Open laurentsimon opened 1 year ago
note: we currently verify the image 'immutability' before the API call https://github.com/slsa-framework/slsa-verifier/blob/main/cli/slsa-verifier/verify/verify_image.go#L56. This should probably be handled within the API instead
https://github.com/slsa-framework/slsa-verifier/issues/475#issuecomment-1428814820
Also, we currently have a single ProvenanceOpts https://github.com/slsa-framework/slsa-verifier/blob/main/options/options.go, but this may need to be different for each option: verify-image, verify-artifact, verify-npm-package. For example, for npm, we need additional options like package-name, package-version, attestations-path (?), so it would make sense to have dedicated structures for each.
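
A sketch of the two ideas in the issue above, added here as an example and not slsa-verifier's code: the image immutability check sits inside the API-side function so library callers cannot skip it, and each command gets its own options structure. All type and function names are hypothetical, and "immutable" is assumed to mean a reference pinned by a sha256 digest.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

var ErrMutableImage = errors.New("image reference is not pinned by digest")

// Assumption: an immutable reference ends in @sha256:<64 lowercase hex chars>.
var digestRef = regexp.MustCompile(`^[^@\s]+@sha256:[a-f0-9]{64}$`)

// ImageOpts and NpmOpts are hypothetical dedicated structures, one per command.
type ImageOpts struct{ ExpectedSourceURI string }

type NpmOpts struct {
	ExpectedSourceURI, PackageName, PackageVersion string
	AttestationsPath                               string // left optional here
}

// Validate rejects npm options that omit the fields only npm needs.
func (o NpmOpts) Validate() error {
	if o.ExpectedSourceURI == "" || o.PackageName == "" || o.PackageVersion == "" {
		return errors.New("npm: source URI, package name and package version are required")
	}
	return nil
}

// CheckImage is the first step a hypothetical VerifyImage API would run.
// A tag-only reference can be re-pointed after verification, so it is refused.
func CheckImage(image string, o ImageOpts) error {
	if !digestRef.MatchString(image) {
		return fmt.Errorf("%w: %q", ErrMutableImage, image)
	}
	if o.ExpectedSourceURI == "" {
		return errors.New("image: expected source URI is required")
	}
	return nil
}

func main() {
	// Constructed sample references; the digest is a placeholder value.
	digest := "sha256:" + strings.Repeat("a", 64)
	opts := ImageOpts{ExpectedSourceURI: "github.com/example/app"}
	for _, ref := range []string{"ghcr.io/example/app:latest", "ghcr.io/example/app@" + digest} {
		fmt.Printf("%s -> %v\n", ref, CheckImage(ref, opts))
	}
}
```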