docker/attest
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
296 Commits 1 Branch 35 Tags
c0510fb76c20185493c1d70c404cd15aa97bc69b
Commit Graph

296 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
James Carnegie
c0510fb76c Support images as well as indexes in ImageDetailResolvers (#183) 
* build: Generate test data for unsigned and no provenance image indexes
* feat: Add function to build index without SBOM or provenance for linux/amd64 platform
* feat: add build_image function to build image without SBOM or provenance for linux/amd64
* feat: Rename NO_SBOM_NO_PROVENANCE_INDEX_DIR to UNSIGNED_IMAGE_DIR
* feat: support images in details resolvers
v0.6.3 		2024-09-30 20:53:13 +01:00
dependabot[bot]
5e16b97e02 feat(deps): bump google.golang.org/api from 0.198.0 to 0.199.0 (#181) 
Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client) from 0.198.0 to 0.199.0.
- [Release notes](https://github.com/googleapis/google-api-go-client/releases)
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-api-go-client/compare/v0.198.0...v0.199.0)

---
updated-dependencies:
- dependency-name: google.golang.org/api
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
v0.6.2 		2024-09-27 15:11:28 +01:00
dependabot[bot]
0ff28b2deb feat(deps): bump github.com/aws/aws-sdk-go-v2/config (#180) 
Bumps [github.com/aws/aws-sdk-go-v2/config](https://github.com/aws/aws-sdk-go-v2) from 1.27.35 to 1.27.38.
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/config/v1.27.35...config/v1.27.38)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go-v2/config
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2024-09-27 15:05:53 +01:00
Jonny Stoten
4ca962b70c Add function for parsing DOI definition files (#172) 
Add a Rego builtin called `attest.internals.parse_library_definition`
for parsing the DOI definition files in
https://github.com/docker-library/official-images/tree/master/library.
This will allow us to verify DOI provenance fields against these files
which are the source of truth for DOI images.

This function just defers to
https://github.com/docker-library/bashbrew/blob/master/manifest/rfc2822.go.
 2024-09-27 12:32:24 +01:00
Joel Kamp
2a4bef091e Merge pull request #179 from docker/fix-sign-unsigned-statements 
fix: only sign statements
 2024-09-26 10:02:41 -05:00
mrjoelkamp
bb0843cd51 fix: only sign statements 2024-09-24 15:12:46 -05:00
David Dooling
203577e965 Remove long-term aspiration from README (#174) 2024-09-20 09:06:02 -05:00
James Carnegie
a98604bdd5 chore: add rekor prod TUF system test (#176) 2024-09-20 11:02:36 +01:00
dependabot[bot]
02b8063d71 feat(deps): bump google.golang.org/api from 0.197.0 to 0.198.0 (#175) 
Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client) from 0.197.0 to 0.198.0.
- [Release notes](https://github.com/googleapis/google-api-go-client/releases)
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-api-go-client/compare/v0.197.0...v0.198.0)

---
updated-dependencies:
- dependency-name: google.golang.org/api
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2024-09-20 10:01:47 +01:00
Joel Kamp
dcf5c578dd Merge pull request #173 from docker/feat-support-containerd-subject-annotations 
feat: support containerd subject annotations
v0.6.1 		2024-09-19 16:03:32 -05:00
mrjoelkamp
0378c94226 test: make test layouts smaller 2024-09-19 15:36:20 -05:00
mrjoelkamp
fd4e741a1f feat: support containerd subject annotations 2024-09-19 15:10:56 -05:00
James Carnegie
2ace988b1c chore: add test for RegoFnOpts (#171) v0.6.0 2024-09-19 13:54:10 +01:00
dependabot[bot]
be7a17f214 feat(deps): bump github.com/sigstore/sigstore from 1.8.8 to 1.8.9 (#169) 
Bumps [github.com/sigstore/sigstore](https://github.com/sigstore/sigstore) from 1.8.8 to 1.8.9.
- [Release notes](https://github.com/sigstore/sigstore/releases)
- [Commits](https://github.com/sigstore/sigstore/compare/v1.8.8...v1.8.9)

