Documentation
Constants ¶
const (
	// SBOM payload media types. All media types in this block are
	// self-declared by registry content: use them to decide how to parse a
	// blob, never as proof of what the blob actually contains.
	SBOMMediaTypeSPDX      = "application/spdx+json"
	SBOMMediaTypeCycloneDX = "application/vnd.cyclonedx+json"
	// Cosign simple-signing payload type. Note this is the same string as
	// MediaTypeCosignSignature below; the two names are interchangeable.
	SignatureMediaType    = "application/vnd.dev.cosign.simplesigning.v1+json"
	ArtifactTypeSBOM      = "application/vnd.oci.artifact.sbom.v1+json"
	ArtifactTypeSignature = "application/vnd.dev.cosign.artifact.sig.v1+json"
	// OCI image index media types
	MediaTypeImageIndex = "application/vnd.oci.image.index.v1+json"
	// Despite the name, this is the Docker manifest *list* (multi-arch index)
	// media type, not a single-image manifest.
	MediaTypeDockerManifest = "application/vnd.docker.distribution.manifest.list.v2+json"
	// Attestation-related annotations and media types. The annotations are
	// unauthenticated metadata on index entries; an entry flagged as an
	// attestation still has to be fetched and its DSSE signature verified.
	AnnotationReferenceType   = "vnd.docker.reference.type"
	AnnotationReferenceDigest = "vnd.docker.reference.digest"
	AnnotationPredicateType   = "in-toto.io/predicate-type"
	ReferenceTypeAttestation  = "attestation-manifest"
	MediaTypeInToto           = "application/vnd.in-toto+json"
	// Cosign tag-based storage media types
	MediaTypeCosignSignature  = "application/vnd.dev.cosign.simplesigning.v1+json"
	MediaTypeDSSEEnvelope     = "application/vnd.dsse.envelope.v1+json"
	MediaTypeOCIImageManifest = "application/vnd.oci.image.manifest.v1+json"
	// Named "Docker" but the value is the OCI image config media type.
	MediaTypeDockerImageConfig = "application/vnd.oci.image.config.v1+json"
)
Variables ¶
// ErrNotIndex is the sentinel returned when a descriptor that was expected
// to be an image index (manifest list) turns out to be something else.
// Compare with errors.Is(err, ErrNotIndex); it may be wrapped.
var ErrNotIndex = errors.New("not an image index")
ErrNotIndex is returned when the descriptor being resolved is not an image index (manifest list). Callers should test for it with errors.Is rather than comparing error strings, since it may be returned wrapped.
Functions ¶
This section is empty.
Types ¶
type Attestation ¶
type AttestationLayer ¶
// AttestationLayer is a single attestation blob (a DSSE envelope carrying an
// in-toto statement) referenced from an AttestationManifest.
type AttestationLayer struct {
	// Digest is the blob digest as named by the manifest descriptor. The
	// fetched bytes should be checked against it before RawJSON is trusted;
	// whether the fetcher enforces that is not visible from this type.
	Digest string `json:"digest" temporaljson:"digest"`
	// MediaType is the descriptor's declared media type (registry-supplied).
	MediaType string `json:"media_type" temporaljson:"media_type"`
	// Size is the descriptor's declared size, not a measured one.
	Size int64 `json:"size" temporaljson:"size"`
	// PredicateType is an unauthenticated hint; presumably it is read from
	// the AnnotationPredicateType annotation — confirm against the fetcher.
	// Trust only the predicateType inside a verified DSSE payload.
	PredicateType string `json:"predicate_type,omitempty" temporaljson:"predicate_type,omitempty"`
	// RawJSON holds the blob bytes as fetched; empty when the layer body
	// was not retrieved.
	RawJSON json.RawMessage `json:"raw_json,omitempty" temporaljson:"raw_json,omitempty"`
	// Decoded is the parsed in-toto statement when decoding succeeded.
	// A non-nil Decoded says nothing about whether the envelope's
	// signatures were verified.
	Decoded *InTotoStatement `json:"decoded,omitempty" temporaljson:"decoded,omitempty"`
	// Truncated is set when the blob was not fetched in full (presumably a
	// FetchGuardrails limit was hit — TODO confirm). When true, RawJSON is
	// incomplete: it cannot be parsed or signature-checked reliably and
	// Decoded should be treated as absent.
	Truncated bool `json:"truncated,omitempty" temporaljson:"truncated,omitempty"`
}
AttestationLayer represents Layer 3 - an attestation blob containing DSSE/in-toto content. When Truncated is true the blob was not fetched in full (presumably because a FetchGuardrails limit was hit), so RawJSON is incomplete and must not be parsed or signature-verified as if it were the whole envelope.
type AttestationManifest ¶
// AttestationManifest is an OCI image manifest that packages the attestation
// blobs (Layers) for one platform-specific image manifest.
type AttestationManifest struct {
	// Digest of this attestation manifest.
	Digest string `json:"digest" temporaljson:"digest"`
	// MediaType as declared by the index entry (registry-supplied).
	MediaType string `json:"media_type" temporaljson:"media_type"`
	// Platform the attestations apply to, when the index entry carried one.
	Platform *Platform `json:"platform,omitempty" temporaljson:"platform,omitempty"`
	// RefDigest names the image manifest these attestations refer to;
	// presumably taken from the AnnotationReferenceDigest annotation.
	// It is an unauthenticated annotation: a verifier should check that it
	// equals the digest of the manifest actually being evaluated.
	RefDigest string `json:"ref_digest,omitempty" temporaljson:"ref_digest,omitempty"`
	// Annotations copied from the index entry, unverified.
	Annotations map[string]string `json:"annotations,omitempty" temporaljson:"annotations,omitempty"`
	// RawJSON is the manifest body as fetched, when retrieved.
	RawJSON json.RawMessage `json:"raw_json,omitempty" temporaljson:"raw_json,omitempty"`
	// Layers are the attestation blobs listed by this manifest.
	Layers []AttestationLayer `json:"layers,omitempty" temporaljson:"layers,omitempty"`
}
AttestationManifest represents Layer 2 - an attestation manifest for a specific platform. RefDigest is taken from an index annotation and is not authenticated; a verifier should confirm it matches the platform manifest actually being evaluated rather than trusting the annotation alone.
type CosignTagResult ¶
// CosignTagResult is what Cosign tag-based discovery (the .sig/.att/.sbom
// tags) found for an image.
type CosignTagResult struct {
	// Signed records that signature artifacts were discovered. Nothing in
	// this type records whether any of them verified against a trusted key
	// or identity, so read it as "signature present", not "signature valid".
	Signed bool
	// Signatures found at the signature tag.
	Signatures []Signature
	// Attestations found at the attestation tag.
	Attestations []Attestation
	// SBOM found at the SBOM tag, if any.
	SBOM *SBOM
}
CosignTagResult holds the results of Cosign tag-based artifact discovery. Signed reflects that signature artifacts were found; nothing in this type records whether they were cryptographically verified, so treat it as "signature present" rather than "signature valid" unless the caller verifies separately.
type DSSEEnvelope ¶
// DSSEEnvelope is the wire form of a Dead Simple Signing Envelope.
type DSSEEnvelope struct {
	// PayloadType is the content type of the payload (for in-toto
	// statements, MediaTypeInToto). It is covered by the signature via the
	// DSSE pre-authentication encoding.
	PayloadType string `json:"payloadType" temporaljson:"payloadType"`
	// Payload is base64-encoded per the DSSE spec; decode before parsing.
	Payload string `json:"payload" temporaljson:"payload"`
	// Signatures over the envelope. The field is omitempty, so an envelope
	// with zero signatures decodes without error — a decoded envelope is
	// unauthenticated until at least one signature has been verified.
	Signatures []DSSESignature `json:"signatures,omitempty" temporaljson:"signatures,omitempty"`
}
DSSEEnvelope represents a Dead Simple Signing Envelope. Per the DSSE specification Payload is base64-encoded and the signature covers the pre-authentication encoding of PayloadType and the decoded payload; a decoded envelope is unauthenticated until at least one entry in Signatures has been verified, and Signatures may be empty.
type DSSESignature ¶
// DSSESignature is one signature entry of a DSSE envelope.
type DSSESignature struct {
	// KeyID is an unauthenticated hint for selecting the verification key;
	// it must not be used to decide which key to trust.
	KeyID string `json:"keyid,omitempty" temporaljson:"keyid,omitempty"`
	// Sig is the base64-encoded signature bytes.
	Sig string `json:"sig" temporaljson:"sig"`
}
DSSESignature represents a signature in a DSSE envelope. KeyID is an unauthenticated hint for key selection, not a trust decision; Sig is the base64-encoded signature bytes.
type ExternalImagePolicyInput ¶
// ExternalImagePolicyInput is the document handed to an external policy
// evaluation for an image (the exact consumer is not shown on this page).
type ExternalImagePolicyInput struct {
	// Image reference without tag or digest.
	Image string `json:"image" temporaljson:"image"`
	// Tag that was requested. Tags are mutable; Digest is the stable identity.
	Tag string `json:"tag" temporaljson:"tag"`
	// Digest the image resolved to.
	Digest string `json:"digest" temporaljson:"digest"`
	// Metadata is the discovered signature/attestation/SBOM data. A policy
	// that gates on Metadata.Signed or on Signature.Issuer/Subject should
	// confirm those values were cryptographically verified upstream; the
	// types here record discovery results only.
	Metadata *ImageMetadata `json:"metadata" temporaljson:"metadata"`
}
type FetchGuardrails ¶
// FetchGuardrails bounds how much registry-supplied content the fetcher will
// pull in, so an oversized or hostile registry cannot exhaust memory or time.
// Whether a zero-valued field means "unlimited" or "nothing" is not shown on
// this page — start from DefaultGuardrails() rather than a zero value.
type FetchGuardrails struct {
	// MaxBlobBytes caps the bytes read for a single attestation blob.
	MaxBlobBytes int64
	// MaxTotalBytes caps the bytes read across the whole fetch.
	MaxTotalBytes int64
	// MaxAttestations caps how many attestation manifests are processed.
	MaxAttestations int
	// MaxLayersPerManifest caps the layers read from one attestation manifest.
	MaxLayersPerManifest int
}
FetchGuardrails defines limits for fetching attestation content. They bound how much registry-supplied (and therefore untrusted) data is read per blob, in total, per manifest and in number of attestations, so a hostile or misconfigured registry cannot exhaust the fetcher. Whether a zero field means "unlimited" or "nothing" is not shown here; start from DefaultGuardrails().
func DefaultGuardrails ¶
func DefaultGuardrails() FetchGuardrails
DefaultGuardrails returns the package's default limits for attestation fetching. The concrete values are not shown on this page; check them in the source before relying on them for a particular memory or time budget.
type FetchOptions ¶
// FetchOptions configures FetchImageMetadata.
type FetchOptions struct {
	// Image reference (repository) to inspect.
	Image string
	// Tag to resolve. Tags are mutable; prefer Digest when pinning is
	// required. Precedence when both Tag and Digest are set is not shown here.
	Tag string
	// Auth carries registry credentials; keep it out of logs and serialized
	// output. Its definition is not rendered on this page.
	Auth *RegistryAuth
	// Digest to resolve directly, if known.
	Digest string
	// Layer fetch controls: each enables fetching of one layer of the
	// index -> attestation manifest -> attestation blob chain.
	IncludeIndex bool
	IncludeAttestationManifests bool
	IncludeAttestationLayers bool
	// Platform filter (e.g., "linux/amd64")
	Platform string
	// Guardrails for limiting fetch sizes. Presumably nil falls back to
	// DefaultGuardrails() — confirm against FetchImageMetadata.
	Guardrails *FetchGuardrails
}
type ImageIndex ¶
// ImageIndex is the top-level OCI image index / Docker manifest list that
// points at per-platform manifests and attestation manifests.
type ImageIndex struct {
	// Digest of the index document.
	Digest string `json:"digest" temporaljson:"digest"`
	// MediaType as declared by the registry.
	MediaType string `json:"media_type" temporaljson:"media_type"`
	// RawJSON is the index body as fetched, when retrieved.
	RawJSON json.RawMessage `json:"raw_json,omitempty" temporaljson:"raw_json,omitempty"`
	// Manifests lists the index entries. No omitempty: a nil slice encodes
	// as null, an empty non-nil slice as [].
	Manifests []ManifestEntry `json:"manifests" temporaljson:"manifests"`
}
ImageIndex represents Layer 1 - the image index (manifest list). Manifests has no omitempty tag, so an index with a nil slice encodes as null and an empty non-nil slice as [].
type ImageMetadata ¶
// ImageMetadata is the aggregated supply-chain metadata discovered for one
// image: Cosign tag-based artifacts plus the index/attestation-manifest chain.
type ImageMetadata struct {
	// Image reference (repository).
	Image string `json:"image" temporaljson:"image"`
	// Tag that was requested; mutable, so Digest is the stable identity.
	Tag string `json:"tag" temporaljson:"tag"`
	// Digest the image resolved to.
	Digest string `json:"digest" temporaljson:"digest"`
	// SBOM discovered for the image, if any.
	SBOM *SBOM `json:"sbom,omitempty" temporaljson:"sbom,omitempty"`
	// Signatures discovered for the image (metadata only, no signature bytes).
	Signatures []Signature `json:"signatures,omitempty" temporaljson:"signatures,omitempty"`
	// Attestations discovered for the image.
	Attestations []Attestation `json:"attestations,omitempty" temporaljson:"attestations,omitempty"`
	// Signed records that signature artifacts were found. Nothing in this
	// type records whether they were verified against a trusted key or
	// identity; consumers must not treat it as proof of a valid signature.
	Signed bool `json:"signed" temporaljson:"signed"`
	// Layer 1: Image Index (manifest list)
	Index *ImageIndex `json:"index,omitempty" temporaljson:"index,omitempty"`
	// Layer 2: Attestation Manifests
	AttestationManifests []AttestationManifest `json:"attestation_manifests,omitempty" temporaljson:"attestation_manifests,omitempty"`
}
func FetchImageMetadata ¶
func FetchImageMetadata(ctx context.Context, opts *FetchOptions) (*ImageMetadata, error)
type InTotoStatement ¶
// InTotoStatement is the in-toto Statement carried as a DSSE payload.
type InTotoStatement struct {
	// Type is the statement type URI (the in-toto "_type" field).
	Type string `json:"_type" temporaljson:"_type"`
	// Subject lists the artifacts the statement is about. A verifier should
	// require that one subject digest matches the image digest actually
	// being evaluated before trusting Predicate.
	Subject []InTotoSubject `json:"subject,omitempty" temporaljson:"subject,omitempty"`
	// PredicateType identifies the predicate schema, carried as-is.
	PredicateType string `json:"predicateType" temporaljson:"predicateType"`
	// Predicate is left undecoded; its schema depends on PredicateType.
	Predicate json.RawMessage `json:"predicate,omitempty" temporaljson:"predicate,omitempty"`
}
InTotoStatement represents an in-toto statement from the attestation. Before trusting Predicate, a verifier should both verify the enclosing DSSE signature and check that Subject contains a digest matching the image being evaluated; PredicateType is carried as-is from the statement.
type InTotoSubject ¶
// InTotoSubject names one artifact an in-toto statement applies to.
type InTotoSubject struct {
	// Name of the subject (for images, typically the reference).
	Name string `json:"name" temporaljson:"name"`
	// Digest maps algorithm name to digest value, as in the in-toto spec
	// (e.g. "sha256" -> hex digest). Match against the image digest here,
	// not against Name, which is not authenticated by the registry.
	Digest map[string]string `json:"digest,omitempty" temporaljson:"digest,omitempty"`
}
InTotoSubject represents a subject in an in-toto statement. Digest maps an algorithm name (for example "sha256") to the digest value; subject matching should be done on Digest, not on Name.
type ManifestEntry ¶
// ManifestEntry is one descriptor within an image index.
type ManifestEntry struct {
	// Digest of the referenced manifest.
	Digest string `json:"digest" temporaljson:"digest"`
	// MediaType as declared in the index (registry-supplied).
	MediaType string `json:"media_type" temporaljson:"media_type"`
	// Size as declared in the index, not measured.
	Size int64 `json:"size" temporaljson:"size"`
	// Platform of the referenced manifest, if present.
	Platform *Platform `json:"platform,omitempty" temporaljson:"platform,omitempty"`
	// Annotations from the index entry; unauthenticated metadata.
	Annotations map[string]string `json:"annotations,omitempty" temporaljson:"annotations,omitempty"`
	// IsAttestation marks an attestation manifest entry; presumably derived
	// from AnnotationReferenceType == ReferenceTypeAttestation — confirm.
	// Because it rests on an annotation, it is a routing hint, not a
	// statement that the entry holds valid attestations.
	IsAttestation bool `json:"is_attestation" temporaljson:"is_attestation"`
}
ManifestEntry represents a manifest within an image index. IsAttestation appears to be derived from the entry's reference-type annotation, which is unauthenticated metadata; it routes the entry to attestation handling but does not imply its contents have been verified.
type Platform ¶
// Platform is an OCI platform descriptor (os/architecture/variant).
type Platform struct {
	// OS such as "linux".
	OS string `json:"os" temporaljson:"os"`
	// Architecture such as "amd64" or "arm64".
	Architecture string `json:"architecture" temporaljson:"architecture"`
	// Variant such as "v8"; optional.
	Variant string `json:"variant,omitempty" temporaljson:"variant,omitempty"`
}
Platform represents an OCI platform specification.
type RegistryAuth ¶
type Signature ¶
// Signature is descriptive metadata about a discovered image signature. It
// carries no signature bytes and no verification result: the presence of a
// Signature means one was found, not that it is valid.
type Signature struct {
	// KeyID identifying the signing key, when known.
	KeyID string `json:"key_id,omitempty" temporaljson:"key_id,omitempty"`
	// Issuer and Subject look like signing-certificate identity fields
	// (keyless/Fulcio style) — TODO confirm their source. Until the
	// signature and certificate chain have been verified they are
	// attacker-controllable strings and must not drive policy on their own.
	Issuer string `json:"issuer,omitempty" temporaljson:"issuer,omitempty"`
	Subject string `json:"subject,omitempty" temporaljson:"subject,omitempty"`
	// Algorithm of the signature, as reported.
	Algorithm string `json:"algorithm,omitempty" temporaljson:"algorithm,omitempty"`
}