Documentation ¶
Overview ¶
Package v1 contains structs representing SLSA provenance v1.0.
Index ¶
- Constants
- func BuildCmd(predicate ProvenancePredicate) []string
- func BuilderID(predicate ProvenancePredicate) string
- func BuilderImageDigest(predicate ProvenancePredicate) (string, error)
- func GitURI(predicate ProvenancePredicate) []string
- type BuildConfig
- type BuildMetadata
- type Builder
- type DockerBasedExternalParameters
- type ProvenanceBuildDefinition
- type ProvenancePredicate
- type ProvenanceRunDetails
- type ResourceDescriptor
Constants ¶
const ( // PredicateSLSAProvenance is the predicate type of a SLSA v1 provenance. PredicateSLSAProvenance = "https://slsa.dev/provenance/v1" // PredicateSLSAProvenanceDraft is the predicate type of an earlier draft of SLSA v1 provenance. PredicateSLSAProvenanceDraft = "https://slsa.dev/provenance/v1.0?draft" // DockerBasedBuildType is the build type of container-based builds. DockerBasedBuildType = "https://slsa.dev/container-based-build/v0.1?draft" )
Variables ¶
This section is empty.
Functions ¶
func BuildCmd ¶
func BuildCmd(predicate ProvenancePredicate) []string
BuildCmd extracts and returns the build command from the given ProvenancePredicate.
func BuilderID ¶
func BuilderID(predicate ProvenancePredicate) string
BuilderID extracts and returns the builder ID from the given ProvenancePredicate.
func BuilderImageDigest ¶
func BuilderImageDigest(predicate ProvenancePredicate) (string, error)
BuilderImageDigest extracts and returns the digest for the Builder Image.
func GitURI ¶
func GitURI(predicate ProvenancePredicate) []string
GitURI returns references to a Git repo.
Types ¶
type BuildConfig ¶
type BuildConfig struct { // The path, relative to the root of the git repository, where the artifact // built by the `docker run` command is expected to be found. ArtifactPath string `toml:"artifact_path"` // Build command that is passed to `docker run`. Command []string `toml:"command"` }
BuildConfig is a collection of parameters to use for building the artifact in a container-based build.
type BuildMetadata ¶
type BuildMetadata struct { // Identifies this particular build invocation, which can be useful for // finding associated logs or other ad-hoc analysis. The exact meaning and // format is defined by builder.id; by default it is treated as opaque and // case-sensitive. The value SHOULD be globally unique. InvocationID string `json:"invocationID,omitempty"` // The timestamp of when the build started. StartedOn *time.Time `json:"startedOn,omitempty"` // The timestamp of when the build completed. FinishedOn *time.Time `json:"finishedOn,omitempty"` }
type Builder ¶
type Builder struct { // URI indicating the transitive closure of the trusted builder. ID string `json:"id"` // Version numbers of components of the builder. Version map[string]string `json:"version,omitempty"` // Dependencies used by the orchestrator that are not run within the // workload and that do not affect the build, but might affect the // provenance generation or security guarantees. BuilderDependencies []ResourceDescriptor `json:"builderDependencies,omitempty"` }
Builder represents the transitive closure of all the entities that are, by necessity, trusted to faithfully run the build and record the provenance.
type DockerBasedExternalParameters ¶
type DockerBasedExternalParameters struct { // The source GitHub repo Source ResourceDescriptor `json:"source"` // The Docker builder image BuilderImage ResourceDescriptor `json:"builderImage"` // Path to a configuration file relative to the root of the repository. ConfigPath string `json:"configPath"` // Unpacked build config parameters Config BuildConfig `json:"buildConfig"` }
DockerBasedExternalParameters is a representation of the top level inputs to a container-based build.
type ProvenanceBuildDefinition ¶
type ProvenanceBuildDefinition struct { // A human-readable URI identifying the template for how to perform the // build and interpret the parameters and dependencies. BuildType string `json:"buildType"` // Parameters that are under external control, such as those set by a user. ExternalParameters interface{} `json:"externalParameters"` // Parameters that are under the control of the entity represented by // builder.id. InternalParameters interface{} `json:"internalParameters,omitempty"` // Unordered collection of artifacts needed at build time. ResolvedDependencies []ResourceDescriptor `json:"resolvedDependencies,omitempty"` }
ProvenanceBuildDefinition describes all inputs to the build.
type ProvenancePredicate ¶
type ProvenancePredicate struct { // The BuildDefinition describes all of the inputs to the build. BuildDefinition ProvenanceBuildDefinition `json:"buildDefinition"` // The RunDetails describes this particular execution of the build. RunDetails ProvenanceRunDetails `json:"runDetails"` }
ProvenancePredicate defines the structure of a SLSA v1 provenance predicate. See the specification in https://slsa.dev/spec/v1.0/.
func ParseContainerBasedSLSAv1Provenance ¶
func ParseContainerBasedSLSAv1Provenance(predicate interface{}) (*ProvenancePredicate, error)
ParseContainerBasedSLSAv1Provenance parses the given object as a ProvenancePredicate, with its BuildDefinition.ExternalParameters parsed into an instance of DockerBasedExternalParameters. Returns an error if any of the conversions is unsuccessful.
type ProvenanceRunDetails ¶
type ProvenanceRunDetails struct { // Identifies the entity that executed the build. Builder Builder `json:"builder"` // Metadata about this particular execution of the build. BuildMetadata BuildMetadata `json:"metadata,omitempty"` // Additional artifacts generated during the build that are not considered // the “output” of the build but that might be needed during debugging or // incident response. Byproducts []ResourceDescriptor `json:"byproducts,omitempty"` }
ProvenanceRunDetails includes details specific to a particular execution of a build.
type ResourceDescriptor ¶
type ResourceDescriptor struct { // A URI used to identify the resource globally. This field is REQUIRED // unless either digest or content is set. URI string `json:"uri,omitempty"` // A set of cryptographic digests of the contents of the resource. This // field is REQUIRED unless either uri or content is set. Digest intoto.DigestSet `json:"digest,omitempty"` // Machine-readable identifier for distinguishing between descriptors. Name string `json:"name,omitempty"` // Location of the described resource, if different from the uri. DownloadLocation string `json:"downloadLocation,omitempty"` // The MIME Type (i.e., media type) of the described resource. MediaType string `json:"mediaType,omitempty"` // The contents of the resource. This field is REQUIRED unless either uri // or digest is set. Content []byte `json:"content,omitempty"` // This field MAY be used to provide additional information or metadata // about the resource that may be useful to the consumer when evaluating // the attestation against a policy. Annotations map[string]interface{} `json:"annotations,omitempty"` }
ResourceDescriptor describes a particular software resource.