Closed colek42 closed 9 months ago
I failed to work on this due to time in the end, but I put some work into thinking / designing a similar feature for cosign (https://github.com/sigstore/cosign/issues/2210).
I definitely find that this sort of thing is valuable, but we should be careful of creating the impression that such a command would in any way verify or audit the information. Instead it should very clearly just fetch and print any attestations associated to the artifact.
Given that in witness we have an overarching AttestationCollection construct, I think there's a lot of opportunity from a UX perspective. I think it'd be pretty cool to be able to index all the attestations associated to the artifact and be able to inspect / describe them etc.
Related to @ChaosInTheCRD’s comment, I’m wary of “inspect” over-promising what it does. This is especially a concern because an “inspection” is an actual type of check in in-toto layouts. I think using a different sub-command largely solves this.
As a Witness user, I would like to have the ability to inspect attestations and policies using a new "inspect" command. This feature would provide a convenient way to verify the contents of these files, aiding in security and compliance verification. When policy creators are trying to create policies they generally use tools like jq to parse these documents; a built-in command would provide better UX for users, specifically policy creators.
Proposed Solution
Expected Behavior
When the "inspect" command is executed, it should:
Additional Context
This feature would be highly beneficial for users who need to validate the contents of attestations and policies in their workflow. It enhances the utility of Witness by providing an easy way to perform manual verification and analysis.
Alternatives Considered
We have considered alternative approaches to achieving this functionality, such as integrating with external tools. However, implementing this as a built-in "inspect" command would provide a seamless and user-friendly experience within the Witness CLI.
Implementation Details
This feature will require modifications to the Witness CLI codebase. We will need to create a new Cobra command, define flags, and implement logic for reading and parsing attestation and policy files.
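The following Go example sketches the read-and-parse half of such a command, keeping to the point raised in the thread that it should only fetch and print, never verify. It is an added illustration, not Witness's own code, and it assumes nothing beyond the public DSSE envelope and in-toto Statement layouts: the envelope it parses is a constructed sample with a placeholder predicate type, it is a plain function rather than a Cobra command (Cobra wiring is left out so the block runs with the standard library alone), and the signatures are counted but deliberately left unchecked so the summary can never be mistaken for a verification result.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"os"
)

// Envelope mirrors the DSSE envelope layout. The payload is base64 and the
// signatures are carried through untouched: inspect prints, it does not verify.
type Envelope struct {
	PayloadType string      `json:"payloadType"`
	Payload     string      `json:"payload"`
	Signatures  []Signature `json:"signatures"`
}

type Signature struct {
	KeyID string `json:"keyid"`
	Sig   string `json:"sig"`
}

// Statement is the subset of an in-toto Statement worth showing to a policy author.
type Statement struct {
	Type          string          `json:"_type"`
	Subject       []Subject       `json:"subject"`
	PredicateType string          `json:"predicateType"`
	Predicate     json.RawMessage `json:"predicate"`
}

type Subject struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"`
}

// Summary is what a hypothetical "inspect" subcommand would print.
type Summary struct {
	PayloadType    string
	StatementType  string
	PredicateType  string
	Subjects       []Subject
	SignatureCount int
	Verified       bool // always false: inspection is not verification
}

// Inspect decodes a DSSE envelope and the in-toto statement inside it without
// checking any signature. Every failure is reported as a parse error.
func Inspect(raw []byte) (Summary, error) {
	var env Envelope
	if err := json.Unmarshal(raw, &env); err != nil {
		return Summary{}, fmt.Errorf("not a DSSE envelope: %w", err)
	}
	payload, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return Summary{}, fmt.Errorf("payload is not base64: %w", err)
	}
	var st Statement
	if err := json.Unmarshal(payload, &st); err != nil {
		return Summary{}, fmt.Errorf("payload is not an in-toto statement: %w", err)
	}
	return Summary{
		PayloadType:    env.PayloadType,
		StatementType:  st.Type,
		PredicateType:  st.PredicateType,
		Subjects:       st.Subject,
		SignatureCount: len(env.Signatures),
		Verified:       false,
	}, nil
}

// SampleEnvelope builds a constructed envelope for the demo. The predicate type
// and digest are placeholders, not values from any real attestation.
func SampleEnvelope() []byte {
	statement := `{"_type":"https://in-toto.io/Statement/v0.1",` +
		`"subject":[{"name":"app.tar.gz","digest":{"sha256":"0000000000000000000000000000000000000000000000000000000000000000"}}],` +
		`"predicateType":"https://example.invalid/attestation/v1",` +
		`"predicate":{"note":"constructed sample"}}`
	env := Envelope{
		PayloadType: "application/vnd.in-toto+json",
		Payload:     base64.StdEncoding.EncodeToString([]byte(statement)),
		Signatures:  []Signature{{KeyID: "placeholder-key", Sig: "cGxhY2Vob2xkZXI="}},
	}
	raw, _ := json.Marshal(env)
	return raw
}

func main() {
	s, err := Inspect(SampleEnvelope())
	if err != nil {
		fmt.Fprintln(os.Stderr, "inspect:", err)
		os.Exit(1)
	}
	fmt.Printf("payloadType:   %s\nstatement:     %s\npredicateType: %s\n", s.PayloadType, s.StatementType, s.PredicateType)
	for _, sub := range s.Subjects {
		fmt.Printf("subject:       %s %v\n", sub.Name, sub.Digest)
	}
	fmt.Printf("signatures:    %d (not verified)\n", s.SignatureCount)
}
```

Keeping the `Verified` field hard-wired to false, and printing "not verified" next to the signature count, is the cheapest way to honour the concern raised earlier in the thread: the output describes what the file claims, and nothing in it can be read as an audit result.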