predicate

package
v0.32.5 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jun 26, 2026 License: Apache-2.0 Imports: 18 Imported by: 0

Documentation

Index

Constants

View Source
const (
	// github
	EnvGitHubRepository      = "GITHUB_REPOSITORY"
	EnvGitHubRepositoryID    = "GITHUB_REPOSITORY_ID"
	EnvGitHubRepositoryOwner = "GITHUB_REPOSITORY_OWNER"
	EnvGitHubOwnerID         = "GITHUB_REPOSITORY_OWNER_ID"
	EnvGitHubServerURL       = "GITHUB_SERVER_URL"
	EnvGitHubSHA             = "GITHUB_SHA"
	EnvGitHubRefName         = "GITHUB_REF_NAME"
	EnvGitHubEventName       = "GITHUB_EVENT_NAME"
	EnvGitHubActor           = "GITHUB_ACTOR"
	EnvGitHubRunID           = "GITHUB_RUN_ID"
	EnvGitHubRunNumber       = "GITHUB_RUN_NUMBER"
	EnvGitHubWorkflowRef     = "GITHUB_WORKFLOW_REF"
	EnvGitHubEventPath       = "GITHUB_EVENT_PATH"
	EnvGitHubWorkflowInputs  = "GITHUB_WORKFLOW_INPUTS"
	EnvGitHubJobStatus       = "GITHUB_JOB_STATUS"

	// runner
	EnvRunnerOS          = "RUNNER_OS"
	EnvRunnerArch        = "RUNNER_ARCH"
	EnvRunnerEnvironment = "RUNNER_ENVIRONMENT"

	// tokens
	//nolint:gosec // These are environment variable names, not credentials
	EnvGitHubToken = "GITHUB_TOKEN"
	//nolint:gosec // These are environment variable names, not credentials
	EnvGHToken = "GH_TOKEN"

	// config
	EnvPolicyRepoOwner = "POLICY_REPO_OWNER"
	EnvPolicyRepoName  = "POLICY_REPO_NAME"
	EnvPolicyVersion   = "POLICY_VERSION"
	EnvSchemasPath     = "SCHEMAS_PATH"

	// permissions
	EnvWorkflowPermissions = "WORKFLOW_PERMISSIONS"
)

environment variable names

View Source
const (
	TestResultPassed = "PASSED"
	TestResultWarned = "WARNED"
	TestResultFailed = "FAILED"
)

Result values for the in-toto test-result predicate.

View Source
const (
	ArtifactTypeBlob           ArtifactType = "blob"
	ArtifactTypeContainerImage ArtifactType = "container-image"

	// MetadataPredicateTypeURI is the custom autogov predicate type for metadata attestations.
	MetadataPredicateTypeURI = "https://autogov.dev/attestation/metadata/v1"

	// DepscanPredicateTypeURI is the in-toto vulnerability predicate type.
	DepscanPredicateTypeURI = "https://in-toto.io/attestation/vulns/v0.2"

	// CodeScanPredicateTypeURI is the custom autogov code-scan predicate type.
	// No in-toto standard exists for SARIF/code-scanning results, so this mirrors
	// the metadata predicate precedent. Kept at v0.1 until the SARIF mapping soaks
	// against real scanner output — the URI is permanent once published.
	CodeScanPredicateTypeURI = "https://autogov.dev/attestation/code-scan/v0.1"
)
View Source
const SourceReviewPredicateTypeURI = "https://autogov.dev/attestation/source-review/v0.1"

SourceReviewPredicateTypeURI is the custom autogov source-review predicate type. It records the human PR-review/approval evidence for the source revision that produced an artifact (SLSA source-track / two-person review). No in-toto or SLSA standard predicate exists for source review — SLSA's source track leaves it vendor-specific and gittuf/liatr.io both namespace their own — so this mirrors the metadata/code-scan precedent. Kept at v0.1 until the GitHub review mapping soaks; the URI is permanent once published.

View Source
const TestResultPredicateTypeURI = "https://in-toto.io/attestation/test-result/v0.1"

TestResultPredicateTypeURI is the in-toto test-result predicate type.

Variables

This section is empty.

Functions

func CalculateDigest

func CalculateDigest(path string) (string, error)

CalculateDigest calculates the sha256 digest of a file or directory.

func GenerateCodeScan added in v0.27.0

func GenerateCodeScan(opts CodeScanOptions, outputFile string) error

GenerateCodeScan generates and validates a code-scan attestation predicate.

func GenerateDepscan

func GenerateDepscan(opts DependencyScanOptions, outputFile string) error

GenerateDepscan generates a dependency scan attestation predicate.

func GenerateMetadata

func GenerateMetadata(opts Options, outputFile string) error

GenerateMetadata generates a metadata attestation predicate.

func GenerateSourceReview added in v0.28.0

func GenerateSourceReview(opts SourceReviewOptions, outputFile string) error

GenerateSourceReview generates and validates a source-review attestation predicate, fetching review evidence from the GitHub API.

func GenerateTestResult added in v0.26.0

func GenerateTestResult(opts TestResultOptions, outputFile string) error

GenerateTestResult generates an in-toto test-result attestation predicate from JUnit XML.

func GetEnvOrDefault

func GetEnvOrDefault(key, defaultValue string) string

GetEnvOrDefault returns the value of the environment variable or the default value.

func GetGitHubToken

func GetGitHubToken() (string, error)

GetGitHubToken returns the GitHub token from environment variables.

func GetRequiredEnv

func GetRequiredEnv(key string) (string, error)

GetRequiredEnv returns the value of a required environment variable or an error.

func ValidateCodeScan added in v0.27.0

func ValidateCodeScan(data []byte) error

ValidateCodeScan validates code-scan attestation data against its schema.

func ValidateDepscan

func ValidateDepscan(data []byte) error

ValidateDepscan validates dependency scan attestation data against its schema.

func ValidateJSON

func ValidateJSON(data []byte, schemaName string) error

ValidateJSON validates JSON data against a named schema.

func ValidateMetadata

func ValidateMetadata(data []byte) error

ValidateMetadata validates metadata attestation data against its schema.

func ValidateSourceReview added in v0.28.0

func ValidateSourceReview(data []byte) error

ValidateSourceReview validates source-review attestation data against its schema.

func ValidateTestResult added in v0.26.0

func ValidateTestResult(data []byte) error

ValidateTestResult validates test-result attestation data against its schema.

Types

type ArtifactType

type ArtifactType string

ArtifactType represents the type of artifact being attested.

type CodeScan added in v0.27.0

type CodeScan struct {
	// subject-binding fields, not part of the predicate body
	Type        ArtifactType `json:"-"`
	SubjectName string       `json:"-"`
	SubjectPath string       `json:"-"`
	Digest      string       `json:"-"`

	Tools         []CodeScanTool       `json:"tools"`
	Summary       CodeScanSummary      `json:"summary"`
	Configuration []ResourceDescriptor `json:"configuration"`
	Invocation    CodeScanInvocation   `json:"invocation"`
	// FindingsIncluded is true when results[] is authoritative (every fail-kind
	// finding is present). A policy may recompute over results[] only when
	// findingsIncluded is true AND truncated is false; otherwise it must fall
	// back to the summary counts.
	FindingsIncluded bool `json:"findingsIncluded"`
	// Truncated is true when results[] omits findings (excluded by default, or
	// capped by --max-findings).
	Truncated bool `json:"truncated"`
	// ResultCount is the total number of fail-kind findings discovered, equal to
	// summary.byLevel.total + summary.suppressed, regardless of how many findings
	// are emitted in results[].
	ResultCount int `json:"resultCount"`

	Results        []CodeScanFinding `json:"results,omitempty"`
	ScanContext    *CodeScanContext  `json:"scanContext,omitempty"`
	ScanStartedOn  string            `json:"scanStartedOn,omitempty"`
	ScanFinishedOn string            `json:"scanFinishedOn,omitempty"`
}

CodeScan is the predicate portion of an autogov code-scan attestation built from a SARIF 2.1.0 report (https://autogov.dev/attestation/code-scan/v0.1).

func NewCodeScan added in v0.27.0

func NewCodeScan(opts CodeScanOptions) (*CodeScan, error)

NewCodeScan builds a code-scan predicate from a SARIF 2.1.0 report.

func (*CodeScan) Generate added in v0.27.0

func (c *CodeScan) Generate() ([]byte, error)

Generate produces the JSON representation of the code-scan predicate.

type CodeScanContext added in v0.27.0

type CodeScanContext struct {
	CommitSHA string `json:"commitSha,omitempty"`
	Ref       string `json:"ref,omitempty"`
	URL       string `json:"url,omitempty"`
}

