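├── .gitignore ├── renovate.json ├── policy ├── security │ ├── trivy.rego │ ├── pullrequest.rego │ ├── provenance.rego │ ├── pullrequest_test.rego │ └── provenance_test.rego └── governance │ ├── identities.rego │ ├── governance_test.rego │ └── governance.rego ├── .releaserc ├── .github └── workflows │ └── bundle.yaml ├── README.md └── test ├── pullrequest.json ├── sbom.json ├── provenance.json └── trivy.json
/.gitignore:
--------------------------------------------------------------------------------
bundle.tar.gz
.idea/
--------------------------------------------------------------------------------
/renovate.json:
--------------------------------------------------------------------------------
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": [
    "config:recommended",
    ":semanticCommits",
    ":semanticCommitTypeAll(build)",
    ":semanticCommitScopeDisabled",
    "helpers:pinGitHubActionDigests"
  ]
}
--------------------------------------------------------------------------------
/policy/security/trivy.rego:
--------------------------------------------------------------------------------
package security.trivy

# Evaluates a cosign vulnerability attestation whose predicate carries the raw
# scanner output under predicate.scanner.result, and denies when any finding is
# at a blocking severity.
# Decision: data.security.trivy.allow

default allow = false

# Severity labels that block approval.
# NOTE(review): "LOW" and "UNKNOWN" findings are not blocking here; confirm that
# matches the intended risk threshold.
blocking_severities := {"MEDIUM", "HIGH", "CRITICAL"}

allow {
	count(violation) == 0
}

# Fail closed: an attestation with no scanner result object gives no evidence
# that a scan ran, and would otherwise produce zero violations and be allowed.
violation[msg] {
	not is_object(input.predicate.scanner.result)
	msg := "trivy scan result is missing"
}

# A single finding at a blocking severity is enough to deny.
violation[msg] {
	vuln := input.predicate.scanner.result.Results[_].Vulnerabilities[_]
	blocking_severities[vuln.Severity]
	msg := "vulnerability higher than medium"
}
--------------------------------------------------------------------------------
/policy/security/pullrequest.rego:
--------------------------------------------------------------------------------
package security.pullrequest

# Evaluates a Liatrio GitHub pull request attestation and denies unless the
# predicate records at least one reviewer.
# Decision: data.security.pullrequest.allow
#
# NOTE(review): only the number of reviewers is enforced. The attestation also
# records whether each reviewer approved and who authored the change, but
# neither is checked here; decide whether the governance threshold needs them.

default allow = false

allow {
	count(violation) == 0
}

# Fail closed: when the reviewers key is absent both comparisons below are
# undefined, so the predicate would otherwise be allowed with no reviewer at all.
violation[msg] {
	not input.predicate.reviewers
	msg := "pull request reviewers is missing"
}

violation[msg] {
	input.predicate.reviewers == null
	msg := "pull request reviewers is null"
}

violation[msg] {
	count(input.predicate.reviewers) < 1
	msg := "pull request reviewers is less than 1"
}
--------------------------------------------------------------------------------
/policy/governance/identities.rego:
--------------------------------------------------------------------------------
package governance

# Workflow identities trusted to sign the attestations this bundle evaluates.
# Each entry pairs the OIDC issuer with a regular expression over the signing
# certificate subject (the reusable workflow ref); only tagged releases
# (vMAJOR.MINOR.PATCH) of the named workflows match.
#
# NOTE(review): nothing else in this bundle references signer_identities, so it
# is presumably read by the verifier that checks signatures before these
# policies run. Confirm the consumer; an allow-list nobody reads drifts silently.
signer_identities := [
	{
		"issuer": "https://token.actions.githubusercontent.com",
		"subjectRegExp": `^https://github\.com/liatrio/gh-trusted-builds-workflows/\.github/workflows/build-and-push\.yaml@refs/tags/v\d+\.\d+\.\d+$`,
	},
	{
		"issuer": "https://token.actions.githubusercontent.com",
		"subjectRegExp": `^https://github\.com/liatrio/gh-trusted-builds-workflows/\.github/workflows/scan-image\.yaml@refs/tags/v\d+\.\d+\.\d+$`,
	},
]
--------------------------------------------------------------------------------
/policy/security/provenance.rego:
--------------------------------------------------------------------------------
package security.provenance

# Evaluates a SLSA provenance (v0.2) predicate and denies unless it was produced
# by the expected build type for the expected GitHub enterprise.
# Decision: data.security.provenance.allow

default allow = false

allow {
	count(violation) == 0
}

# Expected build type of the slsa-github-generator container workflow.
buildType := "https://github.com/slsa-framework/slsa-github-generator/container@v1"

# Expected GitHub enterprise name carried in the workflow event payload.
orgName := "Liatrio"

# Fail closed: "!=" is undefined on a missing field, so a predicate without a
# buildType would otherwise produce no violation and be allowed.
violation[msg] {
	not input.predicate.buildType
	msg := "provenance build type is missing"
}

violation[msg] {
	input.predicate.buildType != buildType
	msg := "provenance build type is incorrect"
}

# Fail closed on a missing enterprise name for the same reason as above.
violation[msg] {
	not input.predicate.invocation.environment.github_event_payload.enterprise.name
	msg := "provenance enterprise name is missing"
}

violation[msg] {
	input.predicate.invocation.environment.github_event_payload.enterprise.name != orgName
	msg := "provenance enterprise name is not Liatrio"
}

# NOTE(review): predicate.builder.id is not compared with the trusted workflow
# refs in data.governance.signer_identities. If signature verification does not
# already bind the builder to those refs, that check belongs here.
--------------------------------------------------------------------------------
/.releaserc:
--------------------------------------------------------------------------------
{
  "branches": "main",
  "repositoryUrl": "https://github.com/liatrio/gh-trusted-builds-policy",
  "debug": "false",
  "plugins": [
    [
      "@semantic-release/commit-analyzer", {
        "preset": "angular",
        "releaseRules": [
          {"type": "docs", "release": "patch"},
          {"type": "refactor",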
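"release": "patch"},
          {"type": "style", "release": "patch"},
          {"type": "build", "release": "patch"}
        ],
        "parserOpts": {
          "noteKeywords": ["BREAKING CHANGE", "BREAKING CHANGES"]
        }
      }
    ],
    [
      "@semantic-release/github",
      {
        "assets": [
          {
            "path": "bundle.tar.gz"
          }
        ]
      }
    ]
  ]
}
--------------------------------------------------------------------------------
/policy/governance/governance_test.rego:
--------------------------------------------------------------------------------
package governance_test

import data.governance.allow

# Fixtures under data.test.* are Rekor log entries loaded from test/*.json.
# A governance input is the list of such entries for one artifact.

# Every required attestation is present and compliant.
test_all_pass {
	case := [data.test.pullrequest.two_reviewers, data.test.trivy.no_results, data.test.sbom.app, data.test.provenance]
	allow with input as case
}

test_fail_no_pull_request {
	case := [data.test.trivy.no_results]
	not allow with input as case
}

test_fail_no_reviewer {
	case := [data.test.pullrequest.no_reviewer, data.test.trivy.no_results]
	not allow with input as case
}

test_fail_null_reviewer {
	case := [data.test.pullrequest.null_reviewer, data.test.trivy.no_results]
	not allow with input as case
}

test_fail_medium_vuln {
	case := [data.test.pullrequest.two_reviewers, data.test.trivy.medium_pkg_result]
	not allow with input as case
}

# Provenance is supplied so that the SBOM is the only missing attestation;
# without it this case could not be told apart from a missing provenance.
test_fail_no_sbom {
	case := [data.test.pullrequest.two_reviewers, data.test.trivy.no_results, data.test.provenance]
	not allow with input as case
}

# The SBOM is supplied so that provenance is the only missing attestation.
test_fail_no_provenance {
	case := [data.test.pullrequest.two_reviewers, data.test.trivy.no_results, data.test.sbom.app]
	not allow with input as case
}
--------------------------------------------------------------------------------
/policy/security/pullrequest_test.rego:
--------------------------------------------------------------------------------
package security.pullrequest

# Each test builds a predicate in a local (tc) rather than shadowing the
# reserved `input` document, then evaluates the policy against it.

# Test that allow is false when there are no reviewers
test_allow_no_reviewers {
	tc := {"predicate": {"reviewers": null}}
	not allow with input as tc
}

# Test that allow is false when reviewers count is less than 1
test_allow_less_than_one_reviewer {
	tc := {"predicate": {"reviewers": []}}
	not allow with input as tc
}

# Test that allow is true when reviewers count is 1 or more
test_allow_one_or_more_reviewers {
	tc := {"predicate": {"reviewers": ["Alice"]}}
	allow with input as tc
}

# Test that violation message is correct when there are no reviewers
test_violation_no_reviewers {
	tc := {"predicate": {"reviewers": null}}
	violation[msg] with input as tc
	msg == "pull request reviewers is null"
}

# Test that violation message is correct when reviewers count is less than 1
test_violation_less_than_one_reviewer {
	tc := {"predicate": {"reviewers": []}}
	violation[msg] with input as tc
	msg == "pull request reviewers is less than 1"
}
--------------------------------------------------------------------------------
/.github/workflows/bundle.yaml:
--------------------------------------------------------------------------------
name: bundle
on:
  push:
  workflow_dispatch:

env:
  OPA_VERSION: "0.62.1"

jobs:
  test:
    runs-on: ubuntu-latest
    # Least privilege: running the policy tests only needs to read the repository.
    # Without an explicit block the job inherits the repository's default token scope.
    permissions:
      contents: read
    steps:
      - name: Checkout
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
      - name: Setup OPA
        uses: open-policy-agent/setup-opa@34a30e8a924d1b03ce2cf7abe97250bbb1f332b5 # v2.2.0
        with:
          version: ${{ env.OPA_VERSION }}
      - name: Test Policy
        run: opa test --verbose .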
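# release: continues the `jobs:` mapping above; runs only for pushes to main.
  release:
    needs:
      - test
    if: github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    # Least privilege: semantic-release creates the GitHub release and uploads
    # bundle.tar.gz (contents: write); its GitHub plugin also comments on the
    # issues and pull requests it resolves, which needs the two write scopes below.
    permissions:
      contents: write
      issues: write
      pull-requests: write
    steps:
      - name: Checkout
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
      - name: Setup OPA
        uses: open-policy-agent/setup-opa@34a30e8a924d1b03ce2cf7abe97250bbb1f332b5 # v2.2.0
        with:
          version: ${{ env.OPA_VERSION }}
      - name: Setup Node.js
        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4
        with:
          node-version: 20
      - name: Test Policies
        run: opa test .
      - name: Build OPA Bundle
        run: opa build --ignore "*_test.rego" policy
      - name: Setup Semantic Release
        # NOTE(review): semantic-release and its GitHub plugin are installed
        # unpinned, unlike the digest-pinned actions above, so the release
        # tooling is not reproducible; consider pinning exact versions.
        run: npm install -g semantic-release @semantic-release/github -D
      - name: Release OPA Bundle
        run: npx semantic-release
        env:
          GH_TOKEN: ${{ github.token }}
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# gh-trusted-builds-policy

Open Policy Agent bundle for automated governance.

Bundles are made available as GitHub releases.

## Packages

### `governance`

Designed for use by automated governance trusted workflows.
Encapsulates verifying all rules required for governance approval,
and handling input transformation.
Input is expected to be a json list of all Rekor transparency log entries for a given artifact.

#### Rules

- `data.governance.allow`: Returns `true` if no violations are found across all governance rules.

### `security`

Core rules related to security policies.
Contains multiple packages for different topics.

#### Rules

- `data.security.pullrequest.allow`: Returns `true` if no violations are found for a given pull request.
  Input is expected to be a single [Liatrio GitHub pull request attestation](https://github.com/liatrio/custom-attestations-poc#github-pull-request).
- `data.security.trivy.allow`: Returns `true` if a vulnerability attestation contains no finding of severity `MEDIUM` or higher.
- `data.security.provenance.allow`: Returns `true` if a SLSA provenance attestation has the expected build type and enterprise name.

## Release

A new bundle will be published on every push to `main`.
Semantic commits are used to automate the semver process.

## Test

The [test/](test) directory contains example inputs for testing.
Each package has its own json file for related inputs.
The json file has a single, top level property that matches the package name.
This avoids collisions, since opa loads all data files for tests.

Policy test files live alongside the policy they are testing, as `*_test.rego`.

### Commands

- `opa test .`: Run all automated policy tests.
- `opa test -v .`: See test case inputs, and violations.
  Useful for troubleshooting.
--------------------------------------------------------------------------------
/policy/security/provenance_test.rego:
--------------------------------------------------------------------------------
package security.provenance

# Each test builds a predicate in a local (tc) rather than shadowing the
# reserved `input` document, then evaluates the policy against it.

# Test that allow is false when buildType is incorrect
test_fail_incorrect_buildType {
	tc := {"predicate": {"buildType": "incorrect_buildType", "invocation": {"environment": {"github_event_payload": {"enterprise": {"name": "Liatrio"}}}}}}
	not allow with input as tc
}

# Test that allow is false when enterprise name is not Liatrio
test_fail_incorrect_enterprise_name {
	tc := {"predicate": {"buildType": "https://github.com/slsa-framework/slsa-github-generator/container@v1", "invocation": {"environment": {"github_event_payload": {"enterprise": {"name": "NotLiatrio"}}}}}}
	not allow with input as tc
}

# Test that allow is true when buildType is correct and enterprise name is Liatrio
test_allow_correct_buildType_and_enterprise_name {
	tc := {"predicate": {"buildType": "https://github.com/slsa-framework/slsa-github-generator/container@v1", "invocation": {"environment": {"github_event_payload": {"enterprise": {"name": "Liatrio"}}}}}}
	allow with input as tc
}

# Test that violation message is correct when buildType is incorrect
test_violation_incorrect_buildType {
	tc := {"predicate": {"buildType": "incorrect_buildType", "invocation": {"environment": {"github_event_payload": {"enterprise": {"name": "Liatrio"}}}}}}
	violation[msg] with input as tc
	msg == "provenance build type is incorrect"
}

# Test that violation message is correct when enterprise name is not Liatrio
test_violation_incorrect_enterprise_name {
	tc := {"predicate": {"buildType": "https://github.com/slsa-framework/slsa-github-generator/container@v1", "invocation": {"environment": {"github_event_payload": {"enterprise": {"name": "NotLiatrio"}}}}}}
	violation[msg] with input as tc
	msg == "provenance enterprise name is not Liatrio"
}
--------------------------------------------------------------------------------
/policy/governance/governance.rego:
--------------------------------------------------------------------------------
package governance

import data.security

# Governance decision for one artifact.
# input: a list of Rekor transparency log entries; each entry's "Attestation"
# field holds the in-toto statement as a JSON string (see test/*.json).
# Decision: data.governance.allow
#
# NOTE(review): this package trusts every statement that appears in the input
# list and never checks who signed the corresponding log entry. The caller is
# presumably expected to verify signatures (e.g. against signer_identities)
# before evaluating this policy; confirm that ordering, since an unverified
# entry could otherwise satisfy any of the presence checks below.

default allow = false

# Predicate types this bundle knows how to evaluate.
pullrequest_predicate_type := "https://liatr.io/attestations/github-pull-request/v1"

trivy_predicate_type := "https://cosign.sigstore.dev/attestation/vuln/v1"

sbom_predicate_type := "https://spdx.dev/Document"

provenance_predicate_type := "https://slsa.dev/provenance/v0.2"

# Parse the in-toto statement carried by one Rekor entry. An entry whose
# Attestation is not valid JSON makes json.unmarshal raise, which aborts the
# whole evaluation instead of skipping the entry.
statement(entry) := json.unmarshal(entry.Attestation)

# Statements of a given predicate type, in input order. Each entry is parsed
# once per list here rather than twice per comprehension.
statements_of_type(predicate_type) := [att |
	entry := input[_]
	att := statement(entry)
	att.predicateType == predicate_type
]

pullrequest_attestations := statements_of_type(pullrequest_predicate_type)

trivy_attestations := statements_of_type(trivy_predicate_type)

sbom_attestations := statements_of_type(sbom_predicate_type)

provenance_attestations := statements_of_type(provenance_predicate_type)

allow {
	violations := ((pullrequest_violations | trivy_violations) | sbom_violations) | provenance_violations
	# Printed so that `opa test -v` shows which rule denied (see README).
	print(violations)
	count(violations) == 0
}

provenance_violations[msg] {
	count(provenance_attestations) == 0
	msg := "no provenance attestation"
}

# Every provenance statement must pass, not only the first one found.
provenance_violations[msg] {
	attestation := provenance_attestations[_]
	not security.provenance.allow with input as attestation
	msg := "provenance violation found"
}

pullrequest_violations[msg] {
	count(pullrequest_attestations) == 0
	msg := "no pull request attestation"
}

# Consistent with the trivy and provenance rules: every pull request statement
# is evaluated, rather than only pullrequest_attestations[0].
pullrequest_violations[msg] {
	attestation := pullrequest_attestations[_]
	not security.pullrequest.allow with input as attestation
	msg := "pull request violations found"
}

# Only the presence of an SBOM is required; its contents are not inspected.
sbom_violations[msg] {
	count(sbom_attestations) == 0
	msg := "no sbom attestation"
}

trivy_violations[msg] {
	count(trivy_attestations) == 0
	msg := "no trivy attestation"
}

# Every vulnerability scan statement must pass.
trivy_violations[msg] {
	attestation := trivy_attestations[_]
	not security.trivy.allow with input as attestation
	msg := "trivy scan violation found"
}
--------------------------------------------------------------------------------
/test/pullrequest.json:
--------------------------------------------------------------------------------
1 | { 2 | "pullrequest": { 3 | "two_reviewers": { 4 | "Attestation": "{\"_type\":\"https://in-toto.io/Statement/v0.1\",\"predicateType\":\"https://liatr.io/attestations/github-pull-request/v1\",\"subject\":[{\"name\":\"git+https://github.com/liatrio/gh-trusted-builds-app.git\",\"digest\":{\"sha1\":\"21eafbfb102f996dcbac3d0eaf1296af8f4ca844\"}}],\"predicate\":{\"link\":\"https://github.com/liatrio/gh-trusted-builds-app/pull/6\",\"title\":\"feat: health 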
endpoint\",\"author\":\"rcoy-v\",\"mergedBy\":\"rcoy-v\",\"createdAt\":\"2023-05-02T14:49:31Z\",\"mergedAt\":\"2023-05-02T14:58:25Z\",\"base\":\"main\",\"head\":\"healthz\",\"approved\":true,\"reviewers\":[{\"name\":\"alexashley\",\"approved\":true,\"reviewLink\":\"https://github.com/liatrio/gh-trusted-builds-app/pull/6#pullrequestreview-1409291355\",\"timestamp\":\"2023-05-02T14:54:56Z\"},{\"name\":\"blairdrummond\",\"approved\":true,\"reviewLink\":\"https://github.com/liatrio/gh-trusted-builds-app/pull/6#pullrequestreview-1409289041\",\"timestamp\":\"2023-05-02T14:53:50Z\"}],\"contributors\":[{\"name\":\"rcoy-v\"}],\"predicateCreatedAt\":\"2023-05-02T14:59:03.710242382Z\"}}", 5 | "AttestationType": "", 6 | "Body": { 7 | "IntotoObj": { 8 | "content": { 9 | "hash": { 10 | "algorithm": "sha256", 11 | "value": "2b247da429d7073de2984fa1ebd1be5f1e5ab397d879623ce7d1d4a517ed9873" 12 | }, 13 | "payloadHash": { 14 | "algorithm": "sha256", 15 | "value": "3dcf7a9498bca8ed2bdf8eb7375aa12e86116b03528bcad60ff219b4ae0e57d3" 16 | } 17 | }, 18 | "publicKey": "LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFaUpmamtBY1FBZDJ1L1ZDeUpiOXF4bVV4d0pDYgoyZlBZZ1JrekdKbEYySUdHbnUrRWJycEo3SU1jaXN2cXYxOUE1cFVUazZCRXAxWnl0VzRVMmYxL3FBPT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg==" 19 | } 20 | }, 21 | "LogIndex": 5, 22 | "IntegratedTime": 1683039544, 23 | "UUID": "426935e4def3c60029977a4a46c2a6ae853997891927c147f27e14ce5e1a60cae37edd57cfd798d4", 24 | "LogID": "aa734d09eae60ff0e521e84664a110b60d376f8a02385ab6e41453a0083a3d8b" 25 | }, 26 | "no_reviewer": { 27 | "Attestation": "{\"_type\":\"https://in-toto.io/Statement/v0.1\",\"predicateType\":\"https://liatr.io/attestations/github-pull-request/v1\",\"subject\":[{\"name\":\"git+https://github.com/liatrio/gh-trusted-builds-app.git\",\"digest\":{\"sha1\":\"cf1d0a24941a7a787c15fbb4183e345d819651a3\"}}],\"predicate\":{\"link\":\"https://github.com/liatrio/gh-trusted-builds-app/pull/7\",\"title\":\"docs: fix spelling error 
in readme\",\"author\":\"rcoy-v\",\"mergedBy\":\"rcoy-v\",\"createdAt\":\"2023-05-02T15:05:39Z\",\"mergedAt\":\"2023-05-02T15:05:47Z\",\"base\":\"main\",\"head\":\"spelling-fix\",\"approved\":false,\"reviewers\":[],\"contributors\":[{\"name\":\"rcoy-v\"}],\"predicateCreatedAt\":\"2023-05-02T15:06:41.768710296Z\"}}", 28 | "AttestationType": "", 29 | "Body": { 30 | "IntotoObj": { 31 | "content": { 32 | "hash": { 33 | "algorithm": "sha256", 34 | "value": "d1fe2ef4ca599837254a197ef5c81e0b6ec9f89ff85dc99e1ea5393ffe05fd1e" 35 | }, 36 | "payloadHash": { 37 | "algorithm": "sha256", 38 | "value": "70a41f87a1c1f82ad05a76854446feb6c244844df3da9abac2c8b3e70dc3ba9a" 39 | } 40 | }, 41 | "publicKey": "LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFaUpmamtBY1FBZDJ1L1ZDeUpiOXF4bVV4d0pDYgoyZlBZZ1JrekdKbEYySUdHbnUrRWJycEo3SU1jaXN2cXYxOUE1cFVUazZCRXAxWnl0VzRVMmYxL3FBPT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg==" 42 | } 43 | }, 44 | "LogIndex": 10, 45 | "IntegratedTime": 1683040002, 46 | "UUID": "426935e4def3c6001f4765e92e8f84b9353107f36e21bdaad5e1e6e283d103f967309d531cb933c7", 47 | "LogID": "aa734d09eae60ff0e521e84664a110b60d376f8a02385ab6e41453a0083a3d8b" 48 | }, 49 | "null_reviewer": { 50 | "Attestation": "{\"_type\":\"https://in-toto.io/Statement/v0.1\",\"predicateType\":\"https://liatr.io/attestations/github-pull-request/v1\",\"subject\":[{\"name\":\"git+https://github.com/liatrio/gh-trusted-builds-app.git\",\"digest\":{\"sha1\":\"cf1d0a24941a7a787c15fbb4183e345d819651a3\"}}],\"predicate\":{\"link\":\"https://github.com/liatrio/gh-trusted-builds-app/pull/7\",\"title\":\"docs: fix spelling error in readme\",\"author\":\"rcoy-v\",\"mergedBy\":\"rcoy-v\",\"createdAt\":\"2023-05-02T15:05:39Z\",\"mergedAt\":\"2023-05-02T15:05:47Z\",\"base\":\"main\",\"head\":\"spelling-fix\",\"approved\":false,\"reviewers\":null,\"contributors\":[{\"name\":\"rcoy-v\"}],\"predicateCreatedAt\":\"2023-05-02T15:06:41.768710296Z\"}}", 51 | "AttestationType": "", 52 | "Body": 
{ 53 | "IntotoObj": { 54 | "content": { 55 | "hash": { 56 | "algorithm": "sha256", 57 | "value": "d1fe2ef4ca599837254a197ef5c81e0b6ec9f89ff85dc99e1ea5393ffe05fd1e" 58 | }, 59 | "payloadHash": { 60 | "algorithm": "sha256", 61 | "value": "70a41f87a1c1f82ad05a76854446feb6c244844df3da9abac2c8b3e70dc3ba9a" 62 | } 63 | }, 64 | "publicKey": "LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFaUpmamtBY1FBZDJ1L1ZDeUpiOXF4bVV4d0pDYgoyZlBZZ1JrekdKbEYySUdHbnUrRWJycEo3SU1jaXN2cXYxOUE1cFVUazZCRXAxWnl0VzRVMmYxL3FBPT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg==" 65 | } 66 | }, 67 | "LogIndex": 10, 68 | "IntegratedTime": 1683040002, 69 | "UUID": "426935e4def3c6001f4765e92e8f84b9353107f36e21bdaad5e1e6e283d103f967309d531cb933c7", 70 | "LogID": "aa734d09eae60ff0e521e84664a110b60d376f8a02385ab6e41453a0083a3d8b" 71 | } 72 | } 73 | } -------------------------------------------------------------------------------- /test/sbom.json: -------------------------------------------------------------------------------- 1 | { 2 | "sbom": { 3 | "app": { 4 | "Attestation": "{\"_type\":\"https://in-toto.io/Statement/v0.1\",\"predicateType\":\"https://spdx.dev/Document\",\"subject\":[{\"name\":\"ghcr.io/liatrio/gh-trusted-builds-app\",\"digest\":{\"sha256\":\"32c41199cf0525d63cc865e4a026b3ff8c9ba41c04739ba684c365cfbeba3ce7\"}}],\"predicate\":{\"SPDXID\":\"SPDXRef-DOCUMENT\",\"creationInfo\":{\"created\":\"2023-05-26T16:41:10Z\",\"creators\":[\"Organization: Anchore, Inc\",\"Tool: syft-0.82.0\"],\"licenseListVersion\":\"3.20\"},\"dataLicense\":\"CC0-1.0\",\"documentNamespace\":\"https://anchore.com/syft/image/ghcr.io/liatrio/gh-trusted-builds-app@sha256-32c41199cf0525d63cc865e4a026b3ff8c9ba41c04739ba684c365cfbeba3ce7-9d7e103d-9150-4cd9-82a5-99870a231a94\",\"files\":[{\"SPDXID\":\"SPDXRef-File-app-e068d64b5eee470f\",\"checksums\":[{\"algorithm\":\"SHA1\",\"checksumValue\":\"0000000000000000000000000000000000000000\"}],\"comment\":\"layerID: 
sha256:90f550fa67075b189ccdc841e3ba0f5c234e0984bedf050ef796cca3755b1c00\",\"copyrightText\":\"\",\"fileName\":\"/app\",\"fileTypes\":[\"OTHER\"],\"licenseConcluded\":\"NOASSERTION\"},{\"SPDXID\":\"SPDXRef-File-app-server-95d0f9636066c81b\",\"checksums\":[{\"algorithm\":\"SHA256\",\"checksumValue\":\"c3ddd07c4081d8c8149f62bfdb4691e87ec65586634088f47e464e4411406f0e\"}],\"comment\":\"layerID: sha256:90f550fa67075b189ccdc841e3ba0f5c234e0984bedf050ef796cca3755b1c00\",\"copyrightText\":\"\",\"fileName\":\"/app/server\",\"fileTypes\":[\"APPLICATION\",\"BINARY\"],\"licenseConcluded\":\"NOASSERTION\"}],\"name\":\"ghcr.io/liatrio/gh-trusted-builds-app@sha256:32c41199cf0525d63cc865e4a026b3ff8c9ba41c04739ba684c365cfbeba3ce7\",\"packages\":[{\"SPDXID\":\"SPDXRef-Package-go-module-github.com-google-uuid-550d641155fbe086\",\"checksums\":[{\"algorithm\":\"SHA256\",\"checksumValue\":\"b7a2625e09b05cc8c4b3c56eb172099360571ec9fec31f0165d4daa19e5fbbb2\"}],\"copyrightText\":\"NOASSERTION\",\"downloadLocation\":\"NOASSERTION\",\"externalRefs\":[{\"referenceCategory\":\"SECURITY\",\"referenceLocator\":\"cpe:2.3:a:google:uuid:v1.3.0:*:*:*:*:*:*:*\",\"referenceType\":\"cpe23Type\"},{\"referenceCategory\":\"PACKAGE-MANAGER\",\"referenceLocator\":\"pkg:golang/github.com/google/uuid@v1.3.0\",\"referenceType\":\"purl\"}],\"licenseConcluded\":\"NOASSERTION\",\"licenseDeclared\":\"NOASSERTION\",\"name\":\"github.com/google/uuid\",\"sourceInfo\":\"acquired package info from go module information: 
/app/server\",\"versionInfo\":\"v1.3.0\"},{\"SPDXID\":\"SPDXRef-Package-go-module-github.com-liatrio-gh-trusted-builds-app-1808e23a377c2b90\",\"copyrightText\":\"NOASSERTION\",\"downloadLocation\":\"NOASSERTION\",\"externalRefs\":[{\"referenceCategory\":\"SECURITY\",\"referenceLocator\":\"cpe:2.3:a:liatrio:gh-trusted-builds-app:\\\\(devel\\\\):*:*:*:*:*:*:*\",\"referenceType\":\"cpe23Type\"},{\"referenceCategory\":\"SECURITY\",\"referenceLocator\":\"cpe:2.3:a:liatrio:gh_trusted_builds_app:\\\\(devel\\\\):*:*:*:*:*:*:*\",\"referenceType\":\"cpe23Type\"},{\"referenceCategory\":\"PACKAGE-MANAGER\",\"referenceLocator\":\"pkg:golang/github.com/liatrio/gh-trusted-builds-app@(devel)\",\"referenceType\":\"purl\"}],\"licenseConcluded\":\"NOASSERTION\",\"licenseDeclared\":\"NOASSERTION\",\"name\":\"github.com/liatrio/gh-trusted-builds-app\",\"sourceInfo\":\"acquired package info from go module information: /app/server\",\"versionInfo\":\"(devel)\"}],\"relationships\":[{\"comment\":\"evident-by: indicates the package's existence is evident by the given file\",\"relatedSpdxElement\":\"SPDXRef-File-app-server-95d0f9636066c81b\",\"relationshipType\":\"OTHER\",\"spdxElementId\":\"SPDXRef-Package-go-module-github.com-liatrio-gh-trusted-builds-app-1808e23a377c2b90\"},{\"comment\":\"evident-by: indicates the package's existence is evident by the given file\",\"relatedSpdxElement\":\"SPDXRef-File-app-server-95d0f9636066c81b\",\"relationshipType\":\"OTHER\",\"spdxElementId\":\"SPDXRef-Package-go-module-github.com-google-uuid-550d641155fbe086\"},{\"relatedSpdxElement\":\"SPDXRef-DOCUMENT\",\"relationshipType\":\"DESCRIBES\",\"spdxElementId\":\"SPDXRef-DOCUMENT\"}],\"spdxVersion\":\"SPDX-2.3\"}}", 5 | "AttestationType": "", 6 | "Body": { 7 | "IntotoObj": { 8 | "content": { 9 | "hash": { 10 | "algorithm": "sha256", 11 | "value": "bf66066855f676c74df977444f48366a07469ecf6fcd7e336c01e43f90f90355" 12 | }, 13 | "payloadHash": { 14 | "algorithm": "sha256", 15 | "value": 
"123faf5cffc92437bc9d26a4a905dda0dea272b179c1fc523d9a088b2c148aa3" 16 | } 17 | }, 18 | "publicKey": "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" 19 | } 20 | }, 21 | "LogIndex": 21763978, 22 | "IntegratedTime": 1685119271, 23 | "UUID": "24296fb24b8ad77aa1b89ec050ab378e81752a59147a1398243d081e88512e91cee2918855ea5e16", 24 | "LogID": "c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d" 25 | } 26 | } 27 | } -------------------------------------------------------------------------------- /test/provenance.json: -------------------------------------------------------------------------------- 1 | { 2 | "provenance": { 3 | "Attestation": "{\"_type\":\"https://in-toto.io/Statement/v0.1\",\"predicateType\":\"https://slsa.dev/provenance/v0.2\",\"subject\":[{\"name\":\"ghcr.io/liatrio/gh-trusted-builds-app\",\"digest\":{\"sha256\":\"39ada25f4ddc545afdc5f577bcd65a665a50e72ea572dad4ac79e63664470c47\"}}],\"predicate\":{\"builder\":{\"id\":\"https://github.com/liatrio/gh-trusted-builds-workflows/.github/workflows/build-and-push.yaml@refs/tags/v2.0.13\"},\"buildType\":\"https://github.com/slsa-framework/slsa-github-generator/container@v1\",\"invocation\":{\"configSource\":{\"uri\":\"git+https://github.com/liatrio/gh-trusted-builds-app@refs/heads/main\",\"digest\":{\"sha1\":\"fe9fc7ffa58e26987b13040ffac4609ed5cabf9f\"},\"entryPoint\":\".github/workflows/app.yaml\"},\"parameters\":{},\"environment\":{\"github_actor\":\"alexashley\",\"github_actor_id\":\"9082799\",\"github_base_ref\":\"\",\"github_event_name\":\"push\",\"github_event_payload\":{\"after\":\"fe9fc7ffa58e26987b13040ffac4609ed5cabf9f\",\"base_ref\":null,\"before\":\"8355442c7a097cbdeb5f19358737f5ff610a5824\",\"commits\":[{\"author\":{\"email\":\"alexashley@users.noreply.github.com\",\"name\":\"AlexAshley\",\"username\":\"alexashley\"},\"committer\":{\"email\":\"noreply@github.com\",\"name\":\"GitHub\",\"username\":\"web-flow\"},\"distinct\":true,\"id\":\"fe9fc7ffa58e26987b13040ffac4609ed5cabf9f\",\"
message\":\"feat:approvedchange(#55)\",\"timestamp\":\"2024-03-15T15:34:58-04:00\",\"tree_id\":\"735c09ddac812ab94144e5d919e7df3bab00034e\",\"url\":\"https://github.com/liatrio/gh-trusted-builds-app/commit/fe9fc7ffa58e26987b13040ffac4609ed5cabf9f\"}],\"compare\":\"https://github.com/liatrio/gh-trusted-builds-app/compare/8355442c7a09...fe9fc7ffa58e\",\"created\":false,\"deleted\":false,\"enterprise\":{\"avatar_url\":\"https://avatars.githubusercontent.com/b/9988?v=4\",\"created_at\":\"2021-11-02T23:03:56Z\",\"description\":\"\",\"html_url\":\"https://github.com/enterprises/liatrio-partnerdemo\",\"id\":9988,\"name\":\"Liatrio\",\"node_id\":\"E_kgDNJwQ\",\"slug\":\"liatrio-partnerdemo\",\"updated_at\":\"2023-09-19T00:04:56Z\",\"website_url\":\"\"},\"forced\":false,\"head_commit\":{\"author\":{\"email\":\"alexashley@users.noreply.github.com\",\"name\":\"AlexAshley\",\"username\":\"alexashley\"},\"committer\":{\"email\":\"noreply@github.com\",\"name\":\"GitHub\",\"username\":\"web-flow\"},\"distinct\":true,\"id\":\"fe9fc7ffa58e26987b13040ffac4609ed5cabf9f\",\"message\":\"feat:approvedchange(#55)\",\"timestamp\":\"2024-03-15T15:34:58-04:00\",\"tree_id\":\"735c09ddac812ab94144e5d919e7df3bab00034e\",\"url\":\"https://github.com/liatrio/gh-trusted-builds-app/commit/fe9fc7ffa58e26987b13040ffac4609ed5cabf9f\"},\"organization\":{\"avatar_url\":\"https://avatars.githubusercontent.com/u/5726618?v=4\",\"description\":\"EnterpriseDeliveryTransformation,DevOps,CloudNativeAutomation\",\"events_url\":\"https://api.github.com/orgs/liatrio/events\",\"hooks_url\":\"https://api.github.com/orgs/liatrio/hooks\",\"id\":5726618,\"issues_url\":\"https://api.github.com/orgs/liatrio/issues\",\"login\":\"liatrio\",\"members_url\":\"https://api.github.com/orgs/liatrio/members{/member}\",\"node_id\":\"MDEyOk9yZ2FuaXphdGlvbjU3MjY2MTg=\",\"public_members_url\":\"https://api.github.com/orgs/liatrio/public_members{/member}\",\"repos_url\":\"https://api.github.com/orgs/liatrio/repos\",\"url\":\"https://
api.github.com/orgs/liatrio\"},\"pusher\":{\"email\":\"alexashley@users.noreply.github.com\",\"name\":\"alexashley\"},\"ref\":\"refs/heads/main\",\"repository\":{\"allow_forking\":true,\"archive_url\":\"https://api.github.com/repos/liatrio/gh-trusted-builds-app/{archive_format}{/ref}\",\"archived\":false,\"assignees_url\":\"https://api.github.com/repos/liatrio/gh-trusted-builds-app/assignees{/user}\",\"blobs_url\":\"https://api.github.com/repos/liatrio/gh-trusted-builds-app/git/blobs{/sha}\",\"branches_url\":\"https://api.github.com/repos/liatrio/gh-trusted-builds-app/branches{/branch}\",\"clone_url\":\"https://github.com/liatrio/gh-trusted-builds-app.git\",\"collaborators_url\":\"https://api.github.com/repos/liatrio/gh-trusted-builds-app/collaborators{/collaborator}\",\"comments_url\":\"https://api.github.com/repos/liatrio/gh-trusted-builds-app/comments{/number}\",\"commits_url\":\"https://api.github.com/repos/liatrio/gh-trusted-builds-app/commits{/sha}\",\"compare_url\":\"https://api.github.com/repos/liatrio/gh-trusted-builds-app/compare/{base}...{head}\",\"contents_url\":\"https://api.github.com/repos/liatrio/gh-trusted-builds-app/contents/{+path}\",\"contributors_url\":\"https://api.github.com/repos/liatrio/gh-trusted-builds-app/contributors\",\"created_at\":1684768749,\"custom_properties\":{},\"default_branch\":\"main\",\"deployments_url\":\"https://api.github.com/repos/liatrio/gh-trusted-builds-app/deployments\",\"description\":null,\"disabled\":false,\"downloads_url\":\"https://api.github.com/repos/liatrio/gh-trusted-builds-app/downloads\",\"events_url\":\"https://api.github.com/repos/liatrio/gh-trusted-builds-app/events\",\"fork\":false,\"forks\":0,\"forks_count\":0,\"forks_url\":\"https://api.github.com/repos/liatrio/gh-trusted-builds-app/forks\",\"full_name\":\"liatrio/gh-trusted-builds-app\",\"git_commits_url\":\"https://api.github.com/repos/liatrio/gh-trusted-builds-app/git/commits{/sha}\",\"git_refs_url\":\"https://api.github.com/repos/liatrio/gh-truste
d-builds-app/git/refs{/sha}\",\"git_tags_url\":\"https://api.github.com/repos/liatrio/gh-trusted-builds-app/git/tags{/sha}\",\"git_url\":\"git://github.com/liatrio/gh-trusted-builds-app.git\",\"has_discussions\":false,\"has_downloads\":true,\"has_issues\":true,\"has_pages\":false,\"has_projects\":true,\"has_wiki\":true,\"homepage\":\"\",\"hooks_url\":\"https://api.github.com/repos/liatrio/gh-trusted-builds-app/hooks\",\"html_url\":\"https://github.com/liatrio/gh-trusted-builds-app\",\"id\":643991426,\"is_template\":false,\"issue_comment_url\":\"https://api.github.com/repos/liatrio/gh-trusted-builds-app/issues/comments{/number}\",\"issue_events_url\":\"https://api.github.com/repos/liatrio/gh-trusted-builds-app/issues/events{/number}\",\"issues_url\":\"https://api.github.com/repos/liatrio/gh-trusted-builds-app/issues{/number}\",\"keys_url\":\"https://api.github.com/repos/liatrio/gh-trusted-builds-app/keys{/key_id}\",\"labels_url\":\"https://api.github.com/repos/liatrio/gh-trusted-builds-app/labels{/name}\",\"language\":\"Mermaid\",\"languages_url\":\"https://api.github.com/repos/liatrio/gh-trusted-builds-app/languages\",\"license\":null,\"master_branch\":\"main\",\"merges_url\":\"https://api.github.com/repos/liatrio/gh-trusted-builds-app/merges\",\"milestones_url\":\"https://api.github.com/repos/liatrio/gh-trusted-builds-app/milestones{/number}\",\"mirror_url\":null,\"name\":\"gh-trusted-builds-app\",\"node_id\":\"R_kgDOJmKHgg\",\"notifications_url\":\"https://api.github.com/repos/liatrio/gh-trusted-builds-app/notifications{?since,all,participating}\",\"open_issues\":1,\"open_issues_count\":1,\"organization\":\"liatrio\",\"owner\":{\"avatar_url\":\"https://avatars.githubusercontent.com/u/5726618?v=4\",\"email\":\"cloudservices@liatrio.com\",\"events_url\":\"https://api.github.com/users/liatrio/events{/privacy}\",\"followers_url\":\"https://api.github.com/users/liatrio/followers\",\"following_url\":\"https://api.github.com/users/liatrio/following{/other_user}\",\"gists
_url\":\"https://api.github.com/users/liatrio/gists{/gist_id}\",\"gravatar_id\":\"\",\"html_url\":\"https://github.com/liatrio\",\"id\":5726618,\"login\":\"liatrio\",\"name\":\"liatrio\",\"node_id\":\"MDEyOk9yZ2FuaXphdGlvbjU3MjY2MTg=\",\"organizations_url\":\"https://api.github.com/users/liatrio/orgs\",\"received_events_url\":\"https://api.github.com/users/liatrio/received_events\",\"repos_url\":\"https://api.github.com/users/liatrio/repos\",\"site_admin\":false,\"starred_url\":\"https://api.github.com/users/liatrio/starred{/owner}{/repo}\",\"subscriptions_url\":\"https://api.github.com/users/liatrio/subscriptions\",\"type\":\"Organization\",\"url\":\"https://api.github.com/users/liatrio\"},\"private\":false,\"pulls_url\":\"https://api.github.com/repos/liatrio/gh-trusted-builds-app/pulls{/number}\",\"pushed_at\":1710531298,\"releases_url\":\"https://api.github.com/repos/liatrio/gh-trusted-builds-app/releases{/id}\",\"size\":117,\"ssh_url\":\"git@github.com:liatrio/gh-trusted-builds-app.git\",\"stargazers\":20,\"stargazers_count\":20,\"stargazers_url\":\"https://api.github.com/repos/liatrio/gh-trusted-builds-app/stargazers\",\"statuses_url\":\"https://api.github.com/repos/liatrio/gh-trusted-builds-app/statuses/{sha}\",\"subscribers_url\":\"https://api.github.com/repos/liatrio/gh-trusted-builds-app/subscribers\",\"subscription_url\":\"https://api.github.com/repos/liatrio/gh-trusted-builds-app/subscription\",\"svn_url\":\"https://github.com/liatrio/gh-trusted-builds-app\",\"tags_url\":\"https://api.github.com/repos/liatrio/gh-trusted-builds-app/tags\",\"teams_url\":\"https://api.github.com/repos/liatrio/gh-trusted-builds-app/teams\",\"topics\":[\"automated-governance\",\"noarchive\"],\"trees_url\":\"https://api.github.com/repos/liatrio/gh-trusted-builds-app/git/trees{/sha}\",\"updated_at\":\"2023-08-21T17:50:36Z\",\"url\":\"https://github.com/liatrio/gh-trusted-builds-app\",\"visibility\":\"public\",\"watchers\":20,\"watchers_count\":20,\"web_commit_signoff_required\":
false},\"sender\":{\"avatar_url\":\"https://avatars.githubusercontent.com/u/9082799?v=4\",\"events_url\":\"https://api.github.com/users/alexashley/events{/privacy}\",\"followers_url\":\"https://api.github.com/users/alexashley/followers\",\"following_url\":\"https://api.github.com/users/alexashley/following{/other_user}\",\"gists_url\":\"https://api.github.com/users/alexashley/gists{/gist_id}\",\"gravatar_id\":\"\",\"html_url\":\"https://github.com/alexashley\",\"id\":9082799,\"login\":\"alexashley\",\"node_id\":\"MDQ6VXNlcjkwODI3OTk=\",\"organizations_url\":\"https://api.github.com/users/alexashley/orgs\",\"received_events_url\":\"https://api.github.com/users/alexashley/received_events\",\"repos_url\":\"https://api.github.com/users/alexashley/repos\",\"site_admin\":false,\"starred_url\":\"https://api.github.com/users/alexashley/starred{/owner}{/repo}\",\"subscriptions_url\":\"https://api.github.com/users/alexashley/subscriptions\",\"type\":\"User\",\"url\":\"https://api.github.com/users/alexashley\"}},\"github_head_ref\":\"\",\"github_ref\":\"refs/heads/main\",\"github_ref_type\":\"branch\",\"github_repository_id\":\"643991426\",\"github_repository_owner\":\"liatrio\",\"github_repository_owner_id\":\"5726618\",\"github_run_attempt\":\"1\",\"github_run_id\":\"8301443632\",\"github_run_number\":\"150\",\"github_sha1\":\"fe9fc7ffa58e26987b13040ffac4609ed5cabf9f\"}},\"metadata\":{\"buildInvocationID\":\"8301443632-1\",\"completeness\":{\"parameters\":true,\"environment\":false,\"materials\":false},\"reproducible\":false},\"materials\":[{\"uri\":\"git+https://github.com/liatrio/gh-trusted-builds-app@refs/heads/main\",\"digest\":{\"sha1\":\"fe9fc7ffa58e26987b13040ffac4609ed5cabf9f\"}}]}}", 4 | "AttestationType": "", 5 | "Body": { 6 | "IntotoObj": { 7 | "content": { 8 | "hash": { 9 | "algorithm": "sha256", 10 | "value": "bf66066855f676c74df977444f48366a07469ecf6fcd7e336c01e43f90f90355" 11 | }, 12 | "payloadHash": { 13 | "algorithm": "sha256", 14 | "value": 
"123faf5cffc92437bc9d26a4a905dda0dea272b179c1fc523d9a088b2c148aa3" 15 | } 16 | }, 17 | "publicKey": "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" 18 | } 19 | }, 20 | "LogIndex": 21763978, 21 | "IntegratedTime": 1685119271, 22 | "UUID": "24296fb24b8ad77aa1b89ec050ab378e81752a59147a1398243d081e88512e91cee2918855ea5e16", 23 | "LogID": "c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d" 24 | } 25 | } -------------------------------------------------------------------------------- /test/trivy.json: -------------------------------------------------------------------------------- 1 | { 2 | "trivy": { 3 | "no_results": { 4 | "Attestation": "{\"_type\":\"https://in-toto.io/Statement/v0.1\",\"predicateType\":\"https://cosign.sigstore.dev/attestation/vuln/v1\",\"subject\":[{\"name\":\"agplatformrnim.azurecr.io/liatrio/gh-trusted-builds-app\",\"digest\":{\"sha256\":\"402f75059e50ca02f0b299fff18827a2d421806a1d4468319a7a3a4d73869c6f\"}}],\"predicate\":{\"invocation\":{\"parameters\":null,\"uri\":\"\",\"event_id\":\"\",\"builder.id\":\"\"},\"scanner\":{\"uri\":\"pkg:github/aquasecurity/trivy@0.38.1\",\"version\":\"0.38.1\",\"db\":{\"uri\":\"\",\"version\":\"\"},\"result\":{\"ArtifactName\":\"agplatformrnim.azurecr.io/liatrio/gh-trusted-builds-app@sha256:402f75059e50ca02f0b299fff18827a2d421806a1d4468319a7a3a4d73869c6f\",\"ArtifactType\":\"container_image\",\"Metadata\":{\"DiffIDs\":[\"sha256:494b53b7397ee2e8ff729e660f1ba82a419ba68ddb1555e0bcfd731bc98ec4d4\",\"sha256:c0930de9a53b20873ff6411f282b2144c94c61e5e1c1cd0fc5ae254064792191\"],\"ImageConfig\":{\"architecture\":\"amd64\",\"config\":{\"Entrypoint\":[\"/app/server\"],\"Env\":[\"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"],\"Labels\":{\"org.opencontainers.image.created\":\"2023-05-02T14:58:55.293Z\",\"org.opencontainers.image.description\":\"\",\"org.opencontainers.image.licenses\":\"\",\"org.opencontainers.image.revision\":\"21eafbfb102f996dcbac3d0eaf1296af8f4ca844\",\"org.opencon
tainers.image.source\":\"https://github.com/liatrio/gh-trusted-builds-app\",\"org.opencontainers.image.title\":\"gh-trusted-builds-app\",\"org.opencontainers.image.url\":\"https://github.com/liatrio/gh-trusted-builds-app\",\"org.opencontainers.image.version\":\"main\"},\"WorkingDir\":\"/app\"},\"created\":\"2023-05-02T14:59:17.367150942Z\",\"history\":[{\"comment\":\"buildkit.dockerfile.v0\",\"created\":\"2023-05-02T14:58:57Z\",\"created_by\":\"WORKDIR /app\"},{\"comment\":\"buildkit.dockerfile.v0\",\"created\":\"2023-05-02T14:59:17Z\",\"created_by\":\"COPY /app/server . # buildkit\"},{\"comment\":\"buildkit.dockerfile.v0\",\"created\":\"2023-05-02T14:59:17Z\",\"created_by\":\"ENTRYPOINT [\\\"/app/server\\\"]\",\"empty_layer\":true}],\"os\":\"linux\",\"rootfs\":{\"diff_ids\":[\"sha256:494b53b7397ee2e8ff729e660f1ba82a419ba68ddb1555e0bcfd731bc98ec4d4\",\"sha256:c0930de9a53b20873ff6411f282b2144c94c61e5e1c1cd0fc5ae254064792191\"],\"type\":\"layers\"}},\"ImageID\":\"sha256:7570a5ce737f0aa022fa5fe55231c466b05a4c8ece38f054892fa3cf8ee034e8\",\"RepoDigests\":[\"agplatformrnim.azurecr.io/liatrio/gh-trusted-builds-app@sha256:402f75059e50ca02f0b299fff18827a2d421806a1d4468319a7a3a4d73869c6f\"]},\"SchemaVersion\":2}},\"metadata\":{\"scanStartedOn\":\"2023-05-02T15:02:05.836645608Z\",\"scanFinishedOn\":\"2023-05-02T15:02:05.836645608Z\"}}}", 5 | "AttestationType": "", 6 | "Body": { 7 | "IntotoObj": { 8 | "content": { 9 | "hash": { 10 | "algorithm": "sha256", 11 | "value": "d1b5f671aaad435609efd2b152a9613b044d4f1a701d9f83cf2747a024932321" 12 | }, 13 | "payloadHash": { 14 | "algorithm": "sha256", 15 | "value": "a312c77afbc33e5400a4f8db3a4e2b3de190b22b0601a9b70ad131dac85104fc" 16 | } 17 | }, 18 | "publicKey": "LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFQjFDNURoOGxsSzhxSnpNcFMvN3FINUR3dDZGMgp6SDlPNGNrYjVkSTYxQnF3RzZJbENBcmt1bkc0Vi9PcEltQU04TEtXTGtnYjVzV2dPbkFheU5VWlFnPT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg==" 19 | } 20 | }, 21 | "LogIndex": 8, 
22 | "IntegratedTime": 1683039741, 23 | "UUID": "426935e4def3c6005d936f3cb85c5b308c66c8f1d834776a484dc93362cac9197edcdef7f0d0b004", 24 | "LogID": "aa734d09eae60ff0e521e84664a110b60d376f8a02385ab6e41453a0083a3d8b" 25 | }, 26 | "medium_pkg_result": { 27 | "Attestation": "{\"_type\":\"https://in-toto.io/Statement/v0.1\",\"predicateType\":\"https://cosign.sigstore.dev/attestation/vuln/v1\",\"subject\":[{\"name\":\"python\",\"digest\":{\"sha256\":\"f7d35c5f1d87557577a4787169a698f5b9d71534348ca50e902594a8191909f3\"}}],\"predicate\":{\"invocation\":{\"parameters\":null,\"uri\":\"\",\"event_id\":\"\",\"builder.id\":\"\"},\"scanner\":{\"uri\":\"pkg:github/aquasecurity/trivy@0.40.0\",\"version\":\"0.40.0\",\"db\":{\"uri\":\"\",\"version\":\"\"},\"result\":{\"SchemaVersion\":2,\"ArtifactName\":\"python:3.7-alpine\",\"ArtifactType\":\"container_image\",\"Metadata\":{\"OS\":{\"Family\":\"alpine\",\"Name\":\"3.17.3\"},\"ImageID\":\"sha256:f7d35c5f1d87557577a4787169a698f5b9d71534348ca50e902594a8191909f3\",\"DiffIDs\":[\"sha256:f1417ff83b319fbdae6dd9cd6d8c9c88002dcd75ecf6ec201c8c6894681cf2b5\",\"sha256:afe664e556196edf8dea8f027f4a6621dc701929509584d4110b12c6c1ed15d8\",\"sha256:93e5e799dc5bc2210c0e6b7584b8e676308fa225dca54b4805b7c0719bd1dc60\",\"sha256:6088fa36d84dde6d49690a282002db8f3bbde0b552ebe2be9df8e0d4ddf6a298\",\"sha256:a1d14deee6280465912ef84fc9c134031cb6c253e79d0a3a29976da5144cc69f\"],\"RepoTags\":[\"python:3.7-alpine\"],\"RepoDigests\":[\"python@sha256:33dce7ad3eda495861d313e013778da4d72a5d0e2e3e88955a3afae3202bec6f\"],\"ImageConfig\":{\"architecture\":\"amd64\",\"created\":\"2023-04-28T22:20:40Z\",\"history\":[{\"created\":\"2023-03-29T18:19:24.348438709Z\",\"created_by\":\"/bin/sh -c #(nop) ADD file:9a4f77dfaba7fd2aa78186e4ef0e7486ad55101cefc1fabbc1b385601bb38920 in / \"},{\"created\":\"2023-03-29T18:19:24.45578926Z\",\"created_by\":\"/bin/sh -c #(nop) CMD [\\\"/bin/sh\\\"]\",\"empty_layer\":true},{\"created\":\"2023-04-28T22:20:40Z\",\"created_by\":\"ENV 
PATH=/usr/local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\",\"comment\":\"buildkit.dockerfile.v0\",\"empty_layer\":true},{\"created\":\"2023-04-28T22:20:40Z\",\"created_by\":\"ENV LANG=C.UTF-8\",\"comment\":\"buildkit.dockerfile.v0\",\"empty_layer\":true},{\"created\":\"2023-04-28T22:20:40Z\",\"created_by\":\"RUN /bin/sh -c set -eux; \\tapk add --no-cache \\t\\tca-certificates \\t\\ttzdata \\t; # buildkit\",\"comment\":\"buildkit.dockerfile.v0\"},{\"created\":\"2023-04-28T22:20:40Z\",\"created_by\":\"ENV GPG_KEY=0D96DF4D4110E5C43FBFB17F2D347EA6AA65421D\",\"comment\":\"buildkit.dockerfile.v0\",\"empty_layer\":true},{\"created\":\"2023-04-28T22:20:40Z\",\"created_by\":\"ENV PYTHON_VERSION=3.7.16\",\"comment\":\"buildkit.dockerfile.v0\",\"empty_layer\":true},{\"created\":\"2023-04-28T22:20:40Z\",\"created_by\":\"RUN /bin/sh -c set -eux; \\t\\tapk add --no-cache --virtual .build-deps \\t\\tgnupg \\t\\ttar \\t\\txz \\t\\t\\t\\tbluez-dev \\t\\tbzip2-dev \\t\\tdpkg-dev dpkg \\t\\texpat-dev \\t\\tfindutils \\t\\tgcc \\t\\tgdbm-dev \\t\\tlibc-dev \\t\\tlibffi-dev \\t\\tlibnsl-dev \\t\\tlibtirpc-dev \\t\\tlinux-headers \\t\\tmake \\t\\tncurses-dev \\t\\topenssl-dev \\t\\tpax-utils \\t\\treadline-dev \\t\\tsqlite-dev \\t\\ttcl-dev \\t\\ttk \\t\\ttk-dev \\t\\tutil-linux-dev \\t\\txz-dev \\t\\tzlib-dev \\t; \\t\\twget -O python.tar.xz \\\"https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz\\\"; \\twget -O python.tar.xz.asc \\\"https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc\\\"; \\tGNUPGHOME=\\\"$(mktemp -d)\\\"; export GNUPGHOME; \\tgpg --batch --keyserver hkps://keys.openpgp.org --recv-keys \\\"$GPG_KEY\\\"; \\tgpg --batch --verify python.tar.xz.asc python.tar.xz; \\tgpgconf --kill all; \\trm -rf \\\"$GNUPGHOME\\\" python.tar.xz.asc; \\tmkdir -p /usr/src/python; \\ttar --extract --directory /usr/src/python --strip-components=1 --file python.tar.xz; \\trm python.tar.xz; 
\\t\\tcd /usr/src/python; \\tgnuArch=\\\"$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)\\\"; \\t./configure \\t\\t--build=\\\"$gnuArch\\\" \\t\\t--enable-loadable-sqlite-extensions \\t\\t--enable-optimizations \\t\\t--enable-option-checking=fatal \\t\\t--enable-shared \\t\\t--with-system-expat \\t\\t--without-ensurepip \\t; \\tnproc=\\\"$(nproc)\\\"; \\tEXTRA_CFLAGS=\\\"-DTHREAD_STACK_SIZE=0x100000\\\"; \\tLDFLAGS=\\\"${LDFLAGS:--Wl},--strip-all\\\"; \\tPROFILE_TASK='-m test.regrtest --pgo \\t\\ttest_array \\t\\ttest_base64 \\t\\ttest_binascii \\t\\ttest_binhex \\t\\ttest_binop \\t\\ttest_bytes \\t\\ttest_c_locale_coercion \\t\\ttest_class \\t\\ttest_cmath \\t\\ttest_codecs \\t\\ttest_compile \\t\\ttest_complex \\t\\ttest_csv \\t\\ttest_decimal \\t\\ttest_dict \\t\\ttest_float \\t\\ttest_fstring \\t\\ttest_hashlib \\t\\ttest_io \\t\\ttest_iter \\t\\ttest_json \\t\\ttest_long \\t\\ttest_math \\t\\ttest_memoryview \\t\\ttest_pickle \\t\\ttest_re \\t\\ttest_set \\t\\ttest_slice \\t\\ttest_struct \\t\\ttest_threading \\t\\ttest_time \\t\\ttest_traceback \\t\\ttest_unicode \\t'; \\tmake -j \\\"$nproc\\\" \\t\\t\\\"EXTRA_CFLAGS=${EXTRA_CFLAGS:-}\\\" \\t\\t\\\"LDFLAGS=${LDFLAGS:-}\\\" \\t\\t\\\"PROFILE_TASK=${PROFILE_TASK:-}\\\" \\t; \\trm python; \\tmake -j \\\"$nproc\\\" \\t\\t\\\"EXTRA_CFLAGS=${EXTRA_CFLAGS:-}\\\" \\t\\t\\\"LDFLAGS=${LDFLAGS:--Wl},-rpath='\\\\$\\\\$ORIGIN/../lib'\\\" \\t\\t\\\"PROFILE_TASK=${PROFILE_TASK:-}\\\" \\t\\tpython \\t; \\tmake install; \\t\\tcd /; \\trm -rf /usr/src/python; \\t\\tfind /usr/local -depth \\t\\t\\\\( \\t\\t\\t\\\\( -type d -a \\\\( -name test -o -name tests -o -name idle_test \\\\) \\\\) \\t\\t\\t-o \\\\( -type f -a \\\\( -name '*.pyc' -o -name '*.pyo' -o -name 'libpython*.a' \\\\) \\\\) \\t\\t\\t-o \\\\( -type f -a -name 'wininst-*.exe' \\\\) \\t\\t\\\\) -exec rm -rf '{}' + \\t; \\t\\tfind /usr/local -type f -executable -not \\\\( -name '*tkinter*' \\\\) -exec scanelf --needed --nobanner --format '%n#p' '{}' ';' \\t\\t| tr ',' 
'\\\\n' \\t\\t| sort -u \\t\\t| awk 'system(\\\"[ -e /usr/local/lib/\\\" $1 \\\" ]\\\") == 0 { next } { print \\\"so:\\\" $1 }' \\t\\t| xargs -rt apk add --no-network --virtual .python-rundeps \\t; \\tapk del --no-network .build-deps; \\t\\tpython3 --version # buildkit\",\"comment\":\"buildkit.dockerfile.v0\"},{\"created\":\"2023-04-28T22:20:40Z\",\"created_by\":\"RUN /bin/sh -c set -eux; \\tfor src in idle3 pydoc3 python3 python3-config; do \\t\\tdst=\\\"$(echo \\\"$src\\\" | tr -d 3)\\\"; \\t\\t[ -s \\\"/usr/local/bin/$src\\\" ]; \\t\\t[ ! -e \\\"/usr/local/bin/$dst\\\" ]; \\t\\tln -svT \\\"$src\\\" \\\"/usr/local/bin/$dst\\\"; \\tdone # buildkit\",\"comment\":\"buildkit.dockerfile.v0\"},{\"created\":\"2023-04-28T22:20:40Z\",\"created_by\":\"ENV PYTHON_PIP_VERSION=22.0.4\",\"comment\":\"buildkit.dockerfile.v0\",\"empty_layer\":true},{\"created\":\"2023-04-28T22:20:40Z\",\"created_by\":\"ENV PYTHON_SETUPTOOLS_VERSION=57.5.0\",\"comment\":\"buildkit.dockerfile.v0\",\"empty_layer\":true},{\"created\":\"2023-04-28T22:20:40Z\",\"created_by\":\"ENV PYTHON_GET_PIP_URL=https://github.com/pypa/get-pip/raw/0d8570dc44796f4369b652222cf176b3db6ac70e/public/get-pip.py\",\"comment\":\"buildkit.dockerfile.v0\",\"empty_layer\":true},{\"created\":\"2023-04-28T22:20:40Z\",\"created_by\":\"ENV PYTHON_GET_PIP_SHA256=96461deced5c2a487ddc65207ec5a9cffeca0d34e7af7ea1afc470ff0d746207\",\"comment\":\"buildkit.dockerfile.v0\",\"empty_layer\":true},{\"created\":\"2023-04-28T22:20:40Z\",\"created_by\":\"RUN /bin/sh -c set -eux; \\t\\twget -O get-pip.py \\\"$PYTHON_GET_PIP_URL\\\"; \\techo \\\"$PYTHON_GET_PIP_SHA256 *get-pip.py\\\" | sha256sum -c -; \\t\\texport PYTHONDONTWRITEBYTECODE=1; \\t\\tpython get-pip.py \\t\\t--disable-pip-version-check \\t\\t--no-cache-dir \\t\\t--no-compile \\t\\t\\\"pip==$PYTHON_PIP_VERSION\\\" \\t\\t\\\"setuptools==$PYTHON_SETUPTOOLS_VERSION\\\" \\t; \\trm -f get-pip.py; \\t\\tpip --version # 
buildkit\",\"comment\":\"buildkit.dockerfile.v0\"},{\"created\":\"2023-04-28T22:20:40Z\",\"created_by\":\"CMD [\\\"python3\\\"]\",\"comment\":\"buildkit.dockerfile.v0\",\"empty_layer\":true}],\"os\":\"linux\",\"rootfs\":{\"type\":\"layers\",\"diff_ids\":[\"sha256:f1417ff83b319fbdae6dd9cd6d8c9c88002dcd75ecf6ec201c8c6894681cf2b5\",\"sha256:afe664e556196edf8dea8f027f4a6621dc701929509584d4110b12c6c1ed15d8\",\"sha256:93e5e799dc5bc2210c0e6b7584b8e676308fa225dca54b4805b7c0719bd1dc60\",\"sha256:6088fa36d84dde6d49690a282002db8f3bbde0b552ebe2be9df8e0d4ddf6a298\",\"sha256:a1d14deee6280465912ef84fc9c134031cb6c253e79d0a3a29976da5144cc69f\"]},\"config\":{\"Cmd\":[\"python3\"],\"Env\":[\"PATH=/usr/local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\",\"LANG=C.UTF-8\",\"GPG_KEY=0D96DF4D4110E5C43FBFB17F2D347EA6AA65421D\",\"PYTHON_VERSION=3.7.16\",\"PYTHON_PIP_VERSION=22.0.4\",\"PYTHON_SETUPTOOLS_VERSION=57.5.0\",\"PYTHON_GET_PIP_URL=https://github.com/pypa/get-pip/raw/0d8570dc44796f4369b652222cf176b3db6ac70e/public/get-pip.py\",\"PYTHON_GET_PIP_SHA256=96461deced5c2a487ddc65207ec5a9cffeca0d34e7af7ea1afc470ff0d746207\"],\"ArgsEscaped\":true}}},\"Results\":[{\"Target\":\"python:3.7-alpine (alpine 3.17.3)\",\"Class\":\"os-pkgs\",\"Type\":\"alpine\"},{\"Target\":\"Python\",\"Class\":\"lang-pkgs\",\"Type\":\"python-pkg\",\"Vulnerabilities\":[{\"VulnerabilityID\":\"CVE-2022-40897\",\"PkgName\":\"setuptools\",\"PkgPath\":\"usr/local/lib/python3.7/site-packages/setuptools-57.5.0.dist-info/METADATA\",\"InstalledVersion\":\"57.5.0\",\"FixedVersion\":\"65.5.1\",\"Layer\":{\"Digest\":\"sha256:ad0355c9dd27f6c84fe5f53ae9339581144a02d9823286e8b771871e90af5156\",\"DiffID\":\"sha256:a1d14deee6280465912ef84fc9c134031cb6c253e79d0a3a29976da5144cc69f\"},\"SeveritySource\":\"nvd\",\"PrimaryURL\":\"https://avd.aquasec.com/nvd/cve-2022-40897\",\"DataSource\":{\"ID\":\"osv\",\"Name\":\"Python Packaging Advisory 
Database\",\"URL\":\"https://github.com/pypa/advisory-db\"},\"Title\":\"Regular Expression Denial of Service (ReDoS) in package_index.py\",\"Description\":\"Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py.\",\"Severity\":\"MEDIUM\",\"CVSS\":{\"ghsa\":{\"V3Vector\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"V3Score\":7.5},\"nvd\":{\"V3Vector\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"V3Score\":5.9},\"redhat\":{\"V3Vector\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"V3Score\":5.9}},\"References\":[\"https://access.redhat.com/errata/RHSA-2023:0952\",\"https://access.redhat.com/security/cve/CVE-2022-40897\",\"https://bugzilla.redhat.com/2158559\",\"https://bugzilla.redhat.com/show_bug.cgi?id=2158559\",\"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40897\",\"https://errata.almalinux.org/9/ALSA-2023-0952.html\",\"https://errata.rockylinux.org/RLSA-2023:0835\",\"https://github.com/advisories/GHSA-r9hx-vwmv-q579\",\"https://github.com/pypa/setuptools/blob/fe8a98e696241487ba6ac9f91faa38ade939ec5d/setuptools/package_index.py#L200\",\"https://github.com/pypa/setuptools/commit/43a9c9bfa6aa626ec2a22540bea28d2ca77964be\",\"https://github.com/pypa/setuptools/compare/v65.5.0...v65.5.1\",\"https://github.com/pypa/setuptools/issues/3659\",\"https://linux.oracle.com/cve/CVE-2022-40897.html\",\"https://linux.oracle.com/errata/ELSA-2023-0952.html\",\"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ADES3NLOE5QJKBLGNZNI2RGVOSQXA37R/\",\"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YNA2BAH2ACBZ4TVJZKFLCR7L23BG5C3H/\",\"https://nvd.nist.gov/vuln/detail/CVE-2022-40897\",\"https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages/\",\"https:/
/pyup.io/vulnerabilities/CVE-2022-40897/52495/\",\"https://security.netapp.com/advisory/ntap-20230214-0001/\",\"https://setuptools.pypa.io/en/latest/\",\"https://ubuntu.com/security/notices/USN-5817-1\",\"https://www.cve.org/CVERecord?id=CVE-2022-40897\"],\"PublishedDate\":\"2022-12-23T00:15:00Z\",\"LastModifiedDate\":\"2023-05-01T06:15:00Z\"}]}]}},\"metadata\":{\"scanStartedOn\":\"2023-05-04T08:38:55.768079-05:00\",\"scanFinishedOn\":\"2023-05-04T08:38:55.768079-05:00\"}}}", 28 | "AttestationType": "", 29 | "Body": { 30 | "IntotoObj": { 31 | "content": { 32 | "hash": { 33 | "algorithm": "sha256", 34 | "value": "d1b5f671aaad435609efd2b152a9613b044d4f1a701d9f83cf2747a024932321" 35 | }, 36 | "payloadHash": { 37 | "algorithm": "sha256", 38 | "value": "a312c77afbc33e5400a4f8db3a4e2b3de190b22b0601a9b70ad131dac85104fc" 39 | } 40 | }, 41 | "publicKey": "LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFQjFDNURoOGxsSzhxSnpNcFMvN3FINUR3dDZGMgp6SDlPNGNrYjVkSTYxQnF3RzZJbENBcmt1bkc0Vi9PcEltQU04TEtXTGtnYjVzV2dPbkFheU5VWlFnPT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg==" 42 | } 43 | }, 44 | "LogIndex": 8, 45 | "IntegratedTime": 1683039741, 46 | "UUID": "426935e4def3c6005d936f3cb85c5b308c66c8f1d834776a484dc93362cac9197edcdef7f0d0b004", 47 | "LogID": "aa734d09eae60ff0e521e84664a110b60d376f8a02385ab6e41453a0083a3d8b" 48 | } 49 | } 50 | } 51 | --------------------------------------------------------------------------------