Documentation
¶
Index ¶
- Constants
- func CalculateDigest(path string) (string, error)
- func GenerateCodeScan(opts CodeScanOptions, outputFile string) error
- func GenerateDepscan(opts DependencyScanOptions, outputFile string) error
- func GenerateMetadata(opts Options, outputFile string) error
- func GenerateSourceReview(opts SourceReviewOptions, outputFile string) error
- func GenerateTestResult(opts TestResultOptions, outputFile string) error
- func GetEnvOrDefault(key, defaultValue string) string
- func GetGitHubToken() (string, error)
- func GetRequiredEnv(key string) (string, error)
- func ValidateCodeScan(data []byte) error
- func ValidateDepscan(data []byte) error
- func ValidateJSON(data []byte, schemaName string) error
- func ValidateMetadata(data []byte) error
- func ValidateSourceReview(data []byte) error
- func ValidateTestResult(data []byte) error
- type ArtifactType
- type CodeScan
- type CodeScanContext
- type CodeScanFinding
- type CodeScanInvocation
- type CodeScanLevelCounts
- type CodeScanLocation
- type CodeScanOptions
- type CodeScanSeverityCounts
- type CodeScanSummary
- type CodeScanTool
- type Config
- type Context
- type DependencyScan
- type DependencyScanOptions
- type GrypeResult
- type Metadata
- type Options
- type PolicyRepo
- type ResourceDescriptor
- type ReviewService
- type RulesetActor
- type RulesetVersion
- type RulesetVersionState
- type Runner
- type ScanResult
- type Severity
- type SourceReview
- type SourceReviewApprover
- type SourceReviewBranchProtection
- type SourceReviewContinuityEvidence
- type SourceReviewOptions
- type SourceReviewPR
- type SourceReviewSummary
- type SourceReviewTechnicalControls
- type TestResult
- type TestResultOptions
Constants ¶
const ( // github EnvGitHubRepository = "GITHUB_REPOSITORY" EnvGitHubRepositoryID = "GITHUB_REPOSITORY_ID" EnvGitHubRepositoryOwner = "GITHUB_REPOSITORY_OWNER" EnvGitHubOwnerID = "GITHUB_REPOSITORY_OWNER_ID" EnvGitHubServerURL = "GITHUB_SERVER_URL" EnvGitHubSHA = "GITHUB_SHA" EnvGitHubRefName = "GITHUB_REF_NAME" EnvGitHubEventName = "GITHUB_EVENT_NAME" EnvGitHubActor = "GITHUB_ACTOR" EnvGitHubRunID = "GITHUB_RUN_ID" EnvGitHubRunNumber = "GITHUB_RUN_NUMBER" EnvGitHubWorkflowRef = "GITHUB_WORKFLOW_REF" EnvGitHubEventPath = "GITHUB_EVENT_PATH" EnvGitHubWorkflowInputs = "GITHUB_WORKFLOW_INPUTS" EnvGitHubJobStatus = "GITHUB_JOB_STATUS" // runner EnvRunnerOS = "RUNNER_OS" EnvRunnerArch = "RUNNER_ARCH" EnvRunnerEnvironment = "RUNNER_ENVIRONMENT" // tokens //nolint:gosec // These are environment variable names, not credentials EnvGitHubToken = "GITHUB_TOKEN" //nolint:gosec // These are environment variable names, not credentials EnvGHToken = "GH_TOKEN" // config EnvPolicyRepoOwner = "POLICY_REPO_OWNER" EnvPolicyRepoName = "POLICY_REPO_NAME" EnvPolicyVersion = "POLICY_VERSION" EnvSchemasPath = "SCHEMAS_PATH" // permissions EnvWorkflowPermissions = "WORKFLOW_PERMISSIONS" )
environment variable names
const ( TestResultPassed = "PASSED" TestResultWarned = "WARNED" TestResultFailed = "FAILED" )
Result values for the in-toto test-result predicate.
const ( ArtifactTypeBlob ArtifactType = "blob" ArtifactTypeContainerImage ArtifactType = "container-image" // MetadataPredicateTypeURI is the custom autogov predicate type for metadata attestations. MetadataPredicateTypeURI = "https://autogov.dev/attestation/metadata/v1" // DepscanPredicateTypeURI is the in-toto vulnerability predicate type. DepscanPredicateTypeURI = "https://in-toto.io/attestation/vulns/v0.2" // CodeScanPredicateTypeURI is the custom autogov code-scan predicate type. // No in-toto standard exists for SARIF/code-scanning results, so this mirrors // the metadata predicate precedent. Kept at v0.1 until the SARIF mapping soaks // against real scanner output — the URI is permanent once published. CodeScanPredicateTypeURI = "https://autogov.dev/attestation/code-scan/v0.1" )
const SourceReviewPredicateTypeURI = "https://autogov.dev/attestation/source-review/v0.2"
SourceReviewPredicateTypeURI is the custom autogov source-review predicate type. It records the human PR-review/approval evidence for the source revision that produced an artifact (SLSA source-track / two-person review). No in-toto or SLSA standard predicate exists for source review — SLSA's source track leaves it vendor-specific and gittuf/liatr.io both namespace their own — so this mirrors the metadata/code-scan precedent.