CodeScanContext records the scanned source context.

type CodeScanFinding added in v0.27.0

type CodeScanFinding struct {
	RuleID                string            `json:"ruleId"`
	Tool                  string            `json:"tool,omitempty"`
	Level                 string            `json:"level"`
	Kind                  string            `json:"kind"`
	SecuritySeverity      string            `json:"securitySeverity,omitempty"`
	SecuritySeverityLevel string            `json:"securitySeverityLevel,omitempty"`
	Message               string            `json:"message,omitempty"`
	Location              *CodeScanLocation `json:"location,omitempty"`
	BaselineState         string            `json:"baselineState,omitempty"`
	Suppressed            bool              `json:"suppressed"`
	SuppressionKind       string            `json:"suppressionKind,omitempty"`
	PartialFingerprints   map[string]string `json:"partialFingerprints,omitempty"`
}

CodeScanFinding is a normalized SARIF result. Emitted only when findings are explicitly included (--include-findings); off by default so file paths, line numbers, and scanner messages are not baked into a permanent public artifact.

type CodeScanInvocation added in v0.27.0

type CodeScanInvocation struct {
	ExecutionSuccessful bool `json:"executionSuccessful"`
}

CodeScanInvocation reports whether every SARIF invocation completed. executionSuccessful is the AND of all invocations; absent invocations are treated as successful (no evidence of an incomplete scan).

type CodeScanLevelCounts added in v0.27.0

type CodeScanLevelCounts struct {
	Error   int `json:"error"`
	Warning int `json:"warning"`
	Note    int `json:"note"`
	None    int `json:"none"`
	Total   int `json:"total"`
}

CodeScanLevelCounts counts fail-kind findings by resolved SARIF level.

type CodeScanLocation added in v0.27.0

type CodeScanLocation struct {
	URI       string `json:"uri,omitempty"`
	StartLine int    `json:"startLine,omitempty"`
	EndLine   int    `json:"endLine,omitempty"`
}

CodeScanLocation is the primary physical location of a finding.

type CodeScanOptions added in v0.27.0

type CodeScanOptions struct {
	Type            ArtifactType
	SubjectName     string
	SubjectPath     string
	Digest          string
	ResultsPath     string
	IncludeFindings bool
	MaxFindings     int
	ConfigURI       string
	CommitSHA       string
	Ref             string
	URL             string
}

CodeScanOptions contains options for creating a code-scan predicate.

type CodeScanSeverityCounts added in v0.27.0

type CodeScanSeverityCounts struct {
	Critical int `json:"critical"`
	High     int `json:"high"`
	Medium   int `json:"medium"`
	Low      int `json:"low"`
	None     int `json:"none"`
	Total    int `json:"total"`
}

CodeScanSeverityCounts counts fail-kind findings by security-severity bucket. None counts fail-kind findings lacking a numeric security-severity property.

type CodeScanSummary added in v0.27.0

type CodeScanSummary struct {
	ByLevel            CodeScanLevelCounts    `json:"byLevel"`
	BySecuritySeverity CodeScanSeverityCounts `json:"bySecuritySeverity"`
	Suppressed         int                    `json:"suppressed"`
	New                int                    `json:"new,omitempty"`
}

CodeScanSummary aggregates findings. byLevel and bySecuritySeverity count the SAME set (non-suppressed fail-kind findings) on two independent axes, so their totals are equal. suppressed counts fail-kind findings that were suppressed. new counts non-suppressed fail-kind findings whose baselineState is new or updated (the set gate_new_only would act on).

type CodeScanTool added in v0.27.0

type CodeScanTool struct {
	Name           string `json:"name"`
	Version        string `json:"version,omitempty"`
	InformationURI string `json:"informationUri,omitempty"`
}

CodeScanTool identifies a scanner (one per SARIF run driver).

type Config

type Config struct {
	PolicyRepo  PolicyRepo
	SchemasPath string
}

Config holds application configuration.

func LoadConfig

func LoadConfig() (*Config, error)

LoadConfig loads configuration from environment variables.

