
Builtin experiments #1463

Draft
wants to merge 3 commits into
base: main

Conversation

simonbaird
Member

@simonbaird simonbaird commented Mar 21, 2024

Not sure if we want to merge this or not, but it's interesting to consider.

The idea is that maybe we move all our sigstore signature checks into rego and use ec validate input for everything.

Running the script looks like this:

$ hack/builtin-experiments/demo.sh 

* Input:

image:
  ref: quay.io/redhat-user-workloads/rhtap-contract-tenant/ec-v02/cli-v02:c862b0f77bb10082d1440e0d4b6a4e9645b83382@sha256:9af445f4f79b7f129749e6fffde9a1280c4d260108e9c19545979cee449c00bf

* EC results:

success: true
filepaths:
  - filepath: /dev/fd/63
    violations: []
    warnings: []
    successes:
      - msg: Pass
        metadata:
          code: sigstore.valid
          description: Check image and attestation signatures
          title: Image validation
    success: true
    success-count: 1
policy:
  sources:
    - policy:
        - /home/sbaird/code/ec-cli/hack/builtin-experiments/policy
      data:
        - /home/sbaird/code/ec-cli/hack/builtin-experiments/data
ec-version: v0.3.2701-9b97c6d
effective-time: "2024-03-21T22:21:43.055587461Z"

This is helpful for some experiments I'm working on, and seems like a good enough tidy/refactor anyhow.
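A sketch of the kind of rego rule that would produce the `sigstore.valid` success shown above, evaluated with `ec validate input` against the `input.image.ref` document. This is an added example, not code from this PR or from ec-cli: the `ec.sigstore.verify_image(ref, opts)` builtin, its option keys and its return shape are assumptions, the `data.sigstore.*` values are constructed and would live in the data directory shown in the output, and the extra `pinned` rule goes beyond the page by also rejecting references that are not pinned by digest.

```rego
# METADATA
# title: Image validation
# description: Check image and attestation signatures
# custom:
#   short_name: valid
#   failure_msg: Signature verification of %s failed: %s
package sigstore

import rego.v1

# Assumed builtin (not confirmed by this PR page): ec.sigstore.verify_image(ref, opts)
# returning an object with a boolean `success` and a list of string `errors`.
# When this rule does not fire, ec reports a success carrying the METADATA above,
# which is the shape of the result in the demo output.
deny contains result if {
	ref := input.image.ref

	# Trusted signer identity comes from the policy data directory, so the
	# rule itself never hard-codes who is allowed to sign. Values are assumed.
	opts := {
		"certificate_identity": data.sigstore.certificate_identity,
		"certificate_oidc_issuer": data.sigstore.certificate_oidc_issuer,
		"rekor_url": data.sigstore.rekor_url,
	}

	verification := ec.sigstore.verify_image(ref, opts)
	not verification.success

	result := {
		"code": "sigstore.valid",
		"msg": sprintf(
			"Signature verification of %s failed: %s",
			[ref, concat("; ", verification.errors)],
		),
	}
}

# METADATA
# title: Image pinned by digest
# description: Refuse to verify an image reference that is only a tag
# custom:
#   short_name: pinned
#   failure_msg: Image reference %s is not pinned by digest
deny contains result if {
	ref := input.image.ref

	# A tag can be moved after verification; a digest cannot, so a signature
	# check is only meaningful against a digest-pinned reference.
	not contains(ref, "@sha256:")

	result := {
		"code": "sigstore.pinned",
		"msg": sprintf("Image reference %s is not pinned by digest", [ref]),
	}
}
```

With an input file holding only `image.ref`, as in the demo, the policy needs no attestation data from the caller: the rule fetches and verifies signatures itself, and the result for the image in the output above would be a single success for each rule that did not fire.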
@simonbaird
Member Author

Should rebase on #1462 once that one is merged.

@simonbaird simonbaird closed this Mar 21, 2024
@simonbaird simonbaird reopened this Mar 21, 2024

codecov bot commented Mar 21, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 87.16%. Comparing base (0b70d4f) to head (a93ec19).
Report is 6 commits behind head on main.


@@            Coverage Diff             @@
##             main    #1463      +/-   ##
==========================================
+ Coverage   80.35%   87.16%   +6.80%     
==========================================
  Files          66       77      +11     
  Lines        4674     5009     +335     
==========================================
+ Hits         3756     4366     +610     
+ Misses        918      643     -275     
Flag          Coverage Δ
acceptance    72.62% <ø> (?)
generative    ?
integration   ?
unit          80.35% <ø> (ø)

Flags with carried forward coverage won't be shown.

see 41 files with indirect coverage changes

Will clean it up later.

This demos slsa3 passing with ec validate input.
Member

@lcarva lcarva left a comment


It's an experiment. It's probably worth having it.

# limitations under the License.
#
# SPDX-License-Identifier: Apache-2.0

Member


It might be worth adding a comment to explain what this experiment is.
