Documentation
¶
Overview ¶
provides types, structures, and generation functions for Verification Summary Attestations.
Index ¶
- Variables
- func ExtractSLSALevels(levels []string) []string
- func Generate(ctx context.Context, opts GenerateOptions) error
- func IsSLSATrackLevel(level string) bool
- func WriteToFile(vsa *VSA, outputPath string) error
- type Dependency
- type DigestSet
- type GenerateOptions
- type ResourceDescriptor
- type SLSATrackLevels
- type SourceVSAOptions
- type VSA
- func GenerateSourceVSA(opts SourceVSAOptions) (*VSA, error)
- func GenerateVSA(imageRef string, policyURI string, verificationResults map[string]bool) (*VSA, error)
- func GenerateVSAWithOptions(imageRef string, policyURI string, verificationResults map[string]bool, ...) (*VSA, error)
- func GenerateVSAWithSubjects(imageRef string, subjects []VSASubject, policyURI string, ...) (*VSA, error)
- func ValidateVSA(vsaBytes []byte) (*VSA, error)
- type VSAError
- type VSALevel
- type VSAOptions
- type VSAPolicy
- type VSAPredicate
- type VSASubject
- type VSAVerifier
Constants ¶
This section is empty.
Variables ¶
var ( ErrInvalidDigest = &VSAError{Type: "validation", Field: "digest", Message: "invalid digest format or value"} ErrMismatchVerifier = &VSAError{Type: "validation", Field: "verifier", Message: "verifier ID mismatch"} ErrInvalidSLSALevel = &VSAError{Type: "validation", Field: "verifiedLevels", Message: "invalid SLSA level format"} ErrMissingRequiredField = &VSAError{Type: "validation", Field: "required", Message: "missing required field"} ErrInvalidVerificationResult = &VSAError{Type: "validation", Field: "verificationResult", Message: "invalid verification result"} ErrInvalidResourceURI = &VSAError{Type: "validation", Field: "resourceUri", Message: "invalid resource URI"} ErrInvalidPredicateType = &VSAError{Type: "validation", Field: "predicateType", Message: "invalid predicate type"} ErrInvalidStatementType = &VSAError{Type: "validation", Field: "_type", Message: "invalid statement type"} )
error types
Functions ¶
func ExtractSLSALevels ¶
extracts valid SLSA levels from a string slice
func Generate ¶
func Generate(ctx context.Context, opts GenerateOptions) error
creates a VSA after successful attestation verification
func IsSLSATrackLevel ¶
checks if a level string is a valid SLSA track level
func WriteToFile ¶
writes a VSA to a file in JSON format
Types ¶
type Dependency ¶
type Dependency struct {
Name string `json:"name"`
Digest map[string]string `json:"digest"`
URI string `json:"uri,omitempty"`
VerifiedLevel string `json:"verifiedLevel,omitempty"`
}
represents a software dependency for SLSA level analysis
type GenerateOptions ¶
type GenerateOptions struct {
ArtifactDigest string
VSASubjects []VSASubject
InputAttestations []ResourceDescriptor
AttestationTypes []string
Signatures []oci.Signature
PolicyURI string
VSAOutput string
PolicyBundlePath string
PolicySchemasPath string
PolicyDataPath string
Quiet bool
Version string
OpaVersion string
}
contains options for VSA generation
type ResourceDescriptor ¶
type ResourceDescriptor struct {
URI string `json:"uri,omitempty"`
Digest map[string]string `json:"digest,omitempty"`
}
a resource with URI and digest
type SLSATrackLevels ¶
SLSA tracks and their levels
func ExtractSLSATrackLevels ¶
func ExtractSLSATrackLevels(trackLevels []string) (SLSATrackLevels, error)
parses SLSA track levels from a list of strings
type SourceVSAOptions ¶ added in v0.30.0
type SourceVSAOptions struct {
// RepoURI is the source repository (becomes resourceUri and subject name).
RepoURI string
// Commit is the verified git revision SHA (becomes the subject gitCommit digest).
Commit string
// SourceLevel is the highest SLSA_SOURCE_LEVEL_n the evidence supports.
SourceLevel string
// AdditionalLevels are non-numbered source-track assertions the verifier can
// vouch for (e.g. a review-control annotation). These sit alongside the
// numbered level in verifiedLevels per the source-track VSA spec, which
// allows additional properties.
AdditionalLevels []string
// Passed is the overall verification result.
Passed bool
// PolicyURI identifies the policy the verification was performed against.
PolicyURI string
// PolicyDigest is the optional digest of that policy.
PolicyDigest map[string]string
// InputAttestations are the bundles this VSA summarizes.
InputAttestations []ResourceDescriptor
// AdditionalVerifiers records the verifying tool versions.