type Context

type Context struct {
	Repository        string `json:"repository"`
	RepositoryOwner   string `json:"repository_owner"`
	RepositoryID      string `json:"repository_id"`
	ServerURL         string `json:"server_url"`
	RepositoryOwnerID string `json:"repository_owner_id"`
	WorkflowRef       string `json:"workflow_ref"`
	RefName           string `json:"ref_name"`
	EventName         string `json:"event_name"`
	SHA               string `json:"sha"`
	RunNumber         string `json:"run_number"`
	RunID             string `json:"run_id"`
	Actor             string `json:"actor"`

	Event struct {
		WorkflowRun struct {
			CreatedAt string `json:"created_at"`
		} `json:"workflow_run"`
		HeadCommit struct {
			Timestamp string `json:"timestamp"`
		} `json:"head_commit"`
	} `json:"event"`

	Inputs    map[string]any `json:"inputs"`
	JobStatus string         `json:"job_status"`
	Runner    *Runner        `json:"runner"`

	Organization struct {
		Name string `json:"name"`
	} `json:"organization"`
}

Context represents the GitHub Actions runtime context.

func LoadGitHubContext

func LoadGitHubContext() (*Context, error)

LoadGitHubContext loads GitHub Actions context from environment variables.

type DependencyScan

type DependencyScan struct {
	Type        ArtifactType `json:"-"`
	SubjectName string       `json:"-"`
	SubjectPath string       `json:"-"`
	Digest      string       `json:"-"`
	Scanner     struct {
		Name    string `json:"name"`
		URI     string `json:"uri"`
		Version string `json:"version"`
		DB      struct {
			URI        string `json:"uri"`
			Version    string `json:"version,omitempty"`
			LastUpdate string `json:"lastUpdate,omitempty"`
		} `json:"db"`
		Result []ScanResult `json:"result"`
	} `json:"scanner"`
	Metadata struct {
		ScanStartedOn  string `json:"scanStartedOn"`
		ScanFinishedOn string `json:"scanFinishedOn"`
	} `json:"metadata,omitempty"`
}

DependencyScan represents the predicate portion of a dependency scan attestation.

func NewDependencyScan

func NewDependencyScan(opts DependencyScanOptions) *DependencyScan

NewDependencyScan creates a new DependencyScan from options.

func (*DependencyScan) Generate

func (s *DependencyScan) Generate() ([]byte, error)

Generate produces the JSON representation of the dependency scan predicate.

type DependencyScanOptions

type DependencyScanOptions struct {
	Type        ArtifactType
	SubjectName string
	SubjectPath string
	Digest      string
	ResultsPath string
	StartedAt   time.Time
	FinishedAt  time.Time
}

DependencyScanOptions contains options for creating a new dependency scan.

type GrypeResult

type GrypeResult struct {
	Descriptor struct {
		Version   string `json:"version"`
		Timestamp string `json:"timestamp"`
		DB        struct {
			Status *struct {
				Built         string `json:"built"`
				SchemaVersion string `json:"schemaVersion"`
				From          string `json:"from,omitempty"`
			} `json:"status,omitempty"`
		} `json:"db"`
	} `json:"descriptor"`
	Matches []struct {
		Vulnerability struct {
			ID       string `json:"id"`
			Severity string `json:"severity"`
			CVSS     []struct {
				Metrics struct {
					BaseScore float64 `json:"baseScore"`
				} `json:"metrics"`
			} `json:"cvss"`
		} `json:"vulnerability"`
	} `json:"matches"`
}

GrypeResult represents Grype scan results.

type Metadata

type Metadata struct {
	Artifact struct {
		Version  string `json:"version"`
		Created  string `json:"created"`
		Type     string `json:"type"`
		Registry string `json:"registry,omitempty"`
		FullName string `json:"fullName,omitempty"`
		Digest   string `json:"digest,omitempty"`
		Path     string `json:"path,omitempty"`
	} `json:"artifact"`
	RepositoryData struct {
		Repository      string `json:"repository"`
		RepositoryID    string `json:"repositoryId"`
		GitHubServerURL string `json:"githubServerURL"`
	} `json:"repositoryData"`
	OwnerData struct {
		Owner   string `json:"owner"`
		OwnerID string `json:"ownerId"`
	} `json:"ownerData"`
	RunnerData struct {
		OS          string `json:"os"`
		Arch        string `json:"arch"`
		Environment string `json:"environment"`
	} `json:"runnerData"`
	WorkflowData struct {
		WorkflowRefPath string         `json:"workflowRefPath"`
		Inputs          map[string]any `json:"inputs,omitempty"`
		Branch          string         `json:"branch"`
		Event           string         `json:"event"`
	} `json:"workflowData"`
	JobData struct {
		RunNumber   string `json:"runNumber"`
		RunID       string `json:"runId"`
		Status      string `json:"status"`
		TriggeredBy string `json:"triggeredBy"`
		StartedAt   string `json:"startedAt"`
		CompletedAt string `json:"completedAt"`
	} `json:"jobData"`
	CommitData struct {
		SHA       string `json:"sha"`
		Timestamp string `json:"timestamp"`
	} `json:"commitData"`
	Organization struct {
		Name string `json:"name"`
	} `json:"organization"`
	Compliance struct {
		PolicyRef  string   `json:"policyRef"`
		ControlIds []string `json:"controlIds"`
	} `json:"compliance"`
	Security struct {
		Permissions map[string]string `json:"permissions"`
	} `json:"security"`
}

