macaron.slsa_analyzer.provenance.witness package
Witness provenance (https://github.com/testifysec/witness).
- class macaron.slsa_analyzer.provenance.witness.WitnessProvenanceData(asset: AssetLocator, payload: InTotoV01Payload | InTotoV1Payload)
  Bases: NamedTuple
  Data of a downloaded witness provenance.
  - asset: AssetLocator
    The provenance asset.
  - payload: InTotoV01Payload | InTotoV1Payload
    The provenance payload.
- class macaron.slsa_analyzer.provenance.witness.WitnessVerifierConfig(predicate_types: set[str], artifact_extensions: set[str])
  Bases: NamedTuple
  Configuration for verifying witness provenances.
- macaron.slsa_analyzer.provenance.witness.load_witness_verifier_config()
  Load configuration for verifying witness provenances.
  - Returns: Configuration for verifying witness provenances.
  - Return type: WitnessVerifierConfig
- macaron.slsa_analyzer.provenance.witness.is_witness_provenance_payload(payload, predicate_types)
  Check if the given provenance payload is a witness provenance payload.
- macaron.slsa_analyzer.provenance.witness.extract_repo_url(witness_payload)
  Extract the repo URL from the witness provenance payload.
  - Parameters: witness_payload (InTotoPayload) – The witness provenance payload.
  - Returns: The repo URL within the witness provenance payload, if the provenance payload can be processed and the repo URL is found.
  - Return type: str | None
- macaron.slsa_analyzer.provenance.witness.extract_build_artifacts_from_witness_subjects(witness_payload)
  Extract subjects that are build artifacts from the "subject" field of the provenance. Each artifact subject is assumed to have a sha256 digest. If a sha256 digest is not present for a subject, that subject is ignored.
  - Parameters: witness_payload (InTotoPayload) – The witness provenance payload.
  - Returns: A list of subjects in the "subject" field of the provenance that are build artifacts.
  - Return type:
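The two package-level checks described above (is the payload a witness provenance at all, and which subjects are build artifacts with a usable sha256 digest) as an added Python example. This is not Macaron's own code: the `WitnessVerifierConfig` fields mirror the page, but the in-toto statement, subject names and digests are constructed, the witness predicate-type string is an assumption, and using `artifact_extensions` to decide which subjects count as build artifacts is this example's choice, not something the page states.

```python
"""Added example, not Macaron's code: recognise a witness provenance payload and
collect the build-artifact subjects that carry a well-formed sha256 digest."""
from __future__ import annotations

import re
from typing import Any, NamedTuple

SHA256_HEX = re.compile(r"^[0-9a-f]{64}$")


class WitnessVerifierConfig(NamedTuple):
    """Mirrors the two fields documented for the package's config type."""
    predicate_types: set[str]
    artifact_extensions: set[str]


# Assumption: the witness attestation-collection predicate type string.
# In practice this value comes from the verifier configuration.
WITNESS_PREDICATE = "https://witness.testifysec.com/attestation-collection/v0.1"

CONFIG = WitnessVerifierConfig(
    predicate_types={WITNESS_PREDICATE},
    artifact_extensions={".jar", ".pom"},
)

# Constructed in-toto v0.1 statement; subject names and digests are made up.
SAMPLE_STATEMENT: dict[str, Any] = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": WITNESS_PREDICATE,
    "subject": [
        {"name": "file:target/app.jar", "digest": {"sha256": "a" * 64}},
        {"name": "file:target/app.pom", "digest": {"sha256": "b" * 64}},
        # no sha256 digest: ignored even though the name looks like an artifact
        {"name": "file:target/app-sources.jar", "digest": {"sha1": "c" * 40}},
        # malformed sha256 (not 64 hex chars): ignored rather than trusted
        {"name": "file:target/app-javadoc.jar", "digest": {"sha256": "not-a-digest"}},
        # well-formed digest, but not a configured artifact extension
        {"name": "file:target/classes/Main.class", "digest": {"sha256": "d" * 64}},
    ],
    "predicate": {},
}


def is_witness_provenance_payload(statement: dict[str, Any], predicate_types: set[str]) -> bool:
    """A payload is treated as witness provenance only if its predicateType
    is one of the configured witness predicate types."""
    return statement.get("predicateType") in predicate_types


def extract_build_artifacts_from_witness_subjects(
    statement: dict[str, Any], artifact_extensions: set[str]
) -> list[dict[str, Any]]:
    """Return the subjects that are build artifacts and carry a well-formed
    sha256 digest. Subjects without one are skipped, as the package docs state.
    Deciding "build artifact" by file extension is this example's assumption."""
    artifacts: list[dict[str, Any]] = []
    for subject in statement.get("subject", []):
        name = subject.get("name", "")
        digest = subject.get("digest")
        if not isinstance(digest, dict):
            continue
        sha256 = digest.get("sha256")
        if not isinstance(sha256, str) or not SHA256_HEX.match(sha256.lower()):
            continue
        if not any(name.endswith(ext) for ext in artifact_extensions):
            continue
        artifacts.append(subject)
    return artifacts


def artifact_names(statement: dict[str, Any], config: WitnessVerifierConfig) -> list[str]:
    """Names of the build-artifact subjects, or [] if the payload is not witness provenance."""
    if not is_witness_provenance_payload(statement, config.predicate_types):
        return []
    subjects = extract_build_artifacts_from_witness_subjects(statement, config.artifact_extensions)
    return [subject["name"] for subject in subjects]


if __name__ == "__main__":
    print(artifact_names(SAMPLE_STATEMENT, CONFIG))
```

The digest check is stricter than "is a sha256 key present": a subject whose sha256 value is not 64 hex characters is dropped too, since a malformed digest can never be matched against a downloaded artifact and should not be reported as a verified subject.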
Submodules
macaron.slsa_analyzer.provenance.witness.attestor module
Witness Attestors.
- class macaron.slsa_analyzer.provenance.witness.attestor.RepoAttestor(*args, **kwargs)
  Bases: Protocol
  Interface for witness attestors that record repo URLs.
  - extract_repo_url(payload)
    Extract the repo URL from a witness provenance payload.
    - Parameters: payload (InTotoStatement) – The witness provenance payload.
    - Returns: The repo URL, or None if it cannot be located in the provenance payload.
    - Return type: str | None
  - __init__(*args, **kwargs)
- class macaron.slsa_analyzer.provenance.witness.attestor.GitLabWitnessAttestor
  Bases: object
  Witness attestor for GitLab.
  In the payload of a witness provenance, each subject corresponds to an attestor. Docs: https://github.com/testifysec/witness/blob/main/docs/attestors/gitlab.md
  - extract_repo_url(payload)
    Extract the repo URL from a witness provenance payload.
    - Parameters: payload (InTotoStatement) – The witness provenance payload.
    - Returns: The repo URL, or None if it cannot be located in the provenance payload.
    - Return type: str | None
  - extract_repo_url_intoto_v01(payload)
    Extract the repo URL from a witness provenance payload following the in-toto v0.1 schema.
    Note: the current implementation inspects the predicate field of the payload to locate the repo URL. The schema of this field is currently undocumented by witness.
    - Parameters: payload (InTotoV01Statement) – The in-toto v0.1 payload.
    - Returns: The repo URL, or None if it cannot be located in the provenance payload.
    - Return type: str | None
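The attestor interface in this module, as an added Python example that is not Macaron's code: a `RepoAttestor`-style `Protocol`, a GitLab attestor that only handles in-toto v0.1 statements and returns `None` for anything else, and a small dispatcher over a list of attestors. Because the page says the witness predicate schema is undocumented, the predicate layout used here (an `attestations` list whose GitLab entry carries a `projecturl`), the attestation-type strings and the sample URL are all assumptions of this example.

```python
"""Added example, not Macaron's code: a RepoAttestor-style Protocol and a GitLab
attestor that looks for the repo URL in an in-toto v0.1 witness statement."""
from __future__ import annotations

from typing import Any, Protocol, runtime_checkable

INTOTO_V01 = "https://in-toto.io/Statement/v0.1"
INTOTO_V1 = "https://in-toto.io/Statement/v1"


@runtime_checkable
class RepoAttestor(Protocol):
    """Interface for attestors that can recover a repo URL from a payload."""

    def extract_repo_url(self, payload: dict[str, Any]) -> str | None: ...


class GitLabWitnessAttestor:
    """Locates the GitLab project URL. The predicate layout (an "attestations"
    list whose GitLab entry carries "projecturl") is an assumption of this
    example: witness does not document the predicate schema."""

    GITLAB_ATTESTATION_TYPE = "https://witness.dev/attestations/gitlab/v0.1"  # assumed

    def extract_repo_url(self, payload: dict[str, Any]) -> str | None:
        if payload.get("_type") == INTOTO_V01:
            return self.extract_repo_url_intoto_v01(payload)
        # Other statement versions are not handled here, so report "not located".
        return None

    def extract_repo_url_intoto_v01(self, payload: dict[str, Any]) -> str | None:
        predicate = payload.get("predicate")
        if not isinstance(predicate, dict):
            return None
        for entry in predicate.get("attestations", []):
            if not isinstance(entry, dict) or entry.get("type") != self.GITLAB_ATTESTATION_TYPE:
                continue
            attestation = entry.get("attestation")
            url = attestation.get("projecturl") if isinstance(attestation, dict) else None
            # Accept only an https URL; anything else is treated as "not found"
            # rather than handed on to later processing.
            if isinstance(url, str) and url.startswith("https://"):
                return url
        return None


def find_repo_url(payload: dict[str, Any], attestors: list[RepoAttestor]) -> str | None:
    """Ask each attestor in turn; the first URL wins, None if none finds one."""
    for attestor in attestors:
        url = attestor.extract_repo_url(payload)
        if url is not None:
            return url
    return None


# Constructed sample statements; every value below is made up for this example.
SAMPLE_V01: dict[str, Any] = {
    "_type": INTOTO_V01,
    "predicateType": "https://witness.testifysec.com/attestation-collection/v0.1",  # assumed
    "subject": [{"name": "file:target/app.jar", "digest": {"sha256": "a" * 64}}],
    "predicate": {
        "name": "build",
        "attestations": [
            {"type": "https://witness.dev/attestations/git/v0.1",  # assumed
             "attestation": {"commithash": "0" * 40}},
            {"type": GitLabWitnessAttestor.GITLAB_ATTESTATION_TYPE,
             "attestation": {"projecturl": "https://gitlab.example.com/group/project",
                             "pipelineid": "12345"}},
        ],
    },
}

# Same content declared as an in-toto v1 statement: this attestor does not handle it.
SAMPLE_V1: dict[str, Any] = {**SAMPLE_V01, "_type": INTOTO_V1}


if __name__ == "__main__":
    print(find_repo_url(SAMPLE_V01, [GitLabWitnessAttestor()]))
    print(find_repo_url(SAMPLE_V1, [GitLabWitnessAttestor()]))
```

Keeping the per-version lookup in its own method, as the page's `extract_repo_url_intoto_v01` does, means a future v1 handler is a second method and a second branch in `extract_repo_url`, while the `Protocol` lets the caller hold a list of attestors without caring which one answered.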