Feature: Improve Signed-release for npm package #3038
Comments
Is there an API for it?
A better link might be https://docs.deps.dev/api/v3alpha/, which has the example API URL.
This should be possible with the deps.dev API in the near future. We're planning to surface packages associated with a GitHub repository from the GetProject endpoint soon. You could then use the GetVersion endpoint to discover whether any of these versions have SLSA attestations. Specifically, npm versions with SLSA attestations will include the attestation link in the links field. Note that these attestations are not verified by deps.dev at the moment, though we plan to do so in the future.
Am I right?

Short Summary: Deps.dev plans to add a feature to their API to allow users to discover whether any packages associated with a GitHub repository have SLSA attestations. Attestations for npm versions will be included in the links field.

Key takeaways
Yep, that's right. The npm attestation links are already available via the The main thing we need to add is a way for API users to get the packages associated with a GitHub repository. This may be via the
Do you have some kind of timeline for this feature?
I don't see it.
Sorry for the delayed response. From the
The new
deps.dev does not currently verify the attestations, though it's on the roadmap for us to do so in the future.
This issue is stale because it has been open for 60 days with no activity.
A proposed update to the Signed-Releases check was discussed in the community meeting (Doc). PTAL, feedback welcome!
Npm has support for SLSA provenance. We should improve the check to check for provenance for the corresponding package, if possible - rather than only looking at GitHub releases.

I think this requires a way to search provenance from a repo, rather than from a package. Note, package is

```sh
attestations_url=$(npm view "$package_name" --json | jq -r '.dist.attestations.url')
```

So we can either find the right API on the registry; or use a deps.dev API.

An alternative is to search workflow files for `npm publish --provenance`. Another is to search for use of the OpenSSF npm builder.
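The repo-to-package mapping and the `dist.attestations` lookup discussed in this issue, as an added example (not Scorecard's, npm's or deps.dev's code): it reads a constructed npm registry version document of the kind `npm view <pkg> --json` returns, checks whether it points at the expected GitHub repository, and reports whether a provenance attestation is claimed. The `provenance.predicateType` field name and all sample values are assumptions.

```python
"""Decide what a Signed-Releases style check can conclude from npm registry
metadata alone. Added example; field shapes beyond `dist.attestations.url`
(from the issue) are assumptions, and the sample document is constructed."""
import json
import re
from typing import Optional

# Constructed sample mirroring a trimmed `npm view example-pkg@1.2.3 --json`.
SAMPLE_VERSION_JSON = json.dumps({
    "name": "example-pkg",
    "version": "1.2.3",
    "repository": {"type": "git",
                   "url": "git+https://github.com/example-org/example-pkg.git"},
    "dist": {
        "tarball": "https://registry.npmjs.org/example-pkg/-/example-pkg-1.2.3.tgz",
        "attestations": {
            "url": "https://registry.npmjs.org/-/npm/v1/attestations/example-pkg@1.2.3",
            "provenance": {"predicateType": "https://slsa.dev/provenance/v0.2"},
        },
    },
})

_GH_RE = re.compile(r"github\.com[/:]([^/]+)/([^/]+?)(?:\.git)?/?$")

def normalize_github_repo(url: str) -> Optional[str]:
    """Map package.json repository forms (git+https://, git://, git@github.com:,
    and the 'github:owner/repo' shorthand) to lowercase 'owner/repo'."""
    url = url.strip()
    if url.startswith("github:"):
        url = "github.com/" + url[len("github:"):]
    m = _GH_RE.search(url)
    return f"{m.group(1)}/{m.group(2)}".lower() if m else None

def provenance_status(version_json: str, expected_repo: str) -> dict:
    """Report: does the version link back to the repo, does it carry an
    attestations bundle, and which provenance predicate does it claim?
    Presence of a link is a claim, not a verified signature (see thread)."""
    meta = json.loads(version_json)
    repo = meta.get("repository")
    repo_url = repo if isinstance(repo, str) else (repo or {}).get("url", "")
    attestations = (meta.get("dist") or {}).get("attestations") or {}
    predicate = str((attestations.get("provenance") or {}).get("predicateType", ""))
    return {
        "repo_matches": normalize_github_repo(repo_url) == expected_repo.lower(),
        "attestations_url": attestations.get("url"),
        "predicate_type": predicate or None,
        "has_slsa_provenance": predicate.startswith("https://slsa.dev/provenance/"),
        "verified": False,  # metadata alone never proves the bundle checks out
    }

if __name__ == "__main__":
    print(json.dumps(provenance_status(SAMPLE_VERSION_JSON, "example-org/example-pkg"), indent=2))
```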