Our first major release introduces new primitives, basic tooling and guidelines for contributing new predicate types. We also made significant updates to the DigestSet type and extension fields.
What's New
* [Guidelines](https://github.com/in-toto/attestation/blob/main/docs/new_predicate_guidelines.md) for contributing new predicates
* [Attestation Bundle layer](https://github.com/in-toto/attestation/blob/main/spec/v1.0/bundle.md): A collection of multiple attestations in a single file.
* [Resource Descriptor type](https://github.com/in-toto/attestation/blob/main/spec/v1.0/resource_descriptor.md): A size-efficient description of any software artifact or resource (mutable or immutable).
* [Protobuf definitions](https://github.com/in-toto/attestation/blob/main/docs/protos.md): Language-independent definitions of attestation Statement and select predicates.
* Golang library and example app
**DISCLAIMER**: The protobuf definitions and Golang bindings will not be considered stable until the v1.1 tagged release. Use at your own risk.
Updates
* Add `dirHash1`, `gitCommit`, `gitTree`, etc. to the list of pre-defined algorithms for DigestSet
* Specify lowercase-hex encoding for standard algorithms only
* Relax requirements for Statement subject `name`
* Update rules for extension fields and unrecognized fields
* Documentation updates
New Predicate Types
Since v0.1, we have added three predicate types to our catalog. Please note that predicates are versioned independently from the in-toto attestation spec.
* [Supply Chain Attribute Integrity (SCAI)](https://github.com/in-toto/attestation/blob/main/spec/predicates/scai.md): Evidence-based assertions about software artifact and supply chain attributes or behavior.
* [Runtime Traces](https://github.com/in-toto/attestation/blob/main/spec/predicates/runtime-trace.md): Captures runtime traces of software supply chain operations.
* [SLSA Verification Summary (VSA)](https://github.com/in-toto/attestation/blob/main/spec/predicates/vsa/vsa.md): SLSA verification decision about a software artifact.
Thanks
Thank you to all contributors to this release!
**Full Changelog**: https://github.com/in-toto/attestation/compare/v0.1.0...v1.0