Using the in-toto-run command (with examples)
1: Tag a git repo and sign the resulting link file
in-toto-run -n tag --products . -k key_file -- git tag v1.0
Motivation: This in-toto-run invocation generates link metadata for a supply chain step in which a Git repository is tagged, and signs the resulting link file with the given key. The signed link is what lets a verifier later check the integrity and authenticity of the tagged version.
Explanation:
-n tag
specifies the step name as “tag”.
--products .
specifies that the current directory (.) is the product of this step.
-k key_file
specifies the private key file used for signing the resulting link file.
--
separates the in-toto-run options from the actual command being executed (git tag v1.0).
Example output: A signed link file is generated, representing the tag operation on the Git repo.
2: Create a tarball, storing files as materials and the tarball as a product
in-toto-run -n package -m project -p project.tar.gz -- tar czf project.tar.gz project
Motivation: This in-toto-run invocation generates link metadata for a supply chain step in which a tarball is created. It records the inputs (materials) and outputs (products) of the packaging step so that both can be tracked and later verified.
Explanation:
-n package
specifies the step name as “package”.
-m project
specifies that the “project” directory is a material of this step.
-p project.tar.gz
specifies the tarball as the product of this step.
--
separates the in-toto-run options from the actual command being executed (tar czf project.tar.gz project).
Example output: A tarball (project.tar.gz) is created, and a link file is generated with metadata about the tarball creation process.
3: Generate signed attestations for review work
in-toto-run -n review -k key_file -m document.pdf -x
Motivation: This in-toto-run invocation generates a signed link file attesting to review work on a document, so that the review step for important documents can be tracked and verified.
Explanation:
-n review
specifies the step name as “review”.
-k key_file
specifies the private key file used for signing the resulting link file.
-m document.pdf
specifies the document as a material of this step.
-x
indicates that the resulting link file should be excluded from the final output.
Example output: A signed link file is generated, representing the review process for the document.
4: Scan an image using Trivy and generate a link file
in-toto-run -n scan -k key_file -p report.json -- /bin/sh -c "trivy -o report.json -f json <IMAGE>"
Motivation: This in-toto-run invocation generates link metadata for a supply chain step in which a container image is scanned with Trivy, a vulnerability scanner. The link file records the scanning step and provides evidence of the security measures taken.
Explanation:
-n scan
specifies the step name as “scan”.
-k key_file
specifies the private key file used for signing the resulting link file.
-p report.json
specifies the vulnerability report as the product of this step.
--
separates the in-toto-run options from the actual command being executed (/bin/sh -c "trivy -o report.json -f json <IMAGE>").
Example output: A vulnerability report (report.json) is generated, and a link file is created with metadata about the scanning process.
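To make concrete what the four invocations above actually record, here is an added example (written for this article, not in-toto's own code, and not using the in-toto library) that reproduces the unsigned body of a link file with the Python standard library. It hashes the materials named by -m before the step command runs, executes the command given after --, hashes the products named by -p afterwards, and covers the -x case, in which in-toto-run records artifacts without executing a step command. Signing with -k is left to in-toto and is not reproduced. Everything in the demo run is constructed: the project files, the placeholder document.pdf, the stand-in for the tar command (Python's tarfile module invoked through the interpreter so the example runs without tar installed), and the function names record_artifacts, run_step, find_mismatches and run_demo are this example's own.

```python
"""Illustration of what in-toto-run records in a link file.

Added example for this article, not in-toto's own code: it does not import the
in-toto library. Using only the standard library it mirrors the CLI's behaviour
(hash the materials, run the step command, hash the products, assemble the link
body) so the fields behind -n, -m, -p, -x and `--` become visible. Signing the
link (the -k option) is left to in-toto and is not reproduced here.
"""
import hashlib
import os
import subprocess
import sys
import tempfile
from pathlib import Path

# Stand-in for the article's `tar czf project.tar.gz project`, run through the
# interpreter so the example works wherever Python does (constructed, not in-toto's).
TAR_SNIPPET = (
    "import sys, tarfile\n"
    "with tarfile.open(sys.argv[1], 'w:gz') as tar:\n"
    "    tar.add(sys.argv[2])\n"
)


def record_artifacts(paths):
    """Hash every regular file under the given paths, keyed by relative POSIX path.

    This is the shape -m/--materials and -p/--products produce: {path: {"sha256": hex}}.
    Directories are walked recursively; a path that does not exist is skipped.
    """
    artifacts = {}
    for p in paths:
        root = Path(p)
        if not root.exists():
            continue
        files = [root] if root.is_file() else sorted(q for q in root.rglob("*") if q.is_file())
        for f in files:
            artifacts[f.as_posix()] = {"sha256": hashlib.sha256(f.read_bytes()).hexdigest()}
    return artifacts


def run_step(name, materials, products, command):
    """Mimic `in-toto-run -n NAME -m MATERIALS -p PRODUCTS -- COMMAND` (unsigned body).

    An empty command corresponds to -x/--no-command: materials and products are
    still recorded, but nothing is executed and no byproducts are captured.
    """
    recorded_materials = record_artifacts(materials)  # snapshot BEFORE the command
    byproducts = {}
    if command:
        proc = subprocess.run(list(command), capture_output=True, text=True)
        byproducts = {"stdout": proc.stdout, "stderr": proc.stderr, "return-value": proc.returncode}
    return {
        "_type": "link",
        "name": name,
        "command": list(command),
        "materials": recorded_materials,
        "products": record_artifacts(products),  # snapshot AFTER the command
        "byproducts": byproducts,
        "environment": {},
    }


def find_mismatches(expected, actual):
    """Paths whose recorded hash differs, or that are present on only one side.

    This is the comparison a layout's MATCH rule performs when it requires the
    materials of one step to equal the products of an earlier step.
    """
    return sorted(p for p in set(expected) | set(actual) if expected.get(p) != actual.get(p))


def run_demo():
    """Constructed end-to-end run of the article's package and review steps in a temp dir."""
    workdir = Path(tempfile.mkdtemp())
    (workdir / "project").mkdir()
    (workdir / "project" / "README.md").write_text("constructed demo project\n")
    (workdir / "project" / "main.c").write_text("int main(void) { return 0; }\n")
    (workdir / "document.pdf").write_bytes(b"%PDF-1.4 constructed placeholder\n")

    previous_cwd = os.getcwd()
    os.chdir(workdir)  # in-toto records paths relative to the working directory
    try:
        package = run_step("package", ["project"], ["project.tar.gz"],
                           [sys.executable, "-c", TAR_SNIPPET, "project.tar.gz", "project"])
        review = run_step("review", ["document.pdf"], [], [])  # the -x case: no command
        # Re-hash the project directory: untouched, it matches the recorded materials ...
        clean = find_mismatches(package["materials"], record_artifacts(["project"]))
        # ... and after a modification the changed file is reported.
        (workdir / "project" / "README.md").write_text("tampered after packaging\n")
        tampered = find_mismatches(package["materials"], record_artifacts(["project"]))
    finally:
        os.chdir(previous_cwd)
    return {"package": package, "review": review, "clean": clean, "tampered": tampered}


if __name__ == "__main__":
    import json
    print(json.dumps(run_demo(), indent=2))
```

Run it directly to print the two link bodies as JSON. The find_mismatches comparison at the end is the check an in-toto layout expresses with a MATCH rule: re-hashing the project directory after packaging and comparing it against the recorded materials reports exactly the file that was changed, which is how tampering between steps surfaces at verification time rather than going unnoticed.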
Conclusion
With the in-toto-run command, you can generate link metadata while carrying out various supply chain steps. This allows you to track and verify the integrity of the steps performed in your supply chain. In this article, we have demonstrated several examples of using the in-toto-run command, ranging from tagging a git repository to scanning an image for vulnerabilities. By applying in-toto to your supply chain, you can enhance security and trustworthiness in your software development process.