Commit Graph

321 Commits

Author SHA1 Message Date
mrjoelkamp
84c0b116a7 feat: add verifier version to vsa 2024-10-16 12:01:31 -05:00
dependabot[bot]
e39a4ea9f3 feat(deps): bump google.golang.org/api from 0.200.0 to 0.201.0 (#197)
Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client) from 0.200.0 to 0.201.0.
- [Release notes](https://github.com/googleapis/google-api-go-client/releases)
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-api-go-client/compare/v0.200.0...v0.201.0)

---
updated-dependencies:
- dependency-name: google.golang.org/api
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-10-16 10:13:11 +01:00
James Carnegie
da667de610 feat: support arbitrary rego input parameters (#196)
* feat: support arbitrary rego input parameters
v0.6.6
2024-10-15 16:07:26 +01:00
Joel Kamp
7027d2d054 Merge pull request #188 from docker/dependabot/go_modules/github.com/sigstore/cosign/v2-2.4.1
feat(deps): bump github.com/sigstore/cosign/v2 from 2.4.0 to 2.4.1
2024-10-15 09:37:02 -05:00
mrjoelkamp
163c1828e3 chore: go mod tidy 2024-10-15 09:28:32 -05:00
dependabot[bot]
168a574c15 feat(deps): bump github.com/sigstore/cosign/v2 from 2.4.0 to 2.4.1
Bumps [github.com/sigstore/cosign/v2](https://github.com/sigstore/cosign) from 2.4.0 to 2.4.1.
- [Release notes](https://github.com/sigstore/cosign/releases)
- [Changelog](https://github.com/sigstore/cosign/blob/main/CHANGELOG.md)
- [Commits](https://github.com/sigstore/cosign/compare/v2.4.0...v2.4.1)

---
updated-dependencies:
- dependency-name: github.com/sigstore/cosign/v2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-10-15 14:27:14 +00:00
Joel Kamp
ad2f8befa2 Merge pull request #195 from docker/dependabot/go_modules/google.golang.org/api-0.200.0
feat(deps): bump google.golang.org/api from 0.199.0 to 0.200.0
2024-10-15 08:53:56 -05:00
dependabot[bot]
8460357880 feat(deps): bump google.golang.org/api from 0.199.0 to 0.200.0
Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client) from 0.199.0 to 0.200.0.
- [Release notes](https://github.com/googleapis/google-api-go-client/releases)
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-api-go-client/compare/v0.199.0...v0.200.0)

---
updated-dependencies:
- dependency-name: google.golang.org/api
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-10-15 13:44:46 +00:00
Joel Kamp
994240018e Merge pull request #187 from docker/dependabot/go_modules/github.com/containerd/containerd/v2-2.0.0-rc.5
feat(deps): bump github.com/containerd/containerd/v2 from 2.0.0-rc.4 to 2.0.0-rc.5
2024-10-15 08:42:03 -05:00
Joel Kamp
5c51ee7c19 Merge pull request #194 from docker/dependabot/go_modules/github.com/aws/aws-sdk-go-v2/config-1.27.43
feat(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.27.39 to 1.27.43
2024-10-15 08:36:49 -05:00
Joel Kamp
8ae43ba5e9 Merge branch 'main' into dependabot/go_modules/github.com/containerd/containerd/v2-2.0.0-rc.5 2024-10-15 08:33:48 -05:00
dependabot[bot]
ec659e62cd feat(deps): bump github.com/aws/aws-sdk-go-v2/config
Bumps [github.com/aws/aws-sdk-go-v2/config](https://github.com/aws/aws-sdk-go-v2) from 1.27.39 to 1.27.43.
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/config/v1.27.39...config/v1.27.43)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go-v2/config
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-10-09 08:42:48 +00:00
Joel Kamp
2d7f6cae3c Merge pull request #191 from docker/feat-vsa-input-attestations
feat: vsa input attestations
2024-10-08 08:30:06 -05:00
mrjoelkamp
a686de72fd feat: add input atts to result summary 2024-10-07 15:07:21 -05:00
mrjoelkamp
d58ce0c600 feat: add reference wrapper for envelope 2024-10-07 13:34:04 -05:00
dependabot[bot]
bf33de5b48 feat(deps): bump github.com/theupdateframework/go-tuf/v2 (#186)
Bumps [github.com/theupdateframework/go-tuf/v2](https://github.com/theupdateframework/go-tuf) from 2.0.1 to 2.0.2.
- [Release notes](https://github.com/theupdateframework/go-tuf/releases)
- [Changelog](https://github.com/theupdateframework/go-tuf/blob/master/.goreleaser.yaml)
- [Commits](https://github.com/theupdateframework/go-tuf/compare/v2.0.1...v2.0.2)