v0.2 (current, only recognized version): adds fail-closed continuity evidence (continuityComplete + continuityEvidence) so continuityStartRevision becomes a genuine no-gap CLAIM rather than a placeholder. The bump to a NEW URI was deliberate: it stops an OLD (v0.1) verifier — which has no notion of continuityComplete — from misreading a v0.2 bundle's now-populated continuityStartRevision as a satisfied L3 continuity leg (an over-claim). v0.1 is no longer recognized; a missing continuityComplete still decodes false (dormant), so a v0.2 verifier can never over-claim L3 from an older bundle.
const TestResultPredicateTypeURI = "https://in-toto.io/attestation/test-result/v0.1"
TestResultPredicateTypeURI is the in-toto test-result predicate type.
Variables ¶
This section is empty.
Functions ¶
func CalculateDigest ¶
CalculateDigest calculates the sha256 digest of a file or directory.
func GenerateCodeScan ¶ added in v0.27.0
func GenerateCodeScan(opts CodeScanOptions, outputFile string) error
GenerateCodeScan generates and validates a code-scan attestation predicate.
func GenerateDepscan ¶
func GenerateDepscan(opts DependencyScanOptions, outputFile string) error
GenerateDepscan generates a dependency scan attestation predicate.
func GenerateMetadata ¶
GenerateMetadata generates a metadata attestation predicate.
func GenerateSourceReview ¶ added in v0.28.0
func GenerateSourceReview(opts SourceReviewOptions, outputFile string) error
GenerateSourceReview generates and validates a source-review attestation predicate, fetching review evidence from the GitHub API.
func GenerateTestResult ¶ added in v0.26.0
func GenerateTestResult(opts TestResultOptions, outputFile string) error
GenerateTestResult generates an in-toto test-result attestation predicate from JUnit XML.
func GetEnvOrDefault ¶
GetEnvOrDefault returns the value of the environment variable or the default value.
func GetGitHubToken ¶
GetGitHubToken returns the GitHub token from environment variables.
func GetRequiredEnv ¶
GetRequiredEnv returns the value of a required environment variable or an error.
func ValidateCodeScan ¶ added in v0.27.0
ValidateCodeScan validates code-scan attestation data against its schema.
func ValidateDepscan ¶
ValidateDepscan validates dependency scan attestation data against its schema.
func ValidateJSON ¶
ValidateJSON validates JSON data against a named schema.
func ValidateMetadata ¶
ValidateMetadata validates metadata attestation data against its schema.
func ValidateSourceReview ¶ added in v0.28.0
ValidateSourceReview validates source-review attestation data against its schema.
func ValidateTestResult ¶ added in v0.26.0
ValidateTestResult validates test-result attestation data against its schema.
Types ¶
type ArtifactType ¶
type ArtifactType string
ArtifactType represents the type of artifact being attested.
type CodeScan ¶ added in v0.27.0
type CodeScan struct {
// subject-binding fields, not part of the predicate body
Type ArtifactType `json:"-"`
SubjectName string `json:"-"`
SubjectPath string `json:"-"`
Digest string `json:"-"`
Tools []CodeScanTool `json:"tools"`
Summary CodeScanSummary `json:"summary"`
Configuration []ResourceDescriptor `json:"configuration"`
Invocation CodeScanInvocation `json:"invocation"`
// FindingsIncluded is true when results[] is authoritative (every fail-kind
// finding is present). A policy may recompute over results[] only when
// findingsIncluded is true AND truncated is false; otherwise it must fall
// back to the summary counts.
FindingsIncluded bool `json:"findingsIncluded"`
// Truncated is true when results[] omits findings (excluded by default, or
// capped by --max-findings).
Truncated bool `json:"truncated"`
// ResultCount is the total number of fail-kind findings discovered, equal to
// summary.byLevel.total + summary.suppressed, regardless of how many findings
// are emitted in results[].
