Verification Summary Predicate
Predicate Type URI: https://slsa.dev/verification_summary/v1
A SLSA Verification Summary Attestation (VSA) that certifies the artifact was verified against a Develocity Provenance Governor Policy Scan™.
Fields:
- verifier (object) - Identifies the entity performing the verification (Develocity Provenance Governor).
- timeVerified (string) - Timestamp of verification (ISO 8601).
- resourceUri (string) - URI of the artifact being verified (Package URL).
- policy (object) - The policy used for verification.
  - uri (string) - URI of the Policy Scan Definition.
  - digest (object) - SHA-256 digest of the policy content.
- inputAttestations (array of objects) - Attestations used as input for verification.
- verificationResult (string) - Result of the verification (PASSED or FAILED).
{
  "verifier": {
    "id": "https://provenance-governor.example.com/packages/oci/my-app/1.0.0/policy-scans/build-gate",
    "version": {
      "develocity-provenance-governor": "1.2.0"
    }
  },
  "timeVerified": "2023-10-01T12:00:00Z",
  "resourceUri": "pkg:maven/com.example/test-lib@1.0.0?checksum=sha256:725a3f94ec1af8830d0f708e7941c233d3cb981a6e943ca9aee5899cceb48383&repository_url=repo.example.com/libs-release",
  "policy": {
    "uri": "/policies/PolicyScanDefinition/build-gate",
    "digest": {
      "sha256": "725a3f94ec1af8830d0f708e7941c233d3cb981a6e943ca9aee5899cceb48383"
    }
  },
  "inputAttestations": [
    {
      "uri": "/packages/oci/my-app/1.0.0/sha256:1f38c1af0cc5c48fc1d60cb3eb42837ec57ede8385db3018582f7c118cbff5a5/attestations/s3:local-s3/338ec7b1-4a61-5960-8983-b8eef80d9b2b",
      "digest": {
        "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
      }
    }
  ],
  "verificationResult": "PASSED"
}
For OCI packages, the resourceUri uses the digest as the PURL version and the image tag as a qualifier, following the OCI PURL specification:
{
  "resourceUri": "pkg:oci/my-app@sha256:1f38c1af0cc5c48fc1d60cb3eb42837ec57ede8385db3018582f7c118cbff5a5?repository_url=registry.example.com/my-team&tag=1.0.0"
}
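A consumer that gates on this predicate should bind it to the artifact and policy it expects, not read verificationResult alone. The following is an added example, not Develocity Provenance Governor code: the function names, the trusted verifier prefix and the pinned policy digest are assumptions, and it assumes the attestation's signature has already been verified.

```python
import string
from urllib.parse import parse_qs, unquote

def purl_sha256(purl):
    """Return the sha256 a resourceUri is bound to (the two PURL shapes on this page)."""
    if not purl.startswith("pkg:"):
        raise ValueError("resourceUri is not a Package URL")
    body, _, query = purl[4:].partition("?")
    ptype = body.split("/", 1)[0]
    version = unquote(body.rpartition("@")[2])
    qualifiers = {k: v[0] for k, v in parse_qs(query).items()}
    # OCI: the digest is the PURL version. Otherwise: the checksum qualifier.
    candidate = version if ptype == "oci" else qualifiers.get("checksum", "")
    algo, _, digest = candidate.partition(":")
    if algo != "sha256" or len(digest) != 64 or set(digest) - set(string.hexdigits):
        raise ValueError("resourceUri carries no sha256 digest")
    return digest.lower()

def check_vsa(predicate, artifact_sha256, policy_sha256, verifier_prefix):
    """Return the reasons to reject this VSA predicate; an empty list means accept."""
    problems = []
    if predicate.get("verificationResult") != "PASSED":
        problems.append("verificationResult is not PASSED")
    # verifier_prefix must end in "/" so a look-alike host cannot match it.
    if not predicate.get("verifier", {}).get("id", "").startswith(verifier_prefix):
        problems.append("verifier.id is not a trusted verifier")
    try:
        if purl_sha256(predicate.get("resourceUri", "")) != artifact_sha256.lower():
            problems.append("resourceUri digest does not match the artifact")
    except ValueError as exc:
        problems.append(str(exc))
    if predicate.get("policy", {}).get("digest", {}).get("sha256") != policy_sha256:
        problems.append("policy digest does not match the pinned policy")
    return problems

# Constructed sample: the page's example values combined into one OCI predicate.
ARTIFACT = "1f38c1af0cc5c48fc1d60cb3eb42837ec57ede8385db3018582f7c118cbff5a5"
POLICY = "725a3f94ec1af8830d0f708e7941c233d3cb981a6e943ca9aee5899cceb48383"
PREFIX = "https://provenance-governor.example.com/"  # assumed trusted verifier
SAMPLE = {
    "verifier": {"id": PREFIX + "packages/oci/my-app/1.0.0/policy-scans/build-gate"},
    "resourceUri": "pkg:oci/my-app@sha256:" + ARTIFACT
                   + "?repository_url=registry.example.com/my-team&tag=1.0.0",
    "policy": {"uri": "/policies/PolicyScanDefinition/build-gate",
               "digest": {"sha256": POLICY}},
    "verificationResult": "PASSED",
}

if __name__ == "__main__":
    print(check_vsa(SAMPLE, ARTIFACT, POLICY, PREFIX))  # locally computed digest matches
    print(check_vsa(SAMPLE, "0" * 64, POLICY, PREFIX))  # VSA issued for another artifact
```

The artifact digest passed in should be computed locally from the bytes about to be deployed, so that a PASSED summary issued for a different artifact is rejected.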