Metadata represents the predicate portion of a metadata attestation.

func NewFromOptions

func NewFromOptions(opts Options) *Metadata

NewFromOptions creates a new Metadata from the given options.

func (*Metadata) Generate

func (m *Metadata) Generate() ([]byte, error)

Generate produces the JSON representation of the metadata predicate.

type Options

type Options struct {
	// artifact fields
	Version     string
	Created     time.Time
	Type        ArtifactType
	Registry    string
	FullName    string
	SubjectPath string
	Digest      string

	// repo fields
	Repository      string
	RepositoryID    string
	GitHubServerURL string

	// owner fields
	Owner   string
	OwnerID string

	// runner fields
	OS          string
	Arch        string
	Environment string

	// workflow fields
	WorkflowRefPath string
	Inputs          map[string]any
	Branch          string
	Event           string

	// job fields
	RunNumber   string
	RunID       string
	Status      string
	TriggeredBy string
	StartedAt   time.Time
	CompletedAt time.Time

	// commit fields
	SHA       string
	Timestamp time.Time

	// org fields
	OrgName string

	// compliance fields
	PolicyRef  string
	ControlIds []string

	// permissions fields
	Permissions map[string]string
}

Options contains all fields needed to generate a metadata predicate.

type PolicyRepo

type PolicyRepo struct {
	Owner string
	Name  string
	Ref   string
}

PolicyRepo represents policy repository configuration.

type ResourceDescriptor added in v0.26.0

type ResourceDescriptor struct {
	Name             string            `json:"name,omitempty"`
	URI              string            `json:"uri,omitempty"`
	Digest           map[string]string `json:"digest,omitempty"`
	Content          string            `json:"content,omitempty"`
	DownloadLocation string            `json:"downloadLocation,omitempty"`
	MediaType        string            `json:"mediaType,omitempty"`
	Annotations      map[string]any    `json:"annotations,omitempty"`
}

ResourceDescriptor is an in-toto v1 ResourceDescriptor. Per spec a descriptor must specify at least one of uri, digest, or content.

type ReviewService added in v0.28.0

type ReviewService interface {
	// ListPullRequestsWithCommit returns pull requests associated with a commit
	// SHA. Documented quirk (go-github v88): if the SHA is not present in the
	// repository's default branch, the result includes ONLY open pull requests —
	// so a release-branch/tag build can return zero merged PRs even though the
	// change was reviewed. NewSourceReview treats that as incompleteness, not a
	// definitive direct push.
	ListPullRequestsWithCommit(ctx context.Context, owner, repo, sha string, opts *gh.ListOptions) ([]*gh.PullRequest, *gh.Response, error)
	// ListReviews lists all reviews on a pull request (paginated).
	ListReviews(ctx context.Context, owner, repo string, number int, opts *gh.ListOptions) ([]*gh.PullRequestReview, *gh.Response, error)
	// GetBranchProtection returns classic branch protection. Needs admin /
	// Administration:read; a 404 means no protection (not an error condition).
	GetBranchProtection(ctx context.Context, owner, repo, branch string) (*gh.Protection, *gh.Response, error)
	// ListRulesForBranch returns the repository rules (rulesets) active for a
	// branch. Readable without admin — the no-admin path to the required-review
	// threshold.
	ListRulesForBranch(ctx context.Context, owner, repo, branch string, opts *gh.ListOptions) (*gh.BranchRules, *gh.Response, error)
}

