slsa_in_toto.md

File metadata and controls

70 lines (62 loc) · 2.5 KB

# SLSA (in-toto style)

## Webhook endpoint

Targets are new commits, branches, tags, and their CI/CD (status check) results.

The following is a demo of Bob receiving a GitHub push webhook via GitHubWebhookNotaryMiddleware. The SCITT instance hashes the corresponding tar.gz archive of the repo and submits in-toto style SLSA evidence as the statement payload to Bob's append-only log. Alice's instance receives events from Bob's via federation. Her instance (TODO: evaluate against policy, shouldi?) determines that the statement is worthy of inclusion in her append-only log and issues a statement and receipt for her TS. This follows the S2C2F ING-4 pattern.

[asciicast: hash of the tar.gz archive]

Statement with the in-toto test-result predicate:

```json
{
  "_type": "https://in-toto.io/Statement/v1",
  "subject": [
    {
      "name": "<NAME>",
      "digest": {"<ALGORITHM>": "<HEX_VALUE>"}
    },
    ...
  ],
  "predicateType": "https://in-toto.io/attestation/test-result/v0.1",
  "predicate": {
    "result": "PASSED|WARNED|FAILED",
    "configuration": ["<ResourceDescriptor>", ...],
    "url": "<URL>",
    "passedTests": ["<TEST_NAME>", ...],
    "warnedTests": ["<TEST_NAME>", ...],
    "failedTests": ["<TEST_NAME>", ...]
  }
}
```

Statement with an SPDX document predicate:

```json
{
  "_type": "https://in-toto.io/Statement/v1",
  "subject": [
    {
      "name": "<NAME>",
      "digest": {"<ALGORITHM>": "<HEX_VALUE>"}
    },
    ...
  ],
  "predicateType": "https://spdx.dev/Document/v2.3",
  "predicate": {
    "SPDXID": "SPDXRef-DOCUMENT",
    "spdxVersion": "SPDX-2.3",
    ...
  }
}
```
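The flow above (hash the pushed repo's tar.gz, wrap the status-check results in a test-result statement, then have the receiving instance decide on inclusion) as an added example; this is not code from the repo, and the archive, check names and the inclusion rule are constructed assumptions standing in for the webhook payload and the TODO policy step.

```python
import hashlib
import io
import tarfile

STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
TEST_RESULT_PREDICATE = "https://in-toto.io/attestation/test-result/v0.1"


def build_sample_archive() -> bytes:
    """Constructed stand-in for the GitHub tar.gz archive of the pushed commit."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        data = b"print('hello')\n"
        info = tarfile.TarInfo(name="repo-abc123/main.py")  # hypothetical path
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def archive_digest(archive: bytes) -> str:
    """Digest the archive bytes exactly as the instance does before notarising."""
    return hashlib.sha256(archive).hexdigest()


def make_test_result_statement(subject_name: str, archive: bytes, checks: dict) -> dict:
    """Bob's side: in-toto v1 Statement whose subject is the archive digest and whose
    predicate is the test-result attestation built from status checks (name -> passed?)."""
    passed = [name for name, ok in checks.items() if ok]
    failed = [name for name, ok in checks.items() if not ok]
    return {
        "_type": STATEMENT_TYPE,
        "subject": [{"name": subject_name, "digest": {"sha256": archive_digest(archive)}}],
        "predicateType": TEST_RESULT_PREDICATE,
        "predicate": {
            "result": "FAILED" if failed else "PASSED",
            "configuration": [],  # ResourceDescriptors for the CI config would go here
            "url": "https://example.invalid/checks/PLACEHOLDER",  # placeholder URL
            "passedTests": passed,
            "warnedTests": [],
            "failedTests": failed,
        },
    }


def policy_should_include(statement: dict, archive: bytes) -> bool:
    """Alice's side (assumed rule for the TODO policy step): accept only a v1 test-result
    statement whose every subject digest matches the archive she fetched herself and
    whose checks all passed; a digest mismatch means the subject was not what Bob hashed."""
    if statement.get("_type") != STATEMENT_TYPE or statement.get("predicateType") != TEST_RESULT_PREDICATE:
        return False
    expected = archive_digest(archive)
    if any(s.get("digest", {}).get("sha256") != expected for s in statement.get("subject", [])):
        return False
    pred = statement.get("predicate", {})
    return pred.get("result") == "PASSED" and not pred.get("failedTests")
```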