source

package
v0.29.6 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jun 24, 2026 License: Apache-2.0 Imports: 8 Imported by: 0

Documentation

Overview

Package source provides verification of SLSA source provenance attestations. It validates Sigstore bundles containing source provenance predicates, checking repository URI, commit SHA, and computing SLSA Source Track levels.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func ComputeSLSASourceLevel

func ComputeSLSASourceLevel(signatureVerified bool, pred SourceProvenancePredicate) string

ComputeSLSASourceLevel evaluates the SLSA Source Track level based on the predicate.

L1: Version controlled + provenance exists L2: Provenance is cryptographically verified (signatureVerified must be true) L3: Verified provenance from two-party review (branch protection claims)

Types

type SourceProvenancePredicate

type SourceProvenancePredicate struct {
	BuildDefinition struct {
		BuildType          string `json:"buildType"`
		ExternalParameters struct {
			Repository string `json:"repository"`
			Ref        string `json:"ref"`
			Workflow   struct {
				Repository string `json:"repository"`
				Ref        string `json:"ref"`
				Path       string `json:"path"`
			} `json:"workflow"`
		} `json:"externalParameters"`
		ResolvedDependencies []struct {
			URI    string            `json:"uri"`
			Digest map[string]string `json:"digest"`
		} `json:"resolvedDependencies"`
	} `json:"buildDefinition"`
	RunDetails struct {
		Builder struct {
			ID string `json:"id"`
		} `json:"builder"`
		Metadata struct {
			InvocationID string `json:"invocationId"`
			StartedOn    string `json:"startedOn"`
		} `json:"metadata"`
	} `json:"runDetails"`
}

SourceProvenancePredicate represents relevant fields from a SLSA provenance predicate used for source provenance verification.

type VerificationResult

type VerificationResult struct {
	Verified        bool              `json:"verified"`
	RepoURI         string            `json:"repo_uri,omitempty"`
	Commit          string            `json:"commit,omitempty"`
	SourceRef       string            `json:"source_ref,omitempty"`
	SLSASourceLevel string            `json:"slsa_source_level,omitempty"`
	BuilderID       string            `json:"builder_id,omitempty"`
	Claims          map[string]string `json:"claims,omitempty"`
	ErrorMsg        string            `json:"error,omitempty"`
	Warnings        []string          `json:"warnings,omitempty"`
}

VerificationResult holds the outcome of source provenance verification.

func VerifySourceProvenance

func VerifySourceProvenance(bundlePath string, opts VerifyOptions) (*VerificationResult, error)

VerifySourceProvenance verifies a Sigstore bundle containing source provenance. It validates the bundle signature, extracts the in-toto statement, and checks that the repo URI and commit SHA match the expected values.

type VerifyOptions

type VerifyOptions struct {
	// RepoURI is the expected source repository URI.
	RepoURI string
	// Commit is the expected source commit SHA.
	Commit string
	// SourceRef is the expected source ref (e.g., refs/heads/main). Optional.
	SourceRef string
	// CertIdentity is the expected OIDC subject in the signing certificate.
	CertIdentity string
	// CertIssuer is the expected OIDC issuer URL.
	CertIssuer string
}

VerifyOptions configures source provenance verification.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL