slsa-framework / slsa-github-generator

Language-agnostic SLSA provenance generation for Github Actions
Apache License 2.0

[feature][byob] Remove private inputs from provenance #2060

Open laurentsimon opened 1 year ago

laurentsimon commented 1 year ago

We had an issue about it, but I could not find it so I'm creating this new one.

We need to mask private fields of GH context for privacy reasons: username, etc. Or, alternatively, we don't record the entire context since only a few triggers are meant to be supported by v1.0 and we can record each event's specific information instead. Note: removing the GH context has implications for branch / tag verification, so the logic would need to change.

ianlewis commented 1 year ago

We have a number of TODOs in the code pointing to #1575 relating to masking data in provenance. For v1.0 provenance we currently include the entire event object which is problematic. https://github.com/slsa-framework/slsa-github-generator/blob/8f12c7b08b0fde2eb6580658797e23e56198c9c0/.github/actions/verify-token/src/predicate1.ts#L109-L115

laurentsimon commented 1 year ago

https://github.com/slsa-framework/slsa-github-generator/issues/1575 was more about TRW-specific sensitive inputs. The GH payload we record is the one we need to address next before BYOB release.
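As an added example, not code from slsa-github-generator and not the predicate1.ts logic linked above, here is one way to do what the two points in this thread ask for: instead of recording the whole GitHub event object, project it onto a per-trigger allowlist of fields (the "record each event's specific information" option), keep enough for branch / tag verification, and run a denylist scan over the result as a second check that no identity fields (sender, pusher, author e-mail) leaked. It is TypeScript, the language of the project's actions. The allowlist contents, the denied key names, the function names and the sample payload are this example's own assumptions, not the project's.

```typescript
// Added example (not slsa-github-generator code): reduce a GitHub event payload
// to a per-trigger allowlist before recording it in provenance, so identity
// fields (sender, pusher, author e-mail, ...) never reach the predicate.
// Allowlist contents, denied keys and function names are assumptions of this example.

type Json = string | number | boolean | null | Json[] | { [key: string]: Json };
type JsonObject = { [key: string]: Json };

// Dot-separated paths kept per event name. Only what branch/tag verification
// needs is listed; everything else in the payload is dropped. Paths should
// name scalar leaves: leaf values are copied by reference, not deep-cloned.
const ALLOWED_FIELDS: Record<string, string[]> = {
  push: ["ref", "before", "after", "repository.full_name", "repository.html_url"],
  release: ["action", "release.tag_name", "release.target_commitish", "repository.full_name"],
  workflow_dispatch: ["ref", "repository.full_name"],
};

// Key names that must never appear in recorded provenance. Used as a
// defence-in-depth check on the allowlist's output, not as the primary filter.
const DENIED_KEYS = new Set(["sender", "pusher", "actor", "email", "login", "author"]);

function isObject(v: Json | undefined): v is JsonObject {
  return typeof v === "object" && v !== null && !Array.isArray(v);
}

// Reads a dot-separated path; undefined if any segment is missing.
function getPath(obj: JsonObject, path: string): Json | undefined {
  let cur: Json | undefined = obj;
  for (const part of path.split(".")) {
    if (!isObject(cur)) return undefined;
    cur = cur[part];
  }
  return cur;
}

// Writes a dot-separated path, creating intermediate objects as needed.
function setPath(obj: JsonObject, path: string, value: Json): void {
  const parts = path.split(".");
  const last = parts.pop() ?? path;
  let cur = obj;
  for (const part of parts) {
    const next = cur[part];
    if (isObject(next)) {
      cur = next;
    } else {
      const fresh: JsonObject = {};
      cur[part] = fresh;
      cur = fresh;
    }
  }
  cur[last] = value;
}

// Returns a fresh object holding only the allowlisted fields of `payload`.
// Triggers without an allowlist are rejected rather than recorded wholesale.
function redactEventPayload(eventName: string, payload: JsonObject): JsonObject {
  const allowed = ALLOWED_FIELDS[eventName];
  if (allowed === undefined) throw new Error(`unsupported trigger: ${eventName}`);
  const out: JsonObject = {};
  for (const path of allowed) {
    const v = getPath(payload, path);
    if (v !== undefined) setPath(out, path, v);
  }
  return out;
}

// Recursively looks for denied key names anywhere in a value; true means a leak.
function containsDeniedKey(v: Json): boolean {
  if (Array.isArray(v)) return v.some((item) => containsDeniedKey(item));
  if (!isObject(v)) return false;
  return Object.entries(v).some(([k, child]) => DENIED_KEYS.has(k) || containsDeniedKey(child));
}

// The ref that branch/tag verification can still derive from the reduced payload.
function refFromRedacted(eventName: string, redacted: JsonObject): string | undefined {
  if (eventName === "release") {
    const tag = getPath(redacted, "release.tag_name");
    return typeof tag === "string" ? `refs/tags/${tag}` : undefined;
  }
  const ref = redacted["ref"];
  return typeof ref === "string" ? ref : undefined;
}

// Constructed sample in the shape of a push event, with identity fields present.
const SAMPLE_PUSH_PAYLOAD: JsonObject = {
  ref: "refs/heads/main",
  before: "0000000000000000000000000000000000000000",
  after: "1111111111111111111111111111111111111111",
  repository: {
    full_name: "example-org/example-repo",
    html_url: "https://github.com/example-org/example-repo",
    private: false,
  },
  pusher: { name: "some-user", email: "some-user@example.com" },
  sender: { login: "some-user", id: 12345 },
  head_commit: { message: "constructed", author: { name: "Some User", email: "some-user@example.com" } },
};
```

Usage: call `redactEventPayload(process.env.GITHUB_EVENT_NAME, eventJson)` at the point where the predicate is built, then feed only the returned object into the provenance; `containsDeniedKey` on the result is a cheap guard against a future allowlist entry that accidentally names a subtree containing identity data. Because the allowlist is keyed by trigger, adding support for a new event type means adding an explicit entry, which matches the "only a few triggers are meant to be supported" constraint rather than defaulting to recording everything.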