predicate

package
v0.25.1 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jun 19, 2026 License: Apache-2.0 Imports: 15 Imported by: 0

Documentation

Index

Constants

View Source
const (
	// github
	EnvGitHubRepository      = "GITHUB_REPOSITORY"
	EnvGitHubRepositoryID    = "GITHUB_REPOSITORY_ID"
	EnvGitHubRepositoryOwner = "GITHUB_REPOSITORY_OWNER"
	EnvGitHubOwnerID         = "GITHUB_REPOSITORY_OWNER_ID"
	EnvGitHubServerURL       = "GITHUB_SERVER_URL"
	EnvGitHubSHA             = "GITHUB_SHA"
	EnvGitHubRefName         = "GITHUB_REF_NAME"
	EnvGitHubEventName       = "GITHUB_EVENT_NAME"
	EnvGitHubActor           = "GITHUB_ACTOR"
	EnvGitHubRunID           = "GITHUB_RUN_ID"
	EnvGitHubRunNumber       = "GITHUB_RUN_NUMBER"
	EnvGitHubWorkflowRef     = "GITHUB_WORKFLOW_REF"
	EnvGitHubEventPath       = "GITHUB_EVENT_PATH"
	EnvGitHubWorkflowInputs  = "GITHUB_WORKFLOW_INPUTS"
	EnvGitHubJobStatus       = "GITHUB_JOB_STATUS"

	// runner
	EnvRunnerOS          = "RUNNER_OS"
	EnvRunnerArch        = "RUNNER_ARCH"
	EnvRunnerEnvironment = "RUNNER_ENVIRONMENT"

	// tokens
	//nolint:gosec // These are environment variable names, not credentials
	EnvGitHubToken = "GITHUB_TOKEN"
	//nolint:gosec // These are environment variable names, not credentials
	EnvGHToken = "GH_TOKEN"

	// config
	EnvPolicyRepoOwner = "POLICY_REPO_OWNER"
	EnvPolicyRepoName  = "POLICY_REPO_NAME"
	EnvPolicyVersion   = "POLICY_VERSION"
	EnvSchemasPath     = "SCHEMAS_PATH"

	// permissions
	EnvWorkflowPermissions = "WORKFLOW_PERMISSIONS"
)

environment variable names

View Source
const (
	ArtifactTypeBlob           ArtifactType = "blob"
	ArtifactTypeContainerImage ArtifactType = "container-image"

	// MetadataPredicateTypeURI is the custom autogov predicate type for metadata attestations.
	MetadataPredicateTypeURI = "https://autogov.dev/attestation/metadata/v1"

	// DepscanPredicateTypeURI is the in-toto vulnerability predicate type.
	DepscanPredicateTypeURI = "https://in-toto.io/attestation/vulns/v0.2"
)

Variables

This section is empty.

Functions

func CalculateDigest

func CalculateDigest(path string) (string, error)

CalculateDigest calculates the sha256 digest of a file or directory.

func GenerateDepscan

func GenerateDepscan(opts DependencyScanOptions, outputFile string) error

GenerateDepscan generates a dependency scan attestation predicate.

func GenerateMetadata

func GenerateMetadata(opts Options, outputFile string) error

GenerateMetadata generates a metadata attestation predicate.

func GetEnvOrDefault

func GetEnvOrDefault(key, defaultValue string) string

GetEnvOrDefault returns the value of the environment variable or the default value.

func GetGitHubToken

func GetGitHubToken() (string, error)

GetGitHubToken returns the GitHub token from environment variables.

func GetRequiredEnv

func GetRequiredEnv(key string) (string, error)

GetRequiredEnv returns the value of a required environment variable or an error.

func ValidateDepscan

func ValidateDepscan(data []byte) error

ValidateDepscan validates dependency scan attestation data against its schema.

func ValidateJSON

func ValidateJSON(data []byte, schemaName string) error

ValidateJSON validates JSON data against a named schema.

func ValidateMetadata

func ValidateMetadata(data []byte) error

ValidateMetadata validates metadata attestation data against its schema.

