Documentation
¶
Index ¶
- Constants
- func CalculateDigest(path string) (string, error)
- func GenerateCodeScan(opts CodeScanOptions, outputFile string) error
- func GenerateDepscan(opts DependencyScanOptions, outputFile string) error
- func GenerateMetadata(opts Options, outputFile string) error
- func GenerateSourceReview(opts SourceReviewOptions, outputFile string) error
- func GenerateTestResult(opts TestResultOptions, outputFile string) error
- func GetEnvOrDefault(key, defaultValue string) string
- func GetGitHubToken() (string, error)
- func GetRequiredEnv(key string) (string, error)
- func ValidateCodeScan(data []byte) error
- func ValidateDepscan(data []byte) error
- func ValidateJSON(data []byte, schemaName string) error
- func ValidateMetadata(data []byte) error
- func ValidateSourceReview(data []byte) error
- func ValidateTestResult(data []byte) error
- type ArtifactType
- type CodeScan
- type CodeScanContext
- type CodeScanFinding
- type CodeScanInvocation
- type CodeScanLevelCounts
- type CodeScanLocation
- type CodeScanOptions
- type CodeScanSeverityCounts
- type CodeScanSummary
- type CodeScanTool
- type Config
- type Context
- type DependencyScan
- type DependencyScanOptions
- type GrypeResult
- type Metadata
- type Options
- type PolicyRepo
- type ResourceDescriptor
- type ReviewService
- type Runner
- type ScanResult
- type Severity
- type SourceReview
- type SourceReviewApprover
- type SourceReviewBranchProtection
- type SourceReviewOptions
- type SourceReviewPR
- type SourceReviewSummary
- type TestResult
- type TestResultOptions
Constants ¶
const ( // github EnvGitHubRepository = "GITHUB_REPOSITORY" EnvGitHubRepositoryID = "GITHUB_REPOSITORY_ID" EnvGitHubRepositoryOwner = "GITHUB_REPOSITORY_OWNER" EnvGitHubOwnerID = "GITHUB_REPOSITORY_OWNER_ID" EnvGitHubServerURL = "GITHUB_SERVER_URL" EnvGitHubSHA = "GITHUB_SHA" EnvGitHubRefName = "GITHUB_REF_NAME" EnvGitHubEventName = "GITHUB_EVENT_NAME" EnvGitHubActor = "GITHUB_ACTOR" EnvGitHubRunID = "GITHUB_RUN_ID" EnvGitHubRunNumber = "GITHUB_RUN_NUMBER" EnvGitHubWorkflowRef = "GITHUB_WORKFLOW_REF" EnvGitHubEventPath = "GITHUB_EVENT_PATH" EnvGitHubWorkflowInputs = "GITHUB_WORKFLOW_INPUTS" EnvGitHubJobStatus = "GITHUB_JOB_STATUS" // runner EnvRunnerOS = "RUNNER_OS" EnvRunnerArch = "RUNNER_ARCH" EnvRunnerEnvironment = "RUNNER_ENVIRONMENT" // tokens //nolint:gosec // These are environment variable names, not credentials EnvGitHubToken = "GITHUB_TOKEN" //nolint:gosec // These are environment variable names, not credentials EnvGHToken = "GH_TOKEN" // config EnvPolicyRepoOwner = "POLICY_REPO_OWNER" EnvPolicyRepoName = "POLICY_REPO_NAME" EnvPolicyVersion = "POLICY_VERSION" EnvSchemasPath = "SCHEMAS_PATH" // permissions EnvWorkflowPermissions = "WORKFLOW_PERMISSIONS" )
environment variable names
const ( TestResultPassed = "PASSED" TestResultWarned = "WARNED" TestResultFailed = "FAILED" )
Result values for the in-toto test-result predicate.
