in-toto / witness

Witness is a pluggable framework for software supply chain risk management. It automates, normalizes, and verifies software artifact provenance.
https://witness.dev
Apache License 2.0

Feature Request: Implement "inspect" Command #345

Closed: colek42 closed this 9 months ago

colek42 commented 11 months ago

As a Witness user, I would like to have the ability to inspect attestations and policies using a new "inspect" command. This feature would provide a convenient way to verify the contents of these files, aiding in security and compliance verification. When policy creators are trying to create policies they generally use tools like jq to parse these documents; a built-in command would provide better UX for users, specifically policy creators.

Proposed Solution

  1. Create a new "inspect" command in Witness.
  2. Implement flags for specifying the attestation and policy files to inspect.
  3. Develop logic to read and parse the specified attestation and policy files.
  4. Display the parsed information to the user, offering insights into the contents of the attestation and policy.

Expected Behavior

When the "inspect" command is executed, it should:

Additional Context

This feature would be highly beneficial for users who need to validate the contents of attestations and policies in their workflow. It enhances the utility of Witness by providing an easy way to perform manual verification and analysis.

Alternatives Considered

We have considered alternative approaches to achieving this functionality, such as integrating with external tools. However, implementing this as a built-in "inspect" command would provide a seamless and user-friendly experience within the Witness CLI.

Implementation Details

This feature will require modifications to the Witness CLI codebase. We will need to create a new Cobra command, define flags, and implement logic for reading and parsing attestation and policy files.
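
The following is an added example, not code from the witness project or from the issue author. It implements the "read and parse" step of the proposal in plain Go with only the standard library: decode a DSSE envelope, report the payload type, the key IDs present, the in-toto statement's subjects and predicate type, and, when the predicate looks like a witness attestation collection, the types of the attestations inside it. The Cobra wiring is left out. The collection predicate type URL, the key ID, the subject name and the whole sample envelope are constructed assumptions, and the `Inspect` / `SampleEnvelope` / `Summary` names are this example's own. Note what it deliberately does not do: it reports that signatures are present but never checks one, so a real command built on it should print that fact rather than let "inspect" read as "verify".

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"log"
	"sort"
)

// Envelope is the DSSE envelope witness writes around attestations and signed policies.
type Envelope struct {
	PayloadType string `json:"payloadType"`
	Payload     string `json:"payload"` // standard base64 of the signed body
	Signatures  []struct{ KeyID string `json:"keyid"` } `json:"signatures"`
}

// Statement is the in-toto Statement an attestation payload decodes to.
type Statement struct {
	PredicateType string `json:"predicateType"`
	Subject       []struct{ Name string `json:"name"`; Digest map[string]string `json:"digest"` } `json:"subject"`
	Predicate     json.RawMessage `json:"predicate"`
}

// Summary is what an inspect command would print. Deliberately no "valid" field: this code decodes and reports, it never checks a signature.
type Summary struct {
	PayloadType      string
	SignerKeyIDs     []string // key IDs present in the envelope, unverified
	PredicateType    string
	Subjects         []string // "name alg:hex", one line per digest
	AttestationTypes []string // entry types, if the predicate is a collection
}

const inTotoPayloadType = "application/vnd.in-toto+json"
func Inspect(raw []byte) (Summary, error) {
	var env Envelope
	if err := json.Unmarshal(raw, &env); err != nil {
		return Summary{}, fmt.Errorf("not a DSSE envelope: %w", err)
	}
	s := Summary{PayloadType: env.PayloadType}
	for _, sig := range env.Signatures {
		s.SignerKeyIDs = append(s.SignerKeyIDs, sig.KeyID)
	}
	body, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return Summary{}, fmt.Errorf("payload is not valid base64: %w", err)
	}
	if env.PayloadType != inTotoPayloadType {
		return s, nil // e.g. a signed policy: report the payload type and stop
	}
	var st Statement
	if err := json.Unmarshal(body, &st); err != nil {
		return Summary{}, fmt.Errorf("payload is not an in-toto statement: %w", err)
	}
	s.PredicateType = st.PredicateType
	for _, sub := range st.Subject {
		for alg, hex := range sub.Digest {
			s.Subjects = append(s.Subjects, sub.Name+" "+alg+":"+hex)
		}
	}
	sort.Strings(s.Subjects) // map iteration order is random; keep output stable
	var coll struct { // best effort: a witness collection predicate carries an "attestations" list
		Attestations []struct{ Type string `json:"type"` } `json:"attestations"`
	}
	if json.Unmarshal(st.Predicate, &coll) == nil {
		for _, a := range coll.Attestations {
			s.AttestationTypes = append(s.AttestationTypes, a.Type)
		}
	}
	return s, nil
}

// SampleEnvelope is constructed test data, not real witness output: the key ID is
// made up, the digest is sha256(""), and the collection predicate type is assumed.
func SampleEnvelope() []byte {
	body, _ := json.Marshal(map[string]any{
		"predicateType": "https://witness.testifysec.com/attestation-collection/v0.1",
		"subject": []map[string]any{{"name": "app.tar.gz", "digest": map[string]string{
			"sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"}}},
		"predicate": map[string]any{"name": "build", "attestations": []map[string]string{
			{"type": "https://witness.dev/attestations/git/v0.1"},
			{"type": "https://witness.dev/attestations/command-run/v0.1"}}},
	})
	raw, _ := json.Marshal(map[string]any{
		"payloadType": inTotoPayloadType,
		"payload":     base64.StdEncoding.EncodeToString(body),
		"signatures":  []map[string]string{{"keyid": "deadbeef", "sig": "AAAA"}},
	})
	return raw
}

func main() {
	s, err := Inspect(SampleEnvelope())
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("%+v\nsignatures present: %d (NOT verified)\n", s, len(s.SignerKeyIDs))
}
```

Run it with `go run .` to inspect the constructed sample; to point it at a real file, replace `SampleEnvelope()` in `main` with the bytes from `os.ReadFile(path)`. Signed policies are DSSE envelopes too, so the same function reports their payload type and key IDs and simply skips the statement parsing.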

ChaosInTheCRD commented 11 months ago

I failed to work on this due to time in the end, but I put some work into thinking / designing a similar feature for cosign (https://github.com/sigstore/cosign/issues/2210).

I definitely find that this sort of thing is valuable, but we should be careful of creating the impression that such a command would in any way verify or audit the information. Instead it should very clearly just fetch and print any attestations associated with the artifact.

Given that in witness we have an overarching AttestationCollection construct, I think there's a lot of opportunity from a UX perspective. I think it'd be pretty cool to be able to index all the attestations associated with the artifact and be able to inspect / describe them etc.

adityasaky commented 11 months ago

Related to @ChaosInTheCRD’s comment, I’m wary of “inspect” over promising what it does. This is especially a concern because an “inspection” is an actual type of check in in-toto layouts. I think using a different sub command largely solves this.