predicate

package
v0.26.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jun 19, 2026 License: Apache-2.0 Imports: 16 Imported by: 0

Documentation

Index

Constants

View Source
const (
	// github
	EnvGitHubRepository      = "GITHUB_REPOSITORY"
	EnvGitHubRepositoryID    = "GITHUB_REPOSITORY_ID"
	EnvGitHubRepositoryOwner = "GITHUB_REPOSITORY_OWNER"
	EnvGitHubOwnerID         = "GITHUB_REPOSITORY_OWNER_ID"
	EnvGitHubServerURL       = "GITHUB_SERVER_URL"
	EnvGitHubSHA             = "GITHUB_SHA"
	EnvGitHubRefName         = "GITHUB_REF_NAME"
	EnvGitHubEventName       = "GITHUB_EVENT_NAME"
	EnvGitHubActor           = "GITHUB_ACTOR"
	EnvGitHubRunID           = "GITHUB_RUN_ID"
	EnvGitHubRunNumber       = "GITHUB_RUN_NUMBER"
	EnvGitHubWorkflowRef     = "GITHUB_WORKFLOW_REF"
	EnvGitHubEventPath       = "GITHUB_EVENT_PATH"
	EnvGitHubWorkflowInputs  = "GITHUB_WORKFLOW_INPUTS"
	EnvGitHubJobStatus       = "GITHUB_JOB_STATUS"

	// runner
	EnvRunnerOS          = "RUNNER_OS"
	EnvRunnerArch        = "RUNNER_ARCH"
	EnvRunnerEnvironment = "RUNNER_ENVIRONMENT"

	// tokens
	//nolint:gosec // These are environment variable names, not credentials
	EnvGitHubToken = "GITHUB_TOKEN"
	//nolint:gosec // These are environment variable names, not credentials
	EnvGHToken = "GH_TOKEN"

	// config
	EnvPolicyRepoOwner = "POLICY_REPO_OWNER"
	EnvPolicyRepoName  = "POLICY_REPO_NAME"
	EnvPolicyVersion   = "POLICY_VERSION"
	EnvSchemasPath     = "SCHEMAS_PATH"

	// permissions
	EnvWorkflowPermissions = "WORKFLOW_PERMISSIONS"
)

environment variable names

View Source
const (
	TestResultPassed = "PASSED"
	TestResultWarned = "WARNED"
	TestResultFailed = "FAILED"
)

Result values for the in-toto test-result predicate.

View Source
const (
	ArtifactTypeBlob           ArtifactType = "blob"
	ArtifactTypeContainerImage ArtifactType = "container-image"

	// MetadataPredicateTypeURI is the custom autogov predicate type for metadata attestations.
	MetadataPredicateTypeURI = "https://autogov.dev/attestation/metadata/v1"

	// DepscanPredicateTypeURI is the in-toto vulnerability predicate type.
	DepscanPredicateTypeURI = "https://in-toto.io/attestation/vulns/v0.2"
)
View Source
const TestResultPredicateTypeURI = "https://in-toto.io/attestation/test-result/v0.1"

TestResultPredicateTypeURI is the in-toto test-result predicate type.

Variables

This section is empty.

Functions

func CalculateDigest

func CalculateDigest(path string) (string, error)

CalculateDigest calculates the sha256 digest of a file or directory.

func GenerateDepscan

func GenerateDepscan(opts DependencyScanOptions, outputFile string) error

GenerateDepscan generates a dependency scan attestation predicate.

func GenerateMetadata

func GenerateMetadata(opts Options, outputFile string) error

GenerateMetadata generates a metadata attestation predicate.

func GenerateTestResult added in v0.26.0

func GenerateTestResult(opts TestResultOptions, outputFile string) error

GenerateTestResult generates an in-toto test-result attestation predicate from JUnit XML.

func GetEnvOrDefault

func GetEnvOrDefault(key, defaultValue string) string

GetEnvOrDefault returns the value of the environment variable or the default value.

func GetGitHubToken

func GetGitHubToken() (string, error)

GetGitHubToken returns the GitHub token from environment variables.

func GetRequiredEnv

func GetRequiredEnv(key string) (string, error)

GetRequiredEnv returns the value of a required environment variable or an error.

func ValidateDepscan

func ValidateDepscan(data []byte) error

ValidateDepscan validates dependency scan attestation data against its schema.

func ValidateJSON

func ValidateJSON(data []byte, schemaName string) error

ValidateJSON validates JSON data against a named schema.

func ValidateMetadata

func ValidateMetadata(data []byte) error

ValidateMetadata validates metadata attestation data against its schema.

func ValidateTestResult added in v0.26.0

func ValidateTestResult(data []byte) error

ValidateTestResult validates test-result attestation data against its schema.

Types

type ArtifactType

type ArtifactType string

ArtifactType represents the type of artifact being attested.

type Config

type Config struct {
	PolicyRepo  PolicyRepo
	SchemasPath string
}

Config holds application configuration.

func LoadConfig

func LoadConfig() (*Config, error)

LoadConfig loads configuration from environment variables.

type Context

type Context struct {
	Repository        string `json:"repository"`
	RepositoryOwner   string `json:"repository_owner"`
	RepositoryID      string `json:"repository_id"`
	ServerURL         string `json:"server_url"`
	RepositoryOwnerID string `json:"repository_owner_id"`
	WorkflowRef       string `json:"workflow_ref"`
	RefName           string `json:"ref_name"`
	EventName         string `json:"event_name"`
	SHA               string `json:"sha"`
	RunNumber         string `json:"run_number"`
	RunID             string `json:"run_id"`
	Actor             string `json:"actor"`

	Event struct {
		WorkflowRun struct {
			CreatedAt string `json:"created_at"`
		} `json:"workflow_run"`
		HeadCommit struct {
			Timestamp string `json:"timestamp"`
		} `json:"head_commit"`
	} `json:"event"`

	Inputs    map[string]any `json:"inputs"`
	JobStatus string         `json:"job_status"`
	Runner    *Runner        `json:"runner"`

	Organization struct {
		Name string `json:"name"`
	} `json:"organization"`
}

Context represents the GitHub Actions runtime context.

func LoadGitHubContext

func LoadGitHubContext() (*Context, error)

LoadGitHubContext loads GitHub Actions context from environment variables.

type DependencyScan

type DependencyScan struct {
	Type        ArtifactType `json:"-"`
	SubjectName string       `json:"-"`
	SubjectPath string       `json:"-"`
	Digest      string       `json:"-"`
	Scanner     struct {
		Name    string `json:"name"`
		URI     string `json:"uri"`
		Version string `json:"version"`
		DB      struct {
			URI        string `json:"uri"`
			Version    string `json:"version,omitempty"`
			LastUpdate string `json:"lastUpdate,omitempty"`
		} `json:"db"`
		Result []ScanResult `json:"result"`
	} `json:"scanner"`
	Metadata struct {
		ScanStartedOn  string `json:"scanStartedOn"`
		ScanFinishedOn string `json:"scanFinishedOn"`
	} `json:"metadata,omitempty"`
}

DependencyScan represents the predicate portion of a dependency scan attestation.

func NewDependencyScan

func NewDependencyScan(opts DependencyScanOptions) *DependencyScan

NewDependencyScan creates a new DependencyScan from options.

func (*DependencyScan) Generate

func (s *DependencyScan) Generate() ([]byte, error)

Generate produces the JSON representation of the dependency scan predicate.

type DependencyScanOptions

type DependencyScanOptions struct {
	Type        ArtifactType
	SubjectName string
	SubjectPath string
	Digest      string
	ResultsPath string
	StartedAt   time.Time
	FinishedAt  time.Time
}

DependencyScanOptions contains options for creating a new dependency scan.

type GrypeResult

type GrypeResult struct {
	Descriptor struct {
		Version   string `json:"version"`
		Timestamp string `json:"timestamp"`
		DB        struct {
			Status *struct {
				Built         string `json:"built"`
				SchemaVersion string `json:"schemaVersion"`
				From          string `json:"from,omitempty"`
			} `json:"status,omitempty"`
		} `json:"db"`
	} `json:"descriptor"`
	Matches []struct {
		Vulnerability struct {
			ID       string `json:"id"`
			Severity string `json:"severity"`
			CVSS     []struct {
				Metrics struct {
					BaseScore float64 `json:"baseScore"`
				} `json:"metrics"`
			} `json:"cvss"`
		} `json:"vulnerability"`
	} `json:"matches"`
}

GrypeResult represents Grype scan results.

type Metadata

type Metadata struct {
	Artifact struct {
		Version  string `json:"version"`
		Created  string `json:"created"`
		Type     string `json:"type"`
		Registry string `json:"registry,omitempty"`
		FullName string `json:"fullName,omitempty"`
		Digest   string `json:"digest,omitempty"`
		Path     string `json:"path,omitempty"`
	} `json:"artifact"`
	RepositoryData struct {
		Repository      string `json:"repository"`
		RepositoryID    string `json:"repositoryId"`
		GitHubServerURL string `json:"githubServerURL"`
	} `json:"repositoryData"`
	OwnerData struct {
		Owner   string `json:"owner"`
		OwnerID string `json:"ownerId"`
	} `json:"ownerData"`
	RunnerData struct {
		OS          string `json:"os"`
		Arch        string `json:"arch"`
		Environment string `json:"environment"`
	} `json:"runnerData"`
	WorkflowData struct {
		WorkflowRefPath string         `json:"workflowRefPath"`
		Inputs          map[string]any `json:"inputs,omitempty"`
		Branch          string         `json:"branch"`
		Event           string         `json:"event"`
	} `json:"workflowData"`
	JobData struct {
		RunNumber   string `json:"runNumber"`
		RunID       string `json:"runId"`
		Status      string `json:"status"`
		TriggeredBy string `json:"triggeredBy"`
		StartedAt   string `json:"startedAt"`
		CompletedAt string `json:"completedAt"`
	} `json:"jobData"`
	CommitData struct {
		SHA       string `json:"sha"`
		Timestamp string `json:"timestamp"`
	} `json:"commitData"`
	Organization struct {
		Name string `json:"name"`
	} `json:"organization"`
	Compliance struct {
		PolicyRef  string   `json:"policyRef"`
		ControlIds []string `json:"controlIds"`
	} `json:"compliance"`
	Security struct {
		Permissions map[string]string `json:"permissions"`
	} `json:"security"`
}

Metadata represents the predicate portion of a metadata attestation.

func NewFromOptions

func NewFromOptions(opts Options) *Metadata

NewFromOptions creates a new Metadata from the given options.

func (*Metadata) Generate

func (m *Metadata) Generate() ([]byte, error)

Generate produces the JSON representation of the metadata predicate.

type Options

type Options struct {
	// artifact fields
	Version     string
	Created     time.Time
	Type        ArtifactType
	Registry    string
	FullName    string
	SubjectPath string
	Digest      string

	// repo fields
	Repository      string
	RepositoryID    string
	GitHubServerURL string

	// owner fields
	Owner   string
	OwnerID string

	// runner fields
	OS          string
	Arch        string
	Environment string

	// workflow fields
	WorkflowRefPath string
	Inputs          map[string]any
	Branch          string
	Event           string

	// job fields
	RunNumber   string
	RunID       string
	Status      string
	TriggeredBy string
	StartedAt   time.Time
	CompletedAt time.Time

	// commit fields
	SHA       string
	Timestamp time.Time

	// org fields
	OrgName string

	// compliance fields
	PolicyRef  string
	ControlIds []string

	// permissions fields
	Permissions map[string]string
}

Options contains all fields needed to generate a metadata predicate.

type PolicyRepo

type PolicyRepo struct {
	Owner string
	Name  string
	Ref   string
}

PolicyRepo represents policy repository configuration.

type ResourceDescriptor added in v0.26.0

type ResourceDescriptor struct {
	Name             string            `json:"name,omitempty"`
	URI              string            `json:"uri,omitempty"`
	Digest           map[string]string `json:"digest,omitempty"`
	Content          string            `json:"content,omitempty"`
	DownloadLocation string            `json:"downloadLocation,omitempty"`
	MediaType        string            `json:"mediaType,omitempty"`
	Annotations      map[string]any    `json:"annotations,omitempty"`
}

ResourceDescriptor is an in-toto v1 ResourceDescriptor. Per spec a descriptor must specify at least one of uri, digest, or content.

type Runner

type Runner struct {
	OS          string `json:"os"`
	Arch        string `json:"arch"`
	Environment string `json:"environment"`
}

Runner represents GitHub Actions runner info.

type ScanResult

type ScanResult struct {
	ID       string     `json:"id"`
	Severity []Severity `json:"severity"`
}

ScanResult represents a single vulnerability finding.

type Severity

type Severity struct {
	Method string `json:"method"`
	Score  string `json:"score"`
}

Severity represents a vulnerability severity score.

type TestResult added in v0.26.0

type TestResult struct {
	Type        ArtifactType `json:"-"`
	SubjectName string       `json:"-"`
	SubjectPath string       `json:"-"`
	Digest      string       `json:"-"`

	// Result is one of PASSED, WARNED, or FAILED.
	Result string `json:"result"`
	// Configuration references the configuration used for the test run. Required
	// by the spec; may be an empty list when no configuration is referenced.
	Configuration []ResourceDescriptor `json:"configuration"`
	// URL optionally links to the test run (e.g. logs).
	URL string `json:"url,omitempty"`
	// PassedTests, WarnedTests, FailedTests hold test identifiers by outcome.
	// Skipped tests map to warnedTests. Never null (empty arrays preferred).
	PassedTests []string `json:"passedTests"`
	WarnedTests []string `json:"warnedTests"`
	FailedTests []string `json:"failedTests"`
}

TestResult represents the predicate portion of an in-toto test-result attestation (https://in-toto.io/attestation/test-result/v0.1).

func NewTestResult added in v0.26.0

func NewTestResult(opts TestResultOptions) (*TestResult, error)

NewTestResult builds an in-toto test-result predicate from JUnit XML.

func (*TestResult) Generate added in v0.26.0

func (t *TestResult) Generate() ([]byte, error)

Generate produces the JSON representation of the test-result predicate.

type TestResultOptions added in v0.26.0

type TestResultOptions struct {
	Type        ArtifactType
	SubjectName string
	SubjectPath string
	Digest      string
	ResultsPath string
	URL         string
	ConfigURI   string
}

TestResultOptions contains options for creating a test-result predicate.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL