Spector is both tooling and a library for the generation, validation and verification of supply chain metadata documents and frameworks. Many tools generate non-compliant SBOMs or attestations. It currently supports
You can include spector as a library when writing generators for SLSA or other supported document types. It can provide the serialization & deserialization for SLSA attestations, assuring that they are properly to spec before you go further in the process.
Spector is still early on and doesn't have an official release yet.
You can run:
cargo run validate in-toto-v1 --predicate slsa-provenance-v1 --file tests/fixtures/slsa_provenance_v1.jsonYou can replace the slsa_provenance_v1.json with another in-toto statement and even an invalid one to verify the correctness of the document.
Spector is written in Rust, and built with cargo
Check out the code and run cargo build or cargo test.