---
updated-dependencies:
- dependency-name: github.com/sigstore/sigstore
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2024-09-19 11:24:30 +01:00
dependabot[bot]
1a49b5c068 chore(deps): bump actions/create-github-app-token from 1.10.4 to 1.11.0 (#164) 
Bumps [actions/create-github-app-token](https://github.com/actions/create-github-app-token) from 1.10.4 to 1.11.0.
- [Release notes](https://github.com/actions/create-github-app-token/releases)
- [Commits](3378cda945...5d869da34e)

---
updated-dependencies:
- dependency-name: actions/create-github-app-token
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2024-09-19 11:18:57 +01:00
James Carnegie
3e82338649 refactor: remove explicit closures. expose rego fns (#170) 2024-09-19 11:04:00 +01:00
James Carnegie
4a70e5ae36 Add platform filtering support to mapping.yml (#167) 
* chore!: rename package config -> mapping
* feat: add platform filtering support to mapping.yml
 2024-09-18 21:11:55 +01:00
James Carnegie
05caa959c4 Use a Factory to create signature verifiers at policy evaluation time (#165) 
* Make verifiers composable

* fix: remove unused code and improve signature verification logic

* fix: simplify abstractions and renamed some things

* fix: improve tl interface.

* fix: sort out signer/verifier
 2024-09-18 13:34:10 +01:00
dependabot[bot]
5335a56da1 feat(deps): bump github.com/aws/aws-sdk-go-v2/config (#168) 
Bumps [github.com/aws/aws-sdk-go-v2/config](https://github.com/aws/aws-sdk-go-v2) from 1.27.33 to 1.27.35.
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/config/v1.27.33...config/v1.27.35)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go-v2/config
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2024-09-18 09:43:50 +01:00
Jonny Stoten
7fffbf9d3f Suppress logs from ecr credential helper (#163) 
This gets rid of those annoying logs like:

```
time="2024-09-11T15:22:04Z" level=error msg="Error parsing the serverURL" error="docker-credential-ecr-login can only be used with Amazon Elastic Container Registry." serverURL="localhost:5000"
time="2024-09-11T15:22:04Z" level=error msg="Error parsing the serverURL" error="docker-credential-ecr-login can only be used with Amazon Elastic Container Registry." serverURL="localhost:5000"
time="2024-09-11T15:22:04Z" level=error msg="Error parsing the serverURL" error="docker-credential-ecr-login can only be used with Amazon Elastic Container Registry." serverURL="localhost:5000"
time="2024-09-11T15:22:04Z" level=error msg="Error parsing the serverURL" error="docker-credential-ecr-login can only be used with Amazon Elastic Container Registry." serverURL="localhost:5000"
```
v0.5.2 		2024-09-11 16:36:28 +01:00
dependabot[bot]
070fa33d0d feat(deps): bump google.golang.org/api from 0.196.0 to 0.197.0 (#162) 
Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client) from 0.196.0 to 0.197.0.
- [Release notes](https://github.com/googleapis/google-api-go-client/releases)
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-api-go-client/compare/v0.196.0...v0.197.0)

---
updated-dependencies:
- dependency-name: google.golang.org/api
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2024-09-11 12:27:09 +01:00
Jonny Stoten
602295492f fix: regexes for autolabeler (#160) 
* Fix regexes for autolabeler

* Remove branch autolabeler rules
 2024-09-10 21:02:05 +01:00
Jonny Stoten
6edcc3d5d7 Test on Go 1.23 as well (#161) 2024-09-10 17:40:43 +01:00
Jonny Stoten
c029bcfbaa feat: add a prefix path to TUF client (#159) 
This is to allow us to store new policy files in the production TUF repository
under a testing delegation, and for clients to opt-in to using this testing
delegation when retrieving policy from TUF.

If the prefix path is set, it is prepended to every target path on download
with path.Join. For example, if the prefix path is testing and we download
the target a/b, the TUF client with actually download testing/a/b.

