Attestors

Information that Witness can collect

1: AWS Instance Identity
2: Command
3: Environment
4: GCP Instance Identity
5: Git
6: GitLab
7: JWT
8: Material
9: Maven
10: OCI
11: Product

1 - AWS Instance Identity

Attest that a command was executed on an AWS instance you trust

The AWS (Amazon Web Services) Instance Identity Attestor communicates with the AWS Instance Metadata to collect information about the AWS instance Witness on which executing. The document signature is verified with the AWS RSA public certificate available here. This verification method currently does not work for the Hong Kong, Bahrain, Cape Town, Milan, China, or GovCloud regions.

Subjects

Subject	Description
`instanceid`	The ID of the AWS instance where Witness was executed
`accountid`	ID of the account that owns the AWS instance
`imageid`	ID of the AMI (Amazon Machine Image) the instance was running at time of execution
`privateip`	IP address of the instance at time of execution

2 - Command

Collect information about and trace the execution of a command

The Command Attestor collects information about a command that TestifySec Witness executes and observes. The command arguments, exit code, stdout, and stderr will be collected and added to the attestation.

Witness can optionally trace the command which will record all subprocesses started by the parent process as well as all files opened by all processes. Please note that tracing is currently supported only on Linux operating systems and is considered experimental.

3 - Environment

Collect information about the environment

The Environment Attestor records the OS, hostname, username, and all environment variables set by TestifySec Witness at execution time. Currently there is no means to block specific environment variables so take care to not leak secrets stored in environment variables.

4 - GCP Instance Identity

Attest that a command was executed on a GCP instance you trust

The Google Cloud Platform (GCP) Instance Identity Attestor communicates with the GCP metadata server to collect information about the instance on which TestifySec Witness is being exected. The instance identity JSON Web Token signature is validated against Google’s JWKS (JSON Web Key Set) to ensure authenticity.

Subjects

Subject	Description
`instanceid`	ID of the Google Compute instance on which Witness was executed
`instancename`	Name of the Compute instance on which Witness was executed
`projectid`	The ID of the project to which the instance belonged
`projectnumber`	Number of the project to which the instance belonged
`clusteruid`	UID of the cluster if the execution environment was a Google Kubernetes Engine (GKE) cluster

5 - Git

Collect information about the state of a git repository

The Git Attestor records the current state of the objects in the git repository, including untracked objects. Both staged and unstaged states are recorded.

Subjects

The attestor returns the SHA1 (Secure Hash Algorithm 1) git commit hash as a subject.

6 - GitLab

Collect information about a Gitlab CI/CD Job

The GitLab Attestor records information about the GitLab CI/CD job execution in which TestifySec Witness was run. Witness verifies the JWT (JSON Web Token) provided in CI_JOB_JWT against the instance’s JWKS (JSON Web Key Set) to ensure authenticity at execution time.

Subjects

Subject	Description
`pipelineurl`	URL of the CI/CD pipeline to which this job belonged
`joburl`	URL of the CI/CD job that this attestor describes
`projecturl`	URL of the project that owns the CI/CD pipeline and job

7 - JWT

Collect information about a JWT at execution time

The JWT (JSON Web Token) Attestor verifies a JWT against a JWKS (JSON Web Key Set) and records information about the claims of the JWT. The JWK that was used to verify the JWT is also recorded.

8 - Material

Collect information about files before a command is executed

The Material Attestor records the digests of all files in the working directory of TestifySec Witness at exection time, but before any command is run. This recording provides information about the state of all files before any changes are made by a command.

9 - Maven

Collect information about a Maven project

The Maven Attestor records project and dependency information from a provided pom.xml (Maven Project Object Model).

Subjects

Subject	Description
`project:group/artifact@version`	The group, artifact, and version of the project to which the pom.xml belongs
`dependency:group/artifact@version`	The group, artifact, and verion of each dependency in the pom.xml

10 - OCI

Collect information about an OCI image

The OCI Attestor records information about a provided Open Container Initiative (OCI) image stored on disk as a tarball. Information about the image tags, layers, and manifest are collected and reported in this attestation.

Subjects

Subject	Description
`tardigest`	Digest of the tarred image
`imageid`	ID of the image
`layerdiffid`	Layer diff IDs of the image

11 - Product

Collect information about files after a command is executed

Product Attestor

The Product Attestor examines materials recorded before a command was run and records all products in the command. Digests and MIME types of any changed or created files are recorded as products.

Subjects

All subjects are reported as subjects.