Adding reviewers to in-toto attestation #263
Comments
This currently doesn't exist in the predicate format. There has been some discussion around whether it should exist in the provenance predicate or if it should exist in a different one.
I think this fits best with the idea of a source attestation. A data description of source metadata would be the perfect place to provide code reviewers as well as authors and properties of the source system itself. See Tom's post and doc on the subject: #241 (comment)
Also see in-toto/attestation#77
Yeah, I don't think this is a SLSA issue, it's an in-toto attestation one. Let's move it there.
Marking as closed since the consensus seems to be that this is best handled as a "chain" of attestations: the provenance says "artifact X was built from commit Y", and a review attestation says "commit Y was reviewed by party Z". Thus to see if artifact X was reviewed, you'd chain them together.
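Policy-side chaining of the two attestations described in the closing comment above, as an added example (not code from the SLSA or in-toto projects): a verifier walks artifact X to commit Y via the provenance's materials, then to party Z via a review attestation whose subject is that commit. The review predicate type, the `example.invalid` URIs and all digests are constructed placeholders.

```python
# Chains two in-toto Statements (envelope https://in-toto.io/Statement/v0.1):
# a SLSA v0.2 provenance ("artifact X built from commit Y") and a review
# attestation ("commit Y reviewed by party Z"); REVIEW_TYPE is a constructed placeholder.
PROVENANCE_TYPE = "https://slsa.dev/provenance/v0.2"
REVIEW_TYPE = "https://example.invalid/code-review/v0.1"  # hypothetical

ARTIFACT = "aa" * 32  # constructed sha256 of the built image
COMMIT = "bb" * 20    # constructed sha1 of the source commit
PROVENANCE = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "subject": [{"name": "registry.example/app", "digest": {"sha256": ARTIFACT}}],
    "predicateType": PROVENANCE_TYPE,
    "predicate": {"materials": [
        {"uri": "git+https://example.invalid/org/repo", "digest": {"sha1": COMMIT}}]},
}
REVIEW = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "subject": [{"name": "git+https://example.invalid/org/repo", "digest": {"sha1": COMMIT}}],
    "predicateType": REVIEW_TYPE,
    "predicate": {"reviewers": ["party-z@example.invalid"], "approved": True},
}

def subject_digests(stmt, algo):
    """All subject digests of one algorithm in a Statement."""
    return {s["digest"][algo] for s in stmt.get("subject", []) if algo in s.get("digest", {})}

def source_commits(provenance, artifact_sha256):
    """sha1 of each git material in a provenance whose subject is the artifact."""
    if (provenance.get("predicateType") != PROVENANCE_TYPE
            or artifact_sha256 not in subject_digests(provenance, "sha256")):
        return set()
    return {m["digest"]["sha1"] for m in provenance["predicate"].get("materials", [])
            if m.get("uri", "").startswith("git+") and "sha1" in m.get("digest", {})}

def reviewers_for_artifact(artifact_sha256, provenances, reviews):
    """Follow artifact -> commit(s) -> approving reviewers; None if no provenance
    covers the artifact or any source commit lacks an approving review."""
    commits = set().union(*(source_commits(p, artifact_sha256) for p in provenances))
    if not commits:
        return None
    found = set()
    for commit in commits:
        approvals = [r for r in reviews if r.get("predicateType") == REVIEW_TYPE
                     and commit in subject_digests(r, "sha1")
                     and r["predicate"].get("approved") is True]
        if not approvals:
            return None  # an unreviewed commit breaks the chain
        for r in approvals:
            found.update(r["predicate"].get("reviewers", []))
    return sorted(found)
```

In a real deployment both Statements would arrive inside signed DSSE envelopes and the signer identities would be checked before the predicates are trusted; this block only shows the linking step.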
Within the current provenance predicate format, is there already a way to add the reviewers' identities to the attestation, so it can be made clear who approved the PR that merged the code additions for said iteration of the image?
Something along the lines of what I am looking to do is seen in the Kyverno documentation here.
Thanks 😄