Open colek42 opened 1 year ago
Some thoughts around this:
A simple first iteration would be to just try every attestor -- though the Snyk attestor should be excluded from this. This is essentially what your Example 2 is doing already -- just try to see if a product is an OCI container, and if it is, go ahead and run.
A user should be able to configure two things optionally:
Proposal:
Add a function to the Attestor interface. Attestors should implement this interface by interrogating the environment to see if it can run. We should run all attestors that are valid for an environment.
Example 1 (Pre-Attestor):
The GitLab attestor will check to see if the environment contains an environment variable "CI_JOB_JWT_V2" required for the attestor to run.
Example 2 (Post-Attestor):
The oci attestor will attempt to parse all output files. It will log errors at the DEBUG level.
Concerns
With this design change, it will be important that the functions that check the environment return a result quickly.
I am unsure how to solve the case where a user wants to always opt out of an attestor. For example, the environment attestor may divulge secrets.
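One way the proposal in the comment above could look in Go, as an added example that is neither the project's own code nor the commenter's: `Attestor`, `Env`, `Config`, `SelectAttestors`, `looksLikeOCIImage`, `SampleProducts` and the attestor types are all hypothetical names, and the products (an in-memory OCI image-layout tarball and a plain text file) are constructed. It covers both examples and both concerns from the comment: a cheap env-var check for GitLab (pre-attestor), an OCI post-attestor that tries to parse every product and logs failures at DEBUG, a time budget enforced on each detector so a slow check cannot stall the run, and a config-level opt-out list that excludes the Snyk and environment attestors unless the user says otherwise.

```go
package main

import (
	"archive/tar"
	"bytes"
	"context"
	"errors"
	"fmt"
	"io"
	"log"
	"os"
	"time"
)

// Env is the slice of the world a detector may look at: env vars for
// pre-attestors, product bytes for post-attestors. (Assumption: products
// arrive as path -> contents; a real implementation would hand over paths.)
type Env struct {
	Getenv   func(string) string
	Products map[string][]byte
}

// Attestor is a hypothetical stand-in for the project's interface; Detect is
// the method the comment proposes adding. It must be cheap and honour ctx.
type Attestor interface {
	Name() string
	Detect(ctx context.Context, env Env) bool
}

// Config carries the user's opt-out list and the per-detector time budget.
type Config struct {
	Exclude       map[string]bool
	DetectTimeout time.Duration
}

// DefaultConfig never runs snyk or environment implicitly (the latter may
// divulge secrets); a user can override Exclude to opt back in.
func DefaultConfig() Config {
	return Config{Exclude: map[string]bool{"snyk": true, "environment": true}, DetectTimeout: 200 * time.Millisecond}
}

type gitlabAttestor struct{} // pre-attestor: one env-var lookup, returns immediately
func (gitlabAttestor) Name() string { return "gitlab" }
func (gitlabAttestor) Detect(_ context.Context, env Env) bool { return env.Getenv("CI_JOB_JWT_V2") != "" }

type ociAttestor struct{} // post-attestor: tries every product, parse failures are DEBUG noise
func (ociAttestor) Name() string { return "oci" }
func (ociAttestor) Detect(ctx context.Context, env Env) bool {
	for path, data := range env.Products {
		if ctx.Err() != nil {
			return false
		}
		if err := looksLikeOCIImage(data); err != nil {
			log.Printf("DEBUG oci: skipping %s: %v", path, err)
			continue
		}
		return true
	}
	return false
}

// looksLikeOCIImage accepts a tar stream that carries an OCI image-layout
// "index.json" entry; anything that is not a tar archive fails on the first header.
func looksLikeOCIImage(data []byte) error {
	tr := tar.NewReader(bytes.NewReader(data))
	for {
		hdr, err := tr.Next()
		if errors.Is(err, io.EOF) {
			return errors.New("no index.json in archive")
		}
		if err != nil {
			return fmt.Errorf("not a tar archive: %w", err)
		}
		if hdr.Name == "index.json" {
			return nil
		}
	}
}

type environmentAttestor struct{} // always applicable, hence excluded by default
func (environmentAttestor) Name() string                     { return "environment" }
func (environmentAttestor) Detect(context.Context, Env) bool { return true }

type snykAttestor struct{}
func (snykAttestor) Name() string                     { return "snyk" }
func (snykAttestor) Detect(context.Context, Env) bool { return true }

type slowAttestor struct{ delay time.Duration } // misbehaving detector, to show the budget being enforced
func (slowAttestor) Name() string { return "slow" }
func (s slowAttestor) Detect(ctx context.Context, _ Env) bool {
	select {
	case <-time.After(s.delay):
		return true
	case <-ctx.Done():
		return false
	}
}

var ErrDetectTimeout = errors.New("detect did not return within budget")

// detectWithBudget runs Detect under a deadline; a detector that ignores ctx keeps
// running in its goroutine with its result discarded, so detectors must watch ctx.Done().
func detectWithBudget(ctx context.Context, budget time.Duration, a Attestor, env Env) (bool, error) {
	ctx, cancel := context.WithTimeout(ctx, budget)
	defer cancel()
	done := make(chan bool, 1)
	go func() { done <- a.Detect(ctx, env) }()
	select {
	case ok := <-done:
		return ok, nil
	case <-ctx.Done():
		return false, ErrDetectTimeout
	}
}

// SelectAttestors returns, in candidate order, the attestors that should run: not
// excluded by config and detected within budget. A timed-out detector is skipped, not fatal.
func SelectAttestors(ctx context.Context, cfg Config, env Env, candidates []Attestor) []string {
	var selected []string
	for _, a := range candidates {
		if cfg.Exclude[a.Name()] {
			log.Printf("DEBUG %s: excluded by config", a.Name())
			continue
		}
		ok, err := detectWithBudget(ctx, cfg.DetectTimeout, a, env)
		if err != nil {
			log.Printf("WARN %s: %v", a.Name(), err)
			continue
		}
		if ok {
			selected = append(selected, a.Name())
		}
	}
	return selected
}

// Candidates is a fixed-order slice so the selection is deterministic.
func Candidates() []Attestor {
	return []Attestor{gitlabAttestor{}, ociAttestor{}, environmentAttestor{}, slowAttestor{delay: time.Second}, snykAttestor{}}
}

// SampleProducts builds constructed products: one OCI image-layout tarball, one text file.
func SampleProducts() map[string][]byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, e := range []struct{ name, body string }{
		{"oci-layout", `{"imageLayoutVersion":"1.0.0"}`},
		{"index.json", `{"schemaVersion":2,"manifests":[]}`},
	} {
		if err := tw.WriteHeader(&tar.Header{Name: e.name, Mode: 0o644, Size: int64(len(e.body))}); err != nil {
			panic(err)
		}
		if _, err := io.WriteString(tw, e.body); err != nil {
			panic(err)
		}
	}
	if err := tw.Close(); err != nil {
		panic(err)
	}
	return map[string][]byte{"out/image.tar": buf.Bytes(), "out/report.txt": []byte("build finished\n")}
}

func main() {
	env := Env{Getenv: os.Getenv, Products: SampleProducts()}
	fmt.Println("selected:", SelectAttestors(context.Background(), DefaultConfig(), env, Candidates()))
}
```

Run it inside a GitLab job (or with `CI_JOB_JWT_V2` exported) and the selection is `[gitlab oci]`; elsewhere it is `[oci]`. The `slow` attestor is dropped with a WARN after 200 ms, which is the failure mode the comment's first concern is about, and the opt-out concern is handled purely in `Config.Exclude`, so the attestor code never has to know it is disabled.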