git.stella-ops.org/docs/schemas/attestation-pointer.schema.json

{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "$id": "https://stella-ops.org/schemas/attestation-pointer.schema.json",
  "title": "StellaOps Attestation Pointer Schema",
  "description": "Schema for attestation pointers linking findings to verification reports and attestation envelopes. Unblocks LEDGER-ATTEST-73-001 and 73-002.",
  "type": "object",
  "definitions": {
    "AttestationPointer": {
      "type": "object",
      "description": "Pointer from a finding to its related attestation artifacts",
      "required": ["pointer_id", "finding_id", "attestation_type", "created_at"],
      "properties": {
        "pointer_id": {
          "type": "string",
          "format": "uuid",
          "description": "Unique identifier for this pointer"
        },
        "finding_id": {
          "type": "string",
          "format": "uuid",
          "description": "Finding this pointer references"
        },
        "attestation_type": {
          "type": "string",
          "enum": [
            "verification_report",
            "dsse_envelope",
            "slsa_provenance",
            "vex_attestation",
            "sbom_attestation",
            "scan_attestation",
            "policy_attestation",
            "approval_attestation"
          ],
          "description": "Type of attestation being pointed to"
        },
        "attestation_ref": {
          "$ref": "#/definitions/AttestationRef"
        },
        "relationship": {
          "type": "string",
          "enum": ["verified_by", "attested_by", "signed_by", "approved_by", "derived_from"],
          "description": "Semantic relationship to the attestation"
        },
        "verification_result": {
          "$ref": "#/definitions/VerificationResult"
        },
        "created_at": {
          "type": "string",
          "format": "date-time"
        },
        "created_by": {
          "type": "string",
          "description": "Service or user that created the pointer"
        },
        "metadata": {
          "type": "object",
          "additionalProperties": true
        }
      }
    },
    "AttestationRef": {
      "type": "object",
      "description": "Reference to an attestation artifact",
      "required": ["digest"],
      "properties": {
        "attestation_id": {
          "type": "string",
          "format": "uuid"
        },
        "digest": {
          "type": "string",
          "pattern": "^sha256:[a-f0-9]{64}$",
          "description": "Content-addressable digest of the attestation"
        },
        "storage_uri": {
          "type": "string",
          "format": "uri",
          "description": "URI to retrieve the attestation"
        },
        "payload_type": {
          "type": "string",
          "description": "DSSE payload type (e.g., application/vnd.in-toto+json)"
        },
        "predicate_type": {
          "type": "string",
          "description": "in-toto predicate type URI"
        },
        "subject_digests": {
          "type": "array",
          "items": {
            "type": "string",
            "pattern": "^sha256:[a-f0-9]{64}$"
          },
          "description": "Digests of subjects this attestation covers"
        },
        "signer_info": {
          "$ref": "#/definitions/SignerInfo"
        },
        "rekor_entry": {
          "$ref": "#/definitions/RekorEntryRef"
        }
      }
    },
    "SignerInfo": {
      "type": "object",
      "description": "Information about the attestation signer",
      "properties": {
        "key_id": {
          "type": "string",
          "description": "Key identifier"
        },
        "issuer": {
          "type": "string",
          "description": "Certificate issuer (for Fulcio keyless signing)"
        },
        "subject": {
          "type": "string",
          "description": "Certificate subject (email, OIDC identity)"
        },
        "certificate_chain": {
          "type": "array",
          "items": {
            "type": "string"
          },
          "description": "PEM-encoded certificate chain"
        },
        "signed_at": {
          "type": "string",
          "format": "date-time"
        }
      }
    },
    "RekorEntryRef": {
      "type": "object",
      "description": "Reference to Rekor transparency log entry",
      "properties": {
        "log_index": {
          "type": "integer",
          "minimum": 0
        },
        "log_id": {
          "type": "string"
        },
        "uuid": {
          "type": "string",
          "pattern": "^[a-f0-9]{64}$"
        },
        "integrated_time": {
          "type": "integer",
          "description": "Unix timestamp of log entry"
        }
      }
    },
    "VerificationResult": {
      "type": "object",
      "description": "Result of attestation verification",
      "required": ["verified", "verified_at"],
      "properties": {
        "verified": {
          "type": "boolean",
          "description": "Whether verification passed"
        },
        "verified_at": {