ReviewService abstracts the GitHub REST calls the source-review predicate needs, so NewSourceReview is unit-testable without a live API (mirrors ReleaseService in pkg/release/cut.go). All four methods are REST-only; v0.1 adds no GraphQL/githubv4 dependency (see the source-review design).

func NewGitHubReviewService added in v0.28.0

func NewGitHubReviewService(client *gh.Client) ReviewService

NewGitHubReviewService wraps a go-github client as a ReviewService.

type Runner

type Runner struct {
	OS          string `json:"os"`
	Arch        string `json:"arch"`
	Environment string `json:"environment"`
}

Runner represents GitHub Actions runner info.

type ScanResult

type ScanResult struct {
	ID       string     `json:"id"`
	Severity []Severity `json:"severity"`
}

ScanResult represents a single vulnerability finding.

type Severity

type Severity struct {
	Method string `json:"method"`
	Score  string `json:"score"`
}

Severity represents a vulnerability severity score.

type SourceReview added in v0.28.0

type SourceReview struct {
	// subject-binding fields, not part of the predicate body
	Type        ArtifactType `json:"-"`
	SubjectName string       `json:"-"`
	SubjectPath string       `json:"-"`
	Digest      string       `json:"-"`

	SourceRepository string          `json:"sourceRepository"`
	SourceRevision   string          `json:"sourceRevision"`
	Ref              string          `json:"ref,omitempty"`
	PullRequest      *SourceReviewPR `json:"pullRequest,omitempty"`

	Summary SourceReviewSummary `json:"summary"`

	// ApproversIncluded is true when approvers[] is authoritative (every
	// qualifying reviewer is present). The gate may recompute over approvers[]
	// only when this is true; otherwise it must use the summary counts and fail
	// closed if a per-reviewer filter it cannot satisfy is requested.
	ApproversIncluded bool                   `json:"approversIncluded"`
	Approvers         []SourceReviewApprover `json:"approvers,omitempty"`

	BranchProtection *SourceReviewBranchProtection `json:"branchProtection,omitempty"`

	// ReviewDecision is reserved for an optional best-effort GraphQL enrichment
	// (pullRequest.reviewDecision). It is INFORMATIONAL ONLY and never a basis for
	// PASS. v0.1 adds no GraphQL client, so it is always empty here.
	ReviewDecision string `json:"reviewDecision,omitempty"`

	Configuration []ResourceDescriptor `json:"configuration"`

	// ReviewToolingComplete is false when the review evidence could not be fully
	// gathered (PRs/reviews unfetchable, or no merged PR resolved — which covers
	// both a genuine direct push and the ListPullRequestsWithCommit default-branch
	// quirk). Mirrors code-scan's invocation.executionSuccessful: the gate fails
	// this closed by default.
	ReviewToolingComplete bool `json:"reviewToolingComplete"`
}

SourceReview is the predicate portion of an autogov source-review attestation (https://autogov.dev/attestation/source-review/v0.1).

func NewSourceReview added in v0.28.0

func NewSourceReview(ctx context.Context, svc ReviewService, opts SourceReviewOptions) (*SourceReview, error)

NewSourceReview builds a source-review predicate from GitHub review evidence, implementing the locked review algorithm + GATE SEMANTICS. svc is injected for testability.

func (*SourceReview) Generate added in v0.28.0

func (c *SourceReview) Generate() ([]byte, error)

Generate produces the JSON representation of the source-review predicate.

type SourceReviewApprover added in v0.28.0

type SourceReviewApprover struct {
	Login       string `json:"login"`
	Association string `json:"association,omitempty"`
	SubmittedAt string `json:"submittedAt,omitempty"`
	CommitID    string `json:"commitId,omitempty"`
	Stale       bool   `json:"stale"`
	IsBot       bool   `json:"isBot"`
}

SourceReviewApprover is one distinct reviewer whose latest opinionated review state is APPROVED (the PR author is never included). stale and isBot are recorded so the gate can recompute/verify the count rather than trust a producer-asserted summary boolean.

type SourceReviewBranchProtection added in v0.28.0

type SourceReviewBranchProtection struct {
	RequireReviews               bool `json:"requireReviews"`
	RequiredApprovingReviewCount int  `json:"requiredApprovingReviewCount"`
	DismissStaleReviews          bool `json:"dismissStaleReviews"`
	RequireCodeownerReview       bool `json:"requireCodeownerReview"`
	// RequireLastPushApproval records GitHub's "last push must be approved by
	// someone other than the pusher" control. v0.1 enforces the on-head-commit
	// half via staleness (an approval not on the PR head does not count); the
	// "approver != last pusher" nuance requires push authorship not fetched here,
	// so it is recorded as evidence and left for a future version.
	RequireLastPushApproval bool `json:"requireLastPushApproval"`
}

SourceReviewBranchProtection records the review controls discovered on the target branch (best-effort; omitted when none is visible). Evidence for the required count; the gate bars on its own configured min_approvals.

type SourceReviewOptions added in v0.28.0

type SourceReviewOptions struct {
	Type             ArtifactType
	SubjectName      string
	SubjectPath      string
	Digest           string
	Owner            string
	Repo             string
	CommitSHA        string // the canonical source revision (merge/squash commit on the target branch)
	Ref              string // target branch ref of the artifact build
	PRNumber         int    // optional disambiguation hint; 0 = auto-discover from the commit
	IncludeApprovers bool   // default on; embeds the per-approver list
	ConfigURI        string
}

SourceReviewOptions contains options for creating a source-review predicate.

type SourceReviewPR added in v0.28.0

type SourceReviewPR struct {
	Number         int    `json:"number"`
	URL            string `json:"url,omitempty"`
	Author         string `json:"author,omitempty"`
	MergedAt       string `json:"mergedAt,omitempty"`
	MergeCommitSha string `json:"mergeCommitSha,omitempty"`
}

SourceReviewPR captures the pull request whose merge produced the source revision. Omitted entirely when no merged PR is resolved.

type SourceReviewSummary added in v0.28.0

type SourceReviewSummary struct {
	Approvals            int  `json:"approvals"`
	DistinctApprovers    int  `json:"distinctApprovers"`
	ChangesRequested     int  `json:"changesRequested"`
	RequiredApprovals    int  `json:"requiredApprovals"`
	RequirementMet       bool `json:"requirementMet"`
	SelfApprovalExcluded bool `json:"selfApprovalExcluded"`
	// CodeownerReviewMet is tri-state: a nil pointer (JSON null) means "not
	// authoritatively determinable" — REST-only cannot reliably evaluate
	// CODEOWNERS, so v0.1 always leaves it null. The gate treats null as
	// undetermined and fails closed when codeowner review is required.
	CodeownerReviewMet *bool `json:"codeownerReviewMet"`
}

SourceReviewSummary is always populated, even when approvers[] is omitted, so an operator can gate without the approver list. The booleans are EVIDENCE, never gate inputs: pass/fail derives only from the numeric counts (see the gating policy). distinctApprovers is the STRICTEST count (author, stale, dismissed, changes-requested, and bot reviewers excluded).

type TestResult added in v0.26.0

type TestResult struct {
	Type        ArtifactType `json:"-"`
	SubjectName string       `json:"-"`
	SubjectPath string       `json:"-"`
	Digest      string       `json:"-"`

	// Result is one of PASSED, WARNED, or FAILED.
	Result string `json:"result"`
	// Configuration references the configuration used for the test run. Required
	// by the spec; may be an empty list when no configuration is referenced.
	Configuration []ResourceDescriptor `json:"configuration"`
	// URL optionally links to the test run (e.g. logs).
	URL string `json:"url,omitempty"`
	// PassedTests, WarnedTests, FailedTests hold test identifiers by outcome.
	// Skipped tests map to warnedTests. Never null (empty arrays preferred).
	PassedTests []string `json:"passedTests"`
	WarnedTests []string `json:"warnedTests"`
	FailedTests []string `json:"failedTests"`
}

TestResult represents the predicate portion of an in-toto test-result attestation (https://in-toto.io/attestation/test-result/v0.1).

func NewTestResult added in v0.26.0

func NewTestResult(opts TestResultOptions) (*TestResult, error)

NewTestResult builds an in-toto test-result predicate from JUnit XML.

func (*TestResult) Generate added in v0.26.0

func (t *TestResult) Generate() ([]byte, error)

Generate produces the JSON representation of the test-result predicate.

type TestResultOptions added in v0.26.0

type TestResultOptions struct {
	Type        ArtifactType
	SubjectName string
	SubjectPath string
	Digest      string
	ResultsPath string
	URL         string
	ConfigURI   string
}

TestResultOptions contains options for creating a test-result predicate.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL