in-toto / witness

Witness is a pluggable framework for software supply chain risk management. It automates, normalizes, and verifies software artifact provenance.
https://witness.dev
Apache License 2.0

Auto-Attest #205

Open colek42 opened 1 year ago

colek42 commented 1 year ago

Proposal:

Add a function to the Attestor interface. Attestors should implement this interface by interrogating the environment to see if it can run. We should run all attestors that are valid for an environment.

Example 1 (Pre-Attestor):

The GitLab attestor will check to see if the environment contains an environment variable "CI_JOB_JWT_V2" required for the attestor to run.

Example 2 (Post-Attestor):

The oci attestor will attempt to parse all output files. It will log errors at the DEBUG level.

Concerns

With this design change, it will be important that the functions that check the environment return a result quickly.

I am unsure how to solve the case where a user wants to always opt out of an attestor. For example, the environment attestor may divulge secrets.

mikhailswift commented 1 year ago

Some thoughts around this:

A simple first iteration would be just to try every attestor -- though the Snyk attestor should be excluded from this. This is essentially what your Example 2 is doing already -- just try to see if a product is an OCI container and if it is go ahead and run.

A user should be able to configure two things optionally:

  1. Required attestors: If a required attestor fails to run the program should exit on the failure as we do today
  2. Excluded attestors: Witness should not try and run an excluded attestor
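The environment check proposed in the issue together with the required/excluded settings from the reply, as an added Go example that is not part of witness's code: the reduced `Attestor` interface, the `CanRun` method, the `Policy` type and the injected `Lookup` function are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"os"
)

// Attestor is a reduced, hypothetical interface (not witness's real one) with the proposed check as CanRun; it must return quickly.
type Attestor interface {
	Name() string
	CanRun() bool
}

// GitLabAttestor opts in only when CI_JOB_JWT_V2 is set; Lookup is injected so the check runs outside a real CI job.
type GitLabAttestor struct{ Lookup func(string) (string, bool) }

func (GitLabAttestor) Name() string   { return "gitlab" }
func (g GitLabAttestor) CanRun() bool { _, ok := g.Lookup("CI_JOB_JWT_V2"); return ok }

// EnvironmentAttestor can always run, which is why a user may want to exclude it: it may capture secrets.
type EnvironmentAttestor struct{}

func (EnvironmentAttestor) Name() string { return "environment" }
func (EnvironmentAttestor) CanRun() bool { return true }

// Policy holds the two optional user settings proposed in the thread.
type Policy struct {
	Required map[string]bool // failing to run is fatal
	Excluded map[string]bool // never attempted, even if CanRun would be true
}

// Select returns the names of the attestors that will run.
func Select(attestors []Attestor, p Policy) ([]string, error) {
	var run []string
	for _, a := range attestors {
		switch {
		case p.Excluded[a.Name()]: // skipped without even running its check
		case a.CanRun():
			run = append(run, a.Name())
		case p.Required[a.Name()]:
			return nil, fmt.Errorf("required attestor %q cannot run here", a.Name())
		}
	}
	return run, nil
}

func main() {
	all := []Attestor{GitLabAttestor{Lookup: os.LookupEnv}, EnvironmentAttestor{}}
	fmt.Println(Select(all, Policy{Excluded: map[string]bool{"environment": true}}))
}
```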