Link & SLSA attestor #149

Merged
merged 43 commits into from
May 9, 2024

Commits on Feb 5, 2024

  1. Initial link attestor

    Signed-off-by: John Kjell <john@testifysec.com>
    jkjell committed Feb 5, 2024
    63410d4
  2. refactor: move gitoid code to cryptoutil, use digestvalue everywhere (#…

    …139)
    
    When the functionality to calculate gitoids was added, there was a bit
    of tech debt incurred since they didn't implement hash.Hash. This
    remedies this with an admittedly hacky implementation of hash.Hash that
    wraps the gitoid code. This also standardizes our cryptoutil functions
    around the DigestValue struct that was added around this time to
    differentiate between gitoids and regular hash functions.
    
    Signed-off-by: Mikhail Swift <mikhail@testifysec.com>
    Signed-off-by: John Kjell <john@testifysec.com>
    mikhailswift authored and jkjell committed Feb 5, 2024
    7da776c
  3. chore: bump actions/upload-artifact from 4.2.0 to 4.3.0 (#142)

    Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.2.0 to 4.3.0.
    - [Release notes](https://github.com/actions/upload-artifact/releases)
    - [Commits](actions/upload-artifact@694cdab...26f96df)
    
    ---
    updated-dependencies:
    - dependency-name: actions/upload-artifact
      dependency-type: direct:production
      update-type: version-update:semver-minor
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    Signed-off-by: John Kjell <john@testifysec.com>
    dependabot[bot] authored and jkjell committed Feb 5, 2024
    924eb1f
  4. chore: bump github/codeql-action from 3.23.1 to 3.23.2 (#143)

    Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.23.1 to 3.23.2.
    - [Release notes](https://github.com/github/codeql-action/releases)
    - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
    - [Commits](github/codeql-action@0b21cf2...b7bf0a3)
    
    ---
    updated-dependencies:
    - dependency-name: github/codeql-action
      dependency-type: direct:production
      update-type: version-update:semver-patch
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    Co-authored-by: Tom Meadows <tom@tmlabs.co.uk>
    Signed-off-by: John Kjell <john@testifysec.com>
    2 people authored and jkjell committed Feb 5, 2024
    856b500
  5. Adding job to auto cut releases (#141)

    adding job to auto cut releases
    
    Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>
    Signed-off-by: John Kjell <john@testifysec.com>
    ChaosInTheCRD authored and jkjell committed Feb 5, 2024
    315793e
  6. fixing error in github actions workflow (#147)

    fixing error in workflow
    
    Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>
    Signed-off-by: John Kjell <john@testifysec.com>
    ChaosInTheCRD authored and jkjell committed Feb 5, 2024
    ad61b8a
  7. RunAttestors refactor (#131)

    * improving run attestors
    
    Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>
    
    * finalising changes.
    
    Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>
    
    * improving run attestors
    
    Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>
    
    * finalising changes.
    
    Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>
    
    * addressing review, restoring run type order
    
    Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>
    
    * updating error handling logic
    
    Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>
    
    * updating to go 1.21 for errors.Join
    
    Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>
    
    ---------
    
    Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>
    Signed-off-by: Tom Meadows <tom@tmlabs.co.uk>
    Signed-off-by: John Kjell <john@testifysec.com>
    ChaosInTheCRD authored and jkjell committed Feb 5, 2024
    ed1dfef
  8. Adding workaround due to failing workflows (#145)

    adding workaround due to failing workflows
    
    Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>
    Signed-off-by: John Kjell <john@testifysec.com>
    ChaosInTheCRD authored and jkjell committed Feb 5, 2024
    ed519d1
  9. Checking policy signature against cert constraints (#144)

    * adding logic so policy signature can be checked against constraints
    * threaded options into policy validation functionary
    ---------
    
    Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>
    Signed-off-by: John Kjell <john@testifysec.com>
    Co-authored-by: John Kjell <john@testifysec.com>
    Signed-off-by: John Kjell <john@testifysec.com>
    ChaosInTheCRD and jkjell committed Feb 5, 2024
    04a8ef4
  10. [StepSecurity] ci: Harden GitHub Actions (#148)

    Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
    Signed-off-by: John Kjell <john@testifysec.com>
    step-security-bot authored and jkjell committed Feb 5, 2024
    3cff01c
  11. Add import for init and export variables

    Signed-off-by: John Kjell <john@testifysec.com>
    jkjell committed Feb 5, 2024
    3d7747b
  12. Add multiple results to run to allow exporting attestors to individual…

    … files
    
    Signed-off-by: John Kjell <john@testifysec.com>
    jkjell committed Feb 5, 2024
    7a1a1f7
  13. Add collection to result array

    Signed-off-by: John Kjell <john@testifysec.com>
    jkjell committed Feb 5, 2024
    fb27f55
  14. Replace export parameters in run with attestor option

    Signed-off-by: John Kjell <john@testifysec.com>
    jkjell committed Feb 5, 2024
    af0470f
  15. Fix golang lint issues

    Signed-off-by: John Kjell <john@testifysec.com>
    jkjell committed Feb 5, 2024
    8e2aaa4
  16. Merge branch 'main' into link-attestor

    Signed-off-by: John Kjell <john@testifysec.com>
    jkjell authored Feb 5, 2024
    bb8a962

Commits on Feb 12, 2024

  1. Update link attestor testing

    Signed-off-by: John Kjell <john@testifysec.com>
    jkjell committed Feb 12, 2024
    62057c3

Commits on Mar 22, 2024

  1. Merge branch 'main' into link-attestor

    Signed-off-by: John Kjell <john@testifysec.com>
    jkjell authored Mar 22, 2024
    bb035a0

Commits on Mar 23, 2024

  1. Add SLSA attestor

    Signed-off-by: John Kjell <john@testifysec.com>
    jkjell committed Mar 23, 2024
    b11d528
  2. Add interface for product attestor

    Signed-off-by: John Kjell <john@testifysec.com>
    jkjell committed Mar 23, 2024
    ae52a37
  3. Add more attestor interfaces

    Signed-off-by: John Kjell <john@testifysec.com>
    jkjell committed Mar 23, 2024
    8f016d9

Commits on Mar 25, 2024

  1. Address some review feedback, licenses, and golanglint

    Signed-off-by: John Kjell <john@testifysec.com>
    jkjell committed Mar 25, 2024
    885a436
  2. More golangcilint errors

    Signed-off-by: John Kjell <john@testifysec.com>
    jkjell committed Mar 25, 2024
    0bf0842

Commits on Apr 2, 2024

  1. WIP - Improve testing interfaces for exposing data fields

    Signed-off-by: John Kjell <john@testifysec.com>
    jkjell committed Apr 2, 2024
    21006a2
  2. Merge branch 'main' into link-attestor

    Signed-off-by: John Kjell <john@testifysec.com>
    jkjell authored Apr 2, 2024
    74a58da

Commits on Apr 4, 2024

  1. 420a746
  2. added changes

    ChaosInTheCRD committed Apr 4, 2024
    61e8165
  3. b8923d2
  4. Link attestor proposed changes (#204)

    * unmarshal the time in the attestation collection correctly (#203)
    * add StepName to AttestorContext
    * use CollectionAttestion to properly set start/end times
    ---------
    
    Signed-off-by: John Kjell <john@testifysec.com>
    Co-authored-by: Cole Kennedy <colek42@gmail.com>
    Co-authored-by: Cole <cole@testifysec.com>
    Co-authored-by: John Kjell <john@testifysec.com>
    4 people authored Apr 4, 2024
    4d86ee9

Commits on Apr 5, 2024

  1. Merge branch 'link-attestor' of github.com:in-toto/go-witness into li…

    …nk-attestor
    
    Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>
    ChaosInTheCRD committed Apr 5, 2024
    1d19081

Commits on Apr 6, 2024

  1. 690505e
  2. Passing SLSA Attest tests for GitHub and GitLab

    Signed-off-by: John Kjell <john@testifysec.com>
    jkjell committed Apr 6, 2024
    450a306
  3. Clean up

    Signed-off-by: John Kjell <john@testifysec.com>
    jkjell committed Apr 6, 2024
    33f3905

Commits on Apr 7, 2024

  1. Add attestation test for link attestor

    Signed-off-by: John Kjell <john@testifysec.com>
    jkjell committed Apr 7, 2024
    dba3c39

Commits on Apr 10, 2024

  1. Add data function for git interface and remove unused code

    Signed-off-by: John Kjell <john@testifysec.com>
    jkjell committed Apr 10, 2024
    4e37a04
  2. f6b9f69
  3. adding warning message for slsa attestor

    Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>
    ChaosInTheCRD committed Apr 10, 2024
    bb842ee

Commits on Apr 19, 2024

  1. Try to gracefully handle gitlab jwt

    Signed-off-by: John Kjell <john@testifysec.com>
    jkjell committed Apr 19, 2024
    ec4f58a

Commits on May 2, 2024

  1. Merge branch 'main' into link-attestor

    Signed-off-by: John Kjell <john@testifysec.com>
    jkjell authored May 2, 2024
    b2322d9

Commits on May 8, 2024

  1. Merge branch 'main' into link-attestor

    Signed-off-by: Tom Meadows <tom@tmlabs.co.uk>
    ChaosInTheCRD authored May 8, 2024
    5ce8543
  2. ran go mod tidy

    Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>
    ChaosInTheCRD committed May 8, 2024
    0f6805d
  3. ensuring link and slsa attestation exporting is optional

    Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>
    ChaosInTheCRD committed May 8, 2024
    86d4e22

Commits on May 9, 2024

  1. Merge branch 'main' into link-attestor

    Signed-off-by: John Kjell <john@testifysec.com>
    jkjell committed May 9, 2024
    0afae1b