const ( ArtifactTypeBlob ArtifactType = "blob" ArtifactTypeContainerImage ArtifactType = "container-image" // MetadataPredicateTypeURI is the custom autogov predicate type for metadata attestations. MetadataPredicateTypeURI = "https://autogov.dev/attestation/metadata/v1" // DepscanPredicateTypeURI is the in-toto vulnerability predicate type. DepscanPredicateTypeURI = "https://in-toto.io/attestation/vulns/v0.2" // CodeScanPredicateTypeURI is the custom autogov code-scan predicate type. // No in-toto standard exists for SARIF/code-scanning results, so this mirrors // the metadata predicate precedent. Kept at v0.1 until the SARIF mapping soaks // against real scanner output — the URI is permanent once published. CodeScanPredicateTypeURI = "https://autogov.dev/attestation/code-scan/v0.1" )
const SourceReviewPredicateTypeURI = "https://autogov.dev/attestation/source-review/v0.1"
SourceReviewPredicateTypeURI is the custom autogov source-review predicate type. It records the human PR-review/approval evidence for the source revision that produced an artifact (SLSA source-track / two-person review). No in-toto or SLSA standard predicate exists for source review — SLSA's source track leaves it vendor-specific and gittuf/liatr.io both namespace their own — so this mirrors the metadata/code-scan precedent. Kept at v0.1 until the GitHub review mapping soaks; the URI is permanent once published.
const TestResultPredicateTypeURI = "https://in-toto.io/attestation/test-result/v0.1"
TestResultPredicateTypeURI is the in-toto test-result predicate type.
Variables ¶
This section is empty.
Functions ¶
func CalculateDigest ¶
CalculateDigest calculates the sha256 digest of a file or directory.
func GenerateCodeScan ¶ added in v0.27.0
func GenerateCodeScan(opts CodeScanOptions, outputFile string) error
GenerateCodeScan generates and validates a code-scan attestation predicate.
func GenerateDepscan ¶
func GenerateDepscan(opts DependencyScanOptions, outputFile string) error
GenerateDepscan generates a dependency scan attestation predicate.
func GenerateMetadata ¶
GenerateMetadata generates a metadata attestation predicate.
func GenerateSourceReview ¶ added in v0.28.0
func GenerateSourceReview(opts SourceReviewOptions, outputFile string) error
GenerateSourceReview generates and validates a source-review attestation predicate, fetching review evidence from the GitHub API.
func GenerateTestResult ¶ added in v0.26.0
func GenerateTestResult(opts TestResultOptions, outputFile string) error
GenerateTestResult generates an in-toto test-result attestation predicate from JUnit XML.
func GetEnvOrDefault ¶
GetEnvOrDefault returns the value of the environment variable or the default value.
func GetGitHubToken ¶
GetGitHubToken returns the GitHub token from environment variables.
func GetRequiredEnv ¶
GetRequiredEnv returns the value of a required environment variable or an error.
func ValidateCodeScan ¶ added in v0.27.0
ValidateCodeScan validates code-scan attestation data against its schema.
func ValidateDepscan ¶
ValidateDepscan validates dependency scan attestation data against its schema.
func ValidateJSON ¶
ValidateJSON validates JSON data against a named schema.
func ValidateMetadata ¶
ValidateMetadata validates metadata attestation data against its schema.
func ValidateSourceReview ¶ added in v0.28.0
ValidateSourceReview validates source-review attestation data against its schema.
func ValidateTestResult ¶ added in v0.26.0
ValidateTestResult validates test-result attestation data against its schema.
Types ¶
type ArtifactType ¶
type ArtifactType string
ArtifactType represents the type of artifact being attested.
type CodeScan ¶ added in v0.27.0
type CodeScan struct {
// subject-binding fields, not part of the predicate body
Type ArtifactType `json:"-"`
SubjectName string `json:"-"`
SubjectPath string `json:"-"`
Digest string `json:"-"`
Tools []CodeScanTool `json:"tools"`
Summary CodeScanSummary `json:"summary"`
Configuration []ResourceDescriptor `json:"configuration"`
Invocation CodeScanInvocation `json:"invocation"`
// FindingsIncluded is true when results[] is authoritative (every fail-kind
// finding is present). A policy may recompute over results[] only when
// findingsIncluded is true AND truncated is false; otherwise it must fall
// back to the summary counts.
FindingsIncluded bool `json:"findingsIncluded"`
// Truncated is true when results[] omits findings (excluded by default, or
// capped by --max-findings).
Truncated bool `json:"truncated"`
// ResultCount is the total number of fail-kind findings discovered, equal to
// summary.byLevel.total + summary.suppressed, regardless of how many findings
// are emitted in results[].
ResultCount int `json:"resultCount"`
Results []CodeScanFinding `json:"results,omitempty"`
ScanContext *CodeScanContext `json:"scanContext,omitempty"`
ScanStartedOn string `json:"scanStartedOn,omitempty"`
ScanFinishedOn string `json:"scanFinishedOn,omitempty"`
}
CodeScan is the predicate portion of an autogov code-scan attestation built from a SARIF 2.1.0 report (https://autogov.dev/attestation/code-scan/v0.1).
func NewCodeScan ¶ added in v0.27.0
func NewCodeScan(opts CodeScanOptions) (*CodeScan, error)
NewCodeScan builds a code-scan predicate from a SARIF 2.1.0 report.
type CodeScanContext ¶ added in v0.27.0
type CodeScanContext struct {
CommitSHA string `json:"commitSha,omitempty"`
Ref string `json:"ref,omitempty"`
URL string `json:"url,omitempty"`
}
CodeScanContext records the scanned source context.
type CodeScanFinding ¶ added in v0.27.0
type CodeScanFinding struct {
RuleID string `json:"ruleId"`
Tool string `json:"tool,omitempty"`
Level string `json:"level"`
Kind string `json:"kind"`
SecuritySeverity string `json:"securitySeverity,omitempty"`
SecuritySeverityLevel string `json:"securitySeverityLevel,omitempty"`
Message string `json:"message,omitempty"`
Location *CodeScanLocation `json:"location,omitempty"`
BaselineState string `json:"baselineState,omitempty"`
Suppressed bool `json:"suppressed"`
SuppressionKind string `json:"suppressionKind,omitempty"`
PartialFingerprints map[string]string `json:"partialFingerprints,omitempty"`
}
CodeScanFinding is a normalized SARIF result. Emitted only when findings are explicitly included (--include-findings); off by default so file paths, line numbers, and scanner messages are not baked into a permanent public artifact.
type CodeScanInvocation ¶ added in v0.27.0
type CodeScanInvocation struct {
ExecutionSuccessful bool `json:"executionSuccessful"`
}
CodeScanInvocation reports whether every SARIF invocation completed. executionSuccessful is the AND of all invocations; absent invocations are treated as successful (no evidence of an incomplete scan).
type CodeScanLevelCounts ¶ added in v0.27.0
type CodeScanLevelCounts struct {
Error int `json:"error"`
Warning int `json:"warning"`
Note int `json:"note"`
None int `json:"none"`
Total int `json:"total"`
}
CodeScanLevelCounts counts fail-kind findings by resolved SARIF level.
type CodeScanLocation ¶ added in v0.27.0
type CodeScanLocation struct {
URI string `json:"uri,omitempty"`
StartLine int `json:"startLine,omitempty"`
EndLine int `json:"endLine,omitempty"`
}
CodeScanLocation is the primary physical location of a finding.
type CodeScanOptions ¶ added in v0.27.0
type CodeScanOptions struct {
Type ArtifactType
SubjectName string
SubjectPath string
Digest string
ResultsPath string
IncludeFindings bool
MaxFindings int
ConfigURI string
CommitSHA string
Ref string
URL string
}
CodeScanOptions contains options for creating a code-scan predicate.
type CodeScanSeverityCounts ¶ added in v0.27.0
type CodeScanSeverityCounts struct {
Critical int `json:"critical"`
High int `json:"high"`
Medium int `json:"medium"`
Low int `json:"low"`
None int `json:"none"`
Total int `json:"total"`
}
CodeScanSeverityCounts counts fail-kind findings by security-severity bucket. None counts fail-kind findings lacking a numeric security-severity property.
type CodeScanSummary ¶ added in v0.27.0
type CodeScanSummary struct {
ByLevel CodeScanLevelCounts `json:"byLevel"`
BySecuritySeverity CodeScanSeverityCounts `json:"bySecuritySeverity"`
Suppressed int `json:"suppressed"`
New int `json:"new,omitempty"`
}
CodeScanSummary aggregates findings. byLevel and bySecuritySeverity count the SAME set (non-suppressed fail-kind findings) on two independent axes, so their totals are equal. suppressed counts fail-kind findings that were suppressed. new counts non-suppressed fail-kind findings whose baselineState is new or updated (the set gate_new_only would act on).