---
updated-dependencies:
- dependency-name: github.com/theupdateframework/go-tuf/v2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
v0.6.5
2024-10-02 10:05:46 +01:00
dependabot[bot]
b8ca85152d feat(deps): bump github.com/containerd/containerd/v2
Bumps [github.com/containerd/containerd/v2](https://github.com/containerd/containerd) from 2.0.0-rc.4 to 2.0.0-rc.5.
- [Release notes](https://github.com/containerd/containerd/releases)
- [Changelog](https://github.com/containerd/containerd/blob/main/RELEASES.md)
- [Commits](https://github.com/containerd/containerd/compare/v2.0.0-rc.4...v2.0.0-rc.5)

---
updated-dependencies:
- dependency-name: github.com/containerd/containerd/v2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-10-02 08:36:57 +00:00
Joel Kamp
e06d8736df Merge pull request #182 from docker/dependabot/go_modules/github.com/aws/aws-sdk-go-v2/config-1.27.39
feat(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.27.38 to 1.27.39
v0.6.4
2024-10-01 16:02:00 -05:00
Joel Kamp
fcf98ebc3f Merge branch 'main' into dependabot/go_modules/github.com/aws/aws-sdk-go-v2/config-1.27.39 2024-10-01 15:46:46 -05:00
Joel Kamp
acd8d427a1 Merge pull request #185 from docker/dependabot/go_modules/github.com/open-policy-agent/opa-0.69.0
feat(deps): bump github.com/open-policy-agent/opa from 0.68.0 to 0.69.0
2024-10-01 15:46:34 -05:00
Joel Kamp
f2f13933df Merge branch 'main' into dependabot/go_modules/github.com/open-policy-agent/opa-0.69.0 2024-10-01 15:42:13 -05:00
Joel Kamp
503410bb7b Merge pull request #184 from docker/dependabot/go_modules/github.com/theupdateframework/go-tuf/v2-2.0.1
feat(deps): bump github.com/theupdateframework/go-tuf/v2 from 2.0.0 to 2.0.1
2024-10-01 15:41:54 -05:00
dependabot[bot]
ac04e8a9ea feat(deps): bump github.com/open-policy-agent/opa from 0.68.0 to 0.69.0
Bumps [github.com/open-policy-agent/opa](https://github.com/open-policy-agent/opa) from 0.68.0 to 0.69.0.
- [Release notes](https://github.com/open-policy-agent/opa/releases)
- [Changelog](https://github.com/open-policy-agent/opa/blob/main/CHANGELOG.md)
- [Commits](https://github.com/open-policy-agent/opa/compare/v0.68.0...v0.69.0)

---
updated-dependencies:
- dependency-name: github.com/open-policy-agent/opa
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-10-01 08:30:48 +00:00
dependabot[bot]
e3927acf17 feat(deps): bump github.com/theupdateframework/go-tuf/v2
Bumps [github.com/theupdateframework/go-tuf/v2](https://github.com/theupdateframework/go-tuf) from 2.0.0 to 2.0.1.
- [Release notes](https://github.com/theupdateframework/go-tuf/releases)
- [Changelog](https://github.com/theupdateframework/go-tuf/blob/master/.goreleaser.yaml)
- [Commits](https://github.com/theupdateframework/go-tuf/compare/v2.0.0...v2.0.1)

