feat: add structured data attestor #408
Hi @colek42! What happens in the event that I am using some other attestors that parse json (e.g., sbom, vex attestors)? We probably want to make sure that we can call the json attestor in conjunction with those other attestors.
I think it should just work -- It probably makes sense to add a test for that.
How does this handle the case where there are multiple json files in the products?
Played around with this locally a bit and can confirm it works. It does need an import added to The directory should probably be
Thanks for the great code review. I'll incorporate this feedback into the k8smanifest attestor as well.
23704ac to 47818a5
- supports attestations on json/multi doc yaml
- canonicalizes data
- adds canonicalization library to internal
- adds a console logger used to debug tests
What this PR does / why we need it

This PR introduces a new structured data attestor that handles JSON/YAML files by:

- Parsing and canonicalizing their content (Vendored a JSON Canonicalization Scheme).
- Storing a digest of the original file.
- Optionally running user-defined jq queries (subject queries) to extract and store additional subject digests.
- Adding a console logger for debugging tests

This helps us:

- Ensure a reliable canonical form for any structured data,
- Provide flexible per-field or per-expression queries for advanced pipelines.
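
The three digests the description lists (original file, canonical form, per-query subject), as an added example that is not code from this PR. It assumes `json.Marshal` as a simplified stand-in for the vendored JSON Canonicalization Scheme and a dotted path as a stand-in for a jq query; `sha256Hex`, `canonicalDigest`, `docA` and `docB` are hypothetical names, and the sample documents are constructed.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strings"
)

// sha256Hex is the digest of the bytes exactly as given (the "original file" digest).
func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// canonicalDigest digests the value at a dotted path ("" selects the whole
// document) after re-encoding it with sorted keys and no whitespace. The path
// stands in for a jq subject query; json.Marshal stands in for a full JCS encoder.
func canonicalDigest(raw []byte, path string) (string, error) {
	dec := json.NewDecoder(bytes.NewReader(raw))
	dec.UseNumber() // keep number literals exactly as written
	var v any
	if err := dec.Decode(&v); err != nil {
		return "", err
	}
	for _, key := range strings.FieldsFunc(path, func(r rune) bool { return r == '.' }) {
		obj, _ := v.(map[string]any) // nil map when v is not an object
		next, ok := obj[key]
		if !ok {
			return "", fmt.Errorf("path %q: cannot resolve %q", path, key)
		}
		v = next
	}
	canon, err := json.Marshal(v) // map keys are emitted in sorted order
	if err != nil {
		return "", err
	}
	return sha256Hex(canon), nil
}

// Constructed sample products: same data, different key order and whitespace.
var docA = []byte(`{"kind":"Deployment","metadata":{"name":"web","labels":{"app":"web","tier":"front"}}}`)
var docB = []byte("{\n  \"metadata\": {\"labels\": {\"tier\": \"front\", \"app\": \"web\"}, \"name\": \"web\"},\n  \"kind\": \"Deployment\"\n}\n")

func main() {
	whole, err := canonicalDigest(docB, "")
	fmt.Println("raw:", sha256Hex(docB), "canonical:", whole, err)
}
```

The raw digests of `docA` and `docB` differ while their canonical and subject digests match, which is why a verifier should compare against the canonical or subject digest when the producer may reformat the file.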