type CodeScanTool ¶ added in v0.27.0
type CodeScanTool struct {
Name string `json:"name"`
Version string `json:"version,omitempty"`
InformationURI string `json:"informationUri,omitempty"`
}
CodeScanTool identifies a scanner (one per SARIF run driver).
type Config ¶
type Config struct {
PolicyRepo PolicyRepo
SchemasPath string
}
Config holds application configuration.
func LoadConfig ¶
LoadConfig loads configuration from environment variables.
type Context ¶
type Context struct {
Repository string `json:"repository"`
RepositoryOwner string `json:"repository_owner"`
RepositoryID string `json:"repository_id"`
ServerURL string `json:"server_url"`
RepositoryOwnerID string `json:"repository_owner_id"`
WorkflowRef string `json:"workflow_ref"`
RefName string `json:"ref_name"`
EventName string `json:"event_name"`
SHA string `json:"sha"`
RunNumber string `json:"run_number"`
RunID string `json:"run_id"`
Actor string `json:"actor"`
Event struct {
WorkflowRun struct {
CreatedAt string `json:"created_at"`
} `json:"workflow_run"`
HeadCommit struct {
Timestamp string `json:"timestamp"`
} `json:"head_commit"`
} `json:"event"`
Inputs map[string]any `json:"inputs"`
JobStatus string `json:"job_status"`
Runner *Runner `json:"runner"`
Organization struct {
Name string `json:"name"`
} `json:"organization"`
}
Context represents the GitHub Actions runtime context.
func LoadGitHubContext ¶
LoadGitHubContext loads GitHub Actions context from environment variables.
type DependencyScan ¶
type DependencyScan struct {
Type ArtifactType `json:"-"`
SubjectName string `json:"-"`
SubjectPath string `json:"-"`
Digest string `json:"-"`
Scanner struct {
Name string `json:"name"`
URI string `json:"uri"`
Version string `json:"version"`
DB struct {
URI string `json:"uri"`
Version string `json:"version,omitempty"`
LastUpdate string `json:"lastUpdate,omitempty"`
} `json:"db"`
Result []ScanResult `json:"result"`
} `json:"scanner"`
Metadata struct {
ScanStartedOn string `json:"scanStartedOn"`
ScanFinishedOn string `json:"scanFinishedOn"`
} `json:"metadata,omitempty"`
}
DependencyScan represents the predicate portion of a dependency scan attestation.
func NewDependencyScan ¶
func NewDependencyScan(opts DependencyScanOptions) *DependencyScan
NewDependencyScan creates a new DependencyScan from options.
func (*DependencyScan) Generate ¶
func (s *DependencyScan) Generate() ([]byte, error)
Generate produces the JSON representation of the dependency scan predicate.
type DependencyScanOptions ¶
type DependencyScanOptions struct {
Type ArtifactType
SubjectName string
SubjectPath string
Digest string
ResultsPath string
StartedAt time.Time
FinishedAt time.Time
}
DependencyScanOptions contains options for creating a new dependency scan.
type GrypeResult ¶
type GrypeResult struct {
Descriptor struct {
Version string `json:"version"`
Timestamp string `json:"timestamp"`
DB struct {
Status *struct {
Built string `json:"built"`
SchemaVersion string `json:"schemaVersion"`
From string `json:"from,omitempty"`
} `json:"status,omitempty"`
} `json:"db"`
} `json:"descriptor"`
Matches []struct {
Vulnerability struct {
ID string `json:"id"`
Severity string `json:"severity"`
CVSS []struct {
Metrics struct {
BaseScore float64 `json:"baseScore"`
} `json:"metrics"`
} `json:"cvss"`
} `json:"vulnerability"`
} `json:"matches"`
}
GrypeResult represents Grype scan results.