---
updated-dependencies:
- dependency-name: github.com/theupdateframework/go-tuf/v2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-10-01 08:30:33 +00:00
James Carnegie
c0510fb76c Support images as well as indexes in ImageDetailResolvers (#183)
* build: Generate test data for unsigned and no provenance image indexes
* feat: Add function to build index without SBOM or provenance for linux/amd64 platform
* feat: add build_image function to build image without SBOM or provenance for linux/amd64
* feat: Rename NO_SBOM_NO_PROVENANCE_INDEX_DIR to UNSIGNED_IMAGE_DIR
* feat: support images in details resolvers
v0.6.3
2024-09-30 20:53:13 +01:00
dependabot[bot]
251506fd9b feat(deps): bump github.com/aws/aws-sdk-go-v2/config
Bumps [github.com/aws/aws-sdk-go-v2/config](https://github.com/aws/aws-sdk-go-v2) from 1.27.38 to 1.27.39.
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/config/v1.27.38...config/v1.27.39)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go-v2/config
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-09-30 08:47:36 +00:00
dependabot[bot]
5e16b97e02 feat(deps): bump google.golang.org/api from 0.198.0 to 0.199.0 (#181)
Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client) from 0.198.0 to 0.199.0.
- [Release notes](https://github.com/googleapis/google-api-go-client/releases)
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-api-go-client/compare/v0.198.0...v0.199.0)

---
updated-dependencies:
- dependency-name: google.golang.org/api
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
v0.6.2
2024-09-27 15:11:28 +01:00
dependabot[bot]
0ff28b2deb feat(deps): bump github.com/aws/aws-sdk-go-v2/config (#180)
Bumps [github.com/aws/aws-sdk-go-v2/config](https://github.com/aws/aws-sdk-go-v2) from 1.27.35 to 1.27.38.
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/config/v1.27.35...config/v1.27.38)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go-v2/config
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-09-27 15:05:53 +01:00
Jonny Stoten
4ca962b70c Add function for parsing DOI definition files (#172)
Add a Rego builtin called `attest.internals.parse_library_definition`
for parsing the DOI definition files in
https://github.com/docker-library/official-images/tree/master/library.
This will allow us to verify DOI provenance fields against these files
which are the source of truth for DOI images.

This function just defers to
https://github.com/docker-library/bashbrew/blob/master/manifest/rfc2822.go.
2024-09-27 12:32:24 +01:00
Joel Kamp
2a4bef091e Merge pull request #179 from docker/fix-sign-unsigned-statements
fix: only sign statements
2024-09-26 10:02:41 -05:00
mrjoelkamp
bb0843cd51 fix: only sign statements 2024-09-24 15:12:46 -05:00
David Dooling
203577e965 Remove long-term aspiration from README (#174) 2024-09-20 09:06:02 -05:00
James Carnegie
a98604bdd5 chore: add rekor prod TUF system test (#176) 2024-09-20 11:02:36 +01:00
dependabot[bot]
02b8063d71 feat(deps): bump google.golang.org/api from 0.197.0 to 0.198.0 (#175)
Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client) from 0.197.0 to 0.198.0.
- [Release notes](https://github.com/googleapis/google-api-go-client/releases)
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-api-go-client/compare/v0.197.0...v0.198.0)

---
updated-dependencies:
- dependency-name: google.golang.org/api
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-09-20 10:01:47 +01:00
Joel Kamp
dcf5c578dd Merge pull request #173 from docker/feat-support-containerd-subject-annotations
feat: support containerd subject annotations
v0.6.1
2024-09-19 16:03:32 -05:00
mrjoelkamp
0378c94226 test: make test layouts smaller 2024-09-19 15:36:20 -05:00
mrjoelkamp
fd4e741a1f feat: support containerd subject annotations 2024-09-19 15:10:56 -05:00
James Carnegie
2ace988b1c chore: add test for RegoFnOpts (#171) v0.6.0 2024-09-19 13:54:10 +01:00
dependabot[bot]
be7a17f214 feat(deps): bump github.com/sigstore/sigstore from 1.8.8 to 1.8.9 (#169)
Bumps [github.com/sigstore/sigstore](https://github.com/sigstore/sigstore) from 1.8.8 to 1.8.9.
- [Release notes](https://github.com/sigstore/sigstore/releases)
- [Commits](https://github.com/sigstore/sigstore/compare/v1.8.8...v1.8.9)

---
updated-dependencies:
- dependency-name: github.com/sigstore/sigstore
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-09-19 11:24:30 +01:00
dependabot[bot]
1a49b5c068 chore(deps): bump actions/create-github-app-token from 1.10.4 to 1.11.0 (#164)
Bumps [actions/create-github-app-token](https://github.com/actions/create-github-app-token) from 1.10.4 to 1.11.0.
- [Release notes](https://github.com/actions/create-github-app-token/releases)
- [Commits](3378cda945...5d869da34e)

---
updated-dependencies:
- dependency-name: actions/create-github-app-token
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-09-19 11:18:57 +01:00
James Carnegie
3e82338649 refactor: remove explicit closures. expose rego fns (#170) 2024-09-19 11:04:00 +01:00
James Carnegie
4a70e5ae36 Add platform filtering support to mapping.yml (#167)
* chore!: rename package config -> mapping
* feat: add platform filtering support to mapping.yml
2024-09-18 21:11:55 +01:00
James Carnegie
05caa959c4 Use a Factory to create signature verifiers at policy evaluation time (#165)
* Make verifiers composable

* fix: remove unused code and improve signature verification logic

* fix: simplify abstractions and renamed some things

* fix: improve tl interface.

* fix: sort out signer/verifier
2024-09-18 13:34:10 +01:00
dependabot[bot]
5335a56da1 feat(deps): bump github.com/aws/aws-sdk-go-v2/config (#168)
Bumps [github.com/aws/aws-sdk-go-v2/config](https://github.com/aws/aws-sdk-go-v2) from 1.27.33 to 1.27.35.
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/config/v1.27.33...config/v1.27.35)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go-v2/config
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-09-18 09:43:50 +01:00
Jonny Stoten
7fffbf9d3f Suppress logs from ecr credential helper (#163)
This gets rid of those annoying logs like:

```
time="2024-09-11T15:22:04Z" level=error msg="Error parsing the serverURL" error="docker-credential-ecr-login can only be used with Amazon Elastic Container Registry." serverURL="localhost:5000"
time="2024-09-11T15:22:04Z" level=error msg="Error parsing the serverURL" error="docker-credential-ecr-login can only be used with Amazon Elastic Container Registry." serverURL="localhost:5000"
time="2024-09-11T15:22:04Z" level=error msg="Error parsing the serverURL" error="docker-credential-ecr-login can only be used with Amazon Elastic Container Registry." serverURL="localhost:5000"
time="2024-09-11T15:22:04Z" level=error msg="Error parsing the serverURL" error="docker-credential-ecr-login can only be used with Amazon Elastic Container Registry." serverURL="localhost:5000"
```
v0.5.2
2024-09-11 16:36:28 +01:00
dependabot[bot]
070fa33d0d feat(deps): bump google.golang.org/api from 0.196.0 to 0.197.0 (#162)
Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client) from 0.196.0 to 0.197.0.
- [Release notes](https://github.com/googleapis/google-api-go-client/releases)
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-api-go-client/compare/v0.196.0...v0.197.0)

---
updated-dependencies:
- dependency-name: google.golang.org/api
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-09-11 12:27:09 +01:00
Jonny Stoten
602295492f fix: regexes for autolabeler (#160)
* Fix regexes for autolabeler

* Remove branch autolabeler rules
2024-09-10 21:02:05 +01:00
Jonny Stoten
6edcc3d5d7 Test on Go 1.23 as well (#161) 2024-09-10 17:40:43 +01:00
Jonny Stoten
c029bcfbaa feat: add a prefix path to TUF client (#159)
This is to allow us to store new policy files in the production TUF repository
under a testing delegation, and for clients to opt-in to using this testing
delegation when retrieving policy from TUF.

If the prefix path is set, it is prepended to every target path on download
with path.Join. For example, if the prefix path is testing and we download
the target a/b, the TUF client will actually download testing/a/b.

Also get the latest testdata from tuf-dev.
2024-09-10 17:40:20 +01:00
James Carnegie
206b33c5d9 fix: expose version and user agent to consumers (#158) v0.5.1 2024-09-09 12:08:01 -05:00