stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
fa4823f46c4bc090294580a9136fb6b0e11e50f9
git.stella-ops.org/docs/features/unchecked/attestor/provenance-attestation-pipelines.md

2.7 KiB
Raw Blame History

Provenance/Attestation Pipelines (End-to-End)

Module

Attestor

Status

IMPLEMENTED

Description

End-to-end attestation pipeline covering build provenance (SLSA), SBOM attestation, VEX attestation, verdict attestation, OCI referrer attachment, and sealed audit pack export/import.

Implementation Details

  • Pipeline Models: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Pipeline/ -- pipeline orchestration:
    • ProofChainRequest.cs -- pipeline request with artifact digest, evidence sources, and options.
    • ProofChainResult.cs -- pipeline result with generated attestations, proof spine, and Merkle root.
    • PipelineSubject.cs -- subject being attested through the pipeline.
    • RekorEntry.cs -- Rekor transparency log entry from pipeline output.
  • SLSA Provenance: __Libraries/StellaOps.Attestor.StandardPredicates/Parsers/SlsaProvenancePredicateParser.cs (with .ExtractMetadata, .Validation) -- parses SLSA build provenance.
  • SPDX3 Build Attestation: __Libraries/StellaOps.Attestor.Spdx3/BuildAttestationMapper.cs (with .MapFromSpdx3, .MapToSpdx3) -- maps build attestations.
  • VEX Integration: __Libraries/StellaOps.Attestor.ProofChain/Generators/VexProofIntegrator.cs (with .Helpers, .Metadata) -- integrates VEX into pipeline.
  • Attestation Bundling: __Libraries/StellaOps.Attestor.Bundling/AttestationBundler.cs -- bundles pipeline outputs.
  • OCI Attachment: __Libraries/StellaOps.Attestor.Oci/Services/OrasAttestationAttacher.cs -- attaches pipeline outputs as OCI referrers.
  • Evidence Pack: __Libraries/StellaOps.Attestor.EvidencePack/ReleaseEvidencePackBuilder.cs -- builds sealed audit packs from pipeline outputs.
  • Submission Service: StellaOps.Attestor.Core/Submission/IAttestorSubmissionService.cs -- validates and routes pipeline submissions.
  • Tests: __Tests/StellaOps.Attestor.ProofChain.Tests/PipelineTests.cs

E2E Test Plan

  • Run the full pipeline via ProofChainRequest with SBOM, scan results, and VEX data; verify ProofChainResult contains all attestations
  • Verify SLSA provenance is parsed and included in the pipeline output
  • Verify VEX attestation is integrated into the verdict via VexProofIntegrator
  • Verify all pipeline attestations are signed into DSSE envelopes
  • Verify pipeline outputs are bundled via AttestationBundler into a single verifiable bundle
  • Attach pipeline outputs to an OCI image via OrasAttestationAttacher and verify referrer discovery
  • Export pipeline outputs as a sealed evidence pack via ReleaseEvidencePackBuilder and verify manifest integrity
  • Verify AttestorSubmissionService rejects invalid pipeline inputs with appropriate error messages