type Metadata ¶
type Metadata struct {
Artifact struct {
Version string `json:"version"`
Created string `json:"created"`
Type string `json:"type"`
Registry string `json:"registry,omitempty"`
FullName string `json:"fullName,omitempty"`
Digest string `json:"digest,omitempty"`
Path string `json:"path,omitempty"`
} `json:"artifact"`
RepositoryData struct {
Repository string `json:"repository"`
RepositoryID string `json:"repositoryId"`
GitHubServerURL string `json:"githubServerURL"`
} `json:"repositoryData"`
OwnerData struct {
Owner string `json:"owner"`
OwnerID string `json:"ownerId"`
} `json:"ownerData"`
RunnerData struct {
OS string `json:"os"`
Arch string `json:"arch"`
Environment string `json:"environment"`
} `json:"runnerData"`
WorkflowData struct {
WorkflowRefPath string `json:"workflowRefPath"`
Inputs map[string]any `json:"inputs,omitempty"`
Branch string `json:"branch"`
Event string `json:"event"`
} `json:"workflowData"`
JobData struct {
RunNumber string `json:"runNumber"`
RunID string `json:"runId"`
Status string `json:"status"`
TriggeredBy string `json:"triggeredBy"`
StartedAt string `json:"startedAt"`
CompletedAt string `json:"completedAt"`
} `json:"jobData"`
CommitData struct {
SHA string `json:"sha"`
Timestamp string `json:"timestamp"`
} `json:"commitData"`
Organization struct {
Name string `json:"name"`
} `json:"organization"`
Compliance struct {
PolicyRef string `json:"policyRef"`
ControlIds []string `json:"controlIds"`
} `json:"compliance"`
Security struct {
Permissions map[string]string `json:"permissions"`
} `json:"security"`
}
Metadata represents the predicate portion of a metadata attestation.
func NewFromOptions ¶
NewFromOptions creates a new Metadata from the given options.
type Options ¶
type Options struct {
// artifact fields
Version string
Created time.Time
Type ArtifactType
Registry string
FullName string
SubjectPath string
Digest string
// repo fields
Repository string
RepositoryID string
GitHubServerURL string
// owner fields
Owner string
OwnerID string
// runner fields
OS string
Arch string
Environment string
// workflow fields
WorkflowRefPath string
Inputs map[string]any
Branch string
Event string
// job fields
RunNumber string
RunID string
Status string
TriggeredBy string
StartedAt time.Time
CompletedAt time.Time
// commit fields
SHA string
Timestamp time.Time
// org fields
OrgName string
// compliance fields
PolicyRef string
ControlIds []string
// permissions fields
Permissions map[string]string
}
Options contains all fields needed to generate a metadata predicate.
type PolicyRepo ¶
PolicyRepo represents policy repository configuration.
type ResourceDescriptor ¶ added in v0.26.0
type ResourceDescriptor struct {
Name string `json:"name,omitempty"`
URI string `json:"uri,omitempty"`
Digest map[string]string `json:"digest,omitempty"`
Content string `json:"content,omitempty"`
DownloadLocation string `json:"downloadLocation,omitempty"`
MediaType string `json:"mediaType,omitempty"`
Annotations map[string]any `json:"annotations,omitempty"`
}
ResourceDescriptor is an in-toto v1 ResourceDescriptor. Per spec a descriptor must specify at least one of uri, digest, or content.
type ReviewService ¶ added in v0.28.0
type ReviewService interface {
// ListPullRequestsWithCommit returns pull requests associated with a commit
// SHA. Documented quirk (go-github v88): if the SHA is not present in the
// repository's default branch, the result includes ONLY open pull requests —
// so a release-branch/tag build can return zero merged PRs even though the
// change was reviewed. NewSourceReview treats that as incompleteness, not a
// definitive direct push.
ListPullRequestsWithCommit(ctx context.Context, owner, repo, sha string, opts *gh.ListOptions) ([]*gh.PullRequest, *gh.Response, error)
// ListReviews lists all reviews on a pull request (paginated).
ListReviews(ctx context.Context, owner, repo string, number int, opts *gh.ListOptions) ([]*gh.PullRequestReview, *gh.Response, error)
// GetBranchProtection returns classic branch protection. Needs admin /
// Administration:read; a 404 means no protection (not an error condition).
GetBranchProtection(ctx context.Context, owner, repo, branch string) (*gh.Protection, *gh.Response, error)
// ListRulesForBranch returns the repository rules (rulesets) active for a
// branch. Readable without admin — the no-admin path to the required-review
// threshold.
