Closed upodroid closed 2 years ago
@mattmoor
I'm having a hard time working out the Provenance piece.
Using net-certmanager as an example.
To build images, we call https://github.com/knative-sandbox/net-certmanager/blob/main/vendor/knative.dev/hack/release.sh and https://github.com/knative-sandbox/net-certmanager/blob/main/hack/release.sh.
A typical run looks like this. https://storage.googleapis.com/knative-prow/logs/nightly_net-certmanager_main_periodic/1550767763880939520/build-log.txt
If I supply the SBOM as the predicate and run `cosign attest --predicate sbom.json --key gcpkms://projects/knative-nightly/locations/global/keyRings/cosign/cryptoKeys/signing-key gcr.io/knative-nightly/knative.dev/container-freezer/cmd/daemon`, it only meets half of the requirements and I get an attestation that looks like this:
```yaml
---
_type: https://in-toto.io/Statement/v0.1
predicateType: cosign.sigstore.dev/attestation/v1
subject:
- name: gcr.io/knative-nightly/knative.dev/container-freezer/cmd/daemon
  digest:
    sha256: '06846e64a6b6e954df9a8253ad9a2fa62b81a5b8e960f38a258ced50b9366d70'
predicate:
  Data: |
    {
      "SPDXID": "SPDXRef-DOCUMENT",
      "name": "sbom-sha256:06846e64a6b6e954df9a8253ad9a2fa62b81a5b8e960f38a258ced50b9366d70",
      "spdxVersion": "SPDX-2.2",
      "creationInfo": {
        "created": "2022-07-23T02:16:23Z",
        "creators": [
          "Tool: ko v0.11.3-0.20220715180928-3d362cf6702f"
        ]
      },
      "dataLicense": "CC0-1.0",
      "documentNamespace": "http://spdx.org/spdxdocs/ko/sha256:06846e64a6b6e954df9a8253ad9a2fa62b81a5b8e960f38a258ced50b9366d70",
      "documentDescribes": [
        "SPDXRef-Package-sha256-06846e64a6b6e954df9a8253ad9a2fa62b81a5b8e960f38a258ced50b9366d70"
      ],
      "packages": [
        {
          "SPDXID": "SPDXRef-Package-sha256-06846e64a6b6e954df9a8253ad9a2fa62b81a5b8e960f38a258ced50b9366d70",
          "name": "sha256:06846e64a6b6e954df9a8253ad9a2fa62b81a5b8e960f38a258ced50b9366d70",
          "filesAnalyzed": false,
          "licenseDeclared": "NOASSERTION",
          "licenseConcluded": "NOASSERTION",
          "downloadLocation": "NOASSERTION",
          "copyrightText": "NOASSERTION",
          "checksums": [
            {
              "algorithm": "SHA256",
              "checksumValue": "06846e64a6b6e954df9a8253ad9a2fa62b81a5b8e960f38a258ced50b9366d70"
            }
          ],
          "externalRefs": [
            {
              "referenceCategory": "PACKAGE_MANAGER",
              "referenceLocator": "pkg:oci/index@sha256:06846e64a6b6e954df9a8253ad9a2fa62b81a5b8e960f38a258ced50b9366d70?mediaType=application%2Fvnd.oci.image.index.v1%2Bjson",
              "referenceType": "purl"
            }
          ]
        },
        {
          "SPDXID": "SPDXRef-Package-sha256-683737dbc197ac24fae46b4fc0b9bca0dabc495ff2bd0bbe8334e97685d91b2c",
          "name": "ghcr.io/distroless/static@sha256:683737dbc197ac24fae46b4fc0b9bca0dabc495ff2bd0bbe8334e97685d91b2c",
          "versionInfo": "ghcr.io/distroless/static:latest",
          "filesAnalyzed": false,
          "licenseDeclared": "NOASSERTION",
          "licenseConcluded": "NOASSERTION",
          "downloadLocation": "NOASSERTION",
          "copyrightText": "NOASSERTION",
          "checksums": [
            {
              "algorithm": "SHA256",
              "checksumValue": "683737dbc197ac24fae46b4fc0b9bca0dabc495ff2bd0bbe8334e97685d91b2c"
            }
          ],
          "externalRefs": [
            {
              "referenceCategory": "PACKAGE_MANAGER",
              "referenceLocator": "pkg:oci/image@sha256:683737dbc197ac24fae46b4fc0b9bca0dabc495ff2bd0bbe8334e97685d91b2c?repository_url=ghcr.io%2Fdistroless%2Fstatic\u0026tag=latest",
              "referenceType": "purl"
            }
          ]
        },
        {
          "SPDXID": "SPDXRef-Package-sha256-5c435970807e375629d1212ab22a77f63febe7ee9562050cf9ef08faa59f6538",
          "name": "sha256:5c435970807e375629d1212ab22a77f63febe7ee9562050cf9ef08faa59f6538",
          "versionInfo": "linux/386",
          "filesAnalyzed": false,
          "licenseDeclared": "NOASSERTION",
          "licenseConcluded": "NOASSERTION",
          "downloadLocation": "NOASSERTION",
          "copyrightText": "NOASSERTION",
          "checksums": [
            {
              "algorithm": "SHA256",
              "checksumValue": "5c435970807e375629d1212ab22a77f63febe7ee9562050cf9ef08faa59f6538"
            }
          ],
          "externalRefs": [
            {
              "referenceCategory": "PACKAGE_MANAGER",
              "referenceLocator": "pkg:oci/image@sha256:5c435970807e375629d1212ab22a77f63febe7ee9562050cf9ef08faa59f6538?arch=386\u0026mediaType=application%2Fvnd.oci.image.manifest.v1%2Bjson\u0026os=linux",
              "referenceType": "purl"
            }
          ]
        },
        {
          "SPDXID": "SPDXRef-Package-sha256-3db31766df168607a4841ac8d785b7d1e6249df42a9463bb68be1832e3e05f5e",
          "name": "sha256:3db31766df168607a4841ac8d785b7d1e6249df42a9463bb68be1832e3e05f5e",
          "versionInfo": "linux/amd64",
          "filesAnalyzed": false,
          "licenseDeclared": "NOASSERTION",
          "licenseConcluded": "NOASSERTION",
          "downloadLocation": "NOASSERTION",
          "copyrightText": "NOASSERTION",
          "checksums": [
            {
              "algorithm": "SHA256",
              "checksumValue": "3db31766df168607a4841ac8d785b7d1e6249df42a9463bb68be1832e3e05f5e"
            }
          ],
          "externalRefs": [
            {
              "referenceCategory": "PACKAGE_MANAGER",
              "referenceLocator": "pkg:oci/image@sha256:3db31766df168607a4841ac8d785b7d1e6249df42a9463bb68be1832e3e05f5e?arch=amd64\u0026mediaType=application%2Fvnd.oci.image.manifest.v1%2Bjson\u0026os=linux",
              "referenceType": "purl"
            }
          ]
        },
        {
          "SPDXID": "SPDXRef-Package-sha256-5f62eb2d4c266818bc00d6e1b59a23a07232c0e55fd936f444ab4a1ea34d94e5",
          "name": "sha256:5f62eb2d4c266818bc00d6e1b59a23a07232c0e55fd936f444ab4a1ea34d94e5",
          "versionInfo": "linux/arm/v6",
          "filesAnalyzed": false,
          "licenseDeclared": "NOASSERTION",
          "licenseConcluded": "NOASSERTION",
          "downloadLocation": "NOASSERTION",
          "copyrightText": "NOASSERTION",
          "checksums": [
            {
              "algorithm": "SHA256",
              "checksumValue": "5f62eb2d4c266818bc00d6e1b59a23a07232c0e55fd936f444ab4a1ea34d94e5"
            }
          ],
          "externalRefs": [
            {
              "referenceCategory": "PACKAGE_MANAGER",
              "referenceLocator": "pkg:oci/image@sha256:5f62eb2d4c266818bc00d6e1b59a23a07232c0e55fd936f444ab4a1ea34d94e5?arch=arm\u0026mediaType=application%2Fvnd.oci.image.manifest.v1%2Bjson\u0026os=linux\u0026variant=v6",
              "referenceType": "purl"
            }
          ]
        },
        {
          "SPDXID": "SPDXRef-Package-sha256-ba0959c87fc72ef00beb4af63ec93022cbf3a2057a55684c71b7ef267f774e3f",
          "name": "sha256:ba0959c87fc72ef00beb4af63ec93022cbf3a2057a55684c71b7ef267f774e3f",
          "versionInfo": "linux/arm/v7",
          "filesAnalyzed": false,
          "licenseDeclared": "NOASSERTION",
          "licenseConcluded": "NOASSERTION",
          "downloadLocation": "NOASSERTION",
          "copyrightText": "NOASSERTION",
          "checksums": [
            {
              "algorithm": "SHA256",
              "checksumValue": "ba0959c87fc72ef00beb4af63ec93022cbf3a2057a55684c71b7ef267f774e3f"
            }
          ],
          "externalRefs": [
            {
              "referenceCategory": "PACKAGE_MANAGER",
              "referenceLocator": "pkg:oci/image@sha256:ba0959c87fc72ef00beb4af63ec93022cbf3a2057a55684c71b7ef267f774e3f?arch=arm\u0026mediaType=application%2Fvnd.oci.image.manifest.v1%2Bjson\u0026os=linux\u0026variant=v7",
              "referenceType": "purl"
            }
          ]
        },
        {
          "SPDXID": "SPDXRef-Package-sha256-7cc2080eed1a84179c353807169fdc09ca0866c1c219c9c138170b375132925b",
          "name": "sha256:7cc2080eed1a84179c353807169fdc09ca0866c1c219c9c138170b375132925b",
          "versionInfo": "linux/arm64",
          "filesAnalyzed": false,
          "licenseDeclared": "NOASSERTION",
          "licenseConcluded": "NOASSERTION",
          "downloadLocation": "NOASSERTION",
          "copyrightText": "NOASSERTION",
          "checksums": [
            {
              "algorithm": "SHA256",
              "checksumValue": "7cc2080eed1a84179c353807169fdc09ca0866c1c219c9c138170b375132925b"
            }
          ],
          "externalRefs": [
            {
              "referenceCategory": "PACKAGE_MANAGER",
              "referenceLocator": "pkg:oci/image@sha256:7cc2080eed1a84179c353807169fdc09ca0866c1c219c9c138170b375132925b?arch=arm64\u0026mediaType=application%2Fvnd.oci.image.manifest.v1%2Bjson\u0026os=linux",
              "referenceType": "purl"
            }
          ]
        },
        {
          "SPDXID": "SPDXRef-Package-sha256-5f920b8fbc8ec2194966af61eb78ead3407b20c50d774489eb6d42ed6e1ced01",
          "name": "sha256:5f920b8fbc8ec2194966af61eb78ead3407b20c50d774489eb6d42ed6e1ced01",
          "versionInfo": "linux/ppc64le",
          "filesAnalyzed": false,
          "licenseDeclared": "NOASSERTION",
          "licenseConcluded": "NOASSERTION",
          "downloadLocation": "NOASSERTION",
          "copyrightText": "NOASSERTION",
          "checksums": [
            {
              "algorithm": "SHA256",
              "checksumValue": "5f920b8fbc8ec2194966af61eb78ead3407b20c50d774489eb6d42ed6e1ced01"
            }
          ],
          "externalRefs": [
            {
              "referenceCategory": "PACKAGE_MANAGER",
              "referenceLocator": "pkg:oci/image@sha256:5f920b8fbc8ec2194966af61eb78ead3407b20c50d774489eb6d42ed6e1ced01?arch=ppc64le\u0026mediaType=application%2Fvnd.oci.image.manifest.v1%2Bjson\u0026os=linux",
              "referenceType": "purl"
            }
          ]
        },
        {
          "SPDXID": "SPDXRef-Package-sha256-93b6f1a2fe540a515ca06b23c65847371fb2e58790734d7042677991554f535d",
          "name": "sha256:93b6f1a2fe540a515ca06b23c65847371fb2e58790734d7042677991554f535d",
          "versionInfo": "linux/riscv64",
          "filesAnalyzed": false,
          "licenseDeclared": "NOASSERTION",
          "licenseConcluded": "NOASSERTION",
          "downloadLocation": "NOASSERTION",
          "copyrightText": "NOASSERTION",
          "checksums": [
            {
              "algorithm": "SHA256",
              "checksumValue": "93b6f1a2fe540a515ca06b23c65847371fb2e58790734d7042677991554f535d"
            }
          ],
          "externalRefs": [
            {
              "referenceCategory": "PACKAGE_MANAGER",
              "referenceLocator": "pkg:oci/image@sha256:93b6f1a2fe540a515ca06b23c65847371fb2e58790734d7042677991554f535d?arch=riscv64\u0026mediaType=application%2Fvnd.oci.image.manifest.v1%2Bjson\u0026os=linux",
              "referenceType": "purl"
            }
          ]
        },
        {
          "SPDXID": "SPDXRef-Package-sha256-ac4bcb7d1a2b83f42bb367b5d4cb45f81f3844dd889cb8c5721fab2a21cc3af2",
          "name": "sha256:ac4bcb7d1a2b83f42bb367b5d4cb45f81f3844dd889cb8c5721fab2a21cc3af2",
          "versionInfo": "linux/s390x",
          "filesAnalyzed": false,
          "licenseDeclared": "NOASSERTION",
          "licenseConcluded": "NOASSERTION",
          "downloadLocation": "NOASSERTION",
          "copyrightText": "NOASSERTION",
          "checksums": [
            {
              "algorithm": "SHA256",
              "checksumValue": "ac4bcb7d1a2b83f42bb367b5d4cb45f81f3844dd889cb8c5721fab2a21cc3af2"
            }
          ],
          "externalRefs": [
            {
              "referenceCategory": "PACKAGE_MANAGER",
              "referenceLocator": "pkg:oci/image@sha256:ac4bcb7d1a2b83f42bb367b5d4cb45f81f3844dd889cb8c5721fab2a21cc3af2?arch=s390x\u0026mediaType=application%2Fvnd.oci.image.manifest.v1%2Bjson\u0026os=linux",
              "referenceType": "purl"
            }
          ]
        }
      ],
      "relationships": [
        {
          "spdxElementId": "SPDXRef-Package-sha256-06846e64a6b6e954df9a8253ad9a2fa62b81a5b8e960f38a258ced50b9366d70",
          "relationshipType": "DESCENDANT_OF",
          "relatedSpdxElement": "SPDXRef-Package-sha256-683737dbc197ac24fae46b4fc0b9bca0dabc495ff2bd0bbe8334e97685d91b2c"
        },
        {
          "spdxElementId": "SPDXRef-Package-sha256-06846e64a6b6e954df9a8253ad9a2fa62b81a5b8e960f38a258ced50b9366d70",
          "relationshipType": "VARIANT_OF",
          "relatedSpdxElement": "SPDXRef-Package-sha256-5c435970807e375629d1212ab22a77f63febe7ee9562050cf9ef08faa59f6538"
        },
        {
          "spdxElementId": "SPDXRef-Package-sha256-06846e64a6b6e954df9a8253ad9a2fa62b81a5b8e960f38a258ced50b9366d70",
          "relationshipType": "VARIANT_OF",
          "relatedSpdxElement": "SPDXRef-Package-sha256-3db31766df168607a4841ac8d785b7d1e6249df42a9463bb68be1832e3e05f5e"
        },
        {
          "spdxElementId": "SPDXRef-Package-sha256-06846e64a6b6e954df9a8253ad9a2fa62b81a5b8e960f38a258ced50b9366d70",
          "relationshipType": "VARIANT_OF",
          "relatedSpdxElement": "SPDXRef-Package-sha256-5f62eb2d4c266818bc00d6e1b59a23a07232c0e55fd936f444ab4a1ea34d94e5"
        },
        {
          "spdxElementId": "SPDXRef-Package-sha256-06846e64a6b6e954df9a8253ad9a2fa62b81a5b8e960f38a258ced50b9366d70",
          "relationshipType": "VARIANT_OF",
          "relatedSpdxElement": "SPDXRef-Package-sha256-ba0959c87fc72ef00beb4af63ec93022cbf3a2057a55684c71b7ef267f774e3f"
        },
        {
          "spdxElementId": "SPDXRef-Package-sha256-06846e64a6b6e954df9a8253ad9a2fa62b81a5b8e960f38a258ced50b9366d70",
          "relationshipType": "VARIANT_OF",
          "relatedSpdxElement": "SPDXRef-Package-sha256-7cc2080eed1a84179c353807169fdc09ca0866c1c219c9c138170b375132925b"
        },
        {
          "spdxElementId": "SPDXRef-Package-sha256-06846e64a6b6e954df9a8253ad9a2fa62b81a5b8e960f38a258ced50b9366d70",
          "relationshipType": "VARIANT_OF",
          "relatedSpdxElement": "SPDXRef-Package-sha256-5f920b8fbc8ec2194966af61eb78ead3407b20c50d774489eb6d42ed6e1ced01"
        },
        {
          "spdxElementId": "SPDXRef-Package-sha256-06846e64a6b6e954df9a8253ad9a2fa62b81a5b8e960f38a258ced50b9366d70",
          "relationshipType": "VARIANT_OF",
          "relatedSpdxElement": "SPDXRef-Package-sha256-93b6f1a2fe540a515ca06b23c65847371fb2e58790734d7042677991554f535d"
        },
        {
          "spdxElementId": "SPDXRef-Package-sha256-06846e64a6b6e954df9a8253ad9a2fa62b81a5b8e960f38a258ced50b9366d70",
          "relationshipType": "VARIANT_OF",
          "relatedSpdxElement": "SPDXRef-Package-sha256-ac4bcb7d1a2b83f42bb367b5d4cb45f81f3844dd889cb8c5721fab2a21cc3af2"
        }
      ]
    }
  Timestamp: '2022-07-23T11:18:34Z'
```
On a sidenote, for SLSA 2+ we need to run the release/nightly jobs on GCB to meet the hosted builder requirements.
🤔 something like GCB isn't a requirement for SLSA and in fact will become a problem for higher levels of SLSA because there's no hermetic build option (yet / afaik).
cc @puerco @priyawadhwa
The goal of the provenance attestation is to leave a record of where a bunch of artifacts came from and how they came to be. Essentially you need to let others know what you took in, what you did to those ingredients (using the old slsa terms) and what came out.
What you are doing here is creating an attestation with the SBOM as predicate. It has its use cases too, but that document is essentially saying:
"The SBOM for these artifacts is this one here." - Signed XXX
The provenance attestation for SLSA needs to have a SLSA Provenance predicate. Now, it is important to consider where and when you generate the attestation to ensure it cannot be forged and that untrusted/falsifiable data cannot make it into the attestation. I am happy to chat about options and to share some of the tools we are building for kubernetes as part of the SLSA 3 compliance effort.
I wrote a provenance generator that pulls info from prow at run time and generates provenance. Would be great if you could take a look and provide comments/feedback.
This is working now.
```console
REDACTED MCW0CDP3YY ~ $ COSIGN_EXPERIMENTAL=1 cosign verify-attestation gcr.io/knative-nightly/knative.dev/net-contour/cmd/controller:v20221117-0c20c48d --type=slsaprovenance | jq .payload -r | base64 -d | jq

Verification for gcr.io/knative-nightly/knative.dev/net-contour/cmd/controller:v20221117-0c20c48d --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - Existence of the claims in the transparency log was verified offline
  - Any certificates were verified against the Fulcio roots.
Certificate subject: signer@knative-nightly.iam.gserviceaccount.com
Certificate issuer URL: https://accounts.google.com
{
  "_type": "https://in-toto.io/Statement/v0.1",
  "predicateType": "https://slsa.dev/provenance/v0.2",
  "subject": [
    {
      "name": "gcr.io/knative-nightly/knative.dev/net-contour/cmd/controller",
      "digest": {
        "sha256": "51351c6bbb9a1ef81a23fbdcd0fd5cb6660a93e080ff4fec5dbbb235bd4562aa"
      }
    }
  ],
  "predicate": {
    "builder": {
      "id": "https://prow.knative.dev"
    },
    "buildType": "https://prow.knative.dev/ProwJob@v1",
    "invocation": {
      "configSource": {
        "entryPoint": "https://github.com/knative/test-infra/tree/main/prow/jobs/generated/knative-sandbox"
      }
    },
    "buildConfig": {
      "command": [
        "runner.sh",
        "./hack/release.sh",
        "--publish",
        "--tag-release"
      ],
      "entrypoint": {
        "args": [
          "runner.sh",
          "./hack/release.sh",
          "--publish",
          "--tag-release"
        ],
        "artifact_dir": "/logs/artifacts",
        "container_name": "test",
        "grace_period": 15000000000,
        "marker_file": "/logs/marker-file.txt",
        "metadata_file": "/logs/artifacts/metadata.json",
        "process_log": "/logs/process-log.txt",
        "timeout": 7200000000000
      },
      "prowjob": {
        "metadata": {
          "annotations": {
            "prow.k8s.io/context": "",
            "prow.k8s.io/job": "nightly_net-contour_main_periodic",
            "testgrid-dashboards": "net-contour",
            "testgrid-tab-name": "nightly"
          },
          "creationTimestamp": "2022-11-17T09:17:48Z",
          "generation": 4,
          "labels": {
            "created-by-prow": "true",
            "prow.k8s.io/build-id": "1593171537907683328",
            "prow.k8s.io/context": "",
            "prow.k8s.io/id": "b47f38d0-6658-11ed-a6b3-bab8ee42ac78",
            "prow.k8s.io/job": "nightly_net-contour_main_periodic",
            "prow.k8s.io/refs.base_ref": "main",
            "prow.k8s.io/refs.org": "knative-sandbox",
            "prow.k8s.io/refs.repo": "net-contour",
            "prow.k8s.io/type": "periodic"
          },
          "name": "b47f38d0-6658-11ed-a6b3-bab8ee42ac78",
          "namespace": "default",
          "resourceVersion": "171368124",
          "uid": "ca2f214c-1ebf-4c8f-a849-7d377d1aa194"
        },
        "spec": {
          "agent": "kubernetes",
          "cluster": "prow-build",
          "decoration_config": {
            "gcs_configuration": {
              "bucket": "knative-prow",
              "path_strategy": "explicit"
            },
            "gcs_credentials_secret": "gcs-upload",
            "grace_period": "15s",
            "resources": {
              "sidecar": {
                "requests": {
                  "cpu": "100m",
                  "memory": "20Mi"
                }
              }
            },
            "timeout": "2h0m0s",
            "utility_images": {
              "clonerefs": "gcr.io/k8s-prow/clonerefs:v20221111-fe4f3e2158",
              "entrypoint": "gcr.io/k8s-prow/entrypoint:v20221111-fe4f3e2158",
              "initupload": "gcr.io/k8s-prow/initupload:v20221111-fe4f3e2158",
              "sidecar": "gcr.io/k8s-prow/sidecar:v20221111-fe4f3e2158"
            }
          },
          "extra_refs": [
            {
              "base_ref": "main",
              "org": "knative-sandbox",
              "path_alias": "knative.dev/net-contour",
              "repo": "net-contour"
            }
          ],
          "job": "nightly_net-contour_main_periodic",
          "max_concurrency": 1,
          "namespace": "test-pods",
          "pod_spec": {
            "containers": [
              {
                "command": [
                  "runner.sh",
                  "./hack/release.sh",
                  "--publish",
                  "--tag-release"
                ],
                "env": [
                  {
                    "name": "ATTEST_IMAGES",
                    "value": "true"
                  },
                  {
                    "name": "GOOGLE_APPLICATION_CREDENTIALS",
                    "value": "/etc/nightly-account/service-account.json"
                  },
                  {
                    "name": "SIGN_IMAGES",
                    "value": "true"
                  }
                ],
                "image": "gcr.io/knative-tests/test-infra/prow-tests:v20221116-ea6c00cb",
                "name": "",
                "resources": {},
                "securityContext": {
                  "privileged": true
                },
                "volumeMounts": [
                  {
                    "mountPath": "/etc/nightly-account",
                    "name": "nightly-account",
                    "readOnly": true
                  }
                ]
              }
            ],
            "nodeSelector": {
              "kubernetes.io/arch": "amd64",
              "type": "testing"
            },
            "volumes": [
              {
                "name": "nightly-account",
                "secret": {
                  "items": [
                    {
                      "key": "nightly.json",
                      "path": "service-account.json"
                    }
                  ],
                  "secretName": "prow-google-credentials"
                }
              }
            ]
          },
          "prowjob_defaults": {
            "tenant_id": "GlobalDefaultID"
          },
          "report": true,
          "reporter_config": {
            "slack": {
              "channel": "net-contour",
              "job_states_to_report": [
                "failure"
              ],
              "report": true,
              "report_template": "\"The nightly release job fails, check the log: <{{.Status.URL}}|View logs>\"\n"
            }
          },
          "type": "periodic"
        },
        "status": {
          "startTime": null
        }
      }
    },
    "metadata": {
      "buildInvocationID": "1593171537907683328",
      "buildStartedOn": "2022-11-17T09:17:48Z",
      "buildFinishedOn": "2022-11-17T09:55:17.922643222Z",
      "completeness": {
        "parameters": true,
        "environment": true,
        "materials": true
      },
      "reproducible": false
    },
    "materials": [
      {
        "uri": "git+https://github.com/knative-sandbox/net-contour",
        "digest": {
          "sha1": "0c20c48d63512319cbfeabff6c0f3fc764c8df1c"
        }
      }
    ]
  }
}
```
https://slsa.dev/spec/v0.1/requirements
For SLSA 1 we need to do the following:

- Scripted Build: All build steps were fully defined in some sort of “build script”. The only manual command, if any, was to invoke the build script. ✅
- Available: The provenance is available to the consumer in a format that the consumer accepts. The format SHOULD be in-toto SLSA Provenance, but another format MAY be used if both producer and consumer agree and it meets all the other requirements.
- Identifies the artifact: The provenance MUST identify the output artifact via at least one cryptographic hash. The provenance MAY provide multiple identifying cryptographic hashes using different algorithms. When only one hash is provided, the RECOMMENDED algorithm is SHA-256 for cross-system compatibility. If another algorithm is used, it SHOULD be resistant to collisions and second preimages.
- Identifies the builder: The provenance identifies the entity that performed the build and generated the provenance. This represents the entity that the consumer must trust. Examples: “GitHub Actions with a GitHub-hosted worker”, “jdoe@example.com’s machine”.
- Identifies the build instructions: The provenance identifies the top-level instructions used to execute the build. The identified instructions SHOULD be at the highest level available to the build (e.g. if the build is told to run build.sh it should list build.sh and NOT the individual instructions in build.sh).

/kind security
/priority important-soon
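As an added example (not code from this issue, nor from the Knative or cosign projects): a small Python checker that decodes the DSSE envelope `cosign verify-attestation` prints and tests the resulting in-toto Statement against the SLSA 1 provenance requirements listed above, which also shows why the SBOM-predicate attestation from the start of the thread does not qualify while the SLSA-predicate one does. The two sample statements are constructed, cut down from the attestations pasted earlier in the thread; the envelope is constructed and unsigned, so signature verification stays with cosign.

```python
import base64
import json

IN_TOTO_V01 = "https://in-toto.io/Statement/v0.1"
SLSA_V02 = "https://slsa.dev/provenance/v0.2"

def statement_from_envelope(envelope_json: str) -> dict:
    """Decode the DSSE envelope printed by `cosign verify-attestation` (its `payload` is the base64 Statement)."""
    return json.loads(base64.b64decode(json.loads(envelope_json)["payload"]))

def slsa1_problems(statement: dict, expected_digest=None) -> list:
    """Return the SLSA 1 provenance requirements this statement fails (empty list: all met)."""
    problems = []
    if statement.get("_type") != IN_TOTO_V01:
        problems.append("not an in-toto v0.1 Statement")
    # "Available": the predicate must be SLSA Provenance; an SBOM (cosign custom predicate) records nothing about the build.
    if statement.get("predicateType") != SLSA_V02:
        problems.append(f"predicateType is {statement.get('predicateType')!r}, not SLSA Provenance")
        return problems  # the remaining checks assume the SLSA predicate layout
    # "Identifies the artifact": a sha256 per subject, matching the image we are about to trust.
    subjects = statement.get("subject") or []
    if not subjects:
        problems.append("no subject")
    for s in subjects:
        sha256 = (s.get("digest") or {}).get("sha256")
        if not sha256:
            problems.append(f"subject {s.get('name')} has no sha256 digest")
        elif expected_digest and sha256 != expected_digest:
            problems.append(f"subject digest {sha256} != expected {expected_digest}")
    pred = statement.get("predicate") or {}
    # "Identifies the builder": the entity the consumer has to trust.
    if not (pred.get("builder") or {}).get("id"):
        problems.append("builder.id missing")
    # "Identifies the build instructions": the top-level entry point, not the inner steps.
    if not ((pred.get("invocation") or {}).get("configSource") or {}).get("entryPoint"):
        problems.append("invocation.configSource.entryPoint missing")
    # "Scripted build": the recorded command should be the invocation of a build script.
    if not (pred.get("buildConfig") or {}).get("command"):
        problems.append("buildConfig.command missing")
    return problems

# Constructed samples, cut down from the two attestations pasted in the thread.
SBOM_STATEMENT = {
    "_type": IN_TOTO_V01, "predicateType": "cosign.sigstore.dev/attestation/v1",
    "subject": [{"name": "gcr.io/knative-nightly/knative.dev/container-freezer/cmd/daemon",
                 "digest": {"sha256": "06846e64a6b6e954df9a8253ad9a2fa62b81a5b8e960f38a258ced50b9366d70"}}],
    "predicate": {"Data": '{"SPDXID": "SPDXRef-DOCUMENT"}', "Timestamp": "2022-07-23T11:18:34Z"},
}
SLSA_STATEMENT = {
    "_type": IN_TOTO_V01, "predicateType": SLSA_V02,
    "subject": [{"name": "gcr.io/knative-nightly/knative.dev/net-contour/cmd/controller",
                 "digest": {"sha256": "51351c6bbb9a1ef81a23fbdcd0fd5cb6660a93e080ff4fec5dbbb235bd4562aa"}}],
    "predicate": {"builder": {"id": "https://prow.knative.dev"},
                  "invocation": {"configSource": {"entryPoint": "https://github.com/knative/test-infra/tree/main/prow/jobs/generated/knative-sandbox"}},
                  "buildConfig": {"command": ["runner.sh", "./hack/release.sh", "--publish", "--tag-release"]}},
}
# Constructed DSSE envelope around SLSA_STATEMENT, shaped like cosign's output (no signatures here).
SAMPLE_ENVELOPE = json.dumps({"payloadType": "application/vnd.in-toto+json", "signatures": [],
                              "payload": base64.b64encode(json.dumps(SLSA_STATEMENT).encode()).decode()})
```

`slsa1_problems(SBOM_STATEMENT)` reports only the predicateType mismatch, which is exactly the gap the thread is about, while `slsa1_problems(statement_from_envelope(SAMPLE_ENVELOPE))` returns an empty list.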