
Adding reviewers to in-toto attestation #263

Closed
ChaosInTheCRD opened this issue Jan 10, 2022 · 5 comments
Labels
attestation Updates to attestation formats

Comments

@ChaosInTheCRD

ChaosInTheCRD commented Jan 10, 2022

Within the current provenance predicate format, is there already a way to add the reviewers' identities to the attestation, so it can be made clear who approved the PR that merged the code additions for said iteration of the image?

Something along the lines of what I am looking to do is seen in the Kyverno documentation here.

Thanks 😄

@mlieberman85
Member

This currently doesn't exist in the predicate format. There has been some discussion around whether it should exist in the provenance predicate or if it should exist in a different one.

@msuozzo
Contributor

msuozzo commented Jan 10, 2022

I think this fits best with the idea of a source attestation. A data description of source metadata would be the perfect place to provide code reviewers as well as authors and properties of the source system itself. See Tom's post and doc on the subject: #241 (comment)

@TomHennen
Contributor

Also see in-toto/attestation#77

@trishankatdatadog
Member

Also see in-toto/attestation#77

Yeah, I don't think this is a SLSA issue, it's an in-toto attestation one. Let's move it there.

@MarkLodato MarkLodato added the attestation Updates to attestation formats label Jan 27, 2022
@MarkLodato
Member

Marking as closed since the consensus seems to be that this is best handled as a "chain" of attestations: the provenance says "artifact X was built from commit Y", and a review attestation says "commit Y was reviewed by party Z". Thus, to see if artifact X was reviewed, you'd chain them together.
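The chaining described in the closing comment, as an added example that is not part of this thread or of the SLSA/in-toto projects: a policy check that walks artifact -> provenance -> source commit -> review attestation -> reviewers over constructed in-toto Statements. It assumes SLSA provenance v0.2 (which lists the source commit under `materials`), a hypothetical review predicate type (`https://example.com/review/v0.1`, not a real in-toto predicate), and that DSSE signature verification of each statement has already been done.

```python
PROVENANCE_TYPE = "https://slsa.dev/provenance/v0.2"
REVIEW_TYPE = "https://example.com/review/v0.1"  # hypothetical, not a real predicate

# Constructed sample statements (signature verification assumed done already).
# Provenance: "artifact X was built from commit Y" (commit Y sits in materials).
PROVENANCE = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "subject": [{"name": "registry.example/app", "digest": {"sha256": "aaaa1111"}}],
    "predicateType": PROVENANCE_TYPE,
    "predicate": {"materials": [
        {"uri": "git+https://github.com/example/app", "digest": {"sha1": "bbbb2222"}}]},
}
# Review: "commit Y was reviewed by party Z" (hypothetical predicate layout).
REVIEW = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "subject": [{"name": "git+https://github.com/example/app", "digest": {"sha1": "bbbb2222"}}],
    "predicateType": REVIEW_TYPE,
    "predicate": {"reviewers": ["alice@example.com"], "approved": True},
}

def _subject_has(stmt, alg, digest):
    # True if any subject of the statement carries this digest under `alg`.
    return any(s.get("digest", {}).get(alg) == digest for s in stmt.get("subject", []))

def source_commits(prov):
    """sha1 of every git material listed in a provenance statement."""
    return [m["digest"]["sha1"] for m in prov["predicate"].get("materials", [])
            if m.get("uri", "").startswith("git+") and "sha1" in m.get("digest", {})]

def reviewers_for_artifact(artifact_sha256, attestations):
    """Chain artifact -> provenance -> commit -> review -> reviewers. Returns the
    reviewers of all source commits, or None if any link is missing (fail closed)."""
    provs = [a for a in attestations
             if a["predicateType"] == PROVENANCE_TYPE and _subject_has(a, "sha256", artifact_sha256)]
    reviews = [a for a in attestations if a["predicateType"] == REVIEW_TYPE]
    if not provs:
        return None  # no provenance: we cannot even learn the commit
    reviewers = set()
    for prov in provs:
        commits = source_commits(prov)
        if not commits:
            return None  # provenance without a git material breaks the chain
        for sha1 in commits:
            ok = [r for r in reviews
                  if _subject_has(r, "sha1", sha1) and r["predicate"].get("approved") is True]
            if not ok:
                return None  # an unreviewed commit means the artifact is not reviewed
            for r in ok:
                reviewers.update(r["predicate"].get("reviewers", []))
    return reviewers
```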