Types

type ArtifactType

type ArtifactType string

ArtifactType represents the type of artifact being attested.

type Config

type Config struct {
	PolicyRepo  PolicyRepo
	SchemasPath string
}

Config holds application configuration.

func LoadConfig

func LoadConfig() (*Config, error)

LoadConfig loads configuration from environment variables.

type Context

type Context struct {
	Repository        string `json:"repository"`
	RepositoryOwner   string `json:"repository_owner"`
	RepositoryID      string `json:"repository_id"`
	ServerURL         string `json:"server_url"`
	RepositoryOwnerID string `json:"repository_owner_id"`
	WorkflowRef       string `json:"workflow_ref"`
	RefName           string `json:"ref_name"`
	EventName         string `json:"event_name"`
	SHA               string `json:"sha"`
	RunNumber         string `json:"run_number"`
	RunID             string `json:"run_id"`
	Actor             string `json:"actor"`

	Event struct {
		WorkflowRun struct {
			CreatedAt string `json:"created_at"`
		} `json:"workflow_run"`
		HeadCommit struct {
			Timestamp string `json:"timestamp"`
		} `json:"head_commit"`
	} `json:"event"`

	Inputs    map[string]any `json:"inputs"`
	JobStatus string         `json:"job_status"`
	Runner    *Runner        `json:"runner"`

	Organization struct {
		Name string `json:"name"`
	} `json:"organization"`
}

Context represents the GitHub Actions runtime context.

func LoadGitHubContext

func LoadGitHubContext() (*Context, error)

LoadGitHubContext loads GitHub Actions context from environment variables.

type DependencyScan

type DependencyScan struct {
	Type        ArtifactType `json:"-"`
	SubjectName string       `json:"-"`
	SubjectPath string       `json:"-"`
	Digest      string       `json:"-"`
	Scanner     struct {
		Name    string `json:"name"`
		URI     string `json:"uri"`
		Version string `json:"version"`
		DB      struct {
			URI        string `json:"uri"`
			Version    string `json:"version,omitempty"`
			LastUpdate string `json:"lastUpdate,omitempty"`
		} `json:"db"`
		Result []ScanResult `json:"result"`
	} `json:"scanner"`
	Metadata struct {
		ScanStartedOn  string `json:"scanStartedOn"`
		ScanFinishedOn string `json:"scanFinishedOn"`
	} `json:"metadata,omitempty"`
}

DependencyScan represents the predicate portion of a dependency scan attestation.

func NewDependencyScan

func NewDependencyScan(opts DependencyScanOptions) *DependencyScan

NewDependencyScan creates a new DependencyScan from options.

func (*DependencyScan) Generate

func (s *DependencyScan) Generate() ([]byte, error)

Generate produces the JSON representation of the dependency scan predicate.

type DependencyScanOptions

type DependencyScanOptions struct {
	Type        ArtifactType
	SubjectName string
	SubjectPath string
	Digest      string
	ResultsPath string
	StartedAt   time.Time
	FinishedAt  time.Time
}

DependencyScanOptions contains options for creating a new dependency scan.

type GrypeResult

type GrypeResult struct {
	Descriptor struct {
		Version   string `json:"version"`
		Timestamp string `json:"timestamp"`
		DB        struct {
			Status *struct {
				Built         string `json:"built"`
				SchemaVersion string `json:"schemaVersion"`
				From          string `json:"from,omitempty"`
			} `json:"status,omitempty"`
		} `json:"db"`
	} `json:"descriptor"`
	Matches []struct {
		Vulnerability struct {
			ID       string `json:"id"`
			Severity string `json:"severity"`
			CVSS     []struct {
				Metrics struct {
					BaseScore float64 `json:"baseScore"`
				} `json:"metrics"`
			} `json:"cvss"`
		} `json:"vulnerability"`
	} `json:"matches"`
}

