Provenance attestations
Definition
Provenance attestations are signed, structured statements about how a software artifact was produced: which source revision and dependencies went in (the materials), what command ran and in which environment, and which outputs came out (the products), each identified by a cryptographic digest rather than by a name or tag alone. A consumer verifies the signature against a key it trusts for that build step, then recomputes the digest of the artifact it received and compares it with the recorded product digest. A match ties the artifact to the recorded inputs and build; a mismatch, or an entry with no digest at all, means the artifact cannot be linked to any recorded history and should be rejected. A branch name such as "master" or an image tag such as "latest" can be moved to point at different content at any time, so the digest is the only part of the attestation that actually binds it to specific bytes. Provenance attestations are a core control in software supply chain security because they let a deployment pipeline refuse artifacts whose origin or build cannot be accounted for, including artifacts substituted or backdoored after the build. The examples below use the in-toto link format, which records the materials, products, command and environment of a single build step.
Secure Settings Example
apiVersion: in-toto.io/v1
kind: Link
metadata:
  name: build-step
spec:
  materials:
    - uri: "git+https://example.com/repo.git@master"
      digest:
        sha256: "d6a770ba38583ed4bb4525bd96e50461655d2759d6a770ba38583ed4bb4525bd"
  products:
    - uri: "docker://example.com/myapp:latest"
      digest:
        sha256: "3b1f33b8b5e5b5e5b5e5b5e5b5e5b5e5b5e5b5e5b5e5b5e5b5e5b5e5b5e5b5e5"
  byproducts:
    - name: "build-log"
      content: "Build completed successfully"
  command:
    - "docker"
    - "build"
    - "-t"
    - "example.com/myapp:latest"
    - "."
  environment:
    variables:
      - name: "GOOS"
        value: "linux"
      - name: "GOARCH"
        value: "amd64"
Every material and product carries a sha256 digest (32 bytes, written as 64 hex characters), so the link pins the exact source tree that was built and the exact image that came out; the mutable "@master" and ":latest" references only say where those bytes were fetched from or pushed to. The link still provides assurance only once it is signed by the build functionary's key and that signature is checked against a trusted layout or policy: an unsigned link is merely a claim.
Insecure Settings Example
apiVersion: in-toto.io/v1
kind: Link
metadata:
  name: build-step
spec:
  materials:
    - uri: "git+https://example.com/repo.git@master"
      # Missing digest information
  products:
    - uri: "docker://example.com/myapp:latest"
      # Missing digest information
  byproducts:
    - name: "build-log"
      content: "Build completed successfully"
  command:
    - "docker"
    - "build"
    - "-t"
    - "example.com/myapp:latest"
    - "."
  environment:
    variables:
      - name: "GOOS"
        value: "linux"
      - name: "GOARCH"
        value: "amd64"
Without digests the link names only a branch and a mutable image tag. Any content later served at "@master" or pushed to ":latest", including a backdoored source tree or a substituted image, satisfies this attestation equally well, so a verifier cannot distinguish the artifact that was actually built from one that replaced it. Treat a material or product without a digest as a verification failure, not as missing metadata.
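To make the difference between the two links concrete, here is a small verifier written for this page (it is an added example, not in-toto's own code). It renders both links as Python dicts, checks that every material and product carries a well-formed sha256 digest, and compares the recorded product digest with the digest of the artifact the verifier actually holds. The artifact bytes and the digests derived from them are constructed stand-ins; a real verifier would hash the checked-out source tree and the built image. Signature verification is deliberately out of scope here and is noted where it would belong.

```python
import hashlib
import re

# A SHA-256 digest is 32 bytes, i.e. exactly 64 lowercase hex characters.
SHA256_HEX = re.compile(r"[0-9a-f]{64}")

# Constructed stand-ins for the real artifacts (not real repository or image bytes).
MATERIAL_BYTES = b"constructed stand-in for the repo.git checkout"
PRODUCT_BYTES = b"constructed stand-in for the example.com/myapp image"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Digests of the artifacts the verifier actually has, keyed by the URI the link uses.
ACTUAL_MATERIALS = {"git+https://example.com/repo.git@master": sha256_hex(MATERIAL_BYTES)}
ACTUAL_PRODUCTS = {"docker://example.com/myapp:latest": sha256_hex(PRODUCT_BYTES)}

# Python rendering of the secure link above: every material and product is pinned by digest.
SECURE_LINK = {
    "name": "build-step",
    "materials": [{"uri": "git+https://example.com/repo.git@master",
                   "digest": {"sha256": sha256_hex(MATERIAL_BYTES)}}],
    "products": [{"uri": "docker://example.com/myapp:latest",
                  "digest": {"sha256": sha256_hex(PRODUCT_BYTES)}}],
    "command": ["docker", "build", "-t", "example.com/myapp:latest", "."],
}

# Python rendering of the insecure link above: URIs only, no digests.
INSECURE_LINK = {
    "name": "build-step",
    "materials": [{"uri": "git+https://example.com/repo.git@master"}],
    "products": [{"uri": "docker://example.com/myapp:latest"}],
    "command": ["docker", "build", "-t", "example.com/myapp:latest", "."],
}


def check_entries(entries, kind, actual):
    """Return findings for one section of a link (materials or products).

    Each entry must carry a well-formed sha256 digest, and where the verifier
    holds the artifact, the recorded digest must match the artifact's real hash.
    """
    findings = []
    for entry in entries:
        uri = entry.get("uri", "<missing uri>")
        recorded = (entry.get("digest") or {}).get("sha256")
        if recorded is None:
            findings.append(f"{kind} {uri}: no sha256 digest; a bare URI can be pointed at any content")
            continue
        if not SHA256_HEX.fullmatch(recorded):
            findings.append(f"{kind} {uri}: sha256 digest must be 64 lowercase hex characters")
            continue
        if uri in actual and actual[uri] != recorded:
            findings.append(f"{kind} {uri}: recorded digest does not match the artifact on hand")
    return findings


def verify_link(link, actual_materials, actual_products):
    """Return a list of findings; an empty list means the link's digests check out.

    Only digest pinning is checked here. In a real in-toto verification the link
    is also signed by the build functionary, and that signature is verified
    against a trusted layout before any of the link's contents are believed.
    """
    findings = []
    if not link.get("products"):
        findings.append("link records no products, so it attests to nothing")
    findings += check_entries(link.get("materials", []), "material", actual_materials)
    findings += check_entries(link.get("products", []), "product", actual_products)
    return findings


if __name__ == "__main__":
    for label, link in (("secure", SECURE_LINK), ("insecure", INSECURE_LINK)):
        print(label, verify_link(link, ACTUAL_MATERIALS, ACTUAL_PRODUCTS) or "OK")
    # A substituted image is caught even when the link itself is well formed.
    tampered = {"docker://example.com/myapp:latest": sha256_hex(b"constructed backdoored image")}
    print("tampered", verify_link(SECURE_LINK, ACTUAL_MATERIALS, tampered))
```

The secure link passes, the insecure link produces one finding per undigested entry, and a replaced image fails against the secure link because its recomputed digest no longer matches the recorded one. A digest of the wrong length (such as the 40-character values that are common copy-paste mistakes from SHA-1 tooling) is rejected before any comparison, so a malformed "secure" link cannot pass by accident.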