feat(audit): add --include-attestations flag to output sigstore bundles #9049
wraithgar merged 4 commits into npm:latest
Conversation
I ran this by our package security folks and the biggest point of feedback I got was making sure only verified bundles are output. It seems like you've attached the output inside the loop that catches only verified bundles already, but I wanted to explicitly mention it so we are sure about it.

Because npm's dependencies are bundled and in source control we don't allow dependency updates in external PRs. We will get pacote updated in

pacote update PR #9086

@wraithgar I think this PR is good to go, or do you have additional concerns?

Tests will need to pass before we can land this.

I tried testing this locally and it looks like you'll have to rebase this branch against

Rebasing my own copy of this PR branch and the command works as expected.
Add a new --include-attestations flag for `npm audit signatures` that includes the full sigstore attestation bundles in JSON output. This enables downstream tooling to consume and further process attestation data (e.g. for policy engines, SBOMs, or custom verification).

When used with `npm audit signatures --json --include-attestations`, the JSON output includes a `verified` array containing each package's name, version, and attestation bundles.

Depends on npm/pacote#457 to expose the fetched attestation bundles on the manifest's _attestations property.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

…undles attribute

Update verify-signatures to destructure _attestationBundles from the pacote manifest (a separate attribute from _attestations) and include it in the verified entries JSON output. This aligns with the pacote change that stores bundles on a separate _ attribute to avoid future collisions with registry schema.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Add test exercising the human-readable output path with --include-attestations set, covering the false branch of the hint message check at verify-signatures.js:96. Update type-description snapshot to include the new include-attestations config definition.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Force-pushed from 796d60e to 0afd822
@wraithgar rebased

Just to be clear here, the code looks good! No changes needed. Once it's green we will land it and it should go out this week.

@wraithgar just did
Summary

Adds a new `--include-attestations` flag for `npm audit signatures` that includes the full sigstore attestation bundles in JSON output. Closes #9048.

Changes

- `workspaces/config/lib/definitions/definitions.js`: New `include-attestations` boolean config definition
- `lib/commands/audit.js`: Added `include-attestations` to audit command params
- `lib/utils/verify-signatures.js`: Collects verified attestation data and includes it in JSON output when flag is set; adds human-readable hint when attestations are verified without the flag
- `docs/lib/content/commands/npm-audit.md`: Documents the new flag
- `test/lib/commands/audit.js`: Two new tests covering the flag behavior

Example output

```json
{
  "invalid": [],
  "missing": [],
  "verified": [
    {
      "name": "sigstore",
      "version": "0.4.0",
      "attestations": {
        "url": "https://registry.npmjs.org/-/npm/v1/attestations/sigstore@0.4.0",
        "provenance": {
          "predicateType": "https://slsa.dev/provenance/v0.2"
        }
      },
      "attestationBundles": [
        {
          "predicateType": "https://slsa.dev/provenance/v0.2",
          "bundle": {
            "mediaType": "...",
            "verificationMaterial": {},
            "dsseEnvelope": {}
          }
        }
      ]
    }
  ]
}
```

Dependencies

cc @feelepxyz