Documentation
¶
Overview ¶
Package security provides security policy types and enforcement for epack operations.
Quick Start ¶
For most operations, use the default strict policy:
policy := security.PolicyStrict // Default, recommended
To enable insecure options (requires explicit "Dangerously" prefix):
opts := security.DangerouslySkipVerify() // Skips signature verification
Naming Convention ¶
All insecure options use the prefix "Dangerously" in code and "--insecure-*" on CLI. This makes security-weakening options immediately visible in code review and logs.
ExecutionPolicy ¶
ExecutionPolicy controls the verification level for component execution. Use the most restrictive policy that meets your requirements:
- Strict: Full verification required (default, recommended)
- TrustOnFirstUse: Trust lockfile digest, skip Sigstore on first install
- Permissive: Skip all verification (DANGEROUS - development only)
Index ¶
- type ExecutionPolicy
- type InsecureOption
- func DangerouslyAllowCustomEndpoints() InsecureOption
- func DangerouslyAllowHTTP() InsecureOption
- func DangerouslyAllowUnverified() InsecureOption
- func DangerouslyInheritPath() InsecureOption
- func DangerouslySkipEmbeddedVerify() InsecureOption
- func DangerouslySkipIdentityCheck() InsecureOption
- func DangerouslySkipVerify() InsecureOption
- type InsecureOptions
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type ExecutionPolicy ¶
type ExecutionPolicy int
ExecutionPolicy controls verification requirements for component operations. Higher values indicate more permissive (less secure) policies.
SECURITY: Default to Strict. Only use weaker policies with explicit user consent.
const ( // PolicyStrict requires full Sigstore verification for all operations. // This is the default and recommended policy for production use. PolicyStrict ExecutionPolicy = iota // PolicyTrustOnFirstUse trusts the lockfile digest without Sigstore verification. // NOT RECOMMENDED for production use. PolicyTrustOnFirstUse // PolicyPermissive skips all verification. // DANGEROUS: Only use for local development with trusted components. // NEVER use in production. PolicyPermissive )
func ParsePolicy ¶
func ParsePolicy(s string) (ExecutionPolicy, error)
ParsePolicy parses a policy string. Returns an error for unknown values. Accepts: "strict", "trust-on-first-use", "tofu", "permissive"
func (ExecutionPolicy) IsInsecure ¶
func (p ExecutionPolicy) IsInsecure() bool
IsInsecure returns true if the policy weakens security guarantees.
func (ExecutionPolicy) RequiresDigest ¶
func (p ExecutionPolicy) RequiresDigest() bool
RequiresDigest returns true if the policy requires digest verification.
func (ExecutionPolicy) RequiresSigstore ¶
func (p ExecutionPolicy) RequiresSigstore() bool
RequiresSigstore returns true if the policy requires Sigstore verification.
func (ExecutionPolicy) String ¶
func (p ExecutionPolicy) String() string
String returns the policy name for logging and error messages.
type InsecureOption ¶
type InsecureOption struct {
// contains filtered or unexported fields
}
InsecureOption represents a security-weakening option that must be explicitly enabled. Each option requires calling a "Dangerously*" constructor to enable it.
func DangerouslyAllowCustomEndpoints ¶
func DangerouslyAllowCustomEndpoints() InsecureOption
DangerouslyAllowCustomEndpoints returns an option that permits custom Sigstore endpoints. DANGER: Custom TSA/Fulcio/Rekor endpoints could be malicious. CLI equivalent: --insecure-allow-custom-endpoints
func DangerouslyAllowHTTP ¶
func DangerouslyAllowHTTP() InsecureOption
DangerouslyAllowHTTP returns an option that permits HTTP (non-TLS) connections. DANGER: Traffic may be intercepted or modified. CLI equivalent: --insecure-allow-http
func DangerouslyAllowUnverified ¶
func DangerouslyAllowUnverified() InsecureOption
DangerouslyAllowUnverified returns an option that permits running unverified components. DANGER: Components may execute without any prior verification. CLI equivalent: --insecure-allow-unverified
func DangerouslyInheritPath ¶
func DangerouslyInheritPath() InsecureOption
DangerouslyInheritPath returns an option that inherits PATH from the environment. DANGER: Malicious binaries in PATH could be executed. CLI equivalent: --insecure-inherit-path
func DangerouslySkipEmbeddedVerify ¶
func DangerouslySkipEmbeddedVerify() InsecureOption
DangerouslySkipEmbeddedVerify returns an option that skips embedded attestation verification. DANGER: Merged packs will not have their embedded attestations verified. CLI equivalent: --insecure-skip-embedded-verify
func DangerouslySkipIdentityCheck ¶
func DangerouslySkipIdentityCheck() InsecureOption
DangerouslySkipIdentityCheck returns an option that accepts any valid signer. DANGER: Components signed by any valid identity will be accepted. CLI equivalent: --insecure-skip-identity-check
func DangerouslySkipVerify ¶
func DangerouslySkipVerify() InsecureOption
DangerouslySkipVerify returns an option that skips Sigstore signature verification. DANGER: Components will run without signature validation. CLI equivalent: --insecure-skip-verify
func (InsecureOption) IsEnabled ¶
func (o InsecureOption) IsEnabled() bool
IsEnabled returns true if this option was enabled.
func (InsecureOption) String ¶
func (o InsecureOption) String() string
String returns the option name for logging.
type InsecureOptions ¶
type InsecureOptions struct {
SkipVerify bool
SkipIdentityCheck bool
SkipEmbeddedVerify bool
AllowUnverified bool
AllowCustomEndpoints bool
AllowHTTP bool
InheritPath bool
}
InsecureOptions collects multiple insecure options for operations that need them.
func NewInsecureOptions ¶
func NewInsecureOptions(opts ...InsecureOption) *InsecureOptions
NewInsecureOptions creates InsecureOptions from a list of options. Only enabled options are applied.
func (*InsecureOptions) HasAny ¶
func (o *InsecureOptions) HasAny() bool
HasAny returns true if any insecure options are enabled.
func (*InsecureOptions) String ¶
func (o *InsecureOptions) String() string
String returns a comma-separated list of enabled insecure options.
Source Files