ListRulesForBranch(ctx context.Context, owner, repo, branch string, opts *gh.ListOptions) (*gh.BranchRules, *gh.Response, error)
}
ReviewService abstracts the GitHub REST calls the source-review predicate needs, so NewSourceReview is unit-testable without a live API (mirrors ReleaseService in pkg/release/cut.go). All four methods are REST-only; v0.1 adds no GraphQL/githubv4 dependency (see the source-review design).
func NewGitHubReviewService ¶ added in v0.28.0
func NewGitHubReviewService(client *gh.Client) ReviewService
NewGitHubReviewService wraps a go-github client as a ReviewService.
type Runner ¶
type Runner struct {
OS string `json:"os"`
Arch string `json:"arch"`
Environment string `json:"environment"`
}
Runner represents GitHub Actions runner info.
type ScanResult ¶
ScanResult represents a single vulnerability finding.
type SourceReview ¶ added in v0.28.0
type SourceReview struct {
// subject-binding fields, not part of the predicate body
Type ArtifactType `json:"-"`
SubjectName string `json:"-"`
SubjectPath string `json:"-"`
Digest string `json:"-"`
SourceRepository string `json:"sourceRepository"`
SourceRevision string `json:"sourceRevision"`
Ref string `json:"ref,omitempty"`
PullRequest *SourceReviewPR `json:"pullRequest,omitempty"`
Summary SourceReviewSummary `json:"summary"`
// ApproversIncluded is true when approvers[] is authoritative (every
// qualifying reviewer is present). The gate may recompute over approvers[]
// only when this is true; otherwise it must use the summary counts and fail
// closed if a per-reviewer filter it cannot satisfy is requested.
ApproversIncluded bool `json:"approversIncluded"`
Approvers []SourceReviewApprover `json:"approvers,omitempty"`
BranchProtection *SourceReviewBranchProtection `json:"branchProtection,omitempty"`
// ReviewDecision is reserved for an optional best-effort GraphQL enrichment
// (pullRequest.reviewDecision). It is INFORMATIONAL ONLY and never a basis for
// PASS. v0.1 adds no GraphQL client, so it is always empty here.
ReviewDecision string `json:"reviewDecision,omitempty"`
Configuration []ResourceDescriptor `json:"configuration"`
// ReviewToolingComplete is false when the review evidence could not be fully
// gathered (PRs/reviews unfetchable, or no merged PR resolved — which covers
// both a genuine direct push and the ListPullRequestsWithCommit default-branch
// quirk). Mirrors code-scan's invocation.executionSuccessful: the gate fails
// this closed by default.
ReviewToolingComplete bool `json:"reviewToolingComplete"`
}
SourceReview is the predicate portion of an autogov source-review attestation (https://autogov.dev/attestation/source-review/v0.1).
func NewSourceReview ¶ added in v0.28.0
func NewSourceReview(ctx context.Context, svc ReviewService, opts SourceReviewOptions) (*SourceReview, error)
NewSourceReview builds a source-review predicate from GitHub review evidence, implementing the locked review algorithm + GATE SEMANTICS. svc is injected for testability.
func (*SourceReview) Generate ¶ added in v0.28.0
func (c *SourceReview) Generate() ([]byte, error)
Generate produces the JSON representation of the source-review predicate.
type SourceReviewApprover ¶ added in v0.28.0
type SourceReviewApprover struct {
Login string `json:"login"`
Association string `json:"association,omitempty"`
SubmittedAt string `json:"submittedAt,omitempty"`
CommitID string `json:"commitId,omitempty"`
Stale bool `json:"stale"`
IsBot bool `json:"isBot"`
}
SourceReviewApprover is one distinct reviewer whose latest opinionated review state is APPROVED (the PR author is never included). stale and isBot are recorded so the gate can recompute/verify the count rather than trust a producer-asserted summary boolean.
type SourceReviewBranchProtection ¶ added in v0.28.0
type SourceReviewBranchProtection struct {
RequireReviews bool `json:"requireReviews"`
RequiredApprovingReviewCount int `json:"requiredApprovingReviewCount"`
DismissStaleReviews bool `json:"dismissStaleReviews"`
RequireCodeownerReview bool `json:"requireCodeownerReview"`
// RequireLastPushApproval records GitHub's "last push must be approved by
// someone other than the pusher" control. v0.1 enforces the on-head-commit
// half via staleness (an approval not on the PR head does not count); the
// "approver != last pusher" nuance requires push authorship not fetched here,
// so it is recorded as evidence and left for a future version.
