policy

package

Constants

// Location of the canonical SLSA source-policies repository, split into the
// forms the GitHub API and the policy URI need. Presumably this is the repo
// GetPolicy reads from when PolicyEvaluator.UseLocalPolicy is unset; confirm
// against GetPolicy.
const (
	SourcePolicyUri       = "github.com/slsa-framework/source-policies"
	SourcePolicyRepoOwner = "slsa-framework"
	SourcePolicyRepo      = "source-policies"
)

Variables

// File_policy_proto is the protobuf file descriptor for the message types
// declared in this package (OrgStatusCheckControl, ProtectedBranch,
// ProtectedTag, RepoPolicy).
var File_policy_proto protoreflect.FileDescriptor

Functions

func ComputeEligibleSince

func ComputeEligibleSince(controls slsa.Controls, level slsa.SlsaSourceLevel) (*time.Time, error)

ComputeEligibleSince computes the time since these controls have been eligible for the level; it returns nil if they are not eligible.

func ComputeEligibleSlsaLevel

func ComputeEligibleSlsaLevel(controls slsa.Controls) slsa.SlsaSourceLevel

ComputeEligibleSlsaLevel computes the SLSA level these controls would be eligible for if a policy existed, and when they started being eligible for it. It also returns a rationale for why they are eligible for this level.

Types

type OrgStatusCheckControl

// OrgStatusCheckControl ties a GitHub required status check on a protected
// branch to a control name that is recorded in provenance and VSAs.
type OrgStatusCheckControl struct {

	// The property to record in the VSA if the conditions are met.
	// MUST start with `ORG_SOURCE_`.
	// We'll override this with slsa.ControlName
	PropertyName string `protobuf:"bytes,1,opt,name=property_name,json=propertyName,proto3" json:"property_name,omitempty"`
	// These controls have their own start time to enable orgs to enable
	// new ones without violating continuity on other controls.
	Since *timestamppb.Timestamp `protobuf:"bytes,2,opt,name=since,proto3" json:"since,omitempty"`
	// The name of the 'Status Check' as reported in the GitHub UI & API.
	// This is the value matched against the checks GitHub reports, so it
	// must be spelled exactly as the check publishes itself.
	CheckName string `protobuf:"bytes,3,opt,name=check_name,json=checkName,proto3" json:"check_name,omitempty"`
	// contains filtered or unexported fields
}

Used by orgs to require that specific 'checks' are run on protected branches and to associate those checks with a control name to include in provenance and VSAs. https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/available-rules-for-rulesets#require-status-checks-to-pass-before-merging

func (*OrgStatusCheckControl) Descriptor deprecated

func (*OrgStatusCheckControl) Descriptor() ([]byte, []int)

Deprecated: Use OrgStatusCheckControl.ProtoReflect.Descriptor instead.

func (*OrgStatusCheckControl) GetCheckName

func (x *OrgStatusCheckControl) GetCheckName() string

func (*OrgStatusCheckControl) GetPropertyName

func (x *OrgStatusCheckControl) GetPropertyName() string

func (*OrgStatusCheckControl) GetSince

func (*OrgStatusCheckControl) MarshalJSON

func (ctl *OrgStatusCheckControl) MarshalJSON() ([]byte, error)

func (*OrgStatusCheckControl) ProtoMessage

func (*OrgStatusCheckControl) ProtoMessage()

func (*OrgStatusCheckControl) ProtoReflect

func (x *OrgStatusCheckControl) ProtoReflect() protoreflect.Message

func (*OrgStatusCheckControl) Reset

func (x *OrgStatusCheckControl) Reset()

func (*OrgStatusCheckControl) String

func (x *OrgStatusCheckControl) String() string

type PolicyEvaluator

// PolicyEvaluator evaluates controls and provenance against a repository's
// source policy. Create one with NewPolicyEvaluator.
type PolicyEvaluator struct {
	// UNSAFE!
	// Instead of grabbing the policy from the canonical repo, use the policy at this path instead.
	// Intended for debugging only: a local policy bypasses the policy fetched
	// from the canonical source-policies repo, so any source level produced
	// while this is set reflects the local file rather than the published
	// policy. Leave empty in production.
	UseLocalPolicy string
	// contains filtered or unexported fields
}

