scai-gen

command
v0.3.0
Published: Apr 5, 2024 License: Apache-2.0 Imports: 1 Imported by: 0

README

scai-gen Go CLI

This package provides a Go CLI for generating in-toto compatible SCAI metadata. We assume a minimal Ubuntu 20.04+ platform.

Setup

First, install Go version 1.20 or higher following the Go installation instructions, as well as additional dependencies:

sudo apt install build-essential

Then, install the scai-gen Go module from this repo's root directory:

make go-mod

Usage

scai-gen can be used to generate JSON encoded in-toto Resource Descriptors, SCAI Attribute Assertions, and SCAI Attribute Reports.

scai-gen also provides a feature for checking DSSE-signed in-toto attestations against an in-toto Layout or a SCAI evidence policy. Examples can be found in the layouts and policies directories.

Generate an in-toto Resource Descriptor

Local file:

scai-gen rd file -o <out-file> [-n <name>] [-u <URI>] [-l <download location>] [-t <media type>] <filename> 

Remote resource or service:

scai-gen rd remote -o <out-file> [-a <hash algorithm> -d <digest>] [-n <name>] <resource URI>

Generate a SCAI Attribute Assertion

scai-gen assert -o <out-file> [-e <evidence RD filename>] <attribute>

Run scai-gen assert help for a full list of command-line options.

Generate a SCAI Attribute Report

scai-gen report -o <out-file> [-e <evidence RD filename>] <attribute assertion file1> [<attribute assertion file2> ...]

Run scai-gen report help for a full list of command-line options.

SCAI policy checker

Check the in-toto Layout for SCAI attestations

scai-gen check layout -l <layout-file> <SCAI attestation file1> [<SCAI attestation file2> ...]

Check SCAI attestation against an evidence policy

The scai-gen check evidence command currently only supports checking policies about evidence that is located locally. Support for checking evidence formats other than plaintext or in-toto attestations is upcoming.

scai-gen check evidence -p <policy-file> -e <evidence-directory> <SCAI attestation file>

Run scai-gen check help for a full list of command-line options.
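
The relationship between `rd file`, `assert -e` and `check evidence` can be sketched in Go: a file is pinned by name and SHA-256 in a Resource Descriptor, attached to an assertion as evidence, and later re-hashed from a local evidence directory. This is an added example, not scai-gen's own code or its policy format. The JSON field names are assumed from the in-toto Resource Descriptor and SCAI Attribute Assertion specifications, and EXAMPLE_ATTRIBUTE is a placeholder.

```go
// Added example, not scai-gen source; JSON field names assumed from the specs.
package main

import (
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"os"
	"path/filepath"
)

type ResourceDescriptor struct {
	Name   string            `json:"name,omitempty"`
	Digest map[string]string `json:"digest,omitempty"`
}

type AttributeAssertion struct {
	Attribute string              `json:"attribute"`
	Evidence  *ResourceDescriptor `json:"evidence,omitempty"`
}

// DescribeFile pins a local file by base name and SHA-256 digest.
func DescribeFile(path string) (*ResourceDescriptor, error) {
	data, err := os.ReadFile(path)
	if err != nil {
		return nil, err
	}
	digest := map[string]string{"sha256": fmt.Sprintf("%x", sha256.Sum256(data))}
	return &ResourceDescriptor{Name: filepath.Base(path), Digest: digest}, nil
}

// VerifyEvidence re-hashes the evidence file in dir and fails closed on unpinned,
// missing or altered evidence; Base() keeps an attested name from escaping dir.
func VerifyEvidence(dir string, a AttributeAssertion) error {
	if a.Evidence == nil || a.Evidence.Digest["sha256"] == "" {
		return fmt.Errorf("%q has no sha256-pinned evidence", a.Attribute)
	}
	got, err := DescribeFile(filepath.Join(dir, filepath.Base(a.Evidence.Name)))
	if err == nil && got.Digest["sha256"] != a.Evidence.Digest["sha256"] {
		err = fmt.Errorf("digest mismatch for %s", a.Evidence.Name)
	}
	return err
}

func main() { // constructed input: the running binary stands in for evidence
	rd, _ := DescribeFile(os.Args[0])
	a := AttributeAssertion{Attribute: "EXAMPLE_ATTRIBUTE", Evidence: rd}
	out, _ := json.Marshal(a)
	fmt.Println(string(out), VerifyEvidence(filepath.Dir(os.Args[0]), a))
}
```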

Documentation

There is no documentation for this package.

Directories

Path Synopsis
adapted from https://github.com/slsa-framework/slsa-github-generator/blob/main/signing/sigstore/fulcio.go and https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/generic/attest.go
pkg
