package policy
import "github.com/docker/buildx/policy"
Index ¶
- func AddUnknowns(req *gwpb.ResolveSourceMetaRequest, unk []string) error
- func AddUnknownsWithLogger(logf func(logrus.Level, string), req *gwpb.ResolveSourceMetaRequest, unk []string) error
- func MultiPolicyCallback(callbacks ...policysession.PolicyCallback) policysession.PolicyCallback
- func ResolveInputUnknowns(ctx context.Context, input *Input, rootSource *pb.SourceOp, unknowns []string, rootPlatform *pb.Platform, defaultPlatform *ocispecs.Platform, resolver SourceMetadataResolver, verifier PolicyVerifierProvider, logf func(logrus.Level, string)) (bool, *gwpb.ResolveSourceMetaRequest, error)
- type Actor
- type AttestationSignature
- type Commit
- type Decision
- type Env
- type File
- type Git
- type HTTP
- type Image
- type ImageProvenance
- type ImageProvenanceCompleteness
- type ImageProvenanceConfigSource
- type Input
- func SourceToInput(ctx context.Context, verifier PolicyVerifierProvider, src *gwpb.ResolveSourceMetaResponse, platform *ocispecs.Platform, logf func(logrus.Level, string)) (Input, error)
- func (inp Input) Unknowns() []string
- type Local
- type Opt
- type PGPSignature
- type Policy
- func NewPolicy(opt Opt) *Policy
- func (p *Policy) CheckPolicy(ctx context.Context, req *policysession.CheckPolicyRequest) (*policysession.DecisionResponse, *gwpb.ResolveSourceMetaRequest, error)
- func (p *Policy) IsPolicyError(err error) bool
- func (p *Policy) Print(ctx print.Context, msg string) error
- type PolicyVerifier
- type PolicyVerifierProvider
- type SSHSignature
- type SignatureKind
- type SignatureType
- type SignerInfo
- type SourceMetadataResolver
- type Tag
- type TestOptions
- type TestOptionsProvider
- type TestResult
- type TestSummary
- type TrustedTimestamp
Functions ¶
func AddUnknowns ¶
func AddUnknowns(req *gwpb.ResolveSourceMetaRequest, unk []string) error
func AddUnknownsWithLogger ¶
func AddUnknownsWithLogger(logf func(logrus.Level, string), req *gwpb.ResolveSourceMetaRequest, unk []string) error
func MultiPolicyCallback ¶
func MultiPolicyCallback(callbacks ...policysession.PolicyCallback) policysession.PolicyCallback
MultiPolicyCallback returns a policy callback that requires all policies to allow.
func ResolveInputUnknowns ¶
func ResolveInputUnknowns(ctx context.Context, input *Input, rootSource *pb.SourceOp, unknowns []string, rootPlatform *pb.Platform, defaultPlatform *ocispecs.Platform, resolver SourceMetadataResolver, verifier PolicyVerifierProvider, logf func(logrus.Level, string)) (bool, *gwpb.ResolveSourceMetaRequest, error)
Types ¶
type Actor ¶
// Actor identifies a person recorded in git metadata. It is used by Commit
// (Author, Committer) and by Tag (Tagger). Every field is optional on the
// wire; When is a pointer because omitempty never drops a struct-valued
// time.Time, so an absent timestamp would otherwise serialize as the zero
// time.
type Actor struct {
	Name  string     `json:"name,omitempty"`
	Email string     `json:"email,omitempty"`
	When  *time.Time `json:"when,omitempty"`
}
type AttestationSignature ¶
// AttestationSignature describes one signature found on an image (see
// Image.Signatures). SignatureKind classifies the signer's trust category
// (see the SignatureKind constants; SignatureKindUntrusted is one of them,
// so the presence of an entry is not by itself evidence of trust),
// SignatureType names the envelope format, and Timestamps holds the
// timestamp-verification results. DockerReference and IsDHI are presumably
// the signed image reference and a Docker Hardened Image flag — confirm in
// signatures.go. Signer carries the certificate summary when one is
// available; unexported fields are not shown in this documentation.