GrypeResult represents Grype scan results.

type Metadata

type Metadata struct {
	Artifact struct {
		Version  string `json:"version"`
		Created  string `json:"created"`
		Type     string `json:"type"`
		Registry string `json:"registry,omitempty"`
		FullName string `json:"fullName,omitempty"`
		Digest   string `json:"digest,omitempty"`
		Path     string `json:"path,omitempty"`
	} `json:"artifact"`
	RepositoryData struct {
		Repository      string `json:"repository"`
		RepositoryID    string `json:"repositoryId"`
		GitHubServerURL string `json:"githubServerURL"`
	} `json:"repositoryData"`
	OwnerData struct {
		Owner   string `json:"owner"`
		OwnerID string `json:"ownerId"`
	} `json:"ownerData"`
	RunnerData struct {
		OS          string `json:"os"`
		Arch        string `json:"arch"`
		Environment string `json:"environment"`
	} `json:"runnerData"`
	WorkflowData struct {
		WorkflowRefPath string         `json:"workflowRefPath"`
		Inputs          map[string]any `json:"inputs,omitempty"`
		Branch          string         `json:"branch"`
		Event           string         `json:"event"`
	} `json:"workflowData"`
	JobData struct {
		RunNumber   string `json:"runNumber"`
		RunID       string `json:"runId"`
		Status      string `json:"status"`
		TriggeredBy string `json:"triggeredBy"`
		StartedAt   string `json:"startedAt"`
		CompletedAt string `json:"completedAt"`
	} `json:"jobData"`
	CommitData struct {
		SHA       string `json:"sha"`
		Timestamp string `json:"timestamp"`
	} `json:"commitData"`
	Organization struct {
		Name string `json:"name"`
	} `json:"organization"`
	Compliance struct {
		PolicyRef  string   `json:"policyRef"`
		ControlIds []string `json:"controlIds"`
	} `json:"compliance"`
	Security struct {
		Permissions map[string]string `json:"permissions"`
	} `json:"security"`
}

Metadata represents the predicate portion of a metadata attestation.

func NewFromOptions

func NewFromOptions(opts Options) *Metadata

NewFromOptions creates a new Metadata from the given options.

func (*Metadata) Generate

func (m *Metadata) Generate() ([]byte, error)

Generate produces the JSON representation of the metadata predicate.

type Options

type Options struct {
	// artifact fields
	Version     string
	Created     time.Time
	Type        ArtifactType
	Registry    string
	FullName    string
	SubjectPath string
	Digest      string

	// repo fields
	Repository      string
	RepositoryID    string
	GitHubServerURL string

	// owner fields
	Owner   string
	OwnerID string

	// runner fields
	OS          string
	Arch        string
	Environment string

	// workflow fields
	WorkflowRefPath string
	Inputs          map[string]any
	Branch          string
	Event           string

	// job fields
	RunNumber   string
	RunID       string
	Status      string
	TriggeredBy string
	StartedAt   time.Time
	CompletedAt time.Time

	// commit fields
	SHA       string
	Timestamp time.Time

	// org fields
	OrgName string

	// compliance fields
	PolicyRef  string
	ControlIds []string

	// permissions fields
	Permissions map[string]string
}

Options contains all fields needed to generate a metadata predicate.

type PolicyRepo

type PolicyRepo struct {
	Owner string
	Name  string
	Ref   string
}

PolicyRepo represents policy repository configuration.

type Runner

type Runner struct {
	OS          string `json:"os"`
	Arch        string `json:"arch"`
	Environment string `json:"environment"`
}

Runner represents GitHub Actions runner info.

type ScanResult

type ScanResult struct {
	ID       string     `json:"id"`
	Severity []Severity `json:"severity"`
}

ScanResult represents a single vulnerability finding.

type Severity

type Severity struct {
	Method string `json:"method"`
	Score  string `json:"score"`
}

Severity represents a vulnerability severity score.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL