provenance

package
v0.0.0-...-e601d7c
Published: Apr 20, 2026 License: MIT Imports: 13 Imported by: 0

Documentation

Index

Constants

const (
	// Cosign attestation types for supported provenance predicate schemas.
	CosignAttestationTypeV10 = "slsaprovenance1"
	CosignAttestationTypeV02 = "slsaprovenance02"
)

Variables

This section is empty.

Functions

func ExtractDigestFromImageRef

func ExtractDigestFromImageRef(imageRef string) string

ExtractDigestFromImageRef returns the sha256 digest component from an image ref.
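The following is an added illustration of digest extraction from an OCI image reference, not the package's own ExtractDigestFromImageRef (which returns only a string). It handles the two forms a practitioner meets in CI, `repo@sha256:<hex>` and `repo:tag@sha256:<hex>`, and returns an error for a tag-only reference, since a tag is mutable and cannot be bound to an attestation. The sample references are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// extractDigest is an added illustration, not the package's
// ExtractDigestFromImageRef. It accepts
//   registry/repo@sha256:<hex>
//   registry/repo:tag@sha256:<hex>
// and rejects refs without a digest, non-sha256 digests, and malformed hex
// (OCI digests are lowercase, so uppercase is rejected as well).
func extractDigest(imageRef string) (string, error) {
	at := strings.LastIndex(imageRef, "@")
	if at < 0 {
		return "", errors.New("image reference has no digest component")
	}
	digest := imageRef[at+1:]
	const prefix = "sha256:"
	if !strings.HasPrefix(digest, prefix) {
		return "", fmt.Errorf("unsupported digest %q, want sha256", digest)
	}
	hex := digest[len(prefix):]
	if len(hex) != 64 {
		return "", fmt.Errorf("sha256 digest has %d hex chars, want 64", len(hex))
	}
	for _, c := range hex {
		if !(c >= '0' && c <= '9' || c >= 'a' && c <= 'f') {
			return "", fmt.Errorf("sha256 digest contains non-hex character %q", c)
		}
	}
	return digest, nil
}

func main() {
	// Constructed sample references.
	for _, ref := range []string{
		"ghcr.io/example/app@sha256:" + strings.Repeat("ab", 32),
		"ghcr.io/example/app:v1.2.3@sha256:" + strings.Repeat("ab", 32),
		"ghcr.io/example/app:v1.2.3",
	} {
		d, err := extractDigest(ref)
		fmt.Printf("%s -> %q err=%v\n", ref, d, err)
	}
}
```

Rejecting tag-only references at this point is deliberate: the digest extracted here is what the verification policy later compares against the attestation subject, and a tag gives an attacker who can push to the registry a way to swap the image under a valid attestation.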

func ValidateStatementContent

func ValidateStatementContent(content []byte, opts ValidateOptions) error

ValidateStatementContent applies policy checks to a verified provenance payload.

Types

type Attacher

type Attacher struct {
	SigningConfig *signing.Config
	Timeout       time.Duration
}

Attacher attaches and verifies provenance attestations via cosign.

func NewAttacher

func NewAttacher(signingConfig *signing.Config) *Attacher

NewAttacher creates a provenance attacher.

func (*Attacher) Attach

func (a *Attacher) Attach(ctx context.Context, statement *Statement, imageRef string) error

Attach attaches the provenance statement to the image using cosign attest.

func (*Attacher) Verify

func (a *Attacher) Verify(ctx context.Context, imageRef string, format Format) (*Statement, error)

Verify verifies the provenance attestation and returns the decoded predicate.

type Format

type Format string

Format identifies the provenance predicate schema.

const (
	FormatSLSAV10 Format = "slsa-v1.0"
	// FormatSLSAV02 is retained only so legacy attestations can still be detected.
	FormatSLSAV02 Format = "slsa-v0.2"
)

func DetectFormat

func DetectFormat(content []byte) (Format, error)

DetectFormat inspects a provenance payload and returns the matching supported format.

func ParseFormat

func ParseFormat(value string) (Format, error)

ParseFormat parses the configured provenance format.

type GenerateOptions

type GenerateOptions struct {
	BuilderID         string
	SourceRoot        string
	ContextPath       string
	DockerfilePath    string
	IncludeGit        bool
	IncludeDockerfile bool
	IncludeEnv        bool
	IncludeMaterials  bool
}

GenerateOptions controls provenance generation.

type Metadata

type Metadata struct {
	BuilderID  string `json:"builderId,omitempty"`
	SourceURI  string `json:"sourceUri,omitempty"`
	GitCommit  string `json:"gitCommit,omitempty"`
	GitBranch  string `json:"gitBranch,omitempty"`
	Dockerfile string `json:"dockerfile,omitempty"`
}

Metadata tracks key provenance metadata used during generation.

type Statement

type Statement struct {
	Format      Format    `json:"format"`
	Content     []byte    `json:"content"`
	Digest      string    `json:"digest"`
	ImageRef    string    `json:"imageRef"`
	GeneratedAt time.Time `json:"generatedAt"`
	Metadata    *Metadata `json:"metadata,omitempty"`
}

Statement holds a generated provenance predicate.

func Generate

func Generate(ctx context.Context, imageRef string, format Format, opts GenerateOptions) (*Statement, error)

Generate creates a provenance predicate for the supplied image.
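As an added example of what Generate has to produce from the Metadata it tracks, the block below lays the builder id, source URI, git commit, branch and Dockerfile path out as a SLSA v1.0 provenance predicate. This is illustrative code, not the package's implementation: the `buildType` URI is hypothetical, the choice to record the Dockerfile and branch under `externalParameters` is an assumption, and the package's Generate may place fields differently. The field names themselves follow the published SLSA v1.0 schema.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Metadata mirrors the page's type. buildV1Predicate is an added
// illustration of laying that metadata out as a SLSA v1.0 provenance
// predicate; the package's Generate may place the fields differently.
type Metadata struct {
	BuilderID  string `json:"builderId,omitempty"`
	SourceURI  string `json:"sourceUri,omitempty"`
	GitCommit  string `json:"gitCommit,omitempty"`
	GitBranch  string `json:"gitBranch,omitempty"`
	Dockerfile string `json:"dockerfile,omitempty"`
}

// resourceDescriptor and slsaV1Predicate follow the field names of the
// published SLSA v1.0 schema.
type resourceDescriptor struct {
	URI    string            `json:"uri"`
	Digest map[string]string `json:"digest,omitempty"`
}

type slsaV1Predicate struct {
	BuildDefinition struct {
		BuildType            string                 `json:"buildType"`
		ExternalParameters   map[string]interface{} `json:"externalParameters"`
		ResolvedDependencies []resourceDescriptor   `json:"resolvedDependencies,omitempty"`
	} `json:"buildDefinition"`
	RunDetails struct {
		Builder struct {
			ID string `json:"id"`
		} `json:"builder"`
		Metadata struct {
			StartedOn  time.Time `json:"startedOn"`
			FinishedOn time.Time `json:"finishedOn"`
		} `json:"metadata"`
	} `json:"runDetails"`
}

// buildType is a hypothetical URI naming this generator's build process.
const buildType = "https://example.com/buildtypes/docker-image/v1"

// buildV1Predicate refuses to emit provenance without a builder id, since
// verifiers pin policy to runDetails.builder.id. The source checkout goes
// into resolvedDependencies keyed by gitCommit (the immutable identity);
// the branch is recorded only as an external parameter (an assumption)
// because a branch name is mutable and must not drive policy.
func buildV1Predicate(m *Metadata, started, finished time.Time) ([]byte, error) {
	if m == nil || m.BuilderID == "" {
		return nil, errors.New("builder id is required")
	}
	if finished.Before(started) {
		return nil, errors.New("finishedOn precedes startedOn")
	}
	var p slsaV1Predicate
	p.BuildDefinition.BuildType = buildType
	p.BuildDefinition.ExternalParameters = map[string]interface{}{}
	if m.Dockerfile != "" {
		p.BuildDefinition.ExternalParameters["dockerfile"] = m.Dockerfile
	}
	if m.GitBranch != "" {
		p.BuildDefinition.ExternalParameters["ref"] = m.GitBranch
	}
	if m.SourceURI != "" {
		src := resourceDescriptor{URI: m.SourceURI}
		if m.GitCommit != "" {
			src.Digest = map[string]string{"gitCommit": m.GitCommit}
		}
		p.BuildDefinition.ResolvedDependencies = append(p.BuildDefinition.ResolvedDependencies, src)
	}
	p.RunDetails.Builder.ID = m.BuilderID
	p.RunDetails.Metadata.StartedOn = started.UTC()
	p.RunDetails.Metadata.FinishedOn = finished.UTC()
	return json.MarshalIndent(p, "", "  ")
}

func main() {
	// Constructed sample metadata.
	now := time.Now()
	out, err := buildV1Predicate(&Metadata{
		BuilderID:  "https://example.com/ci-builder",
		SourceURI:  "git+https://github.com/example/app",
		GitCommit:  "9fceb02d0ae598e95dc970b74767f19372d61af8",
		GitBranch:  "main",
		Dockerfile: "Dockerfile",
	}, now.Add(-time.Minute), now)
	if err != nil {
		panic(err)
	}
	fmt.Println(string(out))
}
```

The predicate produced here is a bare predicate, which is the form cosign attest consumes via --predicate; cosign wraps it in its own in-toto Statement with the image digest as subject, which is why the subject is not set by this code.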

func NewStatement

func NewStatement(format Format, content []byte, imageRef string, metadata *Metadata) *Statement

NewStatement creates a normalized provenance statement.

func (*Statement) Predicate

func (s *Statement) Predicate() ([]byte, error)

Predicate returns the provenance predicate content suitable for cosign attest. When Content is already a bare predicate, it is returned unchanged.
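The block below is an added illustration covering both DetectFormat and Statement.Predicate above; it is not the package's code. It recognises a payload either by the in-toto `predicateType` (the slsa.dev URIs for v1.0 and v0.2) or, for a bare predicate, by the top-level keys each schema uses, and it unwraps a full Statement to the bare predicate that cosign attest --predicate takes while returning an already-bare predicate unchanged. The two sample payloads are constructed.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Format and its constants mirror the page's declarations; detectFormat and
// barePredicate are added illustrations, not the package's own DetectFormat
// or Statement.Predicate.
type Format string

const (
	FormatSLSAV10 Format = "slsa-v1.0"
	FormatSLSAV02 Format = "slsa-v0.2"

	// predicateType URIs published by slsa.dev for the two schemas.
	predicateTypeV10 = "https://slsa.dev/provenance/v1"
	predicateTypeV02 = "https://slsa.dev/provenance/v0.2"
)

// envelope holds just enough to tell an in-toto Statement from a bare
// predicate and to recognise either SLSA schema by its top-level keys.
type envelope struct {
	PredicateType   string          `json:"predicateType"`
	Predicate       json.RawMessage `json:"predicate"`
	BuildDefinition json.RawMessage `json:"buildDefinition"` // v1.0 marker
	RunDetails      json.RawMessage `json:"runDetails"`      // v1.0 marker
	Builder         json.RawMessage `json:"builder"`         // v0.2 marker
	BuildType       json.RawMessage `json:"buildType"`       // v0.2 marker
}

// detectFormat decides by predicateType when the payload is a Statement and
// by schema-specific keys when it is a bare predicate. An unknown
// predicateType is an error, never a guess.
func detectFormat(content []byte) (Format, error) {
	var e envelope
	if err := json.Unmarshal(content, &e); err != nil {
		return "", fmt.Errorf("provenance payload is not valid JSON: %w", err)
	}
	switch e.PredicateType {
	case predicateTypeV10:
		return FormatSLSAV10, nil
	case predicateTypeV02:
		return FormatSLSAV02, nil
	case "":
		// bare predicate: fall back to structural detection below
	default:
		return "", fmt.Errorf("unsupported predicateType %q", e.PredicateType)
	}
	switch {
	case e.BuildDefinition != nil && e.RunDetails != nil:
		return FormatSLSAV10, nil
	case e.Builder != nil && e.BuildType != nil:
		return FormatSLSAV02, nil
	}
	return "", errors.New("payload matches neither SLSA v1.0 nor v0.2 provenance")
}

// barePredicate returns what cosign attest --predicate expects: the
// "predicate" member when content is a full Statement, or the content
// itself when it is already a bare predicate.
func barePredicate(content []byte) ([]byte, error) {
	var e envelope
	if err := json.Unmarshal(content, &e); err != nil {
		return nil, err
	}
	if e.PredicateType == "" {
		return content, nil
	}
	if len(e.Predicate) == 0 {
		return nil, errors.New("statement has predicateType but no predicate")
	}
	return e.Predicate, nil
}

// Constructed sample payloads (not real build output).
var (
	sampleV1Statement = []byte(`{"_type":"https://in-toto.io/Statement/v1",
	 "predicateType":"https://slsa.dev/provenance/v1",
	 "subject":[{"name":"ghcr.io/example/app","digest":{"sha256":"deadbeef"}}],
	 "predicate":{"buildDefinition":{"buildType":"https://example.com/build"},
	   "runDetails":{"builder":{"id":"https://example.com/builder"}}}}`)
	sampleV02Bare = []byte(`{"builder":{"id":"https://example.com/builder"},
	 "buildType":"https://example.com/build","invocation":{},"materials":[]}`)
)

func main() {
	for _, payload := range [][]byte{sampleV1Statement, sampleV02Bare} {
		f, err := detectFormat(payload)
		p, _ := barePredicate(payload)
		fmt.Printf("format=%s err=%v bare=%d bytes\n", f, err, len(p))
	}
}
```

The detected Format is what selects the cosign --type on attest and verify: "slsaprovenance1" for slsa-v1.0 and "slsaprovenance02" for slsa-v0.2, per the CosignAttestationType constants above. Verifying with the wrong type means cosign looks for a different predicateType and finds no attestation at all, so the detection step is worth doing before, not after, the cosign call.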

func (*Statement) Save

func (s *Statement) Save(path string) error

Save persists the generated statement to a local file.

func (*Statement) Validate

func (s *Statement) Validate(opts ValidateOptions) error

Validate verifies that the statement content matches expected provenance policy values.

type ValidateOptions

type ValidateOptions struct {
	ExpectedFormat    Format
	ExpectedDigest    string
	ExpectedBuilderID string
	ExpectedSourceURI string
	ExpectedCommit    string
}

ValidateOptions controls post-verification provenance policy checks.
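As an added example of the policy checks ValidateOptions describes, the block below decodes a SLSA v1.0 in-toto Statement and pins it to the expected image digest, builder id, source URI and commit. This is illustrative code, not the package's ValidateStatementContent: it mirrors a subset of ValidateOptions, assumes an empty expectation means "no constraint", and assumes the source checkout is recorded as a resolved dependency with a `gitCommit` digest. The sample statement is constructed.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// ValidateOptions mirrors a subset of the page's type. validateStatementContent
// is an added illustration of post-verification policy checks, not the
// package's own. Assumption: an empty expectation means "no constraint".
type ValidateOptions struct {
	ExpectedDigest    string // "sha256:<hex>" or bare hex
	ExpectedBuilderID string
	ExpectedSourceURI string
	ExpectedCommit    string
}

// slsaV1Statement is the subset of an in-toto Statement carrying a SLSA
// v1.0 predicate that the policy reads.
type slsaV1Statement struct {
	PredicateType string `json:"predicateType"`
	Subject       []struct {
		Digest map[string]string `json:"digest"`
	} `json:"subject"`
	Predicate struct {
		BuildDefinition struct {
			ResolvedDependencies []struct {
				URI    string            `json:"uri"`
				Digest map[string]string `json:"digest"`
			} `json:"resolvedDependencies"`
		} `json:"buildDefinition"`
		RunDetails struct {
			Builder struct {
				ID string `json:"id"`
			} `json:"builder"`
		} `json:"runDetails"`
	} `json:"predicate"`
}

// validateStatementContent binds a signature-verified attestation to the
// image (subject digest), the trusted builder, and the expected source
// checkout. A valid signature over the wrong artifact or builder must fail.
func validateStatementContent(content []byte, opts ValidateOptions) error {
	var st slsaV1Statement
	if err := json.Unmarshal(content, &st); err != nil {
		return fmt.Errorf("decode statement: %w", err)
	}
	if st.PredicateType != "https://slsa.dev/provenance/v1" {
		return fmt.Errorf("predicateType %q is not SLSA v1.0", st.PredicateType)
	}
	if want := strings.TrimPrefix(opts.ExpectedDigest, "sha256:"); want != "" {
		found := false
		for _, s := range st.Subject {
			found = found || s.Digest["sha256"] == want
		}
		if !found {
			return fmt.Errorf("no subject carries sha256 digest %s", want)
		}
	}
	if got := st.Predicate.RunDetails.Builder.ID; opts.ExpectedBuilderID != "" && got != opts.ExpectedBuilderID {
		return fmt.Errorf("builder id %q, want %q", got, opts.ExpectedBuilderID)
	}
	if opts.ExpectedSourceURI != "" || opts.ExpectedCommit != "" {
		// Assumption: the source checkout is a resolved dependency whose
		// digest set contains a gitCommit entry.
		for _, d := range st.Predicate.BuildDefinition.ResolvedDependencies {
			commit, ok := d.Digest["gitCommit"]
			if !ok || (opts.ExpectedSourceURI != "" && d.URI != opts.ExpectedSourceURI) ||
				(opts.ExpectedCommit != "" && commit != opts.ExpectedCommit) {
				continue
			}
			return nil
		}
		return errors.New("no resolved dependency matches the expected source URI and commit")
	}
	return nil
}

// Constructed sample values (not real build output).
const imgDigest = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
const commit = "9fceb02d0ae598e95dc970b74767f19372d61af8"

var sample = []byte(`{"_type":"https://in-toto.io/Statement/v1",
 "predicateType":"https://slsa.dev/provenance/v1",
 "subject":[{"name":"ghcr.io/example/app","digest":{"sha256":"` + imgDigest + `"}}],
 "predicate":{"buildDefinition":{"buildType":"https://example.com/docker-build",
   "resolvedDependencies":[{"uri":"git+https://github.com/example/app","digest":{"gitCommit":"` + commit + `"}}]},
  "runDetails":{"builder":{"id":"https://example.com/ci-builder"}}}}`)

func main() {
	ok := ValidateOptions{ExpectedDigest: "sha256:" + imgDigest, ExpectedBuilderID: "https://example.com/ci-builder",
		ExpectedSourceURI: "git+https://github.com/example/app", ExpectedCommit: commit}
	fmt.Println("policy match:", validateStatementContent(sample, ok))
	bad := ok
	bad.ExpectedBuilderID = "https://evil.example/builder"
	fmt.Println("wrong builder:", validateStatementContent(sample, bad))
}
```

These checks only mean something after Attacher.Verify has checked the signature; run them on the payload cosign returned, not on a file read from disk, and treat every mismatch as a hard failure rather than a warning.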
