chains
Supply Chain Security in Tekton Pipelines
### Feature request Since the buildConfig field is removed in the SLSA v1 spec, I propose that chains support a new predicate type to store the pipelineRun and expanded taskRun...
As highlighted in https://docs.google.com/document/d/1IPE_xycMZ7I2ni98wPLFogY5xJEREdXuYwOuPnPL5Po/edit, when adding support for `v1` objects, we need to replicate usage in a lot of files, which is going to be tedious. We will need to...
# Expected Behavior According to its [schema](https://slsa.dev/spec/v0.2/provenance#schema), the attribute `invocation.configSource.uri` of a v0.2 SLSA Provenance is expected to be a URI, e.g. `oci://quay.io//` # Actual Behavior In 0.17.0,...
Currently, for pipeline runs, we only capture the `pipelineRunResults` under `byProducts`. The underlying task results are not surfaced in the provenance. https://github.com/tektoncd/chains/issues/824 has a use case for this and surfacing...
# Expected Behavior SLSA v1 predicate should be wrapped into [intoto v1 statement](https://github.com/in-toto/attestation/blob/main/spec/v1/statement.md) # Actual Behavior It's wrapped into intoto v0.1 statement https://github.com/tektoncd/chains/blob/70c8c7de563ba3d6c1e65a1e4e21c83335fa432a/pkg/chains/formats/slsa/v2alpha2/internal/pipelinerun/pipelinerun.go#L47 # Related https://github.com/in-toto/in-toto-golang/issues/265 It would be ideal...
### Feature request The SLSA v1 specification [allows `"git*"`](https://github.com/in-toto/attestation/blob/main/spec/v1/digest_set.md#gitcommit-gittree-gitblob-gittag) as algorithm value for `predicate.buildDefinition.resolvedDependencies.digest`. Currently [it is set](https://github.com/tektoncd/chains/blob/main/pkg/chains/formats/slsa/internal/material/material.go) to `"sha1"` and the value is the git commit id. With `artifacts.pipelinerun.format=slsa/v2alpha2`...
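The two issues above are about the shape of the emitted attestation rather than its signing: the in-toto envelope a SLSA v1 predicate sits in (`_type` must be `https://in-toto.io/Statement/v1`, not `/v0.1`), and the algorithm name under which a git checkout is recorded in `resolvedDependencies` (`gitCommit` from the in-toto DigestSet, not `sha1`). The following Go example is added here and is not Chains code; it builds a minimal statement the way a practitioner would want Chains to, and `CheckStatement` flags both mismatches in an arbitrary serialized statement. The image reference, commit, `buildType` URI, builder ID and the "is this a git URI" heuristic are all assumptions made for the example, not values taken from the project.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Type URIs from the in-toto attestation spec (v0.1 and v1 statements) and the SLSA v1 provenance spec.
const (
	StatementV01     = "https://in-toto.io/Statement/v0.1"
	StatementV1      = "https://in-toto.io/Statement/v1"
	SLSAProvenanceV1 = "https://slsa.dev/provenance/v1"
)

// Statement is the in-toto statement envelope (field names per the spec).
type Statement struct {
	Type          string          `json:"_type"`
	Subject       []ResourceDesc  `json:"subject"`
	PredicateType string          `json:"predicateType"`
	Predicate     json.RawMessage `json:"predicate"`
}

// ResourceDesc is the subset of an in-toto ResourceDescriptor used here; Digest is a DigestSet.
type ResourceDesc struct {
	Name   string            `json:"name,omitempty"`
	URI    string            `json:"uri,omitempty"`
	Digest map[string]string `json:"digest"`
}

// Provenance is the subset of the SLSA v1 predicate needed for this example.
type Provenance struct {
	BuildDefinition struct {
		BuildType            string            `json:"buildType"`
		ExternalParameters   map[string]string `json:"externalParameters"`
		ResolvedDependencies []ResourceDesc    `json:"resolvedDependencies"`
	} `json:"buildDefinition"`
	RunDetails struct {
		Builder struct {
			ID string `json:"id"`
		} `json:"builder"`
	} `json:"runDetails"`
}

// NewStatement wraps a SLSA v1 predicate in an in-toto v1 statement and records the
// source checkout as a resolvedDependency keyed by the gitCommit algorithm.
func NewStatement(imageRef, imageSHA256, repoURI, commit, builderID string) (*Statement, error) {
	var p Provenance
	p.BuildDefinition.BuildType = "https://example.invalid/build-type/v1" // hypothetical buildType
	p.BuildDefinition.ExternalParameters = map[string]string{"repo": repoURI}
	p.BuildDefinition.ResolvedDependencies = []ResourceDesc{{
		URI:    repoURI,
		Digest: map[string]string{"gitCommit": commit}, // not "sha1"
	}}
	p.RunDetails.Builder.ID = builderID
	pred, err := json.Marshal(p)
	if err != nil {
		return nil, err
	}
	return &Statement{
		Type:          StatementV1,
		Subject:       []ResourceDesc{{Name: imageRef, Digest: map[string]string{"sha256": imageSHA256}}},
		PredicateType: SLSAProvenanceV1,
		Predicate:     pred,
	}, nil
}

// CheckStatement parses a serialized statement and reports the two defects discussed
// above: a SLSA v1 predicate inside a v0.1 envelope, and a git source whose digest is
// labelled sha1 rather than gitCommit. An empty result means both checks passed.
func CheckStatement(raw []byte) []string {
	var problems []string
	var s Statement
	if err := json.Unmarshal(raw, &s); err != nil {
		return []string{"unparseable statement: " + err.Error()}
	}
	if s.PredicateType == SLSAProvenanceV1 && s.Type != StatementV1 {
		problems = append(problems, fmt.Sprintf("SLSA v1 predicate wrapped in %q, want %q", s.Type, StatementV1))
	}
	var p Provenance
	if err := json.Unmarshal(s.Predicate, &p); err != nil {
		return append(problems, "unparseable predicate: "+err.Error())
	}
	for _, dep := range p.BuildDefinition.ResolvedDependencies {
		// Assumed heuristic for "this dependency is a git checkout": git+ scheme or .git suffix.
		isGit := strings.HasPrefix(dep.URI, "git+") || strings.HasSuffix(dep.URI, ".git")
		if _, ok := dep.Digest["sha1"]; ok && isGit {
			problems = append(problems, fmt.Sprintf("%s: git source digest uses sha1, want gitCommit", dep.URI))
		}
	}
	return problems
}
```

`CheckStatement` is deliberately tolerant of extra fields so it can be pointed at a real Chains attestation (after stripping the DSSE envelope) to see whether a given `artifacts.pipelinerun.format` produces the envelope and digest names the issues ask for.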
Created based on https://github.com/tektoncd/chains/pull/730#discussion_r1179481642 It is generally preferable to sign produced artifacts by the process which generated them in order to more clearly indicate the level of trust which can...
### Feature request Currently there are some fields which might be supported as per the code base, but are not included in the [config.md](https://github.com/tektoncd/chains/blob/main/docs/config.md) docs. Fields from [config.go](https://github.com/tektoncd/chains/blob/main/pkg/config/config.go) such as...
# Background One important field in SLSA provenance is [predicate.builder.builderID](https://slsa.dev/provenance/v0.2#builder). Chains does support setting this value via the configmap field named [builder.id](https://github.com/tektoncd/chains/blob/main/docs/config.md#in-toto-configuration), which is great and we'd like to keep...
This new version will now process the information from any associated StepAction from the executed PipelineRun. Also, the way chains reads results from PipelineRuns to populate the `subjects` field is...