PolicyEvaluator evaluates controls and provenance against a repository's source policy; create one with NewPolicyEvaluator.

func NewPolicyEvaluator

func NewPolicyEvaluator() *PolicyEvaluator

func (*PolicyEvaluator) CreateLocalPolicy

func (pe *PolicyEvaluator) CreateLocalPolicy(ctx context.Context, repo *models.Repository, branch *models.Branch, pathToClone string) (string, error)

func (*PolicyEvaluator) EvaluateControl

func (pe *PolicyEvaluator) EvaluateControl(ctx context.Context, repo *models.Repository, branch *models.Branch, controlStatus *ghcontrol.GhControlStatus) (slsa.SourceVerifiedLevels, string, error)

EvaluateControl checks the control against the policy and returns the resulting source level and policy path.

func (*PolicyEvaluator) EvaluateSourceProv

func (pe *PolicyEvaluator) EvaluateSourceProv(ctx context.Context, repo *models.Repository, branch *models.Branch, prov *spb.Statement) (slsa.SourceVerifiedLevels, string, error)

EvaluateSourceProv evaluates the provenance against the policy and returns the resulting source level and policy path.

func (*PolicyEvaluator) EvaluateTagProv

func (pe *PolicyEvaluator) EvaluateTagProv(ctx context.Context, repo *models.Repository, prov *spb.Statement) (slsa.SourceVerifiedLevels, string, error)

EvaluateTagProv evaluates the provenance against the policy and returns the resulting source level and policy path.

func (*PolicyEvaluator) GetPolicy

func (pe *PolicyEvaluator) GetPolicy(ctx context.Context, repo *models.Repository) (policy *RepoPolicy, path string, err error)

GetPolicy fetches the policy for a repository from the SLSA source repo. For debugging purposes only: if UseLocalPolicy is set, the policy is read from that local file instead.

type ProtectedBranch

// ProtectedBranch is the policy for a single branch: the source level it
// targets and the controls required to reach it. When a branch requires
// multiple controls, they must all be enabled at or before Since.
type ProtectedBranch struct {
	// Name of the branch this policy applies to.
	Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
	// Time from which every control on this branch must have been enabled.
	Since *timestamppb.Timestamp `protobuf:"bytes,2,opt,name=since,proto3" json:"since,omitempty"`
	// We override this string with slsa.SlsaSourceLevel
	TargetSlsaSourceLevel string `` /* 128-byte string literal not displayed */
	// Whether review is a required control for this branch.
	RequireReview bool `protobuf:"varint,4,opt,name=require_review,json=requireReview,proto3" json:"require_review,omitempty"`
	// Org-defined status checks that must pass on this branch; each carries
	// its own Since (see OrgStatusCheckControl).
	OrgStatusCheckControls []*OrgStatusCheckControl `protobuf:"bytes,5,rep,name=org_status_check_controls,proto3" json:"org_status_check_controls,omitempty"`
	// contains filtered or unexported fields
}

When a branch requires multiple controls, they must all be enabled at or before 'since'.

func (*ProtectedBranch) Descriptor deprecated

func (*ProtectedBranch) Descriptor() ([]byte, []int)

Deprecated: Use ProtectedBranch.ProtoReflect.Descriptor instead.

func (*ProtectedBranch) GetName

func (x *ProtectedBranch) GetName() string

func (*ProtectedBranch) GetOrgStatusCheckControls

func (x *ProtectedBranch) GetOrgStatusCheckControls() []*OrgStatusCheckControl

func (*ProtectedBranch) GetRequireReview

func (x *ProtectedBranch) GetRequireReview() bool

func (*ProtectedBranch) GetSince

func (x *ProtectedBranch) GetSince() *timestamppb.Timestamp

func (*ProtectedBranch) GetTargetSlsaSourceLevel

func (x *ProtectedBranch) GetTargetSlsaSourceLevel() string

func (*ProtectedBranch) MarshalJSON

func (branch *ProtectedBranch) MarshalJSON() ([]byte, error)

func (*ProtectedBranch) ProtoMessage

func (*ProtectedBranch) ProtoMessage()

func (*ProtectedBranch) ProtoReflect

func (x *ProtectedBranch) ProtoReflect() protoreflect.Message

func (*ProtectedBranch) Reset

func (x *ProtectedBranch) Reset()

func (*ProtectedBranch) String

func (x *ProtectedBranch) String() string

type ProtectedTag

// ProtectedTag lists the controls required for protected tags.
type ProtectedTag struct {
	// Time from which the tag controls must have been enabled.
	Since *timestamppb.Timestamp `protobuf:"bytes,1,opt,name=since,proto3" json:"since,omitempty"`
	// Whether the tag hygiene control is required.
	TagHygiene bool `protobuf:"varint,2,opt,name=tag_hygiene,json=tagHygiene,proto3" json:"tag_hygiene,omitempty"`
	// contains filtered or unexported fields
}

The controls required for protected tags.

func (*ProtectedTag) Descriptor deprecated

func (*ProtectedTag) Descriptor() ([]byte, []int)

Deprecated: Use ProtectedTag.ProtoReflect.Descriptor instead.

func (*ProtectedTag) GetSince

func (x *ProtectedTag) GetSince() *timestamppb.Timestamp

func (*ProtectedTag) GetTagHygiene

func (x *ProtectedTag) GetTagHygiene() bool

func (*ProtectedTag) MarshalJSON

func (tag *ProtectedTag) MarshalJSON() ([]byte, error)

func (*ProtectedTag) ProtoMessage

func (*ProtectedTag) ProtoMessage()

func (*ProtectedTag) ProtoReflect

func (x *ProtectedTag) ProtoReflect() protoreflect.Message

func (*ProtectedTag) Reset

func (x *ProtectedTag) Reset()

func (*ProtectedTag) String

func (x *ProtectedTag) String() string

type RepoPolicy

// RepoPolicy is the repository policy definition: which repository it
// belongs to and the branch and tag protections it requires.
type RepoPolicy struct {
	// The repository this policy is for; presumably compared against the
	// repository being evaluated so a policy cannot be applied to a different
	// repo — confirm against the evaluator.
	CanonicalRepo string `protobuf:"bytes,1,opt,name=canonical_repo,proto3" json:"canonical_repo,omitempty"`
	// Per-branch policies; look one up with GetBranchPolicy, which returns
	// nil for branches without one.
	ProtectedBranches []*ProtectedBranch `protobuf:"bytes,2,rep,name=protected_branches,proto3" json:"protected_branches,omitempty"`
	// Optional tag policy (proto3 oneof, so nil when unset).
	ProtectedTag *ProtectedTag `protobuf:"bytes,3,opt,name=protected_tag,json=protectedTag,proto3,oneof" json:"protected_tag,omitempty"`
	// contains filtered or unexported fields
}

RepoPolicy is the repository policy definition.

func (*RepoPolicy) Descriptor deprecated

func (*RepoPolicy) Descriptor() ([]byte, []int)

Deprecated: Use RepoPolicy.ProtoReflect.Descriptor instead.

func (*RepoPolicy) GetBranchPolicy

func (rp *RepoPolicy) GetBranchPolicy(branch string) *ProtectedBranch

GetBranchPolicy returns the policy for the branch, or nil if the branch doesn't have one.

func (*RepoPolicy) GetCanonicalRepo

func (x *RepoPolicy) GetCanonicalRepo() string

func (*RepoPolicy) GetProtectedBranches

func (x *RepoPolicy) GetProtectedBranches() []*ProtectedBranch

func (*RepoPolicy) GetProtectedTag

func (x *RepoPolicy) GetProtectedTag() *ProtectedTag

func (*RepoPolicy) ProtoMessage

func (*RepoPolicy) ProtoMessage()

func (*RepoPolicy) ProtoReflect

func (x *RepoPolicy) ProtoReflect() protoreflect.Message

func (*RepoPolicy) Reset

func (x *RepoPolicy) Reset()

func (*RepoPolicy) String

func (x *RepoPolicy) String() string