ResultCount int `json:"resultCount"`
Results []CodeScanFinding `json:"results,omitempty"`
ScanContext *CodeScanContext `json:"scanContext,omitempty"`
ScanStartedOn string `json:"scanStartedOn,omitempty"`
ScanFinishedOn string `json:"scanFinishedOn,omitempty"`
}
CodeScan is the predicate portion of an autogov code-scan attestation built from a SARIF 2.1.0 report (https://autogov.dev/attestation/code-scan/v0.1).
func NewCodeScan ¶ added in v0.27.0
func NewCodeScan(opts CodeScanOptions) (*CodeScan, error)
NewCodeScan builds a code-scan predicate from a SARIF 2.1.0 report.
type CodeScanContext ¶ added in v0.27.0
type CodeScanContext struct {
CommitSHA string `json:"commitSha,omitempty"`
Ref string `json:"ref,omitempty"`
URL string `json:"url,omitempty"`
}
CodeScanContext records the scanned source context.
type CodeScanFinding ¶ added in v0.27.0
type CodeScanFinding struct {
RuleID string `json:"ruleId"`
Tool string `json:"tool,omitempty"`
Level string `json:"level"`
Kind string `json:"kind"`
SecuritySeverity string `json:"securitySeverity,omitempty"`
SecuritySeverityLevel string `json:"securitySeverityLevel,omitempty"`
Message string `json:"message,omitempty"`
Location *CodeScanLocation `json:"location,omitempty"`
BaselineState string `json:"baselineState,omitempty"`
Suppressed bool `json:"suppressed"`
SuppressionKind string `json:"suppressionKind,omitempty"`
PartialFingerprints map[string]string `json:"partialFingerprints,omitempty"`
}
CodeScanFinding is a normalized SARIF result. Emitted only when findings are explicitly included (--include-findings); off by default so file paths, line numbers, and scanner messages are not baked into a permanent public artifact.
type CodeScanInvocation ¶ added in v0.27.0
type CodeScanInvocation struct {
ExecutionSuccessful bool `json:"executionSuccessful"`
}
CodeScanInvocation reports whether every SARIF invocation completed. executionSuccessful is the AND of all invocations; absent invocations are treated as successful (no evidence of an incomplete scan).
type CodeScanLevelCounts ¶ added in v0.27.0
type CodeScanLevelCounts struct {
Error int `json:"error"`
Warning int `json:"warning"`
Note int `json:"note"`
None int `json:"none"`
Total int `json:"total"`
}
CodeScanLevelCounts counts fail-kind findings by resolved SARIF level.
type CodeScanLocation ¶ added in v0.27.0
type CodeScanLocation struct {
URI string `json:"uri,omitempty"`
StartLine int `json:"startLine,omitempty"`
EndLine int `json:"endLine,omitempty"`
}
CodeScanLocation is the primary physical location of a finding.
type CodeScanOptions ¶ added in v0.27.0
type CodeScanOptions struct {
Type ArtifactType
SubjectName string
SubjectPath string
Digest string
ResultsPath string
IncludeFindings bool
MaxFindings int
ConfigURI string
CommitSHA string
Ref string
URL string
}
CodeScanOptions contains options for creating a code-scan predicate.
type CodeScanSeverityCounts ¶ added in v0.27.0
type CodeScanSeverityCounts struct {
Critical int `json:"critical"`
High int `json:"high"`
Medium int `json:"medium"`
Low int `json:"low"`
None int `json:"none"`
Total int `json:"total"`
}
CodeScanSeverityCounts counts fail-kind findings by security-severity bucket. None counts fail-kind findings lacking a numeric security-severity property.
type CodeScanSummary ¶ added in v0.27.0
type CodeScanSummary struct {
ByLevel CodeScanLevelCounts `json:"byLevel"`
BySecuritySeverity CodeScanSeverityCounts `json:"bySecuritySeverity"`
Suppressed int `json:"suppressed"`
New int `json:"new,omitempty"`
}
CodeScanSummary aggregates findings. byLevel and bySecuritySeverity count the SAME set (non-suppressed fail-kind findings) on two independent axes, so their totals are equal. suppressed counts fail-kind findings that were suppressed. new counts non-suppressed fail-kind findings whose baselineState is new or updated (the set gate_new_only would act on).
type CodeScanTool ¶ added in v0.27.0
type CodeScanTool struct {
Name string `json:"name"`
Version string `json:"version,omitempty"`
InformationURI string `json:"informationUri,omitempty"`
}
CodeScanTool identifies a scanner (one per SARIF run driver).
type Config ¶
type Config struct {
PolicyRepo PolicyRepo
SchemasPath string
}
Config holds application configuration.
func LoadConfig ¶
LoadConfig loads configuration from environment variables.
type Context ¶
type Context struct {
Repository string `json:"repository"`
RepositoryOwner string `json:"repository_owner"`
RepositoryID string `json:"repository_id"`
ServerURL string `json:"server_url"`
RepositoryOwnerID string `json:"repository_owner_id"`
WorkflowRef string `json:"workflow_ref"`
RefName string `json:"ref_name"`
EventName string `json:"event_name"`
SHA string `json:"sha"`
RunNumber string `json:"run_number"`
RunID string `json:"run_id"`
Actor string `json:"actor"`
Event struct {
WorkflowRun struct {
CreatedAt string `json:"created_at"`
} `json:"workflow_run"`
HeadCommit struct {
Timestamp string `json:"timestamp"`
} `json:"head_commit"`
} `json:"event"`
Inputs map[string]any `json:"inputs"`
JobStatus string `json:"job_status"`
Runner *Runner `json:"runner"`
Organization struct {
Name string `json:"name"`
} `json:"organization"`
}
Context represents the GitHub Actions runtime context.
func LoadGitHubContext ¶
LoadGitHubContext loads GitHub Actions context from environment variables.
type DependencyScan ¶
type DependencyScan struct {
Type ArtifactType `json:"-"`
SubjectName string `json:"-"`
SubjectPath string `json:"-"`
Digest string `json:"-"`
Scanner struct {
Name string `json:"name"`
URI string `json:"uri"`
Version string `json:"version"`
DB struct {
URI string `json:"uri"`
Version string `json:"version,omitempty"`
LastUpdate string `json:"lastUpdate,omitempty"`
} `json:"db"`
Result []ScanResult `json:"result"`
} `json:"scanner"`
Metadata struct {
ScanStartedOn string `json:"scanStartedOn"`
ScanFinishedOn string `json:"scanFinishedOn"`
} `json:"metadata,omitempty"`
}
DependencyScan represents the predicate portion of a dependency scan attestation.
func NewDependencyScan ¶
func NewDependencyScan(opts DependencyScanOptions) *DependencyScan
NewDependencyScan creates a new DependencyScan from options.
func (*DependencyScan) Generate ¶
func (s *DependencyScan) Generate() ([]byte, error)
Generate produces the JSON representation of the dependency scan predicate.
type DependencyScanOptions ¶
type DependencyScanOptions struct {
Type ArtifactType
SubjectName string
SubjectPath string
Digest string
ResultsPath string
StartedAt time.Time
FinishedAt time.Time
}
DependencyScanOptions contains options for creating a new dependency scan.
type GrypeResult ¶
type GrypeResult struct {
Descriptor struct {
Version string `json:"version"`
Timestamp string `json:"timestamp"`
DB struct {
Status *struct {
Built string `json:"built"`
SchemaVersion string `json:"schemaVersion"`
From string `json:"from,omitempty"`
} `json:"status,omitempty"`
} `json:"db"`
} `json:"descriptor"`
Matches []struct {
Vulnerability struct {
ID string `json:"id"`
Severity string `json:"severity"`
CVSS []struct {
Metrics struct {
BaseScore float64 `json:"baseScore"`
} `json:"metrics"`
} `json:"cvss"`
} `json:"vulnerability"`
} `json:"matches"`
}
GrypeResult represents Grype scan results.
type Metadata ¶
type Metadata struct {
Artifact struct {
Version string `json:"version"`
Created string `json:"created"`
Type string `json:"type"`
Registry string `json:"registry,omitempty"`
FullName string `json:"fullName,omitempty"`
Digest string `json:"digest,omitempty"`
Path string `json:"path,omitempty"`
} `json:"artifact"`
RepositoryData struct {
Repository string `json:"repository"`
RepositoryID string `json:"repositoryId"`
GitHubServerURL string `json:"githubServerURL"`
} `json:"repositoryData"`
OwnerData struct {
Owner string `json:"owner"`
OwnerID string `json:"ownerId"`
} `json:"ownerData"`
RunnerData struct {
OS string `json:"os"`
Arch string `json:"arch"`
Environment string `json:"environment"`
} `json:"runnerData"`
WorkflowData struct {
WorkflowRefPath string `json:"workflowRefPath"`
Inputs map[string]any `json:"inputs,omitempty"`
Branch string `json:"branch"`
Event string `json:"event"`
} `json:"workflowData"`
JobData struct {
RunNumber string `json:"runNumber"`
RunID string `json:"runId"`
Status string `json:"status"`
TriggeredBy string `json:"triggeredBy"`
StartedAt string `json:"startedAt"`
CompletedAt string `json:"completedAt"`
} `json:"jobData"`
CommitData struct {
SHA string `json:"sha"`
Timestamp string `json:"timestamp"`
} `json:"commitData"`
Organization struct {
Name string `json:"name"`
} `json:"organization"`
Compliance struct {
PolicyRef string `json:"policyRef"`
ControlIds []string `json:"controlIds"`
} `json:"compliance"`
Security struct {
Permissions map[string]string `json:"permissions"`
} `json:"security"`
}
Metadata represents the predicate portion of a metadata attestation.
func NewFromOptions ¶
NewFromOptions creates a new Metadata from the given options.
type Options ¶
type Options struct {
// artifact fields
Version string
Created time.Time
Type ArtifactType
Registry string
FullName string
SubjectPath string
Digest string
// repo fields
Repository string
RepositoryID string
GitHubServerURL string
// owner fields
Owner string
OwnerID string
// runner fields
OS string
Arch string
Environment string
// workflow fields
WorkflowRefPath string
Inputs map[string]any
Branch string
Event string
// job fields
RunNumber string
RunID string
Status string
TriggeredBy string
StartedAt time.Time
CompletedAt time.Time
// commit fields
SHA string
Timestamp time.Time
// org fields
OrgName string
// compliance fields
PolicyRef string
ControlIds []string
// permissions fields
Permissions map[string]string
}
Options contains all fields needed to generate a metadata predicate.
type PolicyRepo ¶
PolicyRepo represents policy repository configuration.
type ResourceDescriptor ¶ added in v0.26.0
type ResourceDescriptor struct {
Name string `json:"name,omitempty"`
URI string `json:"uri,omitempty"`
Digest map[string]string `json:"digest,omitempty"`
Content string `json:"content,omitempty"`
DownloadLocation string `json:"downloadLocation,omitempty"`
MediaType string `json:"mediaType,omitempty"`
Annotations map[string]any `json:"annotations,omitempty"`
}
ResourceDescriptor is an in-toto v1 ResourceDescriptor. Per spec a descriptor must specify at least one of uri, digest, or content.
type ReviewService ¶ added in v0.28.0
type ReviewService interface {
// ListPullRequestsWithCommit returns pull requests associated with a commit
// SHA. Documented quirk (go-github v88): if the SHA is not present in the
// repository's default branch, the result includes ONLY open pull requests —
// so a release-branch/tag build can return zero merged PRs even though the
// change was reviewed. NewSourceReview treats that as incompleteness, not a
// definitive direct push.
ListPullRequestsWithCommit(ctx context.Context, owner, repo, sha string, opts *gh.ListOptions) ([]*gh.PullRequest, *gh.Response, error)
// ListReviews lists all reviews on a pull request (paginated).
ListReviews(ctx context.Context, owner, repo string, number int, opts *gh.ListOptions) ([]*gh.PullRequestReview, *gh.Response, error)
// GetBranchProtection returns classic branch protection. Needs admin /
// Administration:read; a 404 means no protection (not an error condition).
GetBranchProtection(ctx context.Context, owner, repo, branch string) (*gh.Protection, *gh.Response, error)
// ListRulesForBranch returns the repository rules (rulesets) active for a
// branch. Readable without admin — the no-admin path to the required-review
// threshold.
ListRulesForBranch(ctx context.Context, owner, repo, branch string, opts *gh.ListOptions) (*gh.BranchRules, *gh.Response, error)
// GetRuleset returns a repository ruleset (incl. org/enterprise parents when
// includesParents). Needs Administration:read; a 403/404 is best-effort — the
// producer omits bypass actors rather than failing the attestation.
GetRuleset(ctx context.Context, owner, repo string, rulesetID int64, includesParents bool) (*gh.RepositoryRuleset, *gh.Response, error)
// GetRulesetHistory returns the VERSION HISTORY of a ruleset, newest first,
// for the SLSA Source-L3 continuity walk. go-github v88 binds NEITHER ruleset
// history endpoint, so this is issued via the raw client. It tries the
// repo-scoped endpoint first; if that 404s (the id belongs to an ORG/parent
// ruleset that is only visible through includesParents on the repo), it falls
// back to the org-scoped endpoint. A 403/404 on BOTH surfaces as an error so
// continuity fails CLOSED (unreadable history is NEVER read as "no changes").
// Paginates via the Link header (resp.NextPage).
GetRulesetHistory(ctx context.Context, owner, repo string, rulesetID int64, opts *gh.ListOptions) ([]*RulesetVersion, *gh.Response, error)
// GetRulesetVersion returns the full ruleset STATE at one historical version
// (enforcement, conditions, rules, bypass actors). Like GetRulesetHistory it
// is issued via the raw client with a repo→org fallback, and any 403/404
// surfaces as an error so the continuity walk fails closed.
GetRulesetVersion(ctx context.Context, owner, repo string, rulesetID, versionID int64) (*RulesetVersionState, *gh.Response, error)
// ListCommits maps a continuity start TIME to a start COMMIT producer-side (the
// verifier never calls GitHub). Called with SHA=branch + Since=start; the oldest
// returned commit at-or-after the start time is the approximate start revision
// R0. Paginated truncation (>cap pages) is treated as unresolvable -> fail closed.
ListCommits(ctx context.Context, owner, repo string, opts *gh.CommitsListOptions) ([]*gh.RepositoryCommit, *gh.Response, error)
// GetRepository returns the repository (for its default branch), so the
// continuity walk can decide whether a ruleset version that targets only
// "~DEFAULT_BRANCH" actually covers the artifact's protected branch. Unreadable
// -> the default branch is unknown -> a "~DEFAULT_BRANCH"-only version fails
// closed.