          "type": "string",
          "format": "date-time"
        },
        "verifier": {
          "type": "string",
          "description": "Service that performed verification"
        },
        "verifier_version": {
          "type": "string"
        },
        "policy_ref": {
          "type": "string",
          "description": "Reference to verification policy used"
        },
        "checks": {
          "type": "array",
          "items": {
            "$ref": "#/definitions/VerificationCheck"
          }
        },
        "warnings": {
          "type": "array",
          "items": {
            "type": "string"
          }
        },
        "errors": {
          "type": "array",
          "items": {
            "type": "string"
          }
        }
      }
    },
    "VerificationCheck": {
      "type": "object",
      "description": "Individual verification check result",
      "required": ["check_type", "passed"],
      "properties": {
        "check_type": {
          "type": "string",
          "enum": [
            "signature_valid",
            "certificate_valid",
            "certificate_not_expired",
            "certificate_not_revoked",
            "rekor_entry_valid",
            "timestamp_valid",
            "policy_met",
            "identity_verified",
            "issuer_trusted"
          ]
        },
        "passed": {
          "type": "boolean"
        },
        "details": {
          "type": "string"
        },
        "evidence": {
          "type": "object",
          "additionalProperties": true
        }
      }
    },
    "VerificationReport": {
      "type": "object",
      "description": "Full verification report for a finding",
      "required": ["report_id", "finding_id", "created_at", "overall_result"],
      "properties": {
        "report_id": {
          "type": "string",
          "format": "uuid"
        },
        "finding_id": {
          "type": "string",
          "format": "uuid"
        },
        "created_at": {
          "type": "string",
          "format": "date-time"
        },
        "overall_result": {
          "type": "string",
          "enum": ["passed", "failed", "partial", "not_applicable"]
        },
        "attestation_results": {
          "type": "array",
          "items": {
            "$ref": "#/definitions/AttestationVerificationResult"
          }
        },
        "policy_evaluations": {
          "type": "array",
          "items": {
            "$ref": "#/definitions/PolicyEvaluationResult"
          }
        },
        "summary": {
          "type": "string"
        },
        "recommendations": {
          "type": "array",
          "items": {
            "type": "string"
          }
        }
      }
    },
    "AttestationVerificationResult": {
      "type": "object",
      "description": "Verification result for a specific attestation",
      "required": ["attestation_ref", "verification_result"],
      "properties": {
        "attestation_ref": {
          "$ref": "#/definitions/AttestationRef"
        },
        "verification_result": {
          "$ref": "#/definitions/VerificationResult"
        },
        "relevance": {
          "type": "string",
          "enum": ["primary", "supporting", "contextual"],
          "description": "How relevant this attestation is to the finding"
        }
      }
    },
    "PolicyEvaluationResult": {
      "type": "object",
      "description": "Result of policy evaluation against attestations",
      "required": ["policy_id", "result"],
      "properties": {
        "policy_id": {
          "type": "string"
        },
        "policy_name": {
          "type": "string"
        },
        "policy_version": {
          "type": "string"
        },
        "result": {
          "type": "string",
          "enum": ["passed", "failed", "skipped", "error"]
        },
        "reason": {
          "type": "string"
        },
        "attestations_evaluated": {
          "type": "array",
          "items": {
            "type": "string"
          },
          "description": "Attestation IDs evaluated by this policy"
        }
      }
    },
    "DsseEnvelope": {
      "type": "object",
      "description": "DSSE envelope containing attestation",
      "required": ["payloadType", "payload", "signatures"],
      "properties": {
        "payloadType": {
          "type": "string",
          "description": "MIME type of payload"
        },
        "payload": {
          "type": "string",
          "contentEncoding": "base64",
          "description": "Base64-encoded payload"
        },
        "signatures": {
          "type": "array",
          "items": {
            "$ref": "#/definitions/DsseSignature"
          },
          "minItems": 1
        }
      }
    },
    "DsseSignature": {
      "type": "object",
      "description": "Signature on DSSE envelope",
      "required": ["sig"],
      "properties": {
        "keyid": {
          "type": "string"
        },
        "sig": {
          "type": "string",
          "contentEncoding": "base64"
        },
        "cert": {
          "type": "string",
          "contentEncoding": "base64",
          "description": "Fulcio certificate for keyless signing"
        }
      }
    },
    "AttestationSearchQuery": {
      "type": "object",
      "description": "Query for searching attestations by finding criteria",
      "properties": {
        "finding_ids": {
          "type": "array",
          "items": {
            "type": "string",
            "format": "uuid"
          }
        },
        "attestation_types": {
          "type": "array",
          "items": {
            "type": "string"
          }
        },
        "verification_status": {
          "type": "string",
          "enum": ["verified", "unverified", "failed", "any"]
        },
        "created_after": {
          "type": "string",
          "format": "date-time"
        },
        "created_before": {
          "type": "string",
          "format": "date-time"
        },
        "signer_identity": {
          "type": "string",
          "description": "Filter by signer email or identity"
        },
        "predicate_type": {
          "type": "string",
          "description": "Filter by in-toto predicate type"
        }
      }
    },
    "AttestationSearchResult": {
      "type": "object",
      "description": "Result of attestation search",
      "required": ["pointers", "total_count"],
      "properties": {
        "pointers": {
          "type": "array",
          "items": {
            "$ref": "#/definitions/AttestationPointer"
          }
        },
        "total_count": {
          "type": "integer",
          "minimum": 0
        },
        "next_page_token": {
          "type": "string"
        }
      }
    },
    "FindingAttestationSummary": {
      "type": "object",
      "description": "Summary of attestations for a finding",
      "required": ["finding_id", "attestation_count"],
      "properties": {
        "finding_id": {
          "type": "string",
          "format": "uuid"
        },
        "attestation_count": {
          "type": "integer",
          "minimum": 0
        },
        "verified_count": {
          "type": "integer",
          "minimum": 0
        },
        "latest_attestation": {
          "type": "string",
          "format": "date-time"
        },
        "attestation_types": {
          "type": "array",
          "items": {
            "type": "string"
          }
        },
        "overall_verification_status": {
          "type": "string",
          "enum": ["all_verified", "partially_verified", "none_verified", "no_attestations"]
        }
      }
    }
  },
  "properties": {
    "pointers": {
      "type": "array",
      "items": {
        "$ref": "#/definitions/AttestationPointer"
      }
    }
  },
  "examples": [
    {
      "pointers": [
        {
          "pointer_id": "550e8400-e29b-41d4-a716-446655440000",
          "finding_id": "660e8400-e29b-41d4-a716-446655440001",
          "attestation_type": "dsse_envelope",
          "attestation_ref": {
            "attestation_id": "770e8400-e29b-41d4-a716-446655440002",
            "digest": "sha256:abc123def456789012345678901234567890123456789012345678901234abcd",
            "storage_uri": "s3://attestations/770e8400.../attestation.json",
            "payload_type": "application/vnd.in-toto+json",
            "predicate_type": "https://slsa.dev/provenance/v1",
            "subject_digests": [
              "sha256:def456..."
            ],
            "signer_info": {
              "key_id": "fulcio:abc123",
              "issuer": "https://accounts.google.com",
              "subject": "scanner@stellaops.iam.gserviceaccount.com",
              "signed_at": "2025-12-06T10:00:00Z"
            },
            "rekor_entry": {
              "log_index": 12345678,
              "log_id": "c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d",
              "uuid": "24296fb24b8ad77a12345678901234567890123456789012345678901234abcd",
              "integrated_time": 1733479200
            }
          },
          "relationship": "verified_by",
          "verification_result": {
            "verified": true,
            "verified_at": "2025-12-06T10:05:00Z",
            "verifier": "stellaops-attestor",
            "verifier_version": "2025.10.0",
            "checks": [
              {
                "check_type": "signature_valid",
                "passed": true,
                "details": "ECDSA signature verified"
              },
              {
                "check_type": "certificate_valid",
                "passed": true,
                "details": "Fulcio certificate chain verified"
              },
              {
                "check_type": "rekor_entry_valid",
                "passed": true,
                "details": "Rekor inclusion proof verified"
              }
            ],
            "warnings": [],
            "errors": []
          },
          "created_at": "2025-12-06T10:05:00Z",
          "created_by": "attestor-service"
        }
      ]
    }
  ]
}