scai-gen Go CLI
This package provides a Go CLI for generating in-toto compatible SCAI
metadata. We assume a minimal Ubuntu 20.04+ platform.
Setup
First, install Go version 1.20 or higher by following the
Go installation instructions, then install the
additional dependencies:
sudo apt install build-essential
Then, install the scai-gen Go module from this repo's root directory:
make go-mod
Usage
scai-gen can be used to generate JSON-encoded in-toto Resource Descriptors,
SCAI Attribute Assertions, and SCAI Attribute Reports.
scai-gen also provides a feature for checking DSSE-signed in-toto
attestations against an in-toto Layout or a SCAI evidence policy.
Examples can be found in the layouts and
policies directories.
Generate an in-toto Resource Descriptor
Local file:
scai-gen rd file -o <out-file> [-n <name>] [-u <URI>] [-l <download location>] [-t <media type>] <filename>
Remote resource or service:
scai-gen rd remote -o <out-file> [-a <hash algorithm> -d <digest>] [-n <name>] <resource URI>
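What a Resource Descriptor for a local file records, and how a consumer can re-check the file against it, as an added example that is not scai-gen's own code. It assumes a SHA-256 digest and models only a subset of the in-toto ResourceDescriptor fields; `DescribeFile` and `VerifyFile` are hypothetical helper names.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"os"
)

// ResourceDescriptor models a subset of the in-toto v1 ResourceDescriptor fields.
type ResourceDescriptor struct {
	Name      string            `json:"name,omitempty"`
	Digest    map[string]string `json:"digest,omitempty"`
	MediaType string            `json:"mediaType,omitempty"`
}

// DescribeFile hashes the file at path and returns a descriptor that pins its content.
func DescribeFile(path, name, mediaType string) (*ResourceDescriptor, error) {
	data, err := os.ReadFile(path)
	if err != nil {
		return nil, err
	}
	sum := sha256.Sum256(data)
	digest := map[string]string{"sha256": hex.EncodeToString(sum[:])}
	return &ResourceDescriptor{Name: name, Digest: digest, MediaType: mediaType}, nil
}

// VerifyFile re-hashes path; a descriptor without a sha256 digest is an error, not a match.
func VerifyFile(rd *ResourceDescriptor, path string) (bool, error) {
	want := rd.Digest["sha256"]
	if want == "" {
		return false, fmt.Errorf("descriptor %q carries no sha256 digest", rd.Name)
	}
	cur, err := DescribeFile(path, rd.Name, rd.MediaType)
	if err != nil {
		return false, err
	}
	return cur.Digest["sha256"] == want, nil
}

func main() {
	// Describe this program's own binary so the example runs without extra input.
	rd, err := DescribeFile(os.Args[0], "example-binary", "application/octet-stream")
	if err != nil {
		panic(err)
	}
	out, _ := json.MarshalIndent(rd, "", "  ")
	fmt.Println(string(out))
}
```

Treating a missing digest as an error keeps a name-only descriptor from passing verification by default.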
Generate a SCAI Attribute Assertion
scai-gen assert -o <out-file> [-e <evidence RD filename>] <attribute>
Run scai-gen assert help for a full list of command-line options.
Generate a SCAI Attribute Report
scai-gen report -o <out-file> [-e <evidence RD filename>] <attribute assertion file1> [<attribute assertion file2> ...]
Run scai-gen report help for a full list of command-line options.
SCAI policy checker
Check the in-toto Layout for SCAI attestations
scai-gen check layout -l <layout-file> <SCAI attestation file1> [<SCAI attestation file2> ...]
Check SCAI attestation against an evidence policy
The scai-gen check evidence command currently supports only policies about
evidence that is located locally. Support for checking evidence formats other
than plaintext or in-toto attestations is upcoming.
scai-gen check evidence -p <policy-file> -e <evidence-directory> <SCAI attestation file>
Run scai-gen check help for a full list of command-line options.