RequireLastPushApproval bool `json:"requireLastPushApproval"`
}
SourceReviewBranchProtection records the review controls discovered on the target branch (best-effort; omitted when none is visible). Evidence for the required count; the gate bars on its own configured min_approvals.
type SourceReviewOptions ¶ added in v0.28.0
type SourceReviewOptions struct {
Type ArtifactType
SubjectName string
SubjectPath string
Digest string
Owner string
Repo string
CommitSHA string // the canonical source revision (merge/squash commit on the target branch)
Ref string // target branch ref of the artifact build
PRNumber int // optional disambiguation hint; 0 = auto-discover from the commit
IncludeApprovers bool // default on; embeds the per-approver list
ConfigURI string
}
SourceReviewOptions contains options for creating a source-review predicate.
type SourceReviewPR ¶ added in v0.28.0
type SourceReviewPR struct {
Number int `json:"number"`
URL string `json:"url,omitempty"`
Author string `json:"author,omitempty"`
MergedAt string `json:"mergedAt,omitempty"`
MergeCommitSha string `json:"mergeCommitSha,omitempty"`
}
SourceReviewPR captures the pull request whose merge produced the source revision. Omitted entirely when no merged PR is resolved.
type SourceReviewSummary ¶ added in v0.28.0
type SourceReviewSummary struct {
Approvals int `json:"approvals"`
DistinctApprovers int `json:"distinctApprovers"`
ChangesRequested int `json:"changesRequested"`
RequiredApprovals int `json:"requiredApprovals"`
RequirementMet bool `json:"requirementMet"`
SelfApprovalExcluded bool `json:"selfApprovalExcluded"`
// CodeownerReviewMet is tri-state: a nil pointer (JSON null) means "not
// authoritatively determinable" — REST-only cannot reliably evaluate
// CODEOWNERS, so v0.1 always leaves it null. The gate treats null as
// undetermined and fails closed when codeowner review is required.
CodeownerReviewMet *bool `json:"codeownerReviewMet"`
}
SourceReviewSummary is always populated, even when approvers[] is omitted, so an operator can gate without the approver list. The booleans are EVIDENCE, never gate inputs: pass/fail derives only from the numeric counts (see the gating policy). distinctApprovers is the STRICTEST count (author, stale, dismissed, changes-requested, and bot reviewers excluded).
type TestResult ¶ added in v0.26.0
type TestResult struct {
Type ArtifactType `json:"-"`
SubjectName string `json:"-"`
SubjectPath string `json:"-"`
Digest string `json:"-"`
// Result is one of PASSED, WARNED, or FAILED.
Result string `json:"result"`
// Configuration references the configuration used for the test run. Required
// by the spec; may be an empty list when no configuration is referenced.
Configuration []ResourceDescriptor `json:"configuration"`
// URL optionally links to the test run (e.g. logs).
URL string `json:"url,omitempty"`
// PassedTests, WarnedTests, FailedTests hold test identifiers by outcome.
// Skipped tests map to warnedTests. Never null (empty arrays preferred).
PassedTests []string `json:"passedTests"`
WarnedTests []string `json:"warnedTests"`
FailedTests []string `json:"failedTests"`
}
TestResult represents the predicate portion of an in-toto test-result attestation (https://in-toto.io/attestation/test-result/v0.1).
func NewTestResult ¶ added in v0.26.0
func NewTestResult(opts TestResultOptions) (*TestResult, error)
NewTestResult builds an in-toto test-result predicate from JUnit XML.
func (*TestResult) Generate ¶ added in v0.26.0
func (t *TestResult) Generate() ([]byte, error)
Generate produces the JSON representation of the test-result predicate.
type TestResultOptions ¶ added in v0.26.0
type TestResultOptions struct {
Type ArtifactType
SubjectName string
SubjectPath string
Digest string
ResultsPath string
URL string
ConfigURI string
}
TestResultOptions contains options for creating a test-result predicate.