Documentation
¶
Index ¶
- Constants
- func CalculateDigest(path string) (string, error)
- func GenerateDepscan(opts DependencyScanOptions, outputFile string) error
- func GenerateMetadata(opts Options, outputFile string) error
- func GenerateTestResult(opts TestResultOptions, outputFile string) error
- func GetEnvOrDefault(key, defaultValue string) string
- func GetGitHubToken() (string, error)
- func GetRequiredEnv(key string) (string, error)
- func ValidateDepscan(data []byte) error
- func ValidateJSON(data []byte, schemaName string) error
- func ValidateMetadata(data []byte) error
- func ValidateTestResult(data []byte) error
- type ArtifactType
- type Config
- type Context
- type DependencyScan
- type DependencyScanOptions
- type GrypeResult
- type Metadata
- type Options
- type PolicyRepo
- type ResourceDescriptor
- type Runner
- type ScanResult
- type Severity
- type TestResult
- type TestResultOptions
Constants ¶
const ( // github EnvGitHubRepository = "GITHUB_REPOSITORY" EnvGitHubRepositoryID = "GITHUB_REPOSITORY_ID" EnvGitHubRepositoryOwner = "GITHUB_REPOSITORY_OWNER" EnvGitHubOwnerID = "GITHUB_REPOSITORY_OWNER_ID" EnvGitHubServerURL = "GITHUB_SERVER_URL" EnvGitHubSHA = "GITHUB_SHA" EnvGitHubRefName = "GITHUB_REF_NAME" EnvGitHubEventName = "GITHUB_EVENT_NAME" EnvGitHubActor = "GITHUB_ACTOR" EnvGitHubRunID = "GITHUB_RUN_ID" EnvGitHubRunNumber = "GITHUB_RUN_NUMBER" EnvGitHubWorkflowRef = "GITHUB_WORKFLOW_REF" EnvGitHubEventPath = "GITHUB_EVENT_PATH" EnvGitHubWorkflowInputs = "GITHUB_WORKFLOW_INPUTS" EnvGitHubJobStatus = "GITHUB_JOB_STATUS" // runner EnvRunnerOS = "RUNNER_OS" EnvRunnerArch = "RUNNER_ARCH" EnvRunnerEnvironment = "RUNNER_ENVIRONMENT" // tokens //nolint:gosec // These are environment variable names, not credentials EnvGitHubToken = "GITHUB_TOKEN" //nolint:gosec // These are environment variable names, not credentials EnvGHToken = "GH_TOKEN" // config EnvPolicyRepoOwner = "POLICY_REPO_OWNER" EnvPolicyRepoName = "POLICY_REPO_NAME" EnvPolicyVersion = "POLICY_VERSION" EnvSchemasPath = "SCHEMAS_PATH" // permissions EnvWorkflowPermissions = "WORKFLOW_PERMISSIONS" )
environment variable names
const ( TestResultPassed = "PASSED" TestResultWarned = "WARNED" TestResultFailed = "FAILED" )
Result values for the in-toto test-result predicate.
const ( ArtifactTypeBlob ArtifactType = "blob" ArtifactTypeContainerImage ArtifactType = "container-image" // MetadataPredicateTypeURI is the custom autogov predicate type for metadata attestations. MetadataPredicateTypeURI = "https://autogov.dev/attestation/metadata/v1" // DepscanPredicateTypeURI is the in-toto vulnerability predicate type. DepscanPredicateTypeURI = "https://in-toto.io/attestation/vulns/v0.2" )
const TestResultPredicateTypeURI = "https://in-toto.io/attestation/test-result/v0.1"
TestResultPredicateTypeURI is the in-toto test-result predicate type.
Variables ¶
This section is empty.
Functions ¶
func CalculateDigest ¶
CalculateDigest calculates the sha256 digest of a file or directory.
func GenerateDepscan ¶
func GenerateDepscan(opts DependencyScanOptions, outputFile string) error
GenerateDepscan generates a dependency scan attestation predicate.
func GenerateMetadata ¶
GenerateMetadata generates a metadata attestation predicate.
func GenerateTestResult ¶ added in v0.26.0
func GenerateTestResult(opts TestResultOptions, outputFile string) error
GenerateTestResult generates an in-toto test-result attestation predicate from JUnit XML.
func GetEnvOrDefault ¶
GetEnvOrDefault returns the value of the environment variable or the default value.
func GetGitHubToken ¶
GetGitHubToken returns the GitHub token from environment variables.
func GetRequiredEnv ¶
GetRequiredEnv returns the value of a required environment variable or an error.
func ValidateDepscan ¶
ValidateDepscan validates dependency scan attestation data against its schema.
func ValidateJSON ¶
ValidateJSON validates JSON data against a named schema.
func ValidateMetadata ¶
ValidateMetadata validates metadata attestation data against its schema.
func ValidateTestResult ¶ added in v0.26.0
ValidateTestResult validates test-result attestation data against its schema.
Types ¶
type ArtifactType ¶
type ArtifactType string
ArtifactType represents the type of artifact being attested.
type Config ¶
type Config struct {
PolicyRepo PolicyRepo
SchemasPath string
}
Config holds application configuration.
func LoadConfig ¶
LoadConfig loads configuration from environment variables.
type Context ¶
type Context struct {
Repository string `json:"repository"`
RepositoryOwner string `json:"repository_owner"`
RepositoryID string `json:"repository_id"`
ServerURL string `json:"server_url"`
RepositoryOwnerID string `json:"repository_owner_id"`
WorkflowRef string `json:"workflow_ref"`
RefName string `json:"ref_name"`
EventName string `json:"event_name"`
SHA string `json:"sha"`
RunNumber string `json:"run_number"`
RunID string `json:"run_id"`
Actor string `json:"actor"`
Event struct {
WorkflowRun struct {
CreatedAt string `json:"created_at"`
} `json:"workflow_run"`
HeadCommit struct {
Timestamp string `json:"timestamp"`
} `json:"head_commit"`
} `json:"event"`
Inputs map[string]any `json:"inputs"`
JobStatus string `json:"job_status"`
Runner *Runner `json:"runner"`
Organization struct {
Name string `json:"name"`
} `json:"organization"`
}
Context represents the GitHub Actions runtime context.
func LoadGitHubContext ¶
LoadGitHubContext loads GitHub Actions context from environment variables.
type DependencyScan ¶
type DependencyScan struct {
Type ArtifactType `json:"-"`
SubjectName string `json:"-"`
SubjectPath string `json:"-"`
Digest string `json:"-"`
Scanner struct {
Name string `json:"name"`
URI string `json:"uri"`
Version string `json:"version"`
DB struct {
URI string `json:"uri"`
Version string `json:"version,omitempty"`
LastUpdate string `json:"lastUpdate,omitempty"`
} `json:"db"`
Result []ScanResult `json:"result"`
} `json:"scanner"`
Metadata struct {
ScanStartedOn string `json:"scanStartedOn"`
ScanFinishedOn string `json:"scanFinishedOn"`
} `json:"metadata,omitempty"`
}
DependencyScan represents the predicate portion of a dependency scan attestation.
func NewDependencyScan ¶
func NewDependencyScan(opts DependencyScanOptions) *DependencyScan
NewDependencyScan creates a new DependencyScan from options.
func (*DependencyScan) Generate ¶
func (s *DependencyScan) Generate() ([]byte, error)
Generate produces the JSON representation of the dependency scan predicate.
type DependencyScanOptions ¶
type DependencyScanOptions struct {
Type ArtifactType
SubjectName string
SubjectPath string
Digest string
ResultsPath string
StartedAt time.Time
FinishedAt time.Time
}
DependencyScanOptions contains options for creating a new dependency scan.
type GrypeResult ¶
type GrypeResult struct {
Descriptor struct {
Version string `json:"version"`
Timestamp string `json:"timestamp"`
DB struct {
Status *struct {
Built string `json:"built"`
SchemaVersion string `json:"schemaVersion"`
From string `json:"from,omitempty"`
} `json:"status,omitempty"`
} `json:"db"`
} `json:"descriptor"`
Matches []struct {
Vulnerability struct {
ID string `json:"id"`
Severity string `json:"severity"`
CVSS []struct {
Metrics struct {
BaseScore float64 `json:"baseScore"`
} `json:"metrics"`
} `json:"cvss"`
} `json:"vulnerability"`
} `json:"matches"`
}
GrypeResult represents Grype scan results.
type Metadata ¶
type Metadata struct {
Artifact struct {
Version string `json:"version"`
Created string `json:"created"`
Type string `json:"type"`
Registry string `json:"registry,omitempty"`
FullName string `json:"fullName,omitempty"`
Digest string `json:"digest,omitempty"`
Path string `json:"path,omitempty"`
} `json:"artifact"`
RepositoryData struct {
Repository string `json:"repository"`
RepositoryID string `json:"repositoryId"`
GitHubServerURL string `json:"githubServerURL"`
} `json:"repositoryData"`
OwnerData struct {
Owner string `json:"owner"`
OwnerID string `json:"ownerId"`
} `json:"ownerData"`
RunnerData struct {
OS string `json:"os"`
Arch string `json:"arch"`
Environment string `json:"environment"`
} `json:"runnerData"`
WorkflowData struct {
WorkflowRefPath string `json:"workflowRefPath"`
Inputs map[string]any `json:"inputs,omitempty"`
Branch string `json:"branch"`
Event string `json:"event"`
} `json:"workflowData"`
JobData struct {
RunNumber string `json:"runNumber"`
RunID string `json:"runId"`
Status string `json:"status"`
TriggeredBy string `json:"triggeredBy"`
StartedAt string `json:"startedAt"`
CompletedAt string `json:"completedAt"`
} `json:"jobData"`
CommitData struct {
SHA string `json:"sha"`
Timestamp string `json:"timestamp"`
} `json:"commitData"`
Organization struct {
Name string `json:"name"`
} `json:"organization"`
Compliance struct {
PolicyRef string `json:"policyRef"`
ControlIds []string `json:"controlIds"`
} `json:"compliance"`
Security struct {
Permissions map[string]string `json:"permissions"`
} `json:"security"`
}
Metadata represents the predicate portion of a metadata attestation.
func NewFromOptions ¶
NewFromOptions creates a new Metadata from the given options.
type Options ¶
type Options struct {
// artifact fields
Version string
Created time.Time
Type ArtifactType
Registry string
FullName string
SubjectPath string
Digest string
// repo fields
Repository string
RepositoryID string
GitHubServerURL string
// owner fields
Owner string
OwnerID string
// runner fields
OS string
Arch string
Environment string
// workflow fields
WorkflowRefPath string
Inputs map[string]any
Branch string
Event string
// job fields
RunNumber string
RunID string
Status string
TriggeredBy string
StartedAt time.Time
CompletedAt time.Time
// commit fields
SHA string
Timestamp time.Time
// org fields
OrgName string
// compliance fields
PolicyRef string
ControlIds []string
// permissions fields
Permissions map[string]string
}
Options contains all fields needed to generate a metadata predicate.
type PolicyRepo ¶
PolicyRepo represents policy repository configuration.
type ResourceDescriptor ¶ added in v0.26.0
type ResourceDescriptor struct {
Name string `json:"name,omitempty"`
URI string `json:"uri,omitempty"`
Digest map[string]string `json:"digest,omitempty"`
Content string `json:"content,omitempty"`
DownloadLocation string `json:"downloadLocation,omitempty"`
MediaType string `json:"mediaType,omitempty"`
Annotations map[string]any `json:"annotations,omitempty"`
}
ResourceDescriptor is an in-toto v1 ResourceDescriptor. Per spec a descriptor must specify at least one of uri, digest, or content.
type Runner ¶
type Runner struct {
OS string `json:"os"`
Arch string `json:"arch"`
Environment string `json:"environment"`
}
Runner represents GitHub Actions runner info.
type ScanResult ¶
ScanResult represents a single vulnerability finding.
type TestResult ¶ added in v0.26.0
type TestResult struct {
Type ArtifactType `json:"-"`
SubjectName string `json:"-"`
SubjectPath string `json:"-"`
Digest string `json:"-"`
// Result is one of PASSED, WARNED, or FAILED.
Result string `json:"result"`
// Configuration references the configuration used for the test run. Required
// by the spec; may be an empty list when no configuration is referenced.
Configuration []ResourceDescriptor `json:"configuration"`
// URL optionally links to the test run (e.g. logs).
URL string `json:"url,omitempty"`
// PassedTests, WarnedTests, FailedTests hold test identifiers by outcome.
// Skipped tests map to warnedTests. Never null (empty arrays preferred).
PassedTests []string `json:"passedTests"`
WarnedTests []string `json:"warnedTests"`
FailedTests []string `json:"failedTests"`
}
TestResult represents the predicate portion of an in-toto test-result attestation (https://in-toto.io/attestation/test-result/v0.1).
func NewTestResult ¶ added in v0.26.0
func NewTestResult(opts TestResultOptions) (*TestResult, error)
NewTestResult builds an in-toto test-result predicate from JUnit XML.
func (*TestResult) Generate ¶ added in v0.26.0
func (t *TestResult) Generate() ([]byte, error)
Generate produces the JSON representation of the test-result predicate.
type TestResultOptions ¶ added in v0.26.0
type TestResultOptions struct {
Type ArtifactType
SubjectName string
SubjectPath string
Digest string
ResultsPath string
URL string
ConfigURI string
}
TestResultOptions contains options for creating a test-result predicate.