Adding reviewers to in-toto attestation #263
Comments
|
This currently doesn't exist in the predicate format. There has been some discussion around whether it should exist in the provenance predicate or if it should exist in a different one. |
|
I think this fits best with the idea of a source attestation. A data description of source metadata would be the perfect place to provide code reviewers as well as authors and properties of the source system itself. See tom's post and doc on the subject: #241 (comment) |
|
Also see in-toto/attestation#77 |
Yeah, I don't think this is a SLSA issue, it's an in-toto attestation one. Let's move it there. |
|
Marking as closed since the consensus seems to be that this is best handled as a "chain" of attestations: the provenance says "artifact X was built from commit Y", and a review attestation say "commit Y was reviewed by party Z". Thus to see if artifact X was reviewed, you'd chain them together. |
Within the current provenance predicate format, is there already a way to add the reviewers identities to the attestation, so it can be made clear who approved the PR that merged the code additions for said iteration of the image?
Something along the lines of what I am looking to do is seen in the Kyverno documentation here.
Thanks 😄
The text was updated successfully, but these errors were encountered: