Documentation
¶
Overview ¶
Package source provides verification of SLSA source provenance attestations. It validates Sigstore bundles containing source provenance predicates, checking repository URI, commit SHA, and computing SLSA Source Track levels.
Index ¶
Constants ¶
const ( SLSASourceLevel0 = "SLSA_SOURCE_LEVEL_0" SLSASourceLevel1 = "SLSA_SOURCE_LEVEL_1" SLSASourceLevel2 = "SLSA_SOURCE_LEVEL_2" SLSASourceLevel3 = "SLSA_SOURCE_LEVEL_3" )
Canonical SLSA source-track levels (https://slsa.dev/spec/v1.2/source-requirements). The numeric ceiling is L3; two-party review (the v1.2 "L4" tier) has no numbered token and is recorded only as a non-numbered annotation.
Variables ¶
This section is empty.
Functions ¶
func MapToCanonicalSourceLevel ¶ added in v0.30.0
MapToCanonicalSourceLevel maps the verification evidence to the canonical SLSA source-track level the evidence actually proves, staying deliberately conservative to avoid overclaiming.
The SLSA source track (v1.2) grants:
- L1: source is in a modern VCS and a Source VSA/provenance is issued.
- L2: change history is continuous, immutable, and retained.
- L3: the org's technical controls (branch protection, force-push blocked, required status checks, bypass disabled or narrowly declared) are continuously enforced and recorded in attestations. No human review is required for L3.
- Two-party review is a separate, higher control (the v1.2 "L4" tier), recorded as a non-numbered annotation — never as a numbered level (there is no SLSA_SOURCE_LEVEL_4 token).
A verified source-provenance signature proves L1: the revision is version controlled and provenance exists. It does NOT by itself prove the continuity (L2) or continuous-enforcement (L3) controls — those require recorded + enforced branch-protection evidence, which this verify path does not yet receive. So provenance evidence alone maps to L1 here, and the level is never inferred from the builder identity (that conflated L3 with the build platform and over-claimed).
Types ¶
type SourceProvenancePredicate ¶
type SourceProvenancePredicate struct {
BuildDefinition struct {
BuildType string `json:"buildType"`
ExternalParameters struct {
Repository string `json:"repository"`
Ref string `json:"ref"`
Workflow struct {
Repository string `json:"repository"`
Ref string `json:"ref"`
Path string `json:"path"`
} `json:"workflow"`
} `json:"externalParameters"`
ResolvedDependencies []struct {
URI string `json:"uri"`
Digest map[string]string `json:"digest"`
} `json:"resolvedDependencies"`
} `json:"buildDefinition"`
RunDetails struct {
Builder struct {
ID string `json:"id"`
} `json:"builder"`
Metadata struct {
InvocationID string `json:"invocationId"`
StartedOn string `json:"startedOn"`
} `json:"metadata"`
} `json:"runDetails"`
}
SourceProvenancePredicate represents relevant fields from a SLSA provenance predicate used for source provenance verification.
type VerificationResult ¶
type VerificationResult struct {
Verified bool `json:"verified"`
RepoURI string `json:"repo_uri,omitempty"`
Commit string `json:"commit,omitempty"`
SourceRef string `json:"source_ref,omitempty"`
SLSASourceLevel string `json:"slsa_source_level,omitempty"`
BuilderID string `json:"builder_id,omitempty"`
Claims map[string]string `json:"claims,omitempty"`
ErrorMsg string `json:"error,omitempty"`
Warnings []string `json:"warnings,omitempty"`
}
VerificationResult holds the outcome of source provenance verification.
func VerifySourceProvenance ¶
func VerifySourceProvenance(bundlePath string, opts VerifyOptions) (*VerificationResult, error)
VerifySourceProvenance verifies a Sigstore bundle containing source provenance. It validates the bundle signature, extracts the in-toto statement, and checks that the repo URI and commit SHA match the expected values.
type VerifyOptions ¶
type VerifyOptions struct {
// RepoURI is the expected source repository URI.
RepoURI string
// Commit is the expected source commit SHA.
Commit string
// SourceRef is the expected source ref (e.g., refs/heads/main). Optional.
SourceRef string
// CertIdentity is the expected OIDC subject in the signing certificate.
CertIdentity string
// CertIssuer is the expected OIDC issuer URL.
CertIssuer string
}
VerifyOptions configures source provenance verification.