type AttestationSignature struct {
	SignatureKind   SignatureKind                          `json:"kind,omitempty"`
	SignatureType   SignatureType                          `json:"type,omitempty"`
	Timestamps      []policytypes.TimestampVerificationResult `json:"timestamps,omitempty"`
	DockerReference string                                 `json:"dockerReference,omitempty"`
	IsDHI           bool                                   `json:"isDHI,omitempty"`
	Signer          *SignerInfo                            `json:"signer,omitempty"`
	// contains filtered or unexported fields
}
type Commit ¶
// Commit is the git commit metadata exposed to a policy (see Git.Commit).
// Author and Committer use omitzero, so an entirely empty Actor is dropped
// from the JSON instead of being emitted as {}. PGPSignature and
// SSHSignature are nil when the commit carries no signature of that kind;
// note that those types record only key identity (KeyID / PubKey), not a
// verification result, so a non-nil value means "signed", not "verified".
type Commit struct {
	Tree         string        `json:"tree,omitempty"`
	Parents      []string      `json:"parents,omitempty"`
	Author       Actor         `json:"author,omitzero"`
	Committer    Actor         `json:"committer,omitzero"`
	Message      string        `json:"message,omitempty"`
	PGPSignature *PGPSignature `json:"pgpSignature,omitempty"`
	SSHSignature *SSHSignature `json:"sshSignature,omitempty"`
	// contains filtered or unexported fields
}
type Decision ¶
// Decision is the outcome of evaluating a policy against an Input. Allow is a
// pointer so that "no decision was made" (nil) is distinguishable from an
// explicit deny (false); NOTE(review): consumers should treat nil as not
// allowed rather than falling through to permit — confirm how CheckPolicy
// handles it. DenyMessages holds the explanations a denying policy produced.
// The JSON tag "deny_msg" is snake_case, unlike the camelCase tags used on
// the other types in this package.
type Decision struct {
	Allow        *bool    `json:"allow,omitempty"`
	DenyMessages []string `json:"deny_msg,omitempty"`
}
type Env ¶
// Env describes the build environment a policy is evaluated in: build args,
// labels, the Dockerfile filename, the build target and a depth counter.
// Args values are pointers, presumably so that an arg that was declared but
// given no value is representable as nil — confirm in input.go. Depth has no
// omitempty tag and is therefore always emitted, even when 0; what it counts
// is not visible here (presumably the nesting level of the Input being
// evaluated, see ImageProvenance.Materials) — TODO confirm.
type Env struct {
	Args     map[string]*string `json:"args,omitempty"`
	Labels   map[string]string  `json:"labels,omitempty"`
	Filename string             `json:"filename,omitempty"`
	Target   string             `json:"target,omitempty"`
	Depth    int                `json:"depth"`
}
type File ¶
func LoadTestModules ¶
type Git ¶
// Git describes a git source input. Schema, Host, Remote and FullURL
// identify the remote; TagName, Branch and Ref describe the requested
// revision, with IsCommitRef reporting that Ref names a commit directly
// (presumably — confirm in git.go). IsSHA256 presumably distinguishes a
// SHA-256 object id from a SHA-1 one. Two checksums are exposed because for
// an annotated tag (IsAnnotatedTag) the tag object and the commit it points
// to are different objects: a policy that wants to pin a commit should
// compare CommitChecksum rather than Checksum. Tag and Commit expose the
// parsed objects, including any signature metadata they carry.
type Git struct {
	Schema         string  `json:"schema,omitempty"`
	Host           string  `json:"host,omitempty"`
	Remote         string  `json:"remote,omitempty"`
	FullURL        string  `json:"fullURL,omitempty"`
	TagName        string  `json:"tagName,omitempty"`
	Branch         string  `json:"branch,omitempty"`
	Ref            string  `json:"ref,omitempty"`
	Subdir         string  `json:"subDir,omitempty"`
	IsCommitRef    bool    `json:"isCommitRef,omitempty"`
	IsSHA256       bool    `json:"isSHA256,omitempty"`
	Checksum       string  `json:"checksum,omitempty"`
	CommitChecksum string  `json:"commitChecksum,omitempty"`
	IsAnnotatedTag bool    `json:"isAnnotatedTag,omitempty"`
	Tag            *Tag    `json:"tag,omitempty"`
	Commit         *Commit `json:"commit,omitempty"`
}
type HTTP ¶
// HTTP describes an HTTP(S) source input. URL is the full location; Schema,
// Host, Path and Query hold its parsed parts. HasAuth presumably reports
// whether credentials were attached to the request — only that fact, never
// the secret itself, is exposed to the policy (confirm in input.go).
// Checksum is the expected content digest when the source was pinned;
// NOTE(review): a policy that wants reproducible downloads should require it
// to be non-empty, since nothing in this type enforces that.
type HTTP struct {
	URL      string              `json:"url,omitempty"`
	Schema   string              `json:"schema,omitempty"`
	Host     string              `json:"host,omitempty"`
	Path     string              `json:"path,omitempty"`
	Query    map[string][]string `json:"query,omitempty"`
	HasAuth  bool                `json:"hasAuth,omitempty"`
	Checksum string              `json:"checksum,omitempty"`
	// contains filtered or unexported fields
}
type Image ¶
// Image describes a container image input. Ref is the reference as written;
// Host, Repo and FullRepo are its parsed parts, and Tag is unset when the
// reference is canonical (IsCanonical), in which case Checksum presumably
// carries the pinned digest — confirm in input.go. Platform, OS,
// Architecture and Variant describe the resolved platform. The "Config
// based" fields mirror the image config. HasProvenance, Provenance and
// Signatures carry attestation data: a non-empty Signatures slice only means
// signatures were found; the trust level of each one is in its
// SignatureKind, which a policy must inspect explicitly.
type Image struct {
	Ref          string `json:"ref,omitempty"`
	Host         string `json:"host,omitempty"`
	Repo         string `json:"repo,omitempty"`
	FullRepo     string `json:"fullRepo,omitempty"` // domain + repo
	Tag          string `json:"tag,omitempty"`      // unset if canonical ref
	Platform     string `json:"platform,omitempty"`
	OS           string `json:"os,omitempty"`
	Architecture string `json:"arch,omitempty"`
	Variant      string `json:"variant,omitempty"`
	IsCanonical  bool   `json:"isCanonical,omitempty"`
	Checksum     string `json:"checksum,omitempty"`
	// Config based
	CreatedTime   string                 `json:"createdTime,omitempty"`
	Env           []string               `json:"env,omitempty"`
	Labels        map[string]string      `json:"labels,omitempty"`
	User          string                 `json:"user,omitempty"`
	Volumes       []string               `json:"volumes,omitempty"`
	WorkingDir    string                 `json:"workingDir,omitempty"`
	HasProvenance bool                   `json:"hasProvenance,omitempty"`
	Provenance    *ImageProvenance       `json:"provenance,omitempty"`
	Signatures    []AttestationSignature `json:"signatures,omitempty"`
}
type ImageProvenance ¶
// ImageProvenance is the policy view of an image's provenance attestation.
// The field names follow the SLSA provenance predicate layout (PredicateType,
// BuildType, BuilderID, InvocationID, StartedOn/FinishedOn, ConfigSource,
// Completeness, Materials). Reproducible and Hermetic are pointers so that
// "not stated by the attestation" (nil) differs from an explicit false.
// Materials is a slice of Input, so each build input of the image can be
// inspected by a policy with the same vocabulary as the root Input
// (recursively, since a material may itself be an Image with provenance).
// Frontend, BuildArgs and RawArgs are buildkit-specific extras; unexported
// fields are not shown here.
type ImageProvenance struct {
	PredicateType string                       `json:"predicateType,omitempty"`
	BuildType     string                       `json:"buildType,omitempty"`
	BuilderID     string                       `json:"builderID,omitempty"`
	InvocationID  string                       `json:"invocationID,omitempty"`
	StartedOn     string                       `json:"startedOn,omitempty"`
	FinishedOn    string                       `json:"finishedOn,omitempty"`
	ConfigSource  *ImageProvenanceConfigSource `json:"configSource,omitempty"`
	Frontend      string                       `json:"frontend,omitempty"`
	BuildArgs     map[string]string            `json:"buildArgs,omitempty"`
	RawArgs       map[string]string            `json:"rawArgs,omitempty"`
	Reproducible  *bool                        `json:"reproducible,omitempty"`
	Hermetic      *bool                        `json:"hermetic,omitempty"`
	Completeness  *ImageProvenanceCompleteness `json:"completeness,omitempty"`
	Materials     []Input                      `json:"materials,omitempty"`
	// contains filtered or unexported fields
}
type ImageProvenanceCompleteness ¶
// ImageProvenanceCompleteness mirrors the completeness claims of a provenance
// attestation: whether the recorded parameters, environment and materials
// are claimed to be complete. Each field is a pointer so that an attestation
// that makes no claim (nil) is distinguishable from one that explicitly says
// false.
type ImageProvenanceCompleteness struct {
	Parameters  *bool `json:"parameters,omitempty"`
	Environment *bool `json:"environment,omitempty"`
	Materials   *bool `json:"materials,omitempty"`
}
type ImageProvenanceConfigSource ¶
// ImageProvenanceConfigSource identifies where the build configuration
// recorded in the provenance came from: URI locates the source, Digest maps
// digest algorithm names to digest values (presumably, following the
// provenance digest-set convention — confirm in provenance.go), and Path is
// the configuration file within that source.
type ImageProvenanceConfigSource struct {
	URI    string            `json:"uri,omitempty"`
	Digest map[string]string `json:"digest,omitempty"`
	Path   string            `json:"path,omitempty"`
}
type Input ¶
// Input is the root object a policy evaluates; it is built by SourceToInput
// and also appears recursively as ImageProvenance.Materials. Env uses
// omitzero and is dropped only when entirely empty. Which of Local, Image,
// HTTP and Git is set depends on the source kind; nothing in this type
// enforces that exactly one is non-nil, so policies should not assume it —
// TODO confirm in input.go. Unknowns reports the metadata that could not be
// resolved yet (see ResolveInputUnknowns); unexported fields are not shown.
type Input struct {
	Env   Env    `json:"env,omitzero"`
	Local *Local `json:"local,omitempty"`
	Image *Image `json:"image,omitempty"`
	HTTP  *HTTP  `json:"http,omitempty"`
	Git   *Git   `json:"git,omitempty"`
	// contains filtered or unexported fields
}
func SourceToInput ¶
func SourceToInput(ctx context.Context, verifier PolicyVerifierProvider, src *gwpb.ResolveSourceMetaResponse, platform *ocispecs.Platform, logf func(logrus.Level, string)) (Input, error)
func (Input) Unknowns ¶
type Local ¶
// Local describes a local source input (presumably a named build context),
// identified only by Name; no path or content information is exposed to the
// policy.
type Local struct {
	Name string `json:"name,omitempty"`
}
type Opt ¶
// Opt configures NewPolicy. Files are the policy files to load (the File type
// is not shown on this page); Env is the build environment that becomes
// Input.Env; Log receives (level, message) pairs; FS lazily opens the
// filesystem policies are read from and returns, alongside it, a func that
// is presumably a release/cleanup callback — confirm; VerifierProvider
// supplies the signature verifier (see SignatureVerifier); DefaultPlatform
// and SourceResolver are used when resolving source metadata (see
// ResolveInputUnknowns).
type Opt struct {
	Files            []File
	Env              Env
	Log              func(logrus.Level, string)
	FS               func() (fs.StatFS, func() error, error)
	VerifierProvider PolicyVerifierProvider
	DefaultPlatform  *ocispecs.Platform
	SourceResolver   *sourcemeta.Resolver
}
type PGPSignature ¶
// PGPSignature records the presence of a PGP signature on a git object: the
// packet Version and the signing KeyID. It carries no verification result,
// so a policy that needs a trusted signer must compare KeyID against an
// allow-list rather than rely on the field being set.
type PGPSignature struct {
	Version int    `json:"version,omitempty"`
	KeyID   string `json:"keyID,omitempty"`
}
type Policy ¶
// Policy is the loaded policy set created by NewPolicy. All of its fields are
// unexported; it is used through CheckPolicy (evaluate a request),
// IsPolicyError (classify an error as a policy denial) and Print.
type Policy struct {
	// contains filtered or unexported fields
}
func NewPolicy ¶
func (*Policy) CheckPolicy ¶
func (p *Policy) CheckPolicy(ctx context.Context, req *policysession.CheckPolicyRequest) (*policysession.DecisionResponse, *gwpb.ResolveSourceMetaRequest, error)
func (*Policy) IsPolicyError ¶
func (*Policy) Print ¶
type PolicyVerifier ¶
// PolicyVerifier verifies signatures on behalf of the policy engine.
// VerifyImage checks an image descriptor for a platform, discovering
// signatures through the ReferrersProvider; VerifyArtifact checks a detached
// artifact identified by its digest and payload bytes. Both return the
// resulting SignatureInfo or an error; NOTE(review): callers should treat an
// error as "unverified", never as "unsigned", otherwise a verifier outage
// degrades into a silent allow.
type PolicyVerifier interface {
	VerifyImage(context.Context, policyimage.ReferrersProvider, ocispecs.Descriptor, *ocispecs.Platform) (*policytypes.SignatureInfo, error)
	VerifyArtifact(context.Context, digest.Digest, []byte, ...policyverifier.ArtifactVerifyOpt) (*policytypes.SignatureInfo, error)
}
type PolicyVerifierProvider ¶
// PolicyVerifierProvider constructs a PolicyVerifier on demand; see
// SignatureVerifier for the default implementation. A returned error means no
// verifier could be built — confirm in validate.go whether CheckPolicy fails
// closed in that case.
type PolicyVerifierProvider func() (PolicyVerifier, error)
func SignatureVerifier ¶
func SignatureVerifier(cfg *confutil.Config) PolicyVerifierProvider
type SSHSignature ¶
// SSHSignature records the presence of an SSH signature on a git object: the
// signature Version and the signer's PubKey. As with PGPSignature, no
// verification result is carried, so trust decisions must compare PubKey
// against known keys.
type SSHSignature struct {
	Version int    `json:"version,omitempty"`
	PubKey  string `json:"pubKey,omitempty"`
}
type SignatureKind ¶
// SignatureKind classifies who signed an image, i.e. which trust category an
// AttestationSignature falls into. Policies that gate on signatures should
// compare against a specific trusted kind; SignatureKindUntrusted is a valid
// value, so an entry in Image.Signatures does not by itself imply trust.
type SignatureKind string

const (
	// SignatureKindDockerGithubBuilder marks a signature produced by the Docker
	// GitHub builder identity.
	SignatureKindDockerGithubBuilder SignatureKind = "docker-github-builder"
	// SignatureKindDockerHardenedImage marks a Docker Hardened Image signature
	// (see AttestationSignature.IsDHI).
	SignatureKindDockerHardenedImage SignatureKind = "docker-hardened-image"
	// SignatureKindSelfSignedGithubRepo marks a self-signed signature tied to a
	// GitHub repository identity (presumably via SignerInfo.SourceRepositoryURI —
	// confirm in signatures.go).
	SignatureKindSelfSignedGithubRepo SignatureKind = "self-signed-github-repo"
	// SignatureKindSelfSigned marks a self-signed signature with no repository
	// binding.
	SignatureKindSelfSigned SignatureKind = "self-signed"
	// SignatureKindUntrusted marks a signature whose signer matched none of the
	// recognized identities.
	SignatureKindUntrusted SignatureKind = "untrusted"
)
type SignatureType ¶
// SignatureType names the envelope format an AttestationSignature was found
// in.
type SignatureType string

const (
	// SignatureTypeBundleV03 is a Sigstore bundle, protocol version 0.3.
	SignatureTypeBundleV03 SignatureType = "bundle-v0.3"
	// SignatureTypeSimpleSigningV1 is a simple-signing (cosign-style) payload,
	// version 1.
	SignatureTypeSimpleSigningV1 SignatureType = "simplesigning-v1"
)
type SignerInfo ¶
// SignerInfo summarizes the signing certificate behind an
// AttestationSignature. The per-field comments give the Sigstore certificate
// extension OID (1.3.6.1.4.1.57264.1.x) each value is taken from.
// CertificateIssuer and SubjectAlternativeName have no omitempty tag and are
// always emitted. NOTE(review): a policy pinning a signer should match both
// SubjectAlternativeName (the identity) and Issuer (who asserted it), since
// the same identity string can be issued by different OIDC providers.
type SignerInfo struct {
	// certificate.Summary with deprecated fields removed
	CertificateIssuer                   string `json:"certificateIssuer"`
	SubjectAlternativeName              string `json:"subjectAlternativeName"`
	Issuer                              string `json:"issuer,omitempty"`                              // OID 1.3.6.1.4.1.57264.1.8 and 1.3.6.1.4.1.57264.1.1 (Deprecated)
	BuildSignerURI                      string `json:"buildSignerURI,omitempty"`                      //nolint:tagliatelle // 1.3.6.1.4.1.57264.1.9
	BuildSignerDigest                   string `json:"buildSignerDigest,omitempty"`                   // 1.3.6.1.4.1.57264.1.10
	RunnerEnvironment                   string `json:"runnerEnvironment,omitempty"`                   // 1.3.6.1.4.1.57264.1.11
	SourceRepositoryURI                 string `json:"sourceRepositoryURI,omitempty"`                 //nolint:tagliatelle // 1.3.6.1.4.1.57264.1.12
	SourceRepositoryDigest              string `json:"sourceRepositoryDigest,omitempty"`              // 1.3.6.1.4.1.57264.1.13
	SourceRepositoryRef                 string `json:"sourceRepositoryRef,omitempty"`                 // 1.3.6.1.4.1.57264.1.14
	SourceRepositoryIdentifier          string `json:"sourceRepositoryIdentifier,omitempty"`          // 1.3.6.1.4.1.57264.1.15
	SourceRepositoryOwnerURI            string `json:"sourceRepositoryOwnerURI,omitempty"`            //nolint:tagliatelle // 1.3.6.1.4.1.57264.1.16
	SourceRepositoryOwnerIdentifier     string `json:"sourceRepositoryOwnerIdentifier,omitempty"`     // 1.3.6.1.4.1.57264.1.17
	BuildConfigURI                      string `json:"buildConfigURI,omitempty"`                      //nolint:tagliatelle // 1.3.6.1.4.1.57264.1.18
	BuildConfigDigest                   string `json:"buildConfigDigest,omitempty"`                   // 1.3.6.1.4.1.57264.1.19
	BuildTrigger                        string `json:"buildTrigger,omitempty"`                        // 1.3.6.1.4.1.57264.1.20
	RunInvocationURI                    string `json:"runInvocationURI,omitempty"`                    //nolint:tagliatelle // 1.3.6.1.4.1.57264.1.21
	SourceRepositoryVisibilityAtSigning string `json:"sourceRepositoryVisibilityAtSigning,omitempty"` // 1.3.6.1.4.1.57264.1.22
}
type SourceMetadataResolver ¶
// SourceMetadataResolver resolves the metadata of a source operation
// (image config, git commit details, and so on) that a policy may need
// before it can decide; it is the resolver parameter of
// ResolveInputUnknowns.
type SourceMetadataResolver interface {
	ResolveSourceMetadata(context.Context, *pb.SourceOp, sourceresolver.Opt) (*sourceresolver.MetaResponse, error)
}
type Tag ¶
// Tag is the git annotated-tag object metadata exposed to a policy (see
// Git.Tag and Git.IsAnnotatedTag). Object is the id of the tagged object and
// Type its object type; Tag is the tag name. Tagger uses omitzero, so an
// empty Actor is dropped from the JSON. PGPSignature and SSHSignature are nil
// when the tag object is unsigned; they record key identity only, not a
// verification result.
type Tag struct {
	Object       string        `json:"object,omitempty"`
	Type         string        `json:"type,omitempty"`
	Tag          string        `json:"tag,omitempty"`
	Tagger       Actor         `json:"tagger,omitzero"`
	Message      string        `json:"message,omitempty"`
	PGPSignature *PGPSignature `json:"pgpSignature,omitempty"`
	SSHSignature *SSHSignature `json:"sshSignature,omitempty"`
	// contains filtered or unexported fields
}
type TestOptions ¶
// TestOptions configures RunPolicyTests. Run presumably selects which tests
// to execute (a name filter, by analogy with `go test -run`) — confirm in
// tester.go; Filename is the policy file under test; Root is the filesystem
// the test modules are loaded from; Provider supplies the hooks tests use to
// resolve sources, platforms and verifiers instead of talking to a real
// daemon.
type TestOptions struct {
	Run      string
	Filename string
	Root     fs.StatFS
	Provider *TestOptionsProvider
}
type TestOptionsProvider ¶
// TestOptionsProvider holds the callbacks a policy test run uses in place of
// live infrastructure: Resolve answers source-metadata requests for a source
// op, Platform returns the platform to evaluate for, and VerifierProvider
// supplies the signature verifier. Any of them may be nil from the point of
// view of this type; what RunPolicyTests does in that case is not visible
// here.
type TestOptionsProvider struct {
	Resolve          func(context.Context, *pb.SourceOp, *gwpb.ResolveSourceMetaRequest) (*gwpb.ResolveSourceMetaResponse, error)
	Platform         func(context.Context) (*ocispecs.Platform, error)
	VerifierProvider PolicyVerifierProvider
}
type TestResult ¶
// TestResult is the outcome of one policy test case. Name and Package
// identify the test; Passed is the verdict. Allow and DenyMessages are the
// expected decision (pointer so "not asserted" differs from false), while
// Decision is what the policy actually returned for Input. MissingInput and
// MetadataNeeded list, respectively, the input fields the test did not
// provide and the metadata the policy asked for but could not get —
// presumably; confirm in tester.go.
type TestResult struct {
	Name           string
	Package        string
	Passed         bool
	Allow          *bool
	DenyMessages   []string
	Input          *Input
	Decision       *Decision
	MissingInput   []string
	MetadataNeeded []string
}
type TestSummary ¶
// TestSummary is the aggregate result of RunPolicyTests: every TestResult in
// Results plus Failed, the count of results that did not pass.
type TestSummary struct {
	Results []TestResult
	Failed  int
}
func RunPolicyTests ¶
func RunPolicyTests(ctx context.Context, path string, opts TestOptions) (TestSummary, error)
type TrustedTimestamp ¶
// TrustedTimestamp records where a signature's timestamp came from. Tlog
// presumably reports that the timestamp is a transparency-log entry (as
// opposed to one from a timestamp authority reachable at URI) — confirm in
// signatures.go. Timestamp uses omitzero, so an unset time is omitted
// instead of being serialized as the zero time.
type TrustedTimestamp struct {
	Tlog      bool      `json:"tlog,omitempty"`
	URI       string    `json:"uri,omitempty"`
	Timestamp time.Time `json:"timestamp,omitzero"`
}
Source Files ¶
builtin_module.go builtins.go funcs.go git.go input.go input_unknowns.go materials.go multipolicy.go provenance.go resolve.go signatures.go tester.go types.go validate.go