GetRepository(ctx context.Context, owner, repo string) (*gh.Repository, *gh.Response, error)
}
ReviewService abstracts the GitHub REST calls the source-review predicate needs, so NewSourceReview is unit-testable without a live API (mirrors ReleaseService in pkg/release/cut.go). All methods are REST-only; v0.1 adds no GraphQL/githubv4 dependency (see the source-review design).
func NewGitHubReviewService ¶ added in v0.28.0
func NewGitHubReviewService(client *gh.Client) ReviewService
NewGitHubReviewService wraps a go-github client as a ReviewService.
type RulesetActor ¶ added in v0.38.0
RulesetActor identifies who created a ruleset version (recorded as evidence; not gated). A missing/typeless actor is tolerated — it never relaxes a leg.
type RulesetVersion ¶ added in v0.38.0
type RulesetVersion struct {
VersionID int64
Actor RulesetActor
UpdatedAt time.Time
}
RulesetVersion is one entry in a ruleset's version history. created_at is NOT load-bearing for continuity — the per-version STATE (fetched via GetRulesetVersion) is. UpdatedAt is the time the version became effective and is what the walk uses for the per-leg start time.
type RulesetVersionState ¶ added in v0.38.0
type RulesetVersionState struct {
Enforcement string
Conditions *gh.RepositoryRulesetConditions
Rules *gh.RepositoryRulesetRules
BypassActors []*gh.BypassActor
}
RulesetVersionState is the full enforced state of a ruleset at a historical version, the unit the continuity walk inspects. Enforcement is the raw string so an UNKNOWN/missing value is treated as NON-active (never default-to-active). Rules is the typed ruleset rules object (nil when absent -> a rule is NOT present, never default-to-satisfied). BypassActors is judged narrow-vs-wide by the walk exactly like the live bypass list.
type Runner ¶
type Runner struct {
OS string `json:"os"`
Arch string `json:"arch"`
Environment string `json:"environment"`
}
Runner represents GitHub Actions runner info.
type ScanResult ¶
ScanResult represents a single vulnerability finding.
type SourceReview ¶ added in v0.28.0
type SourceReview struct {
// subject-binding fields, not part of the predicate body
Type ArtifactType `json:"-"`
SubjectName string `json:"-"`
SubjectPath string `json:"-"`
Digest string `json:"-"`
SourceRepository string `json:"sourceRepository"`
SourceRevision string `json:"sourceRevision"`
Ref string `json:"ref,omitempty"`
PullRequest *SourceReviewPR `json:"pullRequest,omitempty"`
Summary SourceReviewSummary `json:"summary"`
// ApproversIncluded is true when approvers[] is authoritative (every
// qualifying reviewer is present). The gate may recompute over approvers[]
// only when this is true; otherwise it must use the summary counts and fail
// closed if a per-reviewer filter it cannot satisfy is requested.
ApproversIncluded bool `json:"approversIncluded"`
Approvers []SourceReviewApprover `json:"approvers,omitempty"`
BranchProtection *SourceReviewBranchProtection `json:"branchProtection,omitempty"`
// TechnicalControls records the enforced SLSA-L3 branch-protection controls
// (force-push blocked, linear history, deletion blocked, required signatures,
// required status checks, bypass actors). Best-effort, evidence only.
TechnicalControls *SourceReviewTechnicalControls `json:"technicalControls,omitempty"`
// ContinuityStartRevision is set ONLY when ContinuityEvidence proves an
// unbroken enforcement window from this revision through the attested revision
// (SLSA L3 continuity); it is empty otherwise. The verifier MUST NOT infer L3
// continuity from this value alone — it gates on TechnicalControls.
// ContinuityComplete AND a non-empty value together (absence or an
// incomplete-proof value is undetermined, not satisfied).
ContinuityStartRevision string `json:"continuityStartRevision,omitempty"`
// ContinuityEvidence records how the continuity window was established (or why
// it could not be). Audit evidence only — the gate keys on ContinuityComplete +
// ContinuityStartRevision. Omitted when continuity was not even attempted.
ContinuityEvidence *SourceReviewContinuityEvidence `json:"continuityEvidence,omitempty"`
// ReviewDecision is reserved for an optional best-effort GraphQL enrichment
// (pullRequest.reviewDecision). It is INFORMATIONAL ONLY and never a basis for
// PASS. The producer adds no GraphQL client, so it is always empty here.
ReviewDecision string `json:"reviewDecision,omitempty"`
Configuration []ResourceDescriptor `json:"configuration"`
// ReviewToolingComplete is false when the review evidence could not be fully
// gathered (PRs/reviews unfetchable, or no merged PR resolved — which covers
// both a genuine direct push and the ListPullRequestsWithCommit default-branch
// quirk). Mirrors code-scan's invocation.executionSuccessful: the gate fails
// this closed by default.
ReviewToolingComplete bool `json:"reviewToolingComplete"`
}
SourceReview is the predicate portion of an autogov source-review attestation (https://autogov.dev/attestation/source-review/v0.2).
func NewSourceReview ¶ added in v0.28.0
func NewSourceReview(ctx context.Context, svc ReviewService, opts SourceReviewOptions) (*SourceReview, error)
NewSourceReview builds a source-review predicate from GitHub review evidence, implementing the locked review algorithm + GATE SEMANTICS. svc is injected for testability.
func (*SourceReview) Generate ¶ added in v0.28.0
func (c *SourceReview) Generate() ([]byte, error)
Generate produces the JSON representation of the source-review predicate.
type SourceReviewApprover ¶ added in v0.28.0
type SourceReviewApprover struct {
Login string `json:"login"`
Association string `json:"association,omitempty"`
SubmittedAt string `json:"submittedAt,omitempty"`
CommitID string `json:"commitId,omitempty"`
Stale bool `json:"stale"`
IsBot bool `json:"isBot"`
}
SourceReviewApprover is one distinct reviewer whose latest opinionated review state is APPROVED (the PR author is never included). stale and isBot are recorded so the gate can recompute/verify the count rather than trust a producer-asserted summary boolean.
type SourceReviewBranchProtection ¶ added in v0.28.0
type SourceReviewBranchProtection struct {
RequireReviews bool `json:"requireReviews"`
RequiredApprovingReviewCount int `json:"requiredApprovingReviewCount"`
DismissStaleReviews bool `json:"dismissStaleReviews"`
RequireCodeownerReview bool `json:"requireCodeownerReview"`
// RequireLastPushApproval records GitHub's "last push must be approved by
// someone other than the pusher" control. The producer enforces the
// on-head-commit half via staleness (an approval not on the PR head does not
// count); the "approver != last pusher" nuance requires push authorship not
// fetched here, so it is recorded as evidence and left for a future version.
RequireLastPushApproval bool `json:"requireLastPushApproval"`
}
SourceReviewBranchProtection records the review controls discovered on the target branch (best-effort; omitted when none is visible). Evidence for the required count; the gate bars on its own configured min_approvals.
type SourceReviewContinuityEvidence ¶ added in v0.38.0
type SourceReviewContinuityEvidence struct {
// Method is "ruleset-history" when continuity was proven by walking ruleset
// version history, or "none" when it could not be established (the fail-closed
// default). Any other meaning is reserved.
Method string `json:"method"`
// RulesetIDs are the distinct backing ruleset ids whose histories were walked.
RulesetIDs []int64 `json:"rulesetIds,omitempty"`
// VersionsWalked is the total number of historical ruleset versions inspected.
VersionsWalked int `json:"versionsWalked"`
// EarliestHistoryAt is the UpdatedAt of the oldest retained version observed
// across the walked rulesets (RFC3339, UTC). Used to detect retention capping.
EarliestHistoryAt string `json:"earliestHistoryAt,omitempty"`
// WindowStartAt is the latest per-ruleset clean-run start across all legs
// (RFC3339, UTC) — continuity holds only since ALL legs were simultaneously
// enforced. Empty when continuity was not established.
WindowStartAt string `json:"windowStartAt,omitempty"`
// WeakenedAt is the UpdatedAt (RFC3339, UTC) of the version that broke
// continuity (disabled/weakened/excluded/wide-bypass). Empty ("") on a clean
// window.
WeakenedAt string `json:"weakenedAt,omitempty"`
// HistoryComplete is true only when every walked ruleset's history was read in
// full (no 403/404, no pagination/truncation). False forces ContinuityComplete
// false (unknown history is not "no changes").
HistoryComplete bool `json:"historyComplete"`
// RetentionCapped is true when the earliest retained version is NEWER than the
// computed window start — the start cannot be corroborated by retained history,
// so continuity fails closed.
RetentionCapped bool `json:"retentionCapped"`
}
SourceReviewContinuityEvidence records HOW continuity was established (or why it could not be), as audit evidence. It never relaxes a gate: the verifier keys on TechnicalControls.ContinuityComplete + a non-empty ContinuityStartRevision, not on this block. Method is "ruleset-history" on a proven window, else "none".
type SourceReviewOptions ¶ added in v0.28.0
type SourceReviewOptions struct {
Type ArtifactType
SubjectName string
SubjectPath string
Digest string
Owner string
Repo string
CommitSHA string // the canonical source revision (merge/squash commit on the target branch)
Ref string // target branch ref of the artifact build
PRNumber int // optional disambiguation hint; 0 = auto-discover from the commit
IncludeApprovers bool // default on; embeds the per-approver list
ConfigURI string
}
SourceReviewOptions contains options for creating a source-review predicate.
type SourceReviewPR ¶ added in v0.28.0
type SourceReviewPR struct {
Number int `json:"number"`
URL string `json:"url,omitempty"`
Author string `json:"author,omitempty"`
MergedAt string `json:"mergedAt,omitempty"`
MergeCommitSha string `json:"mergeCommitSha,omitempty"`
}
SourceReviewPR captures the pull request whose merge produced the source revision. Omitted entirely when no merged PR is resolved.
type SourceReviewSummary ¶ added in v0.28.0
type SourceReviewSummary struct {
Approvals int `json:"approvals"`
DistinctApprovers int `json:"distinctApprovers"`
ChangesRequested int `json:"changesRequested"`
RequiredApprovals int `json:"requiredApprovals"`
RequirementMet bool `json:"requirementMet"`
SelfApprovalExcluded bool `json:"selfApprovalExcluded"`
// CodeownerReviewMet is tri-state: a nil pointer (JSON null) means "not
// authoritatively determinable" — REST-only cannot reliably evaluate
// CODEOWNERS, so the producer always leaves it null. The gate treats null as
// undetermined and fails closed when codeowner review is required.
