Expose SLSA source level from new verify-source task #2867
Merged
7 commits
662aec2 feat: add verify-source task for SLSA source verification (ralphbean)
3ace512 fix: add POC warning and fix CODEOWNERS for verify-source (ralphbean)
22c2542 feat: add GitHub token support to verify-source task (ralphbean)
4099f12 refactor: use env vars for token auth in verify-source (ralphbean)
999cf21 refactor: rename sourcetool to source-tool in verify-source (ralphbean)
901f833 refactor: parse VSA directly instead of log output (ralphbean)
c786f52 refactor: simplify VSA parsing script (ralphbean)
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,71 @@ | ||
| # verify-source task | ||
|
|
||
| The verify-source Task verifies the SLSA source level of a git commit | ||
| by checking for a Verification Summary Attestation (VSA) stored as a | ||
| git note. The task fetches git notes from the repository and parses | ||
| the VSA to extract the verified SLSA source level. | ||
|
|
||
| WARNING: This task relies on VSAs generated by source-tool | ||
| (https://github.com/slsa-framework/source-tool) which is currently a | ||
| proof-of-concept and under active development. It should not be used in | ||
| production environments. It supports GitHub and GitLab repositories, | ||
| and may encounter API rate limits without authentication. | ||
|
|
||
|
|
||
| ## Parameters | ||
| |name|description|default value|required| | ||
| |---|---|---|---| | ||
| |url|Repository URL to verify.||true| | ||
| |revision|Commit SHA to verify.||true| | ||
|
|
||
| ## Results | ||
| |name|description| | ||
| |---|---| | ||
| |SLSA_SOURCE_LEVEL_ACHIEVED|The SLSA source level achieved by this commit| | ||
| |TEST_OUTPUT|JSON formatted test results for SLSA verification| | ||
|
|
||
| ## Workspaces | ||
| |name|description|optional| | ||
| |---|---|---| | ||
| |basic-auth|A Workspace containing a token file for API authentication. The workspace should contain a file named 'token' with a GitHub personal access token, GitLab personal access token, or other authentication token. The task will automatically set the appropriate environment variable (GITHUB_TOKEN or GITLAB_TOKEN) based on the repository host. This is used to avoid rate limiting when accessing the API. Binding a Secret to this Workspace is strongly recommended over other volume types. |true| | ||
|
|
||
| ## Additional info | ||
|
|
||
| ### API Authentication | ||
|
|
||
| To avoid API rate limits, you can provide an authentication token via the `basic-auth` workspace. The task automatically detects the repository host and sets the appropriate environment variable (`GITHUB_TOKEN` for GitHub, `GITLAB_TOKEN` for GitLab). | ||
|
|
||
| **Create a secret with your token:** | ||
|
|
||
| ```bash | ||
| # For GitHub | ||
| kubectl create secret generic git-token \ | ||
| --from-literal=token=ghp_yourGitHubTokenHere | ||
|
|
||
| # For GitLab | ||
| kubectl create secret generic git-token \ | ||
| --from-literal=token=glpat-yourGitLabTokenHere | ||
| ``` | ||
|
|
||
| **Use the secret in your pipeline:** | ||
|
|
||
| ```yaml | ||
| apiVersion: tekton.dev/v1 | ||
| kind: TaskRun | ||
| metadata: | ||
| name: verify-source-example | ||
| spec: | ||
| taskRef: | ||
| name: verify-source | ||
| params: | ||
| - name: url | ||
| value: https://github.com/slsa-framework/source-tool | ||
| - name: revision | ||
| value: 134593d9158efd253e979e2e8d87b939945d091e | ||
| workspaces: | ||
| - name: basic-auth | ||
| secret: | ||
| secretName: git-token | ||
| ``` | ||
|
|
||
| The task will automatically detect the `token` file in the workspace and set the appropriate environment variable based on the repository URL. |
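Review bot: The `kubectl create secret generic git-token --from-literal=token=ghp_yourGitHubTokenHere` example in the API Authentication section puts the token on the command line, where it is recorded in shell history and visible to other local users via the process list; suggest documenting `--from-file=token=/path/to/token-file` (or piping a Secret manifest into `kubectl apply -f -`) for both the GitHub and GitLab variants instead. The Workspaces table also says the `token` file may hold a GitHub token, a GitLab token "or other authentication token", yet the text only describes setting `GITHUB_TOKEN` or `GITLAB_TOKEN`; the README should state what the task does when the host is neither (ignore the token, or fail), since a silently ignored token just resurfaces as the rate-limit failure this section is meant to prevent. Finally, `TEST_OUTPUT` is described only as "JSON formatted test results"; listing its fields (the tests in this PR grep for a `warnings` count) would let pipeline authors consume it without reverse-engineering the schema.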
68 changes: 68 additions & 0 deletions
task/verify-source/0.1/tests/test-verify-source-no-vsa.yaml
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,68 @@ | ||
| --- | ||
| apiVersion: tekton.dev/v1 | ||
| kind: Pipeline | ||
| metadata: | ||
| name: test-verify-source-no-vsa | ||
| spec: | ||
| description: | | ||
| Test the verify-source task with a repository that has no VSA | ||
| tasks: | ||
| - name: run-task | ||
| taskRef: | ||
| name: verify-source | ||
| params: | ||
| - name: url | ||
| value: https://github.com/kelseyhightower/nocode | ||
| - name: revision | ||
| value: ed6c73fc16578ec53ea374585df2b965ce9f4a31 | ||
| - name: check-result | ||
| params: | ||
| - name: SLSA_SOURCE_LEVEL_ACHIEVED | ||
| value: $(tasks.run-task.results.SLSA_SOURCE_LEVEL_ACHIEVED) | ||
| - name: TEST_OUTPUT | ||
| value: $(tasks.run-task.results.TEST_OUTPUT) | ||
| taskSpec: | ||
| params: | ||
| - name: SLSA_SOURCE_LEVEL_ACHIEVED | ||
| - name: TEST_OUTPUT | ||
| steps: | ||
| - name: check-result | ||
| env: | ||
| - name: SLSA_LEVEL_ACHIEVED | ||
| value: $(params.SLSA_SOURCE_LEVEL_ACHIEVED) | ||
| - name: TEST_OUTPUT | ||
| value: $(params.TEST_OUTPUT) | ||
| image: quay.io/konflux-ci/appstudio-utils:1610c1fc4cfc9c9053dbefc1146904a4df6659ef@sha256:90ac97b811073cb99a23232c15a08082b586c702b85da6200cf54ef505e3c50c | ||
| script: | | ||
| #!/usr/bin/env sh | ||
| set -eux | ||
|
|
||
| # Strip trailing newlines from results | ||
| LEVEL=$(echo "$SLSA_LEVEL_ACHIEVED" | tr -d '\n') | ||
| OUTPUT=$(echo "$TEST_OUTPUT" | tr -d '\n') | ||
|
|
||
| echo "SLSA_SOURCE_LEVEL_ACHIEVED: $LEVEL" | ||
| echo "TEST_OUTPUT: $OUTPUT" | ||
|
|
||
| # For repos without VSA, verify SLSA level is 1 (baseline) | ||
| if [ "$LEVEL" != "SLSA_SOURCE_LEVEL_1" ]; then | ||
| echo "ERROR: Expected SLSA_SOURCE_LEVEL_1 for repo without VSA, got: $LEVEL" | ||
| exit 1 | ||
| fi | ||
|
|
||
| # Verify that TEST_OUTPUT is non-empty | ||
| if [ -z "$OUTPUT" ]; then | ||
| echo "ERROR: TEST_OUTPUT is empty" | ||
| exit 1 | ||
| fi | ||
|
|
||
| # Verify that there is at least one warning (no VSA found) | ||
| WARNINGS=$(echo "$OUTPUT" | grep -o '"warnings": [0-9]*' | grep -o '[0-9]*' || echo "0") | ||
| if [ "$WARNINGS" -eq 0 ]; then | ||
| echo "ERROR: Expected at least one warning for repo without VSA" | ||
| exit 1 | ||
| fi | ||
|
|
||
| echo "SUCCESS: No-VSA verification test passed - correctly identified repo without VSA" | ||
| runAfter: | ||
| - run-task |
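Review bot: The warning count in the check-result script, `grep -o '"warnings": [0-9]*' | grep -o '[0-9]*' || echo "0"`, is brittle in two ways: it only matches when the JSON has exactly one space after the colon, so compact output (`"warnings":1`) or a re-indented result is silently read as 0 and the test fails with the misleading "Expected at least one warning" message instead of a parse error; and if the pattern matches more than once, `$WARNINGS` becomes multi-line and `[ "$WARNINGS" -eq 0 ]` aborts with an integer-expression error under `set -e`. Suggest `jq -r '.warnings'` if the appstudio-utils image provides it, and otherwise distinguishing "field not found" from "zero" explicitly before the numeric comparison, e.g. `[ -z "$WARNINGS" ] && { echo "ERROR: no warnings field in TEST_OUTPUT"; exit 1; }`. Separately, the negative case depends on the external `kelseyhightower/nocode` repository continuing to have no VSA note; a fixture repository controlled by this project would make it deterministic.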
61 changes: 61 additions & 0 deletions
task/verify-source/0.1/tests/test-verify-source-with-vsa.yaml
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,61 @@ | ||
| --- | ||
| apiVersion: tekton.dev/v1 | ||
| kind: Pipeline | ||
| metadata: | ||
| name: test-verify-source-with-vsa | ||
| spec: | ||
| description: | | ||
| Test the verify-source task with SLSA source verification | ||
| tasks: | ||
| - name: run-task | ||
| taskRef: | ||
| name: verify-source | ||
| params: | ||
| - name: url | ||
| value: https://github.com/slsa-framework/source-tool | ||
| - name: revision | ||
| value: 134593d9158efd253e979e2e8d87b939945d091e | ||
| - name: check-result | ||
| params: | ||
| - name: SLSA_SOURCE_LEVEL_ACHIEVED | ||
| value: $(tasks.run-task.results.SLSA_SOURCE_LEVEL_ACHIEVED) | ||
| - name: TEST_OUTPUT | ||
| value: $(tasks.run-task.results.TEST_OUTPUT) | ||
| taskSpec: | ||
| params: | ||
| - name: SLSA_SOURCE_LEVEL_ACHIEVED | ||
| - name: TEST_OUTPUT | ||
| steps: | ||
| - name: check-result | ||
| env: | ||
| - name: SLSA_LEVEL_ACHIEVED | ||
| value: $(params.SLSA_SOURCE_LEVEL_ACHIEVED) | ||
| - name: TEST_OUTPUT | ||
| value: $(params.TEST_OUTPUT) | ||
| image: quay.io/konflux-ci/appstudio-utils:1610c1fc4cfc9c9053dbefc1146904a4df6659ef@sha256:90ac97b811073cb99a23232c15a08082b586c702b85da6200cf54ef505e3c50c | ||
| script: | | ||
| #!/usr/bin/env sh | ||
| set -eux | ||
|
|
||
| # Strip trailing newlines from results | ||
| LEVEL=$(echo "$SLSA_LEVEL_ACHIEVED" | tr -d '\n') | ||
| OUTPUT=$(echo "$TEST_OUTPUT" | tr -d '\n') | ||
|
|
||
| echo "SLSA_SOURCE_LEVEL_ACHIEVED: $LEVEL" | ||
| echo "TEST_OUTPUT: $OUTPUT" | ||
|
|
||
| # Verify that SLSA level is 3 (extracted from VSA) | ||
| if [ "$LEVEL" != "SLSA_SOURCE_LEVEL_3" ]; then | ||
| echo "ERROR: Expected SLSA_SOURCE_LEVEL_3 from slsa-framework/source-tool repo VSA, got: $LEVEL" | ||
| exit 1 | ||
| fi | ||
|
|
||
| # Verify that TEST_OUTPUT is non-empty | ||
| if [ -z "$OUTPUT" ]; then | ||
| echo "ERROR: TEST_OUTPUT is empty" | ||
| exit 1 | ||
| fi | ||
|
|
||
| echo "SUCCESS: SLSA verification test passed" | ||
| runAfter: | ||
| - run-task | ||
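Review bot: The positive test pins `revision` to commit 134593d9158efd253e979e2e8d87b939945d091e of slsa-framework/source-tool and asserts exactly `SLSA_SOURCE_LEVEL_3`, but the VSA this task reads lives in a git note and notes refs are mutable: the commit SHA pins the source, not the attestation, so the maintainers of that repository can rewrite or drop the note and break this test, and the README in this same PR describes source-tool as a proof-of-concept under active development. Suggest either a fixture repository this project controls or a comment in the pipeline recording that the expected level depends on external state. Two smaller points: unlike the no-VSA test, this one never inspects `TEST_OUTPUT` beyond non-emptiness, so asserting that it reports zero warnings (or whatever success indicator the task emits) would make the positive case meaningfully stronger; and the `check-result` taskSpec is copied verbatim from test-verify-source-no-vsa.yaml, so the shared newline-stripping and echo logic could live in one place.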
Consider not removing the newline here - I think we want the Task to return a newline-less result and the test should verify that