@Piskoo Piskoo commented Dec 17, 2025

Checks whether any of the evaluations performed during att add contain violations and exits with the code reserved for gate errors when that happens.

Example contract:

```yaml
apiVersion: chainloop.dev/v1
kind: Contract
metadata:
  name: gate-contract
  description: Test contract with gate
spec:
  materials:
  - type: SBOM_CYCLONEDX_JSON
    name: skynet-sbom
  policies:
    materials:
    - selector:
        name: skynet-sbom
      ref: policy-gate
      gate: true
```

Example policy:

```yaml
apiVersion: workflowcontract.chainloop.dev/v1
kind: Policy
metadata:
  name: policy-gate
spec:
  policies:
    - kind: SBOM_CYCLONEDX_JSON
      embedded: |
        package main
        import rego.v1

        result := {"violations": ["Gated policy violation"]}
```

Attestation process:

```
$ chainloop att init --project myproject --workflow gateadd --contract contractgate.yaml --replace
WRN API contacted in insecure mode
This command will run against the organization "myorg"
Please confirm to continue y/N
y
INF Attestation initialized! now you can check its status or add materials to it
┌───────────────────────────┬──────────────────────────────────────┐
│ Initialized At            │ 17 Dec 25 11:43 UTC                  │
├───────────────────────────┼──────────────────────────────────────┤
│ Attestation ID            │ 2c154d14-b3f4-4127-993c-0b0fd6e7881c │
│ Organization              │ myorg                                │
│ Name                      │ gateadd                              │
│ Project                   │ myproject                            │
│ Version                   │ v1.63.0+next (prerelease)            │
│ Contract                  │ myproject-gateadd (revision 1)       │
│ Policy violation strategy │ ADVISORY                             │
└───────────────────────────┴──────────────────────────────────────┘

$ chainloop att add --value sbom.json --name skynet-sbom
WRN API contacted in insecure mode
INF uploading sbom.json - sha256:bfbb8312c63447567e65f128ac05ddaebf562d072532b37fb412f47bfc32a421
INF material added to attestation
┌────────────────────┬─────────────────────────────────────────────────────────────────────────┐
│ Name               │ skynet-sbom                                                             │
├────────────────────┼─────────────────────────────────────────────────────────────────────────┤
│ Type               │ SBOM_CYCLONEDX_JSON                                                     │
├────────────────────┼─────────────────────────────────────────────────────────────────────────┤
│ Required           │ Yes                                                                     │
├────────────────────┼─────────────────────────────────────────────────────────────────────────┤
│ Value              │ sbom.json                                                               │
├────────────────────┼─────────────────────────────────────────────────────────────────────────┤
│ Digest             │ sha256:bfbb8312c63447567e65f128ac05ddaebf562d072532b37fb412f47bfc32a421 │
├────────────────────┼─────────────────────────────────────────────────────────────────────────┤
│ Policy evaluations │ ------                                                                  │
├────────────────────┼─────────────────────────────────────────────────────────────────────────┤
│                    │ policy-gate (gate): Gated policy violation                              │
└────────────────────┴─────────────────────────────────────────────────────────────────────────┘

ERR the policy "policy-gate" is configured as a gate and has violations
exit status 4
```

Signed-off-by: Sylwester Piskozub <sylwesterpiskozub@gmail.com>
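
The gate check described in this pull request, sketched in Go as an added example that is not the project's own code: `Evaluation`, `GateError`, `CheckGates` and `ExitCode` are hypothetical names, and both the fallback status 1 and the pass-through of non-gated violations are assumptions. Status 4 and the error text are taken from the run above.

```go
package main

import (
	"errors"
	"fmt"
	"os"
)

// Evaluation is a hypothetical type for this example, not chainloop's own.
type Evaluation struct {
	Policy     string
	Gate       bool     // mirrors `gate: true` in the contract
	Violations []string // messages returned by the policy
}

// GateError reports a gated policy that produced violations.
type GateError struct{ Policy string }

func (e *GateError) Error() string {
	return fmt.Sprintf("the policy %q is configured as a gate and has violations", e.Policy)
}

// CheckGates fails on the first gated evaluation with violations (non-gated ones pass: an assumption).
func CheckGates(evals []Evaluation) error {
	for _, ev := range evals {
		if ev.Gate && len(ev.Violations) > 0 {
			return &GateError{Policy: ev.Policy}
		}
	}
	return nil
}

// ExitCode maps an error to a process status; errors.As also matches a wrapped gate error.
func ExitCode(err error) int {
	var ge *GateError
	if err == nil {
		return 0
	} else if errors.As(err, &ge) {
		return 4 // "exit status 4" in the run above
	}
	return 1 // assumed status for any other failure
}

func main() {
	// Constructed input matching the example contract and policy above.
	err := CheckGates([]Evaluation{{"policy-gate", true, []string{"Gated policy violation"}}})
	fmt.Fprintln(os.Stderr, "ERR", err)
	os.Exit(ExitCode(err))
}
```

Using a typed error with `errors.As` keeps the gate status intact when callers wrap the error with context, so a CI step can branch on status 4 separately from other failures.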
@Piskoo Piskoo requested review from jiparis and migmartri December 17, 2025 12:02
@Piskoo Piskoo marked this pull request as ready for review December 17, 2025 12:10
Signed-off-by: Sylwester Piskozub <sylwesterpiskozub@gmail.com>
@Piskoo Piskoo requested a review from jiparis December 17, 2025 13:27
@Piskoo Piskoo merged commit c496a81 into chainloop-dev:main Dec 17, 2025
13 checks passed
Piskoo added a commit that referenced this pull request Dec 22, 2025
Piskoo added a commit that referenced this pull request Dec 23, 2025
This reverts commit c496a81.

Signed-off-by: Sylwester Piskozub <sylwesterpiskozub@gmail.com>