CodeownerReviewMet *bool `json:"codeownerReviewMet"`
}
SourceReviewSummary is always populated, even when approvers[] is omitted, so an operator can gate without the approver list. The booleans are EVIDENCE, never gate inputs: pass/fail derives only from the numeric counts (see the gating policy). distinctApprovers is the STRICTEST count (author, stale, dismissed, changes-requested, and bot reviewers excluded).
type SourceReviewTechnicalControls ¶ added in v0.35.0
type SourceReviewTechnicalControls struct {
ForcePushBlocked bool `json:"forcePushBlocked"`
RequiredLinearHistory bool `json:"requiredLinearHistory"`
DeletionBlocked bool `json:"deletionBlocked"`
RequiredSignatures bool `json:"requiredSignatures"`
RequiredStatusChecks []string `json:"requiredStatusChecks,omitempty"`
// BypassActors is the factual list of ruleset bypass actors, formatted
// "<ActorType>:<ActorID>:<BypassMode>" (e.g. "Integration:801323:always"),
// de-duped and sorted. The verifier judges narrow-vs-open. Read alongside
// BypassActorsComplete: an empty list is only meaningful when complete.
BypassActors []string `json:"bypassActors,omitempty"`
// BypassActorsComplete is true only when the bypass-actor list is
// AUTHORITATIVE: rule discovery was not truncated AND every backing ruleset's
// bypass actors were readable (Administration:read granted). When false, an
// empty BypassActors means "unknown", NOT "none" — the verifier MUST fail
// closed rather than read the absence as no-bypass.
BypassActorsComplete bool `json:"bypassActorsComplete"`
// ContinuityComplete is true ONLY when the ruleset version-history walk proved
// the L3-relevant controls were never disabled/weakened from a start revision
// through the attested revision (an unbroken enforcement window). It is the
// continuity sibling of BypassActorsComplete: when false (the default, and the
// outcome of any unreadable/ambiguous history), the verifier MUST treat
// continuity as UNDETERMINED and keep the source level dormant — an empty or
// even populated ContinuityStartRevision is meaningless without it.
ContinuityComplete bool `json:"continuityComplete"`
}
SourceReviewTechnicalControls records the enforced branch-protection technical controls (SLSA Source L3 evidence) discovered on the target branch via the repository ruleset (best-effort; omitted when none is visible). It is EVIDENCE ONLY: the producer records what is configured and never judges "disabled vs declared" — that is the verifier's/policy's job. The bool controls + status checks come from the no-admin ListRulesForBranch path; bypassActors require Administration:read (GetRuleset) and are simply omitted when that is denied.
type TestResult ¶ added in v0.26.0
type TestResult struct {
Type ArtifactType `json:"-"`
SubjectName string `json:"-"`
SubjectPath string `json:"-"`
Digest string `json:"-"`
// Result is one of PASSED, WARNED, or FAILED.
Result string `json:"result"`
// Configuration references the configuration used for the test run. Required
// by the spec; may be an empty list when no configuration is referenced.
Configuration []ResourceDescriptor `json:"configuration"`
// URL optionally links to the test run (e.g. logs).
URL string `json:"url,omitempty"`
// PassedTests, WarnedTests, FailedTests hold test identifiers by outcome.
// Skipped tests map to warnedTests. Never null (empty arrays preferred).
PassedTests []string `json:"passedTests"`
WarnedTests []string `json:"warnedTests"`
FailedTests []string `json:"failedTests"`
}
TestResult represents the predicate portion of an in-toto test-result attestation (https://in-toto.io/attestation/test-result/v0.1).
func NewTestResult ¶ added in v0.26.0
func NewTestResult(opts TestResultOptions) (*TestResult, error)
NewTestResult builds an in-toto test-result predicate from JUnit XML.
func (*TestResult) Generate ¶ added in v0.26.0
func (t *TestResult) Generate() ([]byte, error)
Generate produces the JSON representation of the test-result predicate.
type TestResultOptions ¶ added in v0.26.0
type TestResultOptions struct {
Type ArtifactType
SubjectName string
SubjectPath string
Digest string
ResultsPath string
URL string
ConfigURI string
}
TestResultOptions contains options for creating a test-result predicate.