Documentation
¶
Overview ¶
Package source provides verification of SLSA source provenance attestations. It validates Sigstore bundles containing source provenance predicates, checking repository URI, commit SHA, and computing SLSA Source Track levels.
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func ComputeSLSASourceLevel ¶
func ComputeSLSASourceLevel(signatureVerified bool, pred SourceProvenancePredicate) string
ComputeSLSASourceLevel evaluates the SLSA Source Track level based on the predicate.
L1: Version controlled + provenance exists L2: Provenance is cryptographically verified (signatureVerified must be true) L3: Verified provenance from two-party review (branch protection claims)
Types ¶
type SourceProvenancePredicate ¶
type SourceProvenancePredicate struct {
BuildDefinition struct {
BuildType string `json:"buildType"`
ExternalParameters struct {
Repository string `json:"repository"`
Ref string `json:"ref"`
Workflow struct {
Repository string `json:"repository"`
Ref string `json:"ref"`
Path string `json:"path"`
} `json:"workflow"`
} `json:"externalParameters"`
ResolvedDependencies []struct {
URI string `json:"uri"`
Digest map[string]string `json:"digest"`
} `json:"resolvedDependencies"`
} `json:"buildDefinition"`
RunDetails struct {
Builder struct {
ID string `json:"id"`
} `json:"builder"`
Metadata struct {
InvocationID string `json:"invocationId"`
StartedOn string `json:"startedOn"`
} `json:"metadata"`
} `json:"runDetails"`
}
SourceProvenancePredicate represents relevant fields from a SLSA provenance predicate used for source provenance verification.
type VerificationResult ¶
type VerificationResult struct {
Verified bool `json:"verified"`
RepoURI string `json:"repo_uri,omitempty"`
Commit string `json:"commit,omitempty"`
SourceRef string `json:"source_ref,omitempty"`
SLSASourceLevel string `json:"slsa_source_level,omitempty"`
BuilderID string `json:"builder_id,omitempty"`
Claims map[string]string `json:"claims,omitempty"`
ErrorMsg string `json:"error,omitempty"`
Warnings []string `json:"warnings,omitempty"`
}
VerificationResult holds the outcome of source provenance verification.
func VerifySourceProvenance ¶
func VerifySourceProvenance(bundlePath string, opts VerifyOptions) (*VerificationResult, error)
VerifySourceProvenance verifies a Sigstore bundle containing source provenance. It validates the bundle signature, extracts the in-toto statement, and checks that the repo URI and commit SHA match the expected values.
type VerifyOptions ¶
type VerifyOptions struct {
// RepoURI is the expected source repository URI.
RepoURI string
// Commit is the expected source commit SHA.
Commit string
// SourceRef is the expected source ref (e.g., refs/heads/main). Optional.
SourceRef string
// CertIdentity is the expected OIDC subject in the signing certificate.
CertIdentity string
// CertIssuer is the expected OIDC issuer URL.
CertIssuer string
}
VerifyOptions configures source provenance verification.