Also get the latest testdata from tuf-dev.
 2024-09-10 17:40:20 +01:00
James Carnegie
206b33c5d9 fix: expose version and user agent to consumers (#158) v0.5.1 2024-09-09 12:08:01 -05:00
James Carnegie
b4e6767cc6 feature!: support for setting HTTP User-Agent header (#157) 
* feature!: support for setting HTTP User-Agent header

* fix lint

* fix e2e

* refactor: move http.go to internal/util/useragent package and rename functions to Get and Set

* Move packages and use attest version
v0.5.0 		2024-09-09 14:22:17 +01:00
James Carnegie
ed0ae8ecf6 fix: verify mapped image name against subjects (#156) 
* fix: verify mapped image name against subjects
v0.4.4 		2024-09-05 08:08:55 -05:00
Joel Kamp
a363be7f3a Merge pull request #150 from docker/dependabot/go_modules/google.golang.org/api-0.196.0 
feat(deps): bump google.golang.org/api from 0.195.0 to 0.196.0
v0.4.3 		2024-09-04 16:47:27 -05:00
dependabot[bot]
99846a3483 feat(deps): bump google.golang.org/api from 0.195.0 to 0.196.0 
Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client) from 0.195.0 to 0.196.0.
- [Release notes](https://github.com/googleapis/google-api-go-client/releases)
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-api-go-client/compare/v0.195.0...v0.196.0)

---
updated-dependencies:
- dependency-name: google.golang.org/api
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
 2024-09-04 21:43:32 +00:00
Joel Kamp
f760b12bb2 Merge pull request #151 from docker/dependabot/go_modules/github.com/sigstore/sigstore/pkg/signature/kms/gcp-1.8.9 
feat(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/gcp from 1.8.8 to 1.8.9
 2024-09-04 16:41:22 -05:00
Joel Kamp
bab474669f Merge pull request #155 from docker/dependabot/go_modules/github.com/aws/aws-sdk-go-v2/config-1.27.33 
feat(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.27.31 to 1.27.33
 2024-09-04 16:40:18 -05:00
dependabot[bot]
0705a71115 feat(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/gcp 
Bumps [github.com/sigstore/sigstore/pkg/signature/kms/gcp](https://github.com/sigstore/sigstore) from 1.8.8 to 1.8.9.
- [Release notes](https://github.com/sigstore/sigstore/releases)
- [Commits](https://github.com/sigstore/sigstore/compare/v1.8.8...v1.8.9)

---
updated-dependencies:
- dependency-name: github.com/sigstore/sigstore/pkg/signature/kms/gcp
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2024-09-04 21:37:46 +00:00
dependabot[bot]
b00e02af01 feat(deps): bump github.com/aws/aws-sdk-go-v2/config 
Bumps [github.com/aws/aws-sdk-go-v2/config](https://github.com/aws/aws-sdk-go-v2) from 1.27.31 to 1.27.33.
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/config/v1.27.31...config/v1.27.33)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go-v2/config
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2024-09-04 21:36:36 +00:00
Joel Kamp
ff53657cc9 Merge pull request #153 from docker/dependabot/github_actions/actions/create-github-app-token-1.10.4 
chore(deps): bump actions/create-github-app-token from 1.10.3 to 1.10.4
 2024-09-04 16:34:38 -05:00
Joel Kamp
c8383f3f5a Merge pull request #149 from docker/dependabot/go_modules/github.com/sigstore/sigstore/pkg/signature/kms/aws-1.8.9 
feat(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/aws from 1.8.8 to 1.8.9
 2024-09-04 16:33:50 -05:00
Joel Kamp
dc247bd348 Merge pull request #143 from docker/dependabot/go_modules/github.com/open-policy-agent/opa-0.68.0 
feat(deps): bump github.com/open-policy-agent/opa from 0.67.1 to 0.68.0
 2024-09-04 16:33:28 -05:00
Joel Kamp
ce7d173150 Merge pull request #154 from docker/feat--add-slsa-v1-predicate-type 
feat: add slsa v1 predicate type
 2024-09-04 16:32:21 -05:00
mrjoelkamp
fb69d9a09b feat: add slsa v1 predicate type 2024-09-04 16:15:56 -05:00
James Carnegie
48e58a9115 Verify input image/platform against attestation subjects before passing to rego (#148) 
* feat: verify subjects before passing to rego
 2024-09-04 10:20:00 +01:00
dependabot[bot]
bfacaf1de0 chore(deps): bump actions/create-github-app-token from 1.10.3 to 1.10.4 
Bumps [actions/create-github-app-token](https://github.com/actions/create-github-app-token) from 1.10.3 to 1.10.4.
- [Release notes](https://github.com/actions/create-github-app-token/releases)
- [Commits](31c86eb3b3...3378cda945)

---
updated-dependencies:
- dependency-name: actions/create-github-app-token
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2024-09-04 08:46:09 +00:00
dependabot[bot]
67ad27ac22 feat(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/aws 
Bumps [github.com/sigstore/sigstore/pkg/signature/kms/aws](https://github.com/sigstore/sigstore) from 1.8.8 to 1.8.9.
- [Release notes](https://github.com/sigstore/sigstore/releases)
- [Commits](https://github.com/sigstore/sigstore/compare/v1.8.8...v1.8.9)

---
updated-dependencies:
- dependency-name: github.com/sigstore/sigstore/pkg/signature/kms/aws
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2024-09-04 08:41:30 +00:00
James Carnegie
41847ef238 fix: escape ! remove .* (global match) (#146) 2024-09-03 12:24:26 +01:00
James Carnegie
1f806f33a8 feat: validate mapping files on load (#147) 2024-09-03 12:21:24 +01:00
James Carnegie
8982778507 refactor! remove pkg directory (#145) 
* refactor!: remove pkg directory

* chore: include breaking changes in draft
 2024-09-02 16:17:50 +01:00
James Carnegie
23849c1c2e fix: use canonical names inside TUF fetcher (#144) 
* fix: use canonical names inside TUF fetcher
* keep hold of reference to Config
v0.4.2 		2024-08-30 17:03:29 +01:00
dependabot[bot]
16834292de feat(deps): bump github.com/open-policy-agent/opa from 0.67.1 to 0.68.0 
Bumps [github.com/open-policy-agent/opa](https://github.com/open-policy-agent/opa) from 0.67.1 to 0.68.0.
- [Release notes](https://github.com/open-policy-agent/opa/releases)
- [Changelog](https://github.com/open-policy-agent/opa/blob/main/CHANGELOG.md)
- [Commits](https://github.com/open-policy-agent/opa/compare/v0.67.1...v0.68.0)

---
updated-dependencies:
- dependency-name: github.com/open-policy-agent/opa
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
 2024-08-30 08:37:19 +00:00
dependabot[bot]
bada1df262 feat(deps): bump google.golang.org/api from 0.194.0 to 0.195.0 (#139) 
Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client) from 0.194.0 to 0.195.0.
- [Release notes](https://github.com/googleapis/google-api-go-client/releases)
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-api-go-client/compare/v0.194.0...v0.195.0)

---
updated-dependencies:
- dependency-name: google.golang.org/api
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: James Carnegie <kipz@users.noreply.github.com>
 2024-08-30 09:29:19 +01:00
James Carnegie
4778d3de6a fix: tuf oci image parsing (#142) 
* fix: tuf oci image parsing
v0.4.1 		2024-08-29 12:27:13 -05:00
James Carnegie
a4ac09e7da refactor! don't use ctx for policy evaluator (#140) 
* refactor! don't use ctx for policy evaluator
 2024-08-29 17:43:45 +01:00
Joel Kamp
9250552c5b Merge pull request #138 from docker/feat-add-tuf-resolver-tests 
feat: add policy resolver tests
 2024-08-29 10:28:34 -05:00