We can use the new SLSA provenance attestations to extract source information from an image.
Example use cases:
Provide a more accurate image history view (e.g. on hub)
We should provide a way to look up build step identifiers (e.g. sha256 digests, diffids, stage numbers, etc.) in the sourcemap and return the LLB used to build it, as well as the source-mapping for the original component - I think it should be valid to allow a flexible lookup using different types of identifiers for this?
If SLSA provenance isn't available, we should provide fallbacks using the image config history - we can't reconstruct the LLB, but we can make some guesses as to the original source code and build-steps using the layers - though this is definitely outside the initial scope.
For example, a struct might look something like this:
```go
import "github.com/opencontainers/go-digest" // provides digest.Digest

type Image struct {
	// ...
	BuildSteps []BuildStep
}

// GetBuildStep is a helper utility to get a BuildStep using a BuildStepIdentifier,
// could be an interface or similar that could be the sha256 digest of the layer,
// the DiffID for that layer, the stage name for that layer, etc.
func (img Image) GetBuildStep(id BuildStepIdentifier) BuildStep { ... }

type BuildStep struct {
	Digest digest.Digest
	DiffID digest.Digest
	Stage  string // e.g. stage0
	LLB    Source
}
```
Ideally, if we can, we should represent Source in a VCS-rich way, so not only should it be possible to get the string that represents that snippet, but if we have Git metadata, we can attempt to link it back to source.
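To make the flexible-lookup and fallback ideas concrete, here is an added, self-contained Go sketch that is not code from the issue or from the BuildKit project. It assumes hypothetical shapes for `Source`, `BuildStepIdentifier` (an interface with one `Matches` method, implemented by `LayerDigest`, `DiffID` and `StageName` key types), a string stand-in for the LLB, and a `StepsFromHistory` fallback that pairs non-empty image-config history entries with `rootfs.diff_ids` in order; digests, remotes and commits in `sampleImage` are constructed placeholders.

```go
package main

import (
	"errors"
	"fmt"
)

// Source maps a build step back to the Dockerfile snippet that produced it.
// The Git fields are optional; when present the step can be linked to VCS.
type Source struct {
	Filename  string
	Line      int
	Snippet   string
	GitRemote string
	GitCommit string
}

// Link renders a VCS-rich reference when Git metadata is available and
// falls back to a plain file:line reference otherwise.
func (s Source) Link() string {
	if s.GitRemote != "" && s.GitCommit != "" {
		return fmt.Sprintf("%s@%s:%s#L%d", s.GitRemote, s.GitCommit, s.Filename, s.Line)
	}
	return fmt.Sprintf("%s:%d", s.Filename, s.Line)
}

// BuildStep is one entry of the sourcemap recovered from provenance.
type BuildStep struct {
	Digest string // sha256 digest of the compressed layer blob
	DiffID string // sha256 digest of the uncompressed layer
	Stage  string // e.g. stage0
	LLB    string // hypothetical stand-in for the serialized LLB op
	Source Source
}

type Image struct {
	BuildSteps []BuildStep
}

// BuildStepIdentifier is satisfied by every kind of key a caller may hold.
type BuildStepIdentifier interface {
	Matches(BuildStep) bool
}

type LayerDigest string
type DiffID string
type StageName string

func (d LayerDigest) Matches(s BuildStep) bool { return s.Digest == string(d) }
func (d DiffID) Matches(s BuildStep) bool      { return s.DiffID == string(d) }
func (n StageName) Matches(s BuildStep) bool   { return s.Stage == string(n) }

var ErrStepNotFound = errors.New("build step not found")

// GetBuildStep performs the flexible lookup: any identifier type works.
func (img Image) GetBuildStep(id BuildStepIdentifier) (BuildStep, error) {
	for _, s := range img.BuildSteps {
		if id.Matches(s) {
			return s, nil
		}
	}
	return BuildStep{}, ErrStepNotFound
}

// HistoryEntry mirrors the two OCI image-config history fields the fallback needs.
type HistoryEntry struct {
	CreatedBy  string
	EmptyLayer bool
}

// StepsFromHistory is the no-provenance fallback: each non-empty history
// entry consumes the next DiffID from rootfs.diff_ids. The LLB cannot be
// recovered, so only CreatedBy survives as the snippet.
func StepsFromHistory(history []HistoryEntry, diffIDs []string) ([]BuildStep, error) {
	var steps []BuildStep
	next := 0
	for _, h := range history {
		if h.EmptyLayer {
			continue
		}
		if next >= len(diffIDs) {
			return nil, errors.New("history has more layers than rootfs.diff_ids")
		}
		steps = append(steps, BuildStep{DiffID: diffIDs[next], Source: Source{Snippet: h.CreatedBy}})
		next++
	}
	return steps, nil
}

// sampleImage is constructed test data; the digests and Git values are placeholders.
func sampleImage() Image {
	return Image{BuildSteps: []BuildStep{
		{Digest: "sha256:1111", DiffID: "sha256:aaaa", Stage: "stage0", LLB: "op0",
			Source: Source{Filename: "Dockerfile", Line: 3, Snippet: "RUN apk add --no-cache ca-certificates",
				GitRemote: "https://example.invalid/app.git", GitCommit: "0123abcd"}},
		{Digest: "sha256:2222", DiffID: "sha256:bbbb", Stage: "stage1", LLB: "op1",
			Source: Source{Filename: "Dockerfile", Line: 7, Snippet: "COPY --from=stage0 /etc/ssl /etc/ssl"}},
	}}
}

func main() {
	img := sampleImage()
	for _, id := range []BuildStepIdentifier{StageName("stage1"), DiffID("sha256:aaaa"), LayerDigest("sha256:9999")} {
		step, err := img.GetBuildStep(id)
		if err != nil {
			fmt.Printf("%v: %v\n", id, err)
			continue
		}
		fmt.Printf("%v -> %s (%s)\n", id, step.Source.Link(), step.Source.Snippet)
	}
}
```

Keying the interface on a `Matches` method keeps the lookup open to new identifier kinds (stage numbers, LLB op digests) without changing `GetBuildStep`; the fallback deliberately leaves `Digest`, `Stage` and `LLB` empty so a consumer can tell provenance-backed steps from history-derived guesses.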