ratify-project / ratify

Artifact Ratification Framework
https://ratify.dev
Apache License 2.0

add support for SLSA provenance verification #165

Open sozercan opened 2 years ago

sozercan commented 2 years ago

example scenario: check if an image was built from a specific repo, with a specific branch/commit, includes certain reviewers, etc.

https://slsa.dev/provenance/v0.2
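To make the scenario concrete, here is an added example (not Ratify's code, and not from the SLSA project) of the kind of check a provenance verifier would run: it decodes an in-toto statement carrying a SLSA v0.2 predicate and compares the builder id, source repository, git ref and commit SHA against an expected policy. The `Policy` type, the sample statement and all of its values (repository, builder id, digests) are constructed for the example. The v0.2 predicate has no standard field for reviewers, so that part of the scenario is not covered here.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Statement is the subset of an in-toto Statement with a SLSA v0.2 provenance
// predicate (https://slsa.dev/provenance/v0.2) that the checks below need.
// Fields not declared here are ignored by encoding/json.
type Statement struct {
	PredicateType string `json:"predicateType"`
	Subject       []struct {
		Name   string            `json:"name"`
		Digest map[string]string `json:"digest"`
	} `json:"subject"`
	Predicate struct {
		Builder struct {
			ID string `json:"id"`
		} `json:"builder"`
		Invocation struct {
			ConfigSource struct {
				URI    string            `json:"uri"`
				Digest map[string]string `json:"digest"`
			} `json:"configSource"`
		} `json:"invocation"`
	} `json:"predicate"`
}

// Policy is a hypothetical verifier configuration (not Ratify's): what an
// admin expects the provenance to say about who built the image and from where.
type Policy struct {
	BuilderID string // exact builder.id
	SourceURI string // repository part of invocation.configSource.uri
	SourceRef string // git ref after the "@", e.g. refs/heads/main; "" = any
	CommitSHA string // expected configSource.digest.sha1; "" = any
}

// VerifyProvenance decodes a statement and returns every policy violation it
// finds; an empty result means the provenance satisfies the policy. It checks
// predicate contents only: the DSSE envelope signature must already have been
// verified against the builder's key before these fields can be trusted.
func VerifyProvenance(statementJSON []byte, pol Policy) ([]string, error) {
	var st Statement
	if err := json.Unmarshal(statementJSON, &st); err != nil {
		return nil, fmt.Errorf("decoding statement: %w", err)
	}
	var violations []string
	if st.PredicateType != "https://slsa.dev/provenance/v0.2" {
		// The field layout checked below is only defined for v0.2.
		return append(violations, fmt.Sprintf("unexpected predicateType %q", st.PredicateType)), nil
	}
	if len(st.Subject) == 0 {
		violations = append(violations, "statement has no subject")
	}
	if st.Predicate.Builder.ID != pol.BuilderID {
		violations = append(violations, fmt.Sprintf("builder.id %q, want %q", st.Predicate.Builder.ID, pol.BuilderID))
	}
	// In v0.2 the configSource URI carries "<repo>@<ref>"; split at the last "@".
	cs := st.Predicate.Invocation.ConfigSource
	repo, ref := cs.URI, ""
	if i := strings.LastIndex(cs.URI, "@"); i >= 0 {
		repo, ref = cs.URI[:i], cs.URI[i+1:]
	}
	if repo != pol.SourceURI {
		violations = append(violations, fmt.Sprintf("source repo %q, want %q", repo, pol.SourceURI))
	}
	if pol.SourceRef != "" && ref != pol.SourceRef {
		violations = append(violations, fmt.Sprintf("source ref %q, want %q", ref, pol.SourceRef))
	}
	if pol.CommitSHA != "" && cs.Digest["sha1"] != pol.CommitSHA {
		violations = append(violations, fmt.Sprintf("source commit %q, want %q", cs.Digest["sha1"], pol.CommitSHA))
	}
	return violations, nil
}

// SampleStatement is a constructed SLSA v0.2 statement; every value is made up.
const SampleStatement = `{
  "_type": "https://in-toto.io/Statement/v0.1",
  "predicateType": "https://slsa.dev/provenance/v0.2",
  "subject": [{"name": "registry.example/app",
               "digest": {"sha256": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"}}],
  "predicate": {
    "builder": {"id": "https://github.com/example-org/builder@v1"},
    "buildType": "https://example.com/build-types/container@v1",
    "invocation": {"configSource": {
      "uri": "git+https://github.com/example-org/app@refs/heads/main",
      "digest": {"sha1": "1111111111111111111111111111111111111111"},
      "entryPoint": ".github/workflows/build.yml"}}
  }
}`

// ExpectedPolicy is the constructed admin expectation matching SampleStatement.
var ExpectedPolicy = Policy{
	BuilderID: "https://github.com/example-org/builder@v1",
	SourceURI: "git+https://github.com/example-org/app",
	SourceRef: "refs/heads/main",
	CommitSHA: "1111111111111111111111111111111111111111",
}

func main() {
	violations, err := VerifyProvenance([]byte(SampleStatement), ExpectedPolicy)
	fmt.Println("violations:", violations, "err:", err)
}
```

Changing `ExpectedPolicy.CommitSHA` or `SourceRef` before running makes the corresponding mismatch show up in the returned list, which is the shape of report a verifier could hand to a policy engine instead of deciding itself.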

susanshi commented 2 years ago

thanks for bringing this up @sozercan. Do you think the SLSA provenance store/verifier experience will be similar to the spdx example?

In the spdx example, the spdx verifier configuration specified a list of allowedLicenses. Will the branch/reviewer validation for the provenance likely be specific to individual image verification?

susanshi commented 2 years ago

Hi @sozercan, we had a discussion around this item in our community meeting. We have an item tracking OPA policy integration. We want to build a general JSON verifier based on OPA policy integration (verification as OPA policy). This would avoid building a specific verifier that is schema-dependent. Does this align with your vision?

susanshi commented 2 years ago

We also discussed another passthrough option where ratify can return a report and keep the decision in keep based on rego policy

sozercan commented 2 years ago

Options are for different personas here; for ratify, it would be the admin, while handling it in rego is the policy author as a Gatekeeper external data provider.

If ratify wants to validate SLSA provenance standalone (without GK or with other tools), then ratify will need a verifier for this.

jeremyrickard commented 1 year ago

This might be something that could be leveraged: https://github.com/slsa-framework/slsa-verifier