
Work in progress - Add SLSA Provenance

Open matglas opened this issue 1 year ago • 0 comments

Implementation of #3121.

Open for feedback and input. These are some initial commits to add SLSA Provenance output based on in-toto attestations. I'm personally involved with the in-toto project.

The implementation is inspired by an implementation done in Witness: https://github.com/in-toto/go-witness/pull/149. This is one of the client implementations of in-toto attestations / SLSA Provenance by the in-toto project itself.

Example structure of SLSA Provenance

{
    // This is predefined
    "_type": "https://in-toto.io/Statement/v1",

    // This is predefined
    "predicateType": "https://slsa.dev/provenance/v1",

    // This follows a schema.
    "predicate": {

        "buildDefinition": {
            "buildType": "https://please.build/buildtypes/[email protected]",  // Implemented

            "externalParameters": {
                "profile": [".plzconfig.ci", ".plzconfig.local"],
                "targets": ["//foo:bar"],                                // Implemented
                "include": ["baz"],
                "exclude": ["pop"]
            },

            // Maybe put the final config in here.
            "internalParameters": {
                "version": "v17.8.5",  // Implemented
                "buildConfig": {
                    "build_id": "123456"
                },
                "buildEnv": {
                    "DOO": "tee"
                },
                "plugins": [{
                    "shell": {
                        "uri": "git+https://github.com/please-build/shell.git",
                        "digest": {
                            "gitCommit": "c27d339ee6075c1f744c5d4b200f7901aad2c369"
                        }
                    }
                }]
            },
            "resolvedDependencies": [
                {
                    "uri": "git+https://github.com/octocat/hello-world@refs/heads/main",
                    "digest": {
                        "gitCommit": "c27d339ee6075c1f744c5d4b200f7901aad2c369"
                    }
                },
                {
                    "uri": "https://github.com/actions/virtual-environments/releases/tag/ubuntu20/20220515.1"
                }
            ]
        },
        "runDetails": {
            "builder": {
                "id": "https://please.build/slsa-framework/slsa-level-1@refs/tags/v0.0.1"
            },

            // Optional. Maybe set the invocationId with a command argument.
            "metadata": {
                "invocationId": "https://ci.example.com/job/1",
                "startedOn": "2023-01-01T12:34:56Z",
                "finishedOn": "2023-01-01T12:44:56Z"
            }
        }
    },
    "subject": [
        {
            "name": "file://plz-out/gen/foo/bar.txt",
            "digest": {
                "sha256": "fe4fe40ac7250263c5dbe1cf3138912f3f416140aa248637a60d65fe22c47da4"
            }
        }
    ]
}

Todo

  • [ ] Implement Internal Parameters
  • [ ] Implement External Parameters
  • [ ] Implement resolved dependencies

matglas avatar May 08 '24 06:05 matglas
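As an added example (not code from this PR, from please, or from go-witness), the Go below shows the two halves of the structure sketched in the post: a builder emitting an in-toto Statement/v1 with a SLSA Provenance v1 predicate whose subject digest is the sha256 of the real output bytes, and a consumer re-hashing the artifact and rejecting it when the statement's `_type`, `predicateType` or digest do not match. The `Statement`/`Subject` struct names, the `NewProvenance`/`VerifySubject` functions and the `example.invalid` buildType URI are assumptions for the example, not identifiers the project defines.

```go
package main

import (
	"crypto/sha256"
	"encoding/json"
	"fmt"
)
const stmtType, slsaV1 = "https://in-toto.io/Statement/v1", "https://slsa.dev/provenance/v1"
// Subject is one built artifact, identified by name and digest.
type Subject struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"`
}
// Statement is an in-toto Statement/v1 wrapping a SLSA Provenance v1 predicate.
type Statement struct {
	Type          string         `json:"_type"`
	PredicateType string         `json:"predicateType"`
	Subject       []Subject      `json:"subject"`
	Predicate     map[string]any `json:"predicate"`
}
// NewProvenance records the requested targets and the sha256 of one output artifact.
func NewProvenance(targets []string, outName string, out []byte) Statement {
	return Statement{
		Type: stmtType, PredicateType: slsaV1,
		Subject: []Subject{{Name: outName, Digest: map[string]string{"sha256": fmt.Sprintf("%x", sha256.Sum256(out))}}},
		Predicate: map[string]any{"buildDefinition": map[string]any{
			"buildType":          "https://example.invalid/buildtypes/plz@v1", // placeholder, not a URI the project defines
			"externalParameters": map[string]any{"targets": targets},
		}},
	}
}
// VerifySubject parses a serialized statement and checks that the artifact still hashes
// to the digest recorded for it, so a modified artifact or statement is rejected.
func VerifySubject(raw []byte, outName string, out []byte) error {
	var s Statement
	if err := json.Unmarshal(raw, &s); err != nil {
		return err
	}
	if s.Type != stmtType || s.PredicateType != slsaV1 {
		return fmt.Errorf("unexpected _type %q or predicateType %q", s.Type, s.PredicateType)
	}
	want := fmt.Sprintf("%x", sha256.Sum256(out))
	for _, sub := range s.Subject {
		if sub.Name == outName && sub.Digest["sha256"] == want {
			return nil
		}
	}
	return fmt.Errorf("no subject %q with sha256 %s", outName, want)
}
```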