Enhance runlib to allow users to add arbitrary data to environment / record environment from the CLI #307
Comments
Hi, I'm exploring using in-toto to generate provenance/metadata for my CI/CD pipeline, and I ran into an issue whereby I need to capture environment data (e.g. instance id, job id) into the link metadata, so that I can verify that the artifacts generated were indeed built by specific instances/servers. I came across this issue and was wondering if there are any future plans to allow us to specify environmental data that Otherwise, are there any suggestions as to how I can include information about the build environment into the link metadata files?
Hi @chunteck, some of the thinking behind
Hi @adityasaky, if I use the new SLSA provenance specification, I would need to write a script to generate the provenance myself right? Does in-toto support generating the new specification, or have future plans to support the new specification? Right now it seems that only the old link metadata specification is generated when using
The SLSA provenance model is defined in in-toto-golang (https://github.com/in-toto/in-toto-golang/blob/master/in_toto/slsa_provenance/v0.2/provenance.go) but there isn't a workflow there like in-toto-run that generates it.
noted, thanks!
Description of issue or feature request: The in-toto spec doesn't mandate a specific format for the `environment` field in link metadata. It does recommend that the field must contain `variables` for environment variables, `filesystem` for a list of relevant filepaths or hashes, and `workdir` for the present working directory.

The `in-toto-run` and `in-toto-record` CLI commands don't currently have an option to record the environment / any other information the user wants to. However, `runlib` does include a `record_environment` for `in_toto_run` and `in_toto_record` which records the present working directory.

Current behavior: Doesn't exist.

Expected behavior: Add options that allow users to record environment from the CLI as well as store any other information.
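
Added example (not part of the issue thread and not in-toto code): a sketch of the `environment` layout recommended above, populated from an allowlist so secrets in the CI environment stay out of link metadata, plus a verifier-side check on the recorded instance. The variable names `CI_JOB_ID` and `CI_INSTANCE_ID`, both helper functions and all sample values are assumptions; the code does not call in-toto, and the dict would still have to go into the signed part of a link.

```python
import os

# Hypothetical allowlist: only these CI variables are copied into metadata,
# so tokens and other secrets in the environment never reach a link file.
ALLOWED_VARS = ("CI_JOB_ID", "CI_INSTANCE_ID")


def build_environment(environ, workdir, filepaths=()):
    """Return an `environment` dict with the three keys the spec recommends."""
    return {
        "variables": {k: environ[k] for k in ALLOWED_VARS if k in environ},
        "filesystem": sorted(filepaths),
        "workdir": workdir,
    }


def check_builder(link, trusted_instances):
    """Return a list of problems; an empty list means the check passed."""
    env = link.get("environment") or {}
    variables = env.get("variables") or {}
    problems = []
    instance = variables.get("CI_INSTANCE_ID")
    if instance is None:
        problems.append("CI_INSTANCE_ID not recorded")
    elif instance not in trusted_instances:
        problems.append("untrusted instance: " + instance)
    if "CI_JOB_ID" not in variables:
        problems.append("CI_JOB_ID not recorded")
    return problems


# Constructed sample input: a CI environment that also holds a secret.
SAMPLE_ENVIRON = {
    "CI_JOB_ID": "job-1042",
    "CI_INSTANCE_ID": "i-example-0001",
    "DEPLOY_TOKEN": "not-a-real-token",
}

if __name__ == "__main__":
    env = build_environment(SAMPLE_ENVIRON, os.getcwd(), ["/etc/os-release"])
    link = {"_type": "link", "name": "build", "environment": env}
    print(link)
    print(check_builder(link, {"i-example-0001"}))
    print(check_builder({"_type": "link", "environment": {}}, {"i-example-0001"}))
```

The recorded values are reported by the build step itself, so the check is only meaningful on metadata whose signature has already been verified.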