

feat: add v2alpha3 format
aaron-prindle committed Jan 16, 2024
1 parent e8dd767 commit e83c7cb
Showing 27 changed files with 3,924 additions and 14 deletions.
10 changes: 5 additions & 5 deletions docs/config.md
Expand Up @@ -21,20 +21,20 @@ Supported keys include:

| Key | Description | Supported Values | Default |
| :-------------------------- | :----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :----------------------------------------- | :-------- |
| `artifacts.taskrun.format` | The format to store `TaskRun` payloads in. | `in-toto`, `slsa/v1`, `slsa/v2alpha2` | `in-toto` |
| `artifacts.taskrun.format` | The format to store `TaskRun` payloads in. | `in-toto`, `slsa/v1`, `slsa/v2alpha3` | `in-toto` |
| `artifacts.taskrun.storage` | The storage backend to store `TaskRun` signatures in. Multiple backends can be specified with comma-separated list ("tekton,oci"). To disable the `TaskRun` artifact input an empty string (""). | `tekton`, `oci`, `gcs`, `docdb`, `grafeas` | `tekton` |
| `artifacts.taskrun.signer` | The signature backend to sign `TaskRun` payloads with. | `x509`, `kms` | `x509` |

> NOTE:
>
> - `slsa/v1` is an alias of `in-toto` for backwards compatibility.
> - `slsa/v2alpha2` corresponds to the slsav1.0 spec.
> - `slsa/v2alpha3` corresponds to the slsav1.0 spec.
### PipelineRun Configuration

| Key | Description | Supported Values | Default |
| :--------------------------------------------- | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | :----------------------------------------- | :-------- |
| `artifacts.pipelinerun.format` | The format to store `PipelineRun` payloads in. | `in-toto`, `slsa/v1`, `slsa/v2alpha2` | `in-toto` |
| `artifacts.pipelinerun.format` | The format to store `PipelineRun` payloads in. | `in-toto`, `slsa/v1`, `slsa/v2alpha3` | `in-toto` |
| `artifacts.pipelinerun.storage` | The storage backend to store `PipelineRun` signatures in. Multiple backends can be specified with comma-separated list ("tekton,oci"). To disable the `PipelineRun` artifact input an empty string (""). | `tekton`, `oci`, `gcs`, `docdb`, `grafeas` | `tekton` |
| `artifacts.pipelinerun.signer` | The signature backend to sign `PipelineRun` payloads with. | `x509`, `kms` | `x509` |
| `artifacts.pipelinerun.enable-deep-inspection` | This boolean option will configure whether Chains should inspect child taskruns in order to capture inputs/outputs within a pipelinerun. `"false"` means that Chains only checks pipeline level results, whereas `"true"` means Chains inspects both pipeline level and task level results. | `"true"`, `"false"` | `"false"` |
Expand All @@ -43,7 +43,7 @@ Supported keys include:
>
> - For grafeas storage backend, currently we only support Container Analysis. We will make grafeas server address configurabe within a short time.
> - `slsa/v1` is an alias of `in-toto` for backwards compatibility.
> - `slsa/v2alpha2` corresponds to the slsav1.0 spec.
> - `slsa/v2alpha3` corresponds to the slsav1.0 spec.
### OCI Configuration

Expand Down Expand Up @@ -96,7 +96,7 @@ You can read more about Grafeas notes and occurrences [here](https://github.com/
> NOTE:
> Considerations for the builddefinition.buildtype parameter:
>
> - It is only valid for `slsa/v2alpha2` configurations (see TaskRun or PipelineRun configuration).
> - It is only valid for `slsa/v2alpha3` configurations (see TaskRun or PipelineRun configuration).
> - The parameter can take one of two values:
> - `https://tekton.dev/chains/v2/slsa`: This buildType strictly conforms to the slsav1.0 spec.
> - `https://tekton.dev/chains/v2/slsa-tekton`: This buildType also conforms to the slsav1.0 spec, but adds additional informaton specific to Tekton. This information includes the PipelinRun/TaskRun labels and annotations as internalParameters. It also includes capturing each pipeline task in a PipelinRun under resolvedDependencies.
2 changes: 1 addition & 1 deletion docs/slsa-provenance.md
Expand Up @@ -38,7 +38,7 @@ The following shows the mapping between slsa version and formatter name.

| SLSA Version | Formatter Name |
| ------------ | ---------------------- |
| v1.0 | `slsa/v2alpha2` |
| v1.0 | `slsa/v2alpha3` |
| v0.2 | `slsa/v1` or `in-toto` |

To configure Task-level provenance version
1 change: 1 addition & 0 deletions pkg/chains/formats/all/all.go
Expand Up @@ -19,4 +19,5 @@ import (
_ "github.com/tektoncd/chains/pkg/chains/formats/slsa/v1"
_ "github.com/tektoncd/chains/pkg/chains/formats/slsa/v2alpha1"
_ "github.com/tektoncd/chains/pkg/chains/formats/slsa/v2alpha2"
_ "github.com/tektoncd/chains/pkg/chains/formats/slsa/v2alpha3"
)
2 changes: 2 additions & 0 deletions pkg/chains/formats/format.go
Expand Up @@ -34,6 +34,7 @@ const (
PayloadTypeSlsav1 config.PayloadType = "slsa/v1"
PayloadTypeSlsav2alpha1 config.PayloadType = "slsa/v2alpha1"
PayloadTypeSlsav2alpha2 config.PayloadType = "slsa/v2alpha2"
PayloadTypeSlsav2alpha3 config.PayloadType = "slsa/v2alpha3"
)

var (
Expand All @@ -42,6 +43,7 @@ var (
PayloadTypeSlsav1: {},
PayloadTypeSlsav2alpha1: {},
PayloadTypeSlsav2alpha2: {},
PayloadTypeSlsav2alpha3: {},
}
payloaderMap = map[config.PayloadType]PayloaderInit{}
)
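Review bot: The new `PayloadTypeSlsav2alpha3` constant at the end of the const block carries no doc comment, and nothing on the code side says how it relates to `PayloadTypeSlsav2alpha2`, which the second hunk of this file keeps in the accepted-types set; both the `const (` and `var (` blocks begin before the hunks' first visible lines. In the same commit docs/config.md lists only `slsa/v2alpha3` in its Supported Values columns and reuses the "corresponds to the slsav1.0 spec" wording previously attached to v2alpha2, so a reader cannot tell whether v2alpha2 is removed, deprecated or merely undocumented while the code still accepts it. A comment on the new constant such as `// PayloadTypeSlsav2alpha3 is the current SLSA v1.0 formatter; PayloadTypeSlsav2alpha2 remains accepted for existing configs.` (adjusting the second clause to whatever the intended support status is) would settle it, and config.md should then either keep `slsa/v2alpha2` in Supported Values or mark it deprecated so that the documented set matches the set at the `PayloadTypeSlsav2alpha2: {}` line.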
312 changes: 312 additions & 0 deletions pkg/chains/formats/slsa/testdata/slsa-v2alpha3/pipelinerun1.json
@@ -0,0 +1,312 @@
{
"metadata": {
"name": "pipelinerun-build",
"uid": "abhhf-12354-asjsdbjs23-3435353n"
},
"spec": {
"params": [
{
"name": "IMAGE",
"value": "test.io/test/image"
}
],
"pipelineRef": {
"name": "test-pipeline"
},
"taskRunTemplate": {
"serviceAccountName": "pipeline"
}
},
"status": {
"startTime": "2021-03-29T09:50:00Z",
"completionTime": "2021-03-29T09:50:15Z",
"conditions": [
{
"lastTransitionTime": "2021-03-29T09:50:15Z",
"message": "Tasks Completed: 2 (Failed: 0, Cancelled 0), Skipped: 0",
"reason": "Succeeded",
"status": "True",
"type": "Succeeded"
}
],
"results": [
{
"name": "CHAINS-GIT_COMMIT",
"value": "abcd"
},
{
"name": "CHAINS-GIT_URL",
"value": "https://git.test.com"
},
{
"name": "IMAGE_URL",
"value": "test.io/test/image"
},
{
"name": "IMAGE_DIGEST",
"value": "sha256:827521c857fdcd4374f4da5442fbae2edb01e7fbae285c3ec15673d4c1daecb7"
},
{
"name": "img-ARTIFACT_INPUTS",
"value": {
"uri": "abc","digest": "sha256:827521c857fdcd4374f4da5442fbae2edb01e7fbae285c3ec15673d4c1daecb7"
}
},
{
"name": "img2-ARTIFACT_OUTPUTS",
"value": {
"uri": "def","digest": "sha256:"
}
},
{
"name": "img_no_uri-ARTIFACT_OUTPUTS",
"value": {
"digest": "sha256:827521c857fdcd4374f4da5442fbae2edb01e7fbae285c3ec15673d4c1daecb7"
}
}
],
"pipelineSpec": {
"params": [
{
"description": "Image path on registry",
"name": "IMAGE",
"type": "string"
}
],
"results": [
{
"description": "",
"name": "CHAINS-GIT_COMMIT",
"value": "$(tasks.git-clone.results.commit)"
},
{
"description": "",
"name": "CHAINS-GIT_URL",
"value": "$(tasks.git-clone.results.url)"
},
{
"description": "",
"name": "IMAGE_URL",
"value": "$(tasks.build.results.IMAGE_URL)"
},
{
"description": "",
"name": "IMAGE_DIGEST",
"value": "$(tasks.build.results.IMAGE_DIGEST)"
}
],
"tasks": [
{
"name": "git-clone",
"params": [
{
"name": "url",
"value": "https://git.test.com"
},
{
"name": "revision",
"value": ""
}
],
"taskRef": {
"kind": "ClusterTask",
"name": "git-clone"
}
},
{
"name": "build",
"params": [
{
"name": "CHAINS-GIT_COMMIT",
"value": "$(tasks.git-clone.results.commit)"
},
{
"name": "CHAINS-GIT_URL",
"value": "$(tasks.git-clone.results.url)"
}
],
"taskRef": {
"kind": "ClusterTask",
"name": "build"
}
}
]
},
"taskRuns": {
"git-clone": {
"pipelineTaskName": "git-clone",
"status": {
"completionTime": "2021-03-29T09:50:15Z",
"conditions": [
{
"lastTransitionTime": "2021-03-29T09:50:15Z",
"message": "All Steps have completed executing",
"reason": "Succeeded",
"status": "True",
"type": "Succeeded"
}
],
"podName": "git-clone-pod",
"startTime": "2021-03-29T09:50:00Z",
"steps": [
{
"container": "step-clone",
"imageID": "test.io/test/clone-image",
"name": "clone",
"terminated": {
"exitCode": 0,
"finishedAt": "2021-03-29T09:50:15Z",
"reason": "Completed",
"startedAt": "2022-05-31T19:13:27Z"
}
}
],
"results": [
{
"name": "commit",
"value": "abcd"
},
{
"name": "url",
"value": "https://git.test.com"
}
],
"taskSpec": {
"params": [
{
"description": "Repository URL to clone from.",
"name": "url",
"type": "string"
},
{
"default": "",
"description": "Revision to checkout. (branch, tag, sha, ref, etc...)",
"name": "revision",
"type": "string"
}
],
"results": [
{
"description": "The precise commit SHA that was fetched by this Task.",
"name": "commit"
},
{
"description": "The precise URL that was fetched by this Task.",
"name": "url"
}
],
"steps": [
{
"env": [
{
"name": "HOME",
"value": "$(params.userHome)"
},
{
"name": "PARAM_URL",
"value": "$(params.url)"
}
],
"image": "$(params.gitInitImage)",
"name": "clone",
"resources": {},
"script": "git clone"
}
]
}
}
},
"taskrun-build": {
"pipelineTaskName": "build",
"status": {
"completionTime": "2021-03-29T09:50:15Z",
"conditions": [
{
"lastTransitionTime": "2021-03-29T09:50:15Z",
"message": "All Steps have completed executing",
"reason": "Succeeded",
"status": "True",
"type": "Succeeded"
}
],
"podName": "build-pod",
"startTime": "2021-03-29T09:50:00Z",
"steps": [
{
"container": "step-build",
"imageID": "test.io/test/build-image",
"name": "build",
"terminated": {
"exitCode": 0,
"finishedAt": "2022-05-31T19:17:30Z",
"reason": "Completed",
"startedAt": "2021-03-29T09:50:00Z"
}
}
],
"results": [
{
"name": "IMAGE_DIGEST",
"value": "sha256:827521c857fdcd4374f4da5442fbae2edb01e7fbae285c3ec15673d4c1daecb7"
},
{
"name": "IMAGE_URL",
"value": "test.io/test/image\n"
}
],
"taskSpec": {
"params": [
{
"description": "Git CHAINS URL",
"name": "CHAINS-GIT_URL",
"type": "string"
},
{
"description": "Git CHAINS Commit",
"name": "CHAINS-GIT_COMMIT",
"type": "string"
}
],
"results": [
{
"description": "Digest of the image just built.",
"name": "IMAGE_DIGEST"
},
{
"description": "URL of the image just built.",
"name": "IMAGE_URL"
}
],
"steps": [
{
"command": [
"buildah",
"build"
],
"image": "test.io/test/build-image",
"name": "generate"
},
{
"command": [
"buildah",
"push"
],
"image": "test.io/test/build-image",
"name": "push"
}
]
}
}
}
},
"provenance": {
"refSource": {
"uri": "git+https://github.com/test",
"digest": {
"sha1": "28b123"
},
"entryPoint": "pipeline.yaml"
}
}
}
}
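Review bot: The git-clone step's `terminated` block records a `startedAt` of 2022-05-31T19:13:27Z, which is later than that step's own `finishedAt` and than the taskrun's `completionTime` of 2021-03-29T09:50:15Z, and the build step's `finishedAt` of 2022-05-31T19:17:30Z likewise falls after its taskrun's completion; these read as copy-over artifacts rather than intended inputs. Unless the v2alpha3 formatter tests deliberately exercise out-of-order step timestamps, aligning them with the 2021-03-29 window (for example `"startedAt": "2021-03-29T09:50:00Z"` and `"finishedAt": "2021-03-29T09:50:15Z"`) keeps any future duration or ordering check on step metadata from passing or failing for the wrong reason. The empty `"sha256:"` digest under img2-ARTIFACT_OUTPUTS, the digest-only img_no_uri entry and the trailing `\n` in the build `IMAGE_URL` result look like intentional edge cases; since JSON cannot carry a comment, naming that intent in the test that loads this fixture would stop a later cleanup from "fixing" them.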