AdditionalVerifiers map[string]string
}
SourceVSAOptions configures a standards-shaped SLSA Source VSA.
A Source VSA is a verification_summary/v1 statement whose subject is the source revision (the repo at a git commit) rather than a build artifact. See https://slsa.dev/spec/v1.2-rc1/verifying-source and the source-track level definitions at https://slsa.dev/spec/v1.2/source-requirements.
type VSA ¶
type VSA struct {
Type string `json:"_type"`
PredicateType string `json:"predicateType"`
Subject []VSASubject `json:"subject"`
Predicate VSAPredicate `json:"predicate"`
Metadata map[string]interface{} `json:"metadata,omitempty"`
}
Verification Summary Attestation based on the in-toto VSA specification / SLSA v1.1
func GenerateSourceVSA ¶ added in v0.30.0
func GenerateSourceVSA(opts SourceVSAOptions) (*VSA, error)
GenerateSourceVSA builds a standards-shaped SLSA Source VSA.
Per the source track, the subject is the revision (repo + gitCommit digest), resourceUri is the repository, and verifiedLevels MUST contain only the highest SLSA source level met. The source control system is the expected issuer of a Source VSA; autogov issues it here as a downstream verifier and records that in verifier.id (see the issuer note in the docs).
func GenerateVSA ¶
func GenerateVSA(imageRef string, policyURI string, verificationResults map[string]bool) (*VSA, error)
creates a VSA for successful AutoGov validation calls GenerateVSAWithOptions w/ default options
func GenerateVSAWithOptions ¶
func GenerateVSAWithOptions(imageRef string, policyURI string, verificationResults map[string]bool, opts VSAOptions) (*VSA, error)
creates a VSA w/ opts
func GenerateVSAWithSubjects ¶
func GenerateVSAWithSubjects(imageRef string, subjects []VSASubject, policyURI string, verificationResults map[string]bool, opts VSAOptions) (*VSA, error)
creates a VSA with multiple subjects
func ValidateVSA ¶
validates an existing VSA (SLSA v1.1 compliant)
func (*VSA) GetSupportedDigestAlgorithms ¶
returns the digest algorithms present in VSA subjects
func (*VSA) IsVerificationPassed ¶
checks if the VSA indicates successful verification
func (*VSA) ValidateComprehensive ¶
performs comprehensive VSA validation
func (*VSA) ValidateDigestFormats ¶
validates that all digests in VSA subjects have proper format
func (*VSA) ValidateDigests ¶
validates that expected digests are present in VSA subjects multiple digest formats: sha256:abc123, sha1:def456, etc. are supported
type VSAError ¶
structured error for VSA operations
func NewParsingError ¶
creates a parsing error
func NewVSAError ¶
creates a new VSA error with the specified details
func NewValidationError ¶
creates a validation error
type VSALevel ¶
type VSALevel struct {
Level string `json:"level"` // e.g., "SLSA_BUILD_LEVEL_3"
Track string `json:"track,omitempty"` // e.g., "BUILD", "SOURCE"
}
represents a verified SLSA level (for internal use only) actual VSA predicate uses string array for verifiedLevels per spec
func (*VSALevel) UnmarshalJSON ¶
implements custom JSON unmarshaling for backward compatibility both string format (legacy) and object format (new) are supported
type VSAOptions ¶
type VSAOptions struct {
Subjects []VSASubject `json:"subjects,omitempty"`
InputAttestations []ResourceDescriptor `json:"inputAttestations,omitempty"`
PolicyDigest map[string]string `json:"policyDigest,omitempty"`
Dependencies []Dependency `json:"dependencies,omitempty"`
AdditionalVerifiers map[string]string `json:"additionalVerifiers,omitempty"`
}
provides config
type VSAPolicy ¶
type VSAPolicy struct {
Content string `json:"content,omitempty"` // Policy content (e.g., Datalog, Rego)
URI string `json:"uri,omitempty"` // Policy URI
Digest map[string]string `json:"digest,omitempty"` // Policy digest
}
policy information (supports both content and URI)
type VSAPredicate ¶
type VSAPredicate struct {
Verifier VSAVerifier `json:"verifier"`
TimeVerified string `json:"timeVerified"`
ResourceURI string `json:"resourceUri"`
Policy VSAPolicy `json:"policy"`
InputAttestations []ResourceDescriptor `json:"inputAttestations,omitempty"`
VerificationResult string `json:"verificationResult"`
VerifiedLevels []string `json:"verifiedLevels,omitempty"`
DependencyLevels map[string]uint64 `json:"dependencyLevels,omitempty"`
SlsaVersion string `json:"slsaVersion,omitempty"`
}