Add predicate output option

michaelvl · Feb 25, 2024 · 49c63a5 · 49c63a5
1 parent 21e78e5
commit 49c63a5
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 4 deletions.
diff --git a/cmd/evaluate-policy.go b/cmd/evaluate-policy.go
@@ -53,14 +53,22 @@ func EvaluatePolicyCmd() *cobra.Command {
 			}
 			log.Printf("policy evaluation status: %v\n", allowedText)
 
-			if opts.OutputVsaPath != "" {
+			if opts.OutputVsaPath != "" || opts.OutputVsaPredicatePath != "" {
 				vsa, err := vsa.Generate(digest, atts, allowedText, opts.SlsaVsaPassVerifiedLevel, opts.VerifierID)
 				if err != nil {
 					return err
 				}
-				err = attestations.WriteStatement(vsa, opts.OutputVsaPath)
-				if err != nil {
-					return err
+				if opts.OutputVsaPath != "" {
+					err = attestations.WriteStatement(vsa, opts.OutputVsaPath)
+					if err != nil {
+						return err
+					}
+				}
+				if opts.OutputVsaPredicatePath != "" {
+					err = attestations.WritePredicate(vsa, opts.OutputVsaPredicatePath)
+					if err != nil {
+						return err
+					}
 				}
 			}
 

diff --git a/cmd/options/evaluate-policy.go b/cmd/options/evaluate-policy.go
@@ -8,6 +8,7 @@ type EvaluateOptions struct {
 	PolicyPath                  string
 	OutputAttestationsPath      string
 	OutputVsaPath               string
+	OutputVsaPredicatePath      string
 	FailOnPolicyValidationError bool
 	SlsaVsaPassVerifiedLevel    string
 	VerifierID                  string
@@ -21,6 +22,8 @@ func (o *EvaluateOptions) AddFlags(cmd *cobra.Command) {
 		"path to write raw attestation json to")
 	cmd.Flags().StringVar(&o.OutputVsaPath, "output-vsa", "",
 		"path to write verification-statement attestation to")
+	cmd.Flags().StringVar(&o.OutputVsaPredicatePath, "output-vsa-predicate", "",
+		"path to write verification-statement predicate to")
 	cmd.Flags().BoolVar(&o.FailOnPolicyValidationError, "fail-on-validation-error", false,
 		"exit with non-zero exit code if policy verification fail")
 	cmd.Flags().StringVar(&o.SlsaVsaPassVerifiedLevel, "vsa-verified-level", "SLSA_BUILD_LEVEL_3",

diff --git a/internal/attestations/attestations.go b/internal/attestations/attestations.go
@@ -119,6 +119,14 @@ func WriteStatement(statement *in_toto.Statement, outputPath string) error {
 	return WriteJson(&jsonData[0], outputPath)
 }
 
+func WritePredicate(statement *in_toto.Statement, outputPath string) error {
+	jsonData, err := StatementsToJson([]in_toto.Statement{*statement})
+	if err != nil {
+		return fmt.Errorf("decoding statement json: %w", err)
+	}
+	return WriteJson(jsonData[0]["predicate"], outputPath)
+}
+
 func WriteJson(jsonData any, outputPath string) error {
 	f, err := os.Create(outputPath)
 	if err != nil {