Feature Request: Implement "inspect" Command #345

Closed
colek42 opened this issue Jan 3, 2024 · 2 comments
Comments

@colek42
Member

colek42 commented Jan 3, 2024

As a Witness user, I would like to have the ability to inspect attestations and policies using a new "inspect" command. This feature would provide a convenient way to verify the contents of these files, aiding in security and compliance verification. When policy creators are trying to create policies, they generally use tools like jq to parse these documents; a built-in command would provide better UX for users, specifically policy creators.

Proposed Solution

  1. Create a new "inspect" command in Witness.
  2. Implement flags for specifying the attestation and policy files to inspect.
  3. Develop logic to read and parse the specified attestation and policy files.
  4. Display the parsed information to the user, offering insights into the contents of the attestation and policy.

Expected Behavior

When the "inspect" command is executed, it should:

  • Read and parse the specified attestation and policy files.
  • Display the parsed data in a clear and structured manner to the user.

Additional Context

This feature would be highly beneficial for users who need to validate the contents of attestations and policies in their workflow. It enhances the utility of Witness by providing an easy way to perform manual verification and analysis.

Alternatives Considered

We have considered alternative approaches to achieving this functionality, such as integrating with external tools. However, implementing this as a built-in "inspect" command would provide a seamless and user-friendly experience within the Witness CLI.

Implementation Details

This feature will require modifications to the Witness CLI codebase. We will need to create a new Cobra command, define flags, and implement logic for reading and parsing attestation and policy files.
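The read-parse-display steps proposed above, as an added example that is not part of this issue or of the Witness code base: a standard-library Go program that decodes a DSSE envelope wrapping an in-toto Statement and prints a structured summary of it. The envelope and Statement field names, the attestation-collection predicate URI and the attestor layout it reads are assumptions about Witness's on-disk formats rather than code taken from the project; the sample envelope is constructed inline with a placeholder key ID and signature; and the Cobra command and flag wiring from the Implementation Details are left out so the program runs with plain go run. The first output line says what the command did not do, so that a description of an attestation is never mistaken for a verification of it.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Envelope models the DSSE wrapper assumed around a Witness attestation; only
// the fields an inspector needs are declared, everything else is ignored.
type Envelope struct {
	PayloadType string `json:"payloadType"`
	Payload     string `json:"payload"` // standard base64 of the in-toto Statement
	Signatures  []struct {
		KeyID string `json:"keyid"` // listed for display only, never checked here
	} `json:"signatures"`
}

// Statement is the in-toto Statement carried in the payload.
type Statement struct {
	Type          string          `json:"_type"`
	Subject       []Subject       `json:"subject"`
	PredicateType string          `json:"predicateType"`
	Predicate     json.RawMessage `json:"predicate"`
}
type Subject struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"` // algorithm -> hex digest
}

// collectionURI and the attestations layout below are assumptions about the
// shape of a Witness attestation collection; only attestor type names are read.
const collectionURI = "https://witness.testifysec.com/attestation-collection/v0.1"

// Summary describes the file's contents and carries no verdict on purpose:
// nothing here checks a signature or evaluates a policy.
type Summary struct {
	PayloadType, PredicateType string
	Subjects                   []Subject
	SignerKeyIDs, Attestors    []string // Attestors is set only for a collection
}

// InspectEnvelope decodes the envelope and its payload, rejecting anything that
// is not a DSSE envelope around an in-toto Statement.
func InspectEnvelope(raw []byte) (*Summary, error) {
	var env Envelope
	if err := json.Unmarshal(raw, &env); err != nil {
		return nil, fmt.Errorf("not a DSSE envelope: %w", err)
	}
	payload, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return nil, fmt.Errorf("payload is not base64: %w", err)
	}
	var st Statement
	if err := json.Unmarshal(payload, &st); err != nil {
		return nil, fmt.Errorf("payload is not an in-toto Statement: %w", err)
	}
	s := &Summary{PayloadType: env.PayloadType, PredicateType: st.PredicateType, Subjects: st.Subject}
	for _, sig := range env.Signatures {
		s.SignerKeyIDs = append(s.SignerKeyIDs, sig.KeyID)
	}
	if st.PredicateType == collectionURI {
		var c struct {
			Attestations []struct {
				Type string `json:"type"`
			} `json:"attestations"`
		}
		if err := json.Unmarshal(st.Predicate, &c); err != nil {
			return nil, fmt.Errorf("collection predicate is malformed: %w", err)
		}
		for _, a := range c.Attestations {
			s.Attestors = append(s.Attestors, a.Type)
		}
	}
	return s, nil
}

// Format renders the summary; the first line states what was not done so the
// output cannot be read as a verification result.
func Format(s *Summary) string {
	var b strings.Builder
	fmt.Fprintln(&b, "NOT verified: signatures were listed, not checked; no policy was evaluated")
	fmt.Fprintf(&b, "payloadType:   %s\npredicateType: %s\n", s.PayloadType, s.PredicateType)
	for _, sub := range s.Subjects {
		for alg, hex := range sub.Digest {
			fmt.Fprintf(&b, "subject:       %s %s:%s\n", sub.Name, alg, hex)
		}
	}
	for _, id := range s.SignerKeyIDs {
		fmt.Fprintf(&b, "signer keyid:  %s\n", id)
	}
	for _, a := range s.Attestors {
		fmt.Fprintf(&b, "attestor:      %s\n", a)
	}
	return b.String()
}

// SampleEnvelope is a constructed attestation for offline use. Its key ID and
// signature are placeholders, which is exactly why an inspector must never
// present what it prints as verified.
func SampleEnvelope() []byte {
	st := Statement{
		Type:          "https://in-toto.io/Statement/v0.1",
		Subject:       []Subject{{Name: "app.tar.gz", Digest: map[string]string{"sha256": strings.Repeat("ab", 32)}}},
		PredicateType: collectionURI,
		Predicate: json.RawMessage(`{"name":"build","attestations":[` +
			`{"type":"https://witness.dev/attestations/git/v0.1"},` +
			`{"type":"https://witness.dev/attestations/command-run/v0.1"}]}`),
	}
	payload, _ := json.Marshal(st)
	raw, _ := json.Marshal(map[string]interface{}{
		"payloadType": "application/vnd.in-toto+json",
		"payload":     base64.StdEncoding.EncodeToString(payload),
		"signatures":  []map[string]string{{"keyid": "placeholder-key-id", "sig": "cGxhY2Vob2xkZXI="}},
	})
	return raw
}

func main() {
	s, err := InspectEnvelope(SampleEnvelope())
	if err != nil {
		panic(err)
	}
	fmt.Print(Format(s))
}
```

Wiring this into a Cobra subcommand would mean replacing main with a command whose flag names the file to read, passing the bytes to InspectEnvelope and writing Format's result to stdout; the decoding logic and the "NOT verified" banner stay as they are.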

@ChaosInTheCRD
Collaborator

I failed to work on this due to time in the end, but I put some work into thinking / designing a similar feature for cosign (sigstore/cosign#2210).

I definitely find that this sort of thing is valuable, but we should be careful of creating the impression that such a command would in any way verify or audit the information. Instead it should very clearly just fetch and print any attestations associated with the artifact.

Given that in witness we have an overarching AttestationCollection construct, I think there's a lot of opportunity from a UX perspective. I think it'd be pretty cool to be able to index all the attestations associated with the artifact and be able to inspect / describe them etc.

@adityasaky
Member

Related to @ChaosInTheCRD’s comment, I’m wary of “inspect” overpromising what it does. This is especially a concern because an “inspection” is an actual type of check in in-toto layouts. I think using a different subcommand largely solves this.

@colek42 colek42 closed this as completed Feb 12, 2024