSA predicates and writing envelopes

type PredicateGenerator added in v0.7.108 

type PredicateGenerator[T any] interface {
	GeneratePredicate(ctx context.Context) (T, error)
}

PredicateGenerator interface for generating VSA predicates

type PredicateWriter added in v0.7.108 

type PredicateWriter[T any] interface {
	WritePredicate(pred T) (string, error)
}

PredicateWriter interface for writing VSA predicates to files

type PublicKeyProvider added in v0.8.25 

type PublicKeyProvider interface {
	PublicKeyPEM() ([]byte, error)
}

PublicKeyProvider defines the interface for accessing public key information

type RekorBackend added in v0.7.148 

type RekorBackend struct {
	// contains filtered or unexported fields
}

RekorBackend implements VSA storage in Rekor transparency log using single in-toto 0.0.2 entries

func (*RekorBackend) Name added in v0.7.148 

func (r *RekorBackend) Name() string

Name returns the backend name

func (*RekorBackend) Upload added in v0.7.148 

func (r *RekorBackend) Upload(ctx context.Context, envelopeContent []byte) error

Upload is not supported for Rekor backend - use UploadWithSigner instead

func (*RekorBackend) UploadWithSigner added in v0.7.148 

func (r *RekorBackend) UploadWithSigner(ctx context.Context, envelopeContent []byte, signer *Signer) (string, error)

UploadWithSigner uploads a VSA envelope to the Rekor transparency log with access to the signer for public key extraction

type RekorClient added in v0.7.134 

type RekorClient interface {
	SearchIndex(ctx context.Context, query *models.SearchIndex) ([]models.LogEntryAnon, error)
	SearchLogQuery(ctx context.Context, query *models.SearchLogQuery) ([]models.LogEntryAnon, error)
	GetLogEntryByIndex(ctx context.Context, index int64) (*models.LogEntryAnon, error)
	GetLogEntryByUUID(ctx context.Context, uuid string) (*models.LogEntryAnon, error)
}

RekorClient defines the interface for Rekor client operations This allows for easy mocking in tests

type RekorVSARetriever added in v0.7.134 

type RekorVSARetriever struct {
	// contains filtered or unexported fields
}

RekorVSARetriever implements VSARetriever using Rekor API

func NewRekorVSARetriever added in v0.7.134 

func NewRekorVSARetriever(opts RetrievalOptions) (*RekorVSARetriever, error)

NewRekorVSARetriever creates a new Rekor-based VSA retriever

func NewRekorVSARetrieverWithClient added in v0.7.134 

func NewRekorVSARetrieverWithClient(client RekorClient, opts RetrievalOptions) *RekorVSARetriever

NewRekorVSARetrieverWithClient creates a new Rekor-based VSA retriever with a custom client This is primarily for testing purposes

func (*RekorVSARetriever) RetrieveVSA added in v0.7.134 

func (r *RekorVSARetriever) RetrieveVSA(ctx context.Context, identifier string) (*ssldsse.Envelope, error)

RetrieveVSA retrieves the latest VSA data as a DSSE envelope for a given identifier The identifier can be an image digest, image reference with digest, or other string This is the main method used by validation functions to get VSA data for signature verification

type ResultSummary added in v0.8.44 

type ResultSummary struct {
	TotalViolations int `json:"total_violations"`
	TotalWarnings   int `json:"total_warnings"`
	TotalSuccesses  int `json:"total_successes"`
}

ResultSummary represents the overall summary of validation results

type RetrievalOptions added in v0.7.134 

type RetrievalOptions struct {
	URL     string
	Timeout time.Duration
}

RetrievalOptions configures VSA retrieval behavior

func DefaultRetrievalOptions added in v0.7.134 

func DefaultRetrievalOptions() RetrievalOptions

DefaultRetrievalOptions returns default options for VSA retrieval

type Service added in v0.7.117 

type Service struct {
	// contains filtered or unexported fields
}

Service encapsulates all VSA processing logic for both components and snapshots

func NewServiceWithFS added in v0.7.117 

func NewServiceWithFS(signer *Signer, fs afero.Fs, policySource string, policy PublicKeyProvider) *Service

NewServiceWithFS creates a new VSA service with the given signer and filesystem

func (*Service) ProcessAllVSAs added in v0.7.117 

func (s *Service) ProcessAllVSAs(ctx context.Context, report applicationsnapshot.Report, getGitURL func(applicationsnapshot.Component) string, getDigest func(applicationsnapshot.Component) (string, error)) (*VSAProcessingResult, error)

ProcessAllVSAs processes VSAs for all components and the snapshot, returning envelope paths

func (*Service) ProcessComponentVSA added in v0.7.117 

func (s *Service) ProcessComponentVSA(ctx context.Context, report applicationsnapshot.Report, comp applicationsnapshot.Component, gitURL, digest string) (string, error)

ProcessComponentVSA processes VSA generation, writing, and attestation for a single component

func (*Service) ProcessSnapshotVSA added in v0.7.117 

func (s *Service) ProcessSnapshotVSA(ctx context.Context, report applicationsnapshot.Report) (string, error)

ProcessSnapshotVSA processes VSA generation, writing, and attestation for the application snapshot

type Signer 

type Signer struct {
	KeyPath        string
	FS             afero.Fs
	WrapSigner     signature.Signer
	SignerVerifier signature.SignerVerifier // Store the original signer for public key access
}

func NewSigner 

func NewSigner(ctx context.Context, keyRef string, fs afero.Fs) (*Signer, error)

NewSigner creates a new signer that can resolve keys from both files and Kubernetes secrets

type SignerAwareUploader added in v0.7.148 

type SignerAwareUploader interface {
	StorageBackend
	UploadWithSigner(ctx context.Context, envelopeContent []byte, signer *Signer) (string, error)
}

SignerAwareUploader extends StorageBackend for backends that need access to the signer (e.g., Rekor backend needs the public key for transparency log upload)

type StorageBackend added in v0.7.148 

type StorageBackend interface {
	Name() string
	Upload(ctx context.Context, envelopeContent []byte) error
}

StorageBackend defines the interface for VSA storage implementations

func CreateStorageBackend added in v0.7.148 

func CreateStorageBackend(config *StorageConfig) (StorageBackend, error)

CreateStorageBackend creates the appropriate storage backend based on config

func NewLocalBackend added in v0.7.148 

func NewLocalBackend(config *StorageConfig) (StorageBackend, error)

NewLocalBackend creates a new local file storage backend

func NewRekorBackend added in v0.7.148 

func NewRekorBackend(config *StorageConfig) (StorageBackend, error)

NewRekorBackend creates a new Rekor storage backend

type StorageConfig added in v0.7.148 

type StorageConfig struct {
	Backend    string            // rekor, local (maybe others in future)
	BaseURL    string            // Primary URL
	Parameters map[string]string // Additional parameters
}

StorageConfig represents parsed storage configuration

func ParseStorageFlag added in v0.7.148 

func ParseStorageFlag(storageFlag string) (*StorageConfig, error)

ParseStorageFlag parses the --vsa-upload flag format Supported formats:

type Subject added in v0.8.39 

type Subject struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"`
}

Subject represents a subject in an in-toto statement

type VSAChecker added in v0.8.18 

type VSAChecker struct {
	// contains filtered or unexported fields
}

VSAChecker handles checking for existing VSAs using any VSARetriever

func CreateVSACheckerFromUploadFlags added in v0.8.18 

func CreateVSACheckerFromUploadFlags(vsaUpload []string) *VSAChecker

CreateVSACheckerFromUploadFlags creates a VSA checker based on available upload flags Returns nil if no suitable retriever can be created

func NewVSAChecker added in v0.8.18 

func NewVSAChecker(retriever VSARetriever) *VSAChecker

NewVSAChecker creates a new VSA checker with a VSARetriever

func (*VSAChecker) CheckExistingVSA added in v0.8.18 

func (c *VSAChecker) CheckExistingVSA(ctx context.Context, imageRef string, expirationThreshold time.Duration) (*VSALookupResult, error)

CheckExistingVSA looks up existing VSAs for an image and determines if they're valid/expired This method is kept for backward compatibility

func (*VSAChecker) CheckExistingVSAWithVerification added in v0.8.39 

func (c *VSAChecker) CheckExistingVSAWithVerification(ctx context.Context, imageRef string, expirationThreshold time.Duration, verifySignature bool, publicKeyPath string) (*VSALookupResult, error)

CheckExistingVSAWithVerification looks up existing VSAs for an image and performs all checks including optional signature verification

func (*VSAChecker) IsValidVSA added in v0.8.18 

func (c *VSAChecker) IsValidVSA(ctx context.Context, imageRef string, expirationThreshold time.Duration) (bool, error)

IsValidVSA checks if a VSA exists and is not expired for the given image Returns true if validation should be skipped, false if validation should proceed

type VSALookupResult added in v0.8.18 

type VSALookupResult struct {
	Found             bool
	Expired           bool
	VSA               *Predicate
	Timestamp         time.Time
	Envelope          *ssldsse.Envelope // Store the envelope for signature verification
	SignatureVerified bool              // Whether signature verification was performed and succeeded
}

VSALookupResult represents the result of looking up an existing VSA

type VSAPhaseResult added in v0.8.44 

type VSAPhaseResult struct {
	Passed           bool   `json:"passed"`
	Message          string `json:"message,omitempty"`
	Failed           string `json:"failed,omitempty"`
	Reason           string `json:"reason,omitempty"`            // Human-readable reason
	PredicateOutcome string `json:"predicate_outcome,omitempty"` // Outcome from VSA predicate
}

VSAPhaseResult represents the result of the VSA validation phase

func ToVSAPhaseResult added in v0.8.44 

func ToVSAPhaseResult(result *ValidationResult) *VSAPhaseResult

ToVSAPhaseResult converts a VSA ValidationResult to the unified VSAPhaseResult format

type VSAProcessingResult added in v0.7.148 

type VSAProcessingResult struct {
	ComponentEnvelopes map[string]string // imageRef -> envelopePath
	SnapshotEnvelope   string
}

VSAProcessingResult contains the results of VSA processing

type VSARetriever added in v0.7.134 

type VSARetriever interface {
	// RetrieveVSA retrieves VSA data as a DSSE envelope for a given identifier
	// The identifier can be a digest, image reference, file path, or any other string
	// that the specific retriever implementation understands
	RetrieveVSA(ctx context.Context, identifier string) (*ssldsse.Envelope, error)
}

VSARetriever defines the interface for retrieving VSA records from various sources

func CreateRetrieverFromUploadFlags added in v0.8.18 

func CreateRetrieverFromUploadFlags(vsaUpload []string) VSARetriever

CreateRetrieverFromUploadFlags creates a VSA retriever based on upload flags Currently supports Rekor, but can be extended for other retrievers

func CreateVSARetriever added in v0.8.39 

func CreateVSARetriever(vsaRetrieval []string, vsaIdentifier string, images string) (VSARetriever, error)

CreateVSARetriever creates the VSA retriever based on flags and identifier type

type VSASummary added in v0.8.25 

type VSASummary struct {
	Violations int               `json:"violations"`
	Warnings   int               `json:"warnings"`
	Successes  int               `json:"successes"`
	Components []ComponentDetail `json:"Components"`
	Component  ComponentSummary  `json:"component"`
}

VSASummary represents the summary information for a VSA predicate

type VSAValidationConfig added in v0.8.44 

type VSAValidationConfig struct {
	Retriever                   VSARetriever
	VSAExpiration               time.Duration
	IgnoreSignatureVerification bool
	PublicKeyPath               string
	PolicySpec                  ecapi.EnterpriseContractPolicySpec
	EffectiveTime               string
}

VSAValidationConfig represents the configuration needed for VSA validation

type VSAValidationResult added in v0.8.44 

type VSAValidationResult struct {
	// VSA-specific results
	VSAPhaseResult *VSAPhaseResult `json:"vsa_phase_result,omitempty"`

	// Image validation results
	ImageValidationResult *ImageValidationResult `json:"image_validation_result,omitempty"`

	// Overall status
	OverallSuccess bool   `json:"overall_success"`
	UsedFallback   bool   `json:"used_fallback"`
	ImageRef       string `json:"image_ref"`

	// Summary
	Summary *ResultSummary `json:"summary,omitempty"`

	// Structured error information
	Error *ValidationError `json:"error,omitempty"`
}

VSAValidationResult represents the unified result structure for VSA validation with optional fallback

func BuildUnifiedValidationResult added in v0.8.44 

func BuildUnifiedValidationResult(
	vsaResult *ValidationResult,
	fallbackOutput *output.Output,
	fallbackErr error,
	comp app.SnapshotComponent,
	usedFallback bool,
	imageRef string,
	showSuccesses bool,
	outputFormats []string,
) *VSAValidationResult

BuildUnifiedValidationResult creates a unified VSAValidationResult from VSA and image validation results

func (*VSAValidationResult) PrintConsole added in v0.8.44 

func (r *VSAValidationResult) PrintConsole(out io.Writer) error

PrintConsole outputs the unified result as console text

func (*VSAValidationResult) PrintJSON added in v0.8.44 

func (r *VSAValidationResult) PrintJSON(out io.Writer) error

PrintJSON outputs the unified result as JSON

type ValidationError added in v0.8.44 

type ValidationError struct {
	Message string  `json:"message"`
	Causes  []Cause `json:"causes"`
}

ValidationError represents a structured validation error with causes

func BuildNetworkError added in v0.8.44 

func BuildNetworkError(operation string, err error) *ValidationError

BuildNetworkError creates a structured error for network-related failures

func BuildTimeoutError added in v0.8.44 

func BuildTimeoutError(operation string, timeout time.Duration) *ValidationError

BuildTimeoutError creates a structured error for timeout failures

func BuildValidationError added in v0.8.44 

func BuildValidationError(vsaResult *ValidationResult, fallbackResult *ImageValidationResult, vsaErr, fallbackErr error) *ValidationError

BuildValidationError creates a structured error from VSA and fallback results

func (*ValidationError) Error added in v0.8.44 

func (ve *ValidationError) Error() string

Error implements the error interface

func (*ValidationError) HumanReadable added in v0.8.44 

func (ve *ValidationError) HumanReadable() string

HumanReadable returns a formatted human-readable version of the error

type ValidationResult added in v0.8.39 

type ValidationResult struct {
	Passed            bool   `json:"passed"`
	Message           string `json:"message,omitempty"`
	SignatureVerified bool   `json:"signature_verified,omitempty"`
	PredicateOutcome  string `json:"predicate_outcome,omitempty"` // Outcome from VSA predicate

	// Structured fields for reliable extraction (prefer over message parsing)
	ReasonCode string      `json:"reason_code,omitempty"` // Structured reason code: "policy_mismatch", "predicate_failed", "no_vsa", "expired", "retrieval_failed"
	PolicyDiff *PolicyDiff `json:"policy_diff,omitempty"` // Policy difference counts (only set when ReasonCode is "policy_mismatch")
}

ValidationResult represents the result of VSA validation

func ValidateVSAAndComparePolicy added in v0.8.44 

func ValidateVSAAndComparePolicy(ctx context.Context, identifier string, data *VSAValidationConfig) (*ValidationResult, error)

ValidateVSAAndComparePolicy performs optimized VSA validation with single retrieval

type WorkerFallbackContext added in v0.8.44 

type WorkerFallbackContext struct {
	Evaluators []evaluator.Evaluator
}

WorkerFallbackContext holds per-worker fallback resources

func CreateWorkerFallbackContext added in v0.8.44 

func CreateWorkerFallbackContext(ctx context.Context, fallbackPolicy policy.Policy) (*WorkerFallbackContext, error)

createWorkerFallbackContext creates evaluators once per worker thread This ensures thread safety while reusing evaluators within the worker

type Writer 

type Writer struct {
	FS            afero.Fs    // defaults to the package-level FS or afero.NewOsFs()
	TempDirPrefix string      // defaults to "vsa-"
	FilePerm      os.FileMode // defaults to 0600
}

Writer handles VSA file writing

func NewWriter 

func NewWriter() *Writer

NewWriter creates a new VSA file writer

func (*Writer) WritePredicate added in v0.7.108 

func (w *Writer) WritePredicate(predicate *Predicate) (string, error)

WritePredicate writes the Predicate as a JSON file to a